Wednesday, March 31, 2010

Gaming Apps Increase Spam, Phishing by 50 Percent

Gamers beware – the next person you add to your gaming social network could be a spammer or phisher.

A new report from BitDefender found that gaming applications increase spam and phishing by more than 50 percent in social networks.

While most users of social networks are somewhat selective in whom they add to their circle of friends – filtering out those they suspect to be spammers – gamers often willingly add suspicious friends in an effort to expand their player community. Some entertainment apps require users to amass a large number of friends and supporters in order to attain high scores, prompting players to add people they might not normally add.

The most "successful" spammers are those that copy existing profiles.

BitDefender researchers created fake accounts to test this theory – one with no photo and few details, another with a photo and limited information, and a third with a photo and detailed personal information.

BitDefender used these profiles to subscribe to a generic interest group. After an hour, the first profile made 23 connections, the second made 47, and the third made 53. When BitDefender subscribed to social games groups, however, the acceptance rate increased. After 24 hours, the first profile had 85 connections, the second had 108, and the third had 111 connections.

"Users are more likely to accept spammers in their friends list when they are in a social network than in any other online communication environment," George Petre, BitDefender threat intelligence team leader and author of the case study, said in a statement.

Once spammers or phishers are accepted into a group, members run the risk of data and ID theft, hijacked accounts due to malware, and other threats. BitDefender found that 24 percent of people who accepted friend requests from the dummy accounts clicked a shortened URL even though they didn't know the person or where the link led.

Facebook Bug Exposes Users’ Hidden E-mail Addresses

Last night Facebook experienced a hiccup during an update to the site’s code that publicly exposed members’ private e-mail addresses.

The privacy blunder was first discovered by Gawker — which estimates that e-mail addresses were exposed for 30 minutes late Tuesday night — and has been confirmed by Facebook.

A representative from Facebook explained the glitch in the following statement sent to us via e-mail:

“Last night during Facebook’s regular code push, a bug caused hidden e-mail addresses to be visible briefly. The bug was detected within minutes and corrected.”

Monday, March 29, 2010

Personal Data on 3.3 Million Student-Loan Borrowers Is Reported Stolen

ECMC Group Inc., a student-loan guarantee agency in Minnesota, acknowledged on Friday a data breach in which the personal information of 3.3 million borrowers, including their Social Security numbers, was compromised.

Guarantee agencies such as ECMC are the private entities that, under the U.S. government's system of federally subsidized student loans, collect government money and then turn around and pay it to private loan companies when borrowers default on their student loans.

ECMC said in a written statement that the affected borrowers would be notified and given free credit protection and monitoring services. "We deeply regret that this incident occurred and the stress it has caused our borrowers," ECMC's president and chief executive, Richard J. Boyle, said in the statement.

ECMC's admission of the data theft came one day after Congress voted to shut down the bank-based system of student lending in favor of direct lending by the Education Department, in part because of the cost and complexity of the bank-based system.

Thursday, March 25, 2010

Suspected Twitter infiltrator: 'I'm a nice hacker'

He's unemployed and isn't much of a computer expert. The Frenchman accused of infiltrating Twitter and peeping at the accounts of President Barack Obama and singers Britney Spears and Lily Allen says he wanted to reveal just how vulnerable online data systems are to break-ins — and he says he didn't mean any harm.

"I'm a nice hacker," suspect Francois Cousteix told France 3 television Thursday, a day after he was released from police questioning, adding that his goal was to warn Internet users about data security.

"Hacker Croll," as he was known online, is accused of breaking into Twitter administrators' accounts and copying confidential data — as well as peeping at Obama's and the singers' accounts, though he didn't have access to sensitive information about them, a French prosecutor said.

FBI agents sat in on the sessions while French police questioned the young man for two days, said Jean-Yves Coquillat, prosecutor in Clermont-Ferrand, where the suspect will be tried in June for hacking.

If convicted on the charge of breaking into a data system, he risks up to two years in prison and a €30,000 ($40,068) fine. The suspect lives near Clermont-Ferrand in central France.

"He says it's the challenge, the game, that made him do it," Coquillat said. Officials say preliminary investigations suggest Hacker Croll did not tweet in other people's names or try to make money out of his information.

"He had access to elements that were so confidential that he could very well have profited from them" through blackmail, for example, said Adeline Champagnat of the French police office on information technology crimes.

She compared the hacker's actions to "a burglar breaking into the headquarters of a big company, able to look at the files of all the employees and clients, with their passwords and confidential information."

"In a way, he succeeded in taking control of Twitter," Champagnat said. AFP

Inside a global cybercrime ring

Hundreds of computer geeks, most of them students putting themselves through college, crammed into three floors of an office building in an industrial section of Ukraine's capital Kiev, churning out code at a frenzied pace. They were creating some of the world's most pernicious, and profitable, computer viruses.

According to court documents, former employees and investigators, a receptionist greeted visitors at the door of the company, known as Innovative Marketing Ukraine. Communications cables lay jumbled on the floor and a small coffee maker sat on the desk of one worker.

As business boomed, the firm added a human resources department, hired an internal IT staff and built a call center to dissuade its victims from seeking credit card refunds. Employees were treated to catered holiday parties and picnics with paintball competitions.

Top performers got bonuses as young workers turned a blind eye to the harm the software was doing. "When you are just 20, you don't think a lot about ethics," said Maxim, a former Innovative Marketing programmer who now works for a Kiev bank and asked that only his first name be used for this story. "I had a good salary and I know that most employees also had pretty good salaries."

In a rare victory in the battle against cybercrime, the company closed down last year after the U.S. Federal Trade Commission filed a lawsuit seeking its disbandment in U.S. federal court.

An examination of the FTC's complaint and documents from a legal dispute among Innovative executives offers a rare glimpse into a dark, expanding -- and highly profitable -- corner of the internet.

Innovative Marketing Ukraine, or IMU, was at the center of a complex underground corporate empire with operations stretching from Eastern Europe to Bahrain; from India and Singapore to the United States. A researcher with anti-virus software maker McAfee Inc who spent months studying the company's operations estimates that the business generated revenue of about $180 million in 2008, selling programs in at least two dozen countries. "They turned compromised machines into cash," said the researcher, Dirk Kollberg.

The company built its wealth pioneering scareware -- programs that pretend to scan a computer for viruses, and then tell the user that their machine is infected. The goal is to persuade the victim to voluntarily hand over their credit card information, paying $50 to $80 to "clean" their PC.

Scareware, also known as rogueware or fake antivirus software, has become one of the fastest-growing, and most prevalent, types of internet fraud. Software maker Panda Security estimates that each month some 35 million PCs worldwide, or 3.5 percent of all computers, are infected with these malicious programs, putting more than $400 million a year in the hands of cybercriminals. "When you include cost incurred by consumers replacing computers or repairing, the total damages figure is much, much larger than the out of pocket figure," said Ethan Arenson, an attorney with the Federal Trade Commission who helps direct the agency's efforts to fight cybercrime.

Groups like Innovative Marketing build the viruses and collect the money but leave the work of distributing their merchandise to outside hackers. Once infected, the machines become virtually impossible to operate. The scareware also removes legitimate anti-virus software from vendors including Symantec Corp, McAfee and Trend Micro Inc, leaving PCs vulnerable to other attacks.

When victims pay the fee, the virus appears to vanish, but in some cases the machine is then infiltrated by other malicious programs. Hackers often sell the victim's credit card credentials to the highest bidder.

Removing scareware is a top revenue generator for Geek Choice, a PC repair company with about two dozen outlets in the United States. The outfit charges $100 to $150 to clean infected machines, a service that accounts for about 30 percent of all calls. Geek Choice CEO Lucas Brunelle said that scareware attacks have picked up over the past few months as the software has become increasingly sophisticated. "There are more advanced strains that are resistant to a lot of anti-virus software," Brunelle said.

Anti-virus software makers have also gotten into the lucrative business of cleaning PCs, charging for those services even when their products fall down on the job.

Charlotte Vlastelica, a homemaker in State College, Pennsylvania, was running a version of Symantec's Norton anti-virus software when her PC was attacked by Antispyware 2010. "These pop-ups were constant," she said. "They were layered one on top of the other. You couldn't do anything."

So she called Norton for help and was referred to the company's technical support division. The fee for removing Antispyware 2010 was $100. A frustrated Vlastelica vented: "You totally missed the virus and now you're going to charge us $100 to fix it?"


"It's sort of a plague," said Kent Woerner, a network administrator for a public school district in Beloit, Kansas, some 5,500 miles away from Innovative Marketing's offices in Kiev. He ran into one of its products, Advanced Cleaner, when a teacher called to report that pornographic photos were popping up on a student's screen. A message falsely claimed the images were stored on the school's computer.

"When I have a sixth-grader seeing that kind of garbage, that's offensive," said Woerner. He fixed the machine by deleting all data from the hard drive and installing a fresh copy of Windows. All stored data was lost.

Stephen Layton, who knows his way around technology, ended up junking his PC, losing a week's worth of data that he had yet to back up from his hard drive, after an attack from an Innovative Marketing program dubbed Windows XP Antivirus. The president of a home-based software company in Stevensville, Maryland, Layton says he is unsure how he contracted the malware.

But he was certain of its deleterious effect. "I work eight-to-12 hours a day," he said. "You lose a week of that and you're ready to jump off the roof."

Layton and Woerner are among more than 1,000 people who complained to the U.S. Federal Trade Commission about Innovative Marketing's software, prompting an investigation that lasted more than a year and the federal lawsuit that sought to shut them down. To date the government has only succeeded in retrieving $117,000 by settling its charges against one of the defendants in the suit, James Reno, of Amelia, Ohio, who ran a customer support center in Cincinnati. He could not be reached for comment.

"These guys were the innovators and the biggest players (in scareware) for a long time," said Arenson, who headed up the FTC's investigation of Innovative Marketing.

Innovative's roots date back to 2002, according to an account by one of its top executives, Marc D'Souza, a Canadian, who described the company's operations in depth in a 2008 legal dispute in Toronto with its founders over claims that he embezzled millions of dollars from the firm. The other key executives were a British man and a naturalized U.S. citizen of Indian origin.

According to D'Souza's account, Innovative Marketing was set up as an internet company whose early products included pirated music and pornography downloads and illicit sales of the impotence drug Viagra. It also sold gray market versions of anti-virus software from Symantec and McAfee, but got out of the business in 2003 under pressure from those companies.

It tried building its own anti-virus software, dubbed Computershield, but the product didn't work. That didn't dissuade the firm from peddling the software amid the hysteria over MyDoom, a parasitic "worm" that attacked millions of PCs in what was then the biggest email virus attack to date. Innovative Marketing aggressively promoted the product over the internet, bringing in monthly profits of more than $1 million, according to D'Souza.

The company next started developing a type of malicious software known as adware that hackers install on PCs, where it serves up pop-up ads for travel services, pornography, discounted drugs and other products, including its flawed antivirus software. It spread that adware by recruiting hackers, whom it called "affiliates," to install it on PCs.

"Most affiliates installed the adware product on end-users' computers illegally through the use of browser hijacking and other nefarious methods," according to D'Souza. He said that Innovative Marketing paid its affiliates 10 cents per hijacked PC, but generated average returns of $2 to $5 for each of those machines through the sale of software and products promoted through the adware.

Tuesday, March 23, 2010

Symantec names riskiest U.S. cities for cybercrime

Seattle No. 1, Boston, DC, San Francisco, Raleigh round out top five

Seattle is the most dangerous city in the U.S. when it comes to cybercrime, Symantec said today.

The Northwest sported two of the top 10, with Portland, Ore., ranked No. 10 in the list of the nation's 50 largest metro areas. Rounding out the first five were Boston, Washington D.C., San Francisco and Raleigh, N.C. Atlanta, Minneapolis, Denver, and Austin, Texas completed the top 10.

At the bottom, as in least dangerous, were Detroit (No. 50); El Paso, Texas (No. 49); and Memphis, Tenn. (No. 48).

"I look at it like driving a car," said Dan Nadir, the director of product management for Symantec. "Your risk of an accident is going to be greater the more you drive. If you're online more, you need to be more cautious, just like the more you're on the road, the more you should wear your seatbelt, have airbags and rotate your tires."

Symantec partnered with Sperling's BestPlaces to come up with the rankings, which relied on data from the former's security response team for factors including the number of malicious attacks, infected machines and spam-spewing zombies per capita. Sperling's contributed data on the prevalence of computer ownership, Internet use and potentially risky online activities, including online banking and online shopping. Also factored into the rankings was the number of free WiFi hotspots per capita.

"WiFi is a big concern," acknowledged Nadir, "because it's something most people don't understand, and most don't know who is behind that hotspot, or if it's even legitimate."

Each city's score was calculated by adding the point totals for each criterion, which were based on their relation to other cities' scores. The city with the highest total for each factor -- indicating the riskiest of the 50 -- was scored as 100, while the city with the lowest total was given 0.

Seattle topped the list with a total score of 188.2, beating second-place Boston and Washington D.C., which scored 176.6 and 174, respectively. Last place Detroit, meanwhile, came in with a score of 7.5.

Seattle, which counts Amazon and Microsoft among area technology companies, received the riskiest city award because it scored in the top 10 in every criterion, and took the No. 2 spots for both WiFi availability and risky behavior. By Symantec's definition, the latter includes such chores as buying goods online, banking online and simply going online multiple times each day.

Nadir was surprised by Seattle's ranking. "I would have said San Francisco," he admitted, citing that city's reputation for being an even hotter hotbed of technology than Seattle, as well as its lead in public WiFi locations. The only reason why San Francisco wasn't the most dangerous was because its cybercrimes rating -- the number of attacks, potential infections, infected bots and spamming systems -- was a relatively low No. 17.

"That's what separated it from Seattle," Nadir said.

Like any scoring system, whether for best places to live, most expensive to eat in, or in this case, most dangerous to people wielding a computer, the Symantec ranking doesn't portray the experiences of everyone who lives there, Nadir acknowledged. "The number one thing to take away from this, I think, is the awareness that if you're online more, you need to be more cautious," he said.

Complete Rankings – Cybercrime Cities Worst to Best

1. Seattle

2. Boston

3. Washington, D.C.

4. San Francisco

5. Raleigh, N.C.

6. Atlanta

7. Minneapolis

8. Denver

9. Austin, Texas

10. Portland, Ore.

11. Honolulu

12. Charlotte, N.C.

13. Las Vegas

14. San Diego

15. Colorado Springs, Colo.

16. Sacramento, Calif.

17. Pittsburgh

18. Oakland, Calif.

19. Nashville-Davidson, Tenn.

20. San Jose, Calif.

21. Columbus, Ohio

22. Dallas

23. Kansas City, Mo.

24. New York

25. Indianapolis

26. Albuquerque, N.M.

27. Miami

28. Omaha, Neb.

29. Virginia Beach, Va.

30. Los Angeles

31. Cincinnati, Ohio

32. Houston

33. St. Louis, Mo.

34. Phoenix

35. Chicago

36. Baltimore

37. Oklahoma City

38. Philadelphia

39. Jacksonville, Fla.

40. Tulsa, Okla.

41. San Antonio

42. Milwaukee

43. Cleveland

44. Tucson, Ariz.

45. Long Beach, Calif.

46. Fort Worth, Texas

47. Fresno, Calif.

48. Memphis, Tenn.

49. El Paso, Texas

50. Detroit, Mich.

Sunday, March 21, 2010

Malware Infected Memory Cards of 3,000 Vodafone Mobiles

Malware-tainted memory cards may have ended up on as many as 3,000 HTC Magic phones, a greater number than first suspected, Vodafone said Friday.

The problem came to light earlier this month after an employee of Panda Security plugged a newly ordered phone into a Windows computer, where it triggered an alert from the antivirus software.

Further inspection of the phone found the device's 8GB microSD memory card was infected with a client for the now-defunct Mariposa botnet, the Conficker worm and a password stealer for the Lineage game.

Vodafone said then it was an isolated incident, but an employee at Spanish security company S21sec discovered another phone with an infected card, which it sent to Panda. That phone was purchased directly from Vodafone's Web site in the same week as the first phone, according to Panda.

It is unclear how the batch of memory cards became infected although an investigation is under way, said a spokesman for Vodafone in Spain. There are no problems with either the HTC Magic phone or its Android OS. The malware only affected phones sold in Spain.

Vodafone will send a letter along with a new memory card to affected customers, the spokesman said. The letter will contain instructions for how customers can give their PCs free antivirus scans on Panda's Web site, which partners with Vodafone. He said Vodafone will give security software to people whose computers have become infected as a result of plugging in an infected HTC phone.

Saturday, March 20, 2010

Bad BitDefender update clobbers Windows PCs

Users of the BitDefender antivirus software started flooding the company's support forums Saturday, apparently after a faulty antivirus update caused 64-bit Windows machines to stop working.

The company acknowledged the issue in a note explaining the problem, posted Saturday. "Due to a recent update it is possible that BitDefender detects several Windows and BitDefender files as infected with Trojan.FakeAlert.5," the company said.

The acknowledgement came after BitDefender users had logged hundreds of posts on the topic. Some complained of being unable to reboot their systems.

"EVERY file that is trying to run is getting quarantined," one user, identified as lhmathys, reported. "Windows Explorer and even Bitdefender update itself is being quarantined. Someone really screwed this one up."

"We are in a really terrible position now," wrote another user, identified as ufitec. "We have 150 business clients and most of the pcs [on] which BitDefender thinks everything is virus does not boot any more!!!!"

Craigslist Phishing Scam Alert!

If you get an email that looks like this it is a scam...

Security Account Review!

Craigslist.Account: Log In

We recently noticed an attempt to log in to your, account from a foreign IP address and we have reason to believe that your account was used by third party without your authorization.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. Therefore, if you are the rightful account holder, click on the link below to log into your account for verification.


If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.

If you received this notice and you are not authorizes account holder, please be aware that it is in violation of our, policy to represent oneself as another craigslist, user.

Such action may also be in violation of local, rational, and/or international law. Craigslist is committed to assist law enforcement with any inquires related to attempts

to misappropriate personal information with the intent to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that

impersonators are prosecuted to the fullest extent of the law.

Thank you for your patience as we work together to protect your account.


Craigslist.Account Review Department

Basketball, Facebook and Gossip Are Malware Targets

Cybercriminals have been spreading malware by targeting the subjects users are most interested in. From the Facebook Password Reset Scam to basketball and gossip, web users are getting infected. Basketball brackets are promoting malware and hackers are getting their sites ranked high in searches for actress Sandra Bullock's marriage problems.

Cybercriminals have been busy this week running scams that target Facebook users, college basketball fans, and celebrity gossip watchers. Security experts are warning about recent attacks with nasty payloads.

One widespread attack was a common ploy security researchers call the Facebook Password Reset Scam. The cybercriminals send an e-mail addressed to "user of Facebook" that reads, "Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in the attached document."

McAfee reports that this scam is global. The attachment is malware with downloaders, password-stealing Trojans, fake antivirus software, or bots. The scam ranked six on McAfee's Global Virus Map Top 10, and accounted for as much as 10 percent of the infected e-mail that its software-as-a-service unit is witnessing.

"As we had previously discussed in our 2010 Threat Predictions, social-networking sites will continue to be a favorite social-engineering lure for cybercriminals to distribute malware," said David Marcus, research labs manager at McAfee. "Make sure you are protected and educated."

Facebook Password Reset Email Scam

If you get one of these do not open the attachment, it is a virus!!!

Facebook Password Reset Confirmation!

Customer Message.
Friday, March 19, 2010 8:16 PM
From: "Facebook Accounts"
To:

Message contains attachments: 1 File (48KB)

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.


Your Facebook.

Wednesday, March 17, 2010

How Privacy Vanishes Online

If a stranger came up to you on the street, would you give him your name, Social Security number and e-mail address?

Probably not.

Yet people often dole out all kinds of personal information on the Internet that allows such identifying data to be deduced. Services like Facebook, Twitter and Flickr are oceans of personal minutiae — birthday greetings sent and received, school and work gossip, photos of family vacations, and movies watched.

Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number.

“Technology has rendered the conventional definition of personally identifiable information obsolete,” said Maneesha Mithal, associate director of the Federal Trade Commission’s privacy division. “You can find out who an individual is without it.”

In a class project at the Massachusetts Institute of Technology that received some attention last year, Carter Jernigan and Behram Mistree analyzed more than 4,000 Facebook profiles of students, including links to friends who said they were gay. The pair was able to predict, with 78 percent accuracy, whether a profile belonged to a gay male.

So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.

But the F.T.C. is worried that rules to protect privacy have not kept up with technology. The agency is convening on Wednesday the third of three workshops on the issue.

Its concerns are hardly far-fetched. Last fall, Netflix awarded $1 million to a team of statisticians and computer scientists who won a three-year contest to analyze the movie rental history of 500,000 subscribers and improve the predictive accuracy of Netflix’s recommendation software by at least 10 percent.

On Friday, Netflix said that it was shelving plans for a second contest — bowing to privacy concerns raised by the F.T.C. and a private litigant. In 2008, a pair of researchers at the University of Texas showed that the customer data released for that first contest, despite being stripped of names and other direct identifying information, could often be “de-anonymized” by statistically analyzing an individual’s distinctive pattern of movie ratings and recommendations.

In social networks, people can increase their defenses against identification by adopting tight privacy controls on information in personal profiles. Yet an individual’s actions, researchers say, are rarely enough to protect privacy in the interconnected world of the Internet.

You may not disclose personal information, but your online friends and colleagues may do it for you, referring to your school or employer, gender, location and interests. Patterns of social communication, researchers say, are revealing.

“Personal privacy is no longer an individual thing,” said Harold Abelson, the computer science professor at M.I.T. “In today’s online world, what your mother told you is true, only more so: people really can judge you by your friends.”

Collected together, the pool of information about each individual can form a distinctive “social signature,” researchers say.

The power of computers to identify people from social patterns alone was demonstrated last year in a study by the same pair of researchers that cracked Netflix’s anonymous database: Vitaly Shmatikov, an associate professor of computer science at the University of Texas, and Arvind Narayanan, now a researcher at Stanford University.

By examining correlations between various online accounts, the scientists showed that they could identify more than 30 percent of the users of both Twitter, the microblogging service, and Flickr, an online photo-sharing service, even though the accounts had been stripped of identifying information like account names and e-mail addresses.

“When you link these large data sets together, a small slice of our behavior and the structure of our social networks can be identifying,” Mr. Shmatikov said.

Even more unnerving to privacy advocates is the work of two researchers from Carnegie Mellon University. In a paper published last year, Alessandro Acquisti and Ralph Gross reported that they could accurately predict the full, nine-digit Social Security numbers for 8.5 percent of the people born in the United States between 1989 and 2003 — nearly five million individuals.

Social Security numbers are prized by identity thieves because they are used both as identifiers and to authenticate banking, credit card and other transactions.

The Carnegie Mellon researchers used publicly available information from many sources, including profiles on social networks, to narrow their search for two pieces of data crucial to identifying people — birthdates and city or state of birth.

That helped them figure out the first three digits of each Social Security number, which the government had assigned by location. The remaining six digits had been assigned through methods the government didn’t disclose, although they were related to when the person applied for the number. The researchers used projections about those applications as well as other public data, like the Social Security numbers of dead people, and then ran repeated cycles of statistical correlation and inference to partly re-engineer the government’s number-assignment system.

To be sure, the work by Mr. Acquisti and Mr. Gross suggests a potential, not actual, risk. But unpublished research by them explores how criminals could use similar techniques for large-scale identity-theft schemes.

Tuesday, March 16, 2010

The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

As many as nine million Americans have their identities stolen each year. The crime takes many forms. But when identity theft involves health care, the consequences can be particularly severe.

Medical identity theft happens when a person seeks health care using someone else’s name or insurance information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.

The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft. Is your practice covered by the Red Flags Rule? If so, have you developed your Identity Theft Prevention Program to detect, prevent, and minimize the damage that could result from identity theft?

Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. Your office may already have a fraud prevention or security program in place that you can use as a starting point.

If you’re covered by the Rule, your program must:

  • Identify the kinds of red flags that are relevant to your practice;
  • Explain your process for detecting them;
  • Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
  • Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule — available at — sets out some examples, but here are a few warning signs that may be relevant to health care providers:

Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you — for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.

Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file or from the insurer, fraud could be afoot.

Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.

Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.

Once you’ve identified the red flags that are relevant to your practice, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you request additional documentation? If you’re notified that an identity thief has run up medical bills using another person’s information, how will you ensure that the medical records are not commingled and that the debt is not charged to the victim? Of course, your response will vary depending on the circumstances and the need to accommodate other legal and ethical obligations — for example, laws and professional responsibilities regarding the provision of routine medical and emergency care services. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if your organization or practice doesn’t have a Board, by a senior employee. The Board or senior employee may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers — for example, those who manage your patient billing or debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.

Rule requires veterinarians to have identity theft prevention programs

Veterinarians are not exempt from a new federal rule to prevent identity theft. The Red Flags Rule, which the Federal Trade Commission will begin enforcing May 1, requires creditors to develop programs to prevent, detect, and mitigate identity theft.

The FTC proposed the Red Flags Rule in late 2007, and it took effect in 2008. The commission delayed enforcement until this year because many organizations did not consider themselves to be creditors—not in the same sense as financial institutions, which also fall under the rule. Nevertheless, the rule applies to most organizations that make arrangements to defer payment of debts, including almost all health care providers. Health care providers are creditors under the rule, for example, if they bill clients after completing medical services.

The FTC has offered guidelines for creating identity theft prevention programs that satisfy the requirements of the Red Flags Rule.

The first step is for organizations to identify major warning signs of identity theft, or red flags, that they come across in their line of work. Categories of warning signs include alerts from consumer reporting agencies; suspicious documents, personal information, or account activity; and notices from customers, victims of identity theft, law enforcement authorities, or other entities.

Each organization must write, implement, and administer an ongoing program to detect warning signs and respond appropriately to prevent or mitigate identity theft after finding a red flag. Responses to warning signs could include monitoring accounts or changing account numbers.

Finally, organizations should update their programs periodically to reflect changes in identity theft risks.

The intent behind the Red Flags Rule is good, said Dr. Patricia Wohlferth-Bethke, an assistant director in the AVMA Membership and Field Services Division.

If a veterinarian does not prevent breaches in the security of clients' information, she noted, some clients may choose not to visit that veterinarian again. Also, according to the Principles of Veterinary Medical Ethics of the AVMA, veterinarians and their associates should protect the personal privacy of clients.

Sunday, March 14, 2010

Should Feds Remove Small Practices from Red Flags Compliance?

An author on Red Flags Rule compliance tells HealthLeaders Media that eliminating small practices from complying with the FTC's identity theft prevention program regulation would lead to more identity violations.

In December 2009, the U.S. District Court issued a summary judgment in favor of the American Bar Association that said the Red Flags Rule does not apply to attorneys or law firms.

Piggybacking off that decision, a group that includes the American Dental Association, American Medical Association, American Osteopathic Association, and the American Veterinary Medical Association wrote a letter to the FTC urging it to remove them from compliance. Also, the House passed a bill last year that calls for removing entities with 20 or fewer employees from Red Flags Rule compliance.

The FTC's compliance date with Red Flags has been in effect for nearly a year and a half (November 1, 2008). The enforcement date, however, has been delayed four times. It is now June 1, 2010.

Randy Berry, BA, CPA, financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, says it would be unfortunate if entities with 20 or fewer employees are let off the compliance hook.

"Smaller businesses with small multi-tasking staffs have fewer controls and are more at risk than that of larger businesses with a larger staff size," says Berry, author of the Red Flag Manual and Training CD Package. "Small businesses are more prone to customer identity theft."

Cybercrime surge pushes 2009 losses to 559 million dollars

Losses from cybercrime and online scams more than doubled in 2009 to 559 million dollars as Internet criminals used more sophisticated techniques, an FBI-led task force said Friday.

The report from the Internet Crime Complaint Center (IC3), said losses in the United States linked to online fraud shot up 110 percent from 265 million in 2008, when losses were up just 11 percent.

"The figures contained in this report indicate that criminals are continuing to take full advantage of the anonymity afforded them by the Internet," said Donald Brackman, director of the National White Collar Crime Center, which runs the IC3 with the Federal Bureau of Investigation.

"They are also developing increasingly sophisticated means of defrauding unsuspecting consumers. Internet crime is evolving in ways we couldn't have imagined just five years ago."

Of those complaints reporting monetary loss that were referred to law enforcement, the average loss was 5,580 dollars and the median loss was 575 dollars. This reflects a small number of cases in which hundreds of thousands of dollars were reported to have been lost by the complainant.

One of the newest schemes is a variant of the "hitman scam" which has been used for several years to extort money. A victim receives an email from a member of an organization such as the "Ishmael Ghost Islamic Group" claiming to have a mission to assassinate the person but offering a pardon if money is wired to the scammer.

A familiar scam which has resurfaced offers free astrological readings to persons who provide their birth date and birth location.

These schemes and others such as phony anti-virus software are often tied to identity theft, which is one of the biggest categories, accounting for 14 percent of losses.

Non-delivery of items bought on the Internet was the biggest source of fraud, accounting for 19 percent of losses, and credit card and auction fraud each accounted for 10 percent.

Advance fee fraud -- which includes the so-called Nigerian bank scheme in which a person is asked to wire funds to receive a large sum of money -- remained a major problem, representing 9.8 percent of complaints.

Overall complaints to the center rose 22 percent to 336,655 in 2009.

FBI officials said the surge in online fraud highlights the need for increased consumer vigilance. AFP

Friday, March 12, 2010

Super Ninja Hacker Girl Talks Cyber Security

My kind a' girl!

VoIP and Cybersecurity Regulation

The United States is intensifying its consideration of cybersecurity issues. Congress has introduced legislation that would require the president to establish or designate a cybersecurity panel to advise the president on United States cybersecurity status, vulnerability, and response. The president also has released a cyberspace policy review plan, which outlines the president’s strategy to appoint a cybersecurity coordination official charged with preparation of policies to secure the national information and communications infrastructure, as well as cybersecurity response plans.

The Federal Trade Commission also has recently adopted cybersecurity regulations, often called the “red flag” rules, which will require certain entities, including some VoIP providers, to undertake measures against identity theft. The rules require “creditors” holding “covered accounts” to develop and use an identity theft prevention program to help the entity identify, detect and respond to “red flags,” which may indicate identity theft has occurred. The FTC’s new rules apply to companies that bill for services in arrears, offer installment payment plans, or otherwise defer payment for goods or services. Covered entities can include VoIP providers, carriers, ISPs, and even equipment vendors, depending on how they manage customer accounts and billing. At the request of Congress, the FTC has delayed the enforcement of the “red flag” rules until June 1, 2010.

Rape and Murder of Teenage Girl puts Pressure on Facebook to provide a Panic Button

As a consequence of the tragic death of a teenage girl caused by a man she met on Facebook, a very popular social networking site, Facebook is receiving a lot of pressure from British officials to get a Panic Button showing on the site's web pages.

There has been a whole lot of uproar about the safety of social networking site members, especially vulnerable teenagers.

British child protection authorities have been gathering support for the installation of a one-click panic button on networking sites which can get a person immediate police help if he or she feels there is any risk.

The 17-year-old girl, Ashleigh Hall, was kidnapped, raped and murdered by a man named Peter Chapman, who created a bogus Facebook profile to get close to her online.

It looks like Facebook is going to have to do something about the Panic Button issue, as the Ashleigh Hall Facebook issue does not seem likely to die down without something being done. The Ashleigh Hall and Peter Chapman story has once again highlighted the dangers of meeting people online. Let's hope the Ashleigh Hall case will teach us at least a lesson and will help many more teenagers understand the dangers and avoid them while making friends online.

Thursday, March 11, 2010

Stranger steals identity of grieving Wash. couple's dead baby

A local couple is outraged after finding out their daughter is being claimed as a tax write-off by a total stranger.

Adding insult to injury - the baby is dead. The Whatcom County couple is still grieving.

They contacted the Problem Solvers after the Internal Revenue Service rejected their electronic tax return. Jessica Struthers says she feels violated.

"Because this is our daughter that has passed away," she said, fighting back tears.

Last August, her 21-month-old daughter Ava drowned in the family's above-ground swimming pool in Blaine. The toddler's death made headlines, and left a huge wound for the couple and their two other children.

That wound was torn open when father Matt Bock filed his 2009 taxes - then got a call from the tax preparer.

"My return had been rejected, and that somebody else had claimed my daughter."

Matt says the stranger who claimed Ava didn't just use her social security number - they also used her name and birthdate. But because of privacy laws, Matt could not get any information about the person who used his daughter's private information.

Child I.D. theft cases are turning up across the country. Social security numbers of children, including dead children, continue to be a hidden source of I.D. theft. According to the federal government a shocking number of claims filed for the First Time Home Buyer Tax Credit used social security numbers tied to kids.

Matt and Jessica are left to only guess who stole the identity of their Ava.

"Since she passed away, the only people who have access to her social security number were the hospital, the coroner and I believe the coroner forwarded over the information to the funeral home," said Matt.

Local Radio Host Scammed By Facebook Fraud Reporting

There's an impostor out there and Sharyn Fein of North Dallas is not happy.

"I'm absolutely terrified and I'm very upset."

Someone hacked into Fein's Facebook profile and contacted nearly 50 of her friends.

"I soon discovered that somebody was acting as me. Somebody had been studying who I was and had all my personal information to talk to all of my different friends."

The impostor sent each friend a very convincing message: "I'm in London, I've been robbed and I need your help."

Facebook friend, Mike Rhyner received the message and immediately replied. "Is there anything I can do? She said we don't have any money. Our money and credit cards and cell phone were taken."

Rhyner is co-host of The Hardline on 1310 the Ticket. He says he didn't think twice when he wired his dear friend more than $1,000. "This woman is on my no questions asked list. If she needs something from me, I'm there; period, case closed."

But when serious doubt settled in, the well-known radio host did some checking and discovered his friend was not in London.

"I was grateful because Mike has my back and it's nice to be loved, but I didn't want to come at that great loss. That was a lot of money" says Fein.

Rhyner was able to stop the wire transfer and ultimately got his money back. Fein says she complained to Facebook, but got no results. So the sports talk-show host took to the airwaves to warn his listeners.

LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.

In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.

According to the FTC’s complaint, LifeLock has claimed:

“By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”

“Please know that we are the first company to prevent identity theft from occurring.”

“Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.

The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.

In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:

“Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”

“All stored personal data is electronically encrypted.”

“LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”

The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

The FTC and state settlements with LifeLock bar deceptive claims, and prohibit the company from misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service.” They also bar misrepresentations about the risk of identity theft, and the manner and extent to which LifeLock protects consumers’ personal information. In addition, the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.

The Attorneys General of Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.

In addition to LifeLock, the FTC complaint named co-founders Richard Todd Davis and Robert J. Maynard, Jr., who will be barred from the same misrepresentations as LifeLock.

The Commission vote to authorize staff to file the complaint and the settlement with LifeLock and Richard Todd Davis was 4-0. The Commission vote to authorize staff to file the settlement with Robert J. Maynard, Jr. was 3-1, with Commissioner J. Thomas Rosch dissenting. The documents were filed in the U.S. District Court for the District of Arizona.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and at

Tuesday, March 9, 2010

Energizer USB Charger Software Contains Malware

A USB charger from Energizer uses software that contains a Trojan, according to US-CERT. The software was apparently developed outside the U.S. and may have been giving hackers access to PCs since 2007. An analyst said trust in the Energizer bunny may have led many consumers to install the DUO USB charger malware even with a warning.

Some Windows PC users may hope the Energizer bunny didn't keep going and going. It turns out the Energizer DUO USB battery charger is a vehicle for attacks on PCs, according to the Department of Homeland Security's Computer Emergency Readiness Team.

US-CERT researchers said Friday that the software that installs with the Energizer charger contains a Trojan horse that gives malicious hackers a back door into Windows machines.

"An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user," US-CERT said. "Removing the Energizer USB charger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts."

A Trusted Source

Although the fix seems relatively easy for consumers who are aware they have been infected, the path in was also straightforward. Rob Enderle, principal analyst at the Enderle Group, said consumers were probably not expecting the Energizer software to carry a malicious payload.

"Typically in a Windows 7 or even a Windows Vista install, if you mess around with ports you should get a warning," Enderle said. "Because consumers got the software from a trusted source, chances are you'll bypass the warning and go ahead and install it because you think you are only installing the battery monitor. This is a nasty piece of work."

Enderle questioned the origin of the software, noting that Trojans seem to make their way into programs when the software is developed outside the U.S. Chances are, he said, the software was developed in China or some other foreign country.

Monday, March 8, 2010

Cyberwar declared as China hunts for the West’s intelligence secrets

It is estimated that in the past year the number of attacks on US government agencies rose to 1.6 billion per month. Systems in the EU are even more vulnerable

Urgent warnings have been circulated throughout Nato and the European Union for secret intelligence material to be protected from a recent surge in cyberwar attacks originating in China.

The attacks have also hit government and military institutions in the United States, where analysts said that the West had no effective response and that EU systems were especially vulnerable because most cyber security efforts were left to member states.

Nato diplomatic sources told The Times: “Everyone has been made aware that the Chinese have become very active with cyber-attacks and we’re now getting regular warnings from the office for internal security.” The sources said that the number of attacks had increased significantly over the past 12 months, with China among the most active players.

In the US, an official report released on Friday said the number of attacks on Congress and other government agencies had risen exponentially in the past year to an estimated 1.6 billion every month.

The Chinese cyber-penetration of key offices in both Nato and the EU has led to restrictions in the normal flow of intelligence because there are concerns that secret intelligence reports might be vulnerable.

Sources at the Office for Cyber Security at the Cabinet Office in London, set up last year, said there were two forms of attack: those focusing on disrupting computer systems and others involving “fishing trips” for sensitive information. A special team has been set up at GCHQ, the government communications headquarters in Gloucestershire, to counter the growing cyber-threat affecting intelligence material. The team becomes operational this month.

British and American cyber defences are among the most sophisticated in the world, but “the EU is less competent”, James Lewis, of the Centre for Strategic and International Studies, said. “The porousness of the European institutions makes them a good target for penetration. They are of interest to the Chinese on issues from arms sales and nuclear non-proliferation to Tibet and energy.”

The lack of routine intelligence-sharing between the US and the EU also contributes to the vulnerability of European systems, another analyst said. “Because of Britain’s intelligence-sharing relationship with America our systems have to be up to their standards in a way that some of the European systems don’t,” he explained.

Jonathan Evans, Director-General of MI5, warned in 2007 that several states were actively involved in large-scale cyber-attacks. Although he did not specify which states were involved, security officials have indicated that China now poses the gravest threat. Beijing has denied making such attacks.

Robert Mueller, FBI Director, has warned that, in addition to the danger of foreign states making cyber-attacks, al-Qaeda could in the future pose a similar threat. In a speech to a security conference last week, Mr Mueller said terrorist groups had used the internet to recruit members and to plan attacks, but added: “Terrorists have shown a clear interest in pursuing hacking skills and they will either train their own recruits or hire outsiders with an eye towards combining physical attacks with cyber-attacks.”

He said that a cyber-attack could have the same impact as a “well-placed bomb”. Mr Mueller also accused “nation-state hackers” of seeking out US technology, intelligence, intellectual property and even military weapons and strategies.

To help to fight the growing threat, the Office of Cyber Security, set up last year as part of the Government’s national security strategy, liaises with America’s so-called cyber czar, Howard Schmidt, who was appointed by President Obama to protect sensitive government computers.

British officials said that everyone in sensitive jobs had been warned to be especially cautious about disseminating intelligence and other classified information. Whether British intelligence is involved in retaliatory attacks is never confirmed. However, officials said that there was a significant difference between being part of an information war and indulging in aggressive attacks to disrupt another country’s computer systems.

Dr Lewis said that neither the US nor any of its Western allies had formed an effective response to the Chinese threat, which has its origins in a massive boost to Chinese technology ordered by Deng Xiaoping, the late Chinese leader, in 1986. The West’s own cyber offensives have so far been directed largely at terrorists rather than nation states, giving China virtually free rein to penetrate Western systems with its own world-class hackers and increasingly popular Chinese-made components. “You almost have to admire them,” Dr Lewis said. “They have been very consistent in their goals.”

Facebook messages preceded robberies

Two February Roslyn robberies began with the victims communicating with the same person on Facebook. In both robberies, the victims met Emily Clendening, 19, of the 500 block of Enfield Road, Oreland, on Facebook, and Clendening was present for both crimes, according to Abington police.

The first robbery occurred Feb. 10, around the area of Patane and Edgewood avenues, police said. It began when four friends, Dante Dunbar, Avery Jones, Courtney Blodget and Emily Clendening, lured the victim, whom Clendening met on Facebook, to meet up with the two females.

All four went to meet up with the victim, who was assaulted by Dunbar and Jones, while trying to meet up with Blodget and Clendening, according to police. Dunbar and Jones punched and kicked the victim, according to police. Then they took his cell phone, but left his wallet after finding only $3 in it. The victim identified Dunbar, 21, of the 500 block of King Street, Philadelphia, as they had gone to high school together.

Dunbar, Jones and Blodget were all arrested in connection with the robbery. Dunbar and Jones were both charged with robbery, simple assault, theft by unlawful taking or disposition and receiving stolen property. Blodget was charged with conspiracy for robbery and conspiracy for assault after admitting to police that she knew Jones’ and Dunbar’s “intentions were harmful,” police said.

Police said Clendening was not charged in this robbery, though they did not specify why.

The second robbery, on Feb. 16, happened on the 1200 block of Nolen Road in Roslyn. The victim was told by the same Emily Clendening, whom he told police he met on Facebook, that he could stay with her after he fought with his parents. Police said the victim met with Clendening, who had three males in the car with her, and was told to follow them.

The victim followed the car to Nolen Road, when one of the males got out of the car, showed what appeared to be a semi-automatic gun, knocked the victim to the ground and began kicking him, police said. He then took the victim’s cell phone and $105 in cash.

When speaking to police, the victim used Facebook to identify Clendening.

Serial Sex Offender Admits Using Facebook To Rape And Murder Teen

Peter Chapman, a registered sex offender, was sentenced to life in prison for kidnapping, raping, and murdering Ashleigh Hall, 17, whom Chapman courted and lured to her death using Facebook.

Chapman was arrested in October 2009 for a minor traffic violation and later led police to the body of a girl, Hall, he had kidnapped, raped, and murdered just hours earlier. Police found Hall 'strangled and dumped in a farmer's field near Sedgefield, County Durham,' the Times Online reports.

According to the Telegraph, Chapman, 33, fooled the girl into thinking he was 'Peter Cartwright, or DJ Pete, a 17 year old labourer living in the Stockton on Tees area.'

The Telegraph goes on to report:

[His fake Facebook profile] attracted interest from 14,600 visitors, almost 3,000 becoming online "friends" and all of whom were females ranging from the age of 13 to 31.

He would then attempt to redirect them to private chatrooms where he would invite them to provide sexual explicit details. [sic] [...] Chapman set up two profiles on the Netlog site and there were others on at least nine other sites when he was arrested for killing Ashleigh Hall.

Chapman has been investigated for six violent sexual crimes but convicted only twice.

In 1992, at the age of 15, he was investigated for and, four years later, accused of raping a girl he had befriended. The victim became pregnant, but the charges were dropped.

Four years later, Chapman was accused of assaulting two teenaged prostitutes. He was sentenced to seven years' imprisonment, released in 2001, and arrested again in 2002 for the kidnap and rape of an Ellesmere Port prostitute. The latter case was discontinued.

A UK judge ruled that Chapman must spend at least 35 years in prison before being eligible for release.

Despite Facebook's attempts to safeguard its users from sexual predators, tens of thousands of registered sex offenders have been able to slip through the cracks in security. In 2009, both Facebook and MySpace cracked down on potential predators, but in doing so, they also revealed the weaknesses in their defense measures.

Sunday, March 7, 2010

US agencies need clear cybersecurity roles: GAO report

US government cybersecurity efforts are being hampered by a need to better define the roles of the agencies responsible for defending against cyber threats, a US Congressional watchdog said Friday.

The need for more clearly defined responsibilities for agencies tasked with defending against cyberattacks was one of a number of "challenges" to effective cybersecurity raised in the report by the Government Accountability Office.

The GAO report looked at the Comprehensive National Cybersecurity Initiative (CNCI), which was launched by former US president George W. Bush in 2008 to reduce vulnerabilities and protect federal systems against cyberattack.

In its report, the GAO cited "defining roles and responsibilities" as among the "challenges" to cybersecurity efforts.

"Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies," the GAO said.

Other challenges raised by GAO were "coordinating actions with international entities" and "establishing an appropriate level of transparency."

"The federal government does not have a formal strategy for coordinating outreach to international partners for the purposes of standards setting, law enforcement, and information sharing," the GAO said.

"Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public," the GAO said.

"Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems," it said. AFP

Killer Whale Video Spreading Viruses

Hackers Exploiting Interest In Death Of Sea World Trainer

The IT and security firm Sophos is warning computer users to beware of messages and Web sites that claim to show video or pictures of the death of killer whale trainer Dawn Brancheau.

Hackers have created Web pages stuffed with content that appears to be video footage of the trainer's death, but the sites are actually designed to infect computers.

Brancheau was killed when the 12,000-pound killer whale named Tilikum dragged her into its pool and thrashed the woman to death as audience members watched in horror.

"It's hard to believe that anyone would want to watch video footage of this horrible death, but it's currently one of the very hottest search terms on the Internet," said Sophos Senior Technology Consultant Graham Cluley in a news release.

"These poisoned pages can appear on the very first page of your search engine's results, and if you visit the links you may see pop-up warnings telling you about security issues with your computer. These warnings are fake and designed to trick you into downloading dangerous software or handing over your credit card details," Cluley said.

Scareware and fake anti-virus attacks like this have become an increasingly common weapon. They have been seen following the deaths of several high-profile individuals including Patrick Swayze and Natasha Richardson.

"You could argue that anyone hunting for footage of this horrific accident deserves everything that's coming to them, but the real sick ones here are the hackers who are trying to profit from the death of an innocent woman in a tragic accident," Cluley said.

Microsoft confirms rootkit cause of Windows XP blue screen of death

Microsoft has confirmed that a rootkit is responsible for the blue screen problems currently occurring with Windows XP following a recent update intended to fix a 17-year-old security vulnerability in the virtual DOS machine. According to a post on Microsoft's Security Response Center blog, all of the affected systems were infected with the Alureon rootkit.

The company says that the rootkit made several modifications to the system's behaviour, which caused the systems to become unstable. It also determined that 64-bit systems are not affected.

SunbeltLabs detects surge in trojans during February

Sunbelt Software's list of top malware infections seen during February claims to show that there was a sizeable surge in trojans during the month.

Compiling data from its VIPRE anti-malware software and CounterSpy, its anti-spyware application, SunBelt Labs, the firm's research arm, reported that eight of the top 10 types of malware seen during February were trojan horse programs.

New entries in the top 10 during the month were Trojan.Win32.Generic.pak!cobra, a rootkit infection; Trojan-Spy.Win32.Zbot.gen, a password-stealing trojan; and Trojan.Win32.Agent, a fake Windows service application which modifies users' PC system settings.

According to Sunbelt, there was also a surge in scareware or rogue security products.

Their continued prominence in the top 10 is also due in part to interest in sporting events such as the Winter Olympics, which has encouraged many to visit untrusted websites in search of live video from the various events at the Winter Games.

This surge in traffic to untrusted and potentially malicious websites has, says the IT security vendor, generated higher incidences of scareware, as well as conventional malware threats.

The rogues, once downloaded, present a fake malware scan of a victim's computer then display false warnings that the machine is infected. The malware then urges the user to purchase rogue security software on the promise that it will disinfect their PC, when in fact it does nothing or further infects the target computer.

Tom Kelchner, Sunbelt's research centre manager, said that, along with trojans and bot-installing malware, the spectrum of malware threats out there continues to be quite broad.

"The old standards continue to circulate online and gain increased penetration whenever Internet use peaks, as with events such as the recent Winter Olympics", he said.

"Adware and its associated malcode bundlers, downloaders and installers don't make the news much anymore, but collectively they make up 10% of our ThreatTrack detections", he added.

According to Kelchner, during the month of February, ThreatTrack tabulated over 1,100 discrete adware threats.

The trend of scareware will, says Sunbelt, increase as the world heads towards the 2010 World Cup in June. infosecurity

Friday, March 5, 2010

US agencies need clear cybersecurity roles

The GAO report looked at the Comprehensive National Cybersecurity Initiative (CNCI), which was launched by former US president George W. Bush in 2008 to reduce vulnerabilities and protect federal systems against cyber attack.

In its report, the GAO cited "defining roles and responsibilities" as among the "challenges" to cybersecurity efforts.

"Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies," the GAO said.

Other challenges raised by GAO were "coordinating actions with international entities" and "establishing an appropriate level of transparency."

"The federal government does not have a formal strategy for coordinating outreach to international partners for the purposes of standards setting, law enforcement, and information sharing," the GAO said.

"Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public," the GAO said.

"Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems," it said.

The White House took issue with the GAO's conclusion that the roles of the various agencies tasked with cybersecurity were not well defined.

In a letter to the director of the GAO, Chief Information Officer Vivek Kundra said "the roles and responsibilities of agencies participating in the CNCI are clearly defined."

Kundra also pointed out that President Barack Obama had made cybersecurity a top priority of his administration, had conducted a 60-day cybersecurity review and had appointed an overall cybersecurity coordinator in December.

FBI director warns of growing cyber threat

Militant groups, foreign states and criminal organizations pose a growing threat to U.S. security as they target government and private computer networks, FBI Director Robert Mueller said on Thursday.

In a speech to an Internet security conference, Mueller said militant groups like al Qaeda had primarily used the Internet to recruit members and plan attacks, but had made clear they also see it as a target.

"Terrorists have shown a clear interest in pursuing hacking skills and they will either train their own recruits or hire outsiders with an eye toward combining physical attacks with cyber attacks," Mueller said.

He noted a cyberattack could have the same impact as a "well-placed bomb."

Mueller added that some foreign governments, which he did not identify, also posed a threat by seeking to use the Internet for espionage.

"Apart from the terrorist threat, nation-states may use the Internet as a means of attack for political ends," he said.

"Nation-state hackers or mercenaries for hire" as well as rogue hackers or international criminal syndicates are targeting government networks, Mueller added.

"They seek our technology, our intelligence, our intellectual property, even our military weapons and strategies."

The comments came in the wake of several international Internet security incidents.

In January, Google Inc (GOOG.O), the world's No. 1 Internet search engine, said it had detected a sophisticated online attack on its systems that originated in China and said it believed at least 20 other companies had been targeted.

According to Google, one of the primary goals of the attacks was accessing the personal e-mail accounts of Chinese human rights activists.

Earlier this week, Spanish police arrested three men accused of masterminding one of the largest computer crimes to date, in which more than 13 million PCs were infected with a virus that stole credit card numbers and data.

Threat of Cyber Terrorism ‘Real and Expanding’ says FBI Director Mueller

The threat from terrorists using cyberspace as another attack vector is growing, according to FBI Director Robert Mueller. “The FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real, and it is rapidly expanding,” he said.

Mueller stated that, while large scale cyber attacks by terrorists which destroy a network have not yet occurred, terrorists “have executed numerous denial-of-service attacks. And they have defaced numerous websites, including Congress’ website following President Obama’s State of the Union speech.”

The terrorist presence on the web has continued to grow in the past decade, with terrorists utilizing the Internet for recruitment, training grassroots terrorists and disseminating propaganda.

Thursday, March 4, 2010

NATO chief says enemy might be 'everywhere' in cyberspace

NATO must be ready to address the security threats posed by potential enemies in cyberspace, the secretary general of the western military alliance, Anders Fogh Rasmussen, said Thursday.

"Several actors on the international scene are quite interested in what is going on in NATO, and they also use cyberspace to achieve their goals," Rasmussen told reporters at a crisis management seminar in Helsinki.

While the territorial defence of its 28 member states and their populations remained NATO's core function, it was not enough to "line up soldiers and tanks and military equipment along the borders," Rasmussen said.

We "really have to address the threat at its roots, and it might be in cyber space," he said, adding that an "enemy might appear everywhere in cyberspace".

NATO is currently updating its Strategic Concept to reflect changes in the emphasis of global security challenges -- including terrorism, energy supplies and climate change -- since the last revision in 1999.