Thursday, December 27, 2012

Is ID theft so common that it is ignored?
They’re guilty of ID theft, but don’t ask the government how/where they got the personal info?
December 26, 2012 by admin
Here’s another case where it’s clear there’s been some compromise of PII, but we have no idea how from what law enforcement tells us:
According to documents filed in court, Miami-Dade Police Department (MDPD) officers executed a search warrant at [Travonn Xavier Russell's] residence on January 18, 2012. During the search, MDPD officers found the following inside the residence: distribution quantities of different types of narcotics (cocaine, MDMA, and marijuana); paraphernalia associated with narcotics distribution; two firearms; approximately 129 debit cards in various names; tax return documents in names other than the defendant’s; and multiple notebooks with personal identifying information (names, dates of birth, and social security numbers) of 442 individuals.
The criminal complaint also indicated that they found “various employment applications with personal identifying information along with photocopies of driver’s licenses belonging to individuals other than Russell” and “additional photocopies of social security cards and driver’s licenses in names other than Russell.”
With respect to the notebooks, the complaint states:
Notebooks with hundreds of hand-written entries with names, social security numbers, dates of birth, addresses, occupations, e-mail addresses with password, date accepted, date filed and dollar amount – none of which were in the name of RUSSELL (numerous entries of personal identifying information in the notebooks match the names embossed on the debit cards).
So where did he get the identity info? They don’t say. In fact, nowhere in the court records that I read does it mention the source of the identity information. You’d think law enforcement might ask or make a point of finding out, right? Apparently not.
I had an interesting conversation recently with someone knowledgeable about USAO press releases. He informed me that there were actually very strict laws about what they are allowed to include in press releases and that the releases cannot go beyond the public record. That makes sense, I suppose, but it is still frustrating because I think it should be in the court documents.
I wish prosecutors would make it part of any plea deal that the defendant has to explain how/where they got the identity information.
But that’s in the World According to Dissent. Most law enforcement officials don’t inhabit that world.

(Related) Certainly the bad guys can get stolen IDs cheap.
Exploring the Market for Stolen Passwords
December 26, 2012 by Dissent
If you haven’t been keeping up with what’s going on in the online criminal market for your credentials and information, you really need to read a new column by Brian Krebs. As Brian reports, the days of compromised PCs just being used for spam runs or denial of service attacks are in the past. Now the information on your PC – including your email, banking, and store login credentials – is being harvested and monetized:
Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.
Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of “logs,” records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on Underweb forums selling bulk access to their botnet logs; for example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150.
Read more on KrebsonSecurity.com.


For those of us who think mandatory breach disclosure is a good thing, I give you a “for instance.”
December 26, 2012
NextGov - New mandate would require military contractors to report cyber breaches
Aliya Sternstein reporting in NextGov: "The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence. What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing."


Why butt your head against even moderately good security when you can easily find data that has no security at all?
By Dissent, December 26, 2012 4:25 pm
This will come as absolutely no surprise to regular readers of this blog, but The Washington Post has published the results of an investigation into security in the healthcare sector, and the results are… well, what I’d expect. The article is instructive for the range of problems it covers and some real-world examples.
Many of the potential risks are obvious – like employees losing laptops or mobile devices or having them stolen with unencrypted information on them. Others may not be so obvious to hospitals and practitioners, like this example:
Another researcher, Tim Elrod, a consultant at FishNet Security, found vulnerabilities in a system that enables care providers using a Web browser to automatically dispense drugs from a secure cabinet produced by Omnicell.
Working with Stefan Morris, Elrod discovered that unauthorized users could sidestep the login and password page and gain control of a cabinet at a hospital run by Integris Health, the largest health organization in Oklahoma. They used a well-known hacking technique called a “forced browsing” attack.
“At that point, we had full administrative control,” Elrod said. “We could do anything.”
After being contacted by The Post, Peter Fisher, vice president of engineering at Omnicell, said he “is launching an immediate investigation into this reported vulnerability.” The same day, the company issued a software fix to customers around the globe.
The article is not doing much for Omnicell’s public relations, as this is the second time this month that their name has been associated with security problems. In the first case, a laptop stolen from their employee’s car contained information on 4,000 patients in Michigan.
But Omnicell is just one of many firms whose software may contain vulnerabilities or flaws that well-meaning health care systems may not detect in time to protect patient data.
Overall, I really recommend everyone read the Washington Post piece.
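The “forced browsing” attack quoted above is, at bottom, a missing authorization check: a privileged page assumes the visitor came through the login form instead of verifying a session itself. The following is an added example (not code from the Post article, Omnicell, or this blog) that shows the pattern in a toy in-memory router: a vulnerable dispatcher beside its hardened form, plus a small detector that flags privileged-page hits with no authenticated session in constructed access-log lines. The paths, roles and log format are all assumptions for illustration.

```python
"""Forced browsing as a missing authorization check, with a log-based detector.

Added example with assumed paths, roles and log format; nothing here is
from the Omnicell product or the Post's reporting.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed set of privileged paths in the toy application.
ADMIN_PATHS = {"/admin/dispense", "/admin/users"}


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None   # None means no authenticated session
    role: str = "none"                   # assumed role attached to the session


def vulnerable_dispatch(req: Request) -> Tuple[int, str]:
    """Vulnerable form: only the login page is protected by the login flow.

    Privileged pages trust that a client arrived via /login, so a request
    that names the admin URL directly is served without any check.
    """
    if req.path == "/login":
        return 200, "login form"
    if req.path in ADMIN_PATHS:
        return 200, "admin console"
    return 404, "not found"


def hardened_dispatch(req: Request) -> Tuple[int, str]:
    """Hardened form: every privileged path verifies authentication and
    authorization itself, regardless of how the client reached it."""
    if req.path == "/login":
        return 200, "login form"
    if req.path in ADMIN_PATHS:
        if req.session_user is None:
            return 302, "/login"          # no session: send to login
        if req.role != "admin":
            return 403, "forbidden"       # session but wrong role
        return 200, "admin console"
    return 404, "not found"


# Constructed access-log sample: "client_ip path status session_id",
# where "-" means the request carried no session cookie.
SAMPLE_LOG = """\
10.0.0.5 /login 200 -
10.0.0.5 /admin/dispense 200 s9f2
10.0.0.9 /admin/dispense 200 -
10.0.0.9 /admin/users 200 -
10.0.0.7 /admin/users 302 -
"""


def find_forced_browsing(log_text: str) -> List[Tuple[str, str]]:
    """Flag privileged pages served successfully (200) to a client with no
    session: the signature a forced-browsing hit leaves in the access log."""
    hits = []
    for line in log_text.splitlines():
        ip, path, status, session = line.split()
        if path in ADMIN_PATHS and status == "200" and session == "-":
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    direct = Request("/admin/dispense")
    print("vulnerable:", vulnerable_dispatch(direct))   # served without login
    print("hardened:  ", hardened_dispatch(direct))     # redirected to /login
    print("log hits:  ", find_forced_browsing(SAMPLE_LOG))
```

The detector is deliberately narrow: a 200 on a privileged path with no session token is exactly the condition the hardened dispatcher makes impossible, so any such line in production logs points either at the vulnerable pattern or at a gap in session logging.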


Might be worth reading...
This is Your Wakeup Call on Employee Privacy
With social networking and other electronic communications making employees' actions and attitudes more visible than ever to employers, it's clear that a big change in the relationship between work and private life is well underway. Yet little research has been undertaken to understand organizations' use of that information, or how the potential for increased monitoring and surveillance is perceived by workers. My colleagues Dr Brian Cooper from Monash University and Dr Rob Hecker from the University of Tasmania and I have just conducted a survey to understand workers' awareness of employer policies and the current state of what they consider to be fair and reasonable. We polled a random sample of 500 working people in our own country, Australia.


And here I thought that with the anal probing et al they would already know who you are. Maybe that waits until the second date...
"Noted in an AP story about how fees make it difficult to compare air travel costs, is how the airline industry is moving toward tailoring offer packages (and presumably, fares) for individuals based on their personal information. Worse, 'The airline association said consumers who choose not to supply personal information would still be able to see fares and purchase tickets, though consumer advocates said those fares would probably be at the "rack rate" — the travel industry's term for full price, before any discounts.'"


They could have included information like: “No guns here” “Works 9-5” “Out of town this week” “Collects Krugerrands”
Should registered gun owners be named and mapped?
December 26, 2012 by Dissent
Julie Moos reports:
The Journal News honored victims of the Newtown, Conn., shooting on its front page Christmas Day with memorial candles that named the 26 students and staff killed at Sandy Hook Elementary. The paper chose a less lyrical approach last weekend, when — in response to the shooting – it published maps with the names and home addresses of people who had been issued pistol permits in Westchester County, where the Gannett paper is based, and nearby Rockland County.
So how did folks express their displeasure? They doxed the reporter, the editor, and the publisher.
Read more on Poynter.org about the controversy, keeping in mind that this is not the first time this paper – or other papers have done something like this.
