<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: prosecute]]></title>
    <link>http://securityratty.com/tag/prosecute</link>
    <description></description>
    <pubDate>Sun, 13 Jan 2008 21:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[DOJ's e-mail privacy stance might hamper prosecution in Palin case, EFF claims]]></title>
      <link>http://securityratty.com/article/480f19b304de427685613618a7bb8e7f</link>
      <guid>http://securityratty.com/article/480f19b304de427685613618a7bb8e7f</guid>
      <description><![CDATA[The Department of Justice's continuing opposition to a 2003 court ruling on e-mail privacy raises questions about how it might prosecute the hacker who accessed Sarah Palin's e-mail account, according...]]></description>
      <content:encoded><![CDATA[The Department of Justice's continuing opposition to a 2003 court ruling on e-mail privacy raises questions about how it might prosecute the hacker who accessed Sarah Palin's e-mail account, according to the Electronic Frontier Foundation.<br style="clear: both;"/>
<img src="http://www.pheedo.com/feeds/tracker.php?i=5275fa79f02c869f83ca06ef174fbde0" style="display: none;" border="0" height="1" width="1" alt=""/>]]></content:encoded>
      <pubDate>Tue, 23 Sep 2008 00:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/electronic frontier foundation">electronic frontier foundation</category>
      <category domain="http://securityratty.com/tag/e-mail account">e-mail account</category>
      <category domain="http://securityratty.com/tag/sarah palin">sarah palin</category>
      <category domain="http://securityratty.com/tag/court">court</category>
      <category domain="http://securityratty.com/tag/department">department</category>
      <category domain="http://securityratty.com/tag/opposition">opposition</category>
      <category domain="http://securityratty.com/tag/hacker">hacker</category>
      <category domain="http://securityratty.com/tag/justice">justice</category>
      <category domain="http://securityratty.com/tag/prosecute">prosecute</category>
      <source url="http://feeds.computerworld.com/click.phdo?i=5275fa79f02c869f83ca06ef174fbde0">DOJ's e-mail privacy stance might hamper prosecution in Palin case, EFF claims</source>
    </item>
    <item>
      <title><![CDATA[Judge lets privacy advocate keep Social Security numbers on Web site]]></title>
      <link>http://securityratty.com/article/afc6d91aa7b00dd57a019f4b63b60a50</link>
      <guid>http://securityratty.com/article/afc6d91aa7b00dd57a019f4b63b60a50</guid>
      <description><![CDATA[A federal judge ruled that the state of Virginia can't prosecute operators of Web sites that post Social Security numbers obtained legally from government Web...]]></description>
      <content:encoded><![CDATA[A federal judge ruled that the state of Virginia can't prosecute operators of Web sites that post Social Security numbers obtained legally from government Web sites.
<p><a href="http://feeds.computerworld.com/~a/Computerworld/Security/News?a=LpE26j"><img src="http://feeds.computerworld.com/~a/Computerworld/Security/News?i=LpE26j" border="0"></img></a></p><img src="http://feeds.computerworld.com/~r/Computerworld/Security/News/~4/376360846" height="1" width="1"/>]]></content:encoded>
      <pubDate>Wed, 27 Aug 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government web sites">government web sites</category>
      <category domain="http://securityratty.com/tag/web sites">web sites</category>
      <category domain="http://securityratty.com/tag/federal judge ruled">federal judge ruled</category>
      <category domain="http://securityratty.com/tag/post social security">post social security</category>
      <category domain="http://securityratty.com/tag/prosecute operators">prosecute operators</category>
      <category domain="http://securityratty.com/tag/virginia">virginia</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/376360846/article.do">Judge lets privacy advocate keep Social Security numbers on Web site</source>
    </item>
    <item>
      <title><![CDATA[Indictments Against Largest ID Theft Ring Ever]]></title>
      <link>http://securityratty.com/article/159412d8049db4c0dd6a8e114a645515</link>
      <guid>http://securityratty.com/article/159412d8049db4c0dd6a8e114a645515</guid>
      <description><![CDATA[It was really big news yesterday, but I don't think it's that much of a big deal. These crimes are still easy to commit and it's still too hard to catch the criminals. Catching one gang, even a large...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/08/05/AR2008080501859.html?hpid=moreheadlines">It</a> <a href="http://money.cnn.com/2008/08/05/news/companies/card_fraud/?postversion=2008080604">was</a> <a href="http://technology.timesonline.co.uk/tol/news/world/us_and_americas/article4468114.ece">really</a> <a href="http://www.iht.com/articles/ap/2008/08/06/business/NA-US-Retailer-Fraud-Indictment.php">big</a> <a href="http://www.theregister.co.uk/2008/08/06/id_fraud_hacking_case/">news</a> <a href="http://ap.google.com/article/ALeqM5hlC-7Qgf2_9ytmu5kKBpnEf5XzeQD92D20KG0">yesterday</a>, but I don't think it's that much of a big deal.  These crimes are still easy to commit and it's still too hard to catch the criminals.  Catching one gang, even a large one, isn't going to make us any safer.</p>

<p>If we want to <a href="http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html">mitigate identity theft</a>, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:</p>

<blockquote>The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.

<p>The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.</p>

<p>Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.</p></blockquote>

<p>I am, however, impressed that we managed to pull together the police forces from several countries to prosecute this case.</p><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 08:45:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal data harder">personal data harder</category>
      <category domain="http://securityratty.com/tag/harder">harder</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/personal data">personal data</category>
      <category domain="http://securityratty.com/tag/commit fraud">commit fraud</category>
      <category domain="http://securityratty.com/tag/fraud">fraud</category>
      <category domain="http://securityratty.com/tag/commit">commit</category>
      <category domain="http://securityratty.com/tag/privacy">privacy</category>
      <category domain="http://securityratty.com/tag/personal privacy">personal privacy</category>
      <source url="http://www.schneier.com/blog/archives/2008/08/indictments_aga.html">Indictments Against Largest ID Theft Ring Ever</source>
    </item>
    <item>
      <title><![CDATA[Know what the Alt-F4 command does?]]></title>
      <link>http://securityratty.com/article/6c48182eb4b3d2fabb8dc28bbf5f7230</link>
      <guid>http://securityratty.com/article/6c48182eb4b3d2fabb8dc28bbf5f7230</guid>
      <description><![CDATA[Great article, ya gotta read it. Great tips on staying secure. Well done


clipped from itknowledgeexchange.techtarget.com

Nine Steps to System Security - 2008


It isn't getting any better on The...]]></description>
      <content:encoded><![CDATA[<div > Great article, ya gotta read it. Great tips on staying secure.<br/>Well done! </div>
<table cellpadding="0" cellspacing="0" width="100%" style="margin: 12px 0px; font-family: arial; color: #333333; background: #ffffff; border: solid 4px #e5e5e5; width: 100%; clear: left;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" class="CM_CTB_Content_Wrap" style="margin: 0px; padding: 0px;background-color: #ffffff;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" style="border-bottom: solid 1px #dcdcdc; white-space: nowrap; margin-bottom: 8px; background-color: #eeeeee ;background-image: url(http://clipmarks.com/images/source-bg.gif); background-repeat: repeat-x; height: 24px; line-height: 24px; vertical-align: middle; padding-bottom: 4px; color: #666666; font-size: 10px;">
<tr>
<td valign="top"><a href="http://clipmarks.com/clipmark/ACD35A08-A1A1-4781-9621-A0A661DA4F25/" title="go to this clipmark"><img src="http://content.clipmarks.com/blog_icon/85525e03-0065-4600-9959-36cd64fb831c/ACD35A08-A1A1-4781-9621-A0A661DA4F25/" alt="" width="19" height="19" border="0" style="vertical-align: middle; margin: 0px 4px; display: inline; border: none; float:none;" /></a>clipped from <a title="http://itknowledgeexchange.techtarget.com/security-corner/nine-steps-to-system-security-2008/" href="http://itknowledgeexchange.techtarget.com/security-corner/nine-steps-to-system-security-2008/" style="font-size: 11px;">itknowledgeexchange.techtarget.com</a></td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://itknowledgeexchange.techtarget.com/security-corner/nine-steps-to-system-security-2008/ -->
<div style="margin: 4px 0px; color: #000000; font-size: 20px;"><A title="Permanent Link to Nine Steps to System Security - 2008" rel="bookmark" href="http://itknowledgeexchange.techtarget.com/security-corner/nine-steps-to-system-security-2008/">Nine Steps to System Security - 2008</A></div>
</td>
</tr>
</table>
<div style="height: 2px; font-size: 2px; background: #dcdcdc; border-bottom: solid 1px #f5f5f5; margin: 2px 4px;"></div>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://itknowledgeexchange.techtarget.com/security-corner/nine-steps-to-system-security-2008/ --><P>It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to <A target="_blank" href="http://en.wikipedia.org/wiki/Rootkit">rootkit</A> technology. With the advent of <A target="_blank" href="http://en.wikipedia.org/wiki/Web_2.0">Web 2.0</A> and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.</P></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 19:36:47 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wild web">wild web</category>
      <category domain="http://securityratty.com/tag/wild">wild</category>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/federal government attempts">federal government attempts</category>
      <category domain="http://securityratty.com/tag/rootkit technology">rootkit technology</category>
      <category domain="http://securityratty.com/tag/system security">system security</category>
      <category domain="http://securityratty.com/tag/criminal acts">criminal acts</category>
      <category domain="http://securityratty.com/tag/steps">steps</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=535">Know what the Alt-F4 command does?</source>
    </item>
    <item>
      <title><![CDATA[Do You Speak E-Discovery? You Should, Even in Europe]]></title>
      <link>http://securityratty.com/article/83b90f1f212111ff6dbba328b609d249</link>
      <guid>http://securityratty.com/article/83b90f1f212111ff6dbba328b609d249</guid>
      <description><![CDATA[How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the...]]></description>
      <content:encoded><![CDATA[How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the United States, because of the number of companies subject to e-discovery actions. But even though this subject is disturbing the sleep of CIOs in companies large and small in the U.S. - and even though vendors of tools supporting e-discovery are all looking for the next "killer app" - most Europeans just look on and say, "What on earth is this 'e-discovery'?"<br />
<br />
The concept of legal discovery (called "e-discovery" when electronic information is involved) is unique to the "common law" countries - notably the U.S., the U.K., Canada, Australia and New Zealand. Discovery in common-law civil litigation is a form of interrogatory in which both parties agree to the pretrial exchange of information, so that the plaintiff can prosecute a cause for action and the defendant can build a defense. By contrast, in countries with legal systems based on the Roman or Napoleonic traditions - which is to say, most of continental Europe - the obligation to produce information that is relevant to the cause for action is nowhere as comprehensive as the obligation attached to discovery in common law.<br />
<br />
There is an important difference between criminal and civil litigation, irrespective of a country's legal system. In a criminal case, if the authorities have a warrant or an indictment, the subject is obligated to produce relevant information, and this is true both in common-law countries and in continental Europe. In civil litigation, however, only common law requires the pretrial production of information and its exchange between affected parties. In non-common-law civil litigation, the relevant information is produced before the judge for consideration and evaluation.<br />
<br />
Despite these differences, there are some important lessons for all Europeans about e-discovery and about legal discovery in general. The first is that if an external party demands information, whether during civil or criminal proceedings, it pays to deliver that information quickly. Gartner has seen many cases where enterprises simply didn't know how to find the requested information or couldn't produce it for several days - just long enough to generate some damaging media coverage.<br />
<br />
The second lesson: It also pays to be able to deliver precisely the information requested. Law enforcement officers may seize folders and binders, disks and tapes, files and e-mails, reports and logs - anything they can get their hands on, really. This may include information that is not relevant to the case, and it may include information that is highly sensitive. This information will be reviewed, processed and analyzed, and some of this sensitive information might leak to the public or to competitors. It's much better to be prepared to hand over just the requested and required information.<br />
<br />
The e-discovery landscape is made even more confusing by international jurisdictional differences. In the global economy, a business relationship with an entity in the U.S. is becoming more the rule than the exception. But a company's duty to release information following a U.S. legal discovery claim - for example, for a European subsidiary - and how that would be seen in relation with European privacy legislation remain unclear at best. E-discovery rules require quick delivery of information that has not been tampered with, but privacy protection requires that personal data be removed first.<br />
<br />
E-discovery simply does not exist in most European legal systems, but European companies would be well-advised to familiarize themselves with the concept, in case an e-discovery claim originates elsewhere. Companies that have processes and automation for information archiving and retrieval, document and records management, and a retention policy (including disposal when information is no longer needed) will be well-prepared for any e-discovery claims that arise.]]></content:encoded>
      <pubDate>Thu, 24 Jul 2008 08:05:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/e-discovery">e-discovery</category>
      <category domain="http://securityratty.com/tag/e-discovery simply">e-discovery simply</category>
      <category domain="http://securityratty.com/tag/e-discovery actions">e-discovery actions</category>
      <category domain="http://securityratty.com/tag/sensitive information">sensitive information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/include information">include information</category>
      <category domain="http://securityratty.com/tag/discovery">discovery</category>
      <category domain="http://securityratty.com/tag/produce relevant information">produce relevant information</category>
      <category domain="http://securityratty.com/tag/e-discovery claims">e-discovery claims</category>
      <source url="http://blog.gartner.com/blog/security.php?x=0&amp;itemid=3732">Do You Speak E-Discovery? You Should, Even in Europe</source>
    </item>
    <item>
      <title><![CDATA[Two students access confidential Dominican University files]]></title>
      <link>http://securityratty.com/article/c911429366b51bc32cae40fcf5414be0</link>
      <guid>http://securityratty.com/article/c911429366b51bc32cae40fcf5414be0</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/8/08

Organization
Dominican University

Contractor/Consultant/Branch
None

Victims
Students

Number Affected
5,215

Types of Data
names, addresses,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/dominican.jpg" align="right" height="68" width="199"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/8/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.dom.edu/">Dominican University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Students<br><br><span style="font-weight: bold;">Number Affected:</span><br>5,215<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, phone numbers, birthdays and Social Security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk.&nbsp; The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.nbc5.com/news/16205384/detail.html">WMAQ NBC Channel 5 News</a> <br><a href="http://www.pioneerlocal.com/riverforest/news/948729,RF-Security-051408-sl.article">RiverForest-Leaves</a> <br><a href="http://www.dom.edu/security/">Dominican University</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Dominican University<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Dominican University takes information security very seriously. 
In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.<br><br>Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.<br><br>These files were in an unsecure location that was to be accessible only to specific staff members.<br><span style="font-style: italic;">[Evan] Is this password misuse or just poorly secured files and poor security?&nbsp; The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff.&nbsp; Does this make any sense to you?</span><br><br>One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.<br><span style="font-style: italic;">[Evan] I wonder if the school would have ever found out if the student didn't come forward.&nbsp; My guess is not.</span><br><br>We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.<br><br>A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.<br><br>The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.<br><br>The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"<br><span style="font-style: italic;">[Evan] I don't know.&nbsp; There are probably students doing worse things on campus that probably need a lot more supervision than these two.&nbsp; Judging only by what I have read, these students seem to have 
been pretty honest.&nbsp; They came forward, they cooperated with the investigation and even demonstrated what they did.&nbsp; </span><br><br>The university is conducting a complete security audit and internal review.<br><span style="font-style: italic;">[Evan] This should be done on a regular basis anyway.&nbsp; All good information security programs conduct regular audits, assessments and reviews.</span><br><br>Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.<br><span style="font-style: italic;">[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do.&nbsp; The last statement contained the word "conducting", this statement contains "conducted".</span><br><br>At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.<br><br>"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"<br><span style="font-style: italic;">[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me</span><br><br>If I have more questions, who should I call? You can call our toll-free number: (877) 387-8310.<br><br><span style="font-weight: bold;">Student Reaction:</span><br>"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"<br><br>"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"<br><br>"Someone actually just charged on my debit card something. 
(It was) unrelated to this, I think, but it freaks me out every day now,"<br><span style="font-style: italic;">[Evan] This student didn't just buy some </span><a style="font-style: italic;" href="http://breachblog.com/2008/05/07/adobe.aspx">Adobe</a><span style="font-style: italic;"> education version software, did he/she?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings.&nbsp; I don't sense any dishonesty on their part.&nbsp; I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information.&nbsp; The statement about a secure file in an unsecured location is puzzling.<br><br>If assumptions are correct, then it may be ill-advised to sanction these students.&nbsp; Does anyone else see this the same way, or would you say that I am off base here?<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
<script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/14/dominican.aspx" type="text/javascript" charset="utf-8"></script>]]></content:encoded>
      <pubDate>Wed, 14 May 2008 18:40:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/dominican university">dominican university</category>
      <category domain="http://securityratty.com/tag/dominican university students">dominican university students</category>
      <category domain="http://securityratty.com/tag/dominican">dominican</category>
      <category domain="http://securityratty.com/tag/students">students</category>
      <category domain="http://securityratty.com/tag/files">files</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security processes">security processes</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <source url="http://breachblog.com/2008/05/14/dominican.aspx">Two students access confidential Dominican University files</source>
    </item>
    <item>
      <title><![CDATA[U.S. Congress should pass cyber-crime legislation this year -- when will the House of Representatives finally act?]]></title>
      <link>http://securityratty.com/article/f1dcc253cbc83ec75b0d01ac52003cdb</link>
      <guid>http://securityratty.com/article/f1dcc253cbc83ec75b0d01ac52003cdb</guid>
      <description><![CDATA[As I mentioned in a blog post in late October 2007, the IT industry and other stakeholders have been calling for the U.S. Congress to pass legislation that would help empower law enforcement to more...]]></description>
      <content:encoded><![CDATA[As I mentioned in a <a href="http://www.rsa.com/blog/blog_entry.aspx?id=1236">blog post</a> in late October 2007, the IT industry and other stakeholders have been calling for the U.S. Congress to pass legislation that would help empower law enforcement to more effectively investigate and prosecute cyber criminals -- while updating penalties in U.S. criminal code so that the punishment fits the crime.  <b>It's stunning to me that the Congress has not yet sent legislation to the President for his signature to address this important issue...</b>   ]]></content:encoded>
      <pubDate>Tue, 22 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/legislation">legislation</category>
      <category domain="http://securityratty.com/tag/congress">congress</category>
      <category domain="http://securityratty.com/tag/empower law enforcement">empower law enforcement</category>
      <category domain="http://securityratty.com/tag/pass legislation">pass legislation</category>
      <category domain="http://securityratty.com/tag/prosecute cyber criminals">prosecute cyber criminals</category>
      <category domain="http://securityratty.com/tag/crime">crime</category>
      <category domain="http://securityratty.com/tag/criminal code">criminal code</category>
      <category domain="http://securityratty.com/tag/punishment fits">punishment fits</category>
      <category domain="http://securityratty.com/tag/blog post">blog post</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1276">U.S. Congress should pass cyber-crime legislation this year -- when will the House of Representatives finally act?</source>
    </item>
    <item>
      <title><![CDATA[What should done about employees stealing in the workplace?]]></title>
      <link>http://securityratty.com/article/fae51f77605bb878ecd4539866006c60</link>
      <guid>http://securityratty.com/article/fae51f77605bb878ecd4539866006c60</guid>
      <description><![CDATA[Q: I think that an employee may be stealing from my company. I called the Police but they said they needed more proof before they could get involved. They suggested that I contact a private...]]></description>
      <content:encoded><![CDATA[Q: I think that an employee may be stealing from my company.  I called the Police but they said they needed more proof before they could get involved.  They suggested that I contact a private investigation company. How can I find out what's going on when I am not there to watch? <br /><span id="fullpost"><br />A: Even though a case may be criminal in nature – such as in the case of an employee stealing, with all of the known and pressing problems that the Police have to handle on a daily basis, they usually do not have the manpower to act on a “hunch” or suspicion.  <br /><br />If it was a case of suspected drug trafficking or gang activity, they probably would be able to dispatch some undercover units since there would be a very real risk of personal injury and/or serious felonies being committed.<br /><br />When it comes to the private sector, clients really need to take the matter into their own hands in the majority of cases.  By “their own hands”, I don’t mean they need to investigate it themselves, but they need to hire a professional investigator with the training, skills, experience and license to deal with the matter.  <br /><br />A carefully chosen private security firm will be able to sit down and advise them on their options.  After the initial meeting they should have a good idea of: 1) the costs involved, 2) the time it will take to resolve the matter and 3) how best to deal with their findings – termination of employee, filing criminal charges, initiating a civil suit.<br /><br />Some time ago we were approached with an identical problem facing a local business owner.  He believed one of his senior managers to be stealing materials from the warehouse and selling it to other individuals.  The owner had heard stories circulating about the manager’s dishonesty but chose to disregard it for many years.  
We advised him that we would use different investigators and vehicles to follow the manager around and video tape him where he went and document the addresses.<br /><br />From day one, our investigators had discovered that the manager would load up his truck with building materials from the warehouse and head out without telling anyone where he was going.  Once he arrived at a location, our investigator would call the client and tell him the address while another investigator video taped the transaction at the site.  Nearly all of the time - at least 90% of the time, the manager would go to a site that was not one of the employer’s sites.  He was taped handing over stolen materials on several occasions.  Other times he would have unauthorized persons in his company truck.  If they had been hurt in an accident, they most likely would have sued the business owner for having been allowed to be carried in the vehicle.  <br /><br />After two weeks, we had compiled enough information on the manager to show that he was involved in a company on the side with members of his family that were known to the employer upon viewing the video.  Just on one transaction alone, we discovered that the employee had managed to steal a $45,000.00 contract that should have been handled by his employer’s company.  A conservative estimate of the employee's thieving over the years amounted to in excess of $1,000,000.00. <br /><br />Even though our client’s main goal at the beginning of the investigation was to fire the manager if he turned out to be a thief, he was so disturbed by what he discovered that he asked us to work with the authorities to prosecute him.  Our investigators took the final report with their findings along with the video to the prosecutor and in a couple of short weeks the Police had obtained warrants for grand larceny and had brought the manager to trial as a defendant.  
Based on the evidence obtained by our investigators, he pleaded guilty and received a jail sentence.<br /><br />Not all clients will want to go to that extent and many have no intentions of prosecuting an employee.  It is still a good idea to pursue a dishonest employee and gather evidence that they are stealing or conducting illegal activities on the company property.  The benefits of such an investigation are many.  If an employee is conducting an illegal activity such as using or trafficking in drugs, they may be directly responsible for an accident in the work place that could not only injure themselves but an innocent co-worker.<br /><br />Since the employer has a duty to provide a safe work place for his/her employees, looking the other way or hoping that nothing happens could lead to a devastating lawsuit that might put the owner out of business and lead to the loss of jobs for everyone there.  If the situation persists and the local police get to hear about the problem, then they will take the matter into their own hands.<br /><br />Screeching car loads of Police officers jumping out in front of your building with blue lights flashing and sirens blaring will not leave a good impression on your clients.  Nor will seeing staff being led out in handcuffs make them feel confident about doing business with you in the future.<br /><br />It would be far better to have the matter dealt with by a private company who could send in an undercover investigator to gather evidence and if it turned out that there was such illegal activity going on, those involved could be given the option of resigning or having the matter turned over to the police.  It has been our experience that they prefer the option of walking away from their job rather than being driven away in the back of a Police cruiser.           <br /><br />One should also consider some of the other benefits involving the uncovering of employee problems and dealing with them in a firm manner.  
In the case of the thieving manager, we found out from talking with and interviewing other staff members that he had actually boasted about some of the things that he was doing.  He became so conceited that others were beginning to fear him or worse still, admire him for his actions.  <br /><br />When it finally became known that the owner had hired investigators to find out the truth and then had personal protection specialists escort the disgraced manager off of the property, the other employees realized that the owner meant business.  There was little chance that anyone there would be imitating the convicted felon any time soon. The owner could finally concentrate on making the company profitable and making sure that his employees had a stable future.        <br />        <br /><br /></span><div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Thu, 21 Feb 2008 02:25:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/business owner">business owner</category>
      <category domain="http://securityratty.com/tag/local business owner">local business owner</category>
      <category domain="http://securityratty.com/tag/owner">owner</category>
      <category domain="http://securityratty.com/tag/truck">truck</category>
      <category domain="http://securityratty.com/tag/company truck">company truck</category>
      <category domain="http://securityratty.com/tag/company">company</category>
      <category domain="http://securityratty.com/tag/investigation company">investigation company</category>
      <category domain="http://securityratty.com/tag/investigator video taped">investigator video taped</category>
      <category domain="http://securityratty.com/tag/investigator">investigator</category>
      <source url="http://www.thebulletproofblog.com/2008/02/what-should-done-about-employees.html">What should done about employees stealing in the workplace?</source>
    </item>
    <item>
      <title><![CDATA[MySpace, states team up for children's safety]]></title>
      <link>http://securityratty.com/article/e73e60d51aed8568c0357ca557fdb484</link>
      <guid>http://securityratty.com/article/e73e60d51aed8568c0357ca557fdb484</guid>
      <description><![CDATA[An agreement between MySpace and most U.S. state attorneys general will significantly increase the safety of minors on the popular social network and boost the ability of police to catch and prosecute...]]></description>
      <content:encoded><![CDATA[An agreement between MySpace and most U.S. state attorneys general will significantly increase the safety of minors on the popular social network and boost the ability of police to catch and prosecute sexual predators who use the Web, said MySpace and several participating attorneys general Monday.]]></content:encoded>
      <pubDate>Sun, 13 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/myspace">myspace</category>
      <category domain="http://securityratty.com/tag/prosecute sexual predators">prosecute sexual predators</category>
      <category domain="http://securityratty.com/tag/popular social network">popular social network</category>
      <category domain="http://securityratty.com/tag/attorneys">attorneys</category>
      <category domain="http://securityratty.com/tag/safety">safety</category>
      <category domain="http://securityratty.com/tag/significantly increase">significantly increase</category>
      <category domain="http://securityratty.com/tag/boost">boost</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/monday">monday</category>
      <source url="http://www.networkworld.com/news/2008/011408-myspace-states-team-up-for.html?fsrc=rss-security">MySpace, states team up for children's safety</source>
    </item>
  </channel>
</rss>
