Is ID theft so common that it is ignored?
They’re guilty of ID theft, but don’t ask the government how/where they got the personal info?
December 26, 2012 by admin
Here’s another case where it’s clear there’s been some compromise of PII, but we have no idea how from what law enforcement tells us:
According to documents filed in court, Miami-Dade Police Department (MDPD) officers executed a search warrant at [Travonn Xavier Russell's] residence on January 18, 2012. During the search, MDPD officers found the following inside the residence: distribution quantities of different types of narcotics (cocaine, MDMA, and marijuana); paraphernalia associated with narcotics distribution; two firearms; approximately 129 debit cards in various names; tax return documents in names other than the defendant’s; and multiple notebooks with personal identifying information (names, dates of birth, and social security numbers) of 442 individuals.
The criminal complaint also indicated that they found “various employment applications with personal identifying information along with photocopies of driver’s licenses belonging to individuals other than Russell” and “additional photocopies of social security cards and driver’s licenses in names other than Russell.”
With respect to the notebooks, the complaint states:
Notebooks with hundreds of hand-written entries with names, social security numbers, dates of birth, addresses, occupations, e-mail addresses with password, date accepted, date filed and dollar amount – none of which were in the name of RUSSELL (numerous entries of personal identifying information in the notebooks match the names embossed on the debit cards).
So where did he get the identity info? They don’t say. In fact, nowhere in the court records that I read does it mention the source of the identity information. You’d think law enforcement might ask or make a point of finding out, right? Apparently not.
I had an interesting conversation recently with someone knowledgeable about USAO press releases. He informed me that there were actually very strict laws about what they are allowed to include in press releases and that the releases cannot go beyond the public record. That makes sense, I suppose, but it is still frustrating because I think it should be in the court documents.
I wish prosecutors would make it part of any plea deal that the defendant has to explain how/where they got the identity information.
But that’s in the World According to Dissent. Most law enforcement officials don’t inhabit that world.
(Related)
Certainly the bad guys can get stolen IDs cheap.
Exploring the Market for Stolen Passwords
If you haven’t been keeping up with what’s going on in the online criminal market for your credentials and information, you really need to read a new column by Brian Krebs. As Brian reports, the days of compromised PCs just being used for spam runs or denial of service attacks are in the past. Now the information on your PC – including your email, banking, and store login credentials – is being harvested and monetized:
Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.
Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of “logs,” records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on Underweb forums selling bulk access to their botnet logs; for example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150.
For those of us who think mandatory breach disclosure is a good thing, I give you a “for instance.”
December 26, 2012
NextGov - New mandate would require military contractors to report cyber breaches
Aliya Sternstein reporting in NextGov: "The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence. What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing."
Why butt your head against even moderately good security when you can easily find data that has no security at all?
By Dissent, December 26, 2012 4:25 pm
This will come as absolutely no surprise to regular readers of this blog, but The Washington Post has published the results of an investigation into security in the healthcare sector, and the results are… well, what I’d expect. The article is instructive for the range of problems it covers and some real-world examples.
Many of the potential risks are obvious – like employees losing laptops or mobile devices or having them stolen with unencrypted information on them. Others may not be so obvious to hospitals and practitioners, like this example:
Another researcher, Tim Elrod, a consultant at FishNet Security, found vulnerabilities in a system that enables care providers using a Web browser to automatically dispense drugs from a secure cabinet produced by Omnicell.
Working with Stefan Morris, Elrod discovered that unauthorized users could sidestep the login and password page and gain control of a cabinet at a hospital run by Integris Health, the largest health organization in Oklahoma. They used a well-known hacking technique called a “forced browsing” attack.
“At that point, we had full administrative control,” Elrod said. “We could do anything.”
After being contacted by The Post, Peter Fisher, vice president of engineering at Omnicell, said he “is launching an immediate investigation into this reported vulnerability.” The same day, the company issued a software fix to customers around the globe.
The article is not doing much for Omnicell’s public relations, as this is the second time this month that their name has been associated with security problems. In the first case, a laptop stolen from their employee’s car contained information on 4,000 patients in Michigan.
But Omnicell is just one of many firms whose software may contain vulnerabilities or flaws that well-meaning health care systems may not detect in time to protect patient data.
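The Post article names the weakness class (forced browsing) but not how the Omnicell product was built, so the following is an added illustration of the general pattern, not code from the article, from Omnicell, or from the FishNet researchers. It contrasts a web application that attaches its authentication check to individual pages (and forgets one that is only reachable by typing its URL) with one that denies every route by default and records refused requests for monitoring. All route names, roles and handlers are hypothetical.

```python
"""Forced browsing: when access control is attached to the pages a user is
expected to click through, rather than to every protected resource, a client
that requests a deeper URL directly is never challenged.

Constructed example with hypothetical routes; not any vendor's software."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # set when a valid session cookie is present


@dataclass
class Response:
    status: int
    body: str = ""


# Hypothetical handlers for a browser-driven dispensing cabinet.
def login_page(req: Request) -> Response:
    return Response(200, "login form")


def dispense(req: Request) -> Response:
    return Response(200, f"dispensed for {req.session_user}")


def admin_panel(req: Request) -> Response:
    return Response(200, "cabinet configuration")


ROUTES = {
    "/login": login_page,
    "/cabinet/dispense": dispense,
    "/cabinet/admin": admin_panel,
}


class VulnerableApp:
    """Allow-by-default: only the page linked from the login flow is checked.
    /cabinet/admin is not linked anywhere, so nobody added a check for it,
    and an anonymous client requesting it directly reaches the handler."""

    PROTECTED = {"/cabinet/dispense"}

    def handle(self, req: Request) -> Response:
        handler = ROUTES.get(req.path)
        if handler is None:
            return Response(404, "not found")
        if req.path in self.PROTECTED and req.session_user is None:
            return Response(302, "redirect to /login")
        return handler(req)


class HardenedApp:
    """Deny-by-default: every route needs an authenticated session unless it is
    explicitly public, privileged routes additionally need an authorized role,
    and every refusal is recorded so repeated direct hits on admin URLs can be
    alerted on."""

    PUBLIC_PATHS = {"/login"}
    ADMIN_PATHS = {"/cabinet/admin"}

    def __init__(self, admins):
        self.admins = set(admins)
        self.audit = []  # (reason, path[, user]) tuples for the security log

    def handle(self, req: Request) -> Response:
        handler = ROUTES.get(req.path)
        if handler is None:
            return Response(404, "not found")
        if req.path not in self.PUBLIC_PATHS and req.session_user is None:
            self.audit.append(("unauthenticated", req.path))
            return Response(302, "redirect to /login")
        if req.path in self.ADMIN_PATHS and req.session_user not in self.admins:
            self.audit.append(("forbidden", req.path, req.session_user))
            return Response(403, "forbidden")
        return handler(req)


def status_for(app, path: str, user: Optional[str] = None) -> int:
    """Status code the app returns for one constructed request."""
    return app.handle(Request(path, user)).status


if __name__ == "__main__":
    vulnerable = VulnerableApp()
    hardened = HardenedApp(admins=["pharmacist"])
    # Anonymous request for the unlinked admin page: 200 vs 302.
    print("vulnerable /cabinet/admin:", status_for(vulnerable, "/cabinet/admin"))
    print("hardened   /cabinet/admin:", status_for(hardened, "/cabinet/admin"))
    # Authenticated but unprivileged user is still refused by the hardened app.
    print("hardened   nurse:", status_for(hardened, "/cabinet/admin", "nurse"))
    print("hardened   pharmacist:", status_for(hardened, "/cabinet/admin", "pharmacist"))
    print("audit log:", hardened.audit)
```

The design point is where the check lives: in the hardened version it runs once, before dispatch, for every path, so a page that was never linked from the UI is still covered. The audit list stands in for whatever log sink the real system uses; a burst of "unauthenticated" entries for admin paths is exactly the signal a hospital's monitoring should pick up.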
Might be worth reading...
This is Your Wakeup Call on Employee Privacy
With social networking and other electronic communications making employees' actions and attitudes more visible than ever to employers, it's clear that a big change in the relationship between work and private life is well underway. Yet little research has been undertaken to understand organizations' use of that information, or how the potential for increased monitoring and surveillance is perceived by workers. My colleagues Dr Brian Cooper from Monash University and Dr Rob Hecker from the University of Tasmania and I have just conducted a survey to understand workers' awareness of employer policies and the current state of what they consider to be fair and reasonable. We polled a random sample of 500 working people in our own country, Australia.
And here I thought that with the anal probing et al they would already know who you are. Maybe that waits until the second date...
"Noted in an AP story about how fees make it difficult to compare air travel costs, is how the airline industry is moving toward tailoring offer packages (and presumably, fares) for individuals based on their personal information. Worse, 'The airline association said consumers who choose not to supply personal information would still be able to see fares and purchase tickets, though consumer advocates said those fares would probably be at the "rack rate" — the travel industry's term for full price, before any discounts.'"
They could have included information like: “No guns here”, “Works 9-5”, “Out of town this week”, “Collects Krugerrands”
Should registered gun owners be named and mapped?
Julie Moos reports:
So how did folks express their displeasure? They doxed the reporter, the editor, and the publisher.
Read more on Poynter.org about the controversy, keeping in mind that this is not the first time this paper – or other papers – have done something like this.