Nell, I’m sorry the system let you down and I understand your frustration. I am days away from my hearing and representing myself since I couldn’t find an attorney with the time and motivation to help me – even though I was fully willing to pay.
I tried posting on your 101 page, but kept getting booted – but here’s my input:
To your comments above, I would add – talk with every finance and CPA friend you have and understand how the work you do fits into the finance side using ‘finance speak’. Research auditing standards and COSO guidelines, and get internal SOX flowcharts. Be able to map how the IT issue would hit the financial statements – whether that’s through reporting errors internally or an external threat.
Find out what kind of IT insurance products your company carries. Many policies have line item descriptions of what they do and don’t cover, and the newer the IT issue, the more likely it’s a separate product or a policy exclusion. (i.e. Data privacy can be an ‘add-on’.) Does the company represent in its financials that it’s adequately insured? Could the company argue successfully that it’s an insured risk, so complaints aren’t ‘reasonable’? If you can go so far as to get the annual applications where the company represents its forms of security – are they accurate?
I don’t know if this will help anyone, but the possibility is a good stress reliever for me right now.
Archive for June, 2008
Nathan McFeters reports on yet another laptop with sensitive data on it stolen – and this one is REALLY SCARY………..
LAST UPDATED: June 18, 2008.
Questions & Answers regarding a stolen laptop which contained restricted information about Stanford employees.
- What happened? A laptop was stolen that contained records of approximately 62,000 current and former employees.* On June 5 we learned that it contained restricted information. Immediately upon learning of this situation, Stanford mobilized to identify contact information for the affected individuals and sent e-mail notification to current employees, including faculty and staff. We are mailing notification letters to the rest of the affected individuals.
* Original estimates placed the number of affected individuals as high as 72,000. …
What data was on the laptop?
- Name, gender, date of birth
- Social Security number
- Salary, business title, office location, office phone number, and e-mail address while employed by Stanford
- Home address and phone number while employed by Stanford
- Stanford ID card number and Stanford employee number
There are no driver’s license numbers, credit card numbers, bank account numbers or other financial information in this file.
Well – thank god there were at least a few things that WEREN’T ON IT………..
A Sad and Cautionary Tale………….
Here is an article that reflects the unexpected results of a laptop not being appropriately protected against malware. This poor guy really got screwed………….
When the Commonwealth of Massachusetts issued Michael Fiola a Dell Latitude in November 2006, it set off a chain of events that would cost him his job, his friends and about a year of his life, as he fought criminal charges that he had downloaded child pornography onto the laptop. Last week, prosecutors dropped their year-old case after a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files.
An initial state investigation had come to the opposite conclusion, and authorities took a second look at Fiola’s case only after he hired a forensic investigator to look at his laptop. What she found was scary, given the gravity of the charges against him: The Microsoft SMS (Systems Management Server) software used to keep his laptop up to date was not functional. Neither was its antivirus protection. And the laptop was crawling with malicious programs that were most likely responsible for the files on his PC.
Fiola had been an investigator with the state’s Department of Industrial Accidents, examining businesses to see whether they had worker’s compensation plans. Over the past two days, however, he’s become a spokesman for people who have had their lives ruined by malicious software. He now works as an insurance salesman in North Scituate, Rhode Island.
http://www.pcworld.com/businesscenter/article/147213/article.html?tk=nl_baxnws
Lifelock – a Victim????
Bruce Schneier published an interesting opinion in Wired Magazine last week – one that gave me pause for thought:
In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta, credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up — LifeLock, Debix, LoudSiren, TrustedID — that automatically renew these alerts and effectively make them permanent.
This service pisses off the credit bureaus and their financial customers. The reason lenders don’t routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy — it’s the American way.) So in the eyes of credit bureaus, LifeLock’s customers are inferior goods; selling their data isn’t as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.
And, so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn’t do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn’t even protect Todd Davis, and that his identity was allegedly stolen.
It wasn’t. Someone in Texas used Davis’s SSN to get a $500 advance against his paycheck. It worked because the loan operation didn’t check with any of the credit bureaus before approving the loan — perfectly reasonable for an amount this small. The payday-loan operation called Davis to collect, and LifeLock cleared up the problem. His credit report remains spotless.
The Experian credit bureau’s lawsuit basically claims that fraud alerts are only for people who have been victims of identity theft. This seems spurious; the text of the law states that anyone “who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime” can request a fraud alert. It seems to me that includes anybody who has ever received one of those notices about their financial details being lost or stolen, which is everybody.
As to deceptive business practices and fraudulent advertising — those just seem like class action lawyers piling on. LifeLock’s aggressive fear-based marketing doesn’t seem any worse than a lot of other similar advertising campaigns. My guess is that the class action lawsuits won’t go anywhere.
My take on all this is that it’s just a matter of who is “less bad” as far as the fear-based marketing goes. Interesting point about the NY Times article being just the talking points for the credit bureaus. I do agree with the following statement:
In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn’t work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry’s lobbyists would never allow that.
However, the class action lawsuits mentioned above will do one thing: put a substantial amount of cash in some trial lawyers’ pockets, if they win, and do little for the consumer.
http://www.wired.com/politics/security/commentary/securitymatters/2008/06/securitymatters_0612
Wired magazine broke the story yesterday about yet another hack at a financial institution that leaves acres of room for speculation as to what actually happened. Good old Citibank had their ATM network compromised, but few details as to how, when, how much was lost, etc. Don’t these bankers understand that all the information is usually public record anyway and it’s best just to come clean?
Citibank denied to Wired.com’s Threat Level that its systems were hacked. But the bank’s representatives warned the FBI on February 1 that “a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached,” according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray.
Federal prosecutors in New York have charged 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, with access device fraud for allegedly using the stolen information to go on a cash-withdrawal spree. Ryabinin, who is allegedly an active member of underground credit card fraud forums, is not charged with the intrusion itself. He and a co-defendant “received over the internet information related to Citibank customers, which information had previously been stolen from Citibank,” according to an indictment (.pdf) in the case.
Also charged is 30-year-old Ivan Biltse, who allegedly made some of the withdrawals, and Angelina Kitaeva. Ryabinin’s wife is charged with obstruction of justice in the investigation.
In addition to looting Citibank accounts, Ryabinin is accused of participating in a global cyber crime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines “around the world,” according to Murray’s affidavit, resulting in a staggering $5 million in losses.
Ryabinin was allegedly responsible for more than $100,000 of the stolen iWire cash, which he pulled from Brooklyn ATMs. St. Louis-based First Bank, which issued the cards, declined to comment on the matter, citing the ongoing prosecution.
At the time of the ATM capers, FBI and U.S. Secret Service agents had already been investigating Ryabinin for his alleged activities on eastern European carder forums.
Ryabinin allegedly used the same ICQ chat account to conduct criminal business, and to participate in amateur radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by ATM cameras in the New York Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.
When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.
Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.
The entire story can be read at http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html
Kelly Jackson Higgins has an interesting article that appeared in Dark Reading yesterday concerning the new types of data that are being traded now. Credit cards and SS#s are apparently old hat – now cybercriminals are finding new and improved ways of misusing other types of data:
Researchers at Finjan recently discovered 500 megabytes’ worth of a different kind of booty sitting on servers located in Argentina and Malaysia: Citrix single sign-on credentials for accessing patient and financial data at a major U.S. hospital and major healthcare organization; and similar credentials for accessing a large U.S. airline carrier’s passenger and cargo lists, flight schedules, security measures, and financial data.
Finjan’s research illustrates that the bad guys are looking for different and more lucrative data that they can steal and then sell online to the highest bidder, says Yuval Ben-Itzhak, CTO of Finjan.
“It’s supply and demand. The fact is these people are now going after data that’s different from [the standard] credit card and SSN,” Ben-Itzhak says. “A year ago, a [stolen] credit card was $100. Now you can get one for $10-$20 a card.”
But that doesn’t mean cybercriminals still aren’t pilfering credit card data, other security experts argue. “I don’t think there is a shift in cybercriminals stealing data other than credit card numbers. The stolen data from popular and mainstream Trojans is mainly grabbed via keylogging — everything is captured, [and] then the wheat is separated from the chaff,” says Guillaume Lovet, senior manager for Fortinet’s Threat Response Team.
Lovet says the cybercriminals behind the servers Finjan found may not have even been after the login credentials, nor is it clear that the credentials are especially valuable. “The bottom line is that cybercriminals tend to capture all the data residing or transiting through compromised computers, [and] then sell everything there is a buyer for,” he says.
“Are there a lot of buyers for internal login credentials? [It] depends,” Lovet says. “I may be wrong, but building a business based on buying/selling prescription drugs via ‘medical records’ hacking seems complicated, risky, and not significantly more profitable than messing with, say, eBay or Paypal accounts.”
Cybercriminals’ quest for more lucrative data to steal and sell is no surprise, experts say. “The scope of the credit card problem garners attention, but hackers have long been after any data of value,” says Randy Abrams, director of technical education for Eset.
Finjan also found stolen Social Security numbers and a health care organization employee’s Outlook email account credentials.
Meanwhile, Ben-Itzhak says he’s not sure exactly how the victims initially got infected, but it could have been via spam or visiting an infected Website. “We are aware of several Websites infected with this malicious code,” Ben-Itzhak says. It probably began with a doctor or other employee visiting such a site and his machine getting infected with the keylogger and other malware, he says.
The servers use the so-called ZeUs Trojan, which does keylogging, takes screen shots of the victim’s machine, and can poison legitimate Websites, according to Finjan’s report on its findings.
So – it pays to remain vigilant.
http://www.darkreading.com/document.asp?doc_id=156892&WT.svl=news1_1
FAA whistleblowers – UNREAL
I just can’t believe the lengths FAA managers in Dallas went to in their torture of whistleblowers. What were they thinking? And what has been done to them since? There seems to be a culture there that really needs some shaking up.
Anne Whiteman, a controller who was the first to go public about the problems inside the tower at DFW a decade ago, says it’s no fun being an FAA whistle-blower.
“They did things blatant, they tried to run me off the road,” Whiteman says. “A guy used to knock me down at work all the time. He’d walk by — if nobody was looking, he’d knock me down.”
Whiteman blew the whistle on managers at DFW who were covering up incidents involving aircraft flying too close to one another. They retaliated by declaring her medically unfit for duty. While the top brass of the FAA in Washington now admits it’s had an ongoing problem at DFW, Whiteman says that for her it doesn’t matter, the retaliation in Dallas never stops. After 10 years, she’s worn down.
“I used to say I would do it again; [now I'm] not so sure,” Whiteman says, her voice shaking. “Twice now I’ve been removed from my job. The most recent instance, I was locked in the office. I’ll never be the same ‘ole Annie again. They’ve changed me in many ways. But I do have my pride. I do have a sense that I did the right thing, but I have a whole lot of sadness that I don’t think I would have ever had.”
Whiteman’s account and supporting testimony by witnesses were documented by the federal government. Managers disputed the door was locked.
To be an FAA whistle-blower is to be an outcast. But the dangers they eventually report weigh heavily on their consciences. It is their fear of the soul-crushing guilt they would suffer if the worst actually were to happen — and they had done nothing to stop it.
This is from an article by NPR………
http://www.npr.org/templates/story/story.php?storyId=91428378
Tim Wilson at Dark Reading makes a very good point about something that irks me – vendors who publish self-serving “research” about issues that will help sell their products. He has also found two studies that do have merit, and I agree with him:
The IronPort study goes beyond the usual “hacker trends” research and asks some important questions about who’s funding the rapid growth of botnets. The answer: pharmaceutical resellers, who need botnets as a launching pad for extensive spam campaigns that sell prescription drugs illegally.
What’s impressive about the IronPort study is not just the technical research that led the authors to analyze the use of botnets and backtrack their use for specific campaigns. What’s impressive is that IronPort actually went as far as ordering some of the illegal drugs and having them analyzed, proving that most of them contained the wrong dosage or were out-and-out placebos. Do we need to ask any more questions about the legitimacy of these spammers? It certainly doesn’t seem so.
Similarly, the Verizon report offers some real meat to the discussion over how data security breaches occur. Instead of just asking breached businesses what they think, the Verizon study compiles data from actual forensic investigations conducted at major corporations over a three-year period. If anybody knows what caused a breach, it ought to be a forensic investigator. (See Verizon Study Links External Hacks to Internal Mistakes.)
Like the IronPort study, the Verizon study doesn’t just look at the symptoms and effects of a security problem, but attempts to identify the causes. What it shows is that most breaches are the result of multiple factors, rather than just one — typically, an internal mistake followed by a shrewd exploitation of that mistake by an attacker.
Good one, Tim.
http://www.darkreading.com/blog.asp?blog_sectionid=327&f_src=drdaily
I was wondering when someone from the mortgage industry was going to step up and file a whistleblower complaint – and here is one as reported by Reuters. http://uk.reuters.com/article/marketsNewsUS/idUKN1248153820080612
But – you see absolutely NOTHING about this in the US mainstream press – and here is someone who had reported fraudulent activities (including being forced to approve loans that contained fraudulent information) as far back as 2006. I wish her better luck with this than I had – she might do better in the District Court in Manhattan.
I just don’t get it. Why is the press in the USA so silent about this, yet spends so much time on the intimate details of Britney Spears and petty details about Barack Obama and Hillary Clinton?
To me it’s just a modern version of bread and circuses. Pacify the mob, and they’ll never notice that they are losing their freedoms inch by inch.
John Sawyer at Dark Reading gave a brief analysis of this report today and I agree with him wholeheartedly. This is some outstanding work, and I plan on using it going forward for executive summaries and risk analysis. The thing that jumped out at me the most was that most companies don’t know where their data is, or don’t WANT to know where it is. When I was trying to get my former employer to do something about all the CC#s and SS#s they had in their various databases, the response was, in the beginning, to cover their ears and say “Not listening! Not listening!”, and after that it was “Can’t someone just SHUT HER UP?”:
- 66% involved data the victim did not know was on the system
- 75% of breaches were not discovered by the victim
- 83% of attacks were not highly difficult
- 85% of breaches were the result of opportunistic attacks
- 87% were considered avoidable through reasonable controls
Nine of 10 breaches involved some type of “unknown unknown,” the most common of which was data that was not known to be on the compromised system. Most breaches go undetected for quite a while and are discovered by a third party rather than the victim organization. Attacks tend to be of low to moderate difficulty and largely opportunistic in nature rather than targeted. Due, in part, to these reasons, investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of attack.
The complete report can be found at:
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Sawyer’s Blog:
http://www.darkreading.com/document.asp?doc_id=156296
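The Verizon finding quoted above, that most breaches involve data the victim did not know was on the compromised system, is the case for periodically scanning your own data stores for the CC#s and SS#s nobody admits are there. The following Python script is an added example, not code from this blog, from Sawyer’s post or from the Verizon report: it walks a few constructed sample rows, flags fields holding SSN-shaped values and Luhn-valid card numbers, and reports only masked values so the scanner’s own output does not become one more copy of the data. The column names and sample values are hypothetical.

```python
"""Data-discovery scan for SSN- and card-shaped values in tabular records.

Added example; the rows below are constructed, and the column names are
hypothetical. The point is to find sensitive data where nobody expected it,
and to report it without copying the full value into another log.
"""
import re

# SSN shape with the structural exclusions (area 000/666/9xx, group 00,
# serial 0000) that rule out obvious non-SSNs such as placeholder values.
SSN_CANDIDATE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)
# Runs of 13-19 digits, optionally separated by spaces or hyphens, are only
# card candidates; the Luhn check below is what separates cards from noise.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so reports don't leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive(text: str):
    """Return (kind, masked_value) pairs for every hit in one text field."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        hits.append(("ssn", mask(m.group())))
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits


def scan_rows(rows):
    """Scan every column of every row; return (row_index, column, kind, masked)."""
    findings = []
    for idx, row in enumerate(rows):
        for col, val in row.items():
            for kind, masked in find_sensitive(str(val)):
                findings.append((idx, col, kind, masked))
    return findings


def summarize(findings):
    """Per-column counts by kind: the columns that hold data nobody planned for."""
    summary = {}
    for _, col, kind, _ in findings:
        summary.setdefault(col, {}).setdefault(kind, 0)
        summary[col][kind] += 1
    return summary


# Constructed sample rows. Row 1 hides a card number in a free-text notes
# field and an SSN in a generic "ref" column; row 3 holds look-alikes that
# fail the Luhn check or the SSN structure rules and must not be flagged.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "notes": "paid with 4111 1111 1111 1111", "ref": "123-45-6789"},
    {"id": 2, "name": "B. Example", "notes": "callback tomorrow", "ref": "order-88"},
    {"id": 3, "name": "C. Example", "notes": "4111111111111112", "ref": "000-12-3456"},
]

if __name__ == "__main__":
    for idx, col, kind, masked in scan_rows(SAMPLE_ROWS):
        print(f"row {idx} column {col!r}: {kind} {masked}")
    print(summarize(SAMPLE_ROWS and scan_rows(SAMPLE_ROWS)))
```

Run against real exports, the per-column summary is the number an executive summary needs: how many records of each kind sit in columns that were never supposed to hold them. Anchoring the patterns on non-digit boundaries and requiring the Luhn check keeps order numbers and timestamps from flooding the report, and masking in `find_sensitive` rather than at print time means no caller ever receives a full value.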