Tuesday, October 28, 2008

Why Are YOUR Secrets on eBay?!

Jennifer L. Schenker in Paris wrote a short piece in Business Week titled "Are Your Secrets On eBay?" (Nov 3, 2008).

We have already written about some of this in both of our ID theft books but this is more confirmation of the on-going risk to people selling stuff that may have sensitive information (such as laptops, smart phones, "CrackBerry's", cell phones, and other devices that can store or manage data).

"Too many employees fail to erase or encrypt sensitive data on their mobile devices before tossing them out, say researchers from British phone company BT Group, the University of Glamorgan in Wales, and Edith Cowan University in Australia. To prove its point, the team recently purchased 161 discarded handheld devices from online auction sites and secondhand outlets in Britain and Australia."

"One in five, found the researchers, contained details about salaries, company finances, business plans, or board meetings. A BlackBerry once owned by the European sales director of a major Japanese firm, for instance, had the goods on company clients, as well as the executive’s bank account numbers—along with his car make and registration. “My generic advice to people is to delete your data, but the reality is not that simple,” says Andy Jones, BT’s head of information security research. “Someone inside corporations has to set policy and tell people exactly what they should do when they get rid of mobile devices.”"

So the solution is obvious. We have been trying to convince companies, hospitals, and colleges to follow STRICT data killing techniques when they dispose of anything that can compromise confidential information. Thanks to the National Science Foundation (NSF) and the Iowa State University Center for Information Protection (CIP) we are almost there with a robust national education and information security training model.

Please stay tuned and let us know if you and your company have an interest in this program.

Monday, October 27, 2008

On October 21, 2008 the New York Times reported that "A Robot Network Seeks to Enlist Your Computer." This piece by John Markoff is interesting and also frightening for those of us concerned with identity theft.

REDMOND, Wash. — In a windowless room on Microsoft’s campus here, T. J. Campana, a cybercrime investigator, connects an unprotected computer running an early version of Windows XP to the Internet. In about 30 seconds the computer is “owned.”

An automated program lurking on the Internet has remotely taken over the PC and turned it into a “zombie.” That computer and other zombie machines are then assembled into systems called “botnets” — home and business PCs that are hooked together into a vast chain of cyber-robots that do the bidding of automated programs to send the majority of e-mail spam, to illegally seek financial information and to install malicious software on still more PCs.

Botnets remain an Internet scourge. Active zombie networks created by a growing criminal underground peaked last month at more than half a million computers, according to shadowserver.org, an organization that tracks botnets. Even though security experts have diminished the botnets to about 300,000 computers, that is still twice the number detected a year ago.

The actual numbers may be far larger; Microsoft investigators, who say they are tracking about 1,000 botnets at any given time, say the largest network still controls several million PCs.

“The mean time to infection is less than five minutes,” said Richie Lai, who is part of Microsoft’s Internet Safety Enforcement Team, a group of about 20 researchers and investigators. The team is tackling a menace that in the last five years has grown from a computer hacker pastime to a dark business that is threatening the commercial viability of the Internet.

Any computer connected to the Internet can be vulnerable. Computer security executives recommend that PC owners run a variety of commercial malware detection programs, like Microsoft’s Malicious Software Removal Tool, to find infections of their computers. They should also protect the PCs behind a firewall and install security patches for operating systems and applications.

Even these steps are not a sure thing. Last week Secunia, a computer security firm, said it had tested a dozen leading PC security suites and found that the best one detected only 64 out of 300 software vulnerabilities that make it possible to install malware on a computer.

Botnet attacks now come with their own antivirus software, permitting the programs to take over a computer and then effectively remove other malware competitors. Mr. Campana said the Microsoft investigators were amazed recently to find a botnet that turned on the Microsoft Windows Update feature after taking over a computer, to defend its host from an invasion of competing infections.

Botnets have evolved quickly to make detection more difficult. During the last year botnets began using a technique called fast-flux, which involved generating a rapidly changing set of Internet addresses to make the botnet more difficult to locate and disrupt.

Companies have realized that the only way to combat the menace of botnets and modern computer crime is to build a global alliance that crosses corporate and national boundaries. On Tuesday, Microsoft, the world’s largest software company, will convene a gathering of the International Botnet Taskforce in Arlington, Va. At the conference, which is held twice a year, more than 175 members of government and law enforcement agencies, computer security companies and academics will discuss the latest strategies, including legal efforts.

Although the Microsoft team has filed more than 300 civil lawsuits against botnet operators, the company also relies on enforcement agencies like the F.B.I. and Interpol-related organizations for criminal prosecution.

Last month the alliance received support from new federal legislation, which for the first time specifically criminalized the use of botnets. Many of the bots are based in other countries, however, and Mr. Campana said there were many nations with no similar laws.

“It’s really a sort of cat-and-mouse situation with the underground,” said David Dittrich, a senior security engineer at the University of Washington Applied Physics Laboratory and a member of the International Botnet Taskforce. “Now there’s profit motive, and the people doing stuff for profit are doing unique and interesting things.”

Microsoft’s botnet hunters, who have kept a low profile until now, are led by Richard Boscovich, who until six months ago served as a federal prosecutor in Miami. Mr. Boscovich, a federal prosecutor for 18 years, said he was optimistic that despite the growing number of botnets, progress was being made against computer crime. Recent successes have led to arrests.

“Every time we have a story that says bot-herders get locked up, that helps,” said Mr. Boscovich, who in 2000 helped convict Jonathan James, a teenage computer hacker who had gained access to Defense Department and National Air and Space Administration computers.

To aid in its investigations, the Microsoft team has built elaborate software tools including traps called “honeypots” that are used to detect malware and a system called the Botnet Monitoring and Analysis Tool. The software is installed in several refrigerated server rooms on the Microsoft campus that are directly connected to the open Internet, both to mask its location and to make it possible to deploy software sensors around the globe.

The door to the room simply reads “the lab.” Inside are racks of hundreds of processors and terabytes of disk drives needed to capture the digital evidence that must be logged as carefully as evidence is maintained by crime scene investigators.

Detecting and disrupting botnets is a particularly delicate challenge that Microsoft will talk about only in vague terms. Their challenge parallels the traditional one of law enforcement’s placing informers inside criminal gangs.

Just as gangs will often force a recruit to commit a crime as a test of loyalty, in cyberspace, bot-herders will test recruits in an effort to weed out spies. Microsoft investigators would not discuss their solution to this problem, but said they avoided doing anything illegal with their software.

One possible approach would be to create sensors that would fool the bot-herders by appearing to do malicious things, but in fact not perform the actions.

In 2003 and 2004 Microsoft was deeply shaken by a succession of malicious software worm programs with names like “Blaster” and “Sasser,” that raced through the Internet, sowing chaos within corporations and among home computer users. Blaster was a personal affront to the software firm that has long prided itself on its technology prowess. The program contained a hidden message mocking Microsoft’s co-founder: “billy gates why do you make this possible? Stop making money and fix your software!!”

The company maintains that its current software is less vulnerable, but even as it fixed some problems, the threat to the world’s computers has become far greater. Mr. Campana said that there had been ups and downs in the fight against a new kind of criminal who could hide virtually anywhere in the world and strike with devilish cleverness.

“I come in every morning, and I think we’re making progress,” he said. At the same time, he said, botnets are not going to go away any time soon.

“There are a lot of very smart people doing very bad things,” he said.

Sunday, October 26, 2008


Hundreds of Identity Theft Services have hit the market in the past few years, and hundreds of others have done so and failed. Still others have launched, floundered, renamed, changed costume, and returned to the stage.

There is one in particular into which I am looking, and with which I need your help -- Identity Watchdog (formerly ID Rehab), both out of Denver, Colorado. In case it helps, it is my further understanding that the company founders (father/son) also own and operate a credit repair service in the same building.

If any of my readers can fill in the gaps, please add your comments to this thread.

Also, if you have information on any other company which has not made it under one name, and is now doing business under a different name, please send me the names and locations of those as well.

Why rename your business? Why try to hide your past?


Monday, October 20, 2008

The Supremes Take on ID Theft!

Now ID theft rises to the top. Even the Supreme Court steps up to the plate!

Supreme Court takes on 'aggravated' identity theft

By Bill Mears
CNN Supreme Court Producer

WASHINGTON (CNN) -- The Supreme Court agreed Monday to examine whether prosecutors can aggressively prosecute illegal immigrants for identity theft if they didn't know the documents they were given belonged to someone else.

The justices announced they will hear arguments in the appeal of a Mexican national arrested in a government work site raid in the Midwest. A ruling is expected by June.

At issue is whether people who use fake IDs to obtain work in the United States but did not know the documents belonged to someone else can be convicted of "aggravated identity theft."

Stealing personal identification such as Social Security numbers is illegal, but federal courts around the country are divided over how to treat people who buy them on the black market. Federal law states that for aggravated identity theft to occur, it must be proved that a person "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person."

Many criminals steal a person's identification to empty his or her bank account or falsely obtain loans or credit.

Lawyers for the detained illegal immigrants say their clients simply used numbers picked "out of thin air" that happened to belong to another person. They used the numbers only to obtain work, not to steal money, the lawyers said.

The Justice Department argues its prosecutors need not prove "knowledge" that the documents belonged to someone else instead of being fabricated.

The difference could mean an additional two years in federal prison under an enhanced sentence. Most workers with false papers serve only a few months behind bars, and many are then deported.

At stake is the government's crackdown on undocumented workers, most of whom must rely on fake IDs to obtain employment.

The case before the justices involves Mexican immigrant Ignacio Flores-Figueroa, who worked at a steel plant in East Moline, Illinois. He was arrested with phony Social Security and alien registration cards that had been assigned to someone else. He admitted obtaining the documents but said he did not know they were someone else's. He was convicted and sentenced to 75 months in prison.

The court did not act on a similar appeal from a Mexican national who was arrested during a raid on a meat processing plant in Iowa, the largest criminal workplace enforcement operation in U.S. history. Nicasio Mendoza-Gonzalez was among 389 people arrested, most of whom were given five months in prison.


Sunday, October 19, 2008

How are we going to get enforcement against ID Theft?!

From the NY Times - Very bad news regarding the ability of the federal government to help get the bad guys - big and small and for our purposes the ID theft crooks who are lurking out there every day of the week. You government slashers, don't we need more white hats to fight the bad guys?! C'mon Git 'Er Done!

WASHINGTON — The Federal Bureau of Investigation is struggling to find enough agents and resources to investigate criminal wrongdoing tied to the country’s economic crisis, according to current and former bureau officials.


The bureau slashed its criminal investigative work force to expand its national security role after the Sept. 11 attacks, shifting more than 1,800 agents, or nearly one-third of all agents in criminal programs, to terrorism and intelligence duties. Current and former officials say the cutbacks have left the bureau seriously exposed in investigating areas like white-collar crime, which has taken on urgent importance in recent weeks because of the nation’s economic woes.

The pressure on the F.B.I. has recently increased with the disclosure of criminal investigations into some of the largest players in the financial collapse, including Fannie Mae and Freddie Mac. The F.B.I. is planning to double the number of agents working financial crimes by reassigning several hundred agents amid a mood of national alarm. But some people inside and out of the Justice Department wonder where the agents will come from and whether they will be enough.
I am a smaller government guy myself but NOT in areas of security, safety, and law enforcement!



Monday, October 13, 2008

Employees cause most corporate data loss

According to a new study from Compuware, IT departments should be rewarded—only 1 percent of corporate data losses this past year were due to hackers. Unfortunately, the buck doesn’t end there. Employees are the largest cause of data breaches, but IT managers also listed outsourcing and malicious employees as two significant reasons why data breaches often occur.

Compuware reports that of the 1,112 IT practitioners it surveyed, 79 percent reported that their organization had experienced at least one data breach.

This paper also has a couple very interesting graphs (courtesy of arstechnica.com) in it. One is the confidence level that all security breaches, which result in loss of personal information, are being detected by the organization (31% of people are not confident).

And then we get to the key data, who is responsible?

This obviously makes some sense, given that the IT department wasn't hired to teach Security 101 and focuses much more on preventing technological security breaches. Companies need to hire an almost equal number of employees to deal with training and to prevent data loss from a negligent employee!


Saturday, October 11, 2008

Stop, Thief!


Identity-theft threats seem to be a constant, thanks to porous networks and laid-back users. But there are some key strategies campus leaders can use to help keep the bad guys at bay.

By Elizabeth Millard, University Business, October 2008

“Identity theft may not be your fault, but it could be your problem,” says Dan Holden of IBM’s X-Force research group, which examines identity theft. “It’s hard for any organization to achieve a high level of prevention and control, but it’s worth the effort to try.”

Although many higher ed institutions lock down their networks, eschew the use of Social Security numbers as identifiers, and train IT staff to protect student privacy, identity theft is still widespread on college campuses, Holden notes.

Still, there are ways administrators can—and should—help protect students, staff, guests, and their own good names from falling into the digital hands of identity thieves. Here are six prevention practices.

1. Pinpoint different perspectives on privacy.

IT needs to protect a range of users, from professors on the brink of retirement to 18-year-olds who have just claimed their side of the dorm room, and it is useful to understand that different groups have unique perceptions of what constitutes private information. “Kids raised on Facebook and MySpace don’t have much of an idea of privacy. They believe everything is up for public consumption,” says Stephen Katz, founder and president of the consulting firm Security Risk Solutions and former chief information security officer at Citibank.

Students may also feel that if a breach does happen, they’ll be protected anyway, a view that has been bolstered by the type of identity-theft control provided by credit card companies and banks. Having a strong grasp of what students believe about privacy will help shape user education efforts, Katz notes. “They learn not to go into each other’s lockers and backpacks, so they need to shift that learning to data, and realize that some things really should be kept private.”

2. Create formal education workshops.

Distributing information online or in printed form about identity theft might get some students and staff members to pay attention, but making education mandatory will net even more.
Iowa State University officials, for example, are pilot testing a two-hour online identity theft seminar that students, and even parents, can take. The material was developed through testing with law enforcement and insurance industry representatives, notes Steffen Schmidt, professor of political science at ISU and co-author of The Silent Crime: What You Need to Know About Identity Theft (Twin Lakes Press, 2008). “The workshop reminds people that this type of theft is a massive, exploding problem that’s almost out of control now,” he says. “People always think it won’t happen to them, and they don’t think it’s a really serious issue.”

To tailor the course toward students, Schmidt and others at ISU focused on how students conduct themselves online, pointing out how information sharing can lead to potential personal data breaches.

For IHEs who are developing their own efforts, Schmidt advises getting to know students’ habits to make the workshops or seminars more relevant. For instance, if many students use Facebook, a program could play up the dangers of sharing information on that site.

Also important is to address social engineering situations that could result in identity theft, such as sharing a password with a visiting friend or giving out personal information to a new roommate. After all, in 2007, one-third of all identity theft was done by someone known to the person whose identity was stolen, notes Matt Shanahan, senior vice president of marketing and strategy of software provider AdmitOne Security. Say a friend of a friend requests a password for access to a WiFi connection. “Now you’re vulnerable, because he or she can access all your files, and essentially become you,” he says. Describing these types of scenarios will be helpful for students, because they can see themselves in the situation, rather than talking in generalities.
Even one piece of information can be dangerous, since thieves may have several parts of what they need and require only one more, such as a person’s bank routing information or mother’s maiden name, says IBM’s Holden. “There’s been a lot of phishing activity lately, where someone gets an e-mail that’s supposedly from their bank or the IRS, where they’re supposed to call and just verify some info,” he says, noting that this combination of e-mail messages with phone confirmations is increasing, since many people are aware they shouldn’t be giving out bank information or personal details over e-mail. “They might think that because they’re talking to a real person, it’s legitimate,” he explains.

Another useful user education tactic, according to experts, is to highlight how an individual could be affected financially by identity theft. For example, students should learn that a hit to their credit rating could change financial aid in the next semester. Encouraging students and staff to check their bank transactions online frequently, and to look over their credit reports at least once or twice per year, can create better awareness about keeping their identities safe.
Even highlighting tactics as simple as not using laptop bags (since they’re bull’s-eye targets for thieves) and putting cable locks in place can be helpful.

Parents can also be involved. According to Schmidt, many parents have expressed interest in taking ISU’s ID theft seminar. Since personal data is often part of student aid packages and enrollment, parents and guardians are at risk as well. They can therefore be powerful allies in convincing students to take more care in how they share information.

3. Rediscover encryption.

A major security measure has been the use of encryption, which takes data and attaches long strings of numbers and text so that the information can’t be understood by unauthorized users—it needs to be decrypted to get the true data. But slapping on all this extra digital gobbledygook to numerically-based data has been tricky, Katz says. For example, credit card or Social Security numbers would get lost when an encrypted data string would swell to a format long enough to provide security, he says.

Commonsense ID Theft Prevention Tips
- Buy a shredder and use it to destroy all personal information or mail before throwing it away, particularly credit card offers or forms that include Social Security numbers.
- Don't throw credit card receipts in the trash.
- Change passwords monthly, and choose ones that won't be obvious, such as ones that include your birthday or your pet's name.
- Don't carry extra credit cards, Social Security cards, passports, or other documents unless necessary.
- If possible, pick up new checks at the bank rather than having them sent to your home.
- Limit the number of credit cards you own, and cancel any inactive accounts.
- Keep a list of credit card accounts and bank accounts in a safe place, so you can call the companies if cards are missing or stolen.

But recently, Format Preserving Encryption (FPE) has been introduced, allowing ID numbers or bank routing info to be intact and maintain “referential integrity,” explains Katz. With FPE, a school can integrate data-level encryption into legacy application frameworks without the kind of database re-engineering previously required.
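An added illustration of the format-preserving idea described above (not code from the article or from any vendor): a toy Feistel construction over decimal digits, keyed with HMAC-SHA256, turns a nine-digit identifier into another nine-digit string deterministically, so a legacy column and cross-table joins keep working. The key, tweak, schema check and sample records are constructed assumptions, and this sketch is not NIST FF1; production systems should use a vetted implementation of a standardized FPE mode.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end at their starting lengths (sketch value)
DIGITS = "0123456789"


def _check(digits: str) -> None:
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("expected a string of at least two decimal digits")


def _prf(key: bytes, tweak: bytes, rnd: int, total_len: int, half: str, modulus: int) -> int:
    """Round function: HMAC-SHA256 over the round context, reduced mod 10**m."""
    msg = b"|".join([str(rnd).encode(), str(total_len).encode(), half.encode(), tweak])
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus


def encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Map an n-digit string to another n-digit string (a keyed permutation)."""
    _check(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in range(ROUNDS):
        m = len(a)
        # Add a keyed value derived from the other half, staying inside 10**m.
        c = (int(a) + _prf(key, tweak, rnd, n, b, 10**m)) % 10**m
        a, b = b, str(c).zfill(m)
    return a + b


def decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Run the rounds backwards, subtracting what encryption added."""
    _check(digits)
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        prev = (int(b) - _prf(key, tweak, rnd, n, a, 10**m)) % 10**m
        a, b = str(prev).zfill(m), a
    return a + b


# Constructed sample records: (nine-digit identifier, value). Not real data.
ENROLLMENT = [("000123456", "student A"), ("000987654", "student B")]
FINANCIAL_AID = [("000987654", 4200), ("000123456", 1500)]


def join_on_id(left, right):
    """Inner join of two (id, value) tables on the id column."""
    lookup = dict(right)
    return [(value, lookup[ident]) for ident, value in left if ident in lookup]


def protect(table, key, tweak):
    """Replace the plaintext id column with its format-preserving ciphertext."""
    return [(encrypt_digits(key, tweak, ident), value) for ident, value in table]


def fits_legacy_column(value: str) -> bool:
    """The check a legacy nine-digit numeric field would apply (assumed schema)."""
    return len(value) == 9 and all(ch in DIGITS for ch in value)


if __name__ == "__main__":
    key, tweak = b"constructed demo key", b"student-id"
    enc_a, enc_b = protect(ENROLLMENT, key, tweak), protect(FINANCIAL_AID, key, tweak)
    print(enc_a)
    print(all(fits_legacy_column(i) for i, _ in enc_a))
    print(join_on_id(enc_a, enc_b) == join_on_id(ENROLLMENT, FINANCIAL_AID))
```

Determinism is what keeps the joins intact, and it also means equal identifiers stay visibly equal in ciphertext, so access to the key and to the encryption function still has to be controlled.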

Another big encryption breakthrough has been encrypted USB drives. These little portable storage units, sometimes called flash drives or thumb drives, have sometimes been the bane of IT departments, since they can carry viruses that could infect a network. Also, if a lost or untended thumb drive is found, any personal data could be retrieved simply by plugging the drive into the nearest computer.

At Boston Medical Center, a university research hospital, the use of drives is widespread, and IT Director Brad Blake has instituted a policy that only drives with encryption are allowed to be used. “Locking down data on USB drives isn’t easy, but it’s part of what can make data more secure,” he says. “It’s similar to having a policy on anything that can be carried around and potentially lost.”

Students should be informed that any device—such as an iPhone, iPod, or cell phone—can contain data that could be used for identity theft. Education efforts should cover ways to protect these and USB drives as a good backup to encryption.

4. Establish a risk and compliance group.

Top ID-Related "Don'ts" for Students and Staff
Even sharing some quick tips for students and staff will help them be more adept at identity protection. The creators of Identity Finder security software, which searches through files and e-mail for personal data so it can be shredded, offer these cautions to share with end users:
- Don't store personal information on your computer unprotected.
- Don't share personal data, such as Social Security number or even birth date, on MySpace or Facebook.
- Don't assume the school can protect you completely.
- Don't forget to configure peer-to-peer file sharing programs so they're secure.
- Don't neglect to perform software updates and fixes weekly or monthly, if these are not handled by the school's IT department.
- Don't leave your laptop unattended.
- Don't click on e-mail messages that contain hyperlinks to websites.
- Don't enter private information on public computers, such as those in the library.
- Don't e-mail or instant message personal info, since these communications are usually not secure.

Responsibility for identity protection is shared among users, IT staff, software providers, and others, but to truly create a strong strategy that includes education initiatives and technology purchasing, a separate group should be created, according to Shanahan.

“For the best protection, there should be an integrated strategy that looks at the issue from end-to-end,” he says. “That’s in contrast to each department coming up with their own approach. Until someone owns it and does risk management, you’ll always be patching up the holes that will inevitably occur.”

Part of the risk management group’s effort should be the creation of a centralized data warehouse, he says, which prevents the kind of fragmentation that occurs when data is in departmental silos. Shanahan has seen many universities pool data in this way and develop risk management committees that address security policies and procedures. “Think of identity protection in a holistic way,” he advises. “Creating more unity will make fraud-monitoring tools more effective and give more clout to user education.”

5. Find ways to secure public computers.

Many students and staff have their own computing resources, but there’s also dependence on public machines, such as those found in libraries, and ensuring that these machines are safe can be tricky, says Steven Zink, vice president of information technology and dean of University Libraries at the University of Nevada, Reno. “I’ve seen people walk away from a terminal with all their personal information still on the screen, even banking data,” says Zink. “Sometimes they just get distracted and don’t even think about it.”

The university uses Deep Freeze, a security program from Faronics that resets a computer to its original settings on a regular basis. This erases any stored cookies, input data, and even malware and viruses that may have crept into the computer while it was idle.

6. Create a loss prevention plan.

A working group should address how to deal with lost or stolen laptops—a common way for information to be obtained by thieves. This type of loss is particularly challenging because laptops are so popular, notes David Hawks of Absolute Software, maker of Computrace laptop security software, which can detect changes in hardware (including missing computer memory or drives) and helps track and recover stolen computers. “People are putting their personal information on university assets like laptops, so there need to be added security measures,” Hawks says. “From an identity thief’s perspective, getting a machine is ideal, because not only will it have university information, but also a user’s personal data like passwords, banking information, and credit card numbers.”

Even if there’s some encryption, it can be fairly easy for thieves to use computer forensic tools to tweeze out valuable data, he adds. Using a program to wipe data remotely is a strong option, and establishing procedures for erasing data from broken or donated machines is crucial. Some laptops that land on eBay still have plenty of usable information even though a user might have put personal files in the digital trash.

“To create enough identity protection, you need a layered approach, where there are best practices around password security, encryption, user education, and loss prevention,” says Hawks. “You’d be amazed at how many people don’t know how to protect their data, so an IT department has to do everything possible to do the protection for them.”

Elizabeth Millard, a Minneapolis-based freelance writer, specializes in covering technology.

Absolute Software, www.absolute.com
AdmitOne Security, www.admitonesecurity.com
Faronics, www.faronics.com
IBM X-Force, http://tinyurl.com/6aa22x
Identity Finder, www.identityfinder.com
IdentityTruth, www.identitytruth.com
Security Risk Solutions, www.securityrisksolutions.com


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft