<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: detective]]></title>
    <link>http://securityratty.com/tag/detective</link>
    <description></description>
    <pubDate>Mon, 18 Feb 2008 13:46:17 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Would you feel safe with this man looking after you?]]></title>
      <link>http://securityratty.com/article/8449600c6be4b5f5790eebbbff0d12d3</link>
      <guid>http://securityratty.com/article/8449600c6be4b5f5790eebbbff0d12d3</guid>
      <description><![CDATA[That was the caption under the picture of rocker Ted Nugent in last Tuesday's Guardian. Nugent had volunteered to be Sir Paul McCartney's &quot;Bodyguard&quot; when he played a concert in Israel
...]]></description>
      <content:encoded><![CDATA[<a href="http://1.bp.blogspot.com/_1UFxC-OgSnA/SN_3k0Kss4I/AAAAAAAAAGc/0WSQmbx1zdU/s1600-h/Mugshot__TED-NUGENT.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_1UFxC-OgSnA/SN_3k0Kss4I/AAAAAAAAAGc/0WSQmbx1zdU/s320/Mugshot__TED-NUGENT.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5251187902388155266" /></a><br />That was the caption under the picture of rocker Ted Nugent in last Tuesday's <a href="http://www.guardian.co.uk/music/2008/sep/23/paul.mccartney.popandrock">Guardian</a>.  Nugent had volunteered to be Sir Paul McCartney's "Bodyguard" when he played a concert in Israel. <br /><span id="fullpost"><br />Unfortunately, this is what our industry has to tolerate.  Many people, from broken down celebrity deer hunters to jail guards, think that if you know how to shoot a rifle or open a gate for inmates to go to the yard, it automatically follows that you know everything about protecting the life of an executive.<br /></span><br />So, Ted Nugent knows how to play guitar and shoot deer.  Just what part of that background would equip him to keep the former Beatle safe in the Middle East?  It is certainly not like Mr. Nugent is trying to pull the wool over our eyes when it comes to any specialized training he may have received.  "I'm Dirty Harry with a ponytail", claims the singer.<br /><br />First of all Mr. Nugent, "Dirty Harry" was a film produced by Hollywood to entertain people, not a "training aid".  Secondly, even if we were to stretch our imaginations and consider Harry Callahan's actions, we would recall that the character was a Police Detective and as such, would have undergone rigorous training at a professional Police Academy.<br /><br />Referring to reported Islamic Extremist Death Threats made against McCartney if he insisted on playing the concert, Nugent informed us that he "will not bend or waver to Voodoo Religions or Whackjobs".
<br /><br />It is unknown whether or not Mr. Nugent thinks that Islamic Extremists come from Haiti, but if he is serious about a future career in Executive Protection, we would advise him to attend our <a href="http://www.sextonsecurity.com/training.html">upcoming course in Dubai </a>next month where he will not only learn first hand the Art of Personal Protection, but he will also learn about Middle Eastern Cultures, Tradition and Religion.<br /><br />Unfortunately, there's no way of predicting how much culture we may be able to pass on to Mr. Nugent, as the course is only a little over a week long.  We will also be teaching etiquette and which knife and fork to use when attending a formal event with your Principal.  That's right Ted, you don't get to tear the meat from the bone with your hands.  <br /><br />Someone call the U.A.E. and let the Hilton know that we may have to stay longer than planned.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Sun, 28 Sep 2008 16:44:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ted nugent">ted nugent</category>
      <category domain="http://securityratty.com/tag/nugent">nugent</category>
      <category domain="http://securityratty.com/tag/ted">ted</category>
      <category domain="http://securityratty.com/tag/dirty harry">dirty harry</category>
      <category domain="http://securityratty.com/tag/deer">deer</category>
      <category domain="http://securityratty.com/tag/sir paul mccartney">sir paul mccartney</category>
      <category domain="http://securityratty.com/tag/mccartney">mccartney</category>
      <category domain="http://securityratty.com/tag/celebrity deer hunters">celebrity deer hunters</category>
      <category domain="http://securityratty.com/tag/professional police academy">professional police academy</category>
      <source url="http://www.thebulletproofblog.com/2008/09/would-you-feel-safe-with-this-man.html">Would you feel safe with this man looking after you?</source>
    </item>
    <item>
      <title><![CDATA[D.C. Police Detective Arrested for Propositioning a "Prostitute".]]></title>
      <link>http://securityratty.com/article/5764d3c57a7c61891d6d10d70473d035</link>
      <guid>http://securityratty.com/article/5764d3c57a7c61891d6d10d70473d035</guid>
      <description><![CDATA[Sometimes clients call us up and ask if we can send them off-duty cops for Executive Protection assignments. My first inclination is to tell them why we are reluctant to use off-duty police
...]]></description>
      <content:encoded><![CDATA[Sometimes clients call us up and ask if we can send them off-duty cops for Executive Protection assignments.  My first inclination is to tell them why we are reluctant to use off-duty police. <br /><span id="fullpost"><br />Yesterday, WTOP radio reported that a Detective Wheeler from the Washington D.C. Metropolitan Police had been arrested for trying to hire a Prostitute.  Unfortunately for Detective Wheeler, the "prostitute" was an undercover Police Detective herself.<br /><br />The story gets better, however.  It seems that Detective Wheeler is assigned to the Vice Unit.  For those of you who don't know what a Vice Unit does, they set up "stings" and dress female Police officers to look like prostitutes in order to arrest those who try and do business with "prostitutes".  One wonders if Detective Wheeler should be charged with the prostitution charge or one involving gross stupidity. <br /><br />Just because a Police officer carries a gun does not mean that this qualifies him or her to do everything security related.  While most of them are decent, hard working individuals, there are also some who break laws and circumvent the system for their own benefit.  When you hire an "off-duty cop", you do not know what you are getting.  Perhaps you will get a bad apple(s) who will do more harm than good.  After all, what way is there to vet them?<br /><br />A professional security company like ours trains its own people and enforces from day one a strong sense of Ethics.  We have a zero-tolerance policy for any behaviour that might be detrimental to us or the client.  On the rare occasion when someone does something that we do not condone, they are terminated.  There is no room for Union intervention or "three strikes, you're out" or any other delaying tactic.  <br /><br />Our reputation is too important.  Then again, we do not have "jobs for life" but must instead earn business by constantly performing.  
The next time you need a security person, keep this in mind.<br /></span>]]></content:encoded>
      <pubDate>Sat, 12 Jul 2008 14:58:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/detective wheeler">detective wheeler</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security person">security person</category>
      <category domain="http://securityratty.com/tag/professional security company">professional security company</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/vice unit">vice unit</category>
      <category domain="http://securityratty.com/tag/time clients call">time clients call</category>
      <category domain="http://securityratty.com/tag/prostitute">prostitute</category>
      <category domain="http://securityratty.com/tag/executive protection assignments">executive protection assignments</category>
      <source url="http://www.thebulletproofblog.com/2008/07/dc-police-detective-arressted-for.html">D.C. Police Detective Arrested for Propositioning a "Prostitute".</source>
    </item>
    <item>
      <title><![CDATA[Florida's Agency for Health Care Administration reports a breach]]></title>
      <link>http://securityratty.com/article/9fbf858547c6670a14d3e4ee147593fc</link>
      <guid>http://securityratty.com/article/9fbf858547c6670a14d3e4ee147593fc</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/7/08

Organization
State of Florida

Contractor/Consultant/Branch
Agency for Health Care Administration

Victims
registered organ donors

Number...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/ahca.jpg" width="111" align="right" height="42"><font size="2"><strong>Date Reported: </strong><br>7/7/08<br><br><strong>Organization: </strong><br><a href="http://www.myflorida.com/">State of Florida</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.fdhc.state.fl.us/">Agency for Health Care Administration</a> <br><br><span style="font-weight: bold;">Victims:</span><br>registered organ donors<br><br><span style="font-weight: bold;">Number Affected:</span><br>"about 55,000"<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, birth dates, driver license numbers and Social Security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.ahca.myflorida.com/Organ/faq.htm">AHCA FAQs</a> <br><a href="http://www.heraldtribune.com/article/20080707/APN/807071178">Sarasota Herald-Tribune</a> <br><a href="http://www.wctv.tv/home/headlines/24080734.html">WCTV CBS News</a> <br><a href="http://www.baltimoresun.com/topic/orl-b3report09_508jul09,0,4124063.story">Orlando Sentinel</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Sarasota Herald-Tribune<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>TALLAHASSEE, Fla. 
- State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.<br><br>The Agency for Health Care Administration said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.<br><br>"We stopped all access to the database, identified the flaws and corrected them."<br><span style="font-style: italic;">[Evan]&nbsp; This breach makes me wonder a couple of things.&nbsp; Is information security testing part of the development lifecycle and change control?&nbsp; I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.</span><br><br>The database includes donors' names, addresses, birth dates and driver license numbers.<br><br>The agency is sending letters to inform individuals of the flaw.<br><span style="font-style: italic;">[Evan] What kind of flaw, do you suppose?&nbsp; A code flaw, an administrative/process flaw, a configuration flaw?</span><br><br>AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.<br><span style="font-style: italic;">[Evan] No logging?&nbsp; Logging of the systems, processes, and people accessing confidential information is a must.&nbsp; Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).</span><br><br>The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.<br><span style="font-style: italic;">[Evan] What does the "breach happened on June 20" mean?&nbsp; It could mean that a flaw was detected on June 20, but could have been in existence for longer.&nbsp; It could mean that a vulnerability was actually exploited on June 20.&nbsp; I guess it really 
depends on your definition.&nbsp; I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.</span><br><br>"If you have not received a letter our logs note that your information was not affected by this security flaw."<br><br>A couple of FAQs:<br>Q: If I have additional questions regarding this issue, what should I do?<br>A: You can call 866 757 0677.&nbsp; This number is open Monday through Friday from 8AM to 7PM Eastern.<br><br>Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?<br>A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.<br><span style="font-style: italic;">[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".</span><br><br><span style="font-weight: bold;">Commentary:</span><br>Ugh!&nbsp; I am left with too many questions about this breach.&nbsp; On the surface, this breach doesn't look all that significant unless of course, you are a victim.&nbsp; When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA.&nbsp; With less detail, it is easier to imagine. <br><br><span style="font-weight: bold;">Past Breaches:</span><br><span style="font-weight: bold;">State of Florida:</span><br>January, 2008 - <a href="http://breachblog.com/2008/01/04/dcf.aspx">Five stolen Florida Department of Children and Families laptops</a> <br></font><br><br>
]]></content:encoded>
      <pubDate>Wed, 09 Jul 2008 07:15:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/flaw">flaw</category>
      <category domain="http://securityratty.com/tag/configuration flaw">configuration flaw</category>
      <category domain="http://securityratty.com/tag/health care administration">health care administration</category>
      <category domain="http://securityratty.com/tag/database includes donors">database includes donors</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <source url="http://breachblog.com/2008/07/09/ahca.aspx">Florida's Agency for Health Care Administration reports a breach</source>
    </item>
    <item>
      <title><![CDATA[University of Florida student information online for years]]></title>
      <link>http://securityratty.com/article/70535b81354ea161a0135979f7d38509</link>
      <guid>http://securityratty.com/article/70535b81354ea161a0135979f7d38509</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/11/08

Organization
University of Florida

Contractor/Consultant/Branch
Office for Academic Support and Institutional Services

Victims
Students
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/uflorida.jpg" align="right" height="165" width="165"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/11/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.ufl.edu/">University of Florida</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://web.oasis.ufl.edu/">Office for Academic Support and Institutional Services</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Students <br><br><span style="font-weight: bold;">Number Affected:</span><br>"more than 11,300"<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses and Social Security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://privacy.ufl.edu/CLASBreach/">University of Florida</a> <br><a href="http://www.miamiherald.com/top_stories/story/565567.html">Miami Herald</a> <br><a href="http://insideuf.ufl.edu/2008/06/10/clas-breach/">Inside UF</a> <br><a href="http://www.upi.com/Top_News/2008/06/11/Security_breached_at_Florida_university/UPI-38151213211913/">United Press International</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>University of Florida<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>GAINESVILLE, Fla. 
- University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.<br><span style="font-style: italic;">[Evan] Not "may have been".&nbsp; The information was accessible to the public and was not even protected by a password.</span><br><br>The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.<br><span style="font-style: italic;">[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!</span><br><br>School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.<br><span style="font-style: italic;">[Evan] There is no security through obscurity.</span><br><br>"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman<br><span style="font-style: italic;">[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low".&nbsp; As I understand, the server was publicly accessible, presumably via the internet.&nbsp; If so, was the site indexed by search engines like Google, Yahoo, and Microsoft?&nbsp; It is much easier to find information through a search index because folder structure is much less relevant.&nbsp; The fact that this information was available for 3-5 years adds to the risk too.&nbsp; I only know what I read and based on this and experience, I wouldn't classify this as a "very low" risk situation.&nbsp; Either way, the risk was increased due to poor information security practice and was not necessary. 
</span><br><br>"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.<br><span style="font-style: italic;">[Evan] This indicates poor logging and monitoring which are both essential detective controls (in most situations).&nbsp; Information security personnel (or admins) should be empowered to reconstruct events.</span><br><br>"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.<br><span style="font-style: italic;">[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately.&nbsp; Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.</span><br><br>Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."<br><br>The information has been removed and is no longer available online or elsewhere in the UF systems.<br><br>The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.<br><br>The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well<br><span style="font-style: italic;">[Evan] I have so many questions and arguments.&nbsp; Were the students aware of the risks?&nbsp; If not, then there is probably an information security training and awareness problem.&nbsp; Why was it necessary to include Social Security numbers in the records?&nbsp; Why were the seemingly untrained students allowed to post the information without being stopped or detected?&nbsp; I have many more questions, but I am starting to confuse myself 
now.</span><br><br>The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.<br><span style="font-style: italic;">[Evan] Here's my take on the word "compromised".&nbsp; If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised".&nbsp; </span><br><br>University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.<br><br>Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to <a href="http://privacy.ufl.edu">privacy.ufl.edu</a> and read the information posted there before calling the privacy hotline.<br><br>"This would certainly appear to be the largest privacy breach we've had," Orlando said.<br><br>We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place<br><span style="font-style: italic;">[Evan] Good start.</span><br><br><span style="font-weight: bold;">Victim Reaction:</span><br>"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. 
"It's just silly".<br><br>"It's negligence on their part, especially if anyone has been affected with identity theft,"<br><br>Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.<br><br>"They always make information very prominent when you have a hold or owe them money," Arias said.<br><br><span style="font-weight: bold;">Commentary:</span><br>This is a case where poorly trained students are granted access or obtained access to confidential information and posted the information to an unsecured location which went undetected for years.&nbsp; Bad all around.&nbsp; <br><br><span style="font-weight: bold;">Past Breaches:</span><br>May, 2008 - <a href="http://breachblog.com/2008/05/22/uflorida.aspx">University of Florida doctor loses job over breach</a> <br>November, 2007 - <a href="http://breachblog.com/2007/11/28/uf.aspx">University of Florida student info online</a> </font><br><br>
]]></content:encoded>
      <pubDate>Thu, 12 Jun 2008 06:41:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information online">information online</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/information security personnel">information security personnel</category>
      <category domain="http://securityratty.com/tag/student information">student information</category>
      <category domain="http://securityratty.com/tag/security measures">security measures</category>
      <category domain="http://securityratty.com/tag/install security measures">install security measures</category>
      <source url="http://breachblog.com/2008/06/12/uflorida.aspx">University of Florida student information online for years</source>
    </item>
    <item>
      <title><![CDATA[Online theft and fraud involves OSU Bookstore customers]]></title>
      <link>http://securityratty.com/article/8476417975cb621bc420aa71c01e43ab</link>
      <guid>http://securityratty.com/article/8476417975cb621bc420aa71c01e43ab</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/3/08

Organization
Oregon State University

Contractor/Consultant/Branch
OSU Bookstore, Inc

OSU Bookstore is a nonprofit corporation that has been...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/osubooks.jpg" align="right" height="51" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/3/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://oregonstate.edu/">Oregon State University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.osubookstore.com/">OSU Bookstore, Inc.</a>* <br><br><font size="1">*OSU Bookstore is a nonprofit corporation that has been serving Oregon State University and the town of Corvallis since 1914. Our main store is located in the Memorial Union on the Oregon State University campus.&nbsp; Today, as in 1914, the bookstore is governed by a Board of Directors composed of faculty, staff, and students of Oregon State University.</font><br><br><span style="font-weight: bold;">Victims:</span><br>Online customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>"as many as 4,700"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Personal information including credit card numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"The Oregon State Police is investigating the theft of personal information from as many as 4,700 online customers of the OSU Bookstore who used credit cards to purchase items."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.dhonline.com/articles/2008/06/03/news/local/5loc10_osu.txt">Albany Democrat Herald</a> <br><a href="http://www.kval.com/news/local/19535104.html">Associated Press via KVAL Channel 13 News</a> <br><a href="http://www.kval.com/news/local/19549224.html">KVAL Channel 13 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Albany Democrat Herald<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>CORVALLIS, Ore. 
(AP) - Oregon State officials say credit card scammers may have defrauded 4,700 online customers of the school's bookstore.<br><br>In March, OSP began an investigation into a report that approximately 30 OSU Bookstore customers’ personal information may have been compromised following online orders.<br><span style="font-style: italic;">[Evan] Unfortunately, the bookstore did not appear to be monitoring web traffic to and from the server to detect unusual (and potentially attack) traffic. The fact that this detective control was missing from the security architecture meant that the bookstore had to rely on customers to tell them something was wrong.&nbsp; An incident response should have probably been initiated at this point (March, not May).</span><br><br>Then last week, telephone calls and e-mails began coming into the bookstore from customers who had noticed fraudulent charges on their credit cards almost immediately after placing online orders.<br><br>Bookstore General Manager Steve Eckrich says servers were shut down when the security breach was discovered.<br><span style="font-style: italic;">[Evan] 2+ months after the bookstore was originally notified that something was wrong.&nbsp; At the time of this post, the site is still down.</span><br><br><img src="http://images.quickblogcast.com/95781-88451/osubooksdown.jpg" border="0" width="576"><br><br>"They tried different attacks and our Web site evidently had one vulnerability in it," said General Manager Steve Eckrich.<br><span style="font-style: italic;">[Evan] I would bet my cup of coffee that the Web site had more than one vulnerability!&nbsp; I love my coffee.&nbsp; Where is the IDS/IPS?</span><br><br>The Bookstore has alerted its online customers who had made a purchase.<br><br>State Police Lieutenant Jeff Lanz says the security breach appears to have originated outside the university, but where is unknown.<br><br>The OSU Bookstore has hired an outside agency to help with its own investigation and to provide 
guidance on strengthened security safeguards for its computing network.<br><span style="font-style: italic;">[Evan] Good call; it just stinks that the bookstore was reactive and not proactive.</span><br><br>"We'll be using their recommendations not only to solve that particular problem that was exploited but to add additional layers of security on top of that so that information is not exposed or cannot be exposed in the way that it was,"<br><span style="font-style: italic;">[Evan] Another good call.</span><br><br><span style="font-weight: bold;">Commentary:</span><br>Obviously the OSU Bookstore did not employ the proper security controls to #1 secure the site, #2 detect a breach, and #3 respond to a breach.&nbsp; Three strikes.&nbsp; Poor planning and poor implementation.&nbsp; I hope that OSU Bookstore, Inc. takes the proper steps to formalize their information security program and reduce risk.&nbsp; We'll see. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 05:42:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bookstore">bookstore</category>
      <category domain="http://securityratty.com/tag/osu bookstore">osu bookstore</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/online">online</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <source url="http://breachblog.com/2008/06/05/osubooks.aspx">Online theft and fraud involves OSU Bookstore customers</source>
    </item>
    <item>
      <title><![CDATA[1st Source Bank reissues all debit cards in response to breach]]></title>
      <link>http://securityratty.com/article/6badbe70f0f784d2a4c54ac1d44b88a2</link>
      <guid>http://securityratty.com/article/6badbe70f0f784d2a4c54ac1d44b88a2</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/30/08

Organization
1st Source Bank

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
Unknown

Types of Data
Debit card...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/1stsource.jpg" align="right" height="58" width="180"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.1stsource.com/">1st Source Bank</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Debit card information including Track 2 data contained on magnetic stripes and some PIN numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.digitaltransactions.net/newsstory.cfm?newsid=1804">Digital Transactions News</a> <br><a href="http://www.wsbt.com/news/local/19416024.html">WSBT TV News</a> <br><a href="http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20080531/News01/805310350/0/Lives">South Bend Tribune</a> <br><a href="http://www.journalgazette.net/apps/pbcs.dll/article?AID=/20080605/BIZ/806050366">The Journal Gazette</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>WSBT TV News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data.<br><span style="font-style: italic;">[Evan] I wonder how many debit cards are in its "entire portfolio".&nbsp; I'm guessing that the number is in the tens of 
thousands.</span><br><br>a hacker broke into the system from the outside and compromised the system.<br><br>No fraud has been discovered as a result of the intrusion<br><br>The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. "We immediately saw that and shut it down," says Seitz.<br><span style="font-style: italic;">[Evan] It appears as though the bank employs a managed security services provider for intrusion detection monitoring and alerting (and possibly more).&nbsp; Using a third-party provider as a part of information security strategy is probably a good idea for organizations that do not have, cannot afford, or do not want to build in-house expertise.&nbsp; Managing third-party service agreements can sometimes be quite a challenge.</span><br><br>The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.<br><br>"The server that holds our debit card information they were in there and they transferred information out. But we can't really tell if it was 10, 20, or 30 percent of our card holders," said Seitz.<br><br>They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases. "They got some PIN numbers, but a very small percentage compared to the debit card base that we have," says Seitz.<br><br>Exactly how the hackers tapped the server isn’t publicly known.<br><span style="font-style: italic;">[Evan] This will be determined as part of the forensic investigation, but publicly this may never be known.&nbsp; We can only speculate. The information that was compromised is very sensitive and should have never been accessible from the "outside". 
Who knows if the server was actually compromised directly or through another avenue of attack.&nbsp; See, I am speculating.&nbsp; Thankfully, the bank had detective controls in place.</span><br><br>1st Source Bank is sending out letters reminding their customers to check their recent bank account activity.<br><span style="font-style: italic;">[Evan] As people should anyway.</span><br><br>"Out of an overabundance of care, we’re reissuing new debit cards to all our customers"<br><span style="font-style: italic;">[Evan] We could argue "overabundance".</span><br><br>the bank is reissuing all cards, which are MasterCard-branded, as a precaution<br><br>1st Source also is offering customers free credit-report monitoring for a year.<br><br>He adds that he couldn’t comment about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.<br><span style="font-style: italic;">[Evan] The Visa U.S.A. Cardholder Information Security Program (CISP) "List of Compliant Service Providers - All" is </span><a style="font-style: italic;" href="http://www.usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf?it=c%7C/merchants/risk_management/cisp.html%7CCISP%20List%20of%20Compliant%20Service%20Providers">here</a><span style="font-style: italic;"> (a little different, but good information nonetheless).</span><br><br>"We are working with law enforcement to find these bad guys, and we didn't want to tip them off," said James Seitz<br><span style="font-style: italic;">[Evan] Chances are that the "bad guys" already know what they have.</span><br><br>"Our number one priority is our customers. 
We shut everything down right away and hired the best people we could get our hands on to see what happened here and to make sure it doesn't happen again," said Seitz.<br><br>1st Source began working with law enforcement and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and to help determine who was behind it.<br><span style="font-style: italic;">[Evan] 1st Source should be commended for not hesitating to bring in outside help.</span><br><br>It has taken a while to get all the information out about the breach, Seitz said, since the bank had to spend time going through all of its laptops and computer systems.<br><br>"You've got to understand what you have," he said.<br><span style="font-style: italic;">[Evan] A high-priority task for information security governance is to understand what you have. During an incident response is not a good time to figure out what you have.</span><br><br>Though the breach is something rather new for 1st Source, Seitz said these types of breaches seem to be hitting businesses in general more and more this day and age.<br><br>"Certainly, it's never happened to us before," Seitz said. "But it's becoming more prevalent. Daily, banks are going through this."<br><span style="font-style: italic;">[Evan] Breaches are as prevalent or more prevalent than they have ever been.&nbsp; I agree with Mr. Seitz.&nbsp; Recognizing this fact, what excuses do organizations have for not investing in and properly managing information security programs?&nbsp; I am not saying that 1st Source does not, I am writing in general terms.</span><br><br>Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach. Seitz called it a "considerable cost."<br><br>"Actually, our customers have been very understanding," he said. 
"Obviously, this is something that puts a little stress on that relationship."<br><br><span style="font-weight: bold;">Customer Reactions:</span><br>"My main worry is that my money is going to be gone tomorrow when I go to my account," said Jeremy Reinke, a 1st Source Bank customer.<br><br>"Is my money still in my account, and can they correct this so it doesn't happen again?" asked Chris Stump, another customer who hadn't heard about the May 12 security breach. "I guess in some ways I would have liked to know by now."<br><br><span style="font-weight: bold;">Commentary:</span><br>Judging from the customer comments I have read, people are concerned about the breach, but not angry with 1st Source Bank.&nbsp; I think this is because they perceive the bank's response to be open and genuine.&nbsp; The bank did employ proper controls to identify this breach early on and provided notice to customers in a timely manner.&nbsp; The fact that the bank took additional steps like re-issuing cards and providing credit monitoring only adds to the favorable perception.<br><br>I am still interested in knowing more detail around how an unauthorized outside entity was able to access this sensitive information in the first place.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
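<p>Both breach write-ups above turn on the same detective control: the OSU Bookstore apparently had nothing watching traffic to and from its web server, while 1st Source's outside monitoring service noticed an unusual flow of data leaving a server that held debit card data. The Python below is an added example, not code from breachblog.com, 1st Source Bank or its monitoring provider. It works from constructed per-day outbound byte counts for two servers (the host names, the 10.0.0.5 and 203.0.113.7 addresses, and every threshold are assumptions), compares each server's outbound volume on the day under review with that server's own median/MAD baseline, and raises an alert naming the top destination when the volume jumps far outside the baseline.</p>

```python
"""Volumetric exfiltration detector over per-host outbound flow totals.

Added example, not from breachblog.com or 1st Source Bank. All flow records
are constructed; host names, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed baseline (assumed figures): daily outbound bytes per server, days 1-7.
BASELINE_DAYS = {
    "cardsrv": [96_000, 101_000, 99_000, 104_000, 98_000, 100_000, 103_000],
    "websrv": [5_000_000, 5_200_000, 4_900_000, 5_100_000, 5_300_000, 5_000_000, 5_050_000],
}


def constructed_flows():
    """Return constructed (day, src_host, dst_ip, bytes_out) flow summaries.

    Days 1-7 are the hosts' normal behaviour. On day 8 websrv is still
    normal, but cardsrv sends 2.5 MB to an outside address (203.0.113.7 is
    a documentation-range address used here as a placeholder).
    """
    flows = []
    for host, daily in BASELINE_DAYS.items():
        for day, total in enumerate(daily, start=1):
            flows.append((day, host, "10.0.0.5", total))
    flows += [
        (8, "websrv", "10.0.0.5", 5_400_000),
        (8, "cardsrv", "10.0.0.5", 100_000),
        (8, "cardsrv", "203.0.113.7", 2_500_000),
    ]
    return flows


def daily_outbound(flows):
    """Aggregate flows into host -> day -> bytes and host -> day -> dst -> bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    by_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        by_dst[host][day][dst] += nbytes
    return totals, by_dst


def robust_score(history, value):
    """Median/MAD z-score of value against the host's own history.

    Median and MAD are used instead of mean and standard deviation so that a
    single earlier spike (or the first day of an ongoing theft) does not
    inflate the baseline and mask the next one. A flat history (MAD == 0)
    is handled explicitly: any increase counts as unbounded evidence.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad


def detect_exfil(flows, today, threshold=5.0, min_bytes=1_000_000, min_history=5):
    """Flag hosts whose outbound volume on `today` is far above their baseline.

    Two conditions must hold: a robust z-score above `threshold` and an
    absolute floor `min_bytes`, so a quiet host going from 1 KB to 20 KB does
    not page anyone. Both values are assumptions to tune per network.
    """
    totals, by_dst = daily_outbound(flows)
    alerts = []
    for host, per_day in sorted(totals.items()):
        history = [b for d, b in per_day.items() if d < today]
        if len(history) < min_history or today not in per_day:
            continue  # not enough baseline, or nothing seen today
        value = per_day[today]
        score = robust_score(history, value)
        if score > threshold and value >= min_bytes:
            top_dst, top_bytes = max(by_dst[host][today].items(), key=lambda kv: kv[1])
            alerts.append({
                "host": host,
                "bytes_today": value,
                "baseline_median": median(history),
                "score": round(score, 1),
                "top_dst": top_dst,
                "top_dst_bytes": top_bytes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(constructed_flows(), today=8):
        print(alert)
```

<p>Run as a script it prints one alert, for cardsrv on day 8, with 203.0.113.7 as the destination that received most of the data; websrv, whose volume drifts but stays within its own day-to-day variation, is not flagged. In production the per-day totals would come from flow, firewall or proxy logs, and keeping the per-destination breakdown is what lets a responder answer "where did it go" instead of only "how much left".</p>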
]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 05:09:56 +0000</pubDate>
      <category domain="http://securityratty.com/tag/1st source">1st source</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/1st source bank">1st source bank</category>
      <category domain="http://securityratty.com/tag/evan 1st source">evan 1st source</category>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/bank server">bank server</category>
      <category domain="http://securityratty.com/tag/bank officials">bank officials</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/bank employs">bank employs</category>
      <source url="http://breachblog.com/2008/06/05/1stsource.aspx">1st Source Bank reissues all debit cards in response to breach</source>
    </item>
    <item>
      <title><![CDATA[London's Cameras Don't Reduce Crime]]></title>
      <link>http://securityratty.com/article/f611a1f99f657819a5d90e51bddfc6b7</link>
      <guid>http://securityratty.com/article/f611a1f99f657819a5d90e51bddfc6b7</guid>
      <description><![CDATA[News here and here : Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police...]]></description>
      <content:encoded><![CDATA[<p>News <a href="http://news.bbc.co.uk/1/hi/uk/7384843.stm">here</a> and <a href="http://www.guardian.co.uk/uk/2008/may/06/ukcrime1">here</a>:</p>

<blockquote>Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe.

<p>[...]</p>

<p>Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. "CCTV was originally seen as a preventative measure," Neville told the Security Document World Conference in London. "Billions of pounds has been spent on kit, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3% of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? [They think] the cameras are not working."</p></blockquote>

<p>This, of course, <a href="http://www.schneier.com/blog/archives/2005/03/why_surveillanc.html">is</a> <a href="http://www.schneier.com/blog/archives/2007/08/on_the_ineffect.html">absolutely</a> <a href="http://www.schneier.com/blog/archives/2008/04/the_ineffective.html">no</a> <a href="http://www.schneier.com/blog/archives/2007/09/londons_securit.html">surprise</a>.</p>]]></content:encoded>
      <pubDate>Wed, 07 May 2008 02:53:36 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cctv">cctv</category>
      <category domain="http://securityratty.com/tag/cctv cameras">cctv cameras</category>
      <category domain="http://securityratty.com/tag/cameras">cameras</category>
      <category domain="http://securityratty.com/tag/cctv images">cctv images</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/metropolitan police unit">metropolitan police unit</category>
      <category domain="http://securityratty.com/tag/images">images</category>
      <category domain="http://securityratty.com/tag/senior police officer">senior police officer</category>
      <category domain="http://securityratty.com/tag/officer">officer</category>
      <source url="http://www.schneier.com/blog/archives/2008/05/londons_cameras_1.html">London's Cameras Don't Reduce Crime</source>
    </item>
    <item>
      <title><![CDATA[Privacy and Power]]></title>
      <link>http://securityratty.com/article/bc1f44ab3ae7e63b43c28cd8d37218fb</link>
      <guid>http://securityratty.com/article/bc1f44ab3ae7e63b43c28cd8d37218fb</guid>
      <description><![CDATA[When I write and speak about privacy, I am regularly confronted with the mutual disclosure argument. Explained in books like David Brin's The Transparent Society , the argument goes something like...]]></description>
      <content:encoded><![CDATA[<p>When I write and speak about privacy, I am regularly confronted with the mutual disclosure argument. Explained in books like David Brin's <i>The Transparent Society</i>, the argument goes something like this: In a world of ubiquitous surveillance, you'll know all about me, but I will also know all about you. The government will be watching us, but we'll also be watching the government. This is different than before, but it's not automatically worse. And because I know your secrets, you can't use my secrets as a weapon against me.</p>

<p>This might not be everybody's idea of utopia -- and it certainly doesn't address the <a href="http://www.schneier.com/essay-114.html">inherent value of privacy</a> -- but this theory has a glossy appeal, and could easily be mistaken for a way out of the problem of technology's continuing erosion of privacy. Except it doesn't work, because it ignores the crucial dissimilarity of power. </p>

<p>You cannot evaluate the value of privacy and disclosure unless you account for the relative power levels of the discloser and the disclosee.</p>

<p>If I disclose information to you, your power with respect to me increases. One way to address this power imbalance is for you to similarly disclose information to me. We both have less privacy, but the balance of power is maintained. But this mechanism fails utterly if you and I have different power levels to begin with.  </p>

<p>An example will make this clearer. You're stopped by a police officer, who demands to see identification. Divulging your identity will give the officer enormous power over you: He or she can search police databases using the information on your ID; he or she can create a police record attached to your name; he or she can put you on this or that secret terrorist watch list. Asking to see the officer's ID in return gives you no comparable power over him or her. The power imbalance is too great, and mutual disclosure does not make it OK.</p>

<p>You can think of your existing power as the exponent in an equation that determines the value, to you, of more information. The more power you have, the more additional power you derive from the new data.</p>

<p>Another example: When your doctor says "take off your clothes," it makes no sense for you to say, "You first, doc." The two of you are not engaging in an interaction of equals.</p>

<p>This is the principle that should guide decision-makers when they consider installing surveillance cameras or launching data-mining programs. It's not enough to open the efforts to public scrutiny. All aspects of government work best when the relative power between the governors and the governed remains as small as possible -- when liberty is high and control is low. Forced openness in government reduces the relative power differential between the two, and is generally good. Forced openness in laypeople increases the relative power, and is generally bad.</p>

<p>Seventeen-year-old <a href="http://www.nytimes.com/2007/12/08/nyregion/08about.html">Erik Crespo</a> was arrested in 2005 in connection with a <a href="http://abcnews.go.com/TheLaw/wireStory?id=3968795">shooting in a New York City elevator</a>. There's no question that he committed the shooting; it was captured on surveillance-camera videotape. But he claimed that while being interrogated, Detective Christopher Perino tried to talk him out of getting a lawyer, and told him that he had to sign a confession before he could see a judge.</p>

<p>Perino denied, under oath, that he ever questioned Crespo. But Crespo had received an MP3 player as a Christmas gift, and surreptitiously recorded the questioning. The defense brought a transcript and CD into evidence. Shortly thereafter, the prosecution offered Crespo a better deal than originally proffered (seven years rather than 15). Crespo took the deal, and Perino was separately indicted on charges of perjury.</p>

<p>Without that recording, it was the detective's word against Crespo's. And who would believe a murder suspect over a New York City detective? That power imbalance was reduced only because Crespo was smart enough to press the "record" button on his MP3 player. Why aren't all interrogations recorded? Why don't defendants have the right to those recordings, just as they have the right to an attorney? Police routinely record traffic stops from their squad cars for their own protection; that video record shouldn't stop once the suspect is no longer a threat.</p>

<p>Cameras make sense when <a href="http://www.officer.com/web/online/Top-News-Stories/Cameras-Turn-Lens-on-Police-Activities-/1$40169">trained on police</a>, and in offices where lawmakers meet with lobbyists, and wherever government officials wield power over the people. Open-government laws, giving the public access to government records and meetings of governmental bodies, also make sense. These all foster liberty. </p>

<p>Ubiquitous surveillance programs that affect everyone without probable cause or warrant, like the National Security Agency's warrantless eavesdropping programs or various proposals to monitor everything on the internet, foster control. And no one is safer in a <a href="http://www.schneier.com/essay-203.html">political system of control</a>.</p>

<p>This essay <a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0306">originally appeared</a> on Wired.com.</p>]]></content:encoded>
      <pubDate>Tue, 11 Mar 2008 03:09:57 +0000</pubDate>
      <category domain="http://securityratty.com/tag/relative power differential">relative power differential</category>
      <category domain="http://securityratty.com/tag/relative power">relative power</category>
      <category domain="http://securityratty.com/tag/power">power</category>
      <category domain="http://securityratty.com/tag/relative power levels">relative power levels</category>
      <category domain="http://securityratty.com/tag/power levels">power levels</category>
      <category domain="http://securityratty.com/tag/additional power">additional power</category>
      <category domain="http://securityratty.com/tag/power imbalance">power imbalance</category>
      <category domain="http://securityratty.com/tag/officer enormous power">officer enormous power</category>
      <category domain="http://securityratty.com/tag/officer">officer</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">Privacy and Power</source>
    </item>
    <item>
      <title><![CDATA[Why you nearly need a P.I. to help you hire a private investigator]]></title>
      <link>http://securityratty.com/article/178924b135cbf439a5d019ddd2580d94</link>
      <guid>http://securityratty.com/article/178924b135cbf439a5d019ddd2580d94</guid>
      <description><![CDATA[So, you need a private investigator to help you catch your cheating spouse, or to work undercover in your business to find out who has been stealing or to follow the employee who is claiming workmans...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_1UFxC-OgSnA/R8nDLWTkK3I/AAAAAAAAAFw/jalNkVdxUYI/s1600-h/Fotolia_6173168_XS.PI..jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_1UFxC-OgSnA/R8nDLWTkK3I/AAAAAAAAAFw/jalNkVdxUYI/s320/Fotolia_6173168_XS.PI..jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5172880246745344882" /></a><br />So, you need a private investigator to help you catch your cheating spouse, or to work undercover in your business to find out who has been stealing or to follow the employee who is claiming workman’s comp, but you’ve heard he plays golf every weekend.  What are you to do?<br /><br /><br />     <br /> <br /><br /><span id="fullpost"><br />The first thing I would tell you is NOT to go to the yellow pages and pick out 5 phone numbers and ask how much they charge an hour.  Hourly charges mean nothing.  Think about it, how many of us would call up a doctor or dentist’s office and ask how much they charge an hour?  Not to compare investigators with the medical profession, but your first priority should be: are they qualified to do the job?<br /><br />This is the information age.  You can research anything you want in mere seconds, without leaving the comfort of your own home.  If you are looking for a private investigator in Washington D.C., or San Francisco, go to one of the main search engines and bring up all of the investigators located within a 30 - 50 mile radius.  Do not worry if they are a little further away.  Eventhough they will all charge you mileage, the more professional companies will have investigators spread out around the State or city in which they operate. <br /><br />This is where you need to think like an investigator yourself and it doesn’t matter if you are the CFO of a $100 million dollar corporation or a stay-at-home mom.  
Here are some points you should seriously consider:<br />• Do they have a website<br />• Do they list a physical address<br />• Does their website list everything out clearly and concisely or do you feel more confused after reading it for five minutes<br />• Do they belong to reputable associations, both local and national<br />• Do they accept major credit cards<br />• Are they known for anything else – published books, white papers, speaking engagements, seminars, etc.<br /><br />In 2008, there is absolutely no reason why a company would be without a website.  A website “under construction” is nearly as bad.  Several years ago it could be chalked up to cost.  Smaller companies could not afford to pay many thousands for a site, but these days you can have a website up and running in days for a couple hundred dollars.  <br /><br />A company who does not have a website, for the most part, is a company who is either not legal and must “fly under the radar”, or who is not making enough money to spend on one.  If you hire a) an illegal company, you yourself could wind up being sued, and if you hire b) the company who nobody else is hiring, you’ll soon find out why – but not before you have wasted your hard-earned money.<br /><br />Any legitimate security company needs to let people know who they are and what they do.  In order to achieve this, they belong to professional associations – local, national and even international.  International associations are a good indicator that this firm is held in such high regard that they command the respect of investigators around the world.  Examples of international associations are: The Council of International Investigators (www.CII.org), INTELNET and the Society of International Business Fellows (SIBF).<br /><br />Once again, do not be fooled because a security person tells you their company does international work or because he calls the company “Smith Worldwide Protection”.  Ask for references.  
Most of the time, clients need to remain confidential, so ask for the name of the Chamber of Commerce to which they belong.  Call up the Chamber, or the investigation association or the State Agency where they say they are licensed, and ask if they are: 1) known, 2) currently licensed and insured and 3) have any complaints filed/received any disciplinary action.<br /><br />Remember, the best source will always be a personal referral.  Failing that, decide after you have done a little bit of research.  ALWAYS ask to see their investigator’s license or registration AND a copy of their insurance certificate.  If they cannot show you insurance, walk away or close the door.  If I am hiring a plumber or carpenter or electrician, I will always ask for their insurance.  If they do not have it and anything goes wrong, what will be your recourse?  Even if you are hiring a security guard for your business – make sure that guard’s company provides a copy of insurance.  <br /><br />I would even go as far as to say make sure that they don’t just carry minimum coverage.  Even though the Department of Criminal Justice mandates that security companies in Virginia only need $100,000 worth of coverage, we voluntarily carry liability insurance of $5 million.  We do this to better protect our clients.  If a person ever sues, they are probably going to go for millions, not thousands.<br /><br />If the security company you hire only carries the minimum $100,000 and a customer is suing for $1 million, who do you think they are going to go after?  You, of course.  On the other hand, had the security company carried a higher amount of liability insurance, they could have just sued the security company.<br /><br />There will not be a huge difference in price wherever you are.  In the Washington D.C. area, prices vary from around $100 - $150 per hour.  It is normal to want the best deal that can be had, and nearly everybody likes to save money.  
However, if you wind up hiring an inexperienced company who nobody has heard of and who uses young, inexperienced people to conduct the investigations, then the money that you thought you were “saving” could turn out to be a total waste.  <br /><br />Here is an example: Company “A” is run by a young ex-soldier who joined the army at 18 and separated from the military after four years of service.  He was a corporal, and after he got out, he went to work for a local security company for a couple of years as a supervisor visiting buildings where other guards stood on post.<br /><br />According to the State regulations, he could be granted a security business license based on having three years of supervisory security experience.  He cannot afford to hire anyone else, so he went to a training school for one week and became registered as a private investigator.<br /><br />Company “B” is run by a retired Police Detective with 15 years’ experience investigating homicides, five years in the transportation unit where he specialized in vehicular manslaughter investigations, and is a court certified expert in accident reconstruction and cold-case murders.  He too owns his own company and employs a retired F.B.I. agent and three former detectives with decades of experience in white-collar crime, gang activities, narcotic trafficking and sexual predators.  <br /><br />They both ask for a retainer of $1500.00 (retainers are usually $1500 - $3,000, depending on the length of time your case is estimated to take).  You choose company “A” because they tell you that they charge $95.00 an hour while company “B” charges $145.00.  However, after attempting to follow a subject for four days, losing them for the first three days and getting caught by the person they are following, Company “A” is forced to drop out or else you fire them (the most likely ending).  You cannot even hand the case over to another company, as the person you had followed knows he is being watched.  
<br /><br />Company “A” then gives you an invoice for $20.00, since his botched attempts took 16 hours, which at the “bargain rate” of $95.00 per hour totals $1520.00.  Even if you refuse to pay the additional $20.00, you are out $1500.00 with nothing to show for it.  Most probably, the more expensive company, “B”, would have accomplished the goal in about 2 days, at 5 hours a day, costing you $1450.  With company “B” you would have had a professional product/service and had an investigator capable of testifying in court to support your case if that was subsequently needed.  <br /><br />The motto is: Beware of false bargains, for at the end of the day, you get what you pay for.  Good luck with your search and don’t rush into it.<br /><br /></span><div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>
      <pubDate>Sat, 01 Mar 2008 17:28:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/local">local</category>
      <category domain="http://securityratty.com/tag/professional associations local">professional associations local</category>
      <category domain="http://securityratty.com/tag/local security company">local security company</category>
      <category domain="http://securityratty.com/tag/company">company</category>
      <category domain="http://securityratty.com/tag/illegal company">illegal company</category>
      <category domain="http://securityratty.com/tag/choose company">choose company</category>
      <category domain="http://securityratty.com/tag/exspensive company">exspensive company</category>
      <category domain="http://securityratty.com/tag/guards company">guards company</category>
      <category domain="http://securityratty.com/tag/security company">security company</category>
      <source url="http://www.thebulletproofblog.com/2008/03/why-you-nearly-need-pi-to-help-you-hire.html">Why you nearly need a P.I. to help you hire a private investigator</source>
    </item>
    <item>
      <title><![CDATA[Burglars make off with Crosslines Ministries files]]></title>
      <link>http://securityratty.com/article/c2622c01881d60dc6440184ecc5013be</link>
      <guid>http://securityratty.com/article/c2622c01881d60dc6440184ecc5013be</guid>
      <description><![CDATA[Technorati Tag: Security Breach


Date Reported
2/15/08
Organization
Crosslines Ministries of Carthage (MO)
Crosslines is a food pantry and clothing bank for low-income families in the Carthage area.&quot; -...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <A href="http://technorati.com/tag/security+breach" rel=tag>Security Breach</A><BR><BR>
<P><FONT size=2><STRONG>Date Reported:</STRONG> <BR>2/15/08</FONT></P>
<P><FONT size=2><STRONG>Organization:</STRONG> <BR>Crosslines Ministries of Carthage (MO)*</FONT></P>
<P><FONT size=1>*"Crosslines is a food pantry and clothing bank for low-income families in the Carthage area." - Source: KOAM-TV&nbsp; <BR>"Crosslines has been working to help the less fortunate in Carthage for 23 years" - Source: The Carthage Press</FONT></P>
<P><FONT size=2><STRONG>Contractor/Consultant/Branch:</STRONG><BR>None</FONT></P>
<P><FONT size=2><STRONG>Victims:<BR></STRONG>Clients</FONT></P>
<P><FONT size=2><STRONG>Number Affected:<BR></STRONG>2,000</FONT></P>
<P><FONT size=2><STRONG>Types of Data:<BR></STRONG>Names, ages, and Social Security numbers</FONT></P>
<P><FONT size=2><STRONG>Breach Description:</STRONG><BR>The Crosslines Ministries of Carthage offices were burglarized sometime between 5PM Thursday and 8AM Friday, February 15th 2008.&nbsp; Computer equipment and files containing sensitive personal information belonging to clients are missing.</FONT></P>
<P><FONT size=2><STRONG>Reference URL:<BR></STRONG><A href="http://www.carthagepress.com/news/x866628075" target=_blank>The Carthage Press online story</A> </FONT><BR><FONT size=2><A href="http://www.carthagepress.com/news/x1779603737" target=_blank>The Carthage Press online story (updated)</A> </FONT><BR><FONT size=2><A href="http://www.joplinglobe.com/local/local_story_046212420.html" target=_blank>The Joplin Globe online story</A> </FONT><BR><FONT size=2><A href="http://www.koamtv.com/Global/story.asp?S=7880966" target=_blank>KOAM-TV Channel 7 News story</A> <BR><BR></FONT><FONT size=2><STRONG>Report Credit:</STRONG><BR>John Hacker, The Carthage Press</FONT></P>
<P><FONT size=2><STRONG>Response:</STRONG><BR>From the online sources cited above:</FONT></P>
<P><FONT size=2>One of the largest aid agencies in Carthage was burglarized overnight Thursday night or Friday morning.</FONT></P>
<P><FONT size=2>(Carthage Police Detective Randee) Kaiser said among the items stolen were paper files containing names, addresses, social security numbers and other personal information of 2,000 individuals served by Crosslines.<BR><EM>[Evan] Why does Crosslines collect and store Social Security numbers?&nbsp; I don't understand the need to give a Social Security number in order to donate or receive aid.&nbsp; Nuts.</EM></FONT></P>
<P><FONT size=2>"They stole files, hard copies, a whole box of papers from the ministry," Kaiser said. "We can't say what else they took and we have no indication of why they took the box of papers in the first place or whether they knew what they were taking."<BR><EM>[Evan] There isn't any real value in paper (of this quantity), so it's a pretty good guess that the thieves are interested in the information.</EM></FONT></P>
<P><FONT size=2>Kaiser recommended that anyone who has given personal information belonging to themselves or family members to Crosslines should take steps to avoid potential identity theft.</FONT></P>
<P><FONT size=2>Kaiser said the burglar or burglars forced their way into the ministry.</FONT></P>
<P><FONT size=2>Kaiser said with the files missing, Crosslines doesn't have any way to notify the people affected of the incident, which is why the police, in cooperation with Crosslines are reaching out to potential victims through the media.<BR><EM>[Evan] No backup information either, so Crosslines does not know who may be affected.</EM></FONT></P>
<P><FONT size=2>An emotional Belle Lown, director of Crosslines Ministries, vowed to continue helping people in and around Carthage despite the burglary.</FONT></P>
<P><FONT size=2>Lown said the person who broke into the building sometime late Thursday or early Friday seemed to know what he or she was looking for.</FONT></P>
<P><FONT size=2>Lown said whoever got into the building breached a fairly sophisticated security system to get in.</FONT></P>
<P><FONT size=2>"We're beefing up security in the building," Lown said.</FONT></P>
<P><FONT size=2>Lown said the burglar also got her computer system. The burglar also seemed to be looking for specific items in Crosslines' inventory of clothing, food, soap and toiletries, and other products.</FONT></P>
<P><FONT size=2><STRONG>Commentary:</STRONG><BR>This is a sad breach to read and write about.&nbsp; I admire what Crosslines Ministries does and I feel for the people involved.&nbsp; The person or persons responsible for this breach took this a little too low by stealing the personal information.&nbsp; If the burglar(s) had only taken hardware, food, and clothing, then this would be almost (emphasize almost) acceptable.</FONT></P>
<P><FONT size=2>I am very curious to know why Crosslines needs to accept and store personal information, and I wonder what the options are for doing things in a better way.&nbsp; If Crosslines MUST collect and store personal information, then obviously they should do so more securely.</FONT></P>
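<P><FONT size=2>The "better way" asked about above, carried into working code as an added example written for this page (it is not code from Crosslines, the police, or the breach blog's author): the intake form keeps no Social Security number on-site, only an HMAC-SHA256 token computed under a key held somewhere else, so the same client is recognised on a return visit but a stolen box of files or a stolen PC yields no SSNs. A separate off-site register holds the names and contact details, which is exactly what was missing when the police had to reach victims through the media. The names, phone numbers and SSNs in the sample are constructed, and the two-record layout, the key handling and the function names are assumptions. The block also shows the caveat a practitioner would raise: a plain, unkeyed hash of a nine-digit number is not protection, because the entire space is 10**9 values and is enumerated in minutes, which <CODE>recover_unkeyed</CODE> demonstrates on a tiny candidate list.</FONT></P>

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

SSN_RE = re.compile(r"^\d{9}$")


def normalize_ssn(ssn: str) -> str:
    """Strip dashes/spaces and require nine digits; reject anything else."""
    digits = re.sub(r"[\s-]", "", ssn)
    if not SSN_RE.match(digits):
        raise ValueError("SSN must be nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a key that is NOT stored with the files.
    Same SSN and key give the same token, so returning clients are recognised;
    whoever steals only the files cannot turn tokens back into SSNs."""
    mac = hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def unkeyed_token(ssn: str) -> str:
    """The tempting mistake: a bare hash. SSNs are nine digits, so the whole
    space is 10**9 values and a laptop enumerates it; this is a lookup table."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()[:32]


def recover_unkeyed(token: str, candidates: List[str]) -> Optional[str]:
    """Reverse an unkeyed token by trying candidates (a tiny constructed list
    here; an attacker iterates all 10**9 or a purchased list of real SSNs)."""
    for ssn in candidates:
        if unkeyed_token(ssn) == token:
            return normalize_ssn(ssn)
    return None


def intake(name: str, contact: str, ssn: str, key: bytes) -> Tuple[dict, dict]:
    """Split one intake form into two records kept in two places (assumed layout):
    on_site  - the client file in the office: name and token, no SSN;
    register - the off-site notification entry: token, name, contact."""
    token = ssn_token(ssn, key)
    on_site = {"name": name, "token": token}
    register = {"token": token, "name": name, "contact": contact}
    return on_site, register


def is_returning(files: List[dict], ssn: str, key: bytes) -> bool:
    """Recognise a returning client without ever comparing raw SSNs."""
    token = ssn_token(ssn, key)
    return any(f["token"] == token for f in files)


def notify_after_theft(register: Dict[str, dict], stolen_tokens: List[str]) -> List[dict]:
    """After a burglary, the off-site register still tells you whom to contact
    even though every on-site file is gone."""
    return [register[t] for t in stolen_tokens if t in register]


# --- constructed sample data: not real people or real SSNs ---
OFFSITE_KEY = secrets.token_bytes(32)   # generated once, kept away from the files
SAMPLE_CLIENTS = [
    ("A. Client", "555-0100", "078-05-1120"),
    ("B. Client", "555-0101", "987654321"),
]


def run_demo(key: bytes = OFFSITE_KEY):
    files, register = [], {}
    for name, contact, ssn in SAMPLE_CLIENTS:
        on_site, reg = intake(name, contact, ssn, key)
        files.append(on_site)
        register[reg["token"]] = reg
    # Raw SSNs never reach the on-site files.
    assert all("ssn" not in f for f in files)
    # Same person, with or without dashes, is recognised; a stranger is not.
    returning = is_returning(files, "078051120", key)
    stranger = is_returning(files, "111-22-3333", key)
    # Everything on-site is stolen: the register still yields the contacts.
    to_notify = notify_after_theft(register, [f["token"] for f in files])
    # Contrast: an unkeyed hash of the same SSN falls to a short candidate list.
    leaked = recover_unkeyed(unkeyed_token("078-05-1120"),
                             ["123456789", "078051120", "987654321"])
    return returning, stranger, [r["contact"] for r in to_notify], leaked


if __name__ == "__main__":
    print(run_demo())
```

<P><FONT size=2>The token only protects the SSN; the off-site register still holds names and contact details and needs its own protection (encrypted, access-controlled, and nowhere near the office that was just broken into). Better still is the first question asked above: if aid can be given without an SSN at all, collect nothing and there is nothing to tokenize.</FONT></P>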
<P><FONT size=2>Maybe there is an information security consultant (preferably local to Carthage, MO) out there that would like to&nbsp;donate some free service?&nbsp; Crosslines can be reached at (417)358-1577 </FONT></P>
<P><FONT size=2><STRONG>Past Breaches:</STRONG><BR>Unknown</FONT></P><BR>
]]></content:encoded>
      <pubDate>Mon, 18 Feb 2008 13:46:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/store personal information">store personal information</category>
      <category domain="http://securityratty.com/tag/crosslines">crosslines</category>
      <category domain="http://securityratty.com/tag/crosslines ministries">crosslines ministries</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/store social security">store social security</category>
      <category domain="http://securityratty.com/tag/backup information">backup information</category>
      <source url="http://breachblog.com/2008/02/18/crosslines.aspx">Burglars make off with Crosslines Ministries files</source>
    </item>
  </channel>
</rss>
