Remember, records are made to be broken...
Swedish bank hit by 'biggest ever' online heist
By Tom Espiner Story last modified Fri Jan 19 10:48:28 PST 2007
Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona--up to $1.1 million--in what security company McAfee is describing as the "biggest ever" online bank heist.
Over the last 15 months, Nordea customers have been targeted by e-mails containing a tailor-made Trojan, said the bank.
Nordea believes that 250 customers [$4,400 per customer. Bob] have been affected by the fraud, after falling victim to phishing e-mails containing the Trojan. According to McAfee, Swedish police believe Russian-organized criminals are behind the attacks. Currently, 121 people are suspected of being involved.
The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.
Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.
After the users entered the information an error message appeared, informing them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea Web site to take money from customer accounts.
According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia. [Tracing e-criminals won't be easy... Bob] Police believe the heist to be the work of organized criminals.
Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus applications on their computers. The bank has borne the brunt of the attacks and has refunded all the affected customers.
Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea's security procedures. [The bank had no control over their client's actions. But they could have prevented this... Bob]
... In an effort to combat fraud, most banks have a policy of monitoring the behavior of people claiming to be their customers, so that unusual transaction behavior can be investigated and halted if fraudulent.
Nordea was aware [suspected? Bob] that some of the attempted transactions were false because of the large sums involved. However, during a period of 15 months a large series of small transactions enabled the criminals to successfully transfer a huge sum overall.
"In some cases we saw the transactions were false, and in some cases we didn't," said Ehlin. "We can't look at every transfer, [Your computer system does. Bob] and it looked like our customers had made the transfer. Most of the cases were small amounts that we thought were ordinary. We lost approximately seven to eight million krona."
Nordea has two million Internet banking customers in Sweden. The police investigation is underway, and the bank is currently reviewing its security procedures.
Another new record?
Ladies And Gentlemen, We May Have A New Winner For Most Credit Card Data Leaked
from the congrats-all-around dept
There was some talk yesterday about how TJX, the parent company for discount clothing stores T.J. Maxx, Marshalls and some others had lost some credit card data after their systems were hacked. Today, additional information is starting to come out suggesting that this may take the lead as the largest single set of compromised credit card data, reaching even beyond the 40 million or so records lost by CardSystems a few years back. Since those responsible for that data loss only got a slap on the wrist, perhaps it's not surprising that others haven't done much to beef up credit card security. In fact, another article on this story claims that, despite strict guidelines from Visa and Mastercard for how this type of data needs to be handled only 31% actually comply with the guidelines -- and apparently TJX is among those who don't comply (big surprise there). Since it's apparent that not much has happened in the past few years to better protect our data, expect plenty of fretting over what this means and how to do a better job... until enough people forget about it, and we're all set up for a year or two down the road when we'll have a new winner in the largest single data leak ever.
Does ANYONE think about what they are saying to the press?
Posted on Fri, Jan. 19, 2007
26 IRS tapes missing from City Hall
Records were delivered in August. Trail of where taxpayer data went is under investigation.
By LYNN HORSLEY The Kansas City Star
Twenty-six IRS computer tapes containing taxpayer information are missing after they were delivered to City Hall months ago.
Kansas City is one of hundreds of governmental entities that share taxpayer information back and forth with the Internal Revenue Service. City officials use the federal tax return information to enforce their collection of the 1 percent city earnings tax, which is paid by people who live or work in Kansas City.
City and IRS officials on Thursday either would not or could not say exactly what information is on the tapes or the number of taxpayers whose information is on the tapes. [Experience suggests the answer is “could not say” Bob]
But the information potentially could include taxpayers’ names, Social Security numbers and bank account numbers, or they could contain employer information.
The tapes require special equipment to read [a Tape Reader, available anywhere Bob] and software that is not commonly used, [Nonsense. Any programming language will do... Bob] so the average person could not access the information, said Assistant City Manager Rich Noll.
“We have no reason to believe there was any foul play,” [and no evidence to the contrary Bob] Noll said, although he added he could not rule it out.
Special agents with the Inspector General’s office of the Treasury Department, along with city officials, are investigating the missing tapes, Noll said.
Several Kansas City Council members said Thursday that they had been briefed on the missing tapes but that the matter was too sensitive for them to comment further. [What an asinine statement. Bob]
... Employees in the city’s Office of Management and Budget and the Finance Department were sent home early on Jan. 3 and their offices were searched, but the tapes were not found. [This is a bit unusual, isn't it? Bob]
Noll said he did not think the tapes contained images of tax forms. He said he did not think there was significant risk that sensitive taxpayer information had been inappropriately released, but he could not say there was no risk.
When asked why the city couldn’t provide more information about what type of information was missing, city spokeswoman Mary Charles said the city had never received this type of tape before. [“...and the IRS won't tell us anything about them.” Bob]
“The tapes were never reviewed, [“We seldom do our job,.” Bob] so we don’t know what’s on there,” she said.
The trail of where the tapes went in City Hall is what is under investigation, Charles said. There is no documentation to show that the tapes ever reached the Finance Department, [Control your sensitive data, people! Bob] where they would have been reviewed.
Follow-up. There seems to be a universal tendency to underestimate the loss – a lot!
UTD says more put at risk of ID theft
Computer attack exposed personal data of up to 35,000 people
08:29 PM CST on Friday, January 19, 2007 By HOLLY K. HACKER / The Dallas Morning News
A computer attack at the University of Texas at Dallas was worse than officials first thought. They now say Social Security numbers and other personal information may have been exposed for up to 35,000 faculty, current and former students, staff and others, putting them at risk of identify theft.
Officials said Friday that the names and Social Security numbers of 29,000 library cardholders may have been exposed. That group mainly includes students, faculty and staff, along with a few hundred people who aren't affiliated with UTD but have used its library.
UTD officials first reported the computer attack in December and said 6,000 people were affected.
... There is evidence the attack was "somewhat automated," [Another meaningless phrase? Bob] said Ms. Rogers, who declined to elaborate.
If your were the CEO of TJX, this headline could give you a heart attack...
Give her credit: AG fights off identity theft
By O’Ryan Johnson Friday, January 19, 2007 - Updated: 12:34 AM EST
Dude, you’re not getting a Dell, but you might be getting a cell - a jail cell.
A week before Martha Coakley was sworn in as attorney general, a cyber crook illegally used her credit card number to buy a Dell computer, and a rather pricey one at that.
“I’m sure they didn’t know (she is the state’s top prosecutor) when they took the number,” Coakley said with a chuckle. “I wouldn’t go after the new AG.”
Coakley said she was leaving on a ski vacation a week ago Monday when she got the call from Dell saying someone had ordered a computer worth about $1,250 and had requested it be shipped to an address in Texas.
Coakley said she called Dell and canceled the shipment, telling them she did not order the machine. She said it appears someone stole the information off one of her credit cards and used it to buy the computer. She said the credit card number theft is not related to consumer information stolen from TJX Corp.
“There was no damage done,” she said. “I was lucky to find out before someone went on a shopping spree.”
Coakley said she canceled the card and ordered a new one, and that appears to be the end of it.
She said the chances of catching the crook - even for the state’s top prosecutor - are slim to none, since even if they could link it to a person, jurisdictional issues would likely hamper an effort to prosecute.
“I wasn’t a victim of the conventional form of ID theft, but still I think it’s something a lot of people suffer,” she said, noting that the crook didn’t use her Social Security number to set up lines of credit.
“It can happen fairly easily.”
This is a new one to me...
Institute of Consumer Financial Education
The ICFE has developed the "ICFE Certified Identity Theft Risk Management Specialist" (CITRMS) educational and certification testing program. The main purpose is to comprehensively prepare and equip law enforcement professionals, financial planners and CPA's, resolution advocates, notaries, lawyers, credit and debt counselors, through education, testing and computer software training, with the knowledge and skills necessary to help consumers and businesses fully assess and minimize their present risk of credit and identity theft.
Think this might be useful?
U.S. Department of Education Office of Inspector General Launches New DVD: 'Identity Theft: It's Not Worth It'
FOR RELEASE: January 18, 2007 Contact: Catherine Grant (202) 245-7023
Editor's note: For a free copy of the DVD, please contact the U.S. Department of Education, Office of Inspector General, at (202) 245-7023.
The U.S. Department of Education's Office of Inspector General (OIG) today announced the release of its second DVD on the issue of identity theft in the student financial assistance arena.
Entitled "Identity Theft: It's Not Worth It," the DVD tracks how OIG, together with the U.S. Attorney's Office, U.S. Marshals Service, U.S. Postal Inspection Service, and Truckee Meadows Community College stopped a $1 million financial aid fraud scam, spearheaded by 64-year old grandmother, Ann Armstrong.
Along with four of her children and three of her grandchildren, Armstrong was convicted of using the identities of more than 65 people to fraudulently obtain federal student aid at various colleges in Arizona, Colorado, Maryland, Nevada, and Texas.
From January 2000 to March 2004, the Armstrongs obtained personal identifying information for various people and used it to enroll in distance education/on-line classes at colleges in those states. They applied for federal student loans and grants through the schools using these identities, submitting all information via e-mail or fax.
Checks for the loans or grants were sent in the students' name to addresses provided on the applications which the Armstrongs then picked up, cashed, or deposited into bank accounts using false identification.
The fraudulent scheme was initially reported to the OIG by a financial aid officer at Truckee Meadows Community College in Reno, Nev. The financial aid officer observed that a number of students were applying for financial aid using the same addresses and telephone numbers. [Apparently not a check made at the federal level... Bob] OIG initiated an investigation, ultimately leading to the filing of a criminal complaint and issuance of arrest warrants against the conspirators.
... Since 2003, the OIG, together with the U.S. Department of Education's Office of Federal Student Aid, has conducted a public awareness campaign to alert students, schools, and other financial aid participants about identity theft via the OIG's special Web site, www.ed.gov/misused.
The site provides information on scams, suggestions for preventing identity theft, and resources on how to report identity theft involving federal education dollars.
In 2003 with the assistance of the Arizona Department of Public Safety, OIG produced its first DVD on this issue, entitled, "FSA Identity Theft: We Need Your Help." This report featured an individual incarcerated for student aid fraud who described the techniques he used to steal identities.
These DVDs are made available to schools and student groups, and the media upon request. For more information on the mission and activities of the Office of Inspector General, visit: www.ed.gov/about/offices/list/oig/.
What, me worry? It's not like someone would track me down and punch me in the nose – is it?
Finding Those Local Blogs
by Keith Axline on January 18, 2007 - 11:40am.
The last step in the rise of the blog will be the connection of virtual and real space. Your favorite blogger might be in New York, but if you’re living in Oregon, chances are he’s not going to be covering local ordinances or missing dogs.
This is a crucial step for citizen journalism and the democratic process in general. When supporting local causes is as easy as checking your RSS reader, and when the paths of communication are transparent, the seemingly giant gap between an initial desire for change and actually seeing results evaporates.
So how do you find out who’s blogging in your neighborhood? Many hyperlocal blog directories are sprouting up and existing blog aggregators are growing local searches in order to fill this emerging demand. Here are a few of the better ones. (Don’t see your favorite local blog search here? Let us know in the comments of this post.)
Placeblogger.com: The most recent and promising site on the scene, to which Jay Rosen serves as an advisor, Placeblogger has a slick interface and enough buzz to draw a healthy amount of contributors. The success of any of these sites rests on the amount of participation, and Placeblogger seems to have a lot of momentum. Most of the towns I typed in - large or small - had enough blogs listed to keep me interested. The launch package also included a list of the top 10 placeblogs in the country.
Backfence.com: Though only available in a few cities at the moment, Backfence does a lot of things right. It’s easy to contribute to and navigate the site. The ‘Crime Log’ category and the photo gallery seemed particularly helpful. Backfence is currently in a state of transition, after losing , some of its original management team but is still attempting to expand into other cities as funding allows. If you like their format, you should write in and request they take a look at your city as a potential destination.
Feedmap.net: Feedmap is a little rough around the edges, but it gets the job done. Just type in the location you’re looking for and a map pops up with geotagged feeds from local blogs. It also has tools for adding a local blogroll to your own blog and a map image of your location.
Outside.in: This is my personal fave as far as design and content. It tends to only tap a few blogs in some of the more remote areas, but with more time I could see this becoming a great site. Started by Steven Johnson, co-creator of FEED magazine and Plastic.com, Outside.in is in good hands.
Metroblogging.com: Instead of aggregating other blogs in a particular area, Metroblogging hand-picks a few bloggers in a specific city and sets them up on one of their pre-formatted blogs. While this site doesn’t exactly fit perfectly into this list, the quality of its blogs are excellent and they encourage your participation. You may find other blogs in your area by following your town’s Metroblog.
Topix.net: This site is a great tool for narrowing in on any subject, whether it be local blogs or news stories on a specific subject. Topix works better as a local news aggregator than a blog finder, but I was able to find a few gems that weren’t listed elsewhere. Using their advanced search option you should be able to look up blogs by zip code, but the search results still produce local news sites in addition to great local blogs and the localized forums put you directly in touch with people from your neighborhood.
Blogdigger Local: This site feels a little ghetto, but shared some of the same buzz last year that Placeblogger is enjoying now. It definitely has some unique sites registered, and it could fill some crucial holes in your local blog web.
Technorati: Searching for local blogs is just one of the many features available at Technorati. If you’re specific enough, you can usually get excellent results, but it’s not explicitly geared towards that type of function, so the hits tend to not be as focused. A little work on your part could lead to a very local community of bloggers, but it’s not just sitting there for the taking.
AmericanTowns.com: Recently featured in a New York Times article, American Towns has a great interface, but not much more … yet. There’s a lot of potential here if a wide variety of people actively contribute, but when I looked up San Francisco, for example, the only events listed were religious events posted by local churches.
Miscellaneous: Micah Sifry at Personal Democracy Forum has a great post about this topic, specifically for political blogs. A couple directories he mentions are LeftyBlogs for Democrats and Blogatorium for Republicans. CitizenJournalist.net also has some great links related to this topic, although it’s not a blog directory.
There is a lot of potential in these sites that hasn’t really solidified into a standard function or practice. It reminds me of when e-mail and Internet were available on local BBS’s but no one really knew what to do with them. The localized blog movement needs a MySpace or Friendster to get it going. So far, only Placeblogger seems like it might be that type of site. You can help catalyze the movement by registering as many sites as you can with these services and geotagging your own blog. Happy hunting.
For my Business Continuity students... Looks like you should never rely on computers in coastal California, the gulf coast, or Florida.
January 19, 2007
Where NOT to keep your servers according to Mother Nature
If Mother Nature has anything to say, there simply are some places where you shouldn’t place a data center.
... We decided to look at heat maps for earthquakes, hurricanes and tornadoes in the U.S. to see exactly where the danger areas were located. In addition to that we also composited them to see get the full picture.
More to my liking than DRM – hold the consumer accountable for their actions, but don't restrict them.
Startup Tries Watermarking Instead of DRM
Posted by Zonk on Friday January 19, @02:43PM from the commendable-actions-mean-profits dept. Movies Businesses Technology
Loosehead Prop writes "A U.K. startup called Streamburst has a novel idea: selling downloadable video with watermarks instead of DRM. The system works by adding a 5-second intro to each download that shows the name of the person who bought the movie along with something like a watermark: 'it's not technically a watermark in the usual sense of that term, but the encoding process does strip out a unique series of bits from the file. The missing information is a minuscule portion of the overall file that does not affect video quality, according to Bjarnason, but does allow the company to discover who purchased a particular file.' The goal is to 'make people accountable for their actions without artificially restricting those actions.'"
Why is Colorado the home of e-voting machine certification? (Why haven't any machines been ISO certified before?)
E-voting test labs get initial nod
January 19, 2007 11:25 AM PST
Two Colorado-based laboratories this week became the first companies to receive the initial go-ahead in their quest for federal approval to test electronic voting machines used by American voters.
In a letter (PDF) on Thursday, the National Institute of Standards and Technology (NIST) recommended that iBeta Quality Assurance of Aurora, Colo. and SysTest Labs of Denver be granted final clearance to test the systems.
... The federal law leaves it up to states whether to pay attention to the EAC accreditations, but many are expected to require that their equipment be tested by those companies. Before HAVA, test labs were certified by the National Association of State Election Directors, and 39 states required their machines to have undergone testing by labs accredited by that group.
You do not need to be a lawyer to participate! (...or for any other reason I can think of...)
January 19, 2007
Free Acrobat for Legal Professionals eSeminar on 1/25
Covers PDF creation, security, Bates numbering, redaction, eFiling and more. Sign Up Here.
...from the Forrest Gump (Stupid is as stupid does) school of burglary. Perhaps we could add GPS devices to all those laptops that get stolen?
GPS devices lead to suspects' home
1 hour, 20 minutes ago
Three thieves who allegedly stole 14 global positioning system devices didn't get away with their crime for long. The devices led police right to their home.
Town officials said the thieves didn't even know what they had: they thought the GPS devices were cell phones, which they planned to sell.
According to Suffolk County police, the GPS devices were stolen Monday night from the Town of Babylon Public Works garage in Lindenhurst. The town immediately tapped its GPS system, and it showed that one of the devices was inside a house. Police said that when they arrived there, Kurt Husfeldt, 46, had the device in his hands.
Husfeldt was charged with criminal possession of stolen property. His 13-year-old son also was arrested on grand larceny charges.
Town officials said the boy committed the burglary with Steven Mangiapanella, 20, also of Lindenhurst. He was charged with grand larceny.
Babylon installed 300 GPS devices in snow plows, dump trucks, street sweepers and other vehicles last January.