Defendant in Fraud, Identity-Theft Ring in N.Y., N.J. is Sentenced to Probation
A woman who was a minor player in a major identity theft and fraud ring has been sentenced to probation. Song-Ja Park is among 53 defendants in a case federal authorities say stretched from Korean communities in New York and New Jersey to U.S. territories in the Pacific. Park pleaded guilty to conspiracy and fraud charges and volunteered to return to her native Korea. She was sentenced last week in federal court in Newark. Read the full NJ.com story here.

Companies Pick and Choose Which Data Breaches to Report
One in 7 information technology companies have not reported data breaches or losses to outside government agencies, authorities or stockholders. In addition, only 3 out of 10 said they report all data breaches and losses suffered related to intellectual property, while 1 in 10 organizations will only report data breaches and losses that they are legally obliged to report, and no more. Six in 10 said they currently “pick and choose” the breaches and losses of sensitive data they decide to report, “depending on how they feel about them. Those were some of the key findings from a McAfee and Science Applications International Corp. (SAIC) survey that queried 1,000 technology managers in the U.S., United Kingdom, Japan, China, India, Brazil and the Middle East on questions about intellectual property and security. Read the full Network World story here.

DOD Revises Cyber Budget Upward By $1 Billion
Protecting the nation’s security networks from cyber bandits and hackers will cost $1 billion more than the Defense Department previously thought, bringing the total to $3.2 billion, writes Aliya Sternstein in Nextgov. The first request, announced in mid-February, included funding for department information assurance programs such as public-key infrastructure, digital certificates and projects such as the Comprehensive National Cybersecurity Initiative. Read the full Washington Technology story here.

DHS Seeks Cybersecurity Interns
For cybersecurity students who are attending or have just completed college and graduate school, the Department of Homeland Security has launched its first cybersecurity internship programs, aimed at hiring qualified IT security professionals. “We are looking to build a cybersecurity workforce from the ground up, rather than hire those already trained,” says Nicole Dean, Deputy Director of the National Cyber Security Division at DHS. “We are looking to hire the best and the brightest and provide them the opportunity to grow professionally.” Read the full GovInfoSecurity.com story here.

Cyber Attacks on Fed Networks up 40 Percent
Cyber attacks against the federal government increased almost 40 percent last year, according to government data. Federal agencies suffered 41,776 cyber attacks in 2010, up from 30,000 the previous year, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which is tasked with defending the dot-gov domain and sharing information with industry and local governments. The data is included in an annual report on federal cybersecurity efforts by the Office of Management Budget. Of the attacks reported last year, 12,864 — or 31 percent — were classified as malicious code. Another 11,336 (27 percent) are under investigation or labeled as “other.” Unauthorized access, denial of service, improper usage and scans probes and attempted access made up the remaining incidents. Read the full Federal Times article here.

Law Protects Hackers’ Ability To Screen DUI Checkpoints
Want to avoid DUI checkpoints? There are apps for that. And while lawmakers called on smart phone companies last week to ban the programs that could enable drunk drivers to steer clear of police traps, legal experts say the law protects hackers who install unapproved software onto their phones. So far Research in Motion, the company that makes Blackberry, is the only company that has complied with the request from four Democratic Senators. But even if companies were to ban all DUI dodging apps from their online store, customers would still have a legal right to bypass security software independently. Read the full ABC News story here.

If you are a high-profile person, you may want to change your Facebook password on a regular basis?  Why?  Well, a hacker recently took over French President Nicolas Sarkozy’s Facebook account and posted a fake announcement that he was abandoning plans to run for re-election.   And, now the wunderkind of the Internet, Mr. Mark Zuckerberg, just had has personal Facebook account hacked.

An unknown person who posted a status update suggesting that the site should let people invest in it rather than going to the banks.  Here’s the actual messge from the hacker:

“Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ’social business’ the way Nobel Prize winner Muhammad Yunus described it? What do you think? #hackercup2011.”

Invest in Facebook in a social way?  Hmmm…not a bad idea actually. And, this person is suggesting that we cut out the middle-man: banks.  What this is really all about is irony.  Mr. Zuckerberg has made a vast amount of wealth off of pilfering our private data for profit.  It is the core of Facebook’s business model.  What we say and post on Facebook provides deep insights into what motivates us — and is perfect information for advertisers (note the irony)!

So, Mr. Zuckerberg just experienced a breach of his privacy on Facebook.   Although it was not advertisers watching his every move who violated his privacy, it was a hacker offering an interesting investment idea.

Welcome to the Friday’s Food for Thought post from the ITAC blog.  There have been a number of stories this week that point to the simple fact that hackers are gaining traction, momentum and some would even say getting more powerful.

We recently wrote a post about a PandaLabs report that highlights how hackers are getting able to be more financially successful these days. And, as we all know, were there are dollars people will follow — even if that have a weaker morale code than the rest of us. On top of that, we also did a post about a report from Symantec that stated that cyber attack toolkits are becoming more accessible and easier to use, allowing criminals with little technical expertise to turn to cybercrime. As a result, the company believes that the incidence of cybercrime is set to increase with the proliferation of this pre-made hacking software that will be used by less sophisticated criminals.

And, finally hackers have broadened their reach beyond Windows and are focusing now on smart phones, tablet computers, and mobile platforms. Since many PC application vendors have been more aggressive in patching vulnerabilities and thus hackers have broadened into the mobile frontier as a means for making money.

So, let’s think about this. Hackers are making more money. There are new toolkits that make it easier to be a hacker, and now there are new mobile platforms for them to target. Sounds like a recipe for disaster. We imagine the new cycle will be flush with more stories like these, and many industry members will be stepping up to try to minimize the power that hackers are gaining.

It’s going to be an uphill battle and yes, the cyber war is raging on. Welcome all thoughts, comments and feedback.

In the classic fable Henny Penny, Chicken Little (a hare actually) is disturbed by falling fruit that he believes is the sky is falling, and that the earth is essentially coming to an end. This irrational hysteria whips all the other animals in the forest into raging stampede. Thankfully, a lion halts them, investigates the cause of the panic and restores calm. The ultimate point of this fable is to teach the necessity for deductive reasoning and subsequent investigation.

On the topic of cyberwars and cyber security, do we have too many Chicken Littles running around scaring up irrational fear? is a cyberwar eminent? According to a study released yesterday by the Organization for Economic Cooperation and Development, there are great exaggerations happening and a cyber attack would not create problems like global pandemics or financial crises.

So, who are these Chicken Little’s scaring up fear among government leaders, members of industry and even consumers? According to the NY Times, it’s books like “Cyber War: The Next Threat to National Security and What to Do About It” by Richard A. Clarke, the former U.S. counterterrorism chief, and Robert K. Knake of the Council on Foreign Relations that are doing the bidding:

This particular book describe a digital “Day After” in which large parts of the U.S. transportation, energy and communications systems have been wiped out by Internet-borne attackers, leaving the authorities struggling to maintain control and consumers scrambling for food.

Scrambling for food?  That does sound s bit extreme and it’s good that the Organization for Economic Cooperation and Development is injecting a dose of reality and rationality into our collective psyche. Does this mean though that we should be resting on our laurels and not worry about cyber warfare?   Our gut is telling us “no.”  And, thankfully the government is stepping up its cybersecurity efforts with the groundbreaking of a new cyber security center for the NSA.  The NSA is also enhancing its war for talent by developing a recruiting app.

So, yes, good to know that a cyber “Day After” will not happen.  However, we are not Switzerland and the U.S. will continue to be a target by nefarious hackers.  No cyber war happening, but there are plenty battles happening in the field these days.

Welcome all thoughts and feedback!

When Candrick was arrested in December 2009, she was living under the name of a person whose identity she had stolen and she used stolen personal identification information of others to pay for living expenses, vehicles and other items.

This was clearly an inside job. Joe Gottlieb, CEO of SenSage, told SC Magazine that cybercrimes involving insiders often are committed by employees who have access to sensitive data, and their company fails to perform any monitoring, he said. The case also is an example of the slow, steady increase in successful cybercrime prosecutions. He also said that “the 15-year sentence is substantial and thus helps establish the deterrent of real punishment that has generally been missing in the cybercrime world.”

15 year sentence = good. Rise in insider threats = not good. Beyond doing the standard background checks (via Human Resources), what can organizations do to prevent insider threats? Companies entrust their employees with very sensitive information. Certainly there is more that can be done. Welcome all thoughts comments and feedback.

Welcome to the Monday Morning News Kick Off post from the ITAC blog. It never ceases to amaze us at just how much identity theft, data breach and cyber security news is out there. Are you a young journalist looking to make it big in the news business? Go after the cyber security beat. It’ not going anywhere. Or you could start an identity theft-related blog (wink wink). Anyhow, once again, we have complied all the news you need. And as we said earlier, there’s plenty of it!

U.S. Studying Australian Internet Security Plan: Report
U.S. officials are reviewing a number of plans to help improve Internet security, including a plan by Australian authorities to limit Internet access for infected computers. The U.S. government is reviewing plans by Australia to allow Internet service providers to keep compromised computers off the Internet and alert customers if their computers are hijacked by attackers, according to media reports. White House Cybersecurity Coordinator Howard Schmidt reportedly told the Associated Press that the United States is studying a number of ways to help both businesses and the public protect themselves online. According to the AP, that includes the Australian plan, though U.S. officials are hesitant to advocate the part of the plan that allows ISPs to quarantine users who do not clean their infected machines. Read the full eWeek article here.

DoD, DHS Team on Cyber Security
The Department of Homeland Security and the Department of Defense authorized an agreement laying out some of the ways they will work together to fight cyber-threats. The Department of Defense and the Department of Homeland Security have agreed to work closer to fight threats to military and civilian computer systems and networks. The new memorandum of agreement was reached to coordinate and improve efforts to secure the country’s cyber-infrastructure, according to the document (PDF). “With this memorandum of agreement, effective immediately, we are building a new framework between our departments to enhance operational coordination and joint program planning,” Defense Secretary Robert Gates and Homeland Security Secretary Janet Napolitano said in a joint statement. “It formalizes processes in which we work together to protect our nation’s cyber networks and critical infrastructure, and increases the clarity and focus of our respective roles and responsibilities.” Read the full eWeek article here.

Identity Thieves: Crafty and Prolific
It’s everywhere you don’t want it to be. From skimming your debit card at a gas pump to phony financial e-mails hitting your cell phone or computer, identity theft is as crafty as it is continuous. More than 11 million of us fell victim to identity theft last year, according to an annual report by Javelin Strategy & Research. “It’s really the crime that won’t go away. It’s so insidious,” said Gail Cunningham, spokeswoman for the National Foundation for Credit Counseling, which launched national Protect Your Identity week today with the Council of Better Business Bureaus. Read the full Sacramento Bee article here.

Facebook Faces Suit Over Earlier Breach
A lawsuit moving through a California court alleges Facebook Inc. violated federal and California law and breached a contract with users when it sent data to advertisers that could identify users without their knowledge. The suit references a Wall Street Journal article in May that exposed Facebook’s practice of sending Facebook ID codes under some circumstances when users clicked on an ad. The codes can be used to look up individual profiles, which could include a person’s real name, age, hometown, or other details. Facebook has since discontinued the practice. More recently, the Journal’s Emily Steel and Geoffrey Fowler found that applications on Facebook also were sending such data to ad networks. Read the full WSJ blog post here.

Facebook ID Theft Leak Due to Farmville
Social network game developer, Zynga, who has achieved great success over the past few years with its highly popular free-to-play games, such as Farmville and Mafia Wars, is now smack bang in the centre of a Facebook identity-theft scandal. According to a Wall Street Journal investigation, personal information from millions of Facebook users using such applications has been leaked to at least 25 advertising companies, some of which have been selling details on. User who play the following Zynga games may be affected: FarmVille, Texas HoldEm, Café World, Mafia Wars, Treasure Isle and FrontierVille. Zynga has said that it doesn’t have any knowledge of how the identity leaks happened and a spokesperson for the company said it will be looking at ways to prevent it happening in the future. Read the full HEXUS post here.

Inside an Insider Crime
These are strange days indeed. When I first read the words bank fraud and identity theft in the headline of a press release from the Department of Justice, I thought, “Well, rack up another insider on charges.” We’re all aware that insider fraud is at an all-time high, with the Association of Certified Fraud Examiners (ACFE) saying total fraud losses are at $2.9 trillion. Financial institutions are especially vulnerable to damage caused by employee fraud, when monetary loss, reputation and customer confidence are all considered. Read the full BankInfoSecurity post here.

We have all gotten used to receiving the scam emails trying to bilk us out of money. Many of these faux emails are from relatives in dire need of money, but they are so poorly written, we know they are fake. Well, we came across a story of a woman who was the target of a cybercrime that went a bit deeper that the usual fake email scam.

Julie Burkhart-Haid of Hudson, NY, knew immediately that something was wrong when on the morning of Oct. 1 friends from all over the nation started to call her with concern. According to the Hudson Star Observer, a number of Julie’s friend had received a long e-mail message for her detailing the fact that they had taken an unexpected trip to Wales and had been robbed at gunpoint. The email from Julie also said that she was injured and nearly raped in front of her son (also identified) and Joseph was seriously injured and still being treated. It went on to say while they still had their passports, they needed $1,800 dollars to pay the hotel bill and buy return tickets.

While this type of cybercrime is not all that new, it does go a bit deeper. Cyber criminals can easily find out the names of our children, spouses and siblings via Facebook and the social networks. So, really, all it takes is someone hacking into a Hotmail or Yahoo! Mail account, drafting up a well-written/convincing email, then you are off to the races.

We all have gotten anesthetized to the poorly written emails that we receive from hackers. But now, they are taking it to the next level. And what does this mean? We need to be smart and vigilant. Don’t fall for this one.

Well, the egg-on-your-face situation has caused the U.S. Air Force to take some proactive PR measures that will help mitigate any reputational damage from this event, while also funding something that could be really great. The Air Force has awarded a $750,000 contract to Wombat Security Technologies for the creation of a “micro-game platform” that trains people not to fall for phishing schemes. Wombat is best known for anti-phishing training games with cartoon-like graphics and names like Anti-Phishing Phyllis, Anti-Phishing Phil, and PhishGuru.

We often say that good things can come out of bad PR situations. Will the Wombat ant-phishing game actually catch on and have an impact on the general public? Who knows. It can’t hurt, right?

Well, there is a new breed of identity thieves who take the idea of the high-life to the next step. Called “Creepers,” these are criminals that sneak into hundreds of offices and make off with checks, credit cards and personal information, which they turned into boatloads of cash. And, they take all this money and buy designer suits, watches and carry themselves with an “Oceans Eleven” swagger.

We came across this story of the ring leader of a “Creeper” ring who lived the jet-setting lifestyle, but ultimately got busted in Portland, Oregon. Antione L. Lawrence, was sentenced today to eight years in prison and ordered to pay his victims more than $600,000 in restitution.

The word is that Lawrence and his crew, from 2001 to 2007, traveled from Indianapolis to Maui, Hawaii, targeting the offices of doctors, dentists, lawyers, accountants and insurance agents because they were more likely to keep petty cash, corporate credit cards or prescription drugs on hand.

According to federal prosecutors, the team posted lookouts and communicated with two-way radios or prepaid cell phones. They picked locks or walked into offices at the end of work days, sometimes making off with master keys or employees’ key cards They often struck on Friday nights, which gave them time to cash stolen checks on Saturdays, when the businesses were closed.

Watch out…this new breed of identity thief is smart and organized.

Homeland Security to Test Iris Scanners
The Homeland Security Department plans to test futuristic iris scan technology that stores digital images of people’s eyes in a database and is considered a quicker alternative to fingerprints. The department will run a two-week test in October of commercially sold iris scanners at a Border Patrol station in McAllen, Texas, where they will be used on illegal immigrants, said Arun Vemury, program manager at the department’s Science and Technology branch. “The test will help us determine how viable this is for potential (department) use in the future,” Vemury said. Iris scanners are little used, but a new generation of cameras that capture images from 6 feet away instead of a few inches has sparked interest from government agencies and financial firms, said Patrick Grother, a National Institute of Standards and Technology computer scientist. The technology also has sparked objections from the American Civil Liberties Union. Read the full USA Today article here.

Security Experts Warn of Wi-Fi Hot-Spot Dangers
Employees are exposing personal and professional information unknowingly as they log onto public Wi-Fi hot spots at hotels, airports and coffee shops, experts say. Ryan Crum, former director of information security at PricewaterhouseCoopers Advisory Services, said he has observed unprotected Social Security numbers, corporate financial data and information about mergers and acquisitions circulating on public Wi-Fi networks, particularly in e-mails. Read the full ComputerWorld article here.

California Hospital Appeals Security Breach Fine
The Lucile Packard Children’s Hospital at Stanford University is appealing a whopping $250,000 fine imposed by California Department of Public Health (CDPH) for its alleged delay in reporting a data breach that exposed confidential patient data. In a statement Thursday, the hospital contended that it had reported the breach in accordance with requirements. “We are appealing the timeline,” a hospital spokesman said today. He added that the breach was self-reported by the hospital to CDPH. The fine was levied in April under a state statute passed in 2008 that allows state agencies to, among other things, penalize organizations that fail to report data breaches as required by the state. Read the full Computerworld article here.

Analysis: Cybersecurity Bill on List for Passage This Year
Capitol Hill staffers have made progress stitching together cybersecurity proposals into a huge bill, aides said, with Senate leadership putting it on their short list for passage this year. But stiff industry opposition and partisan tensions still make it unlikely comprehensive legislation will pass in 2010. The legislation would require companies who sell the government $80 billion in hardware and software each year to bake in a certain level of security — a potentially expensive prospect. Senate Majority Harry Reid has put the measure on his list of top-priority bills to get through the Senate this year, the sources said. Read the full Reuters story here.

NSA Chief: “Internet is Fragile”
The United States’ increasing reliance on the Internet makes securing our networks from online threats more crucial than ever, according to National Security Agency director and U.S. Cyber Command commander Keith Alexander. Speaking at the Gov 2.0 Summit on Tuesday in Washington, Alexander warned against the growing threat from hackers and enemy states seeking to penetrate American networks, which are more vital to the nation’s security and economy than ever before. “The Internet is fragile. Our economic and national security, privacy and civil liberties are fully dependent on the Internet,” Alexander said. “It is critical we improve our security posture. The threats are real. Malicious actors a continent away can exploit our networks. They’re becoming better organized and sophisticated at exploiting weaknesses in our technologies.” Read the full The Hill post here.