Archive for the ‘Cybercrime Trends’ Category

I got two spam messages today that I just have to share. (example 1 and example 2) They are such blatant examples of the Nigerian 419 scams that I laughed out loud.

Sadly, the answer is “yes”, these scams do still work. The FBI continues to report hundreds of millions of dollars in losses to these frauds each year. Some are this blatant but some are quite a bit more subtle. Variant scams target non-profits. One recent wave alleged that the charity was the beneficiary in an unnamed donor’s will. A surprising number of charities let blind hope get in the way of common sense. Wikipedia has an extensive list of the variants.

So what can you do about it? Some people retaliate. There are whole organizations dedicated to wasting the scammers’ time. They respond with equally false stories about how they are “excited to be notified about the windfall” but because of a religious tenet, need a picture of you (the scammer) “in white robes balancing a loaf of bread on your head while holding a fish under each arm” before they can send the money. Here is one group that collects and publishes the ‘trophy’ pictures of scammed scammers.

While it’s emotionally satisfying to think about retaliation, I strongly recommend that you just delete them. I also encourage you to think about friends and family who might not be as aware of these scams as you are. Do you have a dependent elder who is more trusting than he/she should be? Do you have a friend or co-worker who is a great person but a bit gullible? Send them copies of these scams so they learn what to look for. Help them set up the spam filters and other computer protections. These scams are amazingly profitable. They will continue as long as we continue to fall for them.

Some background: The broader name for this kind of scam is the “advance-fee fraud”. Following the collapse of the Nigerian economy in the 1980s, a large portion of the educated and computer-savvy population were unable to find gainful employment and turned their skills to crime in order to feed their families. The preponderance of such scam emails coming from Nigeria’s 419 area code led to the current name, even though the same scam has also been found originating from England, Spain, Ireland, the USA, Canada, the Netherlands, Australia, etc. An older version of this scam was carried out by regular mail in the early 1900s under the Spanish Prisoner name.

Cybercrime is no longer the realm of pimply-faced pizza-eating nerds and computer wizards. If you need proof, read this article about a recent breach notice from Lexis/Nexis where they describe the connections to an old-school mafia family.

Why are they doing it? Because it works. Hacking, phishing and identity theft make money and lots of it. Don’t let yourself become a victim.

Online scams are up sharply since the start of the latest recession. According to MarkMonitor, phishes in Q1 2009 are up 36 percent over the same quarter of 2008. The current trend is toward mortgage refinancing traps and phony get-rich-quick investments.

At the same time, the quality of the scams is dramatically better than in years past. Fraudulent “advertising” sites look just like the real sites. They pepper their pages with trusted financial, TV and/or newspaper brands to give the impression of legitimacy. Some even include encryption to give a greater appearance of legitimacy.

There is also a new trend to use social media to find and con victims. Something that looks like a blog can still be a scam: if the author is bragging about how much money they made and links to a “home business kit”, it’s a scam. Beware of any offer that asks you for personal information up front.

MarkMonitor also reports a huge increase in suspicious domain registrations, especially domains including the keywords “foreclosure”, “mortgage”, “refinance” and “unemployed”. These keywords are being combined with legitimate company names or domains to create fraudulent clone sites. And while most phishes are still targeted against large companies, an ever-increasing number are exploiting the trust and brand of small businesses. (This is especially true if your legitimate site accepts payments over the web. Payment-services fraud is up 285 percent over last year.)
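As an added illustration of how a small business might watch for the clone-site pattern just described (this is example code written for this page, not something from the post or from MarkMonitor), the script below scans a constructed sample of newly registered domains for names that embed a protected brand together with the keywords listed above. The brand names, the registration feed and the digit-for-letter look-alike map are assumptions; a real check would run against a registrar or zone-file feed and use the public suffix list.

```python
"""Flag newly registered domains that combine a protected brand with one of the
keywords the post names, as an added illustration of the clone-site pattern.
Brand names, the registration feed and the look-alike map are constructed."""

# Keywords the post reports being combined with legitimate brand names
SCAM_KEYWORDS = ("foreclosure", "mortgage", "refinance", "unemployed")

# Hypothetical brands a business wants to watch (assumption, not from the page)
PROTECTED_BRANDS = ("examplebank", "acmecredit")

# Constructed sample of one day's new registrations (not real domains)
SAMPLE_FEED = """\
examplebank.com
examplebank-refinance.net
acme-credit-mortgage-help.org
weatherforecast.info
refinance-examplebank-now.com
acmecredit.com
unemployed-benefits-examp1ebank.biz
"""

# Digits commonly swapped for letters in look-alike names (assumed map)
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_label(domain: str) -> str:
    """Lower-case the domain and drop its last label. Simplified: a real
    check would use the public suffix list so that 'co.uk' is handled."""
    return domain.strip().lower().rsplit(".", 1)[0]


def normalize(label: str) -> str:
    """Remove separators and undo digit-for-letter swaps so that
    'acme-credit' and 'examp1ebank' still match their brands."""
    return label.replace("-", "").replace("_", "").translate(LOOKALIKES)


def flag_brandjacking(feed: str, brands=PROTECTED_BRANDS, keywords=SCAM_KEYWORDS):
    """Return one finding per domain that embeds a brand but is not the brand's
    own domain. 'keywords' lists which of the scam terms also appear; an empty
    list still deserves a look, since the brand alone is being reused."""
    findings = []
    for line in feed.splitlines():
        domain = line.strip()
        if not domain:
            continue
        label = normalize(registrable_label(domain))
        for brand in brands:
            if brand in label and label != brand:
                findings.append({
                    "domain": domain,
                    "brand": brand,
                    "keywords": [k for k in keywords if k in label],
                })
    return findings


if __name__ == "__main__":
    for f in flag_brandjacking(SAMPLE_FEED):
        print(f["domain"], "->", f["brand"], f["keywords"])
```

The exact brand domain is skipped on the assumption that it is the legitimate site; everything else that embeds the brand is reported, with the scam keywords it contains, so the domains combining a brand with “mortgage” or “refinance” surface first in a review.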

Be on the watch for scams. And help your customers watch, too. In this economy, you have a right to be a little bit paranoid about offers that look too good to be true.

To read more, download MarkMonitor’s whitepaper on “brandjacking” at markmonitor.com.

According to the latest study from the Ponemon Institute, 88% of all breaches in 2008 were the result of negligent insiders.

That’s not to say that our employees are malicious – most are basically good people. But you didn’t hire them to be security experts. The care and justifiable suspicion needed to detect and deflect data breaches do not come naturally to most people. They need constant reminding of the importance of security and of the tactics to protect your customers’ data.

According to the Ponemon report, here are the top risks your staff take with your data:

Not protecting personal equipment. Stolen laptops and other portable media accounted for 20% of all reported breaches. Make sure that your team understands that they are personally responsible for the device and the data on it.
You can also reduce your exposure to lost equipment through whole-disk encryption or by restricting or segmenting the data on the laptop such that customer names cannot be tied to identifiers such as SSN or credit card number.
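One way to apply that segmentation advice, added here as an example rather than anything from the post or the Ponemon report: keep the names on the portable copy, keep the SSNs and card numbers in a server-side store, and join the two only by a random token. The record layout, the sample people and the vault layout are constructed for the example; the `contains_identifiers` gate is a hypothetical check to run before a dataset is copied onto a laptop.

```python
"""Separate customer names from the identifiers that make a lost laptop a breach,
as an added example of the segmentation advice above. The record layout, the
sample people and the vault layout are constructed, not from the post."""
import re
import secrets

# Constructed sample records (fictional names and numbers)
CUSTOMERS = [
    {"name": "Ada Example", "ssn": "000-00-0001", "card": "4111111111111111"},
    {"name": "Bo Sample", "ssn": "000-00-0002", "card": "5555555555554444"},
]

# Patterns for the identifiers the post says must not be tied to a name
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")


def split_records(records):
    """Return (portable, vault).

    'portable' is the set a laptop may carry: names, a random token and a
    masked card. 'vault' maps token -> identifiers and stays on the protected
    server, so neither half on its own ties a name to an SSN or card number."""
    portable, vault = [], {}
    for rec in records:
        token = secrets.token_hex(16)  # random, so it reveals nothing about the SSN
        portable.append({"name": rec["name"], "token": token,
                         "card_last4": rec["card"][-4:]})
        vault[token] = {"ssn": rec["ssn"], "card": rec["card"]}
    return portable, vault


def resolve(portable, vault, name):
    """Re-join a name with its identifiers; needs vault access, i.e. the server."""
    for row in portable:
        if row["name"] == name:
            return vault[row["token"]]
    return None


def contains_identifiers(rows):
    """Gate to run before copying a dataset to portable equipment: True if any
    field value looks like an SSN or a full card number."""
    for row in rows:
        for value in row.values():
            if isinstance(value, str) and (SSN_RE.search(value) or CARD_RE.search(value)):
                return True
    return False


if __name__ == "__main__":
    portable, vault = split_records(CUSTOMERS)
    print("portable copy safe to carry:", not contains_identifiers(portable))
    print("resolved on the server:", resolve(portable, vault, "Ada Example"))
```

A stolen laptop then yields names and opaque tokens, which is a lost asset rather than a reportable loss of identifiers; the tokens are random rather than derived from the SSN, so they cannot be reversed or guessed offline.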

Trusting insiders too much. While most people are basically good, every company has its share of disgruntled staff. Insider theft is relatively rare but tends to be very severe when it happens. Pay attention to changes in behavior or attitude. Most insiders showed clear signs of their dissatisfaction well before beginning their crimes. Watch for unusually heavy use of your databases or other information systems.
Minimize your exposure by setting role-based permissions for your team members based on their business need for the application or data. If they need it for their job, great – if not, take it away. That’s less risk for both of you.
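An added example (not from the post or the Ponemon report) of the two checks just described, run over a constructed database audit log: flag a user whose daily volume jumps well above their own history, and flag access to tables that the user’s role does not need. The log format, the users, the roles and the table names are all assumptions made for the example.

```python
"""Review a database audit log for two insider warning signs named in the post:
unusually heavy use relative to a user's own history, and access to tables
outside the user's role. Log format, users, roles and tables are constructed."""
from collections import defaultdict
from statistics import mean

# Hypothetical role assignments and the tables each role needs for its job
USER_ROLES = {"alice": "sales", "bob": "support"}
ROLE_TABLES = {
    "sales": {"customers", "orders"},
    "support": {"tickets", "customers"},
}

# Constructed audit log: date user table rows_returned (not from any real system)
AUDIT_LOG = """\
2009-03-02 alice customers 120
2009-03-03 alice orders 140
2009-03-04 alice customers 110
2009-03-05 alice orders 130
2009-03-06 alice customers 8200
2009-03-02 bob tickets 400
2009-03-03 bob tickets 380
2009-03-04 bob customers 410
2009-03-05 bob tickets 390
2009-03-06 bob payroll 35
"""


def parse_log(text):
    """Return a list of (date, user, table, rows) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, table, rows = line.split()
        records.append((date, user, table, int(rows)))
    return records


def daily_totals(records):
    """Sum rows per user per day; returns {user: [(date, rows), ...]} sorted by date."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, _table, rows in records:
        totals[user][date] += rows
    return {user: sorted(days.items()) for user, days in totals.items()}


def flag_heavy_users(records, factor=5.0):
    """Flag users whose latest day exceeds 'factor' times the mean of their
    earlier days. Using each user's own history as the baseline means a
    report writer who always pulls large result sets is not flagged for it."""
    flagged = {}
    for user, days in daily_totals(records).items():
        if len(days) < 2:
            continue  # no history to compare against yet
        baseline = mean(rows for _date, rows in days[:-1])
        last_date, last_rows = days[-1]
        if last_rows > factor * baseline:
            flagged[user] = (last_date, last_rows, baseline)
    return flagged


def flag_out_of_role(records):
    """List accesses to tables the user's role does not need (least-privilege check)."""
    hits = []
    for date, user, table, _rows in records:
        allowed = ROLE_TABLES.get(USER_ROLES.get(user), set())
        if table not in allowed:
            hits.append((date, user, table))
    return hits


def review(text=AUDIT_LOG):
    """Run both checks and return their findings together."""
    records = parse_log(text)
    return {"heavy": flag_heavy_users(records), "out_of_role": flag_out_of_role(records)}


if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind, findings)
```

The out-of-role list is also the input to the “take it away” step: every table that shows up there is either a permission that should be removed or a role definition that needs updating, and either way it is a conversation worth having before it becomes a breach.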

Bypassing your security controls in the name of efficiency. The next largest category of breaches is the result of well-meaning insiders who are trying to improve the company but who don’t understand the implications of the change they are making. The store manager at TJ Maxx who installed his own wireless router is a classic example. He thought he was increasing the flexibility of his operations. His poor security configuration, however, exposed the company’s entire network to any hacker with a wireless laptop in the parking lot.
Never let anyone but your designated IT staff install equipment or make changes to your systems. And have their changes regularly tested.

Bypassing your security controls in the mistaken belief that it’s their computer. It’s not. It’s the company’s computer. Have a firm policy that they cannot install peer-to-peer or other high-risk software on the computer. Incidental personal use may be okay. Installing software is not.

Not watching your vendors as closely as you watch yourselves. According to the study, you should be watching your vendors far more closely. Breaches by outsourcers, contractors, consultants and business partners accounted for 44% of all breaches reported in 2008. Statistically, they were also more expensive, costing the company 35% more in direct and indirect costs than an equivalent breach of the company’s own systems. Vet your vendors carefully and set clear expectations on your security needs. Then follow up and check on their security practices. Conduct your own audits and ensure their compliance.

There’s a lot more in the Ponemon study worth reading. This is their fourth annual study of the costs of a data breach and the trends are enlightening. You can download a copy at encryptionreports.com.

If the Heartland story wasn’t depressing enough, the Veterans Administration just announced their settlement of a class-action lawsuit stemming from that lost laptop back in 2006. If you remember the case, a VA data analyst lost a laptop and external drive when his house was broken into. The device contained the names, birth dates and SSNs of over 25 million veterans. The laptop was later recovered intact by the FBI and a forensic analysis of the laptop and drive confirmed that no data was compromised.

That didn’t stop the lawsuits, though. Five groups claiming to represent the affected veterans filed suit asking for $1000 per person.

After three years in court, the VA agreed to pay $20 million into a fund which will pay out $75 to $1500 to any veteran who can “show harm from the data theft”. Any money left over will go to “veterans’ charities agreed to by the parties”. The judge still has to approve the settlement, but at this point that appears to be a formality.

The kicker here is that the veteran must show harm. Since the laptop was recovered intact and no data was compromised, I don’t see how anyone can make that claim in good faith. Maybe some people overreacted and canceled credit cards or paid for unnecessary monitoring services but I don’t see how that counts as harm. I didn’t cancel my credit cards when I got my notice from the VA. I don’t see why my tax dollars should pay for their overreaction. The payout is also available to anyone who “found themselves in extreme emotional distress” as a result of the breach. Again, this is a claim that I don’t see how anyone can make in good faith.

The only people who I see making money from this are the lawyers. I haven’t seen anything definitive yet on their take but one unofficial report estimates it at $5.5 million. Regardless of the amount, it’s going to come from your tax dollars.

This breach should never have occurred. But it did and the people responsible have already been fired. So were lots of other people at the VA. Congress held intrusive hearings and policies have been rewritten. For a non-breach, this breach has already been expensive enough. The settlement closes out the VA’s legal liability and admittedly, $20 million is less than the $25 billion that the suit originally sought but I just can’t convince myself that this outcome will be best for society.