Wednesday, August 27, 2008

The Item for today is "Another Way to Lose Your Identity."

Well, as you'd expect, the bad guys have found another way to launch an attack against us.

PORTLAND, Ore. - Users of the popular social Web site Facebook are being warned that a computer virus is being spread through a well-disguised e-mail masquerading as a video from a friend.

The site boasts over 60 million registered users, including many employees at KATU.

Reporter Dan Tilkin recently registered on the site on the advice of friends and co-workers and received what he thought was a friendly e-mail from a former producer.

A link in the e-mail led him to a Web site that appeared to play a video and prompted him to update his computer's software to see the video.

However, the download was a virus instead.

It's not clear exactly what the virus does, but it should be assumed the purpose is malicious. A computer virus is also commonly referred to as "malware," which is short for "malicious software."

Many viruses scour a computer for personal information including banking and credit card information and then send it out of the country where hackers use it steal funds from the victim.

A virus can also turn a computer into a "zombie" and help to spread the virus to other computers or launch Denial of Service attacks on Web sites without the owner realizing what is taking place.

Computer experts warn users never to download any file with an ".exe" prefix sent from anyone, even if they are a friend, and to carefully monitor what page your browser lands on.

http://www.komonews.com/news/tech/27449439.html




Labels: , , , , , , , , ,

Thursday, August 21, 2008

Welcome to Campus! Give me Your Identity!


It's college time kids!

Now we need to prep ypu for all the perps out there who will find you easy pickin' for stealing your credit card or more. The statistics on growing ID theft cases at colleges are frightening and we need to more quickly to change your behavior and teach you to be "Identity Theft Aware."

We have been working on an ID theft "condom" to make sure you practice "safe computing."

After all, the college health serives (in spite of Rush Limbaugh) may be handing out actual condoms so you have "safe sex" so we want to make sure that you also protect your identity information from "viruses" just like you do against STD's.

Unfortunately we have had a hard time making the ID condom big enough to cover your laptop so instead we are developing a short, one hour, on-line "Safe Identity behavior" workshop for you kids.

We want to encourage every college and university in the USA to include a short 10 minute presentation on Safe Identity Behavior right after the talk about safe sex during incoming or freshman orientation. Then they should send you to the web site so you can take the short seminar.

Also, don't get trashed and let someone steal your wallet, purse, bag or backpack and all that personal info you keep in there. A drunk is the best target for old fashioned "analog"ID theft!

Have fun ! Be safe!

As soon as it comes out I'll be posting a link to an article on this that will be published in a college-oriented publication soon.

Labels: , , , , , , , ,

Wednesday, August 20, 2008

You Cannot protect Your Identity Information Against This Sort of Stupidity!

The New York times reported yesterday that
The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.

A flaw in configuring the site allowed anyone to type in a relatively simple Web address and have unfettered access to hundreds of files on the company’s computer network, including educational materials and internal communications.
I will not make you sick with the details - you can go read the story for yourself. I will pick a couple of lines from the article which nails the problem right to the wall of what went wrong.
The Web error indicates that the Princeton Review neglected several accepted online security practices. In addition to failing to properly restrict access to the student information, the company combined confidential and innocuous files on the same computers — which security researchers say is never a good idea.
When you have a bunch of incompetent people owning your private data you are completely exposed to data and privacy losses such as this. These are a bunch of people making a ton of money off manipulating, analyzing, and sharing your private (in this case test score and performance data) for profit!

One of my colleagues in Washington, DC believes that the Princeton Review should be hit with a severe punitive class action law suit on behalf of the almost 100 K students whose information was breached. Remember, we don't know who accessed this information or what they have done with the data they gleaned from these records. It could already be off in Cyberspace getting prepared for sale on one of many criminal identity and private data sites that abound all over the world for just this purpose.

My colleague and friend also believes that Congress needs to pass serious legislation that puts a much more protective wall around the cavalier, commercial use of peoples private data.

Thursday, August 14, 2008

The Complexities on an Online Crime Ring

These guys are as efficient and professional as any major multinational, global company!

they certainly are smarter business people than our dear, old, rusting, failing auto industry.

OH the betrayal! Here is the truth in a nutshell.
"As an international ring of thieves plundered the credit card numbers of millions of Americans, investigators struggled to figure out who was orchestrating the crimes in the United States.

When prosecutors unveiled indictments last week, they made a stunning admission: the culprit was, they said, their very own informant.

Albert Gonzalez, 27, appeared to be a reformed hacker. To avoid prison time after being arrested in 2003, he had been helping federal agents identify his former cohorts in the online underworld where credit and debit card numbers are stolen, bought and sold.

But on the sly, federal officials now say, Mr. Gonzalez was connecting with those same cohorts and continuing to ply his trade, using online pseudonyms — including “soupnazi” — that would be his undoing. As they tell it, Mr. Gonzalez had a central role in a loosely organized online crime syndicate that obtained tens of millions of credit and debit card numbers from nine of the biggest retailers in the United States."

When you read the story (see link to NY Times see link below) you'll cringe and you'll say "That's kinda what happened to us in Iraq where a bunch of lying weasels lied about Saddam Hussein's Weapons of Mass Destruction!" Yeah. Betrayed by the snake! (Biblical reference).

New York Times article -

No, in case you were wondering, this is not the same Albert(o) Gonzales who was US Attorney general!

Tuesday, August 12, 2008

Passwords Don't work!

Oh no! Once again we find that our "best practice" for security on the Net are worthless! When will all this end.

Here is the gist of the problem:
"Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites."

"The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see."
Passwords are OUT! NY Times article. NOW go ahead and read the full article.

Labels: , , , , ,

Monday, August 11, 2008

Are Hackers Bad or Good? Boston and the MIT "T" Hackers


Here is the basic story as reported by thenoiseboard.com:
"The state of Massachusetts has asked a federal judge for a temporary restraining order preventing three MIT students from giving a presentation on Sunday about hacking smartcards used in the Boston subway system. The students are scheduled to give a presentation at the Defcon conference that they said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created. Massachusetts' request to halt the Defcon presentation was scheduled to be heard by a federal judge in Boston on Saturday. The suit, filed on Friday, also names the Massachusetts Institute of Technology as a defendant."


The Boston Glob article (link below) is very interesting because it takes this incident and asks some interesting questions about the role of hackers. Myself, I find it interesting that students so smart they can get into MIT are hacking - they see it is a service to expose security weaknesses. Government (in this case the Massachusetts transit people, want to silence and even punish hackers.

May the debate continue!


T -Interesting Comments by MIT student on "helping" by hacking!

August 10, 2008
You need to also check out the hacker conference. Are they a threat to us or are they the "testing service" for IT and Internet security holes? "Created in 1993, DEFCON claims on its website, www.defcon.org, to be the oldest continuously running hacker convention in the world, drawing 3,000 to 5,000 people annually."

I suggest that we cooptate hackers and use their energy and skills to help us build a better Internet and security envelope.

Sunday, August 10, 2008

The Big Enchiladas Get Caught!

We've dribbling out cases of spammers and hackers recently arrested. Now we can report on the largest ID theft case in history!



11 are charged with massive ID theft:
41 million credit card numbers allegedly stolen in global theft ring

This is the version in The Boston Globe, August 6, 2008

A ring of people spread across the globe hacked into nine major US companies and stole and sold more than 41 million credit and debit card numbers from 2003 to 2008, costing the companies and individuals hundreds of millions of dollars, federal law enforcement officials said yesterday.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," US Attorney General Michael Mukasey said at a news conference at the John Joseph Moakley US Courthouse in Boston.

A grand jury indictment released yesterday charged that Albert "Segvec" Gonzalez of Miami, the alleged ringleader, and his 10 conspirators cruised around with a laptop computer and tapped into accessible wireless networks.

They then hacked into the networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords, and account information, officials said.

In addition to Gonzalez, two other Miami residents were charged in Boston and eight other alleged conspirators were charged in San Diego. The defendants - one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin - allegedly concealed the data in encrypted computer servers they controlled in Europe and the United States. They sold some of the numbers, via the Internet, to other criminals, authorities alleged.

The suspected hackers also encoded some of the stolen numbers on the magnetic strips of blank credit or debit cards, which were then used to withdraw tens of thousands of dollars from ATM machines, officials said.

It was not clear how much of the stolen information had been used.

Rene Palomino Jr., a Miami lawyer representing Gonzalez, said his client will be proven innocent. "The government will have an uphill battle to prove their allegations," said Palomino, who declined to comment on the specific allegations.

Lawyers for the other men charged in Boston did not return calls.

Part of the scheme came to the public's attention early last year, when TJX, the Framingham-based retailer that runs T.J. Maxx, Marshalls, and other stores, found that credit and debit card information had been stolen from its computer systems.

In a statement yesterday, TJX officials called on credit card companies to improve security measures to protect consumers.

"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," said Sherry Lang, a TJX spokeswoman. "Broader action beyond retailers alone is required to protect consumer data. Banks and the US payment card industry must join retailers and work together."

Lang called for installing proven card security measures that are in use throughout much of the world.

Ted Julian, vice president of strategy and marketing for Application Security Inc. in New York, said the indictments reflect the changing tactics of cyber-criminals. Rather than go after individual consumers, hackers are targeting major retailers, such as wireless networks, to access troves of personal data.

"There are thousands of conduits to customer data. Security isn't working and TJX is the poster child of a big data breach," Julian said. "What is needed is a different approach to secure that data far more directly where it lives."

Officials at BJ's Wholesale Club of Natick, which settled charges in 2005 with the Federal Trade Commission that it failed to take appropriate security measures to protect the sensitive information of thousands of its customers, said they are pleased by the case's progress.

"We instituted significant system upgrades . . . and we are continuously employing measures to help protect data against the ever-increasing sophistication of thieves," the company said in a statement.

At yesterday's news conference, Mukasey said that over the past three years, officials and undercover agents from various federal agencies received help from investigative agencies worldwide.

"The message is simply this: We will track you down wherever you are in the world," Mukasey said. "We will see that you are arrested, and you will go to jail."

Officials said Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. The Secret Service later discovered that Gonzalez, who was working as a confidential informant for the agency, had become involved in the credit card theft case. He is now in a federal prison in New York awaiting trial on related charges.

Christopher Scott and Damon Patrick Toey of Miami were also charged in Boston. Maksym "Maksik" Yastermskiy, Dzmitry Burak, and Sergey Storchak of Ukraine; Aleksandr "Jonny Hell" Suvorov of Estonia; Hung-Ming Chiu and Zhi Zhi Wang of China; Sergey Pavlovich of Belarus; and a person known only by the online nickname of "Delpiero" were charged in San Diego.

The indictments charge the defendants with crimes related to the sale of the stolen credit card data. Charges included conspiracy to possess unauthorized access devices, possession of unauthorized access devices, trafficking in unauthorized access devices, identity theft, aggravated identity theft, aiding and abetting, trafficking in unauthorized access devices, conspiracy to launder monetary instruments, and trafficking in counterfeit access devices.

The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak, and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, China, the Philippines, and Thailand. The indictments allege Yastremskiy earned more than $11 million from his illicit operation.

In May, prosecutors charged Gonzalez, Suvorov, and Yastremskiy with hacking into computer networks run by the Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations. They allegedly gained access to the cash register terminals and installed at each restaurant a computer code configured to capture credit and debit card numbers as the restaurants processed them.

At one restaurant, the so-called "packet sniffer" captured data for about 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards, authorities said.

Richard Walega, a New Bedford city employee who had $6,700 in fraudulent charges appear on his bank card weeks after shopping for Christmas presents at a T.J. Maxx store in Westborough in 2006, said he was "aghast" at the scope of the crimes.

Walega said he hasn't returned to T.J. Maxx and is still awaiting a settlement from the company, which has offered vouchers, cash benefits, credit monitoring, identity theft insurance, and reimbursements to eligible victims.

"It's totally mind-boggling," he said. "I hope this is the end of the trail."

That our security systems have been so porous and weak is the real story here. that corporations still don't have robust defenses against ID theft is the tragedy!

Labels: , , , , , , , ,

Wednesday, August 06, 2008

Russian Gang Hijacking PCs in Vast Scheme

This is how the story starts:Link
A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords and do other forms of damage, according to computer security investigators.
The rest of this scary and excellent story can be found at the New York Times, Russian Gang -

Monday, August 04, 2008

Another Hacker Falls!

The Globe and Mail reported the demise of another hacker. This represents a new stage in the fight against identity theft and intrusions into sensitive sites. Some believe that hackers actually play an important role in calling attention to vulnerabilities in information security. Others poo-poo this perspective, pointing out that most hackers are not doing it for fun but to cause harm and damage.

British hacker loses extradition appeal

Associated Press

LONDON — Some call it the biggest hack of military computers; perhaps it was just a big embarrassment.

Gary McKinnon — accused of breaking into military and NASA computers in what he claims was a search for UFOs, allegedly causing nearly $1 million in damage — has lost his appeal for extradition to the United States.

McKinnon, 42, an unemployed computer administrator, allegedly broke into 97 computers belonging to the U.S. Army, Navy, Air Force, and Department of Defence from a bedroom in a north London home.

His attacks between 2001 and 2002 allegedly shut down the Army district responsible for protecting Washington, and cleared logs from computers at the Naval Weapons Station Earle in New Jersey that tracks the location and battle-readiness of Navy ships.

That last attack, coming immediately after the Sept. 11, knocked out the station's entire network of 300 computers. NASA and privately owned computers also were damaged, prosecutors said, putting the total cost of his online activities at $900,000.

At the time of his indictment, prosecutor Paul McNulty said McKinnon pulled off “the biggest hack of military computers ever — at least ever detected.”

In his defence, McKinnon, known online as SOLO, said he was trying to expose security weaknesses and uncover evidence of UFOs.

“I was a man obsessed,” McKinnon wrote on The Guardian newspaper's Web site last year, describing a year spent trying to break into U.S. military systems: eight hours a day at a computer in his girlfriend's aunt's house while unkempt, drinking beer and smoking marijuana.

In interviews, he claimed that his hacking uncovered photographic proof of alien spacecraft and the names and ranks of “non-terrestrial officers.”

Prosecutors accuse him of deliberately trying to intimidate the U.S. government by tearing through their networks. They pointed to a note written by McKinnon — and left on an Army computer — attacking U.S. foreign policy as “akin to government-sponsored terrorism.”

“It was not a mistake that there was a huge security stand down on Sept. 11 last year,” he wrote. “I am SOLO. I will continue to disrupt at the highest levels.”

McKinnon was caught in 2002 after some of the software used in the attacks was traced back to his girlfriend's e-mail account. The U.S. sought his extradition, a move his lawyer Claire Anderson claimed Wednesday was motivated by the government's desire to “make an example” of a man who humbled officials in Washington by hacking into their systems using off-the-shelf office software and a dial-up modem.

Aspects of American cyber-security had been shown up as “really shameful,” with some computers not even password-protected, said Graham Cluley, a security consultant with Sophos PLC.

He said the United States appeared to be pursuing McKinnon in an effort to flexing its legal muscle to the hacking community, which has watched the case with interest.

“The overriding message is: You shouldn't mess with American government and military computers, particularly right after Sept. 11,” Cluley said.

McKinnon's lawyers had hoped to hold any trial in Britain, saying he could be dragged before a military tribunal or even end up at Guantanamo Bay.

In their appeals, they said McKinnon was warned by U.S. officials that he would not be allowed to serve any part of his sentence in Britain unless he agreed to co-operate with his extradition. That, they argued, amounted to an unlawful threat and abuse of process.

Not so, Britain's House of Lords said Wednesday. Lord Brown, writing for Britain's highest court, said plea bargaining could only be called an abuse of process “in a wholly extreme case.”

“This is far from being such a case,” he said.

While the decision exhausts McKinnon's legal options in Britain, Anderson said she would appeal to the European Court of Human Rights in Strasbourg, France. She said British authorities had agreed to keep McKinnon in Britain for at least two weeks to allow his lawyers to prepare their application.

“If that fails, then it's off to jail in America for 60 years,” McKinnon told the British Broadcasting Corp. “Rapists and murderers and real terrorists get less.”

Should McKinnon be extradited, he would face trial in Virginia and New Jersey on eight charges of computer fraud.

Each charge potentially carries a sentence of up to 10 years in prison and $250,000 in fines. However, U.S. sentencing guidelines would likely recommend a much lighter sentence.

Legal action against hackers could help to reduce the surge of attacks against critical information. International cooperation in this law enforcement is especially critical since these crimes cross all national borders.

Sunday, August 03, 2008

False ID Cards - identity fabrication!


"Postville, Ia. — Federal agents who raided the Agriprocessors meatpacking plant here in May found evidence that a human resources department employee helped distribute false immigration documents to workers, court papers say.

The agents said they found about 96 fraudulent resident-alien cards in the human resources department. Many of the cards were grouped in stacks. Most of the cards, commonly known as green cards, appeared to have been made by the same forger, the court papers say.
This is a very common problem but usually company HR departments are not as blatantly involved in creating, procuring, and/or issuing false US immigration ID cards. One of the key reasons for ICE raids on companies in the United States is now ID theft. We need more information but it is likely that many of these ID cards are actually fabricated, fake identities rather than "stolen" identities.

Interesting Footnote: We have recently learned that most of the illegal workers did not even know what a Social Security Card is used for (they were asked after their arrest) and any of them cannot read or write in Spanish or English so the ID thieves and forgers were the people working for the company - the employers. But, none of them have been charged or arrested. HMM. Go figger!





Labels: , , , , , , ,

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft