Wednesday, June 25, 2008

An interesting Social Engineering Example

This is a very interesting story posted on CIO insight involving social engineering:

Every few days, Richard would seek out Sally, a twenty-something salesclerk at a retail outlet of a telecommunications conglomerate. When they first met, Richard, who’s in his early 30s, said he was the manager in charge of buying telecom equipment for a fast-growing startup, and he did, in fact, make a purchase on each visit.

Richard and Sally became friendly, and after a month, he took her out to lunch and confessed, “You’re a nice woman, but I’m not interested in you as a friend. I’m on a secret mission from the CEO of your company, and we need your help.”

He explained that a midlevel manager had been stealing trade secrets from the company, and they needed Sally’s help to replicate the methods they thought the manager was using. Sally had access to a PC that was connected to the corporate network, and Richard told her how to retrieve confidential files. He swore her to secrecy, telling her that only the CEO, a vice president, Richard and now Sally knew of this operation.

What Richard didn’t tell Sally was that this was all a lie: He actually worked for her company’s rival. Unwittingly, Sally became a corporate spy for the competition and began dutifully relaying files to a secret e-mail account.

A few weeks later, Richard told Sally that the vice president wanted to meet her at a restaurant. When they arrived, Sally saw the executive sitting at a table across the room with a man she didn’t recognize. Richard walked over to their table and, out of Sally’s earshot, began chatting with the companion. Unbeknownst to the VP, the man was an agent who was working with Richard and had arranged to meet the VP at the restaurant.

Richard soon returned to Sally and told her the VP had had second thoughts about meeting in public for fear it could jeopardize the operation. He said the VP wanted to recognize her cooperation, so Richard asked Sally to glance over at the VP. When Sally turned toward the executive, she could no longer see Richard, who then waved to the VP. The executive waved back, and Sally assumed that he was acknowledging her.

Weeks passed, and Richard gave Sally a $15,000 bonus as part of the “anti-fraud team.” Months later, he gave her a $30,000 bonus. She was hooked and would do anything Richard asked.

Eventually, Richard told Sally the truth. Though shocked and dismayed, she was too deep into the scheme to back out.


Do you think this could happen to your company?

Nate Evans

Labels: , ,

Sunday, June 22, 2008

British Cabinet Member has Computer Stolen



UK minister's computer stolen in latest government data breach

LONDON: British Prime Minister Gordon Brown's spokesman Michael Ellam says a Cabinet minister's computer has been stolen from her office in a new data mishap.

Communities Secretary Hazel Blears had her desktop computer stolen from an office in northern England on Saturday. The computer contained government data.

Ellam says Brown told ministers to take more care with data at a Tuesday Cabinet meeting.

Two sets of confidential documents have been left on trains by security officials in the last week. One set of papers included secret briefings on Iraq and al-Qaida.

Tuesday, June 17, 2008

Are any heads going to roll?
Will the British government wake up and take notice?
Very, Very, Doubtful!

Medicare and ID Theft - Watch out!

From the New York Times we get the chilling call of warning about Social Security, Medicare, and ID theft. The Social Security Administration is 100% right!

This is another example of clueless government. Remember drivers licenses with your Social Security number on it? I do and that was a horrible disaster!

June 22, 2008

Agency Sees Theft Risk for ID Card in Medicare

WASHINGTON — Social Security officials, concerned about the risk of identity theft, are calling for immediate action to remove Social Security numbers from the Medicare cards used by millions of Americans.

But Medicare officials have resisted the proposal, saying it would be costly and impractical.

In a new report, the inspector general of Social Security, Patrick P. O’Carroll Jr., says “immediate action is needed.”

“Displaying such information on Medicare cards unnecessarily places millions of individuals at risk for identity theft,” Mr. O’Carroll said. “We do not believe a federal agency should place more value on convenience than the security of its beneficiaries’ personal information.”

In a memorandum to the heads of federal departments and agencies in May 2007, Clay Johnson III, deputy director of the White House Office of Management and Budget, said they should draw up plans to “eliminate the unnecessary collection and use of Social Security numbers within 18 months.”

Social Security cannot prohibit the Medicare agency from using Social Security numbers, although Congress could do so. Federal officials say that more than 40 million people who are 65 and older or disabled have Medicare cards with Social Security numbers on them.

Charlene M. Frizzera, chief operating officer of the Centers for Medicare and Medicaid Services, played down the risk of identity theft from the misuse of Medicare cards. If the government suddenly issued new Medicare cards or identification numbers, she said, it could startle or alarm beneficiaries. “We don’t want to scare them,” Ms. Frizzera said.

Most private insurance companies have abandoned the use of Social Security numbers as identifiers because many states forbid it.

Gail K. Hillebrand, a lawyer at Consumers Union, said, “A person holding a private health insurance card now has more privacy protections than a person holding a Medicare card.”

Byron Hollis, director of the antifraud department at the Blue Cross and Blue Shield Association, said, “Medical identity theft is the fastest-growing form of health care fraud.”

To prevent such fraud, Mr. Hollis said, Blue Cross and Blue Shield plans stopped using Social Security numbers on their cards several years ago. The 39 Blue Cross and Blue Shield companies provide coverage for more than 100 million people.

Ms. Frizzera, the Medicare official, said that issuing new Medicare cards would be “a huge undertaking.” The agency would need three years to plan such a move and eight more years to carry it out, she said.

Medicare officials estimate that it would cost $500 million to change their computer systems if they issued new ID numbers to beneficiaries. Doctors, hospitals and other health care providers use those numbers in filing claims with Medicare, which pays a billion claims a year.

A survey by America’s Health Insurance Plans, a trade group, found that at least 31 states had laws prohibiting or restricting the use and display of Social Security numbers.

Many are modeled on a 2001 California law that says companies cannot print a person’s Social Security number on any card needed to obtain goods or services offered by the companies.

In his report, Mr. O’Carroll noted that Social Security numbers were “linked to vast amounts of personal information.”

“Many individuals carry their Medicare cards in their wallets or purses and could become victims of identity theft should dishonest individuals steal such items or lift their Medicare number from a beneficiary card or medical document,” Mr. O’Carroll said.

Other federal agencies are taking steps to remove Social Security numbers from identification cards. The Department of Veterans Affairs said that new identification cards issued to veterans generally did not display Social Security numbers.

Mary M. Dixon, director of the Defense Manpower Data Center, said the Defense Department planned to issue eight million new identification cards in the next few years. New cards will have just the last four digits of Social Security numbers.

Friday, June 13, 2008

How To Lose Vital Information the Easy, The British, Way!

Independent.co.uk

Secret files lost after 'clear breach' of rules

Thursday, 12 June 2008

The loss of high-level intelligence documents by a Government official was a "clear breach" of security rules, Cabinet Office Minister Ed Miliband said today.

The documents were left on a commuter train on Tuesday morning by a member of the Joint Intelligence Committee assessment staff.

Updating MPs on the situation, Mr Miliband said the official - who has been suspended - had no authorisation to remove the files from Government premises.

Former Permanent Secretary for Security and Intelligence Sir David Omand will carry out a full investigation of the circumstances of the case, Mr Miliband added.

However there was no evidence to suggest vital national security interests had been damaged, or that any individuals or operations were at risk.

Tory spokesman Francis Maude said: "There can scarcely have been a graver breach of intelligence and security procedures than this."

The documents, containing an assessment of al Qaida's vulnerabilities and the competence of Iraqi security forces, were handed to the BBC.

Mr Miliband said: "While the documents do not contain the names of individual sources or specific operational details, they are sensitive, high-level intelligence assessments."

The official told superiors about the loss of the documents yesterday morning and the BBC subsequently handed them over.

Mr Miliband said: "There is no evidence to suggest that our vital national security interests have been damaged or any individuals or operations have been put at risk.

"However the police investigation is continuing."

He added: "This was a clear breach of well established security rules which forbid the removal of documents of this kind outside secure Government premises without clear authorisation and compliance with special security procedures."

In this case, "no authorisation was sought for the removal of the documents" and the official has been suspended as part of a standard civil service disciplinary procedure.

All Joint Intelligence Committee staff have been reminded of the rules, as have officials in other Whitehall departments with access to sensitive material.

"It is a matter of utmost concern to the Government that this breach of security has happened," Mr Miliband said.

Mr Maude said: "The Prime Minister said yesterday: 'We should take no risks with national security'.

"There can be few greater risks that the casual abandonment of top secret intelligence material on a train."

He added: "That al Qaida do not today know precisely what Britain know about their activities, and perhaps more importantly what Britain doesn't know about their activities, is entirely due to the responsible way in which the BBC has behaved and reflects no credit whatsoever on the Government."

It was, he said, a "lamentable lapse of basic security awareness and procedures".

Mr Maude said there was "clearly a major systemic problem with data security at the heart of the Government."

He asked "what reason could there possibly be" for allowing an official to remove such sensitive files.

"Why, now that such powerful encryption is available, why are documents at this extremely high level of security, why are they printed onto paper at all?

"Will anybody and it may be too early to say this, will anybody be prosecuted under the Official Secrets Act?"

Mr Maude suggested the lapse had come after a raft of other data security breaches in previous months.

He went on to suggest there was a "real issue with civil service morale which leads to laxity in the way in which procedures are not complied with".

Mr Maude said Mr Miliband was responsible for information security across the whole of Government.

"There is no evidence that he takes this crucial part of his responsibilities nearly seriously enough."

Mr Miliband told Mr Maude the copies of the documents that were returned were the original copies. "Obviously the police will be investigating the question of these originals and looking into any circumstances surrounding these original copies and how they found their way from being lost on the train on Tuesday to the BBC."

He went on: "This is a clear breach not just of the rules, the rules that people sign up to when they work in the assessment staff."

He said he would not comment on potential prosecutions.

Mr Miliband said there were "clear rules" for staff. "This is a case where those rules weren't followed and it is a matter of deep regret that those rules were not followed."

He rejected Mr Maude's claim that morale was low. They did an "extraordinary job".

"I don't believe that is the reason why this document was left on a train."

Labour former minister Don Touhig (Islwyn) said: "MPs in this House who serve on the Intelligence and Security Committee have to go to the Cabinet Office and read the documents there.

"They may not be removed. Why on earth does someone who works in the Cabinet Office need to remove documents at all?"

Mr Miliband said: "There are circumstances where people need to have meetings outside secure premises and they need to be transferred from one place to another. There are the most stringent rules in place for that."

For the Liberal Democrats, Susan Kramer said she hoped the investigators did not dismiss as "simply chance or accident" the fact the documents could have been seen by others.

She asked for clarification on the procedures regarding officials taking away secret documents. "Just a locked box for example doesn't seem terribly appropriate."

She was "concerned" that the whole incident should not be "slur" on the civil service as a whole.

"We certainly don't need to treat this as suggesting in any way that the civil service at large is not conscious of the issues.

"But I do indeed wish the issue of culture be fundamentally addressed."

Mr Miliband said it was "easy" in such circumstances to criticise the civil service generally.

On the rules for taking documents away from buildings he said: "There was no authorisation for this document to be taken out of the building. The rules were absolutely clear - authorisation should be sought.

"If a document is taken out of the building it should only be in the most exceptional circumstances."

Tory Julian Lewis (New Forest E) called for officials to be searched when they left the Cabinet Office "to see that they are not removing classified material" and suggested senior staff might think they were "above such procedures".

Mr Miliband said: "Searching each individual from the assessment staff who left the building each evening would clearly be quite an onerous task. But Sir David will look at all suggestions."

Chairman of the Home Affairs Select Committee Labour's Keith Vaz said: "Many of us have been campaigning for many years for more transparency, but this of course is not what we had in mind." He called for the inquiry to be published "so we can see whether the process was followed".

Tory Douglas Hogg (Sleaford and N Hykeham), a former Foreign Office minister, said: "I wouldn't have favoured being searched when I left the Foreign Office." He said there was a "pattern of failure" and mistakes on security lapses were not being addressed.

Mr Miliband said: "This is one individual within the assessment staff." But the Minister did recognise the "gravity" of the issue.

Labour's Andrew Mackinlay (Thurrock) blamed the loss on a seconded MI5 officer and expressed "no confidence" in Sir David's inquiry, which would be a "cover-up".

Mr Mackinlay, a member of the foreign affairs select committee, said: "Isn't it a fact that this official was actually a seconded MI5 officer."

He told Mr Miliband: "Although you are innocent of responsibility for this cock-up, nevertheless you are responsible for looking at the investigation and the remedy.

"I have no confidence whatsoever in Sir David Omand. He's a safe pair of hands and will be involved in a cover-up."

Mr Mackinlay called for proper parliamentary oversight of the security and intelligence services.

Mr Miliband said Mr Mackinlay had strong views about the status of the intelligence and security committee.

"On the question of the status of the individual concerned, I'm not going to get into a discussion of his particular status. I don't think it is fair to the individual apart from anything else.

"As for your comments about Sir David Omand, I met him this morning. He's determined to do a rigorous investigation to make sure we, as far as possible, have the necessary safeguards in place."

China Hacks Congress?!

So basically how are you adn I going to ward off intrusions when the government of the United States of America, this time Congress, can't protect themselves?! Here is the latest story on this. Later this month I'll share some actions that the big boys (think corporations, law firms, etc.) are taking in terms of privacy security. You will be amazed!

According to the AP, "Multiple congressional computers have been hacked by people working from inside China, lawmakers said Wednesday, suggesting the Chinese were seeking lists of dissidents. Two congressmen, both longtime critics of Beijing's record on human rights, said the compromised computers contained information about political dissidents from around the world. One of the lawmakers said he'd been discouraged from disclosing the computer attacks by other U.S. officials."

Rep. Frank Wolf, R-Va., said four of his computers were compromised beginning in 2006. New Jersey Rep. Chris Smith, a senior Republican on the House Foreign Affairs Committee, said two of the computers at his global human rights subcommittee were attacked in December 2006 and March 2007.

Wolf said that following one of the attacks, a car with license plates belonging to Chinese officials went to the home of a dissident in Fairfax County, Va., outside Washington and photographed it.

During the same time period, The House International Relations Committee — now known as the House Foreign Affairs Committee — was targeted at least once by someone working inside China, said committee spokeswoman Lynne Weil.

Wednesday's disclosures came as U.S. authorities continued to investigate whether Chinese officials secretly copied the contents of a government laptop computer during a visit to China by Commerce Secretary Carlos M. Gutierrez and used the information to try to hack into Commerce Department computers.

The Pentagon last month acknowledged at a closed House Intelligence committee meeting that its vast computer network is scanned or attacked by outsiders more than 300 million times each day.

Wolf said the FBI had told him that computers of other House members and at least one House committee had been accessed by sources working from inside China. The Virginia Republican suggested that Senate computers could have been attacked as well.

He said the hacking of computers in his Capitol Hill office began in August 2006, that he had known about it for a long time and that he had been discouraged from disclosing it by people in the U.S. government he refused to identify.

"The problem has been that no one wants to talk about this issue," he said. "Every time I've started to do something I've been told 'You can't do this.' A lot of people have made it very, very difficult."

The FBI and the White House declined to comment.

The Bush administration has been increasingly reluctant publicly to discuss or acknowledge cyber attacks, especially ones traced to China.

In the Senate, the office of Sen. Dick Durbin, D-Ill., who chairs the Senate's subcommittee on humanitarian issues, asked the sergeant at arms to investigate whether Senate computers have been compromised.

Wolf said the first computer hacked in his office belonged to the staffer who works on human rights cases and that others included the machines of Wolf's chief of staff and legislative director.

"They knew which ones to get," said Dan Scandling, who currently is on leave of absence from his job as Wolf's chief of staff. "It was a very sophisticated operation," he said. "The FBI verified that it had been done."

Smith said the attacks on his office computers were "very much an orchestrated effort."

He said that after the first intrusion in December 2006, "that was the last time" his office put the names of dissidents on its computers.

Smith said the intrusions were discovered when House technicians found a virus that seemed designed to take control of the computers. Technical experts who cleaned the computers reported that the attacks seemed to come from the People's Republic of China.

In Beijing, the Chinese Ministry of Foreign Affairs had no immediate comment on the allegations by Wolf and Smith.

Last week, China denied the accusations regarding Gutierrez's laptop and the alleged effort to hack Commerce Department computers.

Wolf said he was introducing a House resolution that would help ensure protection for all House computers and information systems.

It calls for the chief administrative officer and sergeant at arms of the House, in consultation with the FBI, to alert members and their staffs to the danger of electronic attacks. Wolf also wants lawmakers to be fully briefed on ways to safeguard official records from electronic security breaches.

"My own suspicion is I was targeted by China because of my long history of speaking out about China's abysmal human rights record," Wolf said in a draft of remarks he prepared to give on the House floor.

He said Congress should hold hearings, specifically the House Intelligence Committee, Armed Services Committee and Government Operations Committee.

Speaking generally in May 2006, Wolf called Chinese spying efforts "frightening" and said it was no secret that the United States is a principal target of Chinese intelligence services.

Wolf thinks that President Bush should stay away from the Olympics because of China's human rights record.

He also has been outspoken on the subject of violence in the Darfur region of Sudan, where China has major oil interests.

Smith has introduced the Global Online Freedom Act which would prohibit U.S. Internet companies from cooperating with countries such as China that restrict information about human rights and democracy on the Internet.

Wolf and Smith both traveled to Beijing 17 years ago seeking the release of 77 people imprisoned or under house arrest because of their religious activities.

As I teach in my electronic Democracy class, Cyber warfare is alive, well, and growing. The intent of this attack against members of Congress was not to steal their identity but it could have been. Stay safe.

Tuesday, June 03, 2008

Identity theft: 9 million victims per year - News

Identity theft: 9 million victims per year - News

Nice article from the Iowa State Daily.

ISU scholars write book on identity theft protections

Andrea Fier

Issue date: 6/3/08 Section: News
Two ISU researchers, Steffen Schmidt, professor in political science, and Michael McCoy, graduate student, have written their second book on identity theft. The book covers the basics of identity theft and how to protect yourself online from identity theft.
Media Credit: Trevor Patch
Two ISU researchers, Steffen Schmidt, professor in political science, and Michael McCoy, graduate student, have written their second book on identity theft. The book covers the basics of identity theft and how to protect yourself online from identity theft.

Approximately 9 million Americans fall victim to identity theft each year, according to the Federal Trade Commission. The prevalence of identity theft prompted two researchers from Iowa State to write a book about the crime.

"It's a real problem because it's fairly easy to do. Crooks have discovered that it's a lot easier than getting a job," said Steffen Schmidt, university professor of political science and co-author of "The Silent Crime: What You Need to Know About Identity Theft."

Schmidt and his co-author, Michael McCoy, graduate student in interdisciplinary graduate studies, said identity theft is one of the fastest-growing crimes in the United States.

"It's scary what you can find out about people on Facebook and MySpace," McCoy said. "People are just trying to pick up data on you. They put little pieces of your life together until they get enough to assume your identity."

Anyone can be a victim, he warns.

"It crosses all races, ages and socioeconomic groups," McCoy said, "It's not really just hitting the wealthy, young, poor or the old, and that's what's frightening about it."

The book, which focuses on the basics of identity theft, is targeted toward the general public, McCoy said.

If someone steals your Social Security number or birthday, it's very difficult to prove that you're you, Schmidt said.

"You can show me your driver's license, but they have one too," he said.

Though many identity thieves use the Internet to find personal information, most are not hackers. Instead, many of these thieves depend on "social engineering" to trick people into providing their own information.

"People are the weakest link in security - so you can buy a multimillion dollar security system, but if someone lets out the password, it's all worthless," said Nathan Evans, graduate student in computer and electrical engineering.

Thieves often use e-mail to trick recipients into clicking on links to the thief's Web site. The site can then trigger an automatic download of malicious software, such as key-logging software, which keeps a record of everything the user types and lets an identity thief search through the record for sensitive information, such as credit card and Social Security numbers.

These Web sites can also install software that lets thieves run programs to commit fraud from your computer, making the crimes harder to trace.

"They use the links to dump a piece of software that is going to use your computer to commit crimes and you won't even know it's happening," Schmidt said.

Evans said identity thieves also use e-mail scams to trick recipients into volunteering their personal information. One example is the PayPal scam, which directs people to a site designed to look like PayPal, asking them to enter their username and password.

"A lot of times people will pick up personal information like a phone number and use it to bill you or sign you up for a number of other scams," Evans said.

Schmidt said it is important to use the security settings with social networking sites and be sure who you're adding as a friend.

"A lot of students just accept the person and, you know, the name might be familiar, but it doesn't tell you a lot about who it is," Schmidt said. "They may be trying to sell you something, or hit on you, or get to your friends and tell them they are a friend of yours to get information out of people that they shouldn't be giving out."

Although it is ultimately up to you to protect yourself, there are things you can do, including getting identity theft insurance.

"I'm a strong believer in using some type of identity theft service," McCoy said.

McCoy talked about "Identity Theft Shield" from Pre-Paid Legal Services, Inc., which monitors your credit report on a daily basis and sends you an alert every time the report changes, e.g. whenever you (or an identity thief) take out a loan. If you find fraudulent activity, some services will correct the problems for you, McCoy said.

However, consumers should be careful to know exactly what kind of coverage their service provides. LifeLock Inc., for example, advertises a $1 million guarantee, but that doesn't cover all cases - the guarantee only pays off if LifeLock fails to put an alert on the customer's credit report. LifeLock has been sued at least twice this year for deceptive advertising.

The Federal Trade Commission has more tips on its Web site at www.ftc.gov/bcp/edu/microsites/idtheft.

Monday, June 02, 2008

Department of Commerce - How Naive Can You Be?!

Once again, courtesy of your federal government, the security of the United States may have been compromised. While YOU are required to put your tiny toothpaste in a zip lock bag at the airport your US Cabinet officers are leaving their laptops, chock full of super sensitive material, are left unattended with horrendous consequences to trade secrets, passwords, bargaining strategies and no doubt the personal identity information of people and US companies.

Here is one version of the story:

Chinese May Have Hacked U.S. Laptop
CBS News

WASHINGTON, May 29, 2008(AP) U.S. authorities are investigating whether Chinese officials secretly copied the contents of a government laptop computer during a visit to China by Commerce Secretary Carlos M. Gutierrez and used the information to try to hack into Commerce computers, officials and industry experts told The Associated Press.

Surreptitious copying is believed to have occurred when a laptop was left unattended during Gutierrez's trip to Beijing for trade talks in December, people familiar with the incident told the AP. These people spoke on condition of anonymity because the incident was under investigation.

Gutierrez told the AP on Thursday he could not discuss whether or how the laptop's contents might have been copied.

"Because there is an investigation going on, I would rather not comment on that," he said. "To the extent that there is an investigation going on, those are the things being looked at, those are the questions being asked. I don't think I should provide any speculative answers."

A Commerce Department spokesman, Rich Mills, said he could not confirm or deny such an incident in China. Asked whether the department has issued new rules for carrying computers overseas, Mills said: "The department is continuing to improve our security posture, and that includes providing updates, guidances and best practices to staff to maintain security."

It was not immediately clear what information on the laptop might have been compromised, but it would be highly unorthodox for any U.S. government official to carry classified data on a laptop overseas to China, especially one left unattended even briefly. Modern copying equipment can duplicate a laptop's storage drive in just minutes.

The report of the incident is the latest in a series of worrisome cyber security problems blamed on China and comes at a sensitive time, with looming trade issues between the countries and special attention on China over the upcoming summer Olympics. Gutierrez returned just weeks ago from another trip to Beijing, where he noted he had "traveled here more than to any other foreign city during my tenure as commerce secretary."

In the period after Gutierrez returned from China in December, the U.S. Computer Emergency Readiness Team - known as US-CERT, some of the government's leading computer forensic experts - rushed to the Commerce Department on at least three occasions to respond to serious attempts at data break-ins, officials told the AP.

"There's nothing to substantiate an actual compromise at this time," said Russ Knocke, spokesman for the Department of Homeland Security. Knocke said he was unable to find records of a DHS investigation. He said US-CERT workers have visited the Commerce Department eight times since December, but none of those visits related to laptops or the secretary's trip to China. He said the US-CERT organization works routinely with all U.S. agencies.

The FBI declined to comment.

It wasn't clear whether leaving the laptop unattended violated U.S. government rules. Some agencies, such as Homeland Security, routinely provide officials with sanitized laptops to carry on trips overseas and require them to leave in the U.S. their everyday laptops, which might contain sensitive information. Some former Commerce officials told the AP they were careful to keep electronic devices with them at all times during trips to China.

"We have rules in place," Gutierrez said. "We have procedures that people go through before they travel. So, there is a very significant process in place. Technology is obviously moving very quickly, and we have to move very quickly with it. But all of that is something that we are going through."

A senior U.S. intelligence official, Joel F. Brenner, recounted a separate story of an American financial executive who traveled to Beijing on business and said he had detected attempts to remotely implant monitoring software on his handheld "personal digital assistant" device - software that could have infected the executive's corporate network when he returned home. The executive "counted five beacons popped into his PDA between the time he got off his plane in Beijing and the time he got to his hotel room," Brenner, chief of the office of the National Counterintelligence Executive under the Office of the Director of National Intelligence, said during a speech in December.

Brenner recommended throwaway cellular phones for any business people traveling to China.

"The more serious danger is that your device will be corrupted with malicious software that takes only a second or two to download - and you will not know it - and that can be transferred to your home server when you collect your e-mail," he said.

The Pentagon, State Department and Commerce Department all have been victimized by widespread computer intrusions blamed on China since July 2006. Defense Secretary Robert Gates confirmed in September that parts of the Pentagon's unclassified e-mail system - used by Gates and hundreds of others - were disrupted in June 2007 due to a break-in.

The Commerce Department break-ins have been so serious that its Bureau of Industry and Security, which regulates exports of sensitive technology that might be used in weapons, effectively unplugged itself from the Internet.

Workers were instructed to use a few laptops placed around the office that are isolated from the department's network, even to search for public information using Google's Web search engine.

"We have discovered a number of very serious threats to the integrity of our systems and data," wrote then-Deputy Undersecretary of Commerce Mark Foulon to employees in an e-mail obtained by AP under the Freedom of Information Act. He said the department was not the government's only hacking victim, "but we have an obligation, which we must take seriously, to take all necessary measures to protect our systems and our data."

At the time, Foulon acknowledged that some of the protective measures "may create difficulties and even reduce productivity."

Fully one year after being unplugged from the Internet, some Commerce Department employees complained about the inconvenience. One worker offered to provide his own laptop so he could work at his desk, rather than use one of the office terminals 30 feet away. "How does that endanger the network?" the employee wrote last summer. His request was denied by a security supervisor who complained that he, too, was struggling with the same Internet restrictions.

My question is how someone as smart and powerful as Commerce Secretary Carlos M. Gutierrez can be so, well, pardon my saying so, STUPID, about identity, espionage, and computer security. Be VERY AFRAID!


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft