Thursday, May 29, 2008

TJX shoots the messenger reporting potential identity theft issues!

(Picture courtesy of b d solis at Flickr)

One would assume after compromising an estimated 94 million people's information, a company would become a model of information security for the rest of us to aspire to. Sadly, if the following story is true, this is NOT the case at TJX.

Ran into this disturbing example of a messenger getting shot for trying to report sloppy security on Sans Newsbites:

TJX Companies has fired an employee from a Lawrence, Kansas TJ Maxx store for making posts to a forum about the company's lax security practices, even after the notable breach. The employee, Nick Benson, said in several posts that except for a period of time following the breach disclosure when a strong password policy was enforced, the employee password at his store's server was set to blank. In addition, at one point a store server was running in administrator mode. When Benson began work at TJX, his password was the same as his user name. TJX says Benson was fired for disclosing confidential company information. -

Reading a little further by linking to the article written by Dan Goodin in the Register, I discovered that the act of posting in forums came about AFTER the employee tried to resolve the problem, internally:

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

After posting on the forum (,15148,page=1), the boss of one of the people Benson reported the matter to summoned him into the office and terminated him.

I suppose we could all argue that posting this information in a public forum is dangerous. Saying that, Benson did try to report the matter through his internal chain of command and nothing was done?

Maybe it is because the people, he reported it to aren't IT savvy enough to realize how vulnerable TJX's systems are when they are left unprotected like this?

Even if a hacker didn't compromise the system, it is feasible that a dishonest employee could gather quite of bit of information and sell it? Carder forums -- where personal and financial details are bartered over cyberspace -- are well known and not very hard to find.

Please note, I wrote IF a hacker didn't compromise the system. I'm just pointing out stealing information wouldn't take a very sophisticated hacking job given the opportunities described in this instance.

They might even post (anonymously), how easily they got the information in hacker forums. Sadly if Mr. Benson had been more anonymous, he would probably still be employed. I guess it doesn't pay to be honest in cases like these?

My post just before this was about another revelation (pun intended) that not all data breaches are being reported. I tied this post into two stories. One was about the lack of reporting, and other one was recent reports about Finjan finding crimeservers via simple searches that contain a lot of information that could be used to commit a host of financial crimes.

Interestingly enough, the crimeservers (available to anyone on the Internet) weren't "password protected," either.

So far as Mr. Benson is concerned, I wonder if TJX was required to maintain a confidential hot-line and if he ever reported the matter there? Although, I'm not a lawyer, I also have to wonder if federal laws protecting "whistleblowers" apply here. More information on whistleblower laws can be seen on

It's a crying shame that the powers that be at TJX didn't value the fact that an employee was trying to show them where they might receive a lot more unfavorable public exposure by compromising their customer information.

I'll close with a supportive comment from the editor at SANS:

[Editor's Note (Schultz): Once again TJX is proving itself to be a villain. Interestingly, I still sometimes shop at a TJ Maxx or Marshalls store, but I always pay cash--I would never use a credit card because of TJX's huge security deficiencies. And if Nick Benson reads this comment, I would encourage him to contact me, because I will do everything in my power to help him find another job. ]

PS: I would like to add that I'm pretty sure there are companies out there that would value an employee, who brought matters like these to their attention. They might save them millions of dollars in the end when you consider the cost of recovering from a data breach.

As a disclaimer, TJX's side of the story is unknown, but according to the Register article when they were asked they would not comment on the matter.

Wednesday, May 28, 2008

We are a long way to full disclosure in data breaches - even if we wanted to be!

I saw an article on PCWorld, written by Robert McMillan (IDG News), that according to the research firm Gartner -- not all data breaches are being reported by retailers.

I thought to myself ... here we go again ... burying our heads in the sand that all personal and financial information is hacked from retailers. Of course, that isn't to say that none of the stolen information is coming from retailers, either.

The conclusion was based on 50 retailers being interviewed and 21 of them saying they had been breached. Of these 21, allegedly only 3 had reported a data breach.

This led me to wonder if any of these retailers do business in an area, where disclosing data breaches is a matter of law?

My humble guess is that in the litigation happy society we live in today, no one is going to report anything unless they have to. As long as no one is certain (or they can get away with saying that) the information is probably buried, or someone comes up with a rationalization that it really didn't happen.

Going a little further, there has to be a lot of information being stolen that no one is even aware has been compromised. The fact that no one is aware it was compromised makes it easier to be used by the criminal element, effectively.

The sad truth is even if you could make computer systems bulletproof, human beings will continue to compromise information, either via social engineering techniques or to obtain financial compensation. We've made some of this information worth a lot of money.

Of course, information thieves often combine technology and social engineering, also. In the mysterious world of information crime, one shoe rarely fits all.

Right after reading the PCWorld article, I happened upon more research from Finjan, which might provide evidence that there must be a lot of computer systems out there that are NOT very "bulletproof."

As stated on Finjan's MCRC blog:

In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc.

Many people asked us how we found the data. Was the data secure or not?

Although we cannot disclose all information to the public (for obvious reasons), I can say that the data on that Crimeserver was unprotected, meaning anyone could access it.

Today we came across another Crimeserver - it seems that we are finding one every other day...
Additionally, Finjan reported:

As we disclosed in our Q3/2006 Trend report, malicious code is hosted on caching servers of leading Search Engine Providers. This time we reported in our recent MPOM that stolen end-user data is also stored on these caching servers. Yes, your passwords, Social Security numbers, Online banking information …. no data is safe, as the examples below illustrate.

Even more alarming, it didn't take a lot of know-how to access all this information. The people at Finjan were able to do it, using simple Google searches.

I highly recommend taking a look at the entire blog post from Finjan (link provided at the bottom of this page) -- there are some alarming visual presentations indicating how much information is out there.

I'll include one, which shows a compromised (actual info blocked out) SSN:

The blog post also has visual presentations (screenshots) of user names and passwords to internal company sites, porn sites and online banking sites.

Now let me see ... if stolen information is being hosted on unprotected (anyone can access) crimeservers ... and it is being indexed (cached) by search engines ... it's probably safe to assume we don't have any real idea how much stolen information there is out there.

Also, please note it's safe to say not all this information came from retailers.

Last, but not least, I've seen commentary that we should blame Google for all this. First of all, I doubt that Google is the only place this information can be found. Another thing to contemplate is that thinking like this is as narrowly focused as thinking that retailers are to blame for most of the stolen information out there.

Unless we stop blaming each other -- we are going to be a long way from achieving transparency in data breaches. Exposing problems often is the first step in correcting them.

Until we embrace transparency, the people to blame (criminals) are going to be laughing all the to the bank.

Finjan post from their MCRC blog, here.

Sunday, May 25, 2008

13 year old buying Hookers with Dad's credit card is a marketing scam!

About two weeks ago, I heard a story about a 13 year old stealing his Dad's credit card to buy XBoxes and Hookers on a morning radio show. After seeing the story surface on several mainstream media outlets, I even wrote the Police Chief of the town (Newark, Texas) where it allegedly happened because it sounded a little too bizarre to be true.

Maybe it was the part of the story, where the escorts were conned into believing the boys were suffering from a disability (restricted growth) and State law dictated they couldn't be discriminated against? Perhaps it was because the escorts were not arrested because the boys were more interested in playing computer games??

The Police Chief never replied and I gave up on the story. Now, just as I thought in the beginning, the entire thing was nothing more than a hoax. Of course, the hoax had a purpose, which was to build backlinks to hawk credit cards by a company called

It's ironic that a company selling financial products would use fraud as a marketing tool (my opinion).

JD Rucker wrote about this on NowPublic:

What a virtual world we travel through sometimes. A (relatively) innocent marketing ploy designed to draw in backlinks for a financial services comparison website in London has stirred up media attention ranging from the front page of Digg to coverage on Fox News.

When posted a story titled 13 Year Old Steals Dad's Credit Card to Buy Hookers, the idea was that it could be read as a humorous parody piece that could get attention from social media sites, yield quality backlinks, and draw in hundreds of thousands of visitors. The backlinks would help the site achieve higher rankings on search engines, especially for the target keyword phrases that would include the words "Credit Card".
JD Rucker summed up his article with a rationalization on why this occurred:

With the heavy emphasis that search engines place on inbound links, many websites are desperate for any form of viral link-building. It may not be "ethical" through some perspectives, but it is arguably justifiable in the competitive Internet marketplace.

Until the search engines come up with a better ranking system, we can expect sensationalized parodies to continue to pop up.

I'm probably going to be a little less kind when I say this appears to have been a marketing scam designed to sell credit cards.

I wonder what Bill O'Reilly will have to say? Fox picked up the story and "story about this in Wired News.

Bill is often fond of accusing the blogosphere of spreading not very well founded rumors. I guess one shoe doesn't fit all and it's never wise for people who live in glass houses to throw stones?

Now that is what I consider a rather "piffy" comment.

Sorry Bill, I do watch your show from time to time, but being a blogger, who "sometimes" tries to be thoughtful about what I write -- I couldn't resist making a point! I also agree with Jeanine that if this story were true, the hookers should have been arrested.

Now saying that, I do agree with you that an awful lot of "spinned yarns" and "malicious garbage" is plastered across the electronic universe. In fact, last time I checked, the more "malicious garbage is a current theme of this blog.

Full story on NowPublic, here.

Original Digg submission, which was "dug" 2507 times, here.

Lifelock's identity theft protection saga racks up 339 articles in Google!

Todd Davis, Lifelock's flamboyant CEO, who flashes his social security in public to sell identity theft protection made Yahoo's top five stories of the week. When I checked Google News, there were no less than 339 articles covering the woes of Lifelock and it's CEO.

Lifelock has been mired in controversy since it was revealed in the New Phoenix Times that one of his co-founders (Robert Maynard) wasn't being truthful about being an identity theft victim and was suspected of being a identity thief, himself.

I covered this part of the Lifelock saga in a post called, "Is LifeLock an identity theft protection service people can trust?"

Maynard stepped down from his position as co-founder, but continued to maintain a 10 percent interest in the company.

A short while thereafter, it was revealed that Todd Davis was himself a victim of identity theft. Instead of letting the authorities do their job, Davis took it upon himself to send out a PI (and film crew) to get a pre-written confession from the scoundrel. The end result was that the authorities dropped the case.

Meanwhile, Lifelock seemed to flourish and obtained a lot of investment capital to drive their aggressive marketing campaign. Everyone from Radio icons to bloggers have been paid to endorse their services.

The bad publicity even led to speculation that an organized hit job was being undertaken against Lifelock.

So far as the organized hit job theory, it does have some merit. The reason for this is that Lifelock's service isn't much different than what a lot of other companies are offering. Additionally, the repetitive fraud alerts make it more expensive to issue credit, and there is a cost incurred by the credit bureaus for providing them.

Then there is the competitive edge, identity theft protection services are being hawked by a lot of different companies. They range from unknown start-ups to financial institutions and the credit bureaus, themselves. In not very good economic times, the industry is showing double-digit growth.

The Motley Fool gave a good explanation of the reason for this in their article (one of the recent 339 or so) about Lifelock:

There's clearly profit to be had in the privacy protection market -- much-needed profit for credit reporting-related services. The 2003 passage of the Fair and Accurate Credit Transactions Act (FACT Act) handicapped one of their revenue streams by mandating free credit reports for all. (Get yours at

To help make up for the financial shortfall, the credit reporting companies created a new revenue stream: credit watch products. Seeing profit in consumer fear, other companies soon created their own credit watch muscle for hire.

Please note, the article in the Motley Fool gives some pretty sound advice about how to protect yourself for free from identity theft, also.

Then came the legal actions, first Experian filed a law suit and then came a series of class actions alleging the Lifelock is guilty of misleading advertising, doesn't warn it's customers that it only provides limited protection and doesn't warn them that repetitive fraud alerts might damage their credit rating.

I suspect the current flurry of stories were partially the result of information released from the law offices in the class action suits that Todd Davis has been the victim of identity theft numerous times.

It's now been revealed that Davis' identity has been compromised 87 times in the past two years. 20 of these attempts involved drivers licenses. Davis has responded by stating that this proves Lifelock protects it's consumers from identity theft since the only known successful attempt was with the PayDay loan in Texas.

While this might be partially true, there is a flaw in this thinking. The flaw is that partial information isn't always picked up by credit bureaus and credit bureaus don't detect all forms of identity theft.

A new buzz word in identity theft circles is "synthetic identity theft." Here is a description of it from a previous post:

This is where different parts of other people's identities are used to forge a synthetic one. Quite often, because a lot of the information doesn't match, the credit bureaus don't pick it up. Most frequently, this is discovered at tax time, when someone gets a bill for taxes that an identity thief never paid to the government.

So far as identity theft that isn't picked up on a credit bureau, here is what I wrote about that in the same post:

Another reason there is no way to guarantee protection is that not all identity theft shows up on credit bureaus. Some examples of this are in cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

Because of these reasons, I'm not certain if Mr. Davis can be sure that all 87 attempts were entirely unsuccessful?

Another marketing claim that many feel is misleading is Lifelock's $1 million dollar guarantee. If you read the fine print, they only guarantee they will hire people to look into it should you become a statistic while using their service. They also stipulate that they will choose who does this for you.

Trust me, it's highly unlikely anyone will collect much of anything if they become an identity theft statistic while paying for Lifelock. In most instances, after the work is done, the financial institutions end up responsible for the loss.

Of course, when this happens the cost is passed on to all of us. No business would be able to remain solvent, otherwise.

The sad truth is that there really is no guarantee that you will never become an identity theft victim and it's probably better to exercise common sense and perform your own due diligence.

Since I seem to be quoting myself a lot in this post, here is something I wrote about this:

Most of the experts (not selling services) agree most people can fix their identity for free, and in the long run, they might do a better job of it, themselves.

If someone were to do this, a good place would be the FTC's Identity Theft page. Other decent free resources are the Identity Theft Resource Center and the Privacy Rights Clearinghouse.

Last, but not least, the good folks at did a highly amusing parody of identity theft protection services after they got sick and tired of them using their free material:

Going forward, we would like to announce that we have a new partnership with Identity-Love-Sock, a trusted provider of identity theft prevention services. Not only can Identity-Love-Sock protect YOU from IDENTITY THEFT, it also provides several guarantees for your PROTECTION should YOU be affected by IDENTITY THEFT. With the services provided by Identity-Love-Sock , YOU will NEVER have to WORRY about your IDENTITY being STOLEN, MISUSED, or otherwise COMPROMISED. For more details on how YOU can be COVERED and PROTECTED, please visit Identity-Love-Sock . You'll be glad you did.

Along with covering various matters related to computer security and privacy, Attrition is recognized for maintaining a pretty telling database on where a lot of identity theft starts, or data breaches.

Oregon case reveals the tie between software piracy and identity theft!

(Photo courtesy of naveenium at Flickr)

Software Piracy is a multi-billion dollar issue. Whether it's hawked in a spam e-mail, a flea market or on a auction site -- it might not work as well as advertised -- and could even lead to identity theft.

You never know what might be installed in pirated software. The person selling it to you might add a little malicious software (containing a keylogger) and steal all your personal and financial information.

A recent case showing how pirated software leads to identity theft was announced by the Department of Justice:

An Oregon man pleaded guilty today to selling counterfeit computer software with a retail value of more than $1 million, in addition to aggravated identity theft and mail fraud, announced Assistant Attorney General of the Criminal Division Alice S. Fisher and Karin J. Immergut, U.S. Attorney for the District of Oregon. This case is part of the Justice Department’s initiative to combat online auction piracy.

Jeremiah Joseph Mondello, 23, of Eugene, Ore., pleaded guilty to one count each of criminal copyright infringement, aggravated identity theft and mail fraud before U.S. District Court Judge Ann L. Aiken in Eugene. Mondello faces up to 27 years in prison, a maximum fine of $500,000 and three years of supervised release. Sentencing has been set for July 23, 2008.

Although this only appears to be a small win in the overall problem, it illustrates the danger of installing unauthorized software on your system. You might get more than you bargained for:

Mondello admitted to stealing individuals’ identifying information to establish online payment accounts in their names. Mondello acquired victims’ names, bank account numbers and passwords by using a computer keystroke logger program to surreptitiously obtain this information. The keystroke logger program installed itself on the victim’s computer and then recorded the victim’s name and bank account information as the information was being typed. The program then electronically sent the information back to Mondello, and he used this stolen information to establish the online payment accounts.

In other words, the moral of the story is that the money you save buying knock-off software can easily be lost when the seller returns to clean out your financial assets.

Trust me, criminals are not honorable and they could care less, if you get left holding the bag.

Last, but not least, most victims of identity theft are able to get their financial institutions to write-off their losses. However, if they discover you used illegal software -- which happened to contain malicious capabilities -- my guess is they are going to deny your fraud claim.

DOJ credited the Software & Information Industry Association for their assistance in this conviction. This association represents the software industry and goes after software and content piracy. They provide a means to report instances of piracy and offer up to a million dollar reward for doing so.

Full press release on this matter, here.