
April 08, 2008

Reported Internet Fraud Soars in 2007: FBI

Apr 7, 2008, By Ken Magill of Directmag.com

Americans reported $240 million in online fraud losses in 2007 to the Federal Bureau of Investigation, an increase of $40 million from 2006, according to the FBI’s National White Collar Crime Center.

The FBI’s Internet Crime Complaint Center in 2007 received 206,884 complaints, of which 90,000 were referred to various law enforcement agencies, according to the FBI’s 2007 Internet Crime Report released last week.

"The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become," said FBI Cyber Division assistant director James E. Finch, in a statement. "What this report does not show is how often this type of activity goes unreported."

Median dollar loss in 2007 per complaint was $680, according to the FBI. Also, men lost on average $1.67 to every dollar women lost in online fraud last year, the FBI said.

Online auction fraud was the most-reported online crime last year, accounting for 35.7% of complaints, the FBI said. Non-delivery of goods or services was No. 2, accounting for 24.9% of complaints. So-called confidence scams accounted for 6.7% of complaints in 2007, credit-card fraud accounted for 6.3%, check fraud accounted for 6%, and computer fraud accounted for 5.3%.

Surprisingly, given all the press attention they get, identity theft accounted for just 2.9% of all complaints, and Nigerian letter fraud, or 419 scams as they are also called, accounted for 1.1% of all reported online fraud, the FBI said.

The highest dollar loss per crime reported was from investment scams with a median loss of $3,547, the FBI reported. Check fraud was No. 2 at $3,000 and Nigerian letter fraud was No. 3 at $1,922, the FBI said.

Also, men were more often perpetrators and victims of online crime than women in 2007, with men accounting for 75.2% of reported perpetrators and 57.6% of all complainants, according to the report.

The median loss for men per complaint was $765 compared to women whose median loss was $552, the report said.

By far the state with the highest complainants per 100,000 people was Alaska, with 356. By comparison Colorado was No. 2 with 90 per 100,000 people, the report said.

Retrieved April 9, 2008 from http://www.directmag.com/legal/online/internet_fraud_0405/index.html

March 07, 2008

Teen who killed dad angry he couldn't use Internet

Dr. Kardasz:
The social networking opportunities provided by the Internet have become part of the fabric of life for many young people. As parents we may underestimate the seductive power of computers and their importance to some children and teens. The following story describes a tragedy involving a depressed 15-year-old who shot his father after the youth's Internet privileges were revoked.

Teen who killed dad angry he couldn't use Internet

Jim Walsh, The Arizona Republic, 03/05/08

A 15-year-old boy told Mesa police he shot his father in the back of the head last month because he wouldn't let the teenager use the Internet, saying MySpace was his outlet. When Hughstan Schlicker heard officers talking about the investigation, he responded, "Dad came home, I shot him in the head, what investigation?" according to a Mesa police report.

Almost laughing, the teen told police, "along with murder, can you put me down for truancy, I ditched today," the report said. "Can we clean up this before my mom gets home, I don't want her to come home and see my dad dead." Later, he told detectives he was angry with his father but couldn't remember the reason. "But I was mad at him very much and I wish I could take everything back; I wish this was a bad dream but it's not."

Hughstan said during an interview with a homicide detective that he considered committing suicide in front of his father after finding a shotgun and ammunition in the garage of their home, but decided to murder his father instead and then commit suicide. Hughstan apparently surprised his father, Ted Schlicker, who was standing in the kitchen when the boy approached him from behind, aimed the gun and pulled the trigger as the family dog brushed against the teen's leg, the report said.

Police arrested Hughstan after the slaying in the 100 block of South 56th St., Mesa, and accused him of first-degree murder. Ted Schlicker, 49, was found on the floor with his pistol still holstered on his hip.

An officer guarding the homicide scene was approached later that afternoon by Treva and Clayton Crull, who told him that their son was Hughstan's best friend. They told the officer that when they came home from work, they discovered a message on their answering machine from Hughstan saying "he would not see them for a long time because he just killed his father. They said at first they thought it was a joke, but they tried to call Hughstan back several times, but they got no answer," the report said. In a subsequent interview with detectives, Treva Crull said she "thought very highly of Hughstan and said he was a polite boy." She said her son and Hughstan often spent the night at each other's house. The boys met when they were in third grade. Treva Crull said her son told her that Hughstan wasn't at Brimhall Junior High School that day, where they went to school together, but that Hughstan had missed class before and it wasn't unusual.

Hughstan told police that he called in sick to school that day, faking his father's voice, and spent the day lounging around the house.
The Crulls' son also told police that Ted Schlicker always carried a handgun, but she never saw him take it out of the holster. The boy also said he never saw Hughstan handle a gun and never "expressed any curiosity with the many guns in the home," the report said.
Police seized numerous guns from the home during the investigation, according to the report.

Hughstan told detectives that he used the Internet to communicate with his friends, and that two of his friends helped him when he tried to commit suicide a couple of weeks earlier. The report had no details. Since his father took the Internet away, Hughstan said he was "just so depressed all the time," the report said. When his father came home, Hughstan said he pointed the 12-gauge shotgun at his father "and I was getting ready to pull the trigger" when his dog walked by and brushed his leg. He said he glanced down at the dog and squeezed the trigger, the report said. "I know it's not an accident I did intentionally kill," he told police. The transcribed tape of Hughstan's interview with detectives shows his mother entered the room at some point and began participating. "I know, I know it happened, we have to get past this, it's not going to change anything between you and me," Judy Schlicker said. "You're still my son and I love you no matter what OK? I'll be there whenever you need me." Judy Schlicker then started crying. When she asked Hughstan why he shot his father, he said, "I didn't really mean to. I was just planning to scare him." Hughstan then contradicted what he had told detectives earlier, telling his mother that he accidentally squeezed the trigger and shot his father.

Retrieved March 2, 2008 from http://www.azcentral.com/news/articles/0305dadmurder0306-on.html

March 06, 2008

Data security: Penetration Testing

The link leads to an interesting article by Steve Stasiukonis about computer security and penetration testing. It is useful information for those responsible for securing computer systems.

October 31, 2007

Eight useful computer security tips from the EDS Company

1. Know the threat. The online world is a dangerous place. Just like any city or town, there are “good” neighborhoods and “bad” ones. Likewise, the Internet community has an overwhelming number of good, decent people mixed in with a few “bad guys.” The bad guys can be right next door or across the globe, but both can be equally harmful to you and your personal data.

2. Use the tools. Every home or small business user should install commonly available security tools such as anti-virus software, anti-spyware software and a personal firewall. It’s also important that these programs and the computer’s operating system be maintained with the most recent patches or updates. Probably the most common – and most easily remedied – security problem in home or small business computers is out-of-date software.

3. Be smart online. Like the physical world, cyberspace has its “con-artist side” typified by bogus e-mails advertising “get-rich-quick” schemes, “can’t-miss” stocks and come-ons from the opposite sex who “can’t wait” to chat. All too often, these are teasers drawing users to Web sites with viruses, bot programs or other cyber risks. In many cases, anything goes and relatively few rules apply. Remember, if it is too good to be true, it probably is.

4. Never respond to unsolicited requests for personal information. Be wary of e-mails from organizations or individuals asking for your personal information. Always ask or look for contact information on unsolicited requests and be skeptical. No reputable bank, for example, will e-mail you asking you to provide personal information for “account verification.” If you believe the content may be suspect, contact the company directly to verify.

5. Beware of “phishing” e-mails. Phishing is one of the fastest-growing forms of online fraud for identity thieves. Phishing e-mails appear legitimate, often addressing you by name, which makes them even more convincing. Thieves sending these e-mails usually ask you to click on a link in the email that takes you to a phony Web site – if you are interested, it is best to go to the site yourself by typing the Web site name directly into your browser rather than clicking on the link provided in the e-mail. A skeptical attitude toward unsolicited e-mails is always the best policy, especially if you have never done business with a company before receiving an e-mail solicitation from it.

6. Do not use personal information for passwords. Using information such as Social Security numbers, birth dates, names, e-mail addresses or telephone numbers as passwords can make you an easy target. Be sure your passwords contain at least eight characters and include numbers or symbols. To avoid misuse, do not write down passwords.

7. Review privacy and security policies for the companies you do business with online. All reputable companies post a privacy and security policy or statement on their Web site. This should tell you what information the company collects, how it is used and what is shared. If you are concerned about your information being shared with other companies, make sure there is an option to keep your information confidential.

8. Monitor online activity regularly. If you conduct business online, review your account statements regularly and consider using a separate credit card for online purchases or payments to ensure all transactions are in order. By reviewing online statements and transactions frequently, you could detect a theft and limit its damage. Identity thieves typically use stolen information for only a short period of time to avoid being caught. If you suspect a security breach, act quickly by contacting the companies you do business with immediately.

Retrieved October 31, 2007 from http://www.eds.com/news/releases/4069/?rss=141&filterid=0

October 28, 2007

Kansas City, Missouri jury recommends death sentence for Montgomery

From the Herald Sun. By Stefanie Balogh. 10/28/07

A jury recommended killer Lisa Montgomery be sentenced to death for cutting a baby out of a mother's womb in one of the US's most chilling murders.

Jurors reached their death penalty decision after more than five hours of deliberations in Kansas City, Missouri. The judge sentencing Montgomery, 39, is obligated to consider their recommendation.

Earlier, Montgomery was convicted of kidnapping and slaughtering eight-months pregnant Bobbie Jo Stinnett on December 16, 2004, to steal her unborn child, Victoria Jo. Montgomery was arrested the day after the strangulation murder, which she planned for weeks, if not months, and researched on the internet how to perform a caesarean section.

Montgomery, who had faked pregnancies to gain financial benefits, was found at her home in Melvern, Kansas, where she was showing off Victoria Jo as her child. Victoria Jo is now a healthy three-year-old who has been reunited with her father, Zeb Stinnett.

Assistant US Attorney Matt Whitworth told the court that every time Victoria Jo had a birthday, "it will be the anniversary of the slaughter of her mother". Federal prosecutor Roseann Ketchmark said Montgomery had committed the "worst crime" and violated the expectant mother "in the most wicked way possible".

Victoria Jo was nearly four weeks premature and prosecutors said Montgomery had not sought medical attention for her. Montgomery's defence team asked for mercy, saying she was mentally ill and did not fully comprehend what she was doing because she had suffered physical and sexual abuse as a child.

Montgomery met the Stinnetts at a dog show in April 2004 and struck up a casual acquaintance over the internet. At the same time, Montgomery told people she was pregnant. After she learned about Ms Stinnett's pregnancy online, she created an online identity and set up a meeting on the pretence of buying a puppy.

She strangled Ms Stinnett with a rope and cut Victoria Jo from her mother's womb in the Stinnett home in Skidmore, Missouri. A sentencing date has not been set.

Retrieved October 28, 2007 from http://www.news.com.au/heraldsun/story/0,21985,22659039-663,00.html

Twin Cities (Minnesota) woman killed after answering Internet advertisement on Craigs List

By Trisha Volpe, KARE 11 News.

Katherine Ann Olson had accomplished a lot in just 24 years. She was co-valedictorian at her high school in Cottage Grove. She studied theatre at St. Olaf. She traveled the world, even joined the circus in Argentina and worked as a nanny in Turkey.

Her family says Katherine hoped that experience would help find her a job at home in the Twin Cities. They also say Katherine often found the internet, and Craig's List in particular, to be a helpful tool to meet people and find opportunities.

This week, police say a man used the internet to lure Katherine to her death. Authorities say Katherine was looking for a job on Craig's List, an internet web site for classified advertising, when police say she saw a posting that piqued her interest - someone looking for a babysitter in Savage. Katherine had some nanny experience and applied for the job, police say.

She left her home in Minneapolis Thursday morning to answer the ad and meet the person who posted it, but she never returned. The next day, after her roommate told police she hadn't seen Katherine since Thursday morning, and after someone found Katherine's purse and a towel full of blood at a Savage ball field, police found Katherine's body. She was in the trunk of her own car, about a mile away. The car was parked at Kramer Park Reserve in Burnsville.

Police say Katherine Olson simply answered the Craig's List ad, and the person who posted it killed her. That man is 19-years-old and from Savage. He's now in the Scott County jail on suspicion of murder.

"It's not the typical, by any means, homicide where most of them there's some type of relationship between the victim and the suspect. And we have not, at this point, other than the Craig's List connection determined anything further than that," says Captain David Muelken with the Savage Police Department.

At this point police are still trying to determine where and how Katherine was killed and why. The man now accused in her murder is expected to be charged officially on Monday.

Police say the suspect was actually arrested at the Minneapolis-Saint Paul International Airport Friday, where he worked. Friends tell us it was a new job, fueling airplanes.

Retrieved October 28, 2007 from http://www.kare11.com/news/news_article.aspx?storyid=268340

October 27, 2007

Woman charged in 'Internet Revenge' case

10/26/07. Associated Press

A 34-year-old woman has been charged with using the Internet to try to get revenge on an old boyfriend by breaking up his marriage. Pilar Stofega has been charged with second-degree harassment and breach of peace and released on $2,500 bond.

Waterford police say she created phony profiles of the former boyfriend's current wife on some adult Web sites that included the wife's home and work phone numbers and high school yearbook picture.

Stofega said she did it "to be vindictive, knowing that the profiles would create marital problems between" the victim and her husband, according to court documents.

The plot came to light when strange men started calling a Waterford woman's house over the summer, saying they had seen her profile on an adult Web site.

The man Stofega had dated eight years ago used his own computer to investigate and discovered someone had created a profile for his wife on several Internet sites, according to court records.

Police say the husband did more online investigating and was able to find out that the person behind the phony profiles of his wife was the woman he dated in 1999. He passed the information on to Waterford police, leading to Stofega's arrest last week.

Waterford police got a court order to seize Stofega's Internet records. They reviewed the account records before searching her house in late September.

Stofega was at the house when police served the warrant. Officers said she provided them with a sworn written statement in which she admitted to intentionally creating the profiles in the victim's likeness on the adult Web sites.

Stofega is scheduled to appear in New London Superior Court on Monday. Court records did not list an attorney and her phone number was not listed.

Information from: The Day, http://www.theday.com

Retrieved October 27, 2007 from http://news.yahoo.com/s/ap/odd_internet_revenge;_ylt=AjLuj1pZKKxoEn5QxdJ3cTIE1vAI

September 07, 2007

Murder suspects learned of victim through Internet chat room

Associated Press, Sept. 5, 2007

OKLAHOMA CITY - Two people accused of killing an Oklahoma City man went to his home in a robbery plot after getting his personal information in an Internet chat room, according to court papers.

Deborah Jean Hopson, 24, and Robert Edwin Tyson III, 27, were arrested in Phoenix and charged with first-degree murder in the death of Matthew Powell, 19, who was killed Aug. 26, police said.

Powell's death came after he apparently directed a woman he met online to his Oklahoma City home, according to court documents.

Hopson and Tyson were arrested after police in Arizona responded to a call about a possible abduction, Oklahoma City police Sgt. John George wrote in an affidavit. During a brief standoff, Hopson told officers the pair had been involved in a killing in Oklahoma City, Phoenix police say.

"We found evidence directly linking them to the victim and the crime," Phoenix police Sgt. Joel Tranter said, but he declined to detail that discovery.

Hopson told Phoenix police they tried to knock out Powell with a rag soaked in some kind of automotive cleaner, but it did not work, George wrote.

Tyson struggled with Powell until he told Hopson to get something he could use to tie up the other man, according to the affidavit. They used telephone cords to bind Powell's hands and feet.

Hopson said Tyson demanded money from Powell and became angry when the younger man said he didn't have any, George wrote. He kicked Powell in the head and tried to drown him in a plastic bag filled with water.

Tyson ended up holding Powell's head underwater in a plastic tub until he drowned, the affidavit alleges.

Tyson admitted to planning the robbery and fighting with Powell before tying him up, but he said Hopson was the one who drowned him, according to the affidavit.

Powell's grandfather, Daniel Troyer, found his body when he returned home from church that night, relatives said.

"We couldn't come up with a reason why Matt should be dead," great-aunt Sharon Coursey said Tuesday. "Nothing added up."

She said there was no reason to think it could have been a botched robbery because Powell had nothing of value.

A video game system, some games, two phones and Powell's high school class ring were missing after his body was discovered, according to court papers.

Tyson had been wanted for violating his parole on a 1999 conviction for sexual conduct with a minor.

Court records list an address in Arpelar in Pittsburg County for Tyson, while Hopson is from Glenpool.

Retrieved September 7, 2007 from http://www.azcentral.com/offbeat/articles/0905internetkilling05-on.html#

August 29, 2007

Data Retention: Lt. Ritter of the N.J. State Police

Dr. Kardasz: The following informed testimony of Lt. Ritter last year succinctly described some possible solutions for the ISP data retention issue.

---------------------------------------------------------

July 10, 2006
STATEMENT OF THE NEW JERSEY STATE POLICE, Lieutenant Anthony W. Ritter, Assistant Bureau Chief, Computer Crimes and High Technology Surveillance Bureau

Before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS, of the COMMITTEE ON ENERGY AND COMMERCE United States House of Representatives
 
Good morning Mr. Chairman, Ranking Member Stupak and members of the Subcommittee, I am Lieutenant Anthony Ritter, Assistant Bureau Chief of the Computer Crimes and High Technology Surveillance Bureau within the Special Investigations Section of the New Jersey State Police.  I appreciate the opportunity to discuss with you our issues regarding combating predators on the Internet.

I. Introduction

I have been a member of the New Jersey State Police for 22 years and have been involved in both technology and cyber investigations for the last 17 years. The Computer Crimes and High Technology Surveillance Bureau coordinates the efforts of the New Jersey Internet Crimes Against Children (ICAC) Task Force.

II. Challenges

I would like to address some of the challenges that face our task force and that of cyber law enforcement in general.

A. Data Retention
There has been much testimony before the committee on the subject of data retention by Internet Service Providers (ISPs) and I would like to address the three major concerns brought forth by ISPs generally.  First, the ISPs are not clear who will be able to access records of someone’s online behavior.  The law enforcement process begins with reasonable suspicion to develop required probable cause and operates under legal guidance and court orders.  I think unauthorized insider access to records is of graver concern to the ISPs.  Second, the ISPs are not clear who would pay for the data warehousing of these additional records.  I think everyone will bear part of the cost.  And third, ISPs say it is not clear that police are hindered by current law as long as they move swiftly in the investigative process.  In this case, they may be partly correct.  There needs to be a consistent, measured approach to data retention and an increase in the speed of the investigative process.  We both must work more efficiently.  Although we are pleased to see the ISPs moving forward, voluntarily, to address our concerns where they can, we seek to have a standard established for the retention of data by ISPs.   All ISPs should be required to have the capability of isolating targeted traffic and upon receipt of a court order, deliver that content to a law enforcement monitoring facility in a standardized manner.  This capability needs to extend to all methods of communication services supported by this industry.

B. Quality of Service
Quality of service is an industry recognized term that is important to a business’s ability to maintain and increase its customer base.  In our case, law enforcement is the customer and poor customer service equates to a delayed law enforcement action.  These delays can result in an inability to continue investigative leads in a timely manner.  Our goal here is to institute industry wide standards to ensure the efficient and timely return of the information sought by law enforcement.

C. Costs
There is an explosion in technology and it is the convergence of telephony networks and data networks on portable data assistants (PDA), cell phones and other wireless devices.  Current costs for intercepting conventional wireless devices can reach as much as $2600 per intercept order.  Our fear is that the costs associated with IP intercept will exceed the costs of conventional intercepts and will price many law enforcement agencies out of this investigative crime fighting tool.

D. Personnel
The need for skilled investigators is as critical as data retention. Without the data we cannot investigate, without the detective we cannot investigate. In New Jersey’s Peer-to-Peer (P2P) initiative we have over 83,000 leads and as LTC Rodgers stated, we have 10 full time detectives with half working proactively. The other half are working reactively on referrals and direct complaints. And what about being proactive in other areas of the Internet? Most people only know of browsing the web, but there are many other ways of communicating across the Internet and each one could keep a whole squad of detectives busy 24 hours a day.

E. Tools
Additional research and development needs to be conducted by law enforcement, technology corporations, and institutions of higher learning to close the large gaps impeding our ability to fight technology crime against Internet predators.  We need to:

- collect technical data and present it in an easy to view graphical format.
- automate the process of locating network log files regardless of operating system.
- overcome the obstacles of anonymizers, IP spoofing, encrypted data and steganography.
- forensically capture a computer’s Random Access Memory (RAM) without modification or alteration.
- provide real time IP intercept on data networks in a standardized format, with the ability to isolate the target and capture the communication inclusive of all activities such as instant messaging, voice over IP phone calls, web cams, emails and web browsing.
- facilitate an automated and standardized stored data handover interface for the return of historical records requested by subpoena or court order.
- develop tools to locate the physical position of devices connected to wireless networks.

III. Solutions   
There have been many suggestions from the men and women fighting Internet Crimes Against Children in New Jersey on ways to improve and streamline our mission.  Here are some of their thoughts:

A. Increase ISP record retention to not less than two years to include, but not be limited to, subscriber information, method of payment, types of devices connected and all in and out IP logging records.

B. Mandate that out-of-state subpoenas and warrants be recognized as valid legal documents.

C. Create a website rating system much like the one used by the motion picture industry so that parents can more easily block content.

D. Sponsor a national Internet Safety campaign through television and movie theaters.

E. Evaluate the Counterdrug Technology Assessment Center’s (CTAC) technology transfer program and model a similar program to support agencies combating Internet predators.

F. Recognize the FCC’s Second Report and Order and Memorandum Opinion and Order that addresses several issues regarding implementation of the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. The primary goal of the Order is to ensure that Law Enforcement Agencies have all of the resources that CALEA authorizes, particularly with regard to facilities-based broadband Internet Service Providers and interconnected voice over Internet Protocol (VOIP) providers.  Although the VOIP issue has now been addressed, other packet based services such as instant messaging, picture messaging and a host of other Internet based communication services have been excluded from CALEA standards.  This needs to be corrected.

G. Endorse, support and promote the expansion and implementation of Internet Protocol version 6 (IPv6) which will allow ISPs the ability to give every internet accessible device its own unique static IP address and eliminate the nightmare of dynamic IP addressing issues.  The United States Government has specified that the network backbones of all federal agencies must deploy IPv6 by 2008.

IV. Conclusion
With the proper resources, states can and will do much more to continue the fight against Internet predators.  We remain committed to maintaining existing operations without minimization and are honored to be a partner in the fight against Internet child victimization.

SUMMARY OF TESTIMONY
Lieutenant Anthony W. Ritter
Assistant Bureau Chief
Computer Crimes and High Technology Surveillance Bureau
New Jersey State Police

Before the
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
of the COMMITTEE ON ENERGY AND COMMERCE
United States House of Representatives

July 10, 2006

1. Introduction
a. 22 years law enforcement experience
b. Oversees operation of the New Jersey Internet Crimes Against Children Task Force

2. Challenges

a. Data Retention
1) Need to establish standards for data retention
2) Should apply to all methods of communication services

b. Quality of Service
1) Need for industry wide standards for return of information to law enforcement

c. Costs
1) Costs for intercept of data may prove prohibitive

d. Personnel
1) There is a serious lack of skilled investigators

e. Tools
1) Development of additional investigative technology tools is needed

3. Solutions
1) Increase ISP record retention without limitations
2) Recognition of out-of-state subpoenas and warrants
3) Institute a website rating system
4) Sponsor a national Internet Safety campaign
5) Empower technology transfer programs to provide needed tools
6) Expand CALEA to fully support all IP based communication services
7) Support rapid deployment of IPv6

 

June 25, 2007

Two More Illegal Investment Websites Blocked By SC

From Bernama.com. Malaysian National News Agency.  06/22/07.

KUALA LUMPUR, June 22 (Bernama) -- The Securities Commission (SC) has blocked access to another two websites, namely www.danafutures.com and www.planet.time.net.my/KLCC/danafutures offering illegal investment schemes.

The action was taken together with the Malaysian Communications and Multimedia Commission and CyberSecurity Malaysia, it said.

In a statement, SC said with this latest exercise, it has blocked a total of eight websites since it started the operation last month.

"This exercise to block access to illegal investment websites is an ongoing process, with further websites to be blocked in the future as the SC continues its investigations," it said.

The SC will take all measures to combat investment scams including taking appropriate enforcement action against operators and agents of illegal investment websites, it added.

Retrieved June 23, 2007 from http://www.bernama.com.my/bernama/v3/news_business.php?id=269015

June 16, 2007

Illinois - Hackers Blamed for Data Breach That Compromised 300,000

Courtesy of Information Week. 06/05/07

The FBI's investigation into a data breach that compromised sensitive information on 300,000 people in Illinois is pointing to an outside hacker.

A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan Hofer, spokeswoman for the department, said in an interview that about a quarter of the stored information was compromised.

The server, according to Hofer, held sensitive information -- names, addresses, Social Security numbers -- on people who hold or have applied for loan origination licenses or for real estate broker and agent licenses. The server also was being used to test new software.

The FBI and the Illinois State Police are investigating.

She added that the breach appears to have happened in January, though it wasn't discovered until May 3. The department then contacted the FBI, which asked them to hold off on releasing any information about the breach until they could launch the investigation. Hofer said when they received the OK from the FBI on May 17, the department began sending out letters to those affected.

People who think they may have been impacted by the breach and identity theft should check their credit card statements for suspicious activity, the department said. The state's Web site also suggests contacting the credit reporting bureaus and filing a police department report if appropriate.

Retrieved June 16, 2007 from http://www.darkreading.com/document.asp?doc_id=125714

Australia - Investors fall prey to $1.5m scam

From news.com.au. Article from: AAP. 06/15/07.

A syndicate of Australian investors has been defrauded of more than $1.5 million in a variation of the Nigerian money transfer scam, Queensland computer crime police say.

The computer crime investigation unit has warned that the confidence tricksters have spread from Nigeria into other African nations and into Europe.

The scam typically involves requests for money over the internet to pay fees or bribes to facilitate moving huge amounts of cash out of a troubled country, in return for a large cut.

Police said Queensland resident Steven Baker was lured into handing over cash after he was contacted by a friend who had been approached by someone claiming to be a Liberian solicitor.

Mr Baker told police he made the payments to help his friend to gain an inheritance of $US17 million ($20.38 million) from the estate of a relative who had recently died in the country.

After paying a string of supposed fees and taxes, Mr Baker even went to Spain to meet his contact and was shown a case of US currency that was claimed to be the inheritance, police said.

“These fraudsters have links worldwide and it is not unusual to see Australian victims involved in Nigerian-styled scams being operated out of European countries such as Spain,” Detective Acting Superintendent Brian Hay of the Fraud and Corporate Crime Group said.

“We see that victims are induced to believe that they are to receive a large sum of money after the payment of several fees.

“However, their dreams end up becoming a nightmare as the fees and charges continue until the victim is financially destitute.”

Queensland Police will hold a press conference tomorrow at 9am (AEST) with Mr Baker at their Brisbane headquarters.

Retrieved June 16, 2007 from http://www.news.com.au/story/0,23599,21914862-1702,00.html

June 14, 2007

Data loss, data theft and identification theft

Here is a link to an interesting web site with information and links about data theft, identification theft incidents and data loss.

http://attrition.org/dataloss/

FBI To Contact PC Owners Whose Computers Are Involved in Botnet Cyber Crime

From Southern Maryland Online. 06/13/07

The FBI estimates Over 1 Million Potential Victims of Botnet Cyber Crime.
Victims May Not Be Blameless Since Their Computers Were Likely Misappropriated Due To Poor Computer Security Habits.

WASHINGTON - Today the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle botherders and elevate the public's cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity. A botnet is a collection of compromised computers under the remote command and control of a criminal botherder.

Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy. "The majority of victims are not even aware that their computer has been compromised or their personal information exploited," said FBI Assistant Director for the Cyber Division James Finch. An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.

The FBI also acknowledged industry partners, such as the Microsoft Corporation and the Botnet Task Force, in referring criminal botnet activity to law enforcement. Cyber security tips include updating anti-virus software, installing a firewall, using strong passwords, and practicing good email and web security practices. Although this will not necessarily identify or remove a botnet currently on the system, this can help to prevent future botnet attacks. The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov.

To date, the following subjects have been charged or arrested in this operation with computer fraud and abuse in violation of Title 18 USC 1030, including:

* James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);

* Jason Michael Downey of Covington, Kentucky, is charged with an Information with using botnets to send a high volume of traffic to intended recipients to cause damage by impairing the availability of such systems. (FBI Detroit); and

* Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet network and spammed tens of millions of unsolicited email messages to advertise his website from which he offered services and products. (FBI Seattle)

The FBI says they will continue to aggressively investigate individuals that conduct cyber criminal acts.

Retrieved June 14, 2007 from http://somd.com/news/headlines/2007/6020.shtml

June 13, 2007

Cyber criminals get visual on YouTube

From Siliconrepublic.com. By John Kennedy. 06/13/07

Web users are being warned that hackers are using a new crimeware technique that attempts to dupe users into viewing a YouTube video masquerading as a Trojan horse. In what is an ironic twist on the current situation that sees music companies and sports TV firms suing YouTube for allegedly distributing stolen content, users who download the mysterious file end up seeing their own information being stolen.

According to Internet security firm Websense, users who stumble onto the YouTube decoy end up downloading a Trojan horse. A file called YouTube04567 is then downloaded onto a user’s PC. The payload code is a Trojan horse designed to grab information from the user’s PC. It then uploads any sensitive information from the user’s PC to an undisclosed remote location.

Websense says that although it has captured this code on the web it is highly likely that there are still email and instant message lures for this URL still lingering on the web.

The company has created a simple video of the code in action and, for ironic value, posted it on YouTube at http://www.youtube.com/watch?v=pzKmzO_Xq3k

Retrieved June 13, 2007 from http://www.siliconrepublic.com/print/index.html

June 11, 2007

Protect your bank and credit card information from theft and scams

06/11/07. The Kentucky Post (online). By Alice Haymond. Post staff reporter

Scam artists are targeting small banks and their customers, including Boone County's Heritage Bank, by sending seemingly legitimate e-mails requesting account information. The e-mails are phishing attacks, a rising problem on the Internet, said Major Jack Prindle of the Boone County Sheriff Department.

The people behind it create a copy of a banking institution's Web site and send out e-mails alerting the recipients to a problem with their accounts and a link to the fraudulent site, said Prindle, commander of the sheriff's Electronic Crime Division. "People will log in and provide account information, which can be used in a variety of fraud schemes," Prindle said.

After securing a pin number, for example, the scammer can then create a duplicate card and use it in ATMs to access money in the account. Heritage Bank Vice President Lee McNeely said people who've received such e-mails have called him from across the nation. Most are not customers of the bank, he said. He doesn't know of any customers who have been scammed and encourages anyone who receives such an e-mail to delete it. "There's not much we can do at this end other than alert our customers to the problem," McNeely said. "Initially we try to get copies of the e-mails and turn them over to the Federal Deposit Insurance Corp. and they try to get the sites shut down."
New sites, however, inevitably pop up soon afterward, he said.

Although that type of Internet crime is international, local banks like Heritage are ideal targets because they don't have the Web site security that larger banks do, Prindle said. There are national organizations that deal with such scams, the Internet Crime Complaint Center and the United States Emergency Readiness Team, through which e-mail recipients can find information on phishing and send complaints. "We gather as much evidence as we can, work with authorities and share information so these perpetrators can be prosecuted and we can put an end to these types of crimes," Prindle said. "If we don't, it will get even more out of hand than it already is."

Anyone with information or concerns about the scams should call the sheriff's office at (859) 371-1234.

Retrieved June 11, 2007 from http://news.kypost.com/apps/pbcs.dll/article?AID=/20070609/NEWS02/706090334/1014&template=printpicart

Avoid Online Travel Auction Anguish

They can yield good deals, but make sure you read the fine print

Detroit Free Press (online). 06/10/07, By Ellen Creager, Free Press Travel Writer

Long Beach, Calif. - The grungy hotel room was reeking of smoke. The bathtub was rusty. The bedspread and furnishings were dingy relics. But I couldn't leave. I'd already paid $155 in an online travel auction for the Queen Mary Hotel room -- $91 for the room, $20 commission, $24 in taxes and $20 to upgrade to a room with a window. I'd taken a risk. And lost.

Online travel auctions promise fabulous bargains on vacations, hotels and airfare to glamorous places, playing on travelers' desires to get a steal of a deal. Sometimes they work out wonderfully. Sometimes they don't. "Since the beginning of man, people have always wanted more for less," says Greg Donewar, manager of the federal Internet Crime Complaint Center in Fairmont, W.Va. "If it sounds too good to be true, beware." Ah, the old caveat emptor.

What's the catch?
Travel auction sites come in two flavors -- nonprofit and for-profit. Some sites charge buyers commission. Some are actually travel agencies or consolidators. Others, like eBay's travel section, simply provide online auction space. Some sell last-minute unsold or even distressed products, while others specialize in high-end trips. A few are altruistic, donating your purchase price to charity.
But travel auctions, like other online auctions, are all about getting delivery of the exact product promised.

Your biggest risk in a travel auction is failing to read the fine print -- blackout dates, commissions, fees, surcharges, taxes or other catches that can boost the price or lower the value of your winning bid. Every year, complaints about online auctions top the list of reports to the Internet Crime Complaint Center, which is run by FBI and the federal White Collar Crime Task Force. In 2006, 2,600 Michiganders were victims of auction fraud (travel auctions are not broken out as a separate category), center data show.

One good piece of news? Complaints about auction fraud are slowly dropping, Donewar says. That indicates that sites are stricter and consumers are smarter.
At least, most consumers are.

Price of ignorance
In my case, I registered on www.SkyAuction.com, then looked for an interesting California hotel, settling on a room at the historic, retired Queen Mary cruise ship. I bid $12 to start for a room, then went up to $14, $30, $45 and $91. I got a message the next day telling me I'd won. Then I paid $20 to upgrade from an inside stateroom (no window) to an outside stateroom (porthole window), and the $20 commission to SkyAuction. I requested lodging dates. My credit card was charged. The reservation was non-refundable and non-changeable. (I never checked the hotel's own rates. If I had, I would have found that its own Web site offered better rooms for as low as $99 a night plus tax.) I'm not picky, but when I got to room A-028 at the Queen Mary, I almost cried. It was appalling. I returned to the front desk and requested something less smoky and dingy. The clerk gave me a slightly larger, non-smoking room. It, like the rest of the 350-room hotel ship, was direly in need of renovation, but at least it wasn't uninhabitable. But I couldn't understand why the hotel was in such bad shape. Later, when I returned to Detroit, I found out why. The Queen Mary is bankrupt. In fact, it has been in bankruptcy proceedings for two years. Its operators owe millions to the city of Long Beach, so they're not exactly going to be springing for new stuff on the ship. Ironically, the lease to run the place is being auctioned off this summer. The hotel gets a low grade of D from the Better Business Bureau because of complaints. Still, SkyAuction features the Queen Mary Hotel every week on its online auctions. Its ad says, "Guests slumber in elegant Art-Deco staterooms."

Seller's rules
SkyAuction's president Michael Hering points out that many travel sites like Expedia and Orbitz sell rooms at the Queen Mary, too. If buyers don't do their homework or read the fine print, they have nothing to complain about, he says.
SkyAuction is the only travel auction site with an unsatisfactory rating by the Better Business Bureau, based on a pattern of complaints.
"But if you look at it, we have had only 16 complaints in the last 12 months, which is minimal out of 150,000 passengers per year," Hering says. "There are always going to be complaints when you talk about travel, because it's subjective. People don't read our terms and conditions.
"It says on our site, all auctions are not changeable or refundable. We don't give refunds. We don't guarantee that every date will be available. On airline seats, we don't guarantee every class of service."
People want both a fabulous auction deal and total flexibility, he says, but that's not realistic.

Auctioning travel

Here are the main travel auction sites. If you're smart, you may find good deals:
• Luxury Link (www.luxurylink.com) is a for-profit Los Angeles-based travel agency that negotiates with high-end providers. Its Web site clearly states the retail value of the offer, lowest bid and any fees or taxes. It charges buyers a $20 commission -- not much for a $10,000 trip, but a lot if you're trying to score a $79 hotel room.
Named to multiple "best of the Web" lists, Luxury Link has a satisfactory record with the Better Business Bureau.
A typical offer: Lodging at a Tuscan castle in Italy that sleeps 20. The minimum bid for seven nights' lodging is $10,699 -- plus taxes, staff pay and cleaning fees of about $4,600. Retail value of the trip? $23,800.
• eBay (www.ebay.com/travel), based in San Jose, Calif., fights fraud by limiting who can sell travel on its site, said spokeswoman Kim Rubey. Vacation packages, cruises, airline tickets and trips must be sold by licensed travel agents or businesses that own travel property (an airline or hotel, for example).
Individuals are limited to selling travel vouchers or travel gift certificates and even then, they can sell only one per month. Also, the voucher must be transferable and cannot be travel club memberships or "travel choice" certificates. Under certain circumstances individuals may list a timeshare they own for rent.
EBay has a satisfactory record with the Better Business Bureau.
A typical offer: A 2-night package at Embassy Suites Niagara Falls June 10-12, with a 2-room suite, whirlpool and view of the falls. Starting bid? $350, a good deal. The same package is $416 on the hotel's Web site. Embassy Suites itself is the seller.
• SkyAuction (www.skyauction.com) is a New York-based travel site that auctions hotel rooms, trips, airline tickets and more.
In business since 1999, it charges a $20 commission to buyers. It started off concentrating on airfare auctions but now offers a wide assortment of travel. It is popular with travel auction fans. A typical offer: One night at the Westin Copley Place Hotel in Boston, blackout dates apply, for $200. It could be a good deal; summer rates at the Copley run from $179 to $329 per night, depending on the date.
• Generous Adventures Travel Auctions (www.generousadventures.com) is a nonprofit based in Homer, Alaska. When you buy a trip, the company donates 100% of profits (about 45% of income) to charities.
Described by Frommer's travel guides as eco-friendly and "one of the good guys," it is the only all-travel online benefit auction. It auctions everything from kayak trips to backpacking adventures to vacations abroad. The site is not rated by the Better Business Bureau.
A typical offer: Three-day guided trek for two at Yosemite National Park, worth $1,100; high bid was $425 midway through the auction.
• Bidding For Good (www.biddingforgood.com), based in Cambridge, Mass., is a site used by many nonprofit groups to auction off trips, airline vouchers and vacations (as well as other items) that have been donated to the groups to raise money. The site is owned by cMarket, which has a satisfactory record with the Better Business Bureau.
A typical offer: Two round-trip ticket vouchers on Northwest Airlines for travel in the U.S. lower 48, offered by Hillel of Metro Detroit. The vouchers sold for $673, raising money for the Jewish nonprofit (and also possibly giving a deal for the buyer, depending on destination).
Hillel paid the site a $450 fee to run the auction, plus a 7% commission on items sold. The group made $10,000 to $15,000 on the auction, says Sheri Ginis, Hillel's director. "Overall, it was incredibly positive," she says.
And that's what you want with your online travel auction experience as a buyer, too -- something incredibly positive.

Contact ELLEN CREAGER at 313-222-6498 or ecreager@freepress.com.
Retrieved June 11, 2007 from http://www.freep.com/apps/pbcs.dll/article?AID=/20070610/FEATURES07/706100515&template=printart

June 06, 2007

Illinois Man Charged With Leaking TV Show Via The Internet

From the U.S. Department of Justice

A Chicago man was named today in a federal criminal complaint that alleges he uploaded the first four episodes of this season’s "24" earlier this year before they were originally aired on the Fox television network.

Jorge Romero, 24, is accused of uploading the first two episodes of this season’s "24" to the LiveDigital.com website on January 6 – eight days before it was broadcast on Fox. Romero is accused of uploading the second two episodes of "24" to the same website on January 7, the same day that he allegedly posted links to the uploads on other websites, which made it easier for people interested in seeing the unauthorized episodes to find them. Fox broadcast the first four episodes of "24" on January 14 and 15, and subsequently released the four-episode season premiere on DVD.

According to the affidavit in support of the criminal complaint, Fox discovered the illegal uploads on LiveDigital.com on January 8. On April 4, special agents with the Federal Bureau of Investigation interviewed Romero, who admitted that he had obtained the pirated copies from another website, that he uploaded the episodes of "24" to LiveDigital.com prior to them being aired by Fox, and that he put links to the uploads on another website.

Romero is charged in the criminal complaint with uploading copyrighted material to a publicly accessible computer network knowing the work was intended for commercial distribution, a felony that carries a statutory maximum sentence of three years in federal prison.

A criminal complaint contains allegations that a defendant has committed a crime. Every defendant is presumed to be innocent until proven guilty in court.

This case is the result of an investigation by the Federal Bureau of Investigation.

Retrieved June 5, 2007 from http://losangeles.fbi.gov/dojpressrel/pressrel07/la060107usa.htm

June 03, 2007

Feds Arrest 'Spam King' on Nine Charges

By Sharon Gaudin. Information Week. 06/01/07

The man the feds have dubbed the "Spam King" was arrested this week on charges of identity theft, fraud, and money laundering.

Robert Alan Soloway, 27, the owner of Newport Internet Marketing Corp. of Seattle, is looking at five counts of identity theft, mail fraud, wire fraud, fraud in connection with electronic mail, and money laundering. If convicted on all the charges, he could face up to 75 years in prison.

"Spam is a scourge of the Internet, and Robert Soloway is one of its most prolific practitioners," said Jeffrey C. Sullivan, U.S. attorney for the Western District of Washington, in a written statement. "Our investigators dubbed him the 'Spam King' because he is responsible for millions of spam e-mails."

Soloway is a major player in the spammer community. He first appeared in the Spamhaus Block List in 2001, according to an announcement on the spam fighter's site. In 2003, he even made the Spamhaus "worst of the worst" list of criminal spammers. In its announcement, Spamhaus called Soloway a "long-term nuisance on the Internet."

"This is huge," said Dmitri Alperovitch, a principal research scientist for Secure Computing, in an interview. "For the law enforcement community looking at this as the first federal prosecution under the Can-Spam Act, it is significant."

The prosecutor's office was quick to note that it expects to see a drop in spam because of Soloway's arrest.

And spam numbers have dropped in the past two days, according to Craig Sprosts, manager of the analysis group at IronPort Systems -- but maybe not as much as some were expecting.

Sprosts said in an interview that in the last few days the amount of spam has dropped 8%, which is equal to 6 billion messages. The issue, though, is that the numbers dropped from 80 billion to 74 billion, leaving levels not so far below their historic level of 80 billion.

"If you take one of these people down, there will be another one to take his place," said Rand Wacker, a senior product manager with IronPort. "Taking down one guy may have a single-digit impact, but it won't be all that noticeable."

According to the indictment, between November 2003 and May 2007, Soloway operated Newport Internet Marketing, which offered a "broadcast e-mail" software product and services. The government contends that these products and services constituted spam that was relayed using a network of proxy computers or botnets.

The government also said in the indictment that Soloway made a number of false and fraudulent claims about the products and services on his Web site, including a claim that the e-mail addresses used for the product and services were "opt-in" addresses. The Web site also promised a satisfaction guarantee with a full refund to customers who purchased the broadcast e-mail product. However, the indictment alleges that customers who later complained or asked for refunds were threatened with additional financial charges and referred to a collection agency.

The government also contends that Soloway spammed tens of millions of e-mail messages to advertise his Web site. And he constantly moved the Web site, which prosecutors said was hosted on at least 50 domains.

Prosecutors also said that in at least one instance Soloway used another person's credit card to pay for the domain name that hosted his Web site.

Soloway also is being accused of using the e-mail addresses and domain names of unsuspecting people to send out waves of spam, causing the victims' legitimate addresses to be blacklisted as spam sources. The government contends that Soloway refused to remove e-mail addresses from his distribution lists, leaving some victims with no choice but to close their e-mail accounts or cancel established domain names to stop the spamming. Prosecutors say he has been the subject of hundreds of complaints to the Federal Trade Commission, the Better Business Bureau, and the Washington State Attorney General's Office.

While some in the industry say fighting the spammers is a losing battle since many of them are outside of the United States and outside of the fed's reach, Alperovitch said it's a big deal for the government to arrest someone who has consistently appeared on Spamhaus' Top 10 spammers list. "If you look at the Top 10 list, several of them are from the U.S. and those who aren't frequently travel to the U.S. so you can nab them then. There's lots of ways to get these guys in orange jumpsuits. ... It's not so easy to send spam from jail."

Retrieved June 3, 2007 from http://www.darkreading.com/document.asp?doc_id=125396

IT staff snoop on personal data

By Brian Amble. 05/31/07. From Management-Issues.com

If you're not worried about the security of personal data being demanded from you by a growing army of companies and official bodies, perhaps you ought to be. Because a new survey has found that almost a third of IT staff abuse their trusted positions to snoop on the confidential information held on their company's computer systems.

A survey conducted by Cyber-Ark Software at last month's Infosecurity Exhibition Europe revealed that one in three IT staff admit to snooping through company systems and peeking at confidential information such as private files, wage data, personal emails, and HR data.

One IT Administrator laughed out loud as he answered the survey, saying: "Why does it surprise you that so many of us snoop around your files, wouldn't you if you had secret access to anything you can get your hands on!"

As if that weren't bad enough, more than a third of IT professionals also admit that lax network security meant that they were confident they would still be able to access their company's network if they left their current job.

What's more, more than a quarter said they knew of another IT staff member who still had access to networks even though they'd left the company long ago.

The research is the latest to highlight that human failings and shoddy security are the "weakest link" in the data security chain. And it comes just months after research by privacy research group, the Ponemon Institute, revealed that a third of executives don't trust their own companies with private or sensitive information and don't think that most of their business partners are trustworthy, either.

According to Cyber-Ark, a large part of this security shambles is caused by the mismanagement of passwords.

One-fifth of all organisations admitted that they rarely changed their administrative passwords with seven per cent saying they never change administrative passwords – which may explain why so many people said they could still access their network even if they left the company.

Moreover, more than half of respondents said they wrote critical administrative passwords on sticky notes, while eight in 10 IT professionals just try to remember administrative passwords in their heads – which might explain why, as another IT professional said, "we just pick one password for all the systems and write it down."

"It's surprising to find out how rife snooping is in the workplace," said Calum Macleod, European director for Cyber-Ark.

"Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places.

"Companies need to wake up to the fact that if they don't introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife," he added.

Retrieved June 3, 2007 from http://www.management-issues.com/2007/5/31/research/it-staff-snoop-on-personal-data.asp

E-mail used to scam people into buying pedigree dogs

By Daniel Borunda / El Paso Times (online). 06/02/07

Lorenzo Fonseca of El Paso holds a 5-week-old Yorkshire terrier puppy, one that his family bred and is selling. Authorities are warning people that an e-mail scam from Africa is targeting pet lovers to buy pedigree dogs for low prices.

Jodie Buckingham's plan to get a Yorkshire terrier for her family by answering an Internet classified ad turned into a $200 loss in an international e-mail scam using puppies as bait.

"They post pictures of absolutely adorable puppies. They are so fluffy. Whoever these people are, they definitely are running a scam real well," Buckingham said.

Buckingham was the victim of a scam using online and print classified ads for Yorkshire terriers, English bulldogs and other popular breeds that was the topic of a warning issued this week by the American Kennel Club and the Council of Better Business Bureaus.

The phony ads have only an e-mail contact, typically from sites such as Yahoo! or Hotmail. The scammer may claim to be part of a religious group in a foreign country.

"They play on people's heartstrings. It's amazing how persistent some of these folks are," said Special Agent Andrea Simmons, a spokeswoman for the FBI office in El Paso. "They are very hard for law enforcement to catch because they often are in a foreign country. They move around. Sometimes they are organized crime entities."

Buckingham at first was hesitant because the sale was not in person, but it was a bargain price for an AKC-registered Yorkie puppy that needed a good home, a record of exchanged e-mails between Buckingham and a "Peter Brooks" showed.

"He said 'Oh, we are missionaries loving Christ. We are in Nigeria.' That is the hook. (I thought) 'Oh, somebody who is religious, they wouldn't scam you.' Oh, yes they do," Buckingham said.

The scam occurred about two months ago, while Buckingham lived in El Paso with her children while her husband, who was in the military, was away in Korea. The family recently moved to Alaska.

After several e-mail exchanges, including photos of the supposed dog, Buckingham wired $200 to Nigeria to pay for the pet's air shipping. Brooks asked for an additional $400 to pay for a problem at customs. "At that point, I started doing research ... I got so angry, so bitter, so hurt," Buckingham said.

"Nobody can replace the $200 I lost. I'm glad I learned a lesson, but I absolutely hate anybody else would be scammed like this. There are gullible fools like me. People don't realize if you are sending money to a foreign country, you are screwed," Buckingham said.

Buckingham filed a report with the federal Internet Crime Complaint Center (www.ic3.gov).

She eventually bought two pups, this time in person.

Buckingham said she first saw the phony online classified ad linked to the El Paso Times Web site, but cases have been reported from Arizona to New York. The ads, which have similar wording in a stilted English, are placed through the Internet.

"We do what we can to remove ads that are obviously fraudulent. But considering the hundreds of thousands of (classified) ads that run in our newspaper, occasionally a fraudulent ad that appears legitimate runs in our publications," El Paso Times Classified Advertising Manager Jim Weddell said.

Detective Robert Hanner of the El Paso police White Collar Crime Unit said it is unknown how many puppy-scam victims are in the city. "People who realize they are victims are ashamed about being victimized. I believe there are a lot more cases of Internet scams than are reported," Hanner said.

Investigators said the basic rule is that if a deal appears too good to be true, it probably is a fraud. The FBI also cautioned that U.S. law enforcement does not have jurisdiction in other countries.

The American Kennel Club advised buyers to take their time and educate themselves.

East Side resident Claudia Patrie, who owns and has sold Yorkie pups, said she was not surprised by the lure of the tiny dog. "It's a really small breed. They are high maintenance. People are getting them. They are really cute," she said.

Daniel Borunda may be reached at dborunda@elpasotimes.com; 546-6102.

Retrieved June 3, 2007 from http://www.elpasotimes.com/ci_6043462

May 29, 2007

Big firms aren't only ones hit by system hackers

Inadequately protecting sensitive information can invite intruders.
By Alana Semuels, L.A. Times Staff Writer, 05/22/07

COMBING through the guts of the website for the Los Angeles County Community Development Commission, an information technology worker for the agency came across an intruder. Someone with an Internet provider address in Germany had broken in and looked at private information normally accessible only to commission employees.

The worker immediately shut the system down.

"The intruder was poking around and came in through the outside of our network," said Richard Peters, the agency's information technology manager. "They were probably looking for confidential data."

Small organizations often think they are less of a target for hacking than large companies. But small businesses are often targeted by hackers who know that their security procedures might not be as technologically advanced as those of a bigger business with more resources.

"It can happen to anyone who has or collects people's information," said Melanie Bedwell, information officer for the California Office of Privacy Protection. "You don't have to be a major corporation to have issues come up."

After shutting down its website, the commission launched a probe to see what was compromised. It determined that the hacker had not reached confidential information, such as the names, Social Security numbers and dates of birth of 4,800 public-housing residents.

A systems upgrade recommended by a security consultant in 2005, a year before the hacking incident, increased security just enough to foil the intruder, Peters said.

The security update had separated the servers, preventing the hacker from accessing the next level of the network, he said. The agency, which has 650 employees and a tech staff of 30, had learned an important lesson: "The most important thing is to have a security review by an outside auditor," Peters said.

The commission is one of many U.S. organizations whose security has been breached in the last year. Most businesses, however, have not emerged as unscathed as the agency.

Big organizations including Bank of America Corp., UCLA and TJX Cos., the parent of the T.J. Maxx and Marshalls clothing chains, have fallen victim to hackers in recent months, according to the Privacy Rights Clearinghouse. More than 150 million records containing sensitive personal information have been involved in security breaches nationwide since 2005.

Smart security practices are not just important to protect customers' information; they are required by California law, Bedwell said.

The state requires that any business that collects and stores personally identifiable information, which includes a combination of a name and another data set such as a Social Security number, address or driver's license number, put "reasonable" security practices into place, she said. This might include having the latest security software, such as anti-spyware and anti-virus products, and making sure the information is encrypted.

There are several steps companies should take to protect information from outside hackers and unauthorized employees, said Barry Mozian, president of Fountain Valley security company Talon Executive Services Inc.

Business owners should create passwords made up of words not in the dictionary and change them frequently, even if it is a hassle to do so, Mozian said.

They should also install anti-virus and anti-spam software and intrusion detection systems that alert companies to any changes to a network.

Many small businesses skip these steps because they think they won't be targeted, said Ira Winkler, author of the book "Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day" (Wiley, 2005). But information is often stolen in surprising ways — such as an employee or friend who "borrows" a company's client list and uses it to start a business.

Businesses of any size — including a lawn-mowing company that uses a computer sporadically and a healthcare provider that has thousands of private medical records online — can benefit from hiring an outside security consultant.

Vendors such as Santa Clara, Calif.-based McAfee Inc. can help provide security services around the clock to businesses that are too small to have their own technology security staff, said Lillian Wai, McAfee's senior product marketing manager for small businesses.

Even with the latest technology and protection from outside hackers, small businesses often fall victim to hacking from the inside. More than 70% of all acts of malfeasance that affect small businesses can be attributed to an internal problem, Talon's Mozian said. Small-business owners should restrict internal access to important information, he said, and do background checks before hiring any employee.

Carey Boyarsky learned this the hard way. The Modesto resident ran a beverage supply company called Classic Beverage Inc. Overburdened with work, he hired an extra employee who he hoped would one day become a business partner. The man, who used to sell Boyarsky paper products, took control of processing payments.

Boyarsky later suspected that the employee had been issuing checks to himself and his family, allegedly making false computer entries that the money went to a vendor while channeling the funds to his own bank account. Boyarsky was forced to declare bankruptcy and still has not recouped any of the $60,000 allegedly stolen from him.

Boyarsky says he should have paid closer attention to business matters and potential discrepancies between the computer entries and his checkbook.

"I should have personally overlooked things, but I was tired and I wanted some help," he said. "Besides, I trust people."

Good management plays a large role in preventing security breaches, said Stan Stahl, president of Citadel Information Group Inc. and the Los Angeles chapter of the Information Systems Security Assn. Often, company leaders don't know what security steps are needed and ignore system needs.

"Management must be proactive and work to change the culture so that people are aware," he said. This includes outlining procedures so that employees won't damage the system inadvertently. It also includes protecting the network from malicious insiders.

"We didn't use to have to lock our doors at night, and now we have to," Stahl said. "It's the same thing when it comes to protecting our sensitive information."

alana.semuels@latimes.com

Retrieved May 29, 2007 from http://www.latimes.com/technology/la-fi-smallbiztech22may22,1,821195.story?coll=la-headlines-technology&ctrack=2&cset=true

May 27, 2007

Waco, Texas - Teen hacks school computer system

05/25/07. By David Doerr. Tribune-Herald staff writer

Sean Erickson, a 17-year-old high school student under investigation by Waco school officials for accessing sensitive information on a district computer system, says he’s not the malicious hacker some might assume. To paraphrase the tag line from the movie Hackers, the poster for which hangs in his bedroom: His crime was curiosity, he says. And he disputes Waco Independent School District officials’ claim that he “acquired unauthorized access” to one of the district’s servers, saying they left it wide-open for anyone to enter. “The door was unlocked, it was open and you had your giant plasma screen TV sitting there for anybody,” he said.

In this case, the potential loot for any would-be criminals was confidential information such as Social Security numbers, which can be misused to conduct financial misdeeds.

On Wednesday, Waco ISD officials disclosed that they were investigating whether sensitive student and staff personal information was compromised when two high school seniors allegedly used software on their personal computers to gain unauthorized access to a portion of one of the district’s servers. On Thursday, officials said the students attended A.J. Moore Academy, the district’s magnet school specializing in career and technology education.

Erickson, a senior set to graduate on Saturday, says he was simply pursuing the hobby he hopes to turn into a career — testing computer network security. “I was just looking at some of the servers they had,” Erickson told the Tribune-Herald. “I thought they would have it pretty well secure. It never hurts to try something. I just came across one that didn’t have a password or user name (protection). It didn’t ask me for anything.” Once inside the server, Erickson said he found names, addresses and Social Security numbers for students and district employees. He said he looked up his information, that of his younger brother and of his friend, a fellow computer-savvy A.J. Moore senior also caught up in the investigation.

Erickson said his friend, who he declined to name, “freaked out” when he told him about the unprotected information on the district’s server. He said his friend, who he has known since elementary school, told him he should probably tell school officials about the problem but worried that Erickson would be kicked out of school if he did.

Sgt. Ryan Holt of the Waco Police Department, which is not involved in the investigation, said knowingly accessing a computer network without the owner’s permission would constitute “breach of computer security,” a Class B misdemeanor. However, it was unclear Thursday night if the charge applied to servers that are left unsecured.

Erickson said he did not download any information from the Waco ISD server.

The event in question occurred in December, Erickson said, but Waco ISD officials were not made aware until two weeks ago, when Erickson found himself in the middle of another controversy at school involving other students testing their network wizardry. Erickson said he had shown his friends an “exploit” on the computer network at A.J. Moore Academy that allowed them to install software enabling them to take control over computers remotely. When one of his classmates tried the trick on a computer where a teacher was updating her digital grade book, the students found themselves in trouble, he said. Erickson said he intended to tell school officials about the unprotected server after he graduated, so they couldn’t punish him. But when school officials began investigating the remote-controlled computers incident, he knew their attention would turn to him because he had shown his friends how to do it.

‘I might as well tell them’

“I figured if they were going to kick me out about that, I might as well tell them about the unprotected site so they could fix it,” he said.

Erickson said he told A.J. Moore principal Debra Bishop about the computer server with the unprotected Social Security numbers on May 11, when he was called in for questioning about the other incident. Since then he says he has cooperated with the investigation by handing over the laptop he used to access the server to district officials and answering their questions.

The friend he told about the unprotected server back in December refused to hand over his personal computer and district officials seized it with a search warrant, Erickson said.

Erickson said his friend is a “good kid” and doubted he was involved in any malicious activity. He said he didn’t know whether his friend had downloaded any sensitive information.

Since the investigation began two weeks ago, Erickson and his friend were suspended for three days, had their final exam exemptions revoked and their technology privileges removed. He and the “six or seven” kids involved in the remote-controlled computers incident had to take their finals under supervision, apart from the rest of the student body.

District officials plan to let Erickson and his friend participate in graduation activities on Saturday. No charges have been filed against the two, though they are still being investigated by Waco ISD police. Erickson said he “probably shouldn’t have messed with their network in the first place.” However, Waco ISD should have done more to protect its sensitive data, he said. In a statement issued Thursday, Waco ISD officials said they take the incident “very seriously” and are looking for ways to aggressively tighten network security.

The WISD statement blamed the security breach on “software that had been misconfigured by an outside vendor for use by child nutrition services.” Once the breach was discovered, Waco ISD computer technicians changed the software to prevent further “unauthorized access.”

The district is notifying parents about the security breach and informing them of ways to prevent the unauthorized use of personal information, according to the statement.

Erickson’s parents were present when he was interviewed by the Tribune-Herald Thursday evening. They declined to be identified for this article but vouched for their son’s integrity. His mother says he has been interested in computers since his grandfather gave him his first Packard Bell computer when he was in the fifth grade. Three days after he received it he took it apart so he could see how it worked, she said.

Erickson, who said he has earned the distinction as A.J. Moore’s Information Technology Student of the Year for the last three years, said he hopes the incident doesn’t get in the way of his college ambitions. He wants to pursue a degree in network security from Texas State Technical College.

ddoerr@wacotrib.com

Retrieved May 26, 2007 from http://www.wacotrib.com/news/content/news/stories/2007/05/25/05252007wacwisdhack.html

May 25, 2007

Dirty tricks

Six dirty tricks to be aware of

Link to an interesting article by Tim Wilson about dirty computer tricks that business owners should be aware of. From www.darkreading.com

http://www.darkreading.com/document.asp?doc_id=113460

Protecting corporate data: An action plan

An action plan for protecting corporate data. Link to a nice article by Patricia Keefe

Action plan: Don't be a victim company

May 24, 2007

From www.darkreading.com

See: 

http://www.darkreading.com/doc