Friday, September 30, 2011

Theresa May loses her diary: It reveals police meetings and, er, a booking to open a furniture shop

Home Secretary Theresa May was left red-faced after her personal engagements diary was left at a concert hall.

The document contained a print-out of her weekly engagements and included mobile phone numbers, details of meetings with top police officers, and even records of her gym visits.

Scotland Yard was yesterday investigating the blunder, although Home Office officials insisted that the incident was an embarrassment rather than a security breach.

The five-page A4 document is circulated every week to officials and detectives.

Loss: Home Secretary Theresa May and Scotland's First Minister Alex Salmond, centre, at the police memorial event in Glasgow where her diary was lost


It was reportedly mislaid by a member of Mrs May’s protection team at Glasgow’s Concert Halls on Sunday, where the Home Secretary had attended a National Police Memorial Day to honour fallen officers.

According to the diary, she was set to meet Keith Bristow, chief constable of Warwickshire, to discuss the role of head of the National Crime Agency.

 

Other events included the opening of a furniture repair shop called Chissock Woodcraft, near Reading, and a charity cabaret evening at Wentworth Golf Club. 

Keith Vaz, Labour chairman of the Home Affairs Select Committee, said: ‘It’s serious that someone with the security importance of the Home Secretary should have her security compromised in this way. It is very disappointing that this has happened.’

Embarrassment: The lost diary belonged to Mrs May, tasked with the nation's domestic security


Shadow home affairs minister Vernon Coaker added: ‘We’ve been warning for some time that you can’t trust Theresa May with public safety and security. 

‘This just confirms our worries. She needs to get a grip – not just on her diary, but also her brief.’

The diary – which had the words ‘News of the World’ scribbled in black pen on its front page – was passed to Police Review magazine, which returned it to the Home Office. 

A Scotland Yard spokesman said: ‘We are aware that a document was misplaced and are looking into the circumstances of how this occurred. Security was not compromised.

'Following an investigation, and as part of the MPS misconduct process, an officer has been subject to local management action. The officer has not been suspended.'

Britain’s biggest data security breach occurred in 2007, when two discs containing all 25million child benefit records were lost in the Government’s internal postal system.

The diary also revealed a lunch in Glasgow with Police Minister Nick Herbert last Sunday after talks with Strathclyde Police about gang warfare.

Wednesday, September 28, 2011

'We didn't mean to track you' says Facebook as social network giant admits to 'bugs' in new privacy row

Facebook has admitted that it has been watching the web pages its members visit – even when they have logged out.

In its latest privacy blunder, the social networking site was forced to confirm that it has been constantly tracking its 750million users, even when they are using other sites.

The social networking giant says the huge privacy breach was simply a mistake - that software automatically downloaded to users' computers when they logged in to Facebook 'inadvertently' sent information to the company, whether or not they were logged in at the time.

Most would assume that Facebook stops monitoring them after they leave its site, but technology bloggers discovered this was not the case.

In fact, data has been regularly sent back to the social network’s servers – data that could be worth billions when creating 'targeted' advertising based on the sites users visit.

The website’s practices were exposed by Australian technology blogger Nik Cubrilovic and have provoked a furious response across the internet.

Facebook claims to have 'fixed' the issue - and 'thanked' Mr Cubrilovic for pointing it out - while simultaneously claiming that it wasn't really an issue in the first place.

Mr Cubrilovic found that when you sign up to Facebook it automatically puts files known as ‘cookies’ on your computer which monitor your browsing history.

This is still the case. But Facebook claims the cookies no longer send information while you are logged out of its site. If you are logged in to Facebook, the cookies will still send the information, and they remain on your computer unless you manually delete them.

Monitoring all: Facebook founder and chief executive, Mark Zuckerberg


They send Facebook your IP address - the 'unique identifier' address of your PC - and information on whether you have visited millions of websites: anything with a Facebook ‘like’ or ‘recommend’ button on it.

'We place cookies on the computer of the user,' said a Facebook spokesperson - and admitted that some Facebook cookies send back the address of users' PCs and sites they had visited, even while logged out.

'Three of these cookies inadvertently included unique identifiers when the user had logged out of Facebook. We did not store these for logged out users. We could not have used this information.'

However, the site spokesperson said that the 'potential issue' had now been 'fixed' so that the cookies will no longer broadcast information: 'We fixed the cookies so they won't include unique information in the future when people log out.'

It's just the latest privacy issue to affect a company that has a long history of blunders relating to users' private information.

Mr Cubrilovic wrote: ‘Even if you are logged out, Facebook still knows and can track every page you visit.

‘The only solution is to delete every Facebook cookie in your browser, or to use a separate (web) browser for Facebook interactions.

‘This is not what "logout" is supposed to mean’.

The admission is the latest in a series of privacy blunders from Facebook, which has a record of only correcting such matters when they are brought to light by other people.

Earlier this year it stopped gathering browser data from users who had never even been to Facebook.com after it was exposed by a Dutch researcher.

The site was forced into a partial climbdown over changes to privacy settings which many claimed made too much public.

It also came under attack for launching a ‘stalker button’ which allowed users to track another person’s every move in a list which was constantly being updated.

New Design: Mark Zuckerberg talks about a new look for Facebook at a conference earlier this month

Arturo Bejar, one of Facebook’s directors of engineering, admitted that users continue to be tracked after they log out but said that the data was deleted right away.

He said it was to do with the way the ‘like’ feature works, which is a button users can click on to show they like something.

He said: ‘The onus is on us to take all the data and scrub it. What really matters is what we say as a company and back it up.’

On technology blog CNET, however, users were outraged at what was going on.

One wrote: ‘Who the hell do these people think they are? ‘Trust us?’ Why? Why should we trust a company that spies on us without our knowledge and consent?’

Another added: ‘Holy wow.... they've just leapt way past Google on the creepy meter’.

According to U.S. reports Facebook has recently set up its own Political Action Committee, an American term for a lobbying outfit to get its views heard on Capitol Hill.

So far this year it has already spent £352,000 on lobbying, already ahead of last year’s total of £224,000.

The website has also been forced to deny Internet rumours it will begin charging for its services and said it will ‘always be free’.

A spokesman for Facebook said that the login and log out measures were designed for security and were there to prevent fraud.

He added: ‘We do not use this information to target adverts’.

By Daniel Bates

Thursday, September 22, 2011

Pistols Allowed on a Plane

Police called it a “scary mistake”. But how did it all actually happen?

By Zebunnisa Mirza
 
Aaron Haight was travelling from Vancouver to Collingwood, Ont. for a shooting competition on June 14th, 2011.

With him, he carried a Glock 22 and Baby Eagle 941. Both were legitimately licensed to him. He was given permission by the RCMP to travel with the weapons.

“You’re supposed to declare these and they’re supposed to go through special baggage,” Haight told CTV News. “That’s not what happened this day.”

Air Canada’s customer service agents were on strike. At the check-in counter, Haight told a manager he had two guns. He asked for the form that he knew he needed to fill out in order to bring his firearms with him.

He never said he was a police officer, but what he was handed was police paperwork. The form looked unfamiliar to Haight. But since he was asked to, he went ahead and filled it out anyway. On it he specified that the RCMP had authorized his travel with firearms.

While going through airport security, he was told not to walk through the metal detector. Instead, he was once again asked for his badge. Haight said he didn’t have one and produced his gun license instead. He was allowed to proceed.

“They proceeded me onto the plane,” Haight said. “I was looking around and wondering why are they letting me on here with two pistols in a briefcase?”

Before boarding the flight, Haight asked if it would be a problem to bring the guns on the plane. He was told to give the case to a flight attendant who brought them on board for him.

Midflight, he was asked to produce a badge. Once again he said he didn’t have one. This is when the pilot sounded the alarm and police were called.

Haight was arrested and jailed for three hours before release. The charge? – impersonating an officer.

“Through the investigation it was determined that there was no mention whatsoever on his part that he was a police officer,” Cst. Thomas Ruttan from the Peel Regional police told CTV News. “At some point someone believed he was a police officer, gave him the proper documentation to fill out to actually board the plane with his firearms. It’s a scary mistake.”

A mistake that worries Haight for more than the obvious reason.

“Now as a Canadian I’m wondering, how lenient are we being?”

In a statement, Steven Fletcher of the Ministry of state transport said:

“There are stringent security regulations in place and we expect them to be followed. We take all allegations very seriously.”

Both the airline and the Canadian Airline Transportation Safety Authority (CATSA) have acknowledged the error.

CATSA says they have investigated and taken steps to identify proper paperwork.

Air Canada has also moved to remind their employees of the proper procedures around such dealings.

Let’s hope such a mistake doesn’t happen again.

Monday, September 12, 2011

Now You See It, Now You Don't

Company Check and Credit Card Fraud


Paul Rodrigues, CFE, CPA, MST, CFF, closed the manila case folder and pondered its contents. A company had engaged his firm to investigate an apparent — but difficult to identify — embezzlement.

Rodrigues heads the fraud and litigation practice and is a principal at Chortek & Gottschalk, LLP, a CPA and business advisory firm specializing in forensic accounting and government and private sector auditing in Chicago, Milwaukee and Washington, D.C.

Pulling out a legal pad, he briefly recapped the facts of the case: $1.2 million missing, and neither the client nor the external auditors had any idea how, when and who might have committed it. "Clever," Rodrigues thought. "What kind of person would be smart and knowledgeable enough to pull this off?" he asked himself.

With 20 years of experience, it did not take Rodrigues long to come up with an answer: someone who knows the client's books inside out and has close tabs on what the auditors look at. Primary suspect: the CFO, who was a CPA and arranged the company's external audits.

Doodling on the pad, Rodrigues next asked himself what a person with that kind of power and information would do to conceal her embezzlement: Perform the illicit transactions during a period outside the audit scope.

That query led to another: Even if the CFO had succeeded in hiding the evidence from the auditors during the review period, how did she hide it from everyone in the company for the rest of the fiscal year?

Rodrigues thought that a key clue in this fraud just might resemble one in Arthur Conan Doyle's "Silver Blaze," a short story that appeared in The Strand magazine in December 1892.

RECOGNIZING WHAT IS MISSING

"The solution to this case depended on a detection technique that's far from new, but that investigators sometimes overlook," Rodrigues said.

He recounted how, in Doyle's intricate tale, Sherlock Holmes is engaged to investigate a case of horse-racing-related fraud. In short order, Holmes noticed that a typical and reasonable occurrence mysteriously had not taken place in this case. It all began in the dead of night when a fraudster abducted Silver Blaze, a champion stallion, from its guarded stable. The horse's groom could not alert anybody because the thief had drugged him. But that was not all.

Here is how Dr. Watson chronicled Holmes's detection of a further clue — one both elusive and informative — that Inspector Gregory of Scotland Yard and everyone else had missed: the stable guard dog had never barked.

" 'Is there any other point to which you wish to draw my attention?' [Gregory asked Holmes].

'To the curious incident of the dog in the night-time.'

'The dog did nothing in the night-time.'

'That was the curious incident,' remarked Sherlock Holmes."

APPLIED ANALYSIS

Rodrigues reasoned that the absence of incriminating transactions during the audited period might spur the auditors to review payments made during the rest of the year. However, unless those payments were suspicious, they would be difficult to distinguish from legitimate ones. Was the only alternative a painstaking and expensive review of the documentation for every transaction over the past year? No, there was a better way, Rodrigues decided. He would look for a typical and reasonable occurrence that had not taken place.

In "Silver Blaze," Holmes correctly concluded that if a stranger had approached the stable, especially at night, the dog would have barked loudly. It therefore was clear that the dog had kept silent because the nocturnal visitor was familiar to him. In fact, the trainer had abducted the horse to inflict a hard-to-detect wound that would hobble the champion in an upcoming race and enrich the crooked trainer, who bet against it.

Analogously, Rodrigues looked for apparently legitimate transactions that occurred throughout the year but not during the period under audit.

"That's exactly what was going on," Rodrigues said. "The CFO knew that the auditors typically examined transactions made during the first and fourth quarters."

Rodrigues saw that seemingly normal payments to certain vendors recurred from April through September each year but not during the auditor's testing periods. That subtle red flag led him to examine those remittances.

"Some of them were 'double' payments to a vendor the CFO's employer did business with," Rodrigues said. "She had obtained a personal credit card from the same issuer that served the company. Because all her personal billing statements went to her home, no one at work knew she had her own account. When the CFO's personal credit card bills were due, she paid them by executing fraudulent transactions at work. Unless you had examined the documentation of the company's payments, you wouldn't have suspected that some of them were for the company's debts and others were for the CFO's personal debts, which of course were not documented in the company's records. The hard part was knowing exactly which payments to look for."

But Rodrigues had made the hard part easy by identifying apparently routine payments that were absent during audit periods. That promptly led him to the fraudulent "needles" in a "haystack" of legitimate transactions. Thus, he quickly solved the case at minimal expense to the greatly relieved and appreciative client. The fraudster avoided prosecution by agreeing to an out-of-court structured settlement that confiscated the proceeds of her company retirement account. The company's insurer also covered part of the embezzlement loss.

TRACKING DOWN THE TRACES

Armed with specialized knowledge and access to every part of an organization's accounting system, such fraudsters as the CFO above can do great damage quickly while leaving few visible signs of their crimes.

"This type of perpetrator won't leave any evidence of disbursements to themselves," Rodrigues said. "And they'll also keep the books in balance by recording off-setting transactions. So, after you've preserved the accounting system's evidence by creating a forensic image, look for changes in check numbers, payees and amounts."

Accounting systems of all sizes have options for maintaining a transaction history. If this feature is turned on, auditors and investigators can use it to examine transactions and determine who executed them and when, Rodrigues said. Even if the log has been disabled, the system still might contain valuable evidence a CFE can retrieve with the help of the system vendor.

The objective is to identify all modified, deleted or voided transactions. Focus first on any modified checks, Rodrigues said, and request images of them from the client company's bank. Then compare each image to how its related disbursement is recorded in the system. This should reveal any instances in which a fraudster has issued checks to himself or to a shell company and modified the system to falsely reflect disbursements to legitimate payees.

In this manner, a CFE also can determine whether fraudsters have altered check payment amounts or check numbers. Rodrigues recalled a case in which a fraudster forged five checks, all with the same check number. Amazingly, the bank paid them all, he said, demonstrating its inattention to protecting depositor funds.

Likewise, CFEs should compare deleted and voided transactions with checks that actually cleared. Send the bank a list of the numbers of all deletes and voids, and request images of any paid checks bearing those numbers. Any matches are leads to whoever endorsed those checks and to the bank where they deposited them.

Equally dangerous and resourceful are fraudsters who cannot modify transactions but succeed in adding phony vendors to the accounting system.

Most businesses search their records monthly or quarterly for vendors that are unapproved or have a name or address similar to that of an employee, Rodrigues said.

"That process will detect the clumsy fraudster," Rodrigues acknowledged. "But a clever fraudster will add to the system an illegitimate vendor he controls, cut a check to that account and then immediately change its status to 'inactive.' Often that conceals the fraud; many companies review only their active vendors. So CFEs should check for payments to inactive vendors. In one of my cases, whenever the fraudster wanted to steal some money, he re-activated the illegitimate vendor he had created, printed a check payable to it, and then changed the status back to 'inactive.' "
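The checks Rodrigues describes (payees paid regularly but never inside the auditors' test window, payments to inactive or unapproved vendors, voided or deleted check numbers that the bank nevertheless paid, and one check number paid more than once) can be run as simple queries over a ledger export. The following is an added illustration, not code from the article or from Chortek & Gottschalk; the record layout, payee names, amounts and check numbers are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Assumption: auditors test Q1 and Q4 only, as in the CFO case described above.
AUDIT_MONTHS = {1, 2, 3, 10, 11, 12}

# Constructed ledger export: (check_no, paid_on, payee, amount, ledger_state)
PAYMENTS = [
    (1001, date(2010, 1, 15), "Acme Supply", 4200.00, "posted"),
    (1002, date(2010, 2, 10), "CardCo corporate", 9100.00, "posted"),
    (1003, date(2010, 4, 12), "CardCo corporate", 8800.00, "posted"),
    (1004, date(2010, 4, 14), "CardCo acct 7731", 6100.00, "posted"),
    (1005, date(2010, 6, 11), "CardCo acct 7731", 5900.00, "posted"),
    (1006, date(2010, 7, 9), "Acme Supply", 3900.00, "posted"),
    (1007, date(2010, 8, 13), "CardCo acct 7731", 6400.00, "posted"),
    (1008, date(2010, 9, 2), "Northside Freight", 2500.00, "posted"),
    (1009, date(2010, 9, 3), "Acme Supply", 1800.00, "void"),
    (1010, date(2010, 11, 19), "CardCo corporate", 9400.00, "posted"),
]

# Constructed vendor master; a payee missing from it counts as unapproved.
VENDOR_STATUS = {
    "Acme Supply": "active",
    "CardCo corporate": "active",
    "CardCo acct 7731": "active",
    "Northside Freight": "inactive",
}

# Constructed list of check numbers the bank reports as paid.
BANK_CLEARED = [1001, 1002, 1003, 1004, 1005, 1006, 1007, 1007, 1008, 1009, 1010]


def silent_in_audit_window(payments, audit_months=AUDIT_MONTHS, min_months=3):
    """Payees paid in at least min_months distinct months, none of them audited.

    This is the 'dog that did not bark' test: a recurring payee that is
    never paid while the auditors are sampling transactions.
    """
    months = defaultdict(set)
    for _check, paid_on, payee, _amount, state in payments:
        if state == "posted":
            months[payee].add(paid_on.month)
    return sorted(
        payee for payee, seen in months.items()
        if len(seen) >= min_months and not (seen & audit_months)
    )


def paid_while_inactive(payments, vendor_status):
    """Posted payments whose payee is inactive or absent from the vendor master."""
    return [
        (check, payee, amount)
        for check, _paid_on, payee, amount, state in payments
        if state == "posted" and vendor_status.get(payee, "unapproved") != "active"
    ]


def voids_that_cleared(payments, bank_cleared):
    """Check numbers voided or deleted in the ledger that the bank still paid."""
    voided = {check for check, *_rest, state in payments if state in ("void", "deleted")}
    return sorted(voided & set(bank_cleared))


def duplicate_cleared_numbers(bank_cleared):
    """Check numbers the bank paid more than once (forged copies of one number)."""
    return sorted(n for n, count in Counter(bank_cleared).items() if count > 1)


if __name__ == "__main__":
    print("Never paid in audit window:", silent_in_audit_window(PAYMENTS))
    print("Paid while inactive/unapproved:", paid_while_inactive(PAYMENTS, VENDOR_STATUS))
    print("Voided but cleared:", voids_that_cleared(PAYMENTS, BANK_CLEARED))
    print("Cleared more than once:", duplicate_cleared_numbers(BANK_CLEARED))
```

Each hit is a lead for requesting check images from the bank and comparing them with the recorded disbursement, not proof of fraud on its own.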

A THIEF IN IPANEMA

Chortek & Gottschalk partner David Friedman, CFE, CPA, CFF, CICA, also plays a key role in the fraud and litigation practice, investigating a wide range of check and payment frauds. A common factor in such cases, he said, is insufficient or nonexistent segregation of duties.

"One big case I worked on years ago had this problem in spades," Friedman said. The controller of a small accounting department of a manufacturing company had complete autonomy, including the ability to make wire transfers into and out of — for investment purposes — the $50-million profit-sharing plan. Senior management just did not want to get involved; they found monitoring the plan activity too detailed and tedious.

On the Friday before Labor Day, under the guise of investing, the controller fraudulently wired $9 million from the profit-sharing plan to his bank in Baltimore. He subsequently moved the money to a bank in Miami, then to Bermuda and then on to his bank in Brazil. Saturday morning he flew to Rio de Janeiro.

By the time his employer realized what had happened, the controller had escaped. He had planned and executed his fraud perfectly, knowing that the extradition treaty between the U.S. and Brazil does not apply to money-laundering charges. Years later, he returned to the U.S. after agreeing to return what was left of the money in return for not being prosecuted.

"The moral," Friedman said, "is to segregate all duties that might enable an employee to single-handedly commit such frauds without anyone realizing it."

Do not judge the effectiveness of a transaction approval process solely on quantitative criteria, Friedman cautioned. It is also a matter of which — not just how many — employees are involved. For example, no single officer should be capable of unilaterally authorizing large transactions. Obtaining a second officer's OK should be mandatory.

PAPER'S PRICE AND PERILS


The 2010 Federal Reserve Payments Study observed that although more than three quarters of noncash payments are electronic, paper checks will be with us for some time to come. In 2009 — the most recent period for which data are available — U.S. businesses and individuals wrote 27.5 billion checks.

CFEs therefore must strive to maintain and strengthen their employers' and clients' awareness and mitigation of the risks of paper checks. The ACFE's "Fraud Examiners Manual" and the ACFE website (ACFE Check Fraud Resources) offer extensive technical background and practical guidance on this topic.

Friedman described a client company that devised and then neglected its own unusual plan for protecting its paper check stock.

"A small company converted a gun safe into a storage case for thousands of blank checks," Friedman said. "The storage case was unlocked all day. If a check had disappeared from the bottom of a pile, no one would have noticed for months. Forging a signature was no big deal. Unless the company had additional protection, that check would clear."

Banks offer businesses two versions of additional protection: positive pay and reverse positive pay.

With positive pay, every time a business writes checks, it sends its bank a list of their numbers, amounts, dates and payees, which shows that the checks are valid and that the bank should honor them. The bank will not pay checks that are not on the list. Typically, the system automatically generates the list and sends it to the bank.

With reverse positive pay, the bank notifies the client when someone presents a check for payment. The bank will honor the check unless — within a brief period — the client says not to.

"CFEs should advise their clients never to agree to reverse positive pay," Friedman said. "If you somehow don't timely instruct the bank not to pay a check you don't recognize, the bank has the right to honor it and stick you with the loss if the check turns out to be fraudulent. Positive pay is the safer alternative."

Friedman said he knows of a business that used reverse positive pay because it was cheaper than positive pay. And the company chose an unusual option that Friedman suspects might no longer be available: When a check would come in, the bank would ask the company for permission to honor it. If the company said no or did not answer, the bank would not clear the check.

For a while, the company diligently responded to the bank's requests, and there were no problems. However, when the company closed for the December holidays, the bank did not. Unfortunately, many of the company's checks still had not yet been presented. And when the bank contacted the company no one was there to answer.

"Hundreds of valid checks bounced because the bank never received permission to clear them," Friedman said. "The company had to stop payment on the originals and re-issue them. It reimbursed clients for any losses and changed its procedures, but the damage had been done. It hurt their reputation and cost them $100,000."

Recently, another reason emerged for some companies to consider positive pay.

"Increasingly, businesses that decline positive pay might have to sign a waiver in which they release their bank from liability for any check fraud that would have been discovered if the company had accepted positive pay," Friedman said. "One of the larger banks has implemented this policy, and many smaller ones are following its lead. Positive pay isn't cost-effective for every company. But it's good insurance, and CFEs should recommend it to clients that write numerous checks. Right now it's one of the best ways to protect yourself from counterfeit checks."

Robert Tie is a New York business writer. 


The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to FraudMagazine@ACFE.com

Tuesday, September 6, 2011

Hackers steal SSL certificates for CIA, MI6, Mossad

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue 'death sentence' 

Computerworld - The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.

The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to block all sites signed with the purloined certificates.

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service.

"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for CIA.gov, I wonder if the US gov will pay attention to this mess," Christopher Soghoian, a Washington D.C.-based researcher noted for his work on online privacy, said in a tweet Saturday.

Soghoian was referring to assumptions by many experts that Iranian hackers, perhaps supported by that country's government, were behind the attack. Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.

All the certificates were issued by DigiNotar, a Dutch issuing firm that last week admitted its network had been hacked in July.

The company claimed that it had revoked all the fraudulent certificates, but then realized it had overlooked one that could be used to impersonate any Google service, including Gmail. DigiNotar went public only after users reported their findings to Google.

Criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted.

Google and Mozilla said this weekend that they would permanently block all the digital certificates issued by DigiNotar, including those used by the Dutch government.

Their decisions come less than a week after Google, Mozilla and Microsoft all revoked more than 200 SSL (secure socket layer) certificates for use in their browsers, but left untouched hundreds more, many of which were used by the Dutch government to secure its websites.

"Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar," Heather Adkins, an information security manager for Google, said in a Saturday blog post.

Johnathan Nightingale, director of Firefox engineering, echoed that late on Friday.

"All DigiNotar certificates will be untrusted by Mozilla products," said Nightingale, who also said that the Dutch government had reversed its position of last week -- when it had asked browser makers to exempt its DigiNotar certificates.

"The Dutch government has since audited DigiNotar's performance and rescinded this assessment," Nightingale said. "This is not a temporary suspension, it is a complete removal from our trusted root program."

On Saturday, Piet Hein Donner, the Netherlands's Minister of the Interior, said the government could not guarantee the security of its websites because of the DigiNotar hack, and told citizens not to log into its sites until new certificates had been obtained from other sources.

The DigiNotar breach is being audited by Fox-IT, which told the Dutch government that it was likely certificates for its sites had been fraudulently acquired by hackers.

Several security researchers said the move by browser makers puts an end to DigiNotar's certificate business.

"Effectively a death sentence for DigiNotar," said Jeremiah Grossman, CTO of WhiteHat Security, in a Friday tweet.

Mozilla was scathing in its criticism of DigiNotar.

Nightingale ticked off the missteps that led Mozilla to permanently block all sites signed with the company's certificates, including DigiNotar's failure to notify browser vendors in July and its inability to tell how many certificates had been illegally obtained. "[And] the attack is not theoretical," Nightingale added. "We have received multiple reports of these certificates being used in the wild."

Markham went into greater detail on the hack and its ramifications. "It has now emerged that DigiNotar had not noticed the full extent of the compromise," said Markham in a Saturday post to his personal blog. "The attackers had managed to hide the traces of the misissuance -- perhaps by corrupting log files."

Because the Google certificate that prompted DigiNotar to acknowledge the intrusion was obtained before most of the others, Markham speculated that there had actually been two separate attacks, perhaps by different groups.

"It is at least possible (but entirely speculative) that an initial competent attacker has had access to [DigiNotar's] systems for an unknown amount of time, and a second attacker gained access more recently and their less-subtle, bull-in-a-china shop approach in issuing the [hundreds of] certificates triggered the alarms," he said.

Last week, Helsinki-based antivirus company F-Secure said it had found signs that DigiNotar's network had been compromised as early as May 2009.

Mozilla will update Firefox 6 and Firefox 3.6 on Tuesday to permanently block all DigiNotar-issued certificates, including those used by the Dutch government.

On Saturday Google updated Chrome to do the same.


Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.