Archive for October, 2009

Junior Staffer Leaks House Documents On P2P

October 31, 2009

Would you prefer a diligent government employee or a security-minded one?  I would prefer one that’s both, but if I had to choose, I think I’d go with the security-oriented one.  According to the Washington Post, a junior staffer was behind a government document leak:

The 22-page “Committee on Standards Weekly Summary Report” gives brief summaries of ethics panel investigations of the conduct of 19 lawmakers and a few staff members. It also outlines the work of the new Office of Congressional Ethics, a quasi-independent body that initiates investigations and provides recommendations to the ethics committee. The document indicated that the office was reviewing the activities of 14 other lawmakers. Some were under review by both ethics bodies.

So, did the junior staffer do this on purpose?  No.  At least, it doesn’t sound like it.

P2P software to blame

Apparently, the staffer took the documents home to work on them.  But he also had P2P software installed on his home computer.  Once he had saved the documents to his computer, they were available to anyone on the file-sharing network.

Those familiar with P2P networking software will ask “why did the guy put these documents in a folder shared with the entire network?”

There is plenty of P2P software out there that will, by default, share any documents found on the computer (it’s a matter of configuring the software…but many people forget to do that when searching for free movies). Apparently, this is not true anymore, with most P2P applications not sharing all contents by default.  This is a far cry from when I dabbled with file-sharing software…almost 5 years ago.  I decided at the time it wasn’t worth it because of all the trojans floating around…

Of course, this still doesn’t excuse the junior staffer.  Taking sensitive files home to work on them?  What was he thinking?

Update: apparently, it was a she:

…she told committee leaders she had saved a copy of the investigation summary to her personal computer without realizing it, a congressional source said, speaking on the condition of anonymity because of the sensitivity of the matter. The file was stored in a part of her computer files where peer-to-peer file-sharing software could operate, but she told the leaders that she did not realize that it was actively running.

Keeping Passwords Private

October 30, 2009

Here’s a very interesting story on insider trading:

It was also big enough to alert authorities to Grmovsek’s and Cornblum’s audacious 46-deal, 14-year insider trading scheme — Canada’s largest ever. Over that span, they netted more than $9 million, according to Canada’s securities regulator.

The scheme came to light less than two weeks after the biggest hedge fund insider trading case in history, involving the Galleon Group as well as executives at several blue chip U.S. firms.

One of the ways the duo got advance notice of M&As was by getting access to computers using passwords handed out to the word processing department.

The sharing of passwords seems to be playing a big role when it comes to big-time fraud.  Société Générale, for example.

You want to keep those private.  I don’t know that I agree that they should be changed every 6 months and made as long and as incomprehensible as possible (it works in theory, never in practice), but they really shouldn’t be shared.  At all.

Canada Passes Tougher ID Theft Law

October 30, 2009

The Canadian federal government has passed new legislation to toughen up its ID theft laws.  Bill S-4 makes the following illegal, and tacks on prison sentences of up to 5 years:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime.
  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information.
  • Unlawfully possessing or trafficking in government-issued identity documents that contain the information of another person.

Furthermore, the apprehended and convicted can be ordered to pay restitution.

However, many seem to be wondering how effective it will be.  Among the oft-repeated questions by commentators:

  • Why did it take so long to pass something like the above?
  • Will it actually help?  How’s it supposed to “prevent” ID theft, like so many politicians seem to be claiming?
  • Just enforce the ones you have in place already!

Of course, no law prevents crime from happening.  The way it works is, you pass a law making something illegal; someone breaks the law and is convicted for it; people take notice and decide not to break the law.  And in that sense, it’s prevention (show me a country where the law actually works to actively prevent illegal doings, and I’ll show you a country with the Stasi-spirit in place).

Breach In Spain, Credit Card Issued Again in Finland

October 30, 2009

It is a sign of the interconnected world we live in.  A credit card breach revealed in Spain is forcing banks in Finland to re-issue credit cards.

Details of the breach are still sketchy, but according to the linked article:

  • The large volume of cards affected may mean “the criminals have managed to gain access to payment processing data”
  • Nearly 10,000 customers of The OP Bank Group were affected, with one thousand cards re-issued
  • Handelsbanken, Sampo Bank, and Ålandsbanken are also re-issuing cards

It’s noted that such breaches happen “nearly on a weekly basis,” but that this latest episode is one of the largest in European history.

Opinion

What can I say?  There’s nothing inherently wrong with the statement that such things happen on a weekly basis.  And by “nothing inherently wrong” I mean that it doesn’t fall far from the truth.  Interestingly enough, you normally can’t get banks to admit to it.

They’ll usually point towards their latest data security installations, data loss prevention (DLP) solutions, encrypted data, etc., and state how they’re sure they can avert any attacks.  Those Scandinavians…they’re too honest.

RBN Bribed Russian Police

October 28, 2009

According to ZDNet UK, the Russian Business Network bribed local police.

The RBN, if you’re not familiar, is a criminal, virtual ISP.  They’re the guys who provide the infrastructure to blackhat hackers and on-line pedophiles.  Because they’re virtual (they supposedly use hacked servers to provide this infrastructure), they’ve never been caught.  And, even if someone manages to shut them down, they spring up somewhere else.

If ZDNet’s reporting is correct, now we can see why RBN was so successful in evading capture.  There’s no reason to doubt the reporting, though, seeing how it was the Serious Organised Crime Agency (SOCA) that directly experienced the results of the palm-greasing.

SOCA found that local police kept hindering their investigation.

Top Scams Of 2000s According To Shrink

October 28, 2009

I happened on this post from Bill Shrink.  According to him, these are the top 12 scams of the 2000s (I’m guessing he means 2001-2009?  ’Cause the other interpretation is that he’s referring to the 21st century…and there’s a good deal of time left on that one).

Anyhow, according to him, these are the top 12:

  1. Nigerian 401 scams
  2. Impostor bank websites
  3. PayPal hoaxes
  4. Work from home (just buy our instructional package!)
  5. Postal forwarding / reshipping (works with the 401 scams)
  6. You won a free (whatever) ads
  7. Auction fraud
  8. Spyware
  9. Advance fees for pre-approved credit cards
  10. Lottery scams
  11. Disaster relief scams and other donation-based scams
  12. Travel scams

When you take a look at these, you’ll notice that all of them involve the internet in one way or another.

Gizmodo Spreading Around Malware?

October 28, 2009

Blame it on Macs and Linux. Gizmodo, a site I frequent quite often, has announced and apologized for spreading “malvertisement”: malware that infects users’ computers via ad space.

Guys, I’m really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam. It’s taken care of now, and only a few people should have been affected, but this isn’t something we take lightly as writers, editors and tech geeks. (And we would have noticed sooner except everyone on staff is on OS X or Linux for production machines.) Everything should be cleared up but you should be checking “qegasysguard.exe” if you’re experiencing random popups. Be careful, load up some antivirus and make sure your system is clean. I’m sorry.

Well, I guess I can’t blame them, really.  I mean, they decided to use either the most expensive stuff or the cheapest stuff–but either way, they’re safer than Windows boxes because most malware is written for the OS with the largest distribution.

24601: UK Criminal Records Held For 100 Years, No Matter How Minor

October 27, 2009

What A Novel And The UK’s Justice System Have In Common (Opinion)

One of the greatest novels of the 19th century, if not the greatest, begins with a convict being released from prison.  Having served a 19-year sentence–five for stealing a loaf of bread and another fourteen for attempts at escape–he is required to carry a “passport” identifying him as a convict.  This man is, of course, Jean Valjean, and he is the central protagonist of Les Misérables.

The story of his fall and rise (and not the other way around, for in truth he never fell, but started from the bottom) would not have been possible if he had not committed an additional crime upon his release.

I’m not referring to the theft of silverware from the Bishop of Digne, or the theft of a coin from a child.  I’m referring to his crime of hiding his past as a convict.  Otherwise, it is doubtful that Valjean could have become a wealthy factory owner and mayor (yes, I stand accused of mixing fact and fiction.  A novel can take whatever twists and turns the author feels like making).  For who is willing to give a criminal a second chance?  Not many.

I imagine many, if not most, would share my belief that Valjean would have been relegated to a life of crime if he had remained “honest” and openly acknowledged his past.  How many of us are willing to take in a criminal as a colleague or neighbor, one that has spent nearly twenty years in the slammer?  Would the original theft, a loaf of bread, make a difference on how we perceive him?  Or would we be more afraid of how he was hardened while “institutionalized”?

Would we still point self-righteous fingers at someone who stole a loaf of bread?

The UK Law Would

Apparently, the answer is “yes, we’d love to” when it comes to the UK judicial system.  The chief constables of the Humberside, Staffordshire, Northumbria, West Midlands, and Greater Manchester police forces have appealed–and won–against a ruling that would delete criminal conviction records in their databases.

According to the justices that ruled on the matter,

“If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter,” said Lord Justice Waller, sitting with Lord Justices Carnwath and Hughes.

But then, what else would the police say?  I’m not an imbecile–I do realize that, when it comes to people, past history can be a very good indicator of future actions.  But, even if it were not, would the police admit to it?  Then they’d be in a tight situation where they’d have to explain their database.  Nobody wants to be accused of being a modern-day Stasi.

Getting A Job

I’d like to comment on a couple of things:

Ian Readhead, Acpo director of information, told the BBC: “This data assists police officers in their work in preventing crime and protecting the public and the loss of such valuable information would have been detrimental to that.

Also,

The police added if the original ruling had been upheld, the result would have been a “liars’ charter” – where people would be able to deny criminal convictions on job applications if they knew the deletion deadline had passed.

I’d say that’s the point.  If you stole a loaf of bread fifteen years ago…is that so important?

Because, as far as I can tell, if you check “yes” on a job application to the question, “have you ever been criminally convicted,” you will be denied an interview.  The “bread” usually does not factor in.

Furthermore, take into consideration that a lot of hiring processes take this information on-line.  Do you really think that the job application filters in place will separate the bread stealers from rapists and kidnappers?

The assumption is, of course, that this doesn’t happen anymore.  Think again.

The original ruling came about after five people complained to the information commissioner because their criminal records showed up when they applied for jobs.

One of the cases was a record held by Humberside Police about the theft of a 99p packet of meat in 1984. The person involved, who was under 18 at the time, was fined £15.

Another, held by West Midlands Police, referred to a theft which took place more than 25 years ago, for which the individual was fined £25.

And a third, held by Staffordshire Police, related to someone under 14 who was cautioned for a minor assault.

Under current policy, criminal records remain on the police national computer for up to 100 years.

What are the chances these people will at some point revert to crime–and not minor ones at that–because they could not get a decent job? I guess the police would be more right than ever, that even the smallest crimes lead to more crimes, no matter how old. Talk about ills begetting ills…

Hackers Penetrate Guardian Jobs Site

October 26, 2009

Guardian Jobs, a UK jobs site, was hacked last Friday.  Its sister site in the US was not affected, since its data is held on a separate server (both operations are independent of each other).

The data breached will affect anyone who has created a job application at the site.

This hack is reminiscent of other similar hacks involving US companies, including monster.com and hotjobs.com.  In fact, there were several different hacking attempts on such sites, including phishing attempts–where the phishers pretended to be reps of monster.com, for example–which involved trojan horses.

The trojan horses would install keystroke loggers, and the phisher/hackers would gain usernames and passwords in this manner.  It was something of a vicious circle, where each wave of hacks would increase the fea

Source: The Next Web [Link]

Hacker Identifies Himself To Kaspersky

October 25, 2009

Hm.  Maybe blackhats are born, not bred.  A whitehat-turned-blackhat hacker identified himself to Kaspersky labs.

The Kaspersky team looked into an AV (antivirus) tracker website–catering to malware writers–as well as a spy program it was spreading around.  The team was contacted by the owner of the dubious site.  He revealed his identity in his e-mail, and demanded €2,000 as remuneration…god knows for what.

Kaspersky did their research on the guy (not just relying on the e-mail) and handed the results of their investigation to their lawyer.

I’m no hacker, but it seems that rule #1 of being a blackhat should be similar to rule #1 of Fight Club: You do not talk about it.
