[SecurityRatty] tag: daughter

[Offtopic] Beginning Hacker

Sun, 10 Aug 2008 15:43:00 +0000

My daughter and I were playing a little online Dora computer game today. As we got to one of the screens where you're supposed the click the letters Dora tells you to, Elise decided it would be more fun to experiment with the game to see what happens when you click the wrong letters instead. She liked the reaction from the game as it repeatedly tried to tell her the "right" thing to do and she deliberately ignored it.

Makes me pretty proud - don't do what the software expects you to do, break the rules instead and see what happens.

Courtesy of my friends at iSec Partners, here she is dressed in her hacker garb.

Fugitive spammer dead in apparent murder-suicide

Fri, 25 Jul 2008 07:29:26 +0000

Spammer and escaped convict Eddie Davidson shot his wife and three-year-old daughter before turning the gun on himself Thursday night in Bennet, Colorado.

It's a crime-filled week in IT land

Thu, 24 Jul 2008 20:00:00 +0000

In an unusual week for IT news, headlines were dominated by alleged crime, actual crime and crime that could be in the offing. Technical details of the dreaded DNS flaw were inadvertently released, leading to publication of the attack code, there were more twists and turns in the story of the jailed San Francisco network administrator, and a convicted spammer who walked away from a minimum-security prison apparently killed his wife, their young daughter and himself. And, we sadly learned that Carnegie Mellon professor Randy Pausch died -- he inspired countless people with his "Last Lecture" that is a YouTube classic.

How personal information wound up at the side of the road is a mystery

Thu, 10 Jul 2008 06:50:31 +0000

Technorati Tag: Security Breach

Date Reported:
7/10/08

Organization:
Liberty Furniture*

*"a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County", Mississippi. According to the report, Liberty Furniture may have gone out of business more than 20 years ago.

Contractor/Consultant/Branch:
Unknown

Victims:
Former employees

Number Affected:
"hundreds, maybe even thousands of people"

Types of Data:
Personal information including W-2 forms and tax forms containing names, addresses, and Social Security numbers

Breach Description:
"Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road."

Reference URL:
Eyewitness News Everywhere

Report Credit:
Kevin Holmes, Eyewitness News Everywhere

Response:
From the online source cited above:

Eyewitness News Everywhere Uncovers the personal information of hundreds, maybe even thousands of people - dumped along a Mid-South road.
[Evan] For those readers who may be unsure where this "Mid-South" is located, in this case it is Mississippi.

We even found W-2 forms, tax forms with people's names, addresses and social security numbers.

Investigators in Tate County are trying to figure out how the papers got there.

Larry Davis made the discovery.

He says he was driving into town when he came across thousands of forms.

"That's just uncalled for...you are entrusting these people with a lot of information that could ruin you very quickly, but yet they treat it like it's trash," said Davis.
[Evan] I think most people share Mr. Davis' feelings. It is puzzling. What was the person who dumped the information on the side of the road thinking, supposing the the person was thinking and supposing the information was dumped and not lost (i.e. fell off a truck).

Financial records, shipping order forms, and W-2's of former employees

"Stupidity on the person that threw it out on the road. The people who disposed of these, there should be some legal action against them, but to me that's mismanagement," said Davis.
[Evan] Again, I think many people share the same feelings as Mr. Davis.

Many of the records are from Liberty Furniture, a North Carolina based company with Mid-South ties to Cromcraft - a furniture warehouse in Tate County

"There all from North Carolina, how did they get here? This is Mississippi. We got some strong wind, but they ain't that strong," says Davis.

Even Cromcraft employees were shocked when we brought this to their attention.

Most of the W-2's are from the late 1970's and early 80's.
[Evan] Wow! These W-2's are 20-30+ years old?!

we're told Liberty Furniture went out of business more than twenty years ago.

Larry Davis' daughter Susan Herron said, "This could be someone's grandparents on fixed income, now their social security number is floating around somewhere and it's awful, people need to be more careful."

Eyewitness News Everywhere caught up with one of the former employees whose personal information was exposed.

"My initial feeling was a very sinking, horrified, scared, feeling....You feel vulnerable and hope your social security number hasn't fallen into the wrong hands. So I have to be diligent in checking my credit report," said the employee.
[Evan] It is interesting to read how a person feels when they learn that their personal information has been compromised. I feel bad for these people. This employee doesn't need to feel "horrified and scared", but he/she does nonetheless, and it's all due to negligence. This is just one reason why information security is so personal to me.

Other former Liberty Furniture employees tell Eyewitness News Everywhere they will be doing the same thing - checking their credit report.

Eyewitness News Everywhere will keep those forms in a secure place until we hand them over to the proper authorities.

Commentary:
There is a lot of mystery surrounding this breach. How did the information get there? Why was the information still kept? Who was in possession of the information before it was found on the side of the road? Why wasn't the information already destroyed if the company who was responsible for it is no longer in business?

Past Breaches:
Unknown

U.S. Arms Dealer Tests Legal Bounds in Middle East Arms Bazaar

Thu, 03 Jul 2008 18:00:00 +0000

Former congressman Curt Weldon is helping broker deals between Russian and Ukranian weapons suppliers and the Iraqi and Libyan governments as part of his new job with a private American defense consulting firm, Wired.com has learned.

Weldon, who is currently being investigated by the FBI over alleged corruption during his time in office, visited Libya in March to discuss a possible military deal, according to a letter describing the trip from Weldon to Defense Solutions CEO Timothy Ringgold. In May, Weldon, together with Ringgold and another company representative, traveled to Moscow to discuss working with Russia's weapons-export agency on arms sales to the Middle East.

Both trips were part of the company's effort to tap into the growing -- and often legally murky -- market for selling weapons from former Eastern Bloc countries to the Middle East and Afghanistan.

Ex-Rep. Curt Weldon, R-Penn., is helping broker deals between Russian weapons suppliers and the Iraqi and Libyan governments through his company, Defense Solutions.
Photo: H. Rumph Jr/AP

The Russians want to sell weapons to Iraq directly, but "must go slow on Iraq because of political reasons" and want to work with an "intermediary" like Defense Solutions, CEO Ringgold subsequently wrote to colleagues. "They have not spoken with any American company that can offer the quid pro quo that we can or that has the connections in Russia that we have," he boasted.

A few years ago, an American company proposing to sell weapons to Libya might have triggered a congressional hearing. So, too, would have a proposal to conduct arms deals with Russia, which the United States has accused of selling high-tech weapons to Syria and Iran.

However, U.S. government efforts to rapidly equip countries like Afghanistan and Iraq -- which have largely Soviet-origin weapons -- have created legal ambiguities and loopholes in export controls that didn't exist in years past and given rise to a new class of arms trade middlemen. So, even though both Libya and the Russian arms export agency are on official U.S. blacklists, government officials and analysts involved in weapons sales say the rules have become unclear as the push to equip allies in the global war on terror has blazed new but uncertain legal ground.

Eagerly stepping into that virgin territory is Defense Solutions, a Pennsylvania-based company that is carving out a small but lucrative niche in a new international arms bazaar. The firm boasts as its advisors a number of influential Washington insiders, such as retired General Barry McCaffrey, the former White House drug czar.

Helping the firm make key connections is Curt Weldon, a former Republican congressman from Pennsylvania at the center of an FBI investigation into alleged conflicts of interest during his time in office. Weldon, now a key executive at Defense Solutions, is working with the company to set up these weapons deals.

Defense Solutions has also proposed refurbishing Libya's BTR-60 armored personnel carriers, according to a sales proposal seen by Wired.com. Defense Solutions denies drafting a sales proposal to Libya.

It's an unusual, if not an entirely unexpected chapter for Weldon, whose time in office included frequent trips to Russia. As an influential member of the House Armed Services Committee, Weldon pushed for multibillion-dollar defense programs, like ballistic missile defense, and earned a reputation as a foreign policy gadfly, boasting of his contacts with officials in nations labeled by the administration as "rogue states" such as Libya and North Korea. Weldon's wild claims about a 9/11 cover-up and his sensationalist book warning of an Iranian terror plot, sometimes earned him official scorn and public ridicule, but it was accusations that he steered contracts to Eastern European businesses linked to his daughter's lobbying firm that drew the government's attention.

Weldon was voted out of office in 2006 just weeks after the FBI raided his daughter's home, and that of one of her associates.

Weldon did not respond to e-mails and phone requests to be interviewed or comment for this article. But in a 2006 interview, before the FBI probe was public, Weldon spoke enthusiastically about setting up a "front company" to work with the Russian arms agency, Rosoboronexport. Weldon hoped this company could sell weapons to the Middle East, and other regions, particularly to countries where the U.S. has strained relations. He claimed the director of Rosoboronexport approached him to work with "an American company that would act as a front for weapons these nations want to buy."

Weldon called the proposal an "unbelievable offer."

The administration, he acknowledged at the time, did not welcome the idea of an American company selling Russian weapons to potentially unfriendly countries. But two years later, Weldon, now a private citizen and chief strategic officer for Defense Solutions, appears to be working on precisely that sort of deal. And whether illegal or not, Defense Solutions' business represents a new phenomenon in the international arms trade business.

In years past arms brokers -- firms or individuals who serve as middlemen to facilitate weapons sales between countries -- were largely the stuff of spy thrillers. Unlike traditional American defense companies, like Lockheed Martin or Boeing, which typically sell weapons directly to NATO countries or other governments regarded as friendly to the United States, brokers are often small outfits run by people with sometimes questionable experience and reputations they will sell to anyone. One of the most infamous arms brokers, a Russian named Viktor Bout, is charged by the United States, United Nations, Interpol and others of funneling arms to terrorists and rebels around the world. He was recently arrested in Thailand. The United States is requesting his extradition on charges of supplying arms to a terrorist organization.

Two Marines lower the trim vane on the front of an Iraqi BMP-1 mechanized infantry combat vehicle that was captured during Operation Desert Storm. The American defense consulting firm Defense Solutions has proposed refurbishing Libya's aging fleet of BMP-1s. Defense Solutions denies drafting a sales proposal to Libya.

But ironically, Iraq has fueled a new market for these professional middlemen; the United States is funneling billions of dollars into modernizing Iraq's army so that the country's government can fend for itself after coalition troops withdraw. And Iraq's largely Soviet-equipped military is a natural market for Eastern European countries brimming with old or out-of-date equipment they would like to unload. The middlemen, in these cases, serve a key role by allowing the U.S. government to do business with an American company, which in turn buys equipment from Eastern Bloc countries in deals worth hundreds of millions of dollars, much of it financed with U.S. taxpayer dollars.

One of Defense Solutions' sales -- a deal to sell Hungarian-owed T-72 tanks to Iraq in 2005 -- was typical of these new foreign military sales. But on the more questionable side is the company's plans to work with Rosoboronexport, which is barred from doing business with the U.S. government, and Libya, which is still on the State Department's arms embargo list.

The Eastern European-Middle East arms-brokering business, while in some cases sanctioned by the U.S. government, has run into problems, including outright corruption and quality. Defense contractor Dale Stoffel, the president of Wye Oak Technology, and another American were gunned down in Iraq in December 2004 after Stoffel alleged that the Iraqi Ministry of Defense was involved in a kickback scheme. Like Defense Solutions, the company Stoffel worked for was refurbishing the Iraq's army Eastern Bloc equipment.

Another problem is quality. Weapons from the former Soviet Bloc, which the U.S. military euphemistically calls "nonstandard equipment," have been flagged as substandard, acknowledges Brigadier General Charles Luckey, who is in charge of security assistance at Multi-National Security Transition Command-Iraq. In an interview from Iraq, Brigadier General Luckey said: "One of the frustrating things about buying nonstandard [weapons], is that I'm the guy who has to deal with the fact that some broker I've never heard of allowed weapons to get to Iraq before they were inspected."

Defense Solutions is carving a new niche in the arms trade, selling Soviet-made weapons to Middle Eastern countries like Afghanistan and Iraq. Defense Solutions sold Hungarian-owed T-72 tanks to Iraq in 2005.

In one high-profile case, Iraqi officials alleged that a corrupt firm sold them $400 million in shoddy helicopters from Poland. More recently, a company led by a 21-year-old and a former masseur was offered a U.S. government contract worth nearly $300 million to sell ammunition to Afghanistan. The ammunition turned out to be outdated and of dubious origin and several people connected with the company have been indicted. A congressional investigation concluded that the company, which was on a State Department watch list, was able to take advantage of regulatory loopholes by using middlemen.

For those concerned about illicit arms trade, this new wave of weapons deals is rife with the potential for corruption and abuse, but for companies eager to pursue markets once regarded as dubious, it represents a lucrative business opportunity. The problem in these cases, according to those familiar with arms sales, is that it's no longer clear what's legal and what's not.

Rachel Stohl, an expert on international arms trade and a senior analyst at Center for Defense Information, says that in many ways, the rush to equip Iraq has led the United States to throw caution to the wind. She points to a report by the Government Accountability Office last year that found that some 190,000 weapons sold to Iraq have gone missing. "I think the reality is we won't know, until way after the fact, about all of these irregularities with the Iraq weapons provision program," she said. "We were providing them all these assault rifles that have gone missing. Why? They were not following the standard procedures that were in place."

But Iraq and Afghanistan aren't the only markets available to arms brokers like Defense Solutions. The gradual normalization of relations with Libya opens another door into a quasi-legal area of sales.

Like Iraq, Libya has a substantial arsenal of Soviet-origin military weapons, offering a potential market for brokers working with Russia and other former Soviet states. But even when there's not an outright ban, sales to the Middle East are often fraught with controversy, particularly to countries like Libya, which was under international sanction for more than a decade. Even as sanctions against it have been lifted, European companies proposing to sell arms to Libya have faced steep criticism, particularly since the country is still ruled by dictator Muammar Gaddafi, who took power in a military coup in 1969.

While the United States lifted Libya's "state sponsor of terrorism" designation in 2006, other restrictions, such as on the sale of arms, remain in place. A State Department spokesperson confirmed that exports of "lethal munitions" to Libya, such as tanks or related equipment, are still banned, although sales of nonlethal equipment are now allowed on a case-by-case basis.

In late March, Weldon traveled to Libya for a weeklong trip at the invitation of the Gaddafi Foundation, a group run by the son of Libya's leader, and the chairman of Libya's foreign affairs committee, according to the report he sent to Defense Solutions (.pdf), a copy of which was obtained by Wired.com. The trip reports states: "Agreement reached for Weldon to quickly return to Libya for meetings with son [of Libyan leader Gaddafi] Morti regarding defense and security cooperation."

A document dated April 16, just two weeks after Weldon's trip, outlines Defense Solutions' proposal to Libya to refurbish the country's fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles, and BTR-60 armored personnel carriers. A copy of the sales proposal, also provided to Wired.com, is on Defense Solutions' letterhead, appears to bear the signature of company CEO Timothy Ringgold, and is addressed to Libya's defense procurement council. "Defense Solutions is committed to delivering a full end-to-end solution to its clients," the proposal states. "Besides refurbishing these vehicles, we are capable of providing a full logistics support package, including a two year supply of spare parts, maintenance and repair services, and operator, maintenance, and repair training."

In an interview with Wired.com, Ringgold admitted that he's interested in doing business in Libya and confirms receiving Weldon's trip report from Libya, but denies drafting or signing an arms-sale proposal. "I've never made such a document to Libya," Ringgold insisted, after being read the proposal, and told that his signature is on it.

In addition to the Libyan arms-deal document, Wired.com has also reviewed copies of e-mails from Ringgold discussing the Libyan deal.

While Ringgold denies proposing an arms sale to Libya, he is open about speaking with Rosoboronexport, which has been on a U.S. government sanctions list since 2006, after the Russian state agency allegedly violated the Iran and Syria Nonproliferation Act. An April e-mail provided to Wired.com describes Ringgold, Weldon and Stephan Minikes, a senior advisor to Defense Solutions and a former ambassador, meeting with Rosoboronexport. The conversations included a number of potential deals, including supplying Mi-17 helicopters to Afghanistan and spare parts for Iraq's infantry fighting vehicles. Ringgold wrote to colleagues following the visit, describing the meetings as a "spectacular success," saying the Russian agency "has the ability to undercut all cost proposals from brokers."

Ringgold confirmed those discussions and said that his company has sought to do business with Rosoboronexport. Asked whether Ringgold considers his dealings with Russia to be legal, he argued that U.S. companies could work with Rosoboronexport on a "case-by-case" basis. "The particular purpose of the meeting we had -- and I want to be crystal clear -- was in response to a U.S. government requirement," he said.

A number of officials at the State Department and in the Pentagon, when contacted for this article, could not say whether working with Rosoboronexport is legal or not. A Pentagon spokeswoman said she was familiar with the issue, but deferred the question to the State Department. When asked about Rosoboronexport's status on the blacklist, John Herzberg, a State Department spokesman replied: "What's on there is on there."

Asked whether, given the ban, there was any way a company could legally work with Rosoboronexport, as Ringgold suggested, Herzberg provided an equivocal answer. "At the stage of the process we're at, I'm unable to give you an answer," he said. "You can try elsewhere in government, and maybe they'll be braver than me."

In an interview from Iraq, General Luckey conceded it was a murky area, but said, "My understanding is they are currently on our no-go list."

The confusion over debarred parties has even led the U.S. government into its own legal tangles, according to Jim McAleese, a Washington attorney who specializes in government contracting and foreign military sales. Because the Russian government violated U.S. nonproliferation laws, even NASA had to go to Congress to ensure it could work with Russia on Soyuz flights to the international space station. "What I'm warning you about is, don't be surprised by the confusion," McAleese said. "There are a whole bunch of different statutes that were adopted piecemeal and were never intended to be reconciled."

But it's the very ambiguity of the law that troubles those who monitor export control. "It's highly unusual to do anything with the Russians, particularly Rosoboronexport," said Scott Jones, director of Export Control Programs at the Center for International Trade and Security at the University of Georgia.

Legal or not, reputable American companies simply don't want to work with banned entities, Jones said, for fear of risking their reputations and business. "Even if it's not an outright prohibition, most companies don't want to put themselves in a liability situation that has really bad PR … and they stay away from it," Jones said. "But if that's your business, pimping out arms from the U.S. or Russia, that's the way it works, and you push as much as possible."

Finding any U.S. defense company working with the Russian government at this point would be "remarkable," Jones added.

In the meantime, the future for Weldon is unclear. The FBI investigation continues and Weldon's former chief of staff recently pleaded guilty to a conspiracy charge and is cooperating with the government, notes Melanie Sloan, the executive director of Citizens for Responsibility and Ethics in Washington, which filed a complaint against Weldon in 2004. Sloan speculated that Weldon may be charged with "honest service fraud" for misusing his office for personal gain. "It's an easier standard than bribery," she said. "I wouldn't be surprised [if he's charged] with bribery, but I think it will be honest services fraud."

Ringgold insists that he and Weldon are on the right side of the law. "Everything we do is in strict compliance with international and U.S. law and we operate only in the best interests of the U.S. government," he said. "I didn't serve 30 years in the United States Army to throw that away on a whim."

Asked if Weldon is still working for the company, Ringgold replied: "Absolutely, proudly so."

Your 419 Mail Roundup

Wed, 25 Jun 2008 09:29:29 +0000

Are you ready for more 419 missives?

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...
Subject:
HELLO DEAR
From:
"abavanagift13 Gazeta.pl"
Date:
Sat, 21 Jun 2008 12:26:24 +0000
BCC:

Hello Dear,

My name is Blessing Abavana, the elder daughter of Mr. paul Abavana of Zimbabwe, I am 17 years old with my younger brother (Micheal), we are in Ghana as refuge/asylum since we lost our parents because of the recent war that occurred in our country.please do go through this web page for better understanding with full details:

http://www.rte.ie/news/2000/0418/zimbabwe.html

I am looking for one who will honestly assist my younger brother and I to realize our inherited funds into your account and as well as invest it into a lucrative business.

During the recent war against the farmers in Zimbabwe from the supporters of our President, Robert Mugabe to claim all the white -owned farms to his party members and his followers, he ordered all the white farmers to surrender all their farms to his party members and his followers.

My father being one of the few rich and successful black farmers in our country was also victimized because of his opposition to Mugabe's policies. And because he did not support Mugabe's ideas, Mugabe's supporters invaded my father's farm and burnt everything in the farm, killed my father and made away with a lot of items in my father's farm. This action was taken because my late father felt the growing tension on the farm issue, but I guess he never anticipated the tragedy that brought their brutal and sudden death.

However with the benefit of hindsight, owing to the looming but deteriorating crisis in my country, Zimbabwe, my father, before his unfortunate death deposited with International Commercial Bank (ICB) here in Accra Ghana the sum of US$ 35MUsd (Thirty Five Million United States Dollars), with the sole aim of acquiring and buying some dredging equipments in setting up of a dredging firm with his partner. With his death and all his assets seized at home and accounts frozen, the family is now in a very difficult situation.

After the death of my father, my brother and I escaped to the Republic of Ghana where he had deposited the money in the Bank . And we were permitted to reside here as Political Refugees.

So Because of our present and unpleasant status here we decided to contact an overseas firm / individual that can assist us to move this money out Of Ghana because, as asylum seekers, we are not allowed to operate any financial transaction of such amount within Ghana and also to assist in providing me and my brother a permanent residential permit in your country after the money must have been transferred to your account.

We have agreed to offer you 30% of the total sum for your assistance, and the rest will be for my brother and I, to Invest in your country under your assistant

All I want you to do is to furnish me with the below information including your readiness to assist me achieve this transaction for investment purposes in your country under your supervision. Kindly re-confirm to me the followings:

1) Your Full Name:
2) Phone, Fax and Mobile
3) Profession, Age and Marital Status.
4) Nationality

I have to re-assure you that this transaction is 100% risk free and should be treated with absolute confidentiality. All the vital documentation/certification that has to do with the origin of the fund is with me for the security reasons.And I will send them to you when we progress.And I guarantee you that this fund is not government fund, drug money, or from arms deals.

I will detail you more about the bank immediately I receive your acceptance response. I hope this is the beginning of a prosperous relationship between us.Thanks and God bless you

Regards

Blessing/Micheal Abavana

(Wow, spectacularly sick. Not that we're expecting scammers to have any morals, of course).

*********************************************************************************************

Subject:
Lycos Online Lottery Notification
From:
"LHOUTY MOHAMMED HASSANE"
Date:
Sun, 22 Jun 2008 02:42:53 -0000
BCC:

LYCOS LOTTERY ONLINE
8th Floor
1 Stephen Street
London
W1T 1AL

WINNING NOTIFICATION
This is to inform you that your email address has won the Lycos Lottery for the year 2008. your email has won you the sum of ?952,350.00 (Nine Hundred And Fifty Two Thousand, Three Hundred And Fifty pounds sterling).
You are advised to keep this notice confidential to avoid misinterpretation of funds and unauthorize claims, cheating or fraud.
To claim your funds please contact us with the information below.
Name: Dr. George Stevenson
Tel:+447031991681
Email:lycosclaimsdpt@gmail.com

It is mandatory that you send us your full names, address, phone number,
age, sex and occupation to enable us arrange your claim.

Note: Winners were selected through a computer ballot system drawn from Microsoft users from company and individual email addresse users. All winning must be claimed not later than 21 working days from the time of notification. After this date all unclaimed funds will be returned to European Union Treasury as unclaimed funds.

Congratulations from mambers and staff of Lycos
Lhouty Mohammed Hassane.
Lycos Lottery Co-ordinator

(A "Lycos Lottery" and they're using a GMail address? Doh).

*********************************************************************************************

Subject:
Yukos Oil
From:
Mr. Timinskiy Vladimir
Date:
Wed, 25 Jun 2008 5:38:17 -0400
To:

I have a profiling amount in an excess of US$100.5M, which I seek you in accommodating for me. You will be rewarded with 4% .If intrested, please reply me for moredetails...
Regards
Mr. Timinskiy Vladimir

(Short. Sweet. Pointlessly fake).

*******************************************************************************

Subject:
Immediate Release of Your FUND Via ATM CARD
From:
"Mr. Mark Louis"
Date:
Wed, 25 Jun 2008 01:45:09 -0700
To:
undisclosed-recipients:;

SUBJECT: Immediate Release of Your FUND Via ATM CARD

Attention: ATM Card Beneficiary,

I wish to use this medium to inform you that your CONTRACT/INHERITANCE Paymen of USD$10,000,000.00 (Ten Million United States Dollars) from CENTRAL BANK
OF NIGERIA have been RELEASED and APPROVED for onward transfer to you via an ATM CARD which you will use to withdraw all the USD$10,000,000.00 in any
ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is USD$10,000.00 Only.

We have mandated IBTC CHARTERED BANK PLC, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your USD$10 Million Dollars in
any ATM SERVICE MACHINE in any part of the world. You are therefore advice to contact the Head of ATM CARD Department of IBTC CHARTERED BANK PLC;

Contact Person: Dr. Olu James
Office email address: pcfc_nigeria@yahoo.com
Private: +2347084501007
Office:018969906

Tell Dr. Olu James that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use
to withdraw your USD$10 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address
where you want him to send the ATM CARD and PIN NUMBER to you. We are very sorry for the plight you have gone through in the past years. Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.
Mr. Mark Louis.
Executive Governor,

Central Bank of Nigeria {CBN}.

(Ah, the old "Let's lure them in with the magical bank card" trick).

******************************************************************************************

Subject:
CONTACT THE FEDEX COMPANY FOR YOUR FUNDS
From:
"SAMUEL DUNBAR"
Date:
Fri, 20 Jun 2008 12:33:43 +0100
BCC:

Dear Friend,

Compliment of the new year, I have been waiting for you since to come down here and pick your Bank Draft which my boss left with me before he travelled to England but I did not hear from you since that time till today. I went to the bank to confirm whether the draft is getting close to expire as it had been long time my boss issued the draft. The director of the bank told me that before the draft will get to you, that it will expire. Then I told him to help me and cash the cashier bank draft of $1,500.000.00 to cash payment.

However, I have successfully cashed the draft and packaged it in a box and have registered it in the Fedex Express Company Service here in Benin Republic because I will travell to see my boss in England and will not come back till August 20th 2008. You have to contact the Fedex Express Company Service to know when they will deliver your package to your address. I have paid for the delivering charges and insurance fees. The only money you have to send to them is their security keeping feeswhich is USD$135.00 USD to receive your package. Don't be deceived by any body.

This is their Contact Address;
Attn: Cheif Mr. George Kobra (Director)
Tel: +229-9799 2240
E-mail: fc.bj@sify.com

Send them your contacts information to enable them locate you
immediately they arrived in your country with your package.

This is the information they needed from you.

1. Your full name:.....
2. Your shipping/home address:.....
3. Your tel no #......
4. Your current office tel no #
5. A copy of your passport.

Try to contact them as soon as possible to avoid increasement of the security keeping fees Note; I didn't tell the Fedex Express Company Service that it's money inside the box, I registered it as a church of a Church Minister Materials. This is to avoid delay or any upfront problem during the delivery. So, do not let them know that the package contents money. Do let me know as soon as you received your package. You will contact me only through e-mail as my phone is no longe available now that I am out from our country. Contact me at samdunbar1986@yahoo.com and I will reply as soon as I can.
I wish you and your family Long Life,
Prosperity and Happy 2008.

Thanks and Remain Blessed.

Yours sincerely,
Mr.Samuel Dunbar
(Secretary)

(Honestly, if you contact FedEx they'll give you tons of money....)

****************************************************************************************

That's your lot for another week....

2.2 million billing records missing on stolen backup tape

Wed, 11 Jun 2008 08:33:06 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University of Utah Hospitals & Clinics
Perpetual Storage, Inc.

Victims:
Patients

Number Affected:
"approximately 2.2 million"

Types of Data:
"names, related demographic information and diagnostic codes" additionally, "Records for a subset of 1.3 million patients also contained Social Security numbers"

Breach Description:
"SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center"

Reference URL:
University of Utah Hospitals & Clinics
The Salt Lake Tribune
Associated Press via KUTV Channel 2 News

Report Credit:
University of Utah Hospitals & Clinics

Response:
From the online sources cited above:

SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center
[Evan] There is no mention of encryption in any of the news reports I have read regarding this breach, so I am going to go ahead and assume that it was not used. As you read through the publicly available details of this breach below, you will probably agree that the courier driver made an idiotic mistake that he almost certainly regrets, but the University of Utah Hospitals & Clinics is the custodian of this information that should have identified the risks involved with transporting confidential patient records off-site. One of those risks is the possibility that a backup tape may become lost of stolen, which is obviously the case in this breach. Where were preventative controls to account for this unacceptable (in most cases) risk, like encryption?

The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years

people would be notified by a letter at a cost of $500,000 just for stamps and envelopes
[Evan] How much would it have cost to encrypt the information on the tapes? The State of Utah has an exemption in their breach notification law for encrypted information.

The hospital also pledged free credit monitoring

The records were in a gray metal box

The courier, whose name was not released, picked them up in his Ford Explorer on June 1

instead of driving directly to a storage center, he worked a second job and then went home
[Evan] This is the idiotic mistake I was writing about earlier.

The next day, he discovered that someone had broken into his Ford Explorer outside his Kearns home and taken the box

The driver worked for Perpetual Storage Inc. for 18 years and was fired.

Authorities declined to say how easy or difficult it would be to read the records.

The sheriff believes the thief probably thought the box contained money.
[Evan] What it contains could probably be turned into a helluva lot of money!

"The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft," said Salt Lake County Sheriff Jim Winder.
[Evan] Eight days (June 2nd - June 10th) is probably a little too soon for evidence to appear of identity theft.

There's no evidence any of the information on the tapes has been accessed; besides, anyone trying to use the tapes would need specialized equipment to view the contents, Winder said.
[Evan] Specialized equipment like a tape drive?

Eighty percent of the 2.2 million people live in Utah or Idaho, Betz said. The hospital is offering a $1,000 reward for the records. (Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences)

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked. Those wishing to claim the reward may call the Sheriff’s Department at (801) 743-7000.
[Evan] To think of this in pure financial terms. A person could return the tape for $1,000 or could access the tape, sell the information and make maybe $5,000.000+. Maybe a good preventative control for organizations is to assume that criminals are stupid as part of your risk management program (seriously though, it's not).

"We understand this is unwelcome news to our patients," said Betz.

The university had worked with Perpetual Storage for 12 years before the theft

The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Additionally, the health-care system is taking the following steps on behalf of its 2.2 million patients.

Mailing notification letters to all 2.2 million patients and guarantors;
Providing free credit monitoring and restoration service to patients whose records included Social Security numbers;
Providing a toll-free information line at 1-866-581-3599 to respond to questions; and
Establishing a website at healthcare.utah.edu/billingrecordstheft that provides information and resources.

Victim Reaction:
Tuesday's news was especially unsettling for people like Will Taylor, of West Valley City, whose premature daughter is a patient at University Hospital. Taylor has already been the victim of identity theft once, when thieves racked up credit card charges in his name.

"I will ask [the hospital] what precautions I can take and what they are doing about it," he said.

"If our information isn't safe, then what is?" patient Dan Christenson, of Salt Lake City, said Tuesday after learning of the theft.

Commentary:
I would be more understanding if this were the first breach ever reported where a backup was stolen that contained personal information, but it's not. Employing backup tapes without encryption is a very well documented risk, so why do large organizations still accept it?

Past Breaches:
March, 2008 - Stolen University Health Care laptop requires notification of 4800

Sometimes danger lurks right under our nose.

Thu, 05 Jun 2008 18:23:00 +0000

When Executive Protecion Specialists think and speak about "Threat Assessment", they are usually focusing on a known or suspected danger that may prove life-threatening. Sometimes, that danger may already have made itself at home and is silently destroying lives and eating away at victims like a cancerous growth.

One such story was highlighted by the "Washington Post Magazine" on May 25th, 2008. It involved a young girl who had been molested and raped by her own father. A man who was something of a hero to many. A man who had walked side by side with Dr. martin Luther king and who was only a few feet away from the Civil Rights leader when he was assasinated. That man is James Bevel.

I had the pleasure of listening to Col. Dave Grossman speaking at UCLA last April. He was eloquent in his description of how young lives are taken and families estroyed by School killings. He also spoke about those who prey on the less suspecting. He equated it to the Wolves hunting down and eating sheep. Mr. Bevel appears to be one of those parasitic wolves.

For years he raped his little daughter, telling her it was something of an "experiment". In his mind, he didn't think that it mattered. His unfathomable belief (and apparently remains the same until this day) is that all women are prostitutes until they reach a certain age, when sex is set aside for procreation. This beleif allowed him to allegedly rape his eight year old daughter on many occassions.

His daughter, Aaralyn Mills, finally found the courage to step foward and contact the Police in 2005. She assisted the Leesburg authorities to tape record her conversation with her father. In that conversation, James Bevel admitted raoping his daughter and that it was part of a scientific process. Unfortunately, her mother, like many other mothers, did not want or couldn't face the truth. This gave the big, bad wolf all the space he needed to desecrate the little sheep.

Sadly, men like this are living throughout our communities. they come in all shapes, sizes nd colors. Some are Doctors, Community leaders, Priests, Police Officers, Electricians and Preachers. If you have been entrusted with the job of protecting an innocent lamb, be a strong and fearful sheepdog and protect your flock, with your very life if need be. Be brave like Aaralyn Mills. She stepped forward at this time in her life because her father who has many children with many different women has now a young daughter and her half-siter is afraid that he will rape her too.

Two HSBC breaches with similar circumstances

Mon, 02 Jun 2008 05:40:52 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
HSBC Branch at Bayview & Major Mackenzie (CA)
HSBC Branch in UK (Cheshire)

Victims:
Customers

Number Affected:
Unknown, "hundreds of bank customers" in Canada

Types of Data:
"personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK

Breach Description:
Two breaches were reported in the past week affecting HSBC customers in Canada and the UK. In Canada, "A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road." In the UK "papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street."

Reference URL:
CTV News Toronto
Wigan Observer

Report Credit:
CTV News Toronto and Richard Bean at the Wigan Observer

Response:
From the online sources cited above:

In Canada:
A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.

He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.
[Evan] Information security aims to reduce the risk of unauthorized disclosure, modification, and destruction of confidential information to an "acceptable level" no matter what form the confidential information takes. Unauthorized disclosure of confidential information on paper is just as damaging as unauthorized disclosure of confidential information on a backup tape, CD, laptop, etc.

he was in the Bayview Avenue and Major Mackenzie Drive area when he spotted the redbag at the side of the road with the HSBC bank logo emblazoned at the front.
[Evan] I presume that this bag was lost in shipment. Was the information in the bag or the bag itself inventoried? Do you suppose the bank would have ever noticed that the bag was missing?

the bag belonged to the HSBC branch at Bayview and Major Mackenzie

"There were about 300 of them," he told CTV Toronto Saturday night. "There were more documents in there destroyed by the rain."

he tried to contact the bank but didn't have much luck

York Regional Police are speaking with bank officials as they investigate how the sensitive information ended up on the side of a road.

In the UK:
An investigation is under way after bank details of Wigan customers were found dumped in Cheshire.
[Evan] Does "dumped" mean thrown away, like in a dumpster?

The confidential 60-page sheaf of A4 documents, featured lists of customers of high street bank HSBC.

Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.
[Evan] Sheesh. A bad guy (or gal) could do a helluva lot of damage with this information.

The papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street.

Lynne Stewart, 47, whose children found the documents, has informed the police and is waiting for them to collect them

She said: "I would be extremely worried and angry if I was a customer of theirs because this is just the type of stuff that criminal gangs would love to get their hands on." She has now filled a bag with as many of the computer print-offs she could find, although fears that many more have blown away on the windiest day of the year.

The papers were initially found by her nine-year-old daughter Xxxxxx who then alerted her brother Xxxxxx, 12.
[Evan] My comment here is not related to the breach itself, but I feel a little uncomfortable using children's names publicly.

Neither understood the significance of the papers – although Mrs Stewart immediately did.

She said: "Reece had been to get his ball back after it had bounced into a sub-station and says he saw a pile on top of the transformer and they were whistling around in the gale.

"But it was Jessica who grabbed one as it blew past her in the street and showed it to me.

"I have counted at least 15 pages of lists of names and account details before you even start to talk about letters applying for credit cards and photo copies of personal documents which people have sent to the bank when they have made these applications.
"I find it very alarming that this kind of information is just blowing about in the street.
[Evan] No doubt!

"Surely in this day and age when ID fraud is all over the news the bank should be more careful about this information being printed out on paper."

A spokesman for HSBC, which has branches in Mesnes Road and Wallgate, said: "HSBC is investigating the find of documents found in Greater Manchester over the weekend.

"The security of our customers' personal information is of paramount importance and we have stringent procedures in place to guard against their loss.
[Evan] Is everyone aware of and following the "stringent procedures"?

"Without speculating on how this occurred, something has clearly gone wrong, and we are extremely disappointed to hear of these particular circumstances.

"When the cause of the incident has been determined, we will be reviewing our processes to ensure this does not happen again."
[Evan] In my opinion, promises that are made but cannot be fulfilled lead to a loss of confidence.

A UK Victim's Reaction:
"I can't believe it. The first I knew was when I was contacted by the person who found them. It is unforgivable that the bank would firstly lose such confidential details and then fail to tell its clients what had happened."

"I have been with this bank since I was a young lad and it is very disappointing indeed."

Commentary:
Let's take this from both sides for a second. Poor information security practice led to these two breaches. Real lives are affected when these things happen and HSBC should be more careful in the way they protect confidential personal information. I count five publicly reported breaches from HSBC in the past six months including the two in this post. There are likely more that weren't reported publicly as well.

Now the other side, for arguments sake. HSBC is a huge company with ~10,000 offices in 83 countries and territories around the world. I presume that they also have hundreds of thousands of customers (maybe millions). Information security breaches in companies this large and diverse are bound to happen. It isn't possible to eliminate them, so the best you can hope to do is reduce risk to a level that is "acceptable" to management and shareholders. Information security personnel are not in the risk elimination business, we are in the risk reduction business. This is reality.

Past Breaches:
May, 2008 - HSBC loses a server in branch renovation
April, 2008 - HSBC loses disc with 370,000 customer details
February, 2008 - Five-year-old wanders into bank branch after-hours

Watching CNN can ruin your day!

Mon, 28 Apr 2008 08:45:21 +0000

When I work from my home office I usually keep CNN on in the background to keep up on the world. However, I have to say that it is just too damn depressing. A sample of today's news:

Gas prices continue to go up about a penny or two a day, over 30 cents in last few weeks!
Oil hit new highs
Credit card companies are raising interest rates and fees drastically
Food staples like wheat, rice, etc. are up from 10% and up
Some crazy nut in Austria locked his daughter in a dungeon for 24 years and fathered 7 children with her, one who died and he disposed of the body (This is just a disgusting story)
Home prices remain depressed and foreclosures remain high
Airlines either have to merge or go out of business

Geez, what this country needs is a good fantasy for us to lose ourselves in. A new Star Wars or something to take our mind off of dealing with reality. It has got to get better, doesn't it?