Wednesday, July 09, 2008

Close to home... and some fairly basic security failures

http://www.denverpost.com/news/ci_9822063

DMV puts Coloradans at risk of ID theft

By Jessica Fender, The Denver Post. Article last updated: 07/09/2008 06:10:43 AM MDT

The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure, auditors found.

... Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.

... Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned," partly because the division is made up of a number of decentralized offices scattered across the state. No one person is responsible for security.



This is as small an ID Theft as you can get (one person), but I wonder how often this trick is tried and how often it succeeds. It is Social Engineering at its worst – yet it still worked! Do you think this could happen thousands of times every day?

http://blog.karppinen.fi/2008/07/apple-just-gave-out-my-apple-i.html

Apple just gave out my Apple ID password because someone asked

By Marko Karppinen on July 8, 2008

... Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com



Should make an interesting CASE for my security class. What would you do, if...?

http://www.phiprivacy.net/?p=524

Jul-9-2008

KS: Medical Group Investigates Allegations of Stolen Records

Denise Hnytka reports:

The Wichita Radiological Group received an anonymous call saying their patient records may have been stolen. On Monday, the executive director reported the information to Wichita police.

According to the police report, the caller claims a former employee stole patient records before being fired from the Wichita Radiological Group. The caller said the former employee is now using patients’ personal and financial information to pay bills.

The radiological group is not sure how much information, if any, was stolen. So far, they have not found any evidence of the theft. But tens of thousands of patient records that were in the database could have been compromised.

Read more on KansasCW.com

[From the article:

An attorney for the Wichita Radiological Group tells Eyewitness News they have launched an internal investigation. The group changed internal passwords to make sure no more records are accessed.

Wichita police say they need identity theft victims from the case to come forward before they can proceed in their investigation.



Not sure from the article how this was discovered, but it wasn't by the investment firm.

http://www.pogowasright.org/article.php?story=20080709060744305

Justice Breyer Is Among Victims in Data Breach Caused by File Sharing

Wednesday, July 09 2008 @ 06:07 AM EDT Contributed by: PrivacyNews

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.

The breach was not discovered for nearly six months. A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.

Source - Washington Post

[From the article:

What users may not be aware of is that the software that facilitates file sharing may be configured to allow access to a portion, if not all, of a user's documents.

... they're not paying attention to the default settings that come with the application," Cabri said.



Interesting that the videos are only now being released. Perhaps it takes this long to sort through all the videos and identify people in the right place and time? (Do these guys look like “Master Hackers” to you?)

http://www.pogowasright.org/article.php?story=20080708170717794

2 sought in debit card skimming thefts

Tuesday, July 08 2008 @ 05:07 PM EDT Contributed by: PrivacyNews

Authorities have released video surveillance photos of the suspects believed to have stolen motorists' debit card information at convenience-store gas pumps in Pennsylvania and Delaware.... Trooper Christopher Shoap, of the Pennsylvania State Police, said these skimmers have turned up inside gas pumps in Concord Township, Downingtown, Bristol Township and Uwchlan Township in Pennsylvania, and in New Castle, Del.

Shoap said the skimmers have primarily been used at Wawa Food Market locations in New Castle County, Delaware, and in Delaware, Chester, Montgomery and Bucks counties in Pennsylvania.

Source - DelawareOnline

[From the article:

The investigation into this debit card fraud dates back to April, when it was discovered that thieves were rigging gas pumps with skimming devices to capture the customers’ debit card information and empty their bank accounts.

The skimming devices are being used on local gas station fuel pumps' credit card readers and are not easily detected.

... The suspects were believed to have placed a device inside the pump, where it would not be visible to customers, and later retrieved it, Shoap said.

With the stolen debit card information, these thieves have then made fraudulent withdrawals from ATM machines at Wawa and 7-Eleven convenience store locations throughout the area and even at casinos in Atlantic City.



So small as to be trivial, but the article includes an interesting proposal for compensating Class Action Lawyers... The coupon idea is similar to the “penalty” TJX paid.

http://www.pogowasright.org/article.php?story=2008070817083973

Stein Mart Settles Personal Data Breach By Offering... Coupons

Tuesday, July 08 2008 @ 05:08 PM EDT Contributed by: PrivacyNews

Stein Mart was caught "printing expiration dates and/or more than the last five digits of credit cards on receipts," and was subsequently hit with a class action lawsuit for exposing sensitive customer data. Now they've settled by agreeing to run coupons in local newspapers.

Source - The Consumerist

[From the article:

We need a new federal law that says class action lawyers have to be compensated in the same manner as their clients. Give those hard working guys and gals some $30-off coupons, please!



Anything that reduces phishing is good.

http://news.cnet.com/8301-10784_3-9985605-7.html

July 8, 2008 11:03 AM PDT

Gmail now blocking fake eBay, PayPal e-mails

Posted by Elinor Mills

... The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.
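The DomainKeys idea described above, as an added example that is not part of the original post or of Google's implementation: in Go, the sending domain publishes an RSA public key under a selector (a map stands in for the DNS TXT record), signs a canonicalized From/Subject/body, and the receiving provider verifies the signature against whatever key is published under the domain the From header claims, so a message that names a domain without being signed by that domain's key is rejected. The map, the simplified canonicalization and the function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Stand-in for DNS: "<selector>._domainkey.<domain>" -> public key (assumption: a map, not a TXT lookup).
var dnsTXT = map[string]*rsa.PublicKey{}
// Publish generates the domain's signing key and publishes its public half, as a domain owner does in DNS.
func Publish(domain, selector string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil {
		dnsTXT[selector+"._domainkey."+strings.ToLower(domain)] = &priv.PublicKey
	}
	return priv, err
}
// canonicalize builds the signed bytes (constructed simplification of the real canonicalization:
// lower-cased header names, trimmed values, trailing body whitespace dropped).
func canonicalize(from, subject, body string) []byte {
	return []byte("from:" + strings.TrimSpace(from) + "\nsubject:" +
		strings.TrimSpace(subject) + "\n\n" + strings.TrimRight(body, " \t\r\n"))
}
// Sign is the sender's side: RSA-sign the SHA-256 hash of the canonicalized message.
func Sign(priv *rsa.PrivateKey, from, subject, body string) ([]byte, error) {
	h := sha256.Sum256(canonicalize(from, subject, body))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}
// Verify is the receiver's side: fetch the key published under the domain the From header
// *claims* and check the signature, so mail naming paypal.example but not signed with its key fails.
func Verify(selector, from, subject, body string, sig []byte) bool {
	_, dom, _ := strings.Cut(strings.TrimSpace(from), "@")
	pub, ok := dnsTXT[selector+"._domainkey."+strings.ToLower(dom)]
	if !ok {
		return false // no published key: the domain claim cannot be validated
	}
	h := sha256.Sum256(canonicalize(from, subject, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, _ := Publish("paypal.example", "s1")
	sig, _ := Sign(priv, "service@paypal.example", "Your account", "Hello\r\n")
	fmt.Println(Verify("s1", "service@paypal.example", "Your account", "Hello", sig)) // true
}
```

A receiving provider that rejects or flags every message for which Verify returns false is doing, in miniature, what the article describes Gmail doing for eBay and PayPal mail.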



Note that there is no requirement to prevent Identity Theft – these rules deal with records of transactions the thief made with your credit card...

http://www.bespacific.com/mt/archives/018748.html

July 08, 2008

‘Red Flag’ Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs

Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.

The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."



Tools & Techniques: Stephen Rynerson submitted this one. It's so scary that I'm planning to move to Australia (by boat).

http://www.washingtontimes.com/weblogs/aviation-security/2008/Jul/01/want-some-torture-with-your-peanuts/

Want some torture with your peanuts?

Aviation Security

POSTED 2:18 PM BY P. JEFFREY BLACK & JEFFREY DENNING

By Jeffrey Denning

Just when you thought you’ve heard it all...

A senior government official with the U.S. Department of Homeland Security (DHS) has expressed great interest in a so-called safety bracelet that would serve as a stun device, similar to that of a police Taser®. According to this promotional video found at the Lamperd Less Lethal website, the bracelet would be worn by all airline passengers.

This bracelet would:

• take the place of an airline boarding pass

• contain personal information about the traveler

• be able to monitor the whereabouts of each passenger and his/her luggage [Does the luggage get its own bracelet, or is it attached to the passenger? Bob]

• shock the wearer on command, completely immobilizing him/her for several minutes [What a fun hack! Think of it: “Welcome aboard, Congressman!” ZAP “Welcome aboard, Senator!” ZAP Bob]

[I still like my idea – make everyone fly nude. Bob]



Detailing the government's efforts to “help you”?

http://www.pogowasright.org/article.php?story=2008070813042020

Tax-related identity theft rose 644%, IRS official says

Tuesday, July 08 2008 @ 01:04 PM EDT Contributed by: PrivacyNews

Tax-related identity theft grew more than seven times over a four-year period ending Sept. 30, according to a new report that said efforts by the Internal Revenue Service to deal with the problem are further hurting victims.

Source - New York Daily News

[The report: Fiscal Year 2009 Objectives Report

Fiscal Year 2009 Objectives Report Supplement



No surprise. This is hard to do!

http://www.bespacific.com/mt/archives/018746.html

July 08, 2008

New GAO Report Reveals Agencies are Not Complying with Requirements to Preserve E-mails

Committee on Oversight: "Rep. Henry A. Waxman, Rep. Wm. Lacy Clay, and Rep. Paul W. Hodes released a new GAO report that finds that senior federal officials are failing to comply with requirements to preserve e-mail records. On Wednesday, the House is expected to consider legislation (H.R. 5811) to modernize the Federal Records Act and the Presidential Records Act to ensure the preservation of these important federal records.

The new GAO report, Federal Records: National Archives and Selected Agencies Need to Strengthen E-Mail Management, finds:

  • All four of the agencies examined — the Department of Homeland Security, the Department of Housing and Urban Development, the Environmental Protection Agency, and the Federal Trade Commission — are relying on outdated and unreliable “print and file” systems for preserving e-mail records.

  • Senior agency officials did not fully comply with key requirements for preserving e-mail records. GAO reviewed the practices of 15 senior agency officials in the four agencies and found that a majority of these officials failed to manage their e-mail records in accordance with regulatory requirements. E-mails were not retained in adequate recordkeeping systems, making the e-mail records easier to lose, harder to find, and vulnerable to deletion or other tampering. Inadequate oversight and training within agencies contributed to the inconsistent compliance with preservation requirements..."
