[SecurityRatty] tag: reputable

What is the best way to find a P.I.?

Fri, 14 Nov 2008 02:32:00 +0000

Where would you find a good P.I.? Should you even settle for good? Wouldn't it make more sense to find a great one? PInow.com Investigation news gave some useful pointers in their editorial yesterday.

I decided to write about this after seeing a request on a local listserve. I wrote and advised the person that it would be difficult to judge the quality of the investigator by such a general posting. To my amazement, the reply came back; "I know...some time I just post the job, close my eyes and hope for the best".

Hope for the best? Surely nobody would say such a thing to their client when they are getting that retainer. I can understand "hoping" for the weekend to be dry if you are having a picnic, or "hoping" that your football team wins the game on Sunday...but "hoping" an investigator does a decent job?

One of the better and more professional way to find a reputable investigator or investigaive agency, is to contact a local State association such as PIAVA (www.piava.org), or an international association such as the Council of International Investigators (www.cii2.org). Members of these associations have not only been carefully vetted, but they are held accountable since their professional reputations are riding on every assignment.

Good investigators can help your attorny win that child custody case, save the company from a false suit by an unethical employee claiming a make believe injury, help you find the fraudster that ran off with the company's clients or funds and many other useful tasks. A bad one can take your money and give you next to nothing in return.

Please make sure you only ever hire the good ones.

XSS Comedy III: Tax Cheats with Small Equipment

Wed, 12 Nov 2008 13:52:00 +0000

As part of an ongoing series, if I may I, the third in a series on the absurd, inane, and perhaps even funny. Lest you forget: the first and second in the series.
I don't know about you, but I enjoy occasionally watching offerings like the History Channel, AMC, or the Military Channel. I'm a 40ish, white male and as such I likely fit the general demographic as perceived by the marketing geniuses who buy the late evening advertising blocks on these channels.
That does NOT mean that I cheat of my taxes and thus need the services of a plethora of scam artists selling tax relief. Nor does it mean that I have any interest in "enhancement" opportunities like Enzyte or ExtenZe.
I just love people who choose to skip out on a primary obligation of citizenship that most of us choose to meet, and expect to magically turn $100,000 in tax debt into $999. Then there are the "businesses" who exploit these folks and willingly convince them of their "success" via the power of advertising, at which point my patience just snaps, as it did last night.
Thus, part one of this rant is a mighty bugger off to all the "tax relief" companies. To their patrons, may I suggest simply paying taxes like the rest of us?
Here's an XSS vulnerability in the Freedom Financial Network, "as seen on TV", designed to express precisely how I feel:

http://www.freedomfinancialnetwork.com/tax_debt.php?pid=ffn+go&key=%22%3E%3Cmarquee%3E%3Ch1%3ENOTHING_IS_FREE!%3C%2Fh1%3E%3C%2Fmarquee%3E

If and when they fix this issue, here's the video for posterity.

Part two of this rant will get you more bang for your buck, and I'm not talking enhancement.
Thanks to my utter disdain for the endlessly annoying advertising I went to the ExtenZe site to see what might be broken which immediately led me to discover an entire platform vulnerability in the ColdFusion application built by Internet Direct Response (IDR), the wankers who proudly bring you Maxoderm, Vivaxa, Vazomyne, Smoke Away, and Hydroxydrene; all such reputable products, and all repetitively wearing me out via DirectTV. At the ExtenZe site I spotted a variable that seemed worthy of building a Googledork from, and I soon discovered that it was a consistent variable in most of the sites pimping this crap; specifically, microppcsite. You can follow all the search results back to our friends at IDR.
A little experimentation and I quickly discovered that the similar microppcterm variable was vulnerable to entertaining XSS exploitation so I started with:

http://www.extenzeforlife.com/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EToo_short,_Morningwood?%3C%2Fh1%3E%3C%2Fmarquee%3E&gclid=CJ3T2NXH8JYCFQQCagod7xyBrA

Pick your poison, it works on most IDR gems.

http://www.enzyte-male-enhancement.com/google/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EBob_just_wants_your_money.%3C%2Fh1%3E%3C%2Fmarquee%3E

Again, a video, should IDR choose to fix their app.

And now, the grand prize for pathetic: The ExtenZe site is McAfee Secure.

I couldn't make this stuff up if I tried.
You thought www stood for world wide web. Try wee willy wankers. *sigh*

del.icio.us | digg | Submit to Slashdot

Network skill level gap is growing, but growth opportunities abound!

Mon, 25 Aug 2008 17:06:07 +0000

A recent IDC report sponsored by the Cisco Learning Institute reveals a huge networking skills gap is emerging in North America, which spells trouble for enterprises. Listen to this: “600,000 IT workers were needed to install, configure, manage and secure networks in North America in 2007, 14% of the total IT workforce.” However, IDC reports that another 180,000 engineers with wireless as well as traditional network engineering experience will need to be added by 2011 to keep pace with advances in technology that is transforming the role of the network.

The convergence of voice and video traffic are quickly transforming the growing complexity of networks at a torrid pace. IDC estimates that the skills gap in VOIP should grow to 19% by 2011.

This changing profile in the role of the network plays a key role in the skills shortage. Network enabled collaboration tools such as social networking apps and the Webex conferencing/collaboration solutions we use in our business each and every day are demanding a new set of IT skills to deliver business value.

My perspective is two-fold on this issue; the first is what I have seen in the resources we have attempted to hire! We give a very straightforward quick written/oral test to all new technical hires. This requires basic networking knowledge and some Unix commands. On average, (after filters from reputable recruiting firms, some with 5-10 years experience) less than 10% pass muster for the first filter we use in our hiring process. This is a troubling fact, which has cost us considerable time and effort to secure the right resources with competent skills. So I can say from our market assessment in a very strong technological job skills market, core Unix and networking foundation skills are slipping.

The second is that we as an IT Operations Management (ITOM) industry need to keep pushing hard to build better proactive and intuitive solutions to aggregate instrumentation from all Data Center tools, including more work around VOIP, video streaming, and collaboration so that we can ease this transition. If ITOM solutions become more proactive across the typical Cisco infrastructure that is commonly installed in the Data Center, we can free up some additional time for advanced “emerging technologies” training where existing IT workers can enhance their core skills and re-invigorate their careers. We have to do a much better job of getting our existing IT professionals trained on emerging technologies!

While there’s less that ScienceLogic can do around training, we certainly strive to do our part to enhance a day in the life of the networking engineers who use our solutions to simplify monitoring of increasingly complex networking, Wireless, VOIP, and collaboration needs.

U.S. Arms Dealer Tests Legal Bounds in Middle East Arms Bazaar

Thu, 03 Jul 2008 18:00:00 +0000

Former congressman Curt Weldon is helping broker deals between Russian and Ukranian weapons suppliers and the Iraqi and Libyan governments as part of his new job with a private American defense consulting firm, Wired.com has learned.

Weldon, who is currently being investigated by the FBI over alleged corruption during his time in office, visited Libya in March to discuss a possible military deal, according to a letter describing the trip from Weldon to Defense Solutions CEO Timothy Ringgold. In May, Weldon, together with Ringgold and another company representative, traveled to Moscow to discuss working with Russia's weapons-export agency on arms sales to the Middle East.

Both trips were part of the company's effort to tap into the growing -- and often legally murky -- market for selling weapons from former Eastern Bloc countries to the Middle East and Afghanistan.

Ex-Rep. Curt Weldon, R-Penn., is helping broker deals between Russian weapons suppliers and the Iraqi and Libyan governments through his company, Defense Solutions.
Photo: H. Rumph Jr/AP

The Russians want to sell weapons to Iraq directly, but "must go slow on Iraq because of political reasons" and want to work with an "intermediary" like Defense Solutions, CEO Ringgold subsequently wrote to colleagues. "They have not spoken with any American company that can offer the quid pro quo that we can or that has the connections in Russia that we have," he boasted.

A few years ago, an American company proposing to sell weapons to Libya might have triggered a congressional hearing. So, too, would have a proposal to conduct arms deals with Russia, which the United States has accused of selling high-tech weapons to Syria and Iran.

However, U.S. government efforts to rapidly equip countries like Afghanistan and Iraq -- which have largely Soviet-origin weapons -- have created legal ambiguities and loopholes in export controls that didn't exist in years past and given rise to a new class of arms trade middlemen. So, even though both Libya and the Russian arms export agency are on official U.S. blacklists, government officials and analysts involved in weapons sales say the rules have become unclear as the push to equip allies in the global war on terror has blazed new but uncertain legal ground.

Eagerly stepping into that virgin territory is Defense Solutions, a Pennsylvania-based company that is carving out a small but lucrative niche in a new international arms bazaar. The firm boasts as its advisors a number of influential Washington insiders, such as retired General Barry McCaffrey, the former White House drug czar.

Helping the firm make key connections is Curt Weldon, a former Republican congressman from Pennsylvania at the center of an FBI investigation into alleged conflicts of interest during his time in office. Weldon, now a key executive at Defense Solutions, is working with the company to set up these weapons deals.

Defense Solutions has also proposed refurbishing Libya's BTR-60 armored personnel carriers, according to a sales proposal seen by Wired.com. Defense Solutions denies drafting a sales proposal to Libya.

It's an unusual, if not an entirely unexpected chapter for Weldon, whose time in office included frequent trips to Russia. As an influential member of the House Armed Services Committee, Weldon pushed for multibillion-dollar defense programs, like ballistic missile defense, and earned a reputation as a foreign policy gadfly, boasting of his contacts with officials in nations labeled by the administration as "rogue states" such as Libya and North Korea. Weldon's wild claims about a 9/11 cover-up and his sensationalist book warning of an Iranian terror plot, sometimes earned him official scorn and public ridicule, but it was accusations that he steered contracts to Eastern European businesses linked to his daughter's lobbying firm that drew the government's attention.

Weldon was voted out of office in 2006 just weeks after the FBI raided his daughter's home, and that of one of her associates.

Weldon did not respond to e-mails and phone requests to be interviewed or comment for this article. But in a 2006 interview, before the FBI probe was public, Weldon spoke enthusiastically about setting up a "front company" to work with the Russian arms agency, Rosoboronexport. Weldon hoped this company could sell weapons to the Middle East, and other regions, particularly to countries where the U.S. has strained relations. He claimed the director of Rosoboronexport approached him to work with "an American company that would act as a front for weapons these nations want to buy."

Weldon called the proposal an "unbelievable offer."

The administration, he acknowledged at the time, did not welcome the idea of an American company selling Russian weapons to potentially unfriendly countries. But two years later, Weldon, now a private citizen and chief strategic officer for Defense Solutions, appears to be working on precisely that sort of deal. And whether illegal or not, Defense Solutions' business represents a new phenomenon in the international arms trade business.

In years past arms brokers -- firms or individuals who serve as middlemen to facilitate weapons sales between countries -- were largely the stuff of spy thrillers. Unlike traditional American defense companies, like Lockheed Martin or Boeing, which typically sell weapons directly to NATO countries or other governments regarded as friendly to the United States, brokers are often small outfits run by people with sometimes questionable experience and reputations they will sell to anyone. One of the most infamous arms brokers, a Russian named Viktor Bout, is charged by the United States, United Nations, Interpol and others of funneling arms to terrorists and rebels around the world. He was recently arrested in Thailand. The United States is requesting his extradition on charges of supplying arms to a terrorist organization.

Two Marines lower the trim vane on the front of an Iraqi BMP-1 mechanized infantry combat vehicle that was captured during Operation Desert Storm. The American defense consulting firm Defense Solutions has proposed refurbishing Libya's aging fleet of BMP-1s. Defense Solutions denies drafting a sales proposal to Libya.

But ironically, Iraq has fueled a new market for these professional middlemen; the United States is funneling billions of dollars into modernizing Iraq's army so that the country's government can fend for itself after coalition troops withdraw. And Iraq's largely Soviet-equipped military is a natural market for Eastern European countries brimming with old or out-of-date equipment they would like to unload. The middlemen, in these cases, serve a key role by allowing the U.S. government to do business with an American company, which in turn buys equipment from Eastern Bloc countries in deals worth hundreds of millions of dollars, much of it financed with U.S. taxpayer dollars.

One of Defense Solutions' sales -- a deal to sell Hungarian-owed T-72 tanks to Iraq in 2005 -- was typical of these new foreign military sales. But on the more questionable side is the company's plans to work with Rosoboronexport, which is barred from doing business with the U.S. government, and Libya, which is still on the State Department's arms embargo list.

The Eastern European-Middle East arms-brokering business, while in some cases sanctioned by the U.S. government, has run into problems, including outright corruption and quality. Defense contractor Dale Stoffel, the president of Wye Oak Technology, and another American were gunned down in Iraq in December 2004 after Stoffel alleged that the Iraqi Ministry of Defense was involved in a kickback scheme. Like Defense Solutions, the company Stoffel worked for was refurbishing the Iraq's army Eastern Bloc equipment.

Another problem is quality. Weapons from the former Soviet Bloc, which the U.S. military euphemistically calls "nonstandard equipment," have been flagged as substandard, acknowledges Brigadier General Charles Luckey, who is in charge of security assistance at Multi-National Security Transition Command-Iraq. In an interview from Iraq, Brigadier General Luckey said: "One of the frustrating things about buying nonstandard [weapons], is that I'm the guy who has to deal with the fact that some broker I've never heard of allowed weapons to get to Iraq before they were inspected."

Defense Solutions is carving a new niche in the arms trade, selling Soviet-made weapons to Middle Eastern countries like Afghanistan and Iraq. Defense Solutions sold Hungarian-owed T-72 tanks to Iraq in 2005.

In one high-profile case, Iraqi officials alleged that a corrupt firm sold them $400 million in shoddy helicopters from Poland. More recently, a company led by a 21-year-old and a former masseur was offered a U.S. government contract worth nearly $300 million to sell ammunition to Afghanistan. The ammunition turned out to be outdated and of dubious origin and several people connected with the company have been indicted. A congressional investigation concluded that the company, which was on a State Department watch list, was able to take advantage of regulatory loopholes by using middlemen.

For those concerned about illicit arms trade, this new wave of weapons deals is rife with the potential for corruption and abuse, but for companies eager to pursue markets once regarded as dubious, it represents a lucrative business opportunity. The problem in these cases, according to those familiar with arms sales, is that it's no longer clear what's legal and what's not.

Rachel Stohl, an expert on international arms trade and a senior analyst at Center for Defense Information, says that in many ways, the rush to equip Iraq has led the United States to throw caution to the wind. She points to a report by the Government Accountability Office last year that found that some 190,000 weapons sold to Iraq have gone missing. "I think the reality is we won't know, until way after the fact, about all of these irregularities with the Iraq weapons provision program," she said. "We were providing them all these assault rifles that have gone missing. Why? They were not following the standard procedures that were in place."

But Iraq and Afghanistan aren't the only markets available to arms brokers like Defense Solutions. The gradual normalization of relations with Libya opens another door into a quasi-legal area of sales.

Like Iraq, Libya has a substantial arsenal of Soviet-origin military weapons, offering a potential market for brokers working with Russia and other former Soviet states. But even when there's not an outright ban, sales to the Middle East are often fraught with controversy, particularly to countries like Libya, which was under international sanction for more than a decade. Even as sanctions against it have been lifted, European companies proposing to sell arms to Libya have faced steep criticism, particularly since the country is still ruled by dictator Muammar Gaddafi, who took power in a military coup in 1969.

While the United States lifted Libya's "state sponsor of terrorism" designation in 2006, other restrictions, such as on the sale of arms, remain in place. A State Department spokesperson confirmed that exports of "lethal munitions" to Libya, such as tanks or related equipment, are still banned, although sales of nonlethal equipment are now allowed on a case-by-case basis.

In late March, Weldon traveled to Libya for a weeklong trip at the invitation of the Gaddafi Foundation, a group run by the son of Libya's leader, and the chairman of Libya's foreign affairs committee, according to the report he sent to Defense Solutions (.pdf), a copy of which was obtained by Wired.com. The trip reports states: "Agreement reached for Weldon to quickly return to Libya for meetings with son [of Libyan leader Gaddafi] Morti regarding defense and security cooperation."

A document dated April 16, just two weeks after Weldon's trip, outlines Defense Solutions' proposal to Libya to refurbish the country's fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles, and BTR-60 armored personnel carriers. A copy of the sales proposal, also provided to Wired.com, is on Defense Solutions' letterhead, appears to bear the signature of company CEO Timothy Ringgold, and is addressed to Libya's defense procurement council. "Defense Solutions is committed to delivering a full end-to-end solution to its clients," the proposal states. "Besides refurbishing these vehicles, we are capable of providing a full logistics support package, including a two year supply of spare parts, maintenance and repair services, and operator, maintenance, and repair training."

In an interview with Wired.com, Ringgold admitted that he's interested in doing business in Libya and confirms receiving Weldon's trip report from Libya, but denies drafting or signing an arms-sale proposal. "I've never made such a document to Libya," Ringgold insisted, after being read the proposal, and told that his signature is on it.

In addition to the Libyan arms-deal document, Wired.com has also reviewed copies of e-mails from Ringgold discussing the Libyan deal.

While Ringgold denies proposing an arms sale to Libya, he is open about speaking with Rosoboronexport, which has been on a U.S. government sanctions list since 2006, after the Russian state agency allegedly violated the Iran and Syria Nonproliferation Act. An April e-mail provided to Wired.com describes Ringgold, Weldon and Stephan Minikes, a senior advisor to Defense Solutions and a former ambassador, meeting with Rosoboronexport. The conversations included a number of potential deals, including supplying Mi-17 helicopters to Afghanistan and spare parts for Iraq's infantry fighting vehicles. Ringgold wrote to colleagues following the visit, describing the meetings as a "spectacular success," saying the Russian agency "has the ability to undercut all cost proposals from brokers."

Ringgold confirmed those discussions and said that his company has sought to do business with Rosoboronexport. Asked whether Ringgold considers his dealings with Russia to be legal, he argued that U.S. companies could work with Rosoboronexport on a "case-by-case" basis. "The particular purpose of the meeting we had -- and I want to be crystal clear -- was in response to a U.S. government requirement," he said.

A number of officials at the State Department and in the Pentagon, when contacted for this article, could not say whether working with Rosoboronexport is legal or not. A Pentagon spokeswoman said she was familiar with the issue, but deferred the question to the State Department. When asked about Rosoboronexport's status on the blacklist, John Herzberg, a State Department spokesman replied: "What's on there is on there."

Asked whether, given the ban, there was any way a company could legally work with Rosoboronexport, as Ringgold suggested, Herzberg provided an equivocal answer. "At the stage of the process we're at, I'm unable to give you an answer," he said. "You can try elsewhere in government, and maybe they'll be braver than me."

In an interview from Iraq, General Luckey conceded it was a murky area, but said, "My understanding is they are currently on our no-go list."

The confusion over debarred parties has even led the U.S. government into its own legal tangles, according to Jim McAleese, a Washington attorney who specializes in government contracting and foreign military sales. Because the Russian government violated U.S. nonproliferation laws, even NASA had to go to Congress to ensure it could work with Russia on Soyuz flights to the international space station. "What I'm warning you about is, don't be surprised by the confusion," McAleese said. "There are a whole bunch of different statutes that were adopted piecemeal and were never intended to be reconciled."

But it's the very ambiguity of the law that troubles those who monitor export control. "It's highly unusual to do anything with the Russians, particularly Rosoboronexport," said Scott Jones, director of Export Control Programs at the Center for International Trade and Security at the University of Georgia.

Legal or not, reputable American companies simply don't want to work with banned entities, Jones said, for fear of risking their reputations and business. "Even if it's not an outright prohibition, most companies don't want to put themselves in a liability situation that has really bad PR … and they stay away from it," Jones said. "But if that's your business, pimping out arms from the U.S. or Russia, that's the way it works, and you push as much as possible."

Finding any U.S. defense company working with the Russian government at this point would be "remarkable," Jones added.

In the meantime, the future for Weldon is unclear. The FBI investigation continues and Weldon's former chief of staff recently pleaded guilty to a conspiracy charge and is cooperating with the government, notes Melanie Sloan, the executive director of Citizens for Responsibility and Ethics in Washington, which filed a complaint against Weldon in 2004. Sloan speculated that Weldon may be charged with "honest service fraud" for misusing his office for personal gain. "It's an easier standard than bribery," she said. "I wouldn't be surprised [if he's charged] with bribery, but I think it will be honest services fraud."

Ringgold insists that he and Weldon are on the right side of the law. "Everything we do is in strict compliance with international and U.S. law and we operate only in the best interests of the U.S. government," he said. "I didn't serve 30 years in the United States Army to throw that away on a whim."

Asked if Weldon is still working for the company, Ringgold replied: "Absolutely, proudly so."

Gmail, Yahoo and Hotmails CAPTCHA Broken

Thu, 03 Jul 2008 04:36:21 +0000

It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on the top of it next to the opportunity to abuse if for your own malicious purposes. Which is exactly what we have here, an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers :

"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers.

Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Your online security problem is out problem!

Fri, 25 Apr 2008 13:47:40 +0000

This I think, is a very bad idea.
I cant wait to see the mess this will make.

clipped from blogs.ittoolbox.com

Wake up call - Companies can be found liable for doing business with terrorists and ID thieves

Federal Trade Commission’s “Red Flag” program gets ready to go into implementation November first 2008, did you even hear about this?

While a good chunk of this is geared towards identity theft, part of this is based in the original OFAC from the FTC to combat identity theft, and ensure that companies are doing business with reputable people who are really who they say they are. However, many people are not going to be prepared for a mandatory compulsive check of everyone they do business with.

Irish jobs site compromised and personal information accessed

Mon, 31 Mar 2008 06:13:21 +0000

Technorati Tag: Security Breach

Date Reported:
3/27/08

Organization:
Jobs.ie

Contractor/Consultant/Branch:
None

Victims:
Job seekers and applicants

Number Affected:
Unknown

Types of Data:
Information contained on CVs (or resumes) often times including names, addresses, email addresses, phone numbers, job histories and other personal information.

Breach Description:
"A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database."

Reference URL:
Jobs.ie Important Notice
SiliconRepublic
The Irish Times
ElectricNews.net Ltd.

Report Credit:
Jobs.ie

Response:
From the online sources cited above:

A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database.
[Evan] Hacked?

It is understood that the hackers used an illegally obtained log-in and password given to employers who are registered with Jobs.ie to access the job applications area of the site. They then downloaded personal information from CVs submitted, along with job applications.
[Evan] How do you suppose that the "hackers" came into the possession of a log-in and password? Did they get it from a stolen laptop or other piece of equipment? Did they get it from someone's Post-It note? Did they socially engineer a legitimate user? Let's suppose that the "hackers" obtained the log-in through social engineering, or a social engineering type of attack. When most people think of a "hack" they think of some sophisticated and sleuthy high-tech intrusion. Although these "hacks" do exist, this is not how most criminals access confidential information without authorization. Many intrusions take place through relatively easy exploits such as convincing someone to give you their password (i.e. social engineering, phishing, etc.).

Several CVs were downloaded before Jobs.ie was alerted. While the company has not yet given exact figures on the number of its members who had private data stolen, it says an investigation is now under way
[Evan] Social engineering attacks are typically very difficult to prevent AND detect. Monitoring "legitimate" username and password access to data and looking for patterns of possible abuse is a sophisticated science and the amount of collected information can be enormous. It is usually easy to detect common network and host-based technical attacks because the patterns of traffic and commands differ from what would be considered "normal". Social engineering attacks can and often do go unnoticed.

Most of the stolen information relates to archive CVs rather than those of people now looking for jobs.

All site members whose CV was downloaded illegally were contacted immediately by Jobs.ie and alerted to the hacking
[Evan] Kudos to Jobs.ie for doing the right thing. Immediate notification is excellent.

The email stated: "Unfortunately your CV was one of the records taken. I understand and apologise for the concern this will cause you and I want to assure you that we are taking steps to prevent this happening again."

The email, signed by Huw Taylor, general manager of Jobs.ie, goes on to warn those whose personal data has been compromised to "exercise extra caution while conducting online activity".

It warns users of the possibility of being contacted by someone claiming to be a reputable company and asking for personal details or banking information.

Brian Honan of online security consultancy BH Consulting says on his firm’s official blog that there are no mandatory breach disclosure laws in Ireland and that Jobs.ie should be "commended for coming clean about the incident" and doing so within 24 hours of the breach.
[Evan] I agree with Brian.

Contrary to media reports, the DPC told ENN that, as of Monday morning, it had yet to be formally contacted in relation to the matter. The DPC said that the nature of the potential data lost was a cause for concern.

An IT professional who’s CV was one of those downloaded from Jobs.ie told siliconrepublic.com: "The worst that could happen is identity theft. It depends how much information you have on your CV too, some people are really foolish and put on PPS numbers and all sorts. Stealing CVs can be really handy for guessing or resetting peoples passwords."
[Evan] I wonder if this is a misquote. "The worst that could happen is identity theft."

Because most people would include an email address and mobile phone number on their CV, he said that as well as phishing or identity theft, there was also a risk of spamming.

Anthony Gibbons, another affected Jobs.ie member, said to siliconrepublic.com: "This is far more significant than the loss of encrypted personal data from the blood services."

"The fact that this information was illegally gathered increases the possibility of it being illegally used. This would include seeking personal loans and credit cards, identity theft, seeking false ID such as a driving licence or birth certificate, and identity cloning."

"Most people are reasonably aware about the dangers associated with unsolicited e-mails but they might be more inclined to be more responsive to someone who rang them claiming to be from their bank,"

Victims of the security breach who contacted The Irish Times said they had "grave concerns" in relation to their exposure to identity theft.

A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have. Please call +353 (0)1 680 8699 or email info@jobs.ie

Commentary:
It is unlikely that a criminal could use the information obtained in this attack for identity theft, directly. The information could be used to glean further information from the victims, which in turn could lead to identity theft. The criminals gained information that wasn't meant for general public consumption. If I were a victim, I would be much more vigilant and on alert.

Past Breaches:
"Jobs.ie, one of the State's largest recruitment sites, said it had never before had such a breach."

Why you nearly need a P.I. to help you hire a private investigator

Sat, 01 Mar 2008 17:28:00 +0000

So, you need a private investigator to help you catch your cheating spouse, or to work undercover in your business to find out who has been stealing or to follow the employee who is claiming workman’s comp, but you’ve heard he plays golf every weekend. What are you to do?

The first thing I would tell you is NOT to go to the yellow pages and pick out 5 phone numbers and ask how much they charge an hour. Hourly charges mean nothing. Think about it, how many of us would call up a doctor or dentist’s office and ask how much they charge an hour? Not to compare investigators with the medical profession, but your first priority should be: are they qualified to do the job?

This is the information age. You can research anything you want in mere seconds, without leaving the comfort of your own home. If you are looking for a private investigator in Washington D.C., or San Francisco, go to one of the main search engines and bring up all of the investigators located within a 30 - 50 mile radius. Do not worry if they are a little further away. Eventhough they will all charge you mileage, the more professional companies will have investigators spread out around the State or city in which they operate.

This is where you need to think like an investigator yourself and it doesn’t matter if you are the CFO of a $100 million dollar corporation or a stay-at-home mom. Her are some points you should seriously consider:
• Do they have a website
• Do they list a physical address
• Does their website list everything out clearly and concisely or do you feel more confused after reading it for five minutes
• Do they belong to reputable associations, both local and national
• Do they accept major credit cards
• Are they known for anything else – published books, white papers, speaking engagements, seminars, etc.

In 2008, there is absolutely no reason why a company would be without a website. A website “under construction” is nearly as bad. Several years ago it could be chalked up to cost. Smaller companies could not afford to pay many thousands for a site but these days you can have a website up and running in days for a couple hundred dollars.

A company who does not have a website, for the most part, is a company who is either not legal and must “fly under the radar”, or who is not making enough money to spend on one. If you hire a) an illegal company, you yourself could wind up being sued and if you hire b) the company who nobody else is hiring, you’ll soon find out why – but not before you have wasted your hard-earned money.

Any legitimate security company needs to let people know who they are and what they do. In order to achieve this, they belong to professional associations – local, national and even international. International associations are a good indicator that this firm is held in such a high regard that they command the respect of investigators around the world. Examples of international associations are: The Council of International Investigators (www.CII.org), INTELNET and the Society of International Business Fellows (SIBF).

Once again, do not be fooled because a security person tells you their company does international work or because he calls the company “Smith Worldwide Protection”. Ask for references. Most of the time, clients need to remain confidential, so ask for the name of the Chamber of Commerce to which they belong. Call up the Chamber, or the investigation association or the State Agency where they say they are licensed and ask if they are: 1) known, 2) currently licensed and insured and 3) have any complaints filed/received any disciplinary action.

Remember, the best source will always be a personal referral. Failing that, decide after you have done a little bit of research. ALWAYS ask to see their investigator’s license or registration AND a copy of their insurance certificate. If they can not show you insurance, walk away or close the door. If I am hiring a plumber or carpenter or electrician, I will always ask for their insurance. If they do not have it and anything goes wrong, what will be your recourse? Even if you are hiring a security guard for your business – make sure that guard’s company provides a copy of insurance.

I would even go as far to say make sure that they just don’t have minimum coverage. Even though the Department of Criminal Justice mandates that security companies in Virginia only need $100,000 worth of coverage, we voluntarily carry liability insurance of $5 million. We do this to better protect our clients. If a person ever sues, they are probably going to go for millions, not thousands.

If the security company you hire only carries the minimum $100,000 and a customer is suing for $1 million, who do you think they are going to go after? You of course. On the other hand, had the security company carried a higher amount of liability insurance, they could have just sued the security company.

There will not be a huge difference in price wherever you are. In the Washington D.C. area, prices vary from around $100 - $150 per hour. It is normal to want the best deal that can be had and nearly everybody likes to save money. However, if you wind up hiring an inexperienced company who nobody has heard of and who uses young inexperienced people to conduct the investigations, then the money that you thought you were “saving” could turn out to be a total waste.

Here is an example: Company “A” is run by a young ex-soldier who joined the army at 18 and separated from the military after four years of service. He was a corporal and after he got out, he went to work for a local security company for a couple of years as a supervisor visiting buildings where other guards stood on post.

According to the State regulations, he could be granted a security business license based on having three years of supervisory security experience. He can not afford to hire anyone else so he went to a training school for one week and became registered as a private investigator.

Company “B” is run by a retired Police Detective with 15 years experience investigating homicides, five years in the transportation unit where he specialized in vehicular manslaughter investigations and is a court certified expert in accident reconstruction and cold-case murders. He too owns his own company and employees a retired F.B.I. agent and three former detectives with decades of experience in white-collar crime, gang activities, narcotic trafficking and sexual predators.

They both ask for a retainer of $1500.00 (retainers are usually $1500 - $3,000, depending on the length of time your case is estimated to take). You choose company “A” because they tell you that they charge $95.00 an hour while company “B” charges $145.00. However, after attempting to follow a subject for four days and losing them for the first three days and getting caught by the person they are following, Company “A” is forced to drop out or else you fire them (most likely ending). You can not even hand the case over to another company as the person you had followed knows he is being watched.

Company “A” then gives you an invoice for $20.00, since his botched attempts took 16 hours, which at the “bargain rate” of $95.00 per hour, totals $1520.00. Even if you refuse to pay the additional $20.00, you are out $1500.00 with nothing to show for it. Most probably the more exspensive company, “B”, would have accomplished the goal in about 2 days, at 5 hours a day, costing you $1450. With company “B” you would have had a professional product/service and had an investigator capable of testifying in court to support your case if that was subsequently needed.

The motto is: Beware of false bargains, for at the end of the day, you get what you pay for. Good luck with your search and don’t rush into it.

The US Air Force declares war on blogs!

Wed, 27 Feb 2008 17:44:15 +0000

Whenever I read about China censoring internet access to its citizens, forcing Google and Yahoo to not show certain sites, I smile a smug, holier than thou smile and shake my head about how a government can do that to its people and get away with it. Why would those people put up with it? So I must say "in a day that will live in infamy" I was very chagrined to read this article in Wired by Noah Shactman, reporting that just about any site with the word blog in it is banned from our troops in the Air Force. From what I understand this is limited to the Air Force and not our other armed services.

I use the term our troops, not their troops, because this isn't some foreign, totalitarian country or despotic dictatorship we are talking about, where the troops have to be watched so they don't cross over to the other side. These are the men and woman who put their butts on the line, risking their lives every day for us all to enjoy the freedom to read any damn site on the internet we want to. The irony of these very same front line heroes who provide the blanket of freedom that we all sleep under, not being able to read any blog they feel like is not lost on me and should not be lost on you either! If they are smart enough and good enough to protect our country they should be smart enough to be allowed to choose what they want to read on line and should have the freedom to read news and commentaries on blogs as they see fit.

The idea that we are censoring the news our service men and woman can read disturbs me on many levels. Besides what it says about a lack of trust in our troops, it also disturbs me that someone actually says "they can still access news sources that are "primary, official-use sources," said Maj. Henry Schott, A5 for Air Force Network Operations. "Basically ... if it's a place like The New York Times, an established, reputable media outlet, then it's fairly cut and dry that that's a good source, an authorized source," Who decides what primary, official-use sources? It gets worse, "Often, we block first and then review exceptions," said Tech. Sgt. Christopher DeWitt, a Cyber Command spokesman. Shoot first and ask questions later, huh? The arrogance of this galls me. If you told me this was some North Korean General or Politburo member from the old Soviet Union, I could see it in a second. But spokespeople of the US Air Force? Where have we gone wrong?

Some make the argument that blogs are not really media outlets. Can the people making policy at the Air Force be that naive? Others say that there is so much BS on blogs that Air Force folks are "baited" into commenting and possibly giving away operational security information. That sounds to me like a social engineering problem, not a blog problem.

Yeah, I know there is a war on. Are we afraid our Air Force men and woman are going to all go to some Arabic-Al Queda web sites and be brainwashed? Is their some terrorist worm they will get by going to a web site that spouts ideas different than "primary, official-use sources? What scares the Air Force so much that they would take such action? If you feel like I do about this, lets do something about it. Lets write to the Secretary of Defense, Joint Chiefs of Staff, Congressmen, Senators, whoever, but lets return freedom of the press and freedom of speech to our troops who put their lives on the line so we can enjoy those rights!

The US Air Force declares war on blogs!

Wed, 27 Feb 2008 16:44:35 +0000