Protect Your Good Name!

Bits and Bytes – Blurbs Concerning Information Security

2007-01-11T08:15:00.001-08:00

Microsoft has released a fix for some of the flaws in Internet Explorer. The release originally scheduled for October 10 was pushed up due to the rash of computer takeovers. If you have not already updated your Microsoft system, doing so may avoid a nasty round of attacks similar to the ones mentioned above.

The Transportation Security Administration has announced it will charge a $30 frequent traveler’s fee for people interested in going through an express lane at airport security. The original fee was expected to be over $100. Information Security Education, LLC has been certified by Social Security Administration and Department of Homeland Security to check valid work statuses. We will also be pursuing the ability to provide expedited TSA screening. Watch for further announcements.

The U.S. Commerce Department has lost 1,137 laptop computers since 2001. Almost half of these computers were the responsibility of the Census Bureau. At least 246 of the machines contained personal information, but the Census Bureau was unable to determine the number of people affected. The government states that no personal information from these devices has been used improperly. Since, officials can’t even figure out whose data was lost, how can they assure the public’s safety.

Personal computer users should consider making a recovery partition. A partition is an area of your hard drive set aside as if it were a separate hard drive. This area will enable you to recover your PC in a short amount of time. Several software vendors have products available including Symantec's Norton PartitionMagic 8.0 and Norton Ghost. You should evaluate your need and make sure you have a proper recovery partition.

Credit Card Firms Fining Merchants

2007-01-11T08:15:00.000-08:00

Mastercard, Visa, Dicover and American Express all require merchants to discard credit card information as soon as they receive an authorization for a charge. The company and authorization number are all that is required for a merchant to receive payment.

Last weekend ushered in a new era in the credit card industry, as Visa joined Mastercard in imposing penalties from $10,000 to $100,000 for failure to keep transactions secure. The credit providers are not assessing merchants directly, but invoking the penalties on the companies that process the transactions. It will be up to these middlemen to collect from the individual merchants.

At this point, the program is being aimed at large merchandisers who violate the terms of their credit cards agreements. Neither card company would comment as to who the biggest offenders were other than indicating that such vendors are responsible for more than six million deals a year. Visa noted that only twenty of 334 merchants were non-compliant. This pool of sellers represent almost half of all Visa’s transactions.

Mastercard would not detail how many merchants violated the card agreement. Chris Tom, chief risk officer would only say, “We are not levying fines for noncompliance. We are levying them for non-cooperation.”

In a related development, Visa has not met its own security deadlines. The company had set a goal of completion by January 1, 2006, but did gain auditor’s approval in September only nine months behind schedule.

Health Study Participant Info Stolen

2007-01-11T08:14:00.000-08:00

Participants in a University of Iowa study on maternal and child health have had their Social Security Numbers exposed. The research program had over 14,500 contributors. The university has sent warnings to all involved.

The people concerned have been part of the study from 1995 to the present. The computers caught up in this mess were issued to professors in the psychology and psychiatry departments.

It appears that the attack was initiated outside the college campus and surveyed all campus computers looking for unlocked systems. Law enforcement likened the action to a person walking down a hallway and checking door knobs to see which if any were unlocked.

The operation apparently was intended to seek space to store illegally obtained copyrighted materials such as music and video.

New “Trojan Horse” Attacks Security Shield

2007-01-11T08:13:00.001-08:00

Banks and other businesses accepting financial transactions over the web have developed a way for the user to simply use the mouse instead of keyboard to enter PINs or credit card information. This avoids the effect of any keystroke loggers that might be installed on the PC without the user’s knowledge.

A Spanish company called Hispasec Systems has now discovered a “Trojan Horse” that infiltrates the targeted computer and captures the screen images of computer users. This software can follow the mouse movements of a displayed keypad making it simple to steal both PINs and credit card numbers.

The clandestine software is downloaded unwittingly by surfers who do not realize they may pay dearly for that free software. They may also be downloaded when users respond to spam links.

Security software makers are not yet able to defend against this new threat. Hispasec tested more than 30 anti-virus programs with only six showing any protection against this threat.

Some banks and financial institutions are using these “virtual keyboards” as a solution to government requirements to secure their online systems. Unfortunately, this is another example of the criminal element working hard to learn how to pick the latest lock. It is a vicious circle, with the good guys only able to keep a step ahead of the bad, at best.

Hackers Attack Applications

2007-01-11T08:13:00.000-08:00

Symantec Inc. the company which produces the Norton line of security products has determined that computer hackers are targeting the applications that are used on home computers in a larger proportion than other computer related attacks such as phishing. This means that programs like Internet Explorer, Firefox, Microsoft Office and other programs are being infiltrated to gain access to personal information (more in a later article).

The computer user goes about his business using his/her browser to surf the Internet. While cruising the Information Superhighway, one goes to a site that seems really cool, with great videos, music or interactive games. While downloading the special software to use these (usually free) items you also get a special present, an attachment to your browser, or productivity software that will log your keystrokes and look for items like online banking or credit card numbers.

It doesn’t matter which browser you use, you are at risk. A simple look at three of the most popular internet browsers shows that Mozilla’s Firefox contains 47 flaws that allow access to your system. Internet Explorer is no angel with 38 bugs. Even Apple’s Safari was documented as having 12 faults.

Security software manufacturers can only protect users from attacks they know about. This is usually done after the invasion has already caused damage. The door to your system is through the browser and it is those developers who need to partner more closely with security vendors to close the holes.

Most computer users can also protect themselves by not downloading items that they have not completely checked out as being safe. Symantec and other security software sites do offer help in understanding whether or not the sites you are interested in are legitimate. Another tip, simply Google the software you are interested in, and you will usually find both good and bad info. I suggest reading both.

More Fallout in H-P Case

2007-01-11T08:12:00.000-08:00

The trials and tribulations of the actions in the boardroom at Hewlett-Packard have continued to escalate. Patricia Dunn moved up her exit from the board and was summoned to a Congressional hearing where she denied that she had knowledge of the escapades which occurred. The House of Representatives is now considering enhanced penalties for ‘pretexting.” Representative Edward Markey of Massachusetts is leading this effort.

Mark Hurd the current CEO is also being asked the question, “What did you know and when did you know it?” These questions seem to be obvious whenever scandal is involved. Mr. Hurd and his counsel’s responses seem to be shifting, both in when he was made of aware of the actions and his involvement in the process. It is unfortunate that one of America’s most respected companies (until now) has placed itself in this position.

In addition to company’s actions, Cingular is now suing CAS Agency of Atlanta and its primary Charles Kelly over gaining access to cell phone records. Dawn Kawamoto, a reporter for CNET, who reported the original story was one victim whose information had been purloined. Verizon and Vodaphone have also filed legal proceedings related to the case.

In a related action, the Federal Trade Commission has settled with Integrity Security & Investigation Services for marketing services that allow consumers to gather information on other’s phone records. The agreement provides for ISIS to cease its illegal activities as well as “disgorge ill-gotten gains derived from alleged violations.”

The big question here is whether additional legislation is required when laws already exist? It seems enforcement is lacking. Congress is considering new laws that place more responsibility on the telephone companies to protect customer data. We have seen enforcement responsibility pushed to the private sector in banking and now communications. What good does it do to continue to pass laws that are simply ignored? Let’s prosecute offenders even if they are corporate execs.

By the way, the phone companies, which have armies of lobbyists in Washington are opposed to accepting the enforcement provisions. Can you guess how this might end?

Bits and Bytes – Blurbs Concerning Information Security

2007-01-10T09:20:00.001-08:00

Identity thieves used hundreds of stolen credit card numbers to buy tickets to Barbara Streisand’s latest concert tour. These tickets have been voided by the vendor, but that won’t help the people who will think the have purchased legitimate tickets. The winners here are the crooks and the losers are those who buy tickets for the performance through unauthorized sources.

A recent survey allowed some scary statistics to be released. Only 25% of companies report security breaches to law enforcement. Four of five businesses do security audits. More than half of IT shops surveyed spend two percent or less of their IT budget on security. Most companies still have to make an ROI case for expenditures. Most of the respondents, 71% do not carry cyber-security insurance.

Banks, the targets of phishing schemes are becoming a helpful partner in computer protection. Financial institutions are starting to offer security tools to their online users. Many organizations will subsidize the purchase price, encouraging customers to protect their digital assets. Depositories will be required to use two factor identification by the first of next year, which is another incentive to persuade patrons to use affiliated products. Large conglomerates are working with Internet Service Providers to develop secure access methods.

A new device can be used to test computer systems for vulnerability to hackers. The pen-sized tester can be slipped into your pocket as you walk through the target area. The object can be set to try 150 different computer exploits. This new tool is intended for corporate security teams to conduct audits, but it is available to others who are willing to pay $3,000 for it.

A second Veteran’s Administration computer containing personal information was stolen from Unisys, a contractor. The computer has been recovered and the temp who stole the unit has been charged. The government agency does not believe the thief intended to steal personal data.

Wireless Access Points Can Fool You

2007-01-10T09:20:00.000-08:00

A recent test at O’Hare International Airport found that more than 90% of the wireless access points were not sponsored by the airport. Many of these sites advertised “Free Wi-Fi.”

The security group doing the study concluded that at least 80% were peer-to-peer networks. These are personal computers that are set up to allow Internet access to others. While you are using these portals to the information superhighway, your keystrokes can be monitored or collected.

Most of the disguised access points masked their own MAC address, so as to be more difficult to identify. A MAC address is the like a serial number on the networking device. It can be used to determine manufacturer and in some cases even the computer involved.

Most newer laptops are set up to connect to the strongest signal. The user can open its wireless LAN area and sometimes determine whether the connection is from a legitimate provider. Otherwise, the computer that resides between you and the authorized provider can collect any information that is transmitted in either direction.

Many of these operators are trying to collect usernames and passwords to gain access to the legitimate users resources. These resources may be e-mail, corporate networks or even online financial transactions.

Ten Steps to Protect Laptops

2007-01-10T09:19:00.000-08:00

The following ten steps can help protect your laptops from falling into the wrong hands:

1. Use visual deterrents such as cable locks wrapped around a desk to discourage someone from taking the machine. You can even use these in hotel rooms and conference rooms.

2. Avoid leaving unsecured portable devices unattended. This rule applies to home as well as office.

3. Use simple inconspicuous carrying cases. Some cases scream “Laptop inside!”

4. Use complex alphanumeric passwords. Complex passwords usually use at least 3 of 4 tactics: Uppercase alpha, Lowercase alpha, Numbers, and Special characers.

5. Use anti-virus, anti-spyware, firewalls and encryption programs on all portable computers. Make sure any file that contains sensitive data is also encrypted. It makes no sense to have the software if it’s not used.

6. Back up all valuable data, especially before you take the machine out of the office. Sometimes it is expedient to make two copies and place them in separate buildings.

7. Understand the dangers of introducing pirated software or downloading files to your device. These items often carry malicious code and could be used to enlist your machine in a robot network.

8. Pay attention to news reports of changing theft schemes. By knowing how your enemy works, you can better protect yourself. This includes understanding phishing and SPAM attempts.

9. Use asset tracking and recovery software, which in some cases can locate your PC in a manner similar to having LoJack on an automobile.

10. Use advanced data protection tools, such as requiring a login to the company network before you can decrypt sensitive files. This way stolen computers would be denied the access needed to view important files.

By following these steps you will reduce your chances of becoming a headline.

Wireless Computers at High Risk

2007-01-10T09:18:00.001-08:00

Placing a wireless card on your computer puts it at higher risk for downloaded malware. In most cases there is not a simple way to disable the device when in use.

The computer is turned on, and then signals are sent into the air seeking an Internet connection. Should there be a bad guy in the general vicinity, he would recognize a system making a connection. Should the culprit have the right software, he would be able to take total control of the box.

This vulnerability applies to both Windows and Apple computers. A demonstration was made by David Maynor and Jon Ellich on August 2. For purposes of effect they used an Apple MacBook.

The pair did not release into the public domain, the code showing everyone how to commit this act. They blamed the opening on wireless protocols called 802.11. Another item of concern are device drivers that tell the computer hardware how to communicate with the wireless card.

In a related press release Intel alerted users of Centrino mobile technology of the potential of attack. The Centrino problem allowed computers in the general wi-fi area to grab complete control of the operating system. A patch has been released.

I believe that any laptop used in the open should be used only for innocuous purposes and systems should be cleaned of sensitive data before allowed in public.

Personal Website Provider Dumps Service

2007-01-10T09:18:00.000-08:00

Facebook, one of many sites that hosts personal websites, began a new service “News Feed” which tells people who are on your friends list about changes that occur in your online profile.

The new feature allows members to notify all of their contacts upon changes, so the user can invite friends to events, announce a birth, etc. Members immediately saw only the negative by protesting the service. Over 600,000 users complained to the host.

Facebook and other personal website providers offer a service that allows a person to tell the world anything they wish. Once a post is made, it is virtually open to anybody with internet access. Facebook is a little more secure since it limits membership to certain groups like students of a specific institution or employees of a company.

Whenever a person wants others to know more, they make a post. This is a change to the individual’s site. Usually, the site owner is proud of the items shown or they probably wouldn’t have placed it on the internet.

I offer a simple solution in response to the complaints. Do not put negative items on your personal website.

Actions Cause Resignations

2007-01-10T09:17:00.000-08:00

Hewlett-Packard was concerned about leaks coming from its board meetings. The company’s non-executive chairman Patricia Dunn apparently directed an operation to find out the source of the leaks. The way the investigation was conducted may have been illegal.

The source of the problem is an outside investigation firm hired by H-P, Security Outsourcing Solutions, of Boston found out who was providing details of meetings by gathering telephone records of board members without their permission or knowledge. The process known as “pretexting” occurs when an investigator calls the phone provider and PRETENDS to be the person whose records are about to be viewed. The imposter is then given online access to phone records.

I have written numerous articles about this practice over the past year including stories about phone companies suing those who use this ploy. The latest was about A T & T suing to find out who was gaining permission without approval (Vol. II No. 6, September 6 , 2006).

Federal officials have started an investigation into the company’s actions, which could lead to three-year prison terms on each count as well as $10,000 in fines. The California Attorney General’s office has already stated they have enough evidence to file charges in that state.

A Hewlett-Packard attorney and outside counsel both assured the board members that the probe was legal. The outside counsel, now says he relied on the company’s legal counsel.

Ms. Dunn has since resigned from her chairmanship. Two other board members have left, one removed and the other resigned in protest. Mark Hurd, CEO of H-P, has assumed the chair in the interim.

Bits and Bytes – Blurbs Concerning Information Security

2007-01-04T07:39:00.000-08:00

AT&T, Co. formerly known as Southwestern Bell, which also owns Cingular, revealed that 18,000 to 19,000 customers’ credit card and personal information were breached when a server was hacked by an outsider. The company is offering credit-monitoring services to those affected. The telephone giant is reviewing its security policy. A spokesperson claimed the organization stressed its commitment “to weeding out and punishing the violators.”

The Agriculture Department reported another data breach as a laptop computer and printed reports containing private data were stolen from a parked car of an employee in Kansas. It is just another example of lax treatment of government data. This is the third breach attributed to the Agriculture Department this year. The Veteran’s Administration is running a close second at two incidents.

A Dubuque, Iowa man will spend six months in prison for stealing mail that he was to deliver. Scott Meiner pled guilty to two counts of theft of U.S. Mail. He will also be required to pay a $2,000 fine and $1,202 in restitution. He was working as a highway contract rural mail carrier at the time of his offense.

AOL’s new software release 9.0 has been labeled “badware” by StopBadWare.org. The organization run by The Berkman Center and Oxford Internet Institute receives advise from the Consumers Union. It is funded by Google, Sun Microsystems and Lenovo (Formerly IBM PC division). The major problem is that software is loaded without the computer owner’s consent. The software could affect system performance.

It’s not a total victory, but anti-virus software producers have claimed that worms may be on the way out. Remember when we used worms for fishing and not phishing. We may soon be able to go back to the good old days. The good guys do keep getting better.

You Can Now Relakks!

2007-01-04T07:38:00.000-08:00

A new service based in Sweden, intends to use the country’s privacy umbrella to prevent exposure of private information. The infant company was launched as a response to AOL’s recent exposure of searches of more than 650,000 clients.

Labs2 Group based in Lund, Sweden offers Relakks which costs five euros –about $6.50 a month. It provides encryption as well as legal protections to hide customer’s credit information. They delete credit card data as soon as the transaction is complete. This is totally in compliance with the service agreement of most plastic providers. The customer must resubmit their card information each month, but it is a very safe and effective method of protecting information.

People who are involved with promoting violence and child pornography will still be tracked as Sweden’s law is tight, but not absolute.

At least two-thirds of the current 21,000 customers are based in the United States. This is a reflection of the concern about exposure of personal data. It could also indicate the number of people who may have a reason to hide information.

Although many may feel this new service is a great way to regain peace of mind, it is my guess that few will use it in the long term.

I think the authorities in both countries will raise an eyebrow should traffic increase substantially. Global law enforcement compacts will probably be changed so that at least official investigating agencies will have greater access.

AT & T Goes After Data Brokers

2007-01-04T07:37:00.000-08:00

AT & T has filed a suit to identify data brokers who used fraudulent means to gain access to customer phone records. The company claims that more than 25 different brokers used the ploy to dupe the phone giant into granting access.

These data brokers would then sell the information to clients. Many offered this service to check up on suspected cheating spouses and other investigative purposes without obtaining a court order. Unfortunately, it is illegal to engage in this sport.

Since no defendants were specifically named, the company can now use discovery powers to subpoena data sellers’ records. The plaintiff will use computer records to reconstruct the movements of those who violated the law.

AT & T froze online access to phone records which precluded web access not only to the perpetrators, but also some 2,500 customers. The court action seeks an injunction to cease the phone record mining. The Complainant also seeks monetary damages. We will keep an eye on this case.

Major Worldwide Dragnet Nets Scammers

2007-01-04T07:35:00.000-08:00

Authorities busted 565 individuals responsible for scamming Americans out of more than $1 billion. Most of these scams played on our sense of greed.

Many of the culprits were in West Africa running variations on the Nigerian scam. The fraud claims to have money in another country, and tries to get the victim to work with a fictitious attorney. The counselor claims to be able to help spirit the money to the victim. There is never any money that comes toward the mark.

Another posse of criminals wrapped up in the sweep targeted non-English speakers who were promised credit cards for deposits. Needless to say the cards never arrived and the recent immigrants were unable to contact the source of the crime.

A third area of misdeed was international lotteries. In this scam, the injured party was conned into paying taxes for supposed winnings in a foreign lottery. Sometimes the unfortunates were even mailed fake cashier’s checks. This newsletter discussed these instruments on July 12, 2006 in Volume II, Number 2.

Operation Global Con took more than 14 months to culminate in arrests. This was “the largest enforcement operation of its kind.” The authorities have netted 61 convictions and 139 arrests in the United States. Another 426 people were arrested in Canada, Costa Rica, the Netherlands and Spain.

The action comes on the heels of another lottery scam broken up by U.S. and Costa Rican authorities.

Banks See Yet Another Rule Change

2007-01-04T07:34:00.000-08:00

The FFIEC is a group of federal agencies that work together to regulate financial institutions. Last year the assembly decided that financial institutions must use additional means to confirm the identity of customers who use online banking systems. That rule goes into effect at the end of this year.

The set of regulators has taken further aim on identity theft by developing a list of activities that signal possible identity theft. The pattern of transactions, which I am reluctant to present in this format, raise so-called “red flags.”

Financial institutions will be required to verify the legitimacy of the acts. If the true ownership cannot be established the transaction should be terminated. This shifts some responsibility back to the banking organization, but can be quicker than calling in law enforcement.

Financial groups have 60 days to comment on this proposed rule before it can be enacted.

On the bright side, several software companies have developed systems that look for the questionable deeds and alert appropriate personnel. Hopefully, the cost is affordable for all sizes of providers.

What To Do About That Cellphone

2007-01-04T07:33:00.000-08:00

Many people continue to upgrade to the latest and greatest cell phone technology. The newest models feature GPS, camera, MP3 and by the way you can make phone calls. How you dispose of the old phone is now causing some concern.

People are trying to recoup some of their investment by selling the old equipment on sites like e-bay. Unfortunately, the information on the unused devices can open a window into your past. A study of some recent purchases found the contact list in tact. In addition, text messages were available including discussions of love affairs.

In the most egregious error, a former corporate executive left the plans for a major business expansion on his portable communication device. Many credit card numbers and ATM PIN numbers were also discovered. This type of disposal could lead to more than embarrassment; it could lead to financial loss. In most cases the loss is self-inflicted.

The safest thing you can do is either destroy your old phone. Also, all features except dialing 911 are blocked if you donate it to a group that will set it up as an emergency device for someone who cannot afford a cell phone. You can also protect yourself by only saving data to a removable memory card and remove the card before selling the phone. Most current models have this feature. You can learn more by reading the owner’s manual.

Should you sell your cell phone to another party, you are putting your call list at risk as well as your personal information. You might even lose a few friends.

Bits and Bytes – Blurbs Concerning Information Security

2007-01-02T13:44:00.000-08:00

Jayson Harris of Davenport, Iowa was sentenced to 21 months in prison for his phishing expedition. We have followed his case since his arrest. You may remember that he used a fake MSN e-mail to convince people to reveal their personal information. The scam was foiled when the mother of a Microsoft employee forwarded the e-mail to her son. Microsoft sued Harris and won a large financial judgment. This should be the last we hear from Harris for at least a while.

Old Mutual Capital, Inc. reported the theft of a laptop computer placing 6,500 investors’ personal information at risk. Account numbers and Social Security Numbers are included in the data on the equipment. Just another shining example of being able to learn from the unfortunate experiences of our competitors. In 2006, Ameriprise and Fidelity have both reported stolen units. Recommendations have been made, but companies are either not implementing or adhering to security policies.

Barely two months after the loss of computer equipment containing personal information on 26.5 million veterans, the Veteran’s Administration reported the loss of another portable device. Data in the latest event was not encrypted or password protected. The government agency did announce afterward that they will encrypt information in the future. This embarrassment is a glaring example of your tax dollars at work.

A new phone scam is making the rounds. The caller claims that Medicare is issuing new cards and the operator must confirm your personal information. The potential thief then asks for your Social Security Number, name and address. Should you receive such a call, simply hang up MEDICARE IS NOT ISSUING NEW CARDS!

Vanguard is implementing technology that is being used by some of the largest banks. The investment company is beginning to track the habits of its online customers to detect fraudulent or suspicious activity. Banks are required to implement such tactical measures by the end of the year, but no such demand is made of investment companies. I applaud Vanguard for its proactive action.

Social Engineers Biggest Threat

2007-01-02T13:43:00.000-08:00

With all of the engineering fields in the professional world, you should be very aware of the one that poses the biggest threat to your finances. The job of social engineer is practiced by people intent on gaining your confidence. We used to call these people confidence men or simply con men.

These folks prey on our nature to trust. It is a normal reaction to believe the best in people and we really want to live in a world where people honestly deal with one another. Unfortunately, that basic trust is the key for a social engineer to ply his trade.

Many of these artists seem to take a special interest in you personally. They will ask about your family and try to gain specific knowledge. The best practitioners appear to be trustworthy enough to watch your children. Be very careful of strangers prying into your personal life. These sly people will convince you that they are helping you, when in fact you will be sorry for your kindness.

Among recent examples of social engineering that have surfaced are people who try to send excess payment for products or services you provide, and ask that you just refund the difference. Callers who try to help with jury duty problems, or Medicare issues should set off a red light. People who contact you through e-mail claiming to know long lost relatives who have left you a fortune are also suspect.

T assist you, these frauds may offer to do home repairs or run errands. They may also claim they have found a winning lotto ticket, or some other valuable item and invite you to split any reward.

Frank Abagnale was probably the best social engineer in history. Should you wish to learn more about this occupation I suggest you either read the book, Catch Me If You Can, or watch the movie of the same name. You should be able to find about 100 very good examples of this practice. You will also enjoy the irony of trusting a crook.

Colleges In Need of Remedial Education

2007-01-02T13:42:00.001-08:00

Since January 2005, 76 schools have reported 109 computer breaches. Yes, some of the institutions have had more than one experience with this problem.

Employers depend on our higher education system to produce the future players in the U.S. economy. It is somewhat discouraging that they are also producing opportunities for the exposure of private personal information. It is estimate that as many as one-third of all data exposures occur on college-owned computer equipment.

In parallel, the Department of Education is requiring increased reporting of individual student progress, which requires the school to collect enhanced data. Some institutions still use Social Security Numbers as students’ ID. I have been touting a change from this procedure for more than five years. I have worked with colleges on strategies for change.

Some of the problem is attributed to decentralized responsibility for student data. Teachers carry laptops with student data. Department heads, admissions, recruitment and placement offices also handle personal information. There are usually no campus-wide security procedures, so the data may be exposed in a variety of ways. Donors, students, patrons of bookstores, recruits, and employee information has been exposed.

Is Web Search Data Private?

2007-01-02T13:42:00.000-08:00

The federal government asked web search providers to save the information for a 90-day period as provided for in the 1986 Stored Communications Act. This request led to yet another uproar over privacy rights. The original request did not ask for names to be attached to the data, but were interested in mining the data for phrases that might be used by terrorism suspects, child pornographers and drug smugglers.

It was suggested by USA Today that AOL, Yahoo! and Microsoft provided limited information while Google loudly protested and refused to comply. This space is not large enough to debate the pros and cons of such requests, so I leave that discussion to those among you who wish to do so in private.

The administration wanted to extend the period to two years. Remember the law is on the books and has been for twenty years. As with fraud, forgery, and counterfeiting, law enforcement has shifted a part of the job to the private sector.

Then a funny thing happened on the way to the debate, AOL exposed data collected from searches of 650,000 users. The results are probably what you might expect, millions of searches, most in search of free stuff. The word “sex” was 17th on the list. Large scale searches for child porn, explosives, and drugs do not exist.

Everyone who uses a device connected to the Internet should know the following: Your searches are not private! (by law they have been saved for a 90-day period for the past 20 years) You are not anonymous! (every request on the Internet can be traced) If it is illegal in the physical world, it is probably illegal in the cyber world. (child porn, drug smuggling and gambling online within the United States)

Most people are decent and law abiding. That is the reason we don’t need more police than civilians. Just as computers have allowed business to increase volume at incredible speed, the same factors have been used by people who wish to break laws.

Laptops Offer More Security

2007-01-02T13:41:00.000-08:00

Laptops manufactured by Dell, H-P, Lenovo (formerly IBM), Toshiba, and others are adding devices to protect laptops from losing their lode of information. These innovations allow employees to travel with laptops without the risk of losing valuable customer or employee data.

Gateway, Toshiba, and Lenovo have introduced fingerprint scanners that can be required to gain access to websites. These devices reside on the laptop themselves so no additional equipment is needed. The owner of the device can require a fingerprint to be scanned before the computer can even be used. This simple $50 addition can protect millions of dollars of data.

H-P introduced a smart card reader that prevents the use of the machine until the card, presumable carried by the user is inserted into the computer.

Some Toshiba devices require the mobile worker to insert a key and turn a switch before the power can be applied. This is an approach similar to putting a key in the ignition switch of an automobile.

Software developers have produced products which can remotely erase hard drives is a laptop is lost or stolen. Others have developed GPS tracking systems to search for lost or stolen devices.

Perhaps the simplest of solutions is to password protect files. Another easy solution is to encrypt data on transportable units, requiring the user to log onto the main network to access the key which makes the data readable. Had these two steps been implemented and followed over the past couple of years, 60 million records may not have been lost.

Employers Add Another Benefit

2007-01-02T13:40:00.000-08:00

Employers are beginning to offer their staff identity theft protection services. Companies have learned that workers who have been victimized by this crime spend company time clearing their name. Several providers offer products to help personnel complete the many steps which have to be taken. Although some actions can only be done by the victim, these services can help speed the time to completion.

It is estimated that a person can spend up to 18 months and over $2,000 to clear their credit report after an incident of identity theft. By offering the services, a company may instill more loyalty from the employee. Of course, I might suggest providing employees with a copy of my book, Protect Your Good Name! (From IDentity Theft) for each employee or at least the opportunity to buy one. The book is an easy read and contains many suggestions to prevent the attack as well as resolving the problem should it occur. It is also a far less expensive tack.

My company, Information Security Education, LLC also offers training session for employees, and clients. The basic courses can be done in as little as two hours and cover protection around the home, personal computers and protecting your business. I have conducted these course for individuals, community groups, colleges and private companies. The rates are reasonable and the comments have been very good.

Information Security Education, LLC can also work with your business in the prevention of information theft. Identity thieves have exposed more than 60 million private personal records since February, 2005. Educating employees as the importance of privacy was cited by The Wall Street Journal as the single greatest item in prevention.

If you are an employer, you may consider this benefit as a way to promote goodwill. If you are an employee feel free to share this information with your employer. The more people who are informed about the issue the better chance we have to prevent it.

Bits and Bytes – Blurbs Concerning Information Security

2007-01-01T08:25:00.000-08:00

Since February 2005, more than 90 million people have been the object of personal information exposure. The result of 243 data losses involving colleges, government agencies, private companies, investment firms and even auditors, have left one in three Americans potential victims of Identity Theft. Consumers should expect tighter controls from organizations that obtain private personal information in order to conduct business.

Online activities may benefit from a new service which verifies that a actually is who they say they are. The operation uses publicly available web databases such as Google, to confirm identities. This verification technique is also being used by some online stores, but the results may not be totally effective. People with common names may be confused with others unless unique identifiers are used. Better verification resources are background checks which delve into court records, sex offender registries and credit reports.

If you use McAfee Internet Suite, you should go to the McAfee site to make sure you have the latest version. McAfee software is known to have holes that can be compromised by hackers. McAfee has delivered a patch, but it does no good unless consumers put it on their PCs.

Authentium, a new company has developed software to secure transactions (mostly online financial) from hackers and spyware. The product called “VirtualATM” closes all other programs that are running on the user’s computer and creates a virtual private network in which to work.

CS Stars of Amarillo, Texas lost a computer containing records of more than half a million New York state workers. The state notified people whose information was lost by letter. The company handles New York Worker’s Compensation claims. The FBI is involved with the investigation.

Vacationing Tips

2007-01-01T08:24:00.001-08:00

Vacations are a great time to explore new places, try new things and generally recharge your batteries. In this last part of Summer, I want to give you some tips if you consider taking your computer with you. The first and most vital tip is “DON’T.” We have become addicted to the electric appliance, but if there is any way to avoid taking it on the road, find it. You will be much more refreshed when you return.

However, not everyone can break the addiction. I want to pass along some suggestion if you must take along your inanimate friend. The first and most obvious is to have up-to-date firewalls, anti-virus and spyware protection. This should also be done at home at least once a week. On vacation you will most likely be seeking free or low cost internet access. These network hotspots have little or no security and might be a point of presence for computer hackers.

Make sure you have backed up your files. Place the back up in a safe, secure location at or near your home. In case of computer loss, damage, or sabotage, you will be able to recover your precious data. You will also want to remove critical personal files from your computer and any USB drives making the trip. Should you work for a company and have detailed customer information, eliminate it before your trip.

You should password protect your equipment. This will slow or stop a thief from accessing your files. Although it may seem obvious, please don’t put your equipment in a checked bag. Your checked bag will go through x-ray machines, be tossed around and handled by people who look for treasures. The risk of damage or theft increases whenever you are not in possession of your equipment.

In a separate place, keep a list of online sites to which you are registered. Should your computer be lost or stolen, call these organizations and cancel the accounts. Otherwise, the bad guy can simply log on to your machine and click into your accounts. Many online merchants keep you credit card on file for convenience, but a thief considers this point and click profit.

Enjoy the Summer, take up a new hobby, get a tan and by all means get away from the real ball and chain (your computer).

Fake Virus Notice Downloads Real Virus

2007-01-01T08:24:00.000-08:00

An e-mail making the rounds recently claims to be from Microsoft, warning you to take action against a new virus. If you were to click on the link, you will actually download a virus on your computer allowing the hacker access to your computer.

The link actually looks like it goes to Microsoft, but it actually sends you to a site in Romania. Many computer problems are linked to Eastern Europe, but the originator could actually be located next door.

This particular attack requests you go to http://update.microsoft.go.ro. The last few letters give us insight as to the destination of a site. The letters “ro” indicate Romania.

If you are a Microsoft user, simply ask for automatic updates. This will require your computer to periodically check Microsoft’s database. If updates are available you will be notified by your web browser that the download is available. Microsoft does not send e-mails touting problems. In fact, Microsoft is very secretive about its software problems.

Cartoon Not So Funny

2007-01-01T08:23:00.000-08:00

A comic strip called “Retail” recently ran a joke about Identity Theft. In the strip a customer tries to pay for a purchase with a credit card. The customer had not signed the card, and explained to the clerk he was taking steps to reduce identity theft.

The customer explained that by presenting an unsigned card the clerk would be prompted to ask for a photo ID to make sure he was indeed the cardholder. The points out that although the customer’s scheme may be good in theory, any thief with a pen could simply need to sign the back of the card in order to use it.

This comic caused me to chuckle at first, but then I realized the point is not publicized enough. If you are carrying credit cards that do not contain your signature, sign them immediately. Handwriting does vary among individuals and thieves would need painstaking hours to try and match your signature. You may wish to write “See Photo ID” on the card as well, but remember identity thieves are very good at making false credentials.

Sometimes the joke carries a point; don’t just laugh them off.

Are Empty E-Mails a Threat

2007-01-01T08:22:00.000-08:00

A new phenomenon is occurring on the web. People are receiving e-mails from famous, but long dead authors. The interesting aspect is that the e-mails once opened are empty. This activity has most computer users scratching their heads.

Empty e-mails can be a forewarning of many types of scams. The first and most obvious use of these transactions is to gather legitimate e-mail addresses that are stored and sold to spamming operations. Each legitimate e-mail can be sold for two to ten cents.

A second reason for this e-mail storm could be a test of zombie networks. A zombie network is formed by a hacker or group of hackers that download programs on PCs without the authorization of the computer owner. The network is then placed into service by the network commander, mailing millions of bogus e-mails to unsuspecting users around the world through the captured PCs.

The third reason these empty e-mails may be to expand zombie networks. Programs may have been developed to automatically load malware when the empty e-mail is opened. This threat has been mentioned before, but not fully documented.

In any event, you should be very careful of items landing in you inbox. If you do not know the sender of a message or the subject line seems bogus, simply delete it without opening. Although some spam carries instructions to unsubscribe, my advice to not even respond. By answering in any manner you have verified a valid e-mail address. This action could simply increase the amount of unwanted e-mail received, or may even wreak more havoc with your PC.

Another important point is that the subject line often will show “Re:” or “Fwd:” in the subject line. If the e-mail is from someone you know and contains either of these items in the subject line, be sure that you know the original e-mail address which the reply references. In a forwarded e-mail, make sure the message is one you are expecting before opening.

Add Another Tool to Your PC

2007-01-01T08:21:00.000-08:00

I have touted that personal computer users should have an arsenal of defense mechanisms on their desktops. Anti-Virus, Firewall and Anti-Spyware programs are available at nominal cost and provide excellent protection for PCs. Unfortunately, the threats continue to change as the bad guys change the ways they invade your computer. Major security vendors are trotting out new tools they claim will prevent you from unknowingly downloading fraudulent software.

Microsoft enters the mix by allowing computer users employing Internet Explorer 7 to set an option to turn off “Active X controls.” The Active X area allows commands which enable specialized web processes have also been proven vulnerable to hackers who download their spyware without the user’s knowledge. IE 7 is free.

Symantec is offering a product dubbed “Norton Confidential” which can be downloaded free during the test phase. One of the most respected names in computer security, Symantec maintains their software will actually prevent spyware from stealing your personal information. Symantec expcects the package to fetch from $40 to $50 when distributed for sale.

Another well-known security vendor, McAfee, approaches the problem from a different angle. Their software tracks websites which are known to download spyware and warns the user before a download from a questionable website. The package called “SiteAdvisor” is free to download.

Check Point Software Technologies the makers of ZoneAlarm are adding a feature to its “Internet Security Suite 6.5” which will monitor black market sites, and notify you if your personal information is listed for sale. The package sells for $69.

Given the rise of spyware which reports personal information back to crooks, you should consider adding one of these tools to your supply of protection software.

Bits and Bytes – Blurbs Concerning Information Security

2006-12-29T09:36:00.000-08:00

McAfee recently announced it has made its 200,000th known patch for malware (software with an evil intent). McAfee, one of the top three providers of security software noted the threshold was passed 60% more quickly than when the 100,000th piece of code was discovered. This indicates the bad guys are working very hard to stay ahead of the good guys.

The government’s auditor, General Accounting Office (GAO), has conducted an audit on FEMA’s practices of assisting victims of natural disasters. The emergency organization issued $2,000 debit cards to most anyone who asked. The audit showed the records kept on the recipients included false addresses, invalid SSNs and fake names. The GAO has not put a final number on the losses.

Automatic Data Processing (ADP) claimed it was tricked into exposing thousands of investors’ personal information. Fidelity Investments, Merrill Lynch & Co. and Morgan Stanley all indicated customer data was affected. The details of the prank were not released. More than 150,000 individuals were put at risk for identity theft.

Microsoft has suggested users of Window’s popular Office software not download any Office type files from any source, even if the sender is known. A piece of malicious software called “zero-day attack” may be embedded into any of the Office application files including PowerPoint. Microsoft is working on the problem and expects a fix to be released by August 8. Examples of files that should be avoided are any Word documents, Excel spreadsheets, Access databases or PowerPoint presentations.

A recently discovered hole in McAfee’s software security programs could have allowed an attacker total access to a subscriber’s computer system. McAfee was beginning to work on a fix for the problem when it discovered the software had already been corrected through a normal update. It is great when we are smarter than we thought.

Be Careful About Personal Websites

2006-12-29T09:35:00.001-08:00

Many people take on a whole new persona on the web. They create personal websites showing themselves to be party animals in search of hedonistic pleasures. Unfortunately, once the information is available on the Web, it is out for public consumption, even if the actions are not true.

Younger people like to pretend they are more gregarious than reality would indicate in order to impress members of the opposite sex. One thing most do not even consider is that potential employers can also find these braggadocios remarks that may not endear them to a positive hiring outcome.

Even more of a problem is the removal of these sites. A recent report in “The Wall Street Journal” followed the trials and tribulations of Craig Pratt as he attempted to correct his online image. The biggest problem he had to overcome was the removal of his MySpace account. Only after several attempts did that happen.

Personal site owners also need to monitor the sites for postings by others. Your friends may leave messages about the next rave which may also be read by a potential boss. You may even show up to work and co-workers might inquire as to why they weren’t invited. Remember everything you post is open to everyone and that you should always portray yourself in the most positive way.

Different Approaches to Protection

2006-12-29T09:35:00.000-08:00

Every person who owns or uses a personal computer should take steps to avoid the heartbreak of being hacked. There are basically three tools that should be a first step toward defending your computer. These three pieces look at your system and remove or prevent bad acts from occurring. Required programs are firewalls, anti-virus protection and spyware removal tools.

Three different approaches can be taken to acquire the necessary tools. The first is to simply buy an all-in-one package which includes all three products from a single vendor. Among the advantages are the package may cost less than the individual components, you can load the entire suite of programs in one pass, the software works well together, and you only have one vendor to deal with should you have a problem.

Disadvantages of this strategy include a single-minded way of looking at the potential threats (sometimes hackers can skeak around this methodology), and should you find that you don’t like one piece of the product, you will then have to find a replacement that works with your existing parts.

The second approach is to buy what you consider to be the best product for each threat. The advantages of this approach include the ability to include some software that is free, and that you can have the best defense available at the time.

Disadvantages are: it is usually more expensive, it takes multiple installs, and some of the software may not run with other types of software (incompatibility).

The third line of attack is to load up on free software. The largest advantage is cost. Disadvantages are many in that tech support is often unavailable, many of the products will not work together (each thinks the other is a virus), and for-profit companies tend to update the freebie last leaving customers exposed in the mean time.

Great products are available, even in the free category, but the customer should be aware of the pitfalls before jumping head first into the installs. I’ve found that the adage: “You get what you pay for” can apply to protection software. The major players all sell packages and individual pieces so the customer has more choice.

New Software Detects Intruders

2006-12-29T09:34:00.001-08:00

Spectraguard Enteprise 5.0 allows businesses to monitor their own airspace. Wireless networks are becoming necessary in our busy and mobile world. This software can find where the connection is originating from and send an alert to information security personnel.

The product allows the business to register legitimate wireless products, then monitors the networked area for devices that are not registered. If it sees such a connection attempt, the software uses a decision tree to decide whether the access is of a friendly nature.

The package may even send a signal to the offending computer confirming a network connection. At this point the network software simply denies any activity while the information security personnel is alerted of the location of the suspect device. This is intended to hold the perpetrator in a range that can be easily inspected by personnel.

Spectragaurd Enterprise 5.0 received a very good rating from “eWeek Labs.” The solution is probably a little expensive for small businesses, but it would be an asset to larger or large volume data processors.

Xerox Protects Copiers

2006-12-29T09:34:00.000-08:00

Recent newsletters have addressed employee schemes to steal customer or confidential data. I haven’t touched on a very low tech manner of theft, where the employee simply copies the information on the office copier and walks out the door. This was how an administrative assistant at Coca-Cola was able to pilfer a secret formula that was later offered to rival Pepsi.

Xerox, one of the larger players in the copier, scanner, and fax world, announced it has implemented many security measures. The first enables the person who is making a copy to destroy data temporarily stored on a hard disk while the copying process continues. Thus, confidential information is rendered useless should an unauthorized person try to copy the machine’s memory.

A second feature, dubbed Internal Auditron, limits access to certain types of functions a client can use at the copier. For example, employee A may be allowed to fax documents under 5 pages twice a week, while employee B may not be able to fax at all, but is allowed copying access for 20 page documents that automatically shred after the task is completed. If an employee has a legitimate need for increased usage they must be granted permission from the administrator.

Since most Xerox machines are network enabled, a username and password may be required, and usage by each employee reported and monitored. Many of the machines have capability to log in at the copier for added convenience.

Xerox is also touting removable hard drives so employees can keep information in their possession throughout the copying process then removing the hard drive and storing it in a secure location (locked cabinet). PINs can be required before the machine can be used may be effective as well.

Even though we don’t often think of a copier as a tool for information theft, it is good to know the manufacturers are making product improvements with increased security measures.

Term of the Day: “Vishing”

2006-12-29T09:32:00.000-08:00

Computer users are becoming very familiar with “phishing,” an act of receiving an e-mail that seems to be from a legitimate source. The recipient is lead to believe there is a problem with their bank account as represented by the fake document. The victim is then asked to click on a link which asks for personal or private information.

The anti-fraud command center reports it has shuttered more than 10,000 phishing attacks. This large number can be multiplied by $1,200 (the average amount lost to a phishing attack). You can see phishing is still a major though declining problem.

We aren’t safe for long, because of the introduction of “vishing.” Vishing shares some similarity to phishing in that is originates from an e-mail sent to the intended target. The e-mail claims there is a problem with the e-mail respondent’s account. Rather than responding by e-mail, the message directs the intended mark to call a telephone number. The caller is then sent through an automated voice prompted system that requests information such as card number, PIN number, and even Social Security Number.

People need to be aware that this next big identity theft problem exists and has been somewhat effective. Most banks will call you directly if there is a problem with your account rather than notifying you by e-mail. They will never ask for a PIN number or your Social Security Number unless you are initiating a new account.

Be careful and you will avoid being among the first to be swindled by this new twist on a very effective scam.

Bits and Bytes – Blurbs Concerning Information Security

2006-12-18T07:35:00.000-08:00

In another breach of data entrusted to our government, personal private information on all fliers of the Navy and Marines for the past twenty years was posted on a website available to the general public. The release was blamed on human error (surprise). This is the fifth exposure of military personnel information in the last six months. Government often sets the rules; it is past time for them to play by the rules.

Speaking of government information exposure, employees at the IRS have been caught prying through personal tax records. Over the past eight years, the Treasury Department has investigated more than 3,700 cases of unauthorized access to personal tax records. Over 1,600 of these have resulted in “adverse personnel actions” and 126 IRS employees have been criminally prosecuted. Some of the breaches are simply financial voyeurism; some were used for personal financial gain. Given the current climate, I wonder if the IRS conducts pre-employment background checks.

A consortium of government agencies, corporations and universities started a research center to study Identity Fraud. After several years of billions of dollars in losses the center will begin its study based at Utica College. The Center for Identity Management and Information Protection (CIMIP) will be funded by grants and corporate donations of about $500,000. This amounts to about 1% of the annual loss. I visited the website, but as of yet they have not posted any announcement of any work being done.

The cost of a single data breach has reached $5 million. The costs include notification, legal fees and credit monitoring fees. Even though the costs are extreme, it seems we are observing as many major losses as we have in the recent past. I still think accountability has to be established and enforced. The VA employee who took home information on 26.5 million veterans is on paid leave pending dismissal hearings, along with one of his superiors, and another supervisor resigned. Company policies need to be explicit, upper management must be involved and accountability needs to be placed high in the organization before we will see significant reductions. We saw conformance with environmental laws and corporate governance only after legislation required accountability.

The recent arrest of three people trying to sell trade secrets developed at Coca-Cola to rival Pepsi revealed that two of the people involved had prior criminal records. This perhaps shows another reason to check out employees and potential employees, including personal web sites. Information Security Education, LLC can help you in this search.

Identity Theft Web Crew Jailed

2006-12-18T07:31:00.000-08:00

The Shadowcrew website was shut down in October 2004. Members of this online gang were rounded up in one of the most synchronized raids in recorded history. Twenty-one people were arrested in the United States and dozens overseas. Prison sentences are now being handed down to these miscreants.

Eighteen participants have pled guilty for their roles. Among them was Andrew Montovani, who co-founded the group, entered a guilty plea in November, 2005. At 24 years of age, he was sentenced by U.S. District Judge William Martini to two years and eight months behind bars. He was also ordered to pay $5,000 in fines.

This seems like a small sentence for the leader of a group of online thieves responsible for the theft of personal data on more than 18 million people. The data was purloined mainly through phishing activities. Phishing receives the results of sending fraudulent e-mails to which unsuspecting victims reply, revealing private personal information.

In total, the sentences ranged from three years probation to two and a half years in prison for seven more members of this mob. Shadowcrew was responsible for more than $4 million in damages over a two year period prior to being shut down by the Secret Service.

Companies Place Responsibility on Employees

2006-12-18T07:30:00.001-08:00

In the wake of huge increases in lost and stolen personal computers which contain personal private information of customers and employees, companies are updating policies concerning the use of laptop computers. The new rules include limiting who can remove data from the workplace as well as specialized training.

Information Security Education, LLC was conceived to help in this area. Having trained college students in the area of information security, I discovered that companies both large and small were not following even the most basic rules of data protection. It is heartening that some large organizations are beginning to pursue stiff policies.

Should employees be found in violation of the new policies, they will be disciplined up to and including termination of employment. I believe in a no tolerance policy and would recommend dismissal on the first offense. An employee who shows a reckless attitude toward sensitive data will show a callous disregard for other rules.

Some health care providers are even reconsidering the use of Palm Pilots and BlackBerrys. The companies are prohibiting employees from uploading and downloading data from the employer’s network. This is a first step, but companies should consider disabling USB ports on computers and even prohibitions on MP3 players in the workplace.

A single USB drive can store up to 2 gigabytes of information. The tiny “thumb” drive can be concealed in a pocket without detection. It only takes seconds to download files to the devices and out the door they go. Companies of all sizes need to be very careful about the way data is handled.

Companies should consider encryption of any sensitive data and require a connection to the owner’s network to decode any of the data. The process will require some costs and perhaps slow the process, but the value gained is far greater than the public mistrust created by a large data loss.

As an employee you should know your employer’s policies about working with confidential files outside the workplace. Take only the data needed, not entire files. It is your responsibility to make sure the information is encrypted and remains so. Do not use publicly accessible computers to peruse sensitive information, this includes copiers in public areas. Always log off and shut down your workstation before leaving your office for any length of time. Use locking and tracking devices on portable computing devices.

Can Buying T-Bills Online be Dangerous?

2006-12-18T07:30:00.000-08:00

According to a recent study, the government website which sells Treasury Bills online failed to take basic computer security steps. The site www.treasurydirect.gov sold $8 billion of the securities in the first half of its fiscal year.

Online investment sites Morningstar and Savings-Bond-Advisor.com have complained about this lack of security. Addresses, usernames, and passwords can be changed without the knowledge of the investor. Currently, private financial investment firms are required to send address change information to both the old and new address. Transactions must be followed up by at least an e-mail to the original e-mail account of the owner. This move helps an investor verify that a transaction is indeed legitimate and was initiated by the proper person.

Given the vast increase of online fraud, the Treasury Department should follow the same requirements as the private sector. In the past year fraudulent online checking account transactions have increased a whopping 104%. By not automatically notifying accountholders of changes, the government site may become a favorite target. The treasury site is susceptible to large scale phishing operations or watch keystroke logger programs.

Investors may print copies of transactions at the time of purchase, but no e-mail confirmation is sent. By simply sending a confirmation, the chance of fraud is reduced. Investors would also feel more comfortable with this procedure.

Employees Sue over ID Numbers

2006-12-18T07:29:00.001-08:00

Nine employees of Union Pacific Railroad have filed suit against their employer claiming the business put them at risk of Identity Theft. The employees claim the rail carrier, by using Social Security Number (SSN) as a computer search criteria, had exposed private personal information.

Many companies find it easier to use SSNs as an identifier, since it was already being used to file quarterly tax payments. Many insurance companies did the same, and many hospitals used the number for medical records. The health industry regulated by HIPAA is obligated to change this identifier. Most health insurance companies have complied by the January 1, 2006 deadline.

Even though Union Pacific does not use SSNs as an employee identification number, when an employee searches the company database for work schedules or insurance information, the number is required as a password to gain access.

The transportation company did disclose to its 30,000 employees the theft of personal computer from an employee’s home. The computer contained employee data including SSN. The company notified employees and retirees, offering to pay for one year of a credit monitoring service.

Social Security Number is considered by identity thieves to be the Holy Grail, as the crook can gain complete access to the victim’s financial history, and apply for new credit posing as the individual. The employees contend that the company should only use SSN for tax purposes.

This lawsuit may just be the beginning of many as some companies, schools, and health care facilities still use SSN as the primary identifier. Every consumer should review all identification material and ask any provider that uses SSN to find an alternative unique identifier.

Beware of Cashier’s Checks

2006-12-18T07:29:00.000-08:00

There was a time when a bank’s cashier check was as good as cash. This may no longer be the case. Recent events of cashier check and money order fraud are on the rise. Consumers and small business owners should be wary of the scheme detailed below.

I have had a couple of specific cases brought to my attention in the past month. The first involved a person who was trying to sell a timeshare. The buyer claimed to have received a sum of money either from lawsuit or other means. That person was then just going to have the total amount deposited into a bank and a single cashier check cut for the amount of the settlement. The cashier check would be made out to the seller of the time share. Since the amount was more than the agreed purchase price, the seller would send the buyer a check for the balance.

Fortunately, the person offering the timeshare thought there might be something amiss and called me. I walked through the situation and discussed the possibility of cashier check fraud. I did some research and found that even though a bank may accept a cashier check as a deposit to your account, the bank can later reclaim funds from your account, leaving you with the loss of both the merchandise and the amount of the refund. The lone exception to this rule is if the cashier check is accepted by the bank it is drawn on.

I explained this to the vacation spot owner. Upon receiving the document he called the issuing bank which happened to have a branch in his hometown to make sure he could cash the check. After the financial institution verified that funds were available, the check recipient went to the bank to cash the check. The bank immediately identified the document as fraudulent and refused to honor the transaction. The good news was the person was prepared for the result before it happened and did not transfer title of the timeshare or write the check for the excess of the proceeds.

The second instanced occurred when a local professional received a money order for future services. Enclosed was a letter explaining that the individual was to be traveling to the area and wished to have services performed while in the area. Any excess funds could simply be forwarded to a third party by return mail. The professional had never heard of such a request, and decided to investigate. She found the money order was a forgery and contacted the FBI.

If you have a big ticket item you wish to sell, or services that you provide, you need to be skeptical of any person who offers to send you a money order or cashier check in excess of the amount of the purchase. You should also take great care when dealing with anyone through the Internet or e-mail. Make sure you can verify the person’s address or phone number. You can do that by looking up the person’s phone number on Google or the name through whitepages.com. This helps establish the individual has a permanent residence to which law enforcement can respond.

If you do obtain a cashier check in payment, request it to be in the amount of the transaction only. If the check can be cashed at a branch of the issuing bank, then the obligation falls on the bank, otherwise the cashing bank will come back to you if the instrument is false. You should expect to show two forms of ID and file a document that goes to federal officials. In the event of fraud, investigators will start their work with you. Keep all documentation including e-mails of such transactions. Computer forensic experts do an excellent job of tracing the origin of electronic communications.

Remember, if something sounds a little out of the normal, it probably is.

Bits and Bytes – Blurbs Concerning Information Security

2006-12-14T09:52:00.002-08:00

All 26.5 million veterans whose information was lost due to a theft of a laptop and other equipment from an analyst’s home on May 3 are eligible for credit monitoring provided by the government. If you are affected, you should be receiving information on enrollment soon or contact your VA representative. If someone else is paying for it, credit monitoring may be worthwhile. Another way to Protect Your Good Name would be to purchase a copy of my book by the same name (unfortunately, the VA will not pick up the cost of the book).

Technology allows us to check on our pets when they are in a kennel, watch our children at daycare and even visit patients in the hospital. A new use of the same technology allows people to attend funerals over the Internet. I’m not sure how secure the virtual attendance systems are, but be sure the bad guys are trying to figure out how to use the same to take advantage of you or your personal information.

An employee of Equifax, one of three companies which provide credit reports on all Americans, lost his laptop computer which contained personal information on 2,500 of the 4,600 Equifax employees in Atlanta. The employee was disciplined for violating company policy (although we don’t know if he was fired).

An employee of ING Financial Services lost a laptop computer containing the data of 13,000 current and former District of Columbia employees. The computer contained personal information including Social Security Number. Again, no word on whether the employee is still with ING, after violating its security policy.

Over 1.3 million borrowers from the Texas Guaranteed Student Loan Corp. have had their personal information compromised. The data was stored on equipment that was reported missing. The equipment had been sent to a contractor, Hummingbird, Ltd. of Toronto. A Hummingbird employee downloaded and decrypted the information. No specific information was given on what type of equipment was lost (any guesses of laptop).

Thief Called “Classic Manipulator”

2006-12-14T09:52:00.001-08:00

When Judge Linda Reade sentenced Julie Raim in May, she called Raim a “classic manipulator” who had enough chances. Raim pleaded guilty of embezzling $87,332 from her employer. This was not Raim’s first brush with the law.

Raim had stolen wedding gifts in the past and was twice convicted of stealing from the same employer in Florida.

Reade sentenced Raim to the maximum recommended sentence of only two years and nine months and ordered Raim to repay the money she stole. When released she will be on supervised probation for three years. She will not be allowed to work in any job where she could be tempted to steal more money.

Had her employer requested a background check prior to offering her employment, they could have avoided the financial cost, the adverse publicity, and loss of customer confidence. Information Security Education, LLC is starting to do background checks for less than the cost of one hour of an attorney’s time. Isn’t that a small price to pay protect your company from a possible $87,000 loss? Call Steve at 319-210-0684 for more information on this protective measure.

How Private is Private Data?

2006-12-14T09:52:00.000-08:00

In the wake of the disclosure that NSA programs gather data from telephone companies for data mining purposes (the communications companies supposedly provide the government with call data including the numbers called from and to, as well as the date and time), a national uproar ensued, and Congressional hearings are being conducted.

It seems that no information about the account holder is passed along in the general disclosures. The government may obtain a subpoena by showing probable cause (which can be easily done by providing call numbers, date, time of day and length of call, if the other number had already been linked to criminal activity) compelling the provider to complete the puzzle with accountholder personal data.

Never mind that some enterprising companies have been selling this information over the Internet for about a year, and consumers have not voiced as loud an outrage. As a matter of fact, law enforcement has been paying data brokers for this information without need of a search warrant. Among the data broker customers are the Department of Homeland Security, the Justice Department (which includes the FBI), as well as municipal police departments nationwide.

Last week in a Senate Judiciary hearing, the Chairman and Chief Executive of AT&T, Ed Whitacre was questioned by Senator Arlen Specter of Pennsylvania. Whitacre continually replied, “The privacy of our customers is utmost [in importance] and we follow the law." When pressed on the issue, Whitacre continued to simply state, “We follow the law.” Specter even raised the possibility that the communications executive was in contempt of Congress.

During the same few days, AT&T announced it would change its privacy policy claiming that all personal data collected by the company during its normal operations becomes property of the telecom, and the business will use the information as it sees fit, including providing such information to law enforcement officials. The additional statement reads, “While your account information may be personal to you, these records are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others or respond to legal process.”

Expect more companies to watch the results of this change and probably join AT&T in claiming that personal data is company property.

Are Outside Auditing Firms Helpful?

2006-12-14T09:50:00.000-08:00

Ernst & Young is considered to be one of the best and largest accounting firms in the country. They conduct audits on many of the Fortune 500 companies to assure the investing public they are placing their money in good hands. But are companies like Ernst & Young concerned about the privacy of customer data?

In January, an Ernst & Young employee lost a laptop computer containing information on thousands of current and former IBM employees. The PC was stolen from the employee’s car. The employee handled tax issues for IBM employees who worked overseas. The information included names, dates of birth, genders, family sizes, SSNs and tax identifiers. Notification letters were not sent out until two months after the theft.

In February of this year, four Ernst & Young employees meeting in a conference room, had their laptops stolen (that’s right all four) when they left for lunch. Among the client information lost in the incident was data from Sun Microsystems, including social security numbers of employees even the president Scott McNealy. Cisco employees were also affected by this theft. It was later reported that Nokia employees were also involved. The same theft also left 38,000 BP employees vulnerable. It took only five minutes for thieves to jack the computers from the conference room, all captured on security cameras, but the thieves were never caught.

On May 3, this year another Ernst & Young employee lost a portable computer containing information on 243,000 customers of Hotels.com. This would be the third major loss of portable computers by the same “Big Four” accounting firm in less than six months. The most disconcerting revelation here is that the accounting firm also performs audits of companies to make sure that they are following policies and procedures to protect the financial health of the client.

Many companies depend on their accounting firms to advise them of best practices for information security. After three major data losses in six months, Ernst & Young has lost credibility on this subject. In addition, each of the incidents can be cited as direct violations of E & Y’s own security policies. The fate of employees involved in these disclosures has been available. Again, employees who constantly violate security standards are not only responsible for lost data, but for the lost confidence of customers. It was not very long ago when Arthur Anderson advised companies on accounting strategies that led to the collapse of large firms (Enron, Worldcom, McLoedUSA among others), which eventually led to the collapse of Arthur Anderson which no longer exists. Will Ernst & Young suffer the same fate as a result of the actions of a few employees who fail to value customer data or the rules that protect such information.

“I’m From the Government and I’m Here To Help You”

2006-12-14T09:49:00.000-08:00

This may be the busiest year yet for inadvertent personal information disclosures by our federal government. It isn’t even the end of June and the U.S. government is averaging one major data exposure per month. Since most federal agencies have large collections of personal data, we, the consuming public should raise our voices to our elected leaders to take the problem seriously.

In February, the Department of Agriculture, while complying with a Freedom of Information Act request, disclosed information on 350,000 people, including personal data such as Social Security Number. The root of the problem was traced to an employee in the department not following established privacy policies.

Things rocked along fairly well until May, when a Veteran’s Administration employee took a laptop and external hard drive home, against the VA’s security policy. The equipment was stolen from his home, affecting 26.5 million veterans, not only disclosing identification information, but in many cases also medical information. The employee was placed on administrative leave.

June has brought three major data losses. The first occurred when an IRS agent lost a laptop computer while on a commercial airline flight. The lost laptop contained tax records of 291 taxpayers. Then the Department of Agriculture (sound familiar) announced a hacker had infiltrated their computer systems to gain access to 25,000 employee records. Most recently, a Federal Trade Commission employee took home a laptop computer with personal data, which was stolen from his vehicle.

If you look closely at the items above you will notice that all but one instance was directly attributed to an individual employee who had not followed established security guidelines. The other instance can probably be traced to information security personnel who did not follow proper monitoring of security systems.

Most data loss can be traced to employees. In many cases, this would not be the first time the employee violated a policy or acted in an untoward manner. Business and government need to find out as much as they can about an individual before they are hired. The best way to do this chore is to conduct a pre-employment background check. An extensive search will include criminal and sexual offender records, a credit report, social security number verification and web sites. Information Security Education, LLC is pleased to announce the addition of these services. Call us at 319-210-0684 for more information

Another Case For Shredding

2006-12-14T09:48:00.000-08:00

Most Americans receive many offers for new credit cards each year. Most of us simply tear up the solicitation and go on our merry way. Is this action the most effective to deter someone from digging the torn application from the trash and apply for credit in your name?

Rob Cockerham had this question in his mind when he decided to conduct an experiment. He tore a credit card solicitation into many pieces and then taped the application together. He then changed the address on the form to his father’s home. Finally, he sent the completed request to the credit card issuer.

In a matter of weeks he received a call from his father, telling him that a thick envelope had been delivered by mail. Sure enough the envelope had a new credit card enclosed. Mr. Cockerham then notified the credit card issuer of the experiment.

The ABC Program 20/20 became aware of this trial and approached Chase bank, the credit provider in question. Chase claims the procedures have been updated and that the customer would not be held liable for any monetary loss. However, the victim would have the time consuming hassle of correcting his credit report.

You can verify and follow the plight of Rob Cockerham at www.cockeyed.com. This experiment shows once again the importance of shredding all unwanted solicitations that arrive at your home. If you do not want to shred, then simply collect items that should be shred and drive them once a month to your nearest certified document destruction service provider. They will assure that your junk mail is not used by identity thieves.

Bits and Bytes – Blurbs Concerning Information Security

2006-12-08T08:31:00.001-08:00

The FTC, BBB and NAID are working together to have a National Shred Day. This would be a single day on which Document Destruction companies would offer free services for consumers. Watch this space for more information.

A laptop computer belonging to an Aetna employee was stolen from his parked car. The computer contained information on 38,000 people. The individuals affected have been notified. Aetna is paying for credit monitoring services for those who may be vulnerable.

Earthlink has won a contract to establish a wi-fi network in Philadelphia. The contract calls for 22 free hotspots. Earthlink will charge most users around $20 a month for access to the network. Low income people will be able to receive services for a reduced rate. Earthlink will not charge the city, instead the company pays a fee to the city for the rights to provide the service and free accounts to city employees. Earthlink is also working on a project to establish wi-fi in San Francisco.

Notary Publics often attest a person’s signature on legal documents. Now the National Notaries Association is pushing an e-notary technology that allows special cryptography to be used as a manner of online notarization. People who are already Notary Publics can apply online to be an e-Notary for a fee of $24.95.

NextSentry has developed software used by law enforcement to track down online predators. The company is using similar technology for corporate security organizations to track employees that are violating company security policies. The main use will be to make sure sensitive information (customer data and company secrets) aren’t being sent outside the business.

Yahoo Instant Messenger Attacked

2006-12-08T08:31:00.000-08:00

Yahoo Instant Messenger is one of the highest volume messaging systems in the world. Users of this system are being duped into loading a worm believing it is a “safety” browser.

The worm called yhoo32.explr once loaded tries to send itself to people on the user’s buddy list (a list of people who are monitored for their online availability to chat). The program hijacks your home browser page and attempts to influence the user to go to a website that downloads spyware onto the PC. One of the programs looks like Internet Explorer even using a fake logo.

The virus also starts a guitar music loop whenever the PC is started. The music cannot be stopped and the infecting website becomes the person’s home page.

It appears that due to the sophistication of the attack, it is part of an organized computer crime gang. Should you be afflicted by this virus, let us know, we have some free software that will allow you to eliminate the problem.

Company Stops Distributing Rootkits

2006-12-08T08:30:00.000-08:00

ContextPlus has stopped distributing software that contained rootkits. I have done stories on rootkits in previous issues. Basically, a rootkit attaches to the operating system and allows a third party to collect information from your PC.

ContextPlus is an adware company. According to their website, they no longer guarantee the product or quality of customer information. The company has been the target of many class-action suits. It is illegal to use a PC you do not own without permission. The business is among those in a class-action suit mentioned later in this newsletter involving Yahoo!

ContextPlus is registered to owners in France and Poland. It is not known if the company is legitimate in any way.

The two programs most commonly placed on PCs are Apropos and PeopleOnPage. They are considered very advanced and are not detected by anti-virus or anti-spyware programs. You can do a search for these programs by typing the file names in a search of your computer (find Search from the Start Menu), should the search find the files you should delete them.

These programs collect information on the user’s browsing habits. Keystrokes can be logged and information is then transferred back to ContextPlus.

New York Judge Ruling Affects Computer Security

2006-12-08T08:29:00.000-08:00

An administrative law judge in New York has ruled that an education department worker was unfairly punished for surfing the web on company time. The judge’s opinion calls Internet play the same as reading a newspaper or accepting a personal phone call, in that it did not adversely affect the employee’s work.

Companies have instituted policies for workplace computers limiting personal access to protect the business from outside threats (viruses, Trojans and spyware). This ruling could cause many companies networks to be used as transfer points for malware.

Conscientious employees already know the damage that can be caused by unintended actions. In the last issue of this newsletter, I wrote about a study that found highly ranked search results contained spyware. An inexperienced employee surfing on a company computer can easily download this type of trouble.

So far, the ruling only affects New York public employees, but it will be looked at as a precedent in future employer-employee disputes.

Private companies need to establish and train employees on proper use policies. The Internet can be a valuable tool for employees, but is can also be a terrible disruption if used improperly. I get calls and e-mails almost weekly from people who have downloaded programs that have had unintended side effects.

Logan International Tests ID Technology

2006-12-08T08:28:00.001-08:00

Logan International Airport in Boston will test Radio Frequency Identification tags that will track both baggage and passengers. The system is designed to assure that passenger and luggage are traveling on the same plane.

As the passenger checks in at a self-service kiosk, his/her picture will be taken and tags will be printed as both boarding passes and luggage tags. Both will contain passenger profiles and photographs.

The passenger can then be tracked as they through the airport including boarding the flight. Their luggage will also be tracked. If a passenger fails to show up for the flight and leaves the premises, the baggage can be removed from the aircraft.

Boston Engineering is the firm conducting the tests. They believe the system can be used to increase air travel security. The tags can be read from as far away as 100 meters (about a football field).

Online Poker Players Lose More Than Rake

2006-12-08T08:28:00.000-08:00

Poker players who use online sites to play their favorite game may be losing more than money. The house takes a small amount from each poker pot called a “rake.” Players have decided to keep track of the amount of money that is being raked by online poker sites.

Players who have downloaded a Rakeback calculation application, may have also downloaded a Trojan virus that tracks usernames and passwords. The information can then be sent to the server that controls the downloads. A person then can use the login information to play poker on these sites as if they are the player with the Trojan program.

The act of an imposter can costs legitimate players as losses are added to the legitimate online accounts. Of course wins are also added to the accounts, but many more players lose than win. An abuser can even empty one account into another.

The program called RBCalc.exe is the problem. It was distributed by Check Raised of San Jose. RBCalc.exe also loads a file called Backdoor.Win32.Small.Ia. Users should look for both files and delete them.

This might be a good time for online poker player to re-examine the safety of playing online poker. Although no wide scale enforcement is currently underway, online gambling in the United States is not legal. There is also a bill winding its way through Congress which would make payment to online gambling sites by credit card a crime.

Since the servers which process the bets are not on U.S. soil, it is very difficult to slow the growth of online gambling. Most operators of these companies are being sought by American law enforcement. Since the activity is legal in the countries the servers reside, no extradition will take place. A few years ago, one gambling site operator returned to the U.S. to attend his father’s funeral and was arrested, but that is another story for another newsletter.

Bits and Bytes – Blurbs Concerning Information Security

2006-12-06T13:25:00.000-08:00

Symantec looked at three donated PCs to see if information had been removed. They found sensitive information including Social Security Numbers on the donated devices. Every person retiring a PC should make sure that data files are not only deleted, but written over. You can find programs on the web that write binary zeroes in every byte of a computer’s hard drive. The most popular ones are at download.com. You should always read the program description to make sure that the data will not be able to be recovered.

Gartner Group, the Boston area consulting firm, sees a consolidation in the anit-virus market. They claim that too many vendors offering similar products without differentiation will lead to companies combining. Since most users already have some form of the software installed, sales of new packages will slow. Consumers who are happy with the services they are using will simply buy upgrades, which are cheaper than new. The reduction of suppliers will lead to some confusion as customers will be forced into new products. This merging may led to slightly higher prices for consumers, as there will be fewer providers.

EMC has developed a product to be used as a virtual tape shredder. Some companies have replaced tape backups with disk backups called virtual tapes. The new offering will allow users to completely erase and remove these virtual tapes.

Not only are men the majority of perpetrators of computer mayhem, they are also most likely to be the victim. Men lose approximately $1.83 for every $1 that women lose to computer scams. Almost two-third of all victims are male. The most common scam involved Super Bowl tickets. California, Florida and New York had the highest rates of consumer complaints, but Alaska had the highest per capita statistic.

A new Trojan virus targets Microsoft Word. You can check you PC by doing a search for the following files: Trojan.Mdropper.H. or Backdoor.Ginwui. The attack is only aimed at Microsoft Word.

Yahoo! is being sued because its pay-per-click subsidiary allows companies that download software including spyware to use its service. The user clicks on an ad and software is automatically downloaded to the requesting computer. The suit was brought by an anti-spyware activist named Ben Edelman. Yahoo! stands by its practice. We will continue to report the progress of this suit.

Intel Increases Security

2006-12-06T13:24:00.000-08:00

Intel, the maker of Pentium chips, has announced a new product that will help users secure their personal computers. The new vPro series chip allows owners to become more proactive in the fight against computer intruders.

vPro will include dual-core processing which allows security applications such as firewalls, anit-virus and anti-spyware programs to run on the background processor. This will allow the PC to run at faster speeds for normal processing, such as Office applications.

The new chip contains a security processing area that people can use to run programs that monitor network traffic looking for unusual activity. Snort is a free application that consumers can use to watch such network activity.

Symantec, the maker of Norton products, has jumped on board developing software that will use the new features. Many consumers tend to skimp on security protections because they make PCs run slower.

Intel also claims the new chip will include a 40% increase in processing speed using less power.

Although the initial release of this chip may be a little expensive, those who use their PCs for business should consider the upgrade. If you wait awhile the price will certainly come down.

Search May Find Spyware

2006-12-06T13:23:00.001-08:00

A recent study by McAfee, Inc., the virus and spyware protection company, found search results often pointed to sites which downloaded spyware to the target computer. The sites usually showed up in the top five results either as paid advertisements or in the free portion of the search.

Typically, the results were found when searches were conducted by computer users trying to find free programs and services. Some of the activities already considered illegal, such as downloading music for free, are often laced with malware. Many of these misguided actions prosper because so many people are trying to beat the system.

In almost two-thirds of searches for free screensavers, sites that contain spyware were listed at the top.

Bearshare, Limewire, and free ringtones are the most obvious areas where spyware appears. Some recording artists, in particular Madonna, have placed spyware on music sharing sites to discourage illegal downloads.

Consumers should be aware of the activity on your home computer. If you have children, especially teenagers, talk to them about the damage that can be done by spyware, viruses and Trojans. If your computer is invaded by such malware, Information Security Education, can help clean it up.

IRS Rules Harmful to Consumers

2006-12-06T13:23:00.000-08:00

Consumers who use tax preparation services may have put their identities at risk. New rules allow tax preparers to sell information to third parties. Most of the time third parties simply target these customers for products and services, but others may try to use the personal information for identity theft.

Taxpayers are required to provide Social Security Numbers (Taxpayer ID) and the amount of money you make, in order to produce a tax return. By examining this data, companies can determine whether you are a good credit risk (a gold mine for identity thieves), and important for marketers of credit cards.

The rules allow electronic signatures to provide consent for the processing and release of data. Consumers must be provided with procedures similar to the privacy policies of credit granting institutions. The client is allowed to opt out of information sharing (highly recommended).

Tax preparation companies are required to inform the taxpayer how the information will be shared.

As with sharing of any personal information, be it personal, medical of financial, the wise consumer should always read the privacy policy and follow the instructions to opt out of information sharing.

SEC warns of “Autosurf” Scam

2006-12-06T13:22:00.001-08:00

The Securities and Exchange Commission has issued a warning to consumers involving “Autosurf” businesses. These businesses claim the computer user will make money by surfing the web and clicking on banner ads.

Most of these companies, most notably 12DailyPro, promise customers large returns if they join the program. The new member can sign up for free, but cannot collect for their activities unless they upgrad to a paid membership. The company would then claim to need more and higher fees to guarantee subscribers a larger return.

12DailyPro is accused of deceiving more than 300,000 people out of $50 million. The SEC claims the company was nothing more than a Ponzi or pyramid scheme.

Charis Johnson, the operator of 12DailyPro, first claimed her business practices were legitimate, but later agreed to an asset freeze proposal. Johnson funneled money through PayPal, an E-bay subsidiary. PayPal claimed that the businesses looked legitimate to them.

Other “Autosurf” businesses are NetInvestAutosurf.com and 123eTraffic. Consumers should be very wary of any “Get Rich Quick” scheme by following the adage, “If it sounds to good to be true, it probably

Millions of Veterans Identities Stolen

2006-12-06T13:22:00.000-08:00

A data analyst for the Veterans Administration took home a laptop computer containing personal information on more than 26.5 million veterans. The computer was later stolen from his home making it the second single largest loss of personal information. The information on these veterans contained name and Social Security Number, enough information for an identity thief to apply for credit under assumed names.

Policies at the Veterans Administration do not allow workers to take sensitive personal information on clients off the government premises. The data analyst has been placed on administrative leave. I believe that he should be charged as an accessory to the theft, by intentionally violating government policies, he permitted the data to be in a place where it could be easily stolen. Should the information be used in identity theft, the analyst should also be charged in those crimes. By making the punishment actually tie to the original act, the consequences may deter others from knowingly careless behavior.

The fact that employees have so little concern for the information with which they are entrusted is very disturbing. I have reported on more than a dozen similar instances in the past year.

Authorities think the burglary was simply a random act. The intruder may not know the value of items stolen, as there have been many thefts in the neighborhood where the employee lives.

The VA has mailed letters to all affected individuals with instructions on ways to check and monitor their credit records. Additional protection for any vet would be a copy of my book.

Veterans as well as any other person are entitled to a copy of their credit report once a year from each of the credit reporting agencies. Everyone should develop a strategy of checking credit reports every four months by rotating the free credit reports among the reporting agencies. You can obtain a free credit report at www.annualcreditreport.com.

Bits and Bytes – Blurbs Concerning Information Security

2006-12-05T08:26:00.000-08:00

Tina Stroud of Cedar Rapids was charged with opening two accounts in the name of a former roommate. One of the accounts involved a cell phone. With many high school graduates heading to college soon, this is a good time to teach young adults the importance of keeping personal information private. My book Protect Your Good Name! (From IDentity Theft) makes a great graduation gift. Consider giving it to anyone you feel needs this important information.

Soccer fans should beware of a virus currently circulating. It masquerades as an Excel spreadsheet to help the user track teams participating in the World Cup Soccer matches. Once the machine is infected, the virus sends itself to people in the user’s e-mail address book. Two versions exist at this time, can check your computer files by conducting a search for either “XF97/Yagnuul-A” or “Troj/Haxdoor-IN.”

I have received several e-mails in the past week about a jury duty scam. The intended victim receives a phone call claiming the person failed to show for jury duty. The caller will then want to verify the identity of the potential juror by asking for Social Security Number or threatening the person with jail unless given either SSN or a credit card number. I first reported this scam in the November 2, 2005 newsletter. It is making another round.

MSNBC has reported that services charging a monthly fee to protect your identity are not worth the cost. The report cited actions consumers should take on their own to reduce personal vulnerability. My book Protect Your Good Name! (From IDentity Theft) contains all of suggestions in the news article and much more. The retail cost of the book is $19.95 as opposed to $120 per year for these services. I reported on these services in the September 21, 2005 newsletter, noting that some homeowner’s insurance policies may provide adequate coverage for as little as $25 annually, making the book a bargain.

Microsoft has touted its new operating system Vista as being the most secure it has ever created. The Yankee Group has tested the product, listing doubts. The consultants don’t attack the software itself, but claim it is unwieldy. They believe its complexity will encourage users to search for other alternatives to secure company computers.

Apple Computers have celebrated the fact their systems have been largely untouched by the increasing number of attacks. Unfortunately, virus writers have stepped up attacks on the Mac. In the last three years, the number of different infections aimed at the machine has increased faster than the rate for PC users. This may be attributed to the ratio of malware already in place. In the past Mac users thought they had safe computers, but in reality, the criminals have been focused on PCs because there are simply more of them. With so many security companies honing in on solution for PCs, the bad guys are aiming for new and fertile fields to ply their trade.

Prison Awaits 20-Year-Old

2006-12-05T08:25:00.001-08:00

Jenson James Ancheta will be spending his early adulthood behind bars. The 20-year-old was sentenced to 57 months in federal prison for operating a robot network which he rented to spammers. This is the longest sentence to date for such abuse.

Ancheta also used his network to spawn attacks on web-based businesses. He would set a synchronized time for thousands of computers to send multiple requests to the target computers. The servers would soon be overwhelmed and shut down.

After serving his prison time, Ancheta will be on three years of supervised probation. In addition, he was ordered to pay the U.S. Naval Air Warfare Center in China Lake, California, $15,000 in restitution for damages caused. He will forfeit $60,000 in illicit gains.

The original indictment contained 17 counts accusing him of controlling more than 500,000 computers. Ancheta pled guilty.

During sentencing U.S. District Judge Gary Klausner told the convict, "Your worst enemy is your own intellectual arrogance that somehow the world cannot touch you on this."

I originally reported on Ancheta’s arrest in the December 1, 2005 newsletter, noting that he claimed not to know how many computers he controlled.

Helder Still Being Held

2006-12-05T08:25:00.000-08:00

Luke Helder is still in custody in a medical facility in Rochester, Minnesota. You may remember him as the mailbox bomber who placed 17 pipe bombs in private mailboxes on a cross country spree.

I cited his actions as an example of why mailboxes are not only an unsafe place for your personal data, but can be potentially dangerous. Several people were maimed during the May, 2002 crime wave.

Helder is considered incompetent to stand trial at this time. He is diagnosed with a number of separate illnesses.

I chronicle his escapade in my book. Since that time many instances of pipe bombs and other dangerous articles placed in mailboxes have been reported. I list ways to protect yourself from such dangers in my book. The first step is to either remove that tin box or replace it with a locking mailbox.

Hacker To Be Extradited

2006-12-05T08:24:00.000-08:00

Gary McKinnon, 40 of Great Britain will be coming to the United States, but instead of a vacation he will be facing charges of breaking into military computers. He could spend up to 70 years in one of our fine correctional resorts and be fined up to $1.75 million.

McKinnon’s antics include accessing 97 government computers including some at the Pentagon, Army, Navy and NASA. His is considered the “biggest military hack of all time.” Government officials claim over $700,000 in damages occurred.

The Brit, who used the screen name “Solo,” admitted to gaining access to the computers but denied causing any damage. He fought extradition claiming to be "already hung and quartered over there" declaring he could not get a fair trial.

The year-long attack started in February, 2002, causing great concern in the wake of the attacks of September 11, 2001.

McKinnon claims he was able to gain access to military computers without even entering a password. The intruder simply claimed to be researching the existence of UFOs. Security analysts say the attacks have underscored the lack of security on some of the most valuable computer systems in our government.

Spyware Seller Fined

2006-12-05T08:23:00.001-08:00

Sanford Wallace was ordered by the U.S. District Court in New Hampshire to pay $4 million in fines for planting spyware on computers. The case, the first such pursuit by the FTC, was filed in 2004.

Wallace’s scam started with pop-up ads that would imply the targeted PC had been infected with spyware. When the user clicked the ad, spyware would be downloaded to the computer. Pop-up ads would then circulate through the computer aggravating the owner.

A second ad would guarantee to remove the infection by simply buying a program either called “Spy Deleter” or “Spy Wiper.” Purchasers were charged $30 per copy.

Wallace and his company SmartBot.net are barred from spreading spyware.

Consumers should check their computers by doing a file search for the existence of either of the programs. A civil suit will probably be filed soon on behalf of computer owners to recover money taken in the scam.

Data Sellers Charged

2006-12-05T08:23:00.000-08:00

Five companies are being charged by the Federal Trade Commission for “pretexting,” gaining access to private data (telephone records and credit card statements) under false pretenses.

AccuSearch operating as Abika.com, 77 Investigations, CEO Group operating as Check Em Out, Information Search, and Integrity Search & Investigation Services are accused of unfair trade practices. The businesses advertised the services as a way for spouses to investigate suspected unfaithfulness. The information was being sold anyone to who paid the fee.

The FTC maintains that the services offered by these companies amounted to disclosing non-public personal information. The Internet allowed these providers to expand their reach worldwide.

The practice has gotten the attention of Congress, but the glacial pace of legislative reform caused any action to fall to the FTC.

FTC officials have filed charges against individuals employed by these companies who actually pretended to be cell phone and credit customers, asking for copies of detailed billing records.

Private investigators, law enforcement and others legitimately use the above services to track movements of people under surveillance.

Bits and Bytes – Blurbs Concerning Information Security

2006-11-30T08:59:00.001-08:00

Homeland Security is now using Social Security Numbers to find illegal workers in the country. It has been a Federal regulation for years that employers not hire anyone not legally permitted to work in the U.S. By tying Social Security Numbers (obtained through the IRS) to enforcement, the government is tearing down a previously constructed wall between agencies. Anyone who has started a job in the past 15 years is required to provide a Social Security Card or birth certificate. Secretary Chertoff alluded to the use of 000-00-0000 as an illegitimate SSN. Employers can be fined for violations.

The recent security update released by Microsoft has caused as many problems as it may have corrected. Many users are reporting computers that lock and sluggish results running Microsoft Office products. Microsoft has released another patch intended to repair the previous problems. The question that begs to be asked, “Has Microsoft created software that is too overwhelming to be maintained?” Computer users will know the answer by the number of patches released to fix patches that create further problems.

Information Technology professionals are expecting spending on security measures to increase by more than 10% over the next year. This signals the priority of security in the management process. Many institutions have not taken the threats seriously. Many organizations are expanding the fight against criminal activity based on personal experiences.

The Federal government has funded a startup company called Komoku located in College Park, Mayland. This company has developed both hardware and software to battle rootkit challenges. Rootkits are computer programs that dig into the operating systems to collect sensitive information like usernames and passwords. This software then passes the stolen nuggets back to its creator so the criminal can mine computer systems for other more valuable information. The project is being funded by DARPA a group within the Department of Defense.

RSA a leader in automated security solutions has acquired Passmark Security. The company claims this addition will help them meet two-factor authentication required of financial institutions for online processing by the end of the year. Passmark brings to the table software for voice authentication as a possible second security check.

The state of Oregon has instituted a new system that helps different levels of first responders work together. The computer network links public and private sector security operations from fire departments to mall security so they may coordinate activities including traffic control and staging in emergency situations. The Regional Alliances for Infrastructure and Network Security or RAINS has already been used in fighting fires.

Document Destruction Can Be for Everyone

2006-11-30T08:59:00.000-08:00

Document destruction and recycling service businesses have sprung up across the country. This industry has established standards and education for service providers. The National Association for Information Destruction is the overriding group providing certification and self policing.

Many private companies are required by law to use these companies to safely discard sensitive customer and company proprietary information. Sarbanes-Oxley, HIPAA, and financial regulations have contributed to the growth of this method of information protection.

Many providers of the service utilize mobile units to destroy documents at the customer site. Others collect original data from locked storage compartments and transport the material to a central controlled location.

All certified members are required to annual audits conducted by the trade group. All employees must pass background checks.

I recently toured the Document Destruction and Recycling Services facility in Cedar Rapids. Les Etscheidt, the Operations Manager of the plant gave me some insight into the process. I appreciate the time Les spent with me. He also provided information for this article.

Paper is shredded and baled all in a controlled and locked environment. The bales remain under the group’s control until it is safely at the recycler. Services are also provided for non-paper storage. Data is removed or destroyed in accordance with Department of Defense standards.

The service is not restricted to business. Individuals who do not want to shred and protect personal information can simply drop off items at the center for destruction. Prices are reasonable, especially if you have a fairly large amount of information to eliminate.

Document destruction services will continue to grow as more businesses are required to comply with federal requirements.

Remote Deletion Software Reviewed

2006-11-30T08:57:00.001-08:00

E-week magazine has reviewed Computrace by Absolute Software. I wrote about this program that can be used to delete data from lost and stolen laptop computers in the last issue of this publication.

Researchers rated the products as good overall, with an excellent rating in the category of resilience. The company also offers a product called Computrace Complete that includes a $1,000 recovery guarantee for tracking lost or stolen computers.

The program can be purchased for about $35 per unit ($53 if you include the tracking capability). It was given an easy to install and use rating. Any device reported as missing can be set to “self-destruct” by the software manager at the central computing location. Should the AWOL appliance try to attach to the organization’s network the data will perform a disappearing act.

Drawbacks to the software exist. Should the equipment not be linked to the home organization information can be copied, stolen or used by people with bad intent. Organizations still need to require encryption that necessitates network access for keys to make files readable again.

Deadlines Come and Deadlines Go

2006-11-30T08:57:00.000-08:00

Health Insurance Portability and Accountability Act (HIPAA) regulations dictate deadlines for the health care industry to protect patient information. It is unfortunate that people in the industry has taken the guidelines lightly.

Privacy requirements were initially set to be implemented by April, 2003. Only 84% are in compliance three years after the due date. Simple changes like removing Social Security Numbers from insurance identification cards were not complete until January 1, 2006, despite the requirement deadline of July, 2004. Only about half of the entities are in compliance with removal of SSN as the identification number.

Many organizations have simply decided not to implement the standards. The lack of enforcement promotes a pervasive attitude of providers, “What are you going to do to me, I am a provider of health care!”

Reality has set in. The government has not been effective in compelling providers to meet the legislated demands. HIPAA is not enforced in the same manner as Sarbanes-Oxley and will not receive the respect of those regulated until some examples of enforcement can be cited.

Patients should carefully read the privacy policies of health care providers. They should also note whether sensitive information, such as their Social Security Number has been removed from documents, most notably insurance cards. NOTE: Medicare patients will not see a change if the Social Security Administration is their health insurance carrier.

New Government Post for Privacy

2006-11-30T08:56:00.000-08:00

Alex Joel has accepted the newly created position of Civil-liberties Protection Officer of the U.S. Office of the Director of National Intelligence. This job was created to alleviate public concerns over government intrusion into citizens’ privacy.

Mr. Joel’s father was a U.S. aid worker in Guatemala during its civil war in the 1970’s. He was exposed to searches by armed soldiers for apparently no reason. It will be his job to assure that government-related agencies do not disregard boundaries.

In February, Jane Horvath was named Chief Privacy and Civil-liberties Officer at the Justice Department. This is also a new job created to calm the public’s fears of domestic spying. Horvath’s work will focus on tactics used by Justice officials (FBI, e.g.) in the investigation of domestic criminal activity.

Since September 11, 2001, the expectation of government to provide security to its people has been amplified. This new challenge must also be balanced with the rights and civil liberties established by the Constitution and the Court System over the years. Law enforcement could easily overstep its authority without oversight.

It is my hope that a sensible balance in protecting the public’s right to privacy and the overall responsibility for the safety and security for that same public can be achieved. It has been my experience that if both sides are a little upset, then progress is being made.

New Payment Device

2006-11-30T08:55:00.000-08:00

In addition to storing your phone list, saving pictures and ring tones, your cell phone may soon be used to make payments. Several options are in testing for using cell phones as payment appliances. Both MasterCard International and PayPal are developing very different ways of settling debt.

PayPal is testing text messaging for payments to vendors who do not accept credit cards. The new service will allow subscribers to transfer funds and authorize payments for services like babysitting or lawn care, by text messaging the directions for payment.

MasterCard wants to expand touchless payment systems to cell phones which already contain transmitter capabilities. In essence, the portable device becomes an electronic wallet.

The idea is not new. In Europe and Asia, the use of cell phones as purses has already reached billions of dollars.

As a realist in the area of information security, I am very concerned that users will leave important financial information unprotected and vulnerable to theft. Loss of cell phones is a very common occurrence. I can easily imagine the day when someone finds a cell phone on the sidewalk and immediately goes on a spending spree.

The use of passwords and other security measures can slow the unintended use of the new technology. Be aware that unsavory elements spend as much time breaking advancements as companies do inventing them.

Bits and Bytes – Blurbs Concerning Information Security

2006-11-27T08:59:00.000-08:00

Microsoft recently released patches which included ten repairs to its Internet Explorer product. The patch is significant in that some of the vulnerabilities would allow a remote user to take control of your PC. Users should install the patches as soon as possible. Given the trouble with Internet Explorer, some might wish to consider alternatives like Mozilla (which also recently issued a security fix) or Opera. Opera is the most popular browser program in Europe. The program offers many features including magnification for those with poor eyesight.

Shoppers in the bazaars around Baghdad and Afghanistan are finding computer hard drives with information from the U.S. military on them. It seems that the disks were stolen from U.S. bases by locals working as contractors. Personal information of service personnel have been reported on the devices. The information is enough for an identity thief to ply his trade.

MySpace.com a website used by millions to set up free personal websites has hired its first security director. Hemanshu Nigam brings 15 years of security experience from Microsoft to his new job. MySpace has been criticized for exposing teenagers to sexual predators.

Software is being downloaded to PCs and servers that will cause a request to legitimate bank websites to be redirected to fake sites that gather your logon information. Many of the fake sites have been found to be hosted on servers on Russia. The fraudulent site looks like the real deal, but exists only to capture you information. Many sites have been shut down, but the redirection programs update themselves to go to another fake site. Always double check the URL in the address bar of your browser to verify you are at the correct site.

A new computer virus has been developed that affects computers using Microsoft operating systems as well as Linux. Linux was often touted as the safe alternative to Windows, but given this advancement by the bad guys, the malicious programs will deliver evil no matter the operating system.

IBM has announced the ability to create encryption programs in small microprocessors. These small chips are the root of cell phones and PDAs. The new technology should allow mobile devices to increase their security by using sophisticated encryption algorithms. We will see how it is received.

Russian Mafia Back in Business

2006-11-27T08:58:00.000-08:00

Operation Firewall took out 28 co-conspirators in an Internet crime spree. The group sold credit card numbers and committed online bank fraud. The Russian mafia was found to be involved, but not badly hurt.

Like a Poltergeist “they’re baaaaack.” This time the organization seems to be a little less willing to let just anyone in their circle. Credit cards, botnets, eBay and PayPal accounts are included in the “product offerings” being sold online.

The criminal enterprise is also suspected of using online extortion by taking control of a computer and demanding ransom for the instructions to eliminate malicious software. I reported last time on a program that supposedly allowed users to watch movies on computers. The software demanded payment even if the computer owner had not ordered the product. I wonder if this is one of the ways these crooks operate.

Like major corporations, the Russian Mafia is recruiting highly skilled computer professionals on Russian language websites. The positions offer large salaries for people possessing coding skills that can stop (denial of service) websites. Teenagers are of prime interest as they may not yet be ready for the legitimate computer programming market. Ads showing up on Monster.com seek to hire people to be “money mules,” laundering cash across borders. The jobs called “private financial receiver," "shipping manager," or "country representative" are really low level mafia positions.

Another target of the gang is corporate secrets. The information is then offered to competitors or held for ransom. Once an organization loses its competitive advantage, the secret then becomes a commodity like paper, lumber or oil.

The group has been known to track down people trying to cause damage to their kingdom, even showing up at the person’s home and beating the interloper.

There appear to be many operations in business, as evidenced by turf wars that are springing up. Different gangs will war over botnets or targets for denial of service. They may even target each other. On robot network changed hands three times in the same day. It is far easier to steal an existing network than create a new one.

Law enforcement is working to identify the participants and break up the families, but cooperation must be coordinated among many law enforcement agencies and different governments. If such agreement existed we might have taken in the ringleaders during “Operation Firewall” two years ago.

New Summer Camps Spring Up

2006-11-27T08:57:00.001-08:00

Computer security professionals are heading to camp. These boot camps located around the country teach Information Technology professionals to think like computer criminals. The promoters quote The Art of War by Sun Tzu, “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”

Campers are encouraged to find computer servers (in a controlled environment) that contain sensitive customer information. Points are given for determining vulnerabilities in the systems, taking advantage of those weaknesses and stealing data. Extra credit can be obtained for causing the server to shut down.

All of the actions taken during these sessions are legal and supervised. Participation in such exercises allow computer professionals to better understand the threats directed at their systems. Once the employee becomes proficient at these intrusion techniques, he may seek permission to attempt such exercises on his employer’s systems.

Seminars and boot camps that train professionals about the mindset of criminals is a far better option than hiring hackers who promise not to continue criminal activity. My seminars emphasize that once a person has violated a trust, it takes a very long time to redeem him/herself. No organization should knowingly hire a person who has gained unauthorized access to a computer system.

Insurance Companies Rush to Our Aid

2006-11-27T08:57:00.000-08:00

Homeowners can now add identity theft protection to their insurance policies. Most major carriers have offered the additional coverage over the past year. Only one major insurance firm, State Farm automatically includes the coverage.

Riders can be added on plans from other companies starting around $30 a year. Farmer’s and MetLife only allow the option on elite policies. Most of the companies use a service called Identity Theft 911 to help policyholders restore their credit.

Some providers are considering extending the ability to auto coverage as well.

The addition of identity theft coverage on existing insurance policies may be worth considering. The company can do the legwork and make calls for the insured, reducing both the out of pocket costs and time consumed to regain your previous financial status. Many services offered by third parties can cost as much as $20 a month. At rates of $30 to $40 a year, the coverage seems to financially feasible.

New Software Cleans Lost Laptops

2006-11-27T08:55:00.001-08:00

Absolute Software has introduced (in Beta version) a new computer program called Computrace Data Protection. The software currently being tested claims to locate lost or stolen laptop computers and “clean” data from the device’s hard drive.

Several companies and colleges have reported lost or stolen laptop computers since January 2005. Organizations that have shared this experience include: Wells Fargo Bank, Ameriprise Financial Services, University of California and Oklahoma State University, to name only a few.

Should a portable computer be lost or stolen, the IT security staff would be notified and alerts would be sent to the software. When the computer is powered up and connected to the Internet, it would be identified and then Computrace will erase and destroy file traces (computer files are not actually erased when deleted by removing the traces the data is rendered unusable) to standards equal with the Department of Defense.

The software will available for corporate grade laptop computers built by the major manufacturers since the summer of 2005. This new system should offer another level of protection to companies that allow employees to take portable computing devices from the employer’s premises.

Advances continue to be made to protect us from ourselves. Although technology can destroy data should a valuable company asset fall into the wrong hands, policies and procedures must be in place and followed to reduce the occurrence of data exposure

New Credit Cards Gain Enemies

2006-11-27T08:55:00.000-08:00

MasterCard, American Express, Visa and Exxon among others have instituted a new type of credit card that need not be passed through a reader. The card contains tiny antennae that transmit the cardholder’s information when the card is simply without contacting the reading unit. Each of the companies has come up with a proprietary name for these cards such as PayPass, Speed Pass, and ExpressPay.

Some people who have received the new technology have taken drastic measures to destroy the devices. It seems many cardholders believe their personal information is put at risk by broadcasting financial information to any receiving device. Although the concern is plausible, card issuers claim the signal will not exceed two inches. Tests have indicated the payment technology can be read as far as 18 centimeters (just over seven inches).

Card issuers are also using encryption and other safety features to protect customer data from being stolen through casual contact or in a crowd. American Express tested its system in its corporate cafeteria by having over seven hundred employees use the device.

Customers have been receiving the cards over the past few months. Several of the recipients have gone to great lengths to disable the card. One user tested his card at a gas station then proceeded to smash the card to pieces with a hammer. Other people have gone as far as nuking the technology in microwave ovens. These activities have spawned a new industry marketing devices designed to disable or render the transmitter embedded into the plastic payment system useless. Among the items offered is a wallet that does not allow precious personal information to be emitted.

The International Standards Organization (ISO) has issued a directive called ISO/IEC 14443 which specifies how a contactless payment system must work. The standards call for low power communications, but do not specify maximum transmission field in length.

I often tell my audiences that reasonable care be taken without succumbing to paranoia. Perhaps a consumer who is very concerned about these new ways to travel in a cashless society should consider the protective wallets. To take further steps, such as destroying your card with a hammer may be considered slightly paranoid.

Bits and Bytes – Blurbs Concerning Information Security

2006-11-20T13:25:00.000-08:00

Another form of ransomware was brought to my attention last week. The program called either “MoviePass.tv” or “Movieplayer.tv” may be downloaded to your computer by responding to either a pop-up ad or SPAM. This program will at some point take over your system and demand you pay either a subscription to keep it or a fee to get the instructions to delete it. You should do neither. If you are attacked by this virus let me know or search the Internet for simple solutions.

McAfee recently shipped an update of its anti-virus programs that flagged legitimate programs as viruses. Among the software marked as trouble were: Excel, Google toolbar, Macromedia Flash Player, and Adobe Update Manager. McAfee has since fixed the problem.

Some Tax Preparation services are sending personal data overseas for processing. Tax preparers are also allowed to sell personal information to third parties for marketing purposes. This data includes personal and financial information that could be used by an identity thief. Most customers were unaware of this practice. The IRS has changed its disclosure policy, not to stop the transfer of data, but to notify the customer. Notification must be made on a separate document. Be sure to read all disclosure information before having your taxes done by a service. Always opt out of any sharing of information for marketing purposes.

Elliot Spitzer, New York’s Attorney General, is going after Gratis Internet claiming the company used the lure of free iPods and DVDs to collect personal information. The company is then alleged to have sold the data to third parties who then used the booty for e-mail (SPAM) lists. Gratis denies the charges. In a similar suit, Datran Media agreed to settle for $1.1 million and reform its practices.

Leslie Ann Cady, of Coralville, Iowa was arrested for using a family member’s identity to purchase $17,850.63 woth of merchandise. Ms. Cady was on probation for (you guessed it) an identity theft conviction. It seems identity thieves don’t break their habits easily.

Los Angeles County is notifying 94,000 clients of the Public Social Services agency that their identities had been compromised. Apparently, documents that had not been shredded were placed next to a recycling bin last January.

The Weakest Link in Information Security

2006-11-20T13:24:00.000-08:00

A new report from the Wall Street Journal suggests that laptops may be the weakest link of information security in a corporate environment. Laptops are often taken off premises by employees as a convenience. The employee often carries customer, employee, or other sensitive data out the door as he/she leave the office.

In the past year, many laptops have been stolen after being taken from the workplace by a trusted employee. Hewlett-Packard Co., Ameriprise Financial Inc., Boeing Co. and Verizon Communications Inc. are just a few of the organizations that have had at least one laptop computer go missing in 2005.

Experts confirm employees using laptops seldom encrypt sensitive information before leaving the office. The employee involved in the Ameriprise incident was terminated for not following company policy including encryption of data.

Employees are also careless as to where they leave the computer. At least two of the above incidents involved computers left unattended in a car. Many companies require the laptop out of the workplace to be in the employee’s direct care at all times. This is the preferable situation because theft or loss is noticed by the employee much more quickly.

Laptop computers are capable of containing huge amounts of information including customer databases, payroll systems and company policy and procedure manuals. Employees who are trusted to use laptop computers away from work must respect the responsibility entrusted them. It could also help if companies would add a few safeguards including: mandatory encryption of files, physical locks on laptops leaving company property, GPS locator systems on the computers, and removing access to corporate networks when a laptop is reported missing (rendering it unable to decrypt data).

Teamwork between employer and employee can lead to far greater data security than we saw in 2005.

Trojan May Make You Cry

2006-11-20T13:23:00.001-08:00

A Trojan Horse program will look for files in your computer only to take ownership of them. The infection called Cryzip looks for files from Microsoft Office applications as well as databases and other commonly used files.

Cryzip then encrypts the files and places them in a zip file. At this point the user is notified that his/her files have been commandeered by the rogue application. A ransom of $300 is demanded to return the files in their previously readable form. The payment is expected to go through the e-gold online payment system.

This particular irritant is downloaded through spam. After being downloaded, when the computer user tries to open one of the encrypted files a message appears saying, “Erased by Zippo! GO OUT!!!”

The user is instructed to pay the ransom to retrieve a step-by step instruction guide for decrypting the affected data. This attack is widespread, so remember my advice and NEVER respond to spam in any way.

Government Fails Test

2006-11-20T13:23:00.000-08:00

Computer security is a central tenet in protecting customer information and proprietary business data. The private sector often looks to government for standards in technology. Given the recent results of an Information Technology Security audit, such reliance would be misplaced.

Congress set forth security standard through the Federal Information Security Management Act. Agencies reported progress to U.S. House Committee on Government Reform. The committee released a report card on the progress on March 16.

The Department of Labor, Social Security Administration, and Government Services Administration all scored well. The Department of Justice, which includes the FBI, the Department of Defense and Department of Homeland Security faced the lowest scores.

Just in the past year, several defense computers have been compromised. Here is a summary:

· An Air Force computer was compromised leaving 33,000 officers at risk of Identity Theft

· Several Navy computers became part of a robot network, and one of the law enforcement agents on the case had his cell phone hacked

· The FDIC exposed personal information on thousands of employees

· Several law enforcement officials lost personal information due to a breach of a security software vendor

It is a concern to all when the computer systems of government agencies that are supposed to protect the citizens are at risk. Let’s hope the government will place a higher priority on following the rules it creates.

Cash Register Software Flawed

2006-11-20T13:22:00.000-08:00

Visa USA, Inc. has found two versions of software used on cash registers which saves credit and debit card numbers after transactions have received authorization. I reported in the last issue that 85% of retailers surveyed still collect this sensitive information even though it violates the merchant agreement with the credit card issuing institutions.

Retailers may assume they are in compliance with the merchant agreement, but be unaware the cash register is maintaining the critical information, thus making the merchant vulnerable to a security breach. The non-conforming software is produced by Fujitsu Transaction Solutions, Inc. of Frisco, Texas. The company is a subsidiary of Fujitsu, Ltd. of Japan.

Some of the larger customers who use this software are Best Buy Co., Dress Barn Inc., Office Max Inc., Staples Inc., and Payless Shoe Source Inc. Fujitsu claims the software is not being used by identity thieves. Best Buy claimed they no longer use the version of software cited, and no other company commented.

All businesses, especially small business need to check cash register software to assure customers that sensitive customer credit card data is not put at risk. The non-compliant versions of software are RAFT and GlobalStore.

Banks and retailers continue to point fingers and deny responsibility for identity theft which has been traced to individual store locations. One of the disputes involves Citigroup and OfficeMax, with the bank claiming data was stolen from eight locations. Office Max continues to say they have no knowledge of any breach. Could cash register software possibly be the problem?

Blood Donors Lose Identity

2006-11-20T13:21:00.000-08:00

The Red Cross in St. Louis, Missouri notified thousands of blood donors of a data breach that could lead to identity theft. At least four donor’s Social Security Numbers were used by an employee to obtain credit reports. From the credit reports the criminal obtained credit card numbers to make unauthorized credit card purchases.

The employee was identified and relieved of his duties at the organization. A regional task force including postal inspectors is continuing the investigation. The breach occurred at the regional headquarters of the blood collection group.

Donors were notified by letter of the compromise. The correspondence reminded the affected individuals to carefully audit credit account activity. I recommend in my book and seminars that everyone look at every bill, every line every time, not waiting to receive a notice warning you of increased risk.

The Red Cross has made changes to its software restricting employee access to SSN. They will continue to use the number as away to track donors, even though there is no legal requirement to do so. Since its inception, SSN was never intended to be used as an identification number. I have called for organizations, both public and private, and now non-profits to discontinue the use of SSN as an identifier. Access to this number by an identity thief can be used to make unauthorized purchases and apply for new credit in the victim’s name. It is time that all groups reconsider how they identify customers or patrons.

Thanks to Herb and Marge Bilinsky in St. Louis for bringing this story to my attention.

Bits and Bytes – Blurbs Concerning Information Security

2006-11-17T08:55:00.000-08:00

A new type of attack against the Internet was discovered by VeriSign. The attack is designed to shut down major sites around the web. VeriSign noticed the activity beginning last December, but it seemed to almost vanish in mid-February. VeriSign claimed that this attack was the most widespread since 9 of the 13 computers that control Internet traffic were attacked in 2002. VeriSign warns that such an attack could knock major sites off the web for days at a time.

The IRS wants consumers to be reminded again of a phishing scam using its logo. The bogus e-mail claims that you are due a refund and asks you for Social Security Number and a bank account so that the refund can be completed. As always the IRS will send a letter explaining how additional tax or refunds are calculated and never ask you for information that you have already provided.

Software developers have recently released a group of anti-fraud tools which allow large companies to flag activities which might indicate fraud. The software is expensive and most likely will not benefit companies with little or no IT security staff.

Even though the federal government passed a law over 10 years ago requiring states to enact legislation removing social security numbers from driver’s licenses, 11 states and the District of Columbia are still using this identifier. In Iowa, more than 200,000 citizens carry driver’s license or state issued identification cards that display their SSN, even after the state law was changed four years ago.

The Wall Street Journal reviewed fingerprint scanners by Lenovo (mentioned in the last issue), Toshiba and Microsoft. They found that the technology has gotten much better. Encrypted password files can be set up in Windows XP that allow a fingerprint to replace entering a username and password. The Microsoft device simply plugs into a USB port on your computer and costs around $40. The other devices, offered by Lenovo and Toshiba, are embedded into laptop computers.

Olatunji Oluwatusin, the primary person involved in obtaining personal information fraudulently from ChoicePoint (check out first article), was sentenced to 10 years in prison and ordered to pay $6.5 million in restitution. It was his scheme that lead to the action taken by the FTC against ChoincePoint.

Credit Bureaus Adopt Single Scoring Strategy

2006-11-17T08:54:00.000-08:00

The three major credit reporting agencies have decided to adopt a single method in computing credit scores. These scores were previously calculated using different formulas by each credit bureau. Credit scores are used by lenders to determine the credit worthiness of an applicant. People who maintain high credit scores can often receive lower interest rate when borrowing for a home or car.

The new standard called VantageScore will simplify the calculation and should result in similar scores regardless which credit bureau is used. The system developed jointly by Equifax, Experian and TransUnion will compete with the FICO score marketed by Fair Isaac Corp. of Minneapolis. The FICO scoring system is used by 40 of the 50 largest banks and 75% of mortgage lenders. FICO scores range from 300 to 850 with 850 being the best score.

VantageScore will range from 500 to 900 and correspond to a letter grade from A to F, much like a school report card. The credit bureaus are hoping that the letter grading system will be easier for lenders to use. It is an expectation that scores among the three agencies would be consistent. Differences in the agencies formulas can cause as much as 50 point discrepancy in current scoring techniques.

Factors considered in calculating a credit score include payment history, amount of debt, and how long credit has been established. Other factors that may have been used are number of new accounts and recent requests for credit rating.

The Consumer Federation of America, a group devoted to consumer protection, expressed some confusion as to why such a new score would be necessary. The organization seemed to support the use of the FICO system.

Consumers are strongly encouraged to continuously monitor their credit rating to make sure that new credit is not obtained without their knowledge. You may acquire one report from each of the three reporting agencies every year. I recommend that you develop a strategy such that you receive a report from one credit bureau every four months. This will allow you to notice any changes which occur before they have an adverse effect on your credit score.

Protect Your Good Name!

Can a Freeze Protect You?

2006-11-17T08:53:00.001-08:00

Some security experts are recommending that consumers place a freeze on their credit record to prevent identity theft. This method costs the consumer an average of $10. Credit bureaus are required to place freezes on accounts of identity theft victims upon their request at no cost.

Placing a credit alert or freeze on your credit record is meant to require the credit reporting agency to contact the consumer by phone (preferably cell phone) before granting new credit. What happens most times is that the reporting group simply notifies the credit provider (finance company or bank) that a credit alert has been placed on the account. The lender usually denies credit at this point as it is easier than to pursue the applicant and have the freeze removed.

Even if a consumer attempts to remove the freeze on his own it may take several days and lead to rejection of credit. I have been approached by identity theft victims that claim it was a nightmare to get the alert removed.

If you do not intend to borrow money for any reason, you may benefit by placing a credit alert on your account. Increased credit alerts will slow the processing of new credit and could result in higher annual fees and processing charges. If you plan any major purchase that will require financing, I strongly discourage filing a credit alert unless you have been a victim of a credit breach.

Even though identity thieves can use your Social Security Number to establish new credit, a freeze does not stop purchases on accounts that already exist. You are dependant upon companies that provide credit to notice unusual spending patterns and terminate the use of those instruments (usually debit and credit cards). If the spending is in smaller amounts and occurs in locations that you normally visit, the fraud may not be noticed for months. It is vitally important that you audit every bill, every line, every time.

Passwords May Be on the Way Out

2006-11-17T08:53:00.000-08:00

Bill Gates speaking to a security conference recently stated, “passwords don’t cut it”. Many security professionals had reached this conclusion earlier, but when Gates speaks the technical world stops and takes notice. Mr. Gates was holding a device called InfoCard which would plug into your PC. This device would then activate your username and password as you opened applications and websites.

Another alternative is a token device, such as the SecurID used by E-Trade. This device attaches to a key chain and displays a code that changes every minute. The user of E-Trade is then required to enter the code as well as username and password. The down side of such a device is that an individual may be required to carry several of them to access the websites they patronize.

The SecurID token has wide backing and may be used as banks to provide additional authentication before users are able to perform online banking tasks. However, Windows XP does not currently support a facility that allows a single SecurID token to be recognized for several different accounts.

In contrast, InfoCard can be installed and automatically recognize the need for a password which is stored in an encrypted file. When used in this manner, the InfoCard can support all of the needs a person would have access to various websites and secured areas of the Internet.

InfoCard also has the backing of Yahoo! and Pay Pal, making it a strong contender in the secure device race.

Retailers Fail Test

2006-11-17T08:52:00.001-08:00

Visa USA surveyed 231 large merchants that accept Visa branded credit cards to see if they complied with its contractual requirement to purge credit card numbers from systems after receiving an authorization for a purchase. Visa found only 17% of the merchants complied with the agreement. On the bright side, 75% have indicated they are working to meet the terms, but no completion date was determined.

Not only Visa, but MasterCard, Discover and American Express all have this same rule. Major banks which issue cards, most notably, Citigroup, Inc., Washington Mutual, Inc., and Bank of America Corp. have had to freeze millions of accounts and reissue cards to consumers because of exposure of these credit card numbers by merchants and transaction processors.

The latest major incident involved Office Max, Inc., which originally denied a breach, but was accused by the credit card issuing banks of not complying with credit card security standards. Citigroup noticed several hundred fraudulent transactions occurring through ATMs in Britain, Russia, and Canada last month bringing the matter to its attention. Bank of America and Washington Mutual soon followed suit.

It costs a bank approximately $20 to reissue a credit card which usually is only done when the bank is very sure a breach has occurred.

ChoicePoint Judgment Affects All Businesses

2006-11-17T08:52:00.000-08:00

The recent settlement of charges against ChoicePoint not only netted the Federal Trade Commission (FTC) $10 million in fines, restitution of $6,250 for each of the approximately 800 victims, but expanded to all businesses the application of a law originally meant for banks and credit bureaus.

ChoicePoint violated its own privacy policy, which is posted on its website. The company was also the target of a security breach that exposed information on 168,000 individuals. It was further charged that the data aggregator “failed to have in place adequate measures to recognize the fraud” that later occurred.

Under this ruling, any business that handles non-public personal information (NPPI) will be expected to take additional precautions to avoid unauthorized access. NPPI includes any information that is not in the public domain such as an unlisted telephone number. Organizations that collect credit card information must either protect or remove that information. Credit card providers contractually require merchants to discard such information after receiving an authorization. More on this in the next article.

The FTC also came to terms with DSW (which lost 1.4 million customer records), prompting four specific items to be addressed by both companies. First, each company must designate an employee to be accountable for security. Second, a risk assessment of internal and external risks must be undertaken. Third, a risk management program must be implemented. Lastly, the program must be evaluated and adjusted based on continuous monitoring and testing. It is conceivable that these requirements can be imposed on any business.

Bits and Bytes – Blurbs in Information Security

2006-11-16T09:54:00.000-08:00

Google ads were attacked displaying products that Google does not normally allow. Basically, Google's AdSense was hacked so gambling, porn and Viagra could be sold to people searching Google. Some of these links could lead to phishing scam.

Corporations and government entities are being targeted for spying by rings of thieves. These groups use e-mail targeting strategic employees with e-mails similar to phishing e-mails, but sent only to a few people. The e-mail appears to be generated by colleagues.

Blackberry users are vulnerable because of an attack aimed at Blackberry servers. The net result is that programs used on the handheld device could become disabled for a period of time. Telephone and e-mail functions are not affected.

Symantec the maker of Norton products has purchased a company that makes security software for instant messaging (IM) systems. This increases the scope of Symantec's holdings and should help in fighting this new method of spreading viruses and botnets.

Wireless networks at business sites are not as secure as they should be. Thousands of companies have installed wireless networks, but few have adequately secured them. Check out my book to find seven ways to secure your wireless network.

Thank Goodness for Security Software Providers

2006-11-16T09:53:00.000-08:00

When major computer security vulnerabilities arise that could affect millions of computers, who rises to the challenge of either stopping it or diverting the consequences? Companies like Symantec, McAfee and VeriSign have all answered the call, but how do they do it? And how does this service help you?

Computer security software providers employ thousands of high-tech savvy individuals who are highly skilled in different areas of security software and hardware. There are groups who spend their entire working day searching the Internet for threats or even perceived threats. These individuals have infiltrated hacking organizations so that they can listen to chatter. It is not unusual for the developer of malicious software to brag about the vulnerabilities found and how to exploit these holes.

Other employees constantly monitor firewall, ant-virus, anti-spyware and other products to see if outsiders are trying attacks that are being blocked. Another group has completely open computers promising large stores of information that invite visitors to try their malicious programs. These computers are called honeypots. These employees watch and monitor the intruder activities so they will be able to build locks which will keep out future prowlers.

Another common job is to monitor the clearinghouses. The most well known of these is the Computer Emergency Response Team (CERT) at Carnegie-Mellon University. This group depends on computer users to report computing oddities to computer manufacturer help desks or Internet Service Provider (ISP) companies. For example, slow-running systems or failure to access the Internet. In turn, these vendors report heavy traffic or new problems to the CERT so that the response team can collect data on frequency of occurrences. If activity is unique and frequent the CERT will issue an advisory to its members. Almost all computer security software firms are members. If they are not, I would be concerned. The person who monitors these alerts then farms out the alert to a team that has experts in the specific area of the problem (operating systems, hardware, databases, etc).

The team that receives the alert often sets up, in laboratory environment, the conditions that make the event occur. They then study in detail what occurs with the computer (e.g. operating system, hardware, programs). The sleuths then follow the attack back to the way it was introduced to the machine. These detectives work under extremely tight timetables to develop a way to protect their customers from the specific attack. The solution providers determine a way to stop or divert the attack.

Every unique attack has a fingerprint differentiating it from every other attack. The software provider then matches the fingerprint to the solution. The team then tests the solution in the lab. When it works without fail, the company will include it in a software update that is made available to their customers.

As soon as the fix is made available to its customers, member companies will share information learned with CERT. This arrangement allows many heads to work on the problem, thus cutting down the solution time. The attitude is if I solve it this time, hopefully in the future someone else will solve a problem I am having and share the solution.

Most subscribers to security software products should go ahead and pay the annual subscription fee to provide funding to support continued solutions. Usually this includes registration so the provider can send any updates to your computer when a new fix needs to be added. The cost of running the company and the thousands of experts is spread among the millions of subscribers, allowing the price to be reasonable. If each of us had to do it on our own, there is no way we could afford the time or education needed.

How Many Passwords Do You Remember?

2006-11-16T09:52:00.000-08:00

It seems that every website and every piece of software require us to create a profile using a username and password. If we were to use the same password for all cases, it would be easy to lose our access to unauthorized individuals since one password fits all cases. So we try to rack our brains coming up with new passwords that we will surely forget.

At some point in the near future passwords may become obsolete. For example, the FDIC will require online banking to demand more from a customer than username and password. Banks must secure their systems by using at least two types of identification. Information security experts recognize three different types of authentication: (1) what you know (username, password); (2) what you have (key, credit card password token); and (3) who you are (fingerprint, iris scan).

Biometrics authenticates user’s identity by verifying a person’s fingerprint, iris scan or other unique physical trait. The technology is becoming cheaper and more reliable. Lenovo (which used to be IBM) has introduced a new PC with a built-in fingerprint scanner. This device is supposed to only allow the authorized user to start the computer. The fingerprint is tied to a file that contains a specific user profile that includes passwords to software the person will use. The user can choose to manually enter passwords after the biometric authentication has occurred.

Lenovo claims to have a success rate that only misses a fingerprint scan three times in 10,000 uses. Unfortunately, at a recent convention in front of 300 attendees, Peter Schwartz of Global Business Network, Inc. was unable to make the feature produce the desired result. He had to override the device and use a password. Mr. Schwartz claimed, “It’s not ready for prime time.”

San Francisco Airport has been using handprint scanners since the early 1990’s. Many hospitals around the country are installing fingerprint and hand scanners to grant access to restricted areas. Both physical and information security can be improved with reliable biometric devices. Expect them to get better.

Government is Concerned about Other Systems

2006-11-16T09:51:00.001-08:00

The focus of hackers on the Microsoft Windows based computer systems has caused law enforcement and other experts to focus efforts on learning the Microsoft products. Now more computer users are weaning themselves away from Windows and turning to other operating systems like Linux and Mac OS (Apple).

At a recent gathering of law enforcement and educators, a two-day seminar was held explaining Linux and the Apple operating systems. These sessions were well attended as people in the security field are finding more attacks on alternative computing systems. Law enforcement officials are even looking at video game systems and MP3 players as possible devices which can launch sophisticated computing assaults.

It has long been known that portable storage devices have been used to steal data from companies and unsuspecting computer users. Now it is expected that MP3 players and video game consoles that connect to PCs can be used to hijack systems and employ them in robot networks (botnets).

I-pods and X-boxes are two of the items being further explored by government officials for their potential to wreak havoc on computers when connected. Many times these portable devices can be used and removed without a trace of criminal activity.

As other forms of computing devices are gaining popularity they will be employed by bad folks to commit a variety of compromising acts. In the future, Play Station Portables (PSP) may be used by the animals as the miniature video game unit has an unusually large hard drive capability coupled with wireless compatibility. This is just a peek into the future of security challenges we face.

MasterCard Strikes Back

2006-11-16T09:51:00.000-08:00

In light of all the recent losses of customer data similar to the Atlantis breach mentioned above, MasterCard has introduced a system it hopes will stem the ever rising tide of customer information compromise.

MasterCard is using incentives including a reduction in transaction fees to entice online merchants to join the new program. Before a retailer can be a part of the initiative they must comply with a network vulnerability scan. The scan is free and conducted by MasterCard.

The plan dubbed MasterCard SecureCode applies to online purchases. The e-merchant would require MasterCard holders to enter additional code information known only by the cardholder and MasterCard. The authorization contains all the information needed for MasterCard to link the transaction to the specific cardholder, allowing the e-tailer to collect the transaction proceeds.

MasterCard will be promoting the new service through advertising and web-based seminars. The company has also initiated a website for merchants to learn more about online security options.

Luxury Resort Loses Data

2006-11-16T09:50:00.000-08:00

The Atlantis resort in the Bahamas, named after the lost city, is one of the latest cases of lost data. The vacation spot lost 55,000 customer records containing names, addresses, credit card numbers, passport information and social security numbers. The data breach was reported in January.

The Atlantis is a 2,000 room upscale resort on Paradise Island in the Bahamas. The company is sending customers a notice warning them to be vigilant regarding attempts of identity theft. The company was required to file a report with U.S. regulatory agencies.

The destination is reluctant to provide any more information as it does not want to compromise any criminal investigation. The hideaway is offering customers who have been affected a year of credit monitoring. This is a step toward repair of customer relations. Atlantis is operated by Kerzner International and is traded on the New York Stock Exchange under the symbol KZL.

The popular resort has several amenities including a golf course and casino; standard room rates run about $500 per night; proving once again that no place even a slice of paradise is immune from identity theft.

The Cost of a Security Breach

2006-11-15T09:00:00.000-08:00

A recent survey of 14 companies that suffered data loss of customer records shows companies lose an average of $13,795,000 per 100,000 records lost. The survey was conducted by The Ponemon Institute. This computes to about $138 per record lost.

The largest loss by far is in customer confidence. Current customers will find competitors who will secure their personal information. The report estimates that existing customers will move $6,728,000 from the offending company and that new customers will be slow to come to the company, costing an estimated $730,000 loss.

Cost of notification, instigated by the California Notification Law, totaled almost $2 million. Answering customer concerns and complaints accounted for the $1,018,000 of that amount. Almost $750,000 would be spent mailing notices to customers whose information was compromised. Some of the cost (e.g., the wording of the letter) could be trimmed if there were a single statement required to be sent.

Investigative expenses will be more than $1 million and legal defense will total another million. Protecting the data is more effective and economical. It is worrisome that business has not figured this out yet. Over 20 major information breaches occurred in 2005. Business executives should recognize that the rate of compromise will remain the same or grow. It is incumbent on management to demand security of customer data as a priority.

Russian Based Theft Ring Recruits Americans

2006-11-15T08:59:00.001-08:00

Carderplanet.com is a Russian based identity theft organization. This ring is not easily infiltrated because of the lack of cooperation between U.S. and Easter European law enforcement. Carderplanet has been shut down as of this writing.

Among the operatives of Carderplanet was Douglas Cade Havard, a Texas native, who started his criminal enterprise by making fake IDs for underage college students who wanted to drink. Following his arrest, he fled the country and wound up in the U.K. He became involved in Carderplanet and worked his way up the ranks. The ring offered criminals tools that could be used over the Internet to collect personal information.

Havard, 22, was arrested and is serving six years in Leeds. He owned a $57,000 Mercedes and was known to be a free spending gambler. He targeted the harvesting of information from ATM machines.

Havard and accomplice Lee Elwood are suspected of stealing more than $11 million over an eighteen month period. The duo would purloin bank account and PIN numbers, then create fake ATM cards. After looting bank accounts they would send as much as 60% to their affiliates in St. Petersburg. They were arrested with credit card blanks, credit card manufacturing equipment, and a large amount of cash.

Cooperation among law enforcement from the U.K. and U.S. helped in busting these guys, but not in grabbing the others in Eastern Europe and Russia. Further work needs to be done to ensure that rings like Carderplanet, ShadowCrew and others can be permanently erased.

We Can Work With China

2006-11-15T08:59:00.000-08:00

U.S. and Chinese officials are in talks to develop an agreement targeting computer-related crime in China. In the past few years, A large increase in activity including phishing and identity theft has been reported as originating from China. Foreign governments have been slow to cooperate in the past, but talks with China may be an indication of a new push from a huge trading partner to work with the U.S. to reduce criminal activity.

Authorities have tracked many rings of identity thieves and other computer criminals originating in China and other Asian countries. A big problem for law enforcement if criminal action is traced to a foreign country, U.S. law enforcement does not have any authority to pursue the criminal. Foreign governments take the lead at this point. In the past, some countries have been reluctant, even resistant to U.S. involvement.

An agreement with the Chinese may demonstrate how working with U.S. law enforcement may actually improve diplomatic and trade relations.

I have recommended that foreign aid be tied to cooperation with U.S. law enforcement in the pursuit of computer criminals. I still feel the economic carrot is important, especially in developing countries, to gain support for such partnering.

Computer-related crime, identity theft being the largest component of cyber crime, has now surpassed drugs in value of the criminal enterprise. Terrorist activity has been financed by criminal activity perpetrated over the computer. Recently, a large identity theft ring was traced to the Middle East. With $50 billion in losses each year, our government should work harder to encourage friendly relations with law enforcement in chasing these criminals.

Balancing Public Access and Privacy

2006-11-15T08:58:00.000-08:00

We expect government information to be available for public inspection on a moment’s notice. Americans demand transparency of government actions. However, such openness may place citizen’s personal and privileged information at risk.

Many agencies require citizens to use a unique identifier to provide a way for the records to distinguish among people who may have the same name. Usually this number is Social Security Number (SSN). A huge problem with the use of an SSN exposure for public records, allows an identity thief to obtain SSN on citizens who are simply conducting business with local, state or federal government entities.

In the rush to make government information even more accessible, many records have been placed online so that citizens can research public information from the convenience of office or even home. This allows sensitive information to be accessed by anyone logging into government databases.

The state of Iowa through its ombudsman William Angrick II, has recognized the inherent problem of exposing SSN in public records. He has reported to state officials that citizen’s personal and private information was being available through state run websites. Angrick noted that identity thieves from anywhere in the world had open access to records that could be used to obtain credit in the name of Iowa citizens. The websites were made temporarily unavailable last fall until the legislature could convene to fix the problem.

The legislature is currently in session, but the only concrete action so far is the request for Governor Vilsack to impanel a blue-ribbon task force to recommend policies and procedures to secure records. There is legislation in process to redact SSN from public viewing of state documents.

Iowa is taking a proactive step to balance the public right to know with an individual’s right to protect information that could be used in identity theft. Congratulations to Iowa for recognizing the issue.