Archive for June, 2008

Vancouver the Mail Theft Capital of Canada

Monday, June 30th, 2008

CTV is running a four-part series looking into the “epidemic of identity theft” in Vancouver, part of which is due to the volume of stolen mail in the city.

Sgt. Ken Athans, who runs the Vancouver Police Department’s identity theft task force, says identity theft is huge business in Vancouver, and only getting bigger.

“It’s high gain and low risk, more people are going to get into it and that’s what’s happening in Vancouver,” Ken Athans said.

Areas like Yaletown and the West End are prime targets for mail thieves, where the affluent lifestyle attracts people to search for credit card applications or bank statements to initiate fraud. Peter Stabler, a crown prosecutor, convicts an identity thief every other business day in the city. That said, there is a high proportion of repeat offenders who view jail time as part of the “job.”

Vancouver is the mail theft capital of Canada, and CTV has learned that Canada Post has delayed the replacement of improperly secured mailboxes for as many as five years. Only about a third of improperly secured mailboxes have been replaced, leaving many open to theft by easily forged keys.

Canada Post does not record statistics of stolen mail, only undelivered mail. This makes it difficult to understand the extent of the problem. Once mail is delivered, Canada Post will no longer claim responsibility for it, and it’s up to local law enforcement to investigate the theft of what, at that point, is personal property. You can read some of what Canada Post had to say here.

What do you think about the issue? Does Canada Post have a responsibility to protect the mail, even after it’s been delivered?

Image: maps.google.com

Data Breaches & Carding

Friday, June 27th, 2008

The Department of Justice (DoJ) put out a report in May entitled “Data Breaches: What the Underground World of ‘Carding’ Reveals” [PDF].

Carding, defined as “a process to verify the validity of stolen card data”, is used by thieves to determine if the stolen card is still active. [Wikipedia] The term “carding” has also been expanded to include the theft and fraudulent use of credit & debit card numbers via other schemes such as hacking and phishing. The report looks at large-scale data breaches and the organized “carding” organizations that exploit the stolen data.

The new DoJ report indicates that the trading of individual pieces of sensitive information is being overshadowed by “identity packages” with multiple types of sensitive information. In addition, criminals are aiming for large scale breaches affecting thousands or millions of people. Given that stolen information can disseminate quickly over the Internet, criminals can profit quickly from the fraud – often before the theft is even detected.

Pricing for Sensitive Information (first half of 2007):

  • Credit card information: $0.50 to $5.00 per card
  • Bank account information: $30.00 to $400.00
  • Full identity information: $10 to $150.79

The report gives examples of some of the well-known carding forums and discusses legislation and the challenges & solutions to the issue. You can download the report here [PDF].

Via: emergent chaos, network world ; Image credit: cohdra @ morguefile

Coffee Maker a Security Risk

Thursday, June 26th, 2008

It may sound far-fetched, but a coffee maker has been found to be a security threat. Perhaps not so far-fetched when you know that said coffee maker is connected to the Internet.

The Jura Impress F9 coffee maker, as shown, is an “automatic coffee center” that, aside from grinding and brewing many types of coffee beverages, is Internet-enabled. Why? Coffee specialties can be chosen and the settings memorized, and new coffee drink options can be downloaded from the web.

Given that the Jura machine connects to the Internet, it opens up a new security hole. An Australian man found that there are several security vulnerabilities in the Jura machine that could allow a remote attacker to take over his PC. He posted the vulnerabilities to an email list, and many websites have now picked up the thread.

With a wave of Internet-enabled appliances already starting to flood the market, do you see these as a future risk for corporate security?

Via CNet ; Image: Jura via Amazon.com

Secure Online Shopping – Video Tips

Wednesday, June 25th, 2008

The AMW Safety Center and the National Consumers League have put together a public awareness video about secure online shopping.

Some of the tips in the above video include:

  • Look for https or shttp in the web address
  • Don’t fall for pop-up boxes
  • Look over return and privacy policies
  • Use a credit card to protect your interests (fraud departments can help you get money back)

Of course, if you remember the survey we posted last week, legitimate websites host 68% of the malware online, so trusting a website is not a guarantee of safety any longer.


Teachers and Social Networking

Tuesday, June 24th, 2008

We have talked a lot in the past about the benefits of social media in education. We’ve also talked about some of the risks of social media, in terms of cyberbullying. One thing we haven’t talked about, however, is the caution required when teachers (or public figures of any sort) engage in these social networks in their personal lives.

One thing to remember when going online is that it is not a private space. Even if you designate something to be private, you should consider that it may not stay that way. The BBC has written an article on this topic, which warns teachers to be wary about the dangers of putting personal information online.

Social networking between teachers and students is becoming a regular occurrence – as part of an aim to increase the learning experience. However, a teacher must be aware of which tools to use when working with students. It may be prudent, for example, to not connect with students directly via any social networking site.

Teachers in Scotland have been asked to adhere to a new code of conduct created by the General Teaching Council of Scotland. It asks teachers to be wary of online exchanges with students. Some fear teachers could land in situations with accusations that have ruined careers. Teachers should avoid situations where online relationships could form with students.

“In school there are guidelines to say don’t be in a classroom alone with a pupil, all doors should be open, and from that point of view we are covered.

“Online we are not and teachers should be wary of involvement with pupils, particularly through social networking sites.” – Gary McDonald, teacher at Balerno Community High School

Finding the balance between rapport and educational support with distance and formality has been difficult, and is only more complex now with the advent of these social networking tools. Codes of conduct can go far in helping to define what is, and what is not, appropriate behavior online, and how to deal with circumstances that may arise.

If you want to understand more about Social Networking, check out this great video by Commoncraft:

Iowa Passes Breach Law

Monday, June 23rd, 2008

On May 10, Iowa enacted its own breach notification law, becoming the 42nd US state to do so. The bill will come into effect on July 1.

Bill S.F. 2308 requires businesses and government agencies to notify residents if their personal information has been accessed (if it is likely to do financial harm). Notice is not required if an investigation by the law enforcement agencies deems no financial harm can come of the risk. Encrypted information is not exempt from the notification requirement, unlike in many states. Given that many data breaches can be ruled out if they pose no risk for financial harm, it is my opinion that there will be a lot of public criticism of breaches when they do come to light. Such an investigation will likely delay the breach notification, which inevitably increases public scrutiny after a breach incident.

If you were to plot the adoption of data breach notification laws against time, the remaining states should all adopt their own law by some time in late 2011. Check out the graph here, realizing (of course) that statistics cannot be depended on to accurately gauge when (if ever) all states will adopt such a law.

I think it would be interesting, statistically speaking, to see if the trends in data breaches and legislative maneuvering could predict when one of the many data breach bills would pass at the national level.

Via emergent chaos, electran

Obama Works on Web Security

Friday, June 20th, 2008

Barack Obama has been a leader in his use of “web 2.0” techniques in his presidential campaign. Now that he has the presidential nomination, his campaign has a larger target on it than ever. Now, Barack is hiring a web security expert.

Barack Obama’s website was built by Facebook co-founder Chris Hughes and hinges on social networking. While this has been important in driving the majority of the campaign’s contributions, it does open the campaign up to more avenues of attack. The site was hacked two months ago, and a similar attack could cost the campaign millions of dollars if it escalated to breach status. Such an attack would also tarnish the reputation of Obama and his staff at this crucial time.

“Attacks like SQL injection would be far more of a concern,” said Oliver Friedrichs, a director with Symantec Security Response who has written about computer security and the 2008 presidential election. “If I was able to get access to the database that houses their donor information, that would be very concerning.”

Although Internet security is taken seriously in all political campaigns, Obama has used his website (for the first time in political campaign history) to advertise for a web security expert. The expert would be responsible for analyzing network architecture, overhauling existing security systems, developing a strategy to respond to attacks, and managing “the security posture of the online campaign.”

If you were a supporter of Barack Obama, would you be deterred in your vote by any web attack or breach?

Does Barack’s advertisement of the job position help him appear more transparent or authentic?

Via intergovworld

Legitimate Websites Pose Greatest Malware Risk

Thursday, June 19th, 2008

A new study from ScanSafe that compared more than 10 billion web requests from May 2007 to May 2008 indicates that legitimate websites pose the greatest risk for malicious code. The study looked only at corporate customers, so the data represents risks present in the office.

The study found that 68% of all web-based malware blocked during May 2008 was found on legitimate sites, up 407% from May 2007. There has been a huge series of attacks that infect legitimate sites with malicious scripts to deliver password stealers and backdoors to visiting computers.

“The compromise techniques being used now allow hackers to quickly ‘colonize’ thousands of legitimate sites, from big brand name sites like Wal-Mart, to smaller but equally legitimate sites,” says Mary Landesman, senior security researcher at ScanSafe.

Malware overall is up 220% during this 12-month period. The greatest growth was in backdoor and password-stealing malware. These indirect attacks are stealthier and leverage legitimate brands to exploit consumer trust. Sensitive data is at high risk from these invisible backdoor attacks. Corporate users faced a three-fold increase in the volume of Web-based malware exposure during this time period.

There is a wide variety of tools available for attackers to compromise websites. The tools, simple to use and often free, make it easy for even an unskilled attacker to reap returns. ScanSafe has indicated that the security status in the present environment is very high.

Via security focus

Discussing Computrace with Miguel Guhlin

Thursday, June 19th, 2008

Miguel Guhlin has been having some conversations with Absolute Software about how Computrace works. He’s published some of those conversations, with CEO John Livingston and with Senior Manager Craig Clark, on his blog in these articles:

Miguel was genuinely interested in how the Computrace technology works, on which platforms and if it could be bypassed by creative thieves. Absolute Software appreciates the opportunity to address these concerns, and has been in contact with Miguel for some time now. In the latest conversation with Miguel, Craig Clark addresses the Computrace alternative, LocatePC, which can track your computer when lost (but which does not come with recovery service).

“Only Absolute Software maintains a licensed investigative team whose sole purpose is to investigate computer thefts, gather evidence using Computrace and then complete the investigation by assisting local police with a search warrant or subpoena to search a home and physically recover a stolen computer…

So, while there are competing recovery services on the market, only Computrace is complemented by the physical investigation team required to successfully recover stolen computers on a consistent basis.”

If you have comments about Absolute Software or any of our products, we’d love to hear from you. Drop a comment anywhere on our blog, or contact us!


Absolute Software Named Company of the Year

Wednesday, June 18th, 2008

As mentioned previously, Absolute Software was named a finalist for Company of the Year in the 2008 Technology Impact Awards put on by the BCTIA.

I’m happy to report that Absolute Software has been selected from the finalists as Company of the Year!! Congratulations to everyone at Absolute Software for this achievement!

For more information, read the Absolute Software press release.
