July 28, 2006

Cashing in on Phishing

Evidently the criminals that utilize stolen credit card and ATM numbers for profit are called Cashers. Wired profiles a former Casher, and this is my favorite part:

It was his mother who introduced him to the online world of card thieves. In 2002, after completing a stint in drug rehab, his mother, “a big-time eBay seller,” sent him a link to Counterfeit Library, a website that catered to fraud artists.

“She knew I was into that stuff,” Dillinger says. “I used to send her these huge $150 gift baskets every Mother’s Day (paid for) with someone else’s credit-card number. So she pointed this (site) out to me.”

Who needs criminal help when you have a mom? Good read on the ins and outs of phishing and other credit card related cyber crime.

Confessions of a Cybermule [Wired]

Read More: Phishing, Investigations, Identity Theft, Theft

July 12, 2006

State Department Hacked, Turns off SSL in Response

Interesting:

The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned.

Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking.

Their response is even more interesting:

State Department’s emergency response severely limited Internet access at many locations… The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim’s network.

Yet again, this demonstrates that crypto can be used for you or against you.

Agency recovers from computer break-ins [Yahoo/AP]

Read More: Threats, Crypto, Investigations, Government

July 7, 2006

Less than 1% of Data Records Breached Result in Identity Theft

The non-profit Privacy Rights Clearinghouse has compiled a summary of all the published data breaches since the ChoicePoint breach in Feb 2005:

TOTAL number of records containing sensitive personal information involved in security breaches: 88,795,619

When will the madness stop? The real challenge is knowing which of these breaches is meaningful. The best data (PDF) I’ve seen says that only 8.9 million people actually reported having their identities stolen, and that number is actually decreasing:

In the last twelve months, 8.9 million American adults (4.0% of US adult population) became victims of identity fraud, an 11.9% decrease from 2003.

Also, if this data is right, 90% of those breaches were by non-electronic means. By my count, that means that less than 1% (~890,000) of people were actually affected by a data breach. While this is a significant number, it’s not the crisis the news makes it out to be.

What’s happening with the other 99% of these records? They are lost. People lose things.
We need something other than data breach reporting. They are becoming so common, and actually affecting so few people, that the noise is drowning out the true signal of what people should be worried about.

Until we get sensible regulations about these things there are a few things that security professionals can be doing to make sure their company doesn’t add to the statistics:

  • Encrypt portable devices - laptops, thumb drives, etc.
  • Encrypt backup tapes.
  • Implement good access controls on the databases where sensitive data is held.
  • Educate users about the risks. Use all the examples in the PRC’s report to make your point.
  • Pray.

A Chronology of Data Breaches Reported Since the ChoicePoint Incident [privacyrights.org]

2006 Identity Fraud Survey Report (PDF) [Javelin Strategy and Research]

Also useful is the PRC’s link to the Consumer’s Union compilation of all the relevant state laws. When can we get one national standard?

Notice of Security Breach State Laws (PDF) [Consumers Union]

Read More: Threats, Crypto, Investigations

Laptop with 26 M VA Records Sold from Back of Truck

An update on the largest loss of personal information ever, the stolen laptop with 26 million VA records on it. They found it! Never underestimate the power of a $50,000 reward:

Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We’re talking about the kind of market that is literally run out of the back of a truck, one official said.

Compared to the estimated $500 million it was going to cost to clean it up, $50,000 is a steal. (Pun intended). The “experts” think the data wasn’t accessed.

… the FBI ran forensics tests on the equipment and concluded the sensitive data – such as veterans’ Social Security numbers — had not been accessed.

Of course there’s no way to guarantee the data wasn’t lifted, but it seems like a pretty fair bet that anyone dumb enough to sell it out of the back of a van wouldn’t have known how to retrieve the data without being traced.

VA Laptop Sold From Back of Truck [MSNBC]

VA chief says laptop with vets’ data recovered [MSNBC]

Read More: Threats, Investigations

June 15, 2006

Thumb Drive Found in al-Zarqawi’s Pocket

Thankfully the former head of al-Qaida in Iraq hadn’t discovered laptop or flash drive encryption:

Al-Rubaie said a laptop, flashdrive and other documents were found in the debris after the airstrike that killed the al-Qaida in Iraq leader last week outside Baqouba, and more information has been uncovered in raids of other insurgent hideouts since then.

He called it a “huge treasure … a huge amount of information.”

When asked how he could be sure the information was authentic, al-Rubaie said “there is nothing more authentic than finding a thumbdrive in his pocket.”

Well actually I have every confidence that the NSA could have read it anyway, or at least cracked his password (I’d start with 1nf1d3lsMustD13).

But let this be a reminder that your organization should always encrypt its strategic information (plans for world domination included).

Iraq Announces Info From Al-Zarqawi Raid [AP / myway news]

Read More: Threats, Crypto, Passwords, D' Oh!, Investigations, Government

June 8, 2006

Thumb Drives for Social Engineering

A group of penetration testers used USB “thumb” drives to social engineer their way into a credit union:

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers.

Combined with 25 million identities lost on a portable hard drive, maybe it’s time for some good controls around our USB ports.
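The data-breach checklist earlier on this page (encrypt portable devices) and the USB drop described in this post come down to the same two endpoint controls: removable media that is not encrypted, and USB mass storage that is still allowed at all. What follows is an added example, not code from the original post, of a small POSIX shell audit for a Linux host. It assumes lsblk’s key="value" output (`lsblk -P -o NAME,PKNAME,TYPE,RM,FSTYPE`), counts a removable disk as encrypted only if it, or one of its partitions, carries a crypto_LUKS container, and reads the modprobe configuration for a rule that blocks the usb-storage module. The lsblk lines and modprobe snippet embedded below are constructed sample data, so the script runs offline; pass --live to audit the real machine.

```shell
#!/bin/sh
# Added example: audit a Linux host for unencrypted removable disks and for
# whether USB mass storage is blocked. Not part of the original post.

# Constructed sample of `lsblk -P -o NAME,PKNAME,TYPE,RM,FSTYPE`:
# sdb is a removable disk whose partition is LUKS; sdc is removable and plain vfat.
SAMPLE_LSBLK='NAME="sda" PKNAME="" TYPE="disk" RM="0" FSTYPE=""
NAME="sda1" PKNAME="sda" TYPE="part" RM="0" FSTYPE="ext4"
NAME="sdb" PKNAME="" TYPE="disk" RM="1" FSTYPE=""
NAME="sdb1" PKNAME="sdb" TYPE="part" RM="1" FSTYPE="crypto_LUKS"
NAME="luks-usb" PKNAME="sdb1" TYPE="crypt" RM="0" FSTYPE="ext4"
NAME="sdc" PKNAME="" TYPE="disk" RM="1" FSTYPE=""
NAME="sdc1" PKNAME="sdc" TYPE="part" RM="1" FSTYPE="vfat"'

# Constructed sample of /etc/modprobe.d/*.conf that does NOT block usb-storage.
SAMPLE_MODPROBE='# constructed sample
options usb-storage delay_use=1'

# Print (sorted) the names of removable disks that carry no crypto_LUKS container,
# either on the whole disk or on one of their partitions.
# $1: lsblk -P output with the columns NAME,PKNAME,TYPE,RM,FSTYPE
unencrypted_removable() {
    printf '%s\n' "$1" | awk '
        {
            split("", f)                      # reset the per-line key/value map
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                gsub(/"/, "", val)            # strip the quotes lsblk -P adds
                f[key] = val
            }
            if (f["TYPE"] == "disk" && f["RM"] == "1")
                removable[f["NAME"]] = 1
            if (f["FSTYPE"] == "crypto_LUKS") {
                encrypted[f["NAME"]] = 1      # whole-disk LUKS
                encrypted[f["PKNAME"]] = 1    # LUKS inside a partition of PKNAME
            }
        }
        END {
            for (d in removable)
                if (!(d in encrypted))
                    print d
        }' | sort
}

# Succeed (exit 0) if the modprobe configuration text in $1 contains an
# uncommented rule that blocks usb-storage: either "install usb-storage /bin/true"
# (or /bin/false), or "blacklist usb-storage".
usb_storage_blocked() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+usb[-_]storage)([[:space:]]|$)'
}

# With --live, read the real system; otherwise use the constructed samples.
if [ "${1:-}" = "--live" ]; then
    LSBLK_OUT=$(lsblk -P -o NAME,PKNAME,TYPE,RM,FSTYPE)
    MODPROBE_CONF=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
else
    LSBLK_OUT=$SAMPLE_LSBLK
    MODPROBE_CONF=$SAMPLE_MODPROBE
fi

echo "Removable disks without LUKS:"
unencrypted_removable "$LSBLK_OUT" | sed 's/^/  /'
if usb_storage_blocked "$MODPROBE_CONF"; then
    echo "usb-storage: blocked by modprobe config"
else
    echo "usb-storage: NOT blocked"
fi
```

Two caveats on the module check. A plain `blacklist usb-storage` only stops automatic loading by alias; an explicit `modprobe usb-storage` still works, so `install usb-storage /bin/true` is the form to deploy, and the `uas` (USB attached SCSI) driver, which many modern USB drives use instead, needs the same treatment. Neither rule helps if the driver is compiled into the kernel rather than built as a module, so treat the check as a configuration audit, not proof that a drop-in drive would fail to mount.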

Social Engineering, the USB Way [TechWeb / DarkReading]

Read More: Threats, Investigations

June 7, 2006

Insider Faces the Music

They are finally prosecuting Roger Duronio, a former network administrator for UBS PaineWebber, who in 2002 allegedly planted a logic bomb throughout its network, causing massive system failures:

… 2,000 of the company’s servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted.

Prosecutors say he did it all because he was shorted about 1/3 of his bonus.

And you thought you were having a bad day.

Nightmare On Wall Street: Prosecution Witness Describes ‘Chaos’ In UBS PaineWebber Attack [Yahoo News/Information Week]

Original DoJ Press Release [DoJ]

Read More: Threats, Investigations, Insiders

May 30, 2006

Ukrainian Cybercrime Lord?

We previously mentioned how some think that the underworld of identity theft is decentralized and that everyone meets online. A new Business Week article seems to suggest otherwise: that there are large mob-like organizations controlling the whole supply chain. US law enforcement suspects a Ukrainian named Dmitry Ivanovich Golubov of being the mastermind:

U.S. Postal Inspection Service senior investigator Gregory S. Crabb, who worked with Ukrainian authorities on their case, says Golubov and others controlled the numbers, names, and security codes attached to credit cards. Low-level criminals would use that to load up fake cards and withdraw cash from automated teller machines or buy merchandise. “Golubov was known as the go-to guy,” says Crabb.

The article goes on to profile other members of the spyware, spam, and credit card theft underworld. It’s always good to know more about the bad guys.

Meet The Hackers [Business Week]

Read More: Threats, Investigations, Identity Theft

May 26, 2006

VA Data May Cost $500 million to Clean Up

If you haven’t been under a rock, you’ve heard about the theft of the personal data of 25 million Americans from the home of a Veterans Administration employee. Some are now estimating up to $500 million to clean it up.

Some Perspective on $500 Million:

Use this case as a wake-up call to your company. How much would it cost to notify all your customers that their data was lost or stolen? Figure out that number and you can justify a lot of projects.

VA data theft may cost $500 million [zdnet/reuters]

Read More: Threats, D' Oh!, Investigations, Theft, Government

May 24, 2006

Phishing Not Slowing Down

The Anti-Phishing Working Group just published their latest report on trends for this kind of threat. Among their findings:

  • 89% of attacks are against financial institutions
  • The number of unique Phishing sites rose to 11,121, the highest ever.
  • 33% of phishing sites have some form of the target name in the URL.

Worth a read if Phishing is a pain in your neck.

Phishing Activity Trends Report - April, 2006 (PDF) [Anti-Phishing Working Group]

Read More: Threats, Investigations, Spyware

May 17, 2006

If You Gift Wrap It, They Will Prosecute

With statistics of upwards of 10 million identity theft victims per year being bandied about, law enforcement is overwhelmed. Private industry needs to do its part, and GE sets a good example:

Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. “You’ve got to make it easy, you’ve got to make a point,” he says.

It’s often hard to justify the need for a world-class forensics or investigations team. This idea helps make the case. If you can make your company less of a target by aggressively supporting prosecution of offenders, everybody wins, including the bottom line.

One of my key security principles is “Make it easy to do the right thing.” This rings true for law enforcement, too.

GE security exec shares tips to reduce security risks [ComputerWorld]

Read More: Investigations, Identity Theft, Theft

May 15, 2006

Insider Threat: Security Professionals

Hack into your boss’s computer and go to jail, even if you are a security professional. That is the message from the DOJ to government employees, with its “zero tolerance policy” about hacking into government computers.

A former computer security specialist at the Department of Education has been sentenced to five months in prison for hacking into his supervisor’s PC.

Kenneth Kwak, 34, of Chantilly, Va., admitted to installing remote control software on the computer and using that access to read his supervisor’s e-mail and monitor other Internet activity…

It’s not uncommon to meet security professionals with a God Complex. They think they can get away with anything because they have substantial privileges and skills.

A criminal is still a criminal even when you have the word “Security” in your title.

Ex-government employee sentenced for hacking [news.com.com.com.com]

Former Federal Computer Security Specialist Sentenced for Hacking Department of Education Computer [doj]

Read More: Threats, Policy, Investigations

April 27, 2006

Technical Contact Only in WHOIS?

Our favorite Internet regulator, ICANN (or ICAN’T), is close to deciding that the only contact info required in WHOIS is the technical contact. From the WSJ article:

… the Icann committee responsible for Whois voted 18-9 to restrict its listings solely to someone who can resolve technical “configuration” problems. That means a Web-hosting company could be listed without any link to the person who controls what appears on the site. After the committee makes recommendations on other aspects of the Whois rules, the full Icann board is expected to approve the reduced disclosure requirement.

It has been pushed by privacy advocates, but is opposed by ‘major corporations’ and the US Government. This may have significant implications for those of you who do investigations, or even normal users who are trying to determine if they are being phished.

The current options if you’d like your contact info to remain private are to:

  1. Dummy it up (officially against ICANN policy, but rarely enforced) or
  2. Pay your domain registrar extra to mask your whois information for you (can be as little as $1/domain)

I’m not sure we really need something beyond these two options, although I sure am tired of getting SPAM and telemarketing calls based on my WHOIS.

Sorry, the Wall Street Journal is pay-subscription only, and Google News says no one else has picked it up yet.

Wall Street Journal: Should Owners of Websites be Anonymous?

Read More: Web, Phishing, Investigations