Archive for the 'SOX Whistleblower' Category

14 Oct 08

Identity Theft – the terrorist connection??

I found this article from the Wall Street Journal profoundly disturbing, but not surprising. I just wonder how much of the cash is being funnelled to the Hindu Kush and the terrorists hiding there?

European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case.

The device can be told to copy certain types of transactions — for example, five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to British law enforcement said.

Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd.

The account data have been used to make repeated bank withdrawals and Internet purchases, such as airline tickets, in several countries including the U.S. Investigators haven’t pinpointed the culprits. Early estimates of the losses range from $50 million to $100 million, but the figure could grow, said the person close to British law enforcement.

The scheme uses untraceable devices inserted into credit-card readers that were made in China.

The devices selectively send account data by a wireless connection to computer servers in Lahore, Pakistan, and constantly change the pattern of theft so it is hard to detect, officials say.

“Pretty small but intelligent criminal organizations are pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago,” said Joel F. Brenner, the U.S. government’s top counterintelligence officer.

U.S. intelligence officials, including senior National Security Agency officials, are monitoring the case, in part because of its ties to Pakistan, which has become home to a resurgent al Qaeda.

The scheme comes on the heels of the August indictment of a fraud ring that stole more than 40 million credit-card numbers from U.S. companies, including TJX Cos., the parent company of TJ Maxx.

In March, security officials at MasterCard Inc. saw a pattern of potential fraud in northern England. Meanwhile, a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities. Scotland Yard learned of the report and eventually connected it with the warning from MasterCard, according to the person close to British law enforcement.

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug would read an individual’s card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

A MasterCard spokesman declined to discuss details of the case but said safeguarding financial information is a top priority for the company.

There is no obvious visual indication that a machine has been altered, but those with the bugs weigh about four ounces more. For the past several months, teams of investigators have been weighing thousands of machines across Europe with a precision scale.

So far, investigators have found hundreds of machines in at least five countries: Britain, Ireland, Belgium, the Netherlands and Denmark. They have turned up at European grocery chains including Asda, which is owned by Wal-Mart; Tesco; and J Sainsbury PLC, according to the person close to British law enforcement.

A spokeswoman for Asda said, “It’s subject to a police investigation, so we can’t comment.” A spokeswoman for Sainsbury denied its stores were hit by the scheme. A spokeswoman for Tesco said: “We’re aware that this was an issue for retailers.” She said Tesco tested its devices and is confident they are now secure.

http://online.wsj.com/article/SB122366999999723871.html

 

02 Oct 08

10 Signs of Compromise……..

SANS put out a good article last week on signs that you’ve had your network or data compromised:

  1. Your logging server hasn’t logged any events, or you haven’t received alerts, in the last 12 hours
  2. Your FTP server/user hard drives etc. are suddenly out of disk space, or logs increase in size more than your normal variation
  3. Your competition’s products look just like yours, but have a prettier color scheme
  4. Your customers start receiving spam on email addresses they used only to sign up for your service
  5. You get “machine acts funny” reports from users (i.e. windows closing by themselves, browser homepage changed, etc.)
  6. Someone needs help connecting to the company’s wireless access point; you don’t have a wireless access point
  7. Complaints that software (payment processing software, web browser, etc.) keeps crashing
  8. Complaints from user(s) that passwords/logins aren’t working
  9. Computer systems running unusually slow
  10. Visitors to your website complain that they get redirected to another site, or to one that just doesn’t “look” right

Another one we’ve seen – spikes in CPU usage, usually from dictionary attacks or DoS attacks.
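Items 1 and 2 of the list are the two signs that are easiest to turn into an automated check: a log source that has gone quiet, and a log volume that suddenly departs from its normal variation. The following Python script is an added example, not code from the SANS diary or from this blog; the host names, timestamps and daily volumes in it are constructed sample data, and the 12-hour silence limit is taken from item 1 while the 3-sigma volume threshold is an assumption chosen here.

```python
"""Log-silence and log-volume anomaly checks (signs 1 and 2 of the list above).

Added example with constructed data; not part of the original post."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: the time of the last event received from each log
# source, as a log server's heartbeat table might record it.
LAST_EVENT = {
    "fw-edge-01": "2008-10-01 22:10:05",
    "web-01": "2008-10-02 07:58:41",
    "db-01": "2008-10-01 03:00:12",   # constructed: silent for more than a day
}

# Constructed sample: daily log volume (MB) for one host over the previous
# 14 days, used as the "normal variation" baseline for sign 2.
DAILY_MB = [410, 398, 425, 402, 415, 390, 408, 412, 399, 420, 405, 395, 418, 401]

# Sign 1: no events in the last 12 hours.
SILENCE_LIMIT = timedelta(hours=12)


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in LAST_EVENT."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def silent_sources(last_event, now, limit=SILENCE_LIMIT):
    """Return the names of sources whose last event is older than `limit`.

    A quiet source is not proof of compromise (it may simply be down), but it is
    exactly the condition sign 1 says should trigger an alert."""
    return sorted(
        name for name, ts in last_event.items() if now - parse_ts(ts) > limit
    )


def volume_anomaly(history_mb, today_mb, k=3.0):
    """True if today's volume lies more than k population-std-devs from the mean.

    Using the host's own history as the baseline means the threshold adapts to
    what is normal for that host rather than a fixed number of megabytes."""
    mu = mean(history_mb)
    sigma = pstdev(history_mb)
    if sigma == 0:
        # A perfectly flat history: any change at all is unusual.
        return today_mb != mu
    return abs(today_mb - mu) > k * sigma


def report(now, today_mb):
    """Run both checks and return the findings as a dict."""
    return {
        "silent_sources": silent_sources(LAST_EVENT, now),
        "volume_anomaly": volume_anomaly(DAILY_MB, today_mb),
    }


if __name__ == "__main__":
    # Constructed "now" and today's volume so the example runs offline.
    findings = report(datetime(2008, 10, 2, 8, 0, 0), today_mb=980)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

In the constructed data, db-01 is the only source past the 12-hour limit, and a 980 MB day against a baseline averaging 407 MB (standard deviation under 10 MB) is flagged, while a 430 MB day is not. In practice the heartbeat table would be fed from the log server itself, and a silent source should be checked against the change calendar before anyone assumes the worst.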

October is Cyber Security Awareness month, so hopefully other organizations will be publishing other useful tips and information.

http://isc.sans.org/diary.html?storyid=5095&rss

24 Sep 08

Bailout and SOX whistleblowers………

$700 billion – and no one saw it coming??

I find that hard to believe, especially in light of the fact that 80 or more Sarbanes-Oxley whistleblower cases were filed against financial institutions, including mortgage brokerages, investment banks and other financial institutions that are now screaming that they made bad decisions in regard to loans and leverage and need the American taxpayer to foot the bill. Boohoo. Many of these cases included details about the problems within the industry, and they date back to 2003 or earlier. Four cases were filed against Fannie Mae that outlined how Fannie Mae made “mistakes” in their books in the billions of $$$.

Here’s the problem, the same one I ran into: you discover the trouble within the company you are working for, get fired for not playing the corporate game, and then there is nowhere you can go to report the problems. Dept. of Labor/OSHA – what a joke. What do THEY know about financial issues?

Nothing is done………..and no one seems to care.

They are caring now – again, it takes a disaster to get our government to pay attention to a problem.  Prevention – OH NO, we could never do that.

10 Sep 08

Good for Senators Grassley and Leahy………

Well, I’m glad that someone from the Hill is finally starting to take notice of what’s happening in the Dept. of Labor regarding SOX whistleblower cases:

Two U.S. senators accused the Department of Labor of violating the “spirit and goals” of a federal law aimed at protecting employees who report corporate wrongdoing, and called on the agency to stop rejecting claims from workers at subsidiary companies.
In a letter to Secretary of Labor Elaine Chao, Sen. Patrick Leahy, a Vermont Democrat who is chairman of the Judiciary Committee, and Sen. Charles Grassley, an Iowa Republican who also is on the committee, wrote that they were dismayed that the “administration — the Department of Labor in particular — has been using overly restrictive interpretation of this law to dismiss a majority of the complaints” filed under the whistleblower-protection provisions of the 2002 Sarbanes-Oxley Act.
Sen. Leahy and Sen. Grassley, who wrote those provisions, said that “there is simply no basis to assert” that employees of the subsidiaries of publicly traded companies aren’t covered under the act, as the department has asserted in numerous recent cases.
The letter cited an article in The Wall Street Journal last week that reported on the department’s stance. Department records show the government has ruled in favor of corporate whistleblowers 17 times out of 1,273 complaints filed since 2002. An additional 841 cases have been dismissed, the records show, with many of the dismissals made on subsidiary-exclusion grounds. The rest of the cases are either pending, withdrawn, or were settled.
In a statement, the Labor Department said it would respond fully to the concerns of the senators. But the agency said, “We are confident we are correctly enforcing the statute, and do not believe the text of Sarbanes-Oxley as written supports the broader reading that employees of subsidiaries are automatically covered.”
Tom Devine, legal director of the Government Accountability Project, a nonprofit group that promotes whistleblower rights, called the department’s stance “dysfunctional,” saying: “This one is a no-brainer. There is nothing in the law that allows for that type of loophole.”
The senators asked the department to supply documentation and a response supporting the agency’s position — and until that time, to suspend its interpretation that exempts employees of subsidiaries.
The department’s Occupational Safety and Health Administration enforces the whistleblowers’ provisions, which prohibit publicly traded companies or “any other officer, employee, contractor, subcontractor, or agent of such company” from retaliating against employees who provide information or assist in investigations related to alleged fraud.
In their letter, the legislators wrote that the whistleblower provision was a direct response to fraud perpetrated by Enron Corp., “through the misuse and abuse of its shell corporations and subsidiaries.”
Cases dismissed on the subsidiary-exclusion rule include whistleblower complaints against the German manufacturing conglomerate Siemens AG, London media titan WPP Group PLC; ING Groep NV of the Netherlands; Alabama insurer Torchmark Corp.; and Florida investment firm Raymond James Financial Inc. The companies have declined to comment on the cases.
Another pending case involves UBS AG, the Swiss bank. An attorney says the Labor Department has asked him to show that the UBS unit that employed his client is covered under the act. UBS declined to comment.

I hope the letter does some good – but the federal courts need a good talking to also………

http://online.wsj.com/article/SB122101918024118495.html?mod=hpp_us_whats_news

12 Aug 08

Corporate Whistleblowers 0 – Corporations 9999

Sad end of the road for fellow Whistleblower David Welch.  This pretty much renders the Sarbanes-Oxley whistleblower provision useless.

Va. whistleblower loses bid for reinstatement
By LARRY O’DELL – 5 days ago

RICHMOND, Va. (AP) – A fired bank executive who became the first person to win protection under a federal law that shields whistleblowers, only to see his victory overturned, suffered another setback in a federal appeals court Tuesday.

A three-judge panel of the 4th U.S. Circuit Court of Appeals did not reinstate David Welch to his job, ruling that he failed to explain how his employer’s alleged shoddy accounting practices could be considered a violation of federal law.

Welch was dismissed as chief financial officer of Cardinal Bankshares Corp. in 2002 after reporting what he said were misclassifications in financial reports that essentially overstated the bank’s earnings by $195,000. Cardinal is the holding company for the local bank in Floyd, population about 400, in southwestern Virginia.

A federal administrative law judge ruled in 2004 that Welch should be reinstated under the Sarbanes-Oxley Act, enacted two years earlier in response to corporate scandals at Enron Corp., WorldCom Inc. and other companies. The law required more stringent accounting practices and offered protection to workers who point out violations.

Since Sarbanes-Oxley was signed into law, more than 1,000 self-professed whistleblowers have come forward, and most have seen their cases rejected. Welch was the first to win his case before an administrative law judge, but that decision was reversed in June 2007 by the Department of Labor’s Administrative Review Board.

The appeals court affirmed the board’s decision, saying Welch “utterly failed to explain how Cardinal’s alleged conduct could reasonably be regarded as violating any of the laws” covered by Sarbanes-Oxley.

Judge Diana Gribbon Motz wrote that Welch failed to support his arguments to the review board with relevant statements. For example, she said Welch relied on laws or regulations passed years after the financial reports were filed, as well as other regulations that do not fall within the purview of Sarbanes-Oxley.

Welch, now an accounting professor at Franklin University in Columbus, Ohio, declined to comment and his lawyer, Bruce Shine, did not immediately return a phone call seeking comment.

Leon Moore, president of Cardinal Bankshares, also did not immediately return a phone message.

http://ap.google.com/article/ALeqM5ih78_hLGvLZf73wTfmbOSierYTHwD92CD0K00

29 Jun 08

Another SOX whistleblower – adding to “101”

Nell, I’m sorry the system let you down and I understand your frustration. I am days away from my hearing and representing myself since I couldn’t find an attorney with the time and motivation to help me – even though I was fully willing to pay.

I tried posting on your 101 page, but kept getting booted – but here’s my input:

To your comments above, I would add – talk with every finance and CPA friend you have and understand how the work you do fits into the finance side using ‘finance speak’. Research auditing standards and COSO guidelines, and get internal SOX flowcharts. Be able to map how the IT issue would hit the financial statements – whether that’s through reporting errors internally or an external threat.

Find out what kind of IT insurance products your company carries. Many policies have line item descriptions of what they do and don’t cover, and the newer the IT issue, the more likely it’s a separate product or a policy exclusion. (i.e. Data privacy can be an ‘add-on’.) Does the company represent in its financials that it’s adequately insured? Could the company argue successfully that it’s an insured risk, so complaints aren’t ‘reasonable’? If you can go so far as to get the annual applications where the company represents its forms of security – are they accurate?

I don’t know if this will help anyone, but the possibility is a good stress reliever for me right now. -)

14 Jun 08

Finally – mortgage fraud whistleblower

I was wondering when someone from the mortgage industry was going to step up and file a whistleblower complaint – and here is one as reported by Reuters.  http://uk.reuters.com/article/marketsNewsUS/idUKN1248153820080612

But – you see absolutely NOTHING about this in the US mainstream press – and here is someone who had reported fraudulent activities (including being forced to approve loans that contained fraudulent information) as far back as 2006. I wish her better luck with this than I had – she might do better in the District Court in Manhattan.

I just don’t get it. Why is the press in the USA so silent about this, but they spend so much time on the intimate details of Britney Spears and petty details about Barack Obama and Hillary Clinton?

To me it’s just a modern version of bread and circuses.  Pacify the mob, and they’ll never notice that they are losing their freedoms inch by inch.

http://en.wikipedia.org/wiki/Bread_and_circuses

25 May 08

One of my bizarre experiences as a whistleblower………Russell Crowe?

During the three years I spent in whistleblower litigation I had to jump through a lot of hoops, as the defendant attorney’s strategy was to harass me to the point that I would drop the case.  Or it could have been as a billable-hour-blank-check guy he was just milking them for every penny he could get. Or both. Whatever.  Anyway, I had to spend 3 days in depositions (yes, that’s 24 hours of being asked the same stupid questions over and over again), produce thousands of pages of documents including my calendars which took hours of my time etc.  Anyway, this lawyer was pretty goofy.  One afternoon during a deposition he triumphantly threw pictures of Russell Crowe and Al Pacino in front of me, and demanded that I confess to secretly plotting with Hollywood moguls to make a film like “The Insider” – the movie about Big Tobacco whistleblower Jeffrey Wigand (with RC & AP).  My answer was, “I saw Gladiator 5 times – does that count?  I’ll watch anything with Russell Crowe in it.”  Of course he got pretty mad at that point which was a good thing. At trial the pictures showed up again, and the court reporter got excited because she thought Russell Crowe was going to be a witness.  I WISH!!

The ONLY thing I wanted during this whole process was for the defendant to address their data security problems.  But NOOOOO! that was not an option. It makes much more sense to pay a goofy hired gun a half million dollars or so to defend something that probably could have been settled over a cup of coffee. That’s Corporate America for you!!

24 May 08

Data security problems – Whistleblowing 101

I was extremely disappointed to see at http://ha.ckers.org/blog/20080522/tjx-whistle-blower/ that an employee of TJX (CrYpTiC_MauleR) had been tracked down and fired for posting some comments about TJX’s data security flaws (TJX of HUGE SECURITY BREACH fame). As an information technology whistleblower who just finished three years of whistleblower litigation against my former employer over data security problems, I thought it would be useful to post to the IT community how one goes about blowing the whistle in a way that gives you some chance of a successful outcome.

First off, this is not a path I would recommend to anyone unless you have a completely ethical reason for doing so, have a backbone of steel, and a very thick skin (don’t think you will make a million $$, in other words). In my case, the security problems were rampant, auditors were not told the truth, and I was in the direct path to be blamed if there was a data breach (I was the company’s database administrator, managing security for their databases with CC#s, SS#s, etc.).

Secondly – something all IT people in the USA need to be aware of; we don’t have a lot of protections when it comes to whistle blowing.  There are basically two routes if you work in private industry (federal and state-employed whistleblowers have different avenues):  Sarbanes-Oxley (SOX) whistleblower protection for publicly traded companies (see fact sheet at http://www.osha.gov/Publications/osha-factsheet-sox-act.pdf)  and state “public policy” or whistleblower laws, for companies that aren’t publicly traded.  State laws are usually weak, and SOX whistleblower protection is pretty much a joke, but there is a way to negotiate them and possibly get a positive change as LONG AS YOU FOLLOW THE RULES (fyi – these rules pretty much apply to all forms of whistle blowing):

  1. Know the law as it pertains to data security. Publicly traded companies are covered by SOX (internal controls rules CAN and SHOULD cover data security under the contractual obligations with VISA), financial institutions are covered by the Gramm-Leach-Bliley Act, and other OCC rules and regs. GLBA covers privacy data at a federal level. Nearly all states have some sort of laws for privacy and financial account protection these days, and nearly all of them are similar to California SB 1386. They can be looked up online – good resources are www.privacyrights.org and www.consumersunion.org.
  2. If you find something that the company is doing that is not in line with these laws, document what you’ve found and tell your supervisor. IT IS CRITICAL TO STATE WHICH LAW YOU THINK IS BEING VIOLATED AT THIS TIME – THE EXACT LAW AND DO IT IN WRITING – EMAIL IS FINE. KEEP A HARD COPY. Once you do this, you have entered the protected activity phase, which means that the company has to tread carefully from that point on as far as disciplinary action etc.
  3. If you have gone to your supervisor 3 times and nothing has happened, escalate to his boss and/or the Information Security Department. I generally would recommend telling your supervisor that you intend to do this. Again – document everything and ALWAYS spell out which law is being broken.
  4. If you STILL see no change, I would see if the company has an Internal Audit department and I would find out how to contact the Audit Committee (for publicly traded companies). At this point I would also consider going to Human Resources just as a CYA. But remember, HR is NOT YOUR FRIEND. IT IS GUARANTEED THAT WHATEVER YOU TELL THEM, THEY ARE GOING TO TELL YOUR BOSS. Forward your concern to the head of Internal Audit, and also the company’s Audit Committee. For non-publicly traded companies you might not have this option. ALWAYS KEEP THE DOCUMENTATION ON ALL THIS – and IF YOUR STATE LAW ALLOWS ONE-SIDED APPROVAL TO RECORD CONVERSATIONS I WOULD START CARRYING A SMALL RECORDER AND USING IT – ESPECIALLY WITH ANY DEALINGS WITH HUMAN RESOURCES. Cloak and dagger? Unethical? Against company policy? Will get you fired if they find out? Probably all of the above – but this was one of my biggest regrets – not doing it. If the judge and jury had heard the way that I was treated, it would have made all the difference in the world.
  5. At this point, the company is a) going to do nothing and hope you shut up and/or go away, b) start working to fix the problem, c) start a harassment campaign to get you to quit or d) fire you. If you start experiencing any evidence of hostility, change in schedules or job functions, changes in responsibilities, shunning etc DOCUMENT EVERYTHING. Look up the definition of hostile work environment and if you start experiencing any of this – KEEP A JOURNAL. But, remember, journals are not admissible as evidence, but can be used to refresh your memory. EMAILS are the main evidence these days, so document, document, document and ALWAYS BE PROFESSIONAL.
  6. If things reach this point and you STILL want to try to get the problem(s) fixed it’s time to consider going outside the company for a solution. Read the OSHA documentation for SOX whistleblowing listed above, if your company is not covered by SOX contact your attorney general’s office in your state to find out what to do (that may get you nowhere – be prepared for that).  You can try contacting the Federal Trade Commission for data security violations in regard to credit card numbers, but as they have a 1.8% enforcement rate (after data breaches occur) I’m not sure I would bother.  VISA/MC have no method of contact to my knowledge – although they are the ones that do enforcement of the PCI DSS.   Also – now is the time to start getting the documentation you need together, including proof of wrongdoing and putting it somewhere for safekeeping (unless your company is the firing type – then I’d start getting the docs out from the beginning). Please be advised that this gets on shaky ground because of non-disclosure agreements, but as long as you intend to use the documentation ONLY for purposes of an outside investigation you should be OK. Don’t hand it over to the press in other words, or post it online.
  7. At this point you can still continue to do things on your own, but I would recommend contacting an attorney who specializes in whistleblower law – a good resource can be found at the Government Accountability Project, www.whistleblower.org

Sounds like a lot of work and hassle – you bet it is. But, I can say FROM EXPERIENCE that this is about the only way to effect a positive change from whistleblower actions. Hopefully, everything can be solved in-house and you will never have to go outside the company to try to solve the problem.

FYI – I lost my SOX case because the federal judge said that as a database administrator (rather than an accountant) I could not have had a “reasonable belief” that the company was breaking the law, although all the evidence that was produced showed that they were CLEARLY in violation of many state and federal laws.  The judge’s decision was totally bogus of course, and I think he regretted it after he saw all the evidence (case had a lot of “moving parts”, evidence came up in a jury trial on a state whistleblower claim).  But, if I had followed all the steps I had outlined above, I would have had a better chance of winning.  

Also be prepared for the “deer in the headlights” look whenever you start talking about IT security to anyone who is not in IT.  Learn how to speak in layman’s terms.

Nell Walton, CISA, CISSP

16 May 08

David Welch – Court of Appeals

The Welch Sarbanes-Oxley whistleblower case is back in the news again, the case was argued in the 4th U.S. Circuit Court of Appeals yesterday by his attorney, Bruce Shine.  I am interested to see how the court rules on this, there has been WAY too much legislating from the bench on the Sarbanes-Oxley whistleblower provision:

http://ap.google.com/article/ALeqM5ih78_hLGvLZf73wTfmbOSierYTHwD90LHMC00



