Posted by: ryno442 | December 26, 2008

U.S. Moves Ahead with Data Encryption Measures

33 million records.

That’s the number of consumer records that have been exposed so far in 2008, a record year for data breaches, according to statistics from the Identity Theft Resource Center, which tracks breaches reported by U.S. organizations. And that count may only be the tip of the iceberg; without a federal requirement for organizations to quantify the number of consumers affected by data breaches, the real figure is likely much higher.

With over 80 percent of these breach events due to electronic data breaches, it’s little wonder that states throughout the U.S. are pushing to enact strong data security regulations to ensure that businesses protect sensitive customer data that is stored on computers or transmitted electronically via websites and e-mail.

Nevada is the first of several U.S. states to adopt new laws mandating that businesses better protect their customers’ digital confidential information. As of October 1, 2008, Nevada law requires businesses in the state that engage in the electronic transmission of certain personal information — including names and credit card numbers — to encrypt such transmissions.

The law is affecting the way organizations do business, and presents unexpected hardships for many. Charity organizations, which often store vast amounts of confidential information — including client names and addresses, as well as donor credit card information — are among the hardest hit by the new mandate, forced to overhaul their data systems while still carrying out the vital work they do.

One such group affected by the law is the Foundation for Positively Kids (FPK), a non-profit organization dedicated to providing comprehensive care to medically dependent and terminally ill children in Las Vegas, Nevada.

“We are trying to take care of sick and dying kids — why do I have to worry about a new Nevada encryption law?” Fred Schultz, CEO and founder of FPK, asked rhetorically in a recent NonProfit Times article which reported on the new requirements for secure transmission of donor and client information.

According to Schultz, the difficulty lies not in encryption itself, but in setting up the necessary security systems to accommodate the new law.

“All personal items on families we serve is sent or received by e-mail or fax. This must now be encrypted,” Schultz said.

Organizations in Nevada are not the only ones affected by increased encryption measures. Massachusetts has recently enacted an even wider-encompassing data privacy and security measure than Nevada’s. The law, which takes effect on January 1, 2009, includes encryption of data stored on laptops and other portable devices.

With Nevada’s law in effect, and Massachusetts’ legislation ready to move forward, other states are expected to follow with similar measures. Michigan and Washington state are also considering such regulations. Companies based outside these states may also need to take heed: because the laws apply to out-of-state companies that operate or have customers within the state’s borders, even a single state’s regulations have the potential to affect many.

“This may well be a telling example, indicating the type of legislative and accountability measures to come in the future. These types of encryption laws serve as a reminder of the importance of protecting personal information, and the steps that can be taken — by both consumers and businesses — to safeguard sensitive data. While encryption is not the only step that companies should be taking to protect private data, it is certainly a critical one,” said Jason King, Lavasoft CEO.

“While these laws may present initial compliance issues for some organizations, the mandates are sure to trigger more awareness of the need to adopt security measures to protect private data, which is, ultimately, a positive step for consumers,” King said.

Posted by: ryno442 | December 11, 2008

Russian hackers penetrate Pentagon computer system

Senior military leaders took the exceptional step of briefing President George W. Bush this week on a severe and widespread electronic attack on Defense Department computers that might have originated in Russia, posing unusual concern among commanders and potential implications for national security.

Defense officials would not describe the extent of damage inflicted on military networks. But they said the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.

Military computers are regularly beset by outside hackers, computer viruses and worms. But Defense officials said the most recent attack involves an intrusive piece of malicious software, or “malware,” apparently designed specifically to target military networks.

“This one was significant; this one got our attention,” said one Defense official, speaking on condition of anonymity when discussing internal assessments.

Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary.

Bush was briefed this week on the threat by Navy Adm. Michael G. Mullen, chairman of the Joint Chiefs of Staff. Mullen also briefed Defense Secretary Robert M. Gates.

Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether it had Russian government sponsorship. Defense experts might never be able to answer such questions, officials said.

The Defense official said the military has also not learned whether the software’s designers might have been specifically targeting computers used by troops in Afghanistan and Iraq.

However, suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments have also traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.

U.S. officials have worried in recent years about the possibility of cyberattacks from other countries, especially those originating in China or Russia, whether sponsored by governments of those countries or launched by individual computer experts.

An electronic attack from Russia shut down government computers in Estonia last year. And officials believe that a series of electronic attacks were launched against Georgia at the same time as hostilities erupted between Moscow and Tbilisi last summer. Russia has denied official involvement in the Georgia attacks.

The first indication of a problem in the Pentagon’s computers came last week, when officials banned the use of external computer flash drives. However, officials at the time did not indicate the extent of the attack or the fact that it might have targeted Defense systems or posed national security concerns.

The invasive software, known as agent.btz, has circulated among nongovernmental U.S. computers for months. But only recently has it affected the Pentagon’s networks. It is not clear if the version responsible for the cyber intrusion of classified networks is the same as the one affecting other computer systems.

The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the flash drives.

Defense officials acknowledged that the worldwide ban on external drives was a drastic move. Such drives are used constantly in Iraq and Afghanistan, and many officers keep flash drives loaded with critical information on lanyards around their neck.

Banning their use made sharing information in the war theaters more difficult and reflected the severity of the cyber intrusion and the threat from agent.btz, a second official said.

Officials would not describe the exact threat from agent.btz, or say whether it can shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Posted by: ryno442 | December 2, 2008

Teenagers among most vulnerable to identity theft

Identity theft is an ever-increasing threat for all consumers — one that could damage your credit ratings and cost you thousands of dollars. And teenagers are among the most vulnerable.

Suzanne Boas, president, Consumer Credit Counseling Service, has seen the damage first-hand. “It is frightening to think what can happen to you when someone gets a hold of your identity,” she says.

Hailey Lowe, 18, has heard of one way thieves can steal identities. “I guess they could … get online – I’ve heard of people doing that – get online, take your identity and buy stuff,” she says.

And that’s just the beginning. Boas says, “If they’ve managed to get a hold of your Social Security number and take out credit card applications in your name, that may go on for months before you realize it and it may actually take you years to resolve the problem.”

The far-reaching effects of identity-theft create countless hurdles to overcome. “You may have difficulty getting a job where a credit report is required. You may have trouble renting an apartment. You may have trouble leasing a car. You may have all sorts of difficulties that you can’t even imagine now,” says Boas.

While everyone is at risk, why are teenagers being singled out? Boas says, “A teenager is a perfect target; just by virtue of their age, they’ve got an unblemished credit record to begin with.” That’s why, experts say, parents need to help kids protect themselves.

“Number one would be leave your Social Security card at home,” says Boas. “Secondly, make sure you protect your credit cards all the time, and your checkbook. Don’t take them when you’re going out partying.”

And third, remember that your identity can be stolen online. “So if you’re going to use a credit card on the Internet,” says Boas, “make sure that you’re going into a secure website.” Knowing the risks of theft is the first step in protecting your identity and your financial future. And Hailey Lowe is now more aware.

“I think I’ll try harder definitely, knowing that it’s a bigger risk than I thought before,” she says.

Tips for Parents

In recent years, identity theft has become a very serious threat, due in part to the Internet and the availability of online activities, such as banking, shopping, and gaming. Consider the following statistics:

* The average cost to an identity-theft victim is more than $1,000 to remedy damages. Sometimes it takes years to set things straight.

* Consumer groups estimate that as many as 750,000 people a year are victims of identity theft.

* Identity theft is the most popular form of consumer fraud, in part because it is the most profitable. Identity thieves stole nearly $100 million from financial institutions last year, or an average of $6,767 per victim.

One of the first questions parents ask is, “How do thieves steal my information, or my child’s information?” According to the Identity Theft Resource Center, thieves work in a number of ways. They can:

* Go through your trash, looking for straight cut or un-shredded papers and records.

* Steal your mail, wallet or purse.

* Listen in on conversations you or your child have in public.

* Trick you or your child into giving them information over the telephone or by email.

* Buy the information via the Internet or from someone else who might have stolen it.

* Steal it from a loan or credit card application you or your child may have filled out, or from files at a hospital, bank, school or business that you deal with. Thieves may obtain these records from trash dumpsters outside of such companies.

* Get it from your computer, especially those without firewalls.

* Be someone you know – even a friend or relative — who has access to your information.

If you or your child becomes a victim of identity theft, experts at the Federal Trade Commission (FTC) offer the following suggestions:

* Contact the fraud department of any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to also place fraud alerts. Each bureau will send you credit reports free of charge.

* Close any of your accounts that you suspect have been tampered with, as well as any new accounts that have been opened fraudulently. Use the ID Theft Affidavit when disputing new unauthorized accounts.

* File a police report, and get a copy of the report to submit to your creditors and others that may require proof of the crime.

* File your complaint with the FTC. The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC learn more about identity theft and the problems victims have.

Ongoing research to be published in the International Journal of Liability and Scientific Enquiry suggests that there is a huge amount of sensitive data still on redundant computer hard disks. These devices are often disposed of or sold into the second-hand market by corporations, organizations, and individuals with the data intact. The report’s authors say that this data represents a significant level of risk for commercial sabotage, identity theft, and even political compromise, and suggest that better education is essential to reduce the risk of harm.

It is not well known among computer users that simply deleting a file from the hard disk does not actually remove it from the computer but simply deletes its entry in the index for the hard drive. To remove all traces of a file requires the actual data to be wiped using “digital shredding” software. Such software is readily available and should be run as a high priority by individuals, companies and organizations intending to pass on their legacy computer hardware to third parties.
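The difference between deleting and wiping can be shown with a toy model of a disk. This is an added example, not part of the original article or the study: `ToyDisk`, `carve` and `demo` are hypothetical names, the block size is assumed, and the sample record is constructed.

```python
import re

BLOCK = 64  # bytes per block on this toy disk (assumed size)

# Constructed sample record; the 000 area number is never issued for real SSNs.
RECORD = b"name=Jane Example;ssn=000-12-3456"
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class ToyDisk:
    """Minimal disk model: raw data blocks plus an index of file names."""

    def __init__(self, nblocks=16):
        self.raw = bytearray(BLOCK * nblocks)  # the stored bytes themselves
        self.index = {}                        # name -> (block numbers, length)
        self.free = list(range(nblocks))       # blocks no file refers to

    def write(self, name, data):
        need = max(1, -(-len(data) // BLOCK))  # ceiling division
        if need > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = (blocks, len(data))

    def read(self, name):
        blocks, length = self.index[name]
        out = b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return out[:length]

    def delete(self, name):
        """Ordinary delete: drop the index entry, leave the data bytes alone."""
        blocks, _ = self.index.pop(name)
        self.free.extend(blocks)

    def shred(self, name, passes=1):
        """Digital shredding: overwrite every block, then drop the index entry."""
        blocks, _ = self.index[name]
        for _ in range(passes):
            for b in blocks:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)


def carve(disk):
    """Scan the raw bytes for SSN-shaped strings, ignoring the index entirely.

    This is what an examiner of a second-hand disk sees: the file listing
    is irrelevant, only the bytes still present on the medium matter.
    """
    return [m.group().decode() for m in SSN_RE.finditer(bytes(disk.raw))]


def demo():
    """Remove the same file two ways and compare what remains on the disk."""
    results = {}
    for method in ("delete", "shred"):
        disk = ToyDisk()
        disk.write("clients.txt", RECORD)
        disk.write("notes.txt", b"nothing sensitive here")
        getattr(disk, method)("clients.txt")
        results[method] = {
            "listed": sorted(disk.index),  # what the user sees in a file listing
            "recovered": carve(disk),      # what is still readable from raw bytes
        }
    return results


if __name__ == "__main__":
    for method, outcome in demo().items():
        print(method, outcome)
```

On real hardware, journaling filesystems and SSD wear leveling can keep copies that a file-level overwrite never touches, so drives being passed on are normally sanitized as whole devices.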

Andrew Jones, Head of Information Security Research, at British Telecommunications, in Martlesham Heath, UK, working with Glenn Dardick of Longwood University, in Farmville, Virginia, and colleagues Craig Valli, of Edith Cowan University, Western Australia, and Iain Sutherland of the University of Glamorgan, UK, have analyzed data that remained on a number of second hand hard disks that had been obtained on second-hand markets.

“The research revealed that a significant proportion of the disks that were examined still contained considerable amounts of information, much of which would have been of a sensitive nature to the organization or individual that had previously owned the disk,” the researchers explain.

The team adds that the percentage of disks that had been effectively wiped had fallen significantly, from 45% to 33%, since the previous year’s survey. “With only 33% of working second-hand disks having been effectively wiped, it is reasonable to comment that this is an area where there is significant potential for improvement,” they say.

They make several recommendations for improved data security – with regard to hard disks and other storage media, including memory cards, mobile phones, and other devices, and suggest that public awareness campaigns by Government, the media, commerce and/or academia ought to be run to help reduce the risk of sensitive data entering the information black-market.

The 2007 study is being made available in its entirety through the International Journal of Liability and Scientific Enquiry. The team is now completing the 2008 analysis and will announce those results shortly as well. However, the initial results for the 2008 study show that there is still a long way to go regarding the decommissioning of computer hard disk drives. The team expects that the complete 2008 study will be made available for publication by the end of the year.

Adapted from materials provided by Inderscience, via AlphaGalileo.

Posted by: ryno442 | November 20, 2008

U.S. Federal identity theft convictions increased 26 percent

Federal identity theft convictions increased 26 percent in 2007 from the year prior, according to a Bush administration task force report on identity theft unveiled Tuesday.

According to the “Identity Theft Task Force Report,” as many as 1,534 people were convicted in 2006, and a year later, 1,943 were convicted nationwide on various identity theft violations. The report, however, said there are about 1.6 million complaints of identity theft on file with the Federal Trade Commission.

“The profiles, purposes, and methods of the perpetrators are continually changing. Identity theft today can be the product of organized crime rings here and abroad using increasingly sophisticated technologies, such as installing malicious software, phishing, spoofing, and database hacking, to tap into repositories of consumer data,” the task force wrote.

The 70-page document also includes 31 recommendations to combat identity theft. The recommendations state the obvious, but are important nonetheless. Among them, the task force wants to see a reduction in the use of Social Security numbers in the public and private sectors, more law enforcement training and better cooperation between the states and with other nations.

The report has a couple of interesting recommendations: the creation of a “National Identity Theft Law Enforcement Center” and providing victims of identity theft with a so-called passport “to prove they are who they say they are.”

“Such documentation is particularly important where a suspect has used the victim’s name in the commission of a crime,” the report said. The Identity Theft Center would act as an intermediary among the nation’s 50 states and federal government to investigate identity theft, the report said.

The report also calls for lobbying to “encourage other countries to enact suitable domestic legislation criminalizing identity theft.”

Posted by: ryno442 | November 6, 2008

LifeLock vs Trusted ID

A Review of LifeLock vs Trusted ID

Now that 2008 has reached a new high in security breaches, identity theft protection is on the minds of more people than ever before. Two of the most popular protection plans are LifeLock and Trusted ID. Both of them offer outstanding protection at a reasonable price.

How are LifeLock and Trusted ID the same?

  • Fraud Alerts (Called ‘Lender DoubleCheck’ by TrustedID)
  • Opt-out of pre-approved credit offers
  • Order yearly credit reports
  • Have a $1,000,000 warranty
  • Wallet protection
  • Scan internet black markets looking for misuse of your information
  • 24/7 on call helpline

Both services have strong scanning features that watch for your personal information being sold or traded on the black market. They look for your name, DOB, address and social security number. You can give TrustedID your bank account and credit card numbers and they will watch for them, too. You’ll be notified immediately if any activity with your info is found.

Wallet protection is a nice feature. The last time I thought I’d lost my wallet, I went into total panic mode. It’s like losing a part of your life. It helps to know you have someone to call who will walk you through the steps necessary to replace your driver’s license and insurance cards and to cancel and replace your debit or credit cards. And because you have the identity protection coverage, you’ll also be at less risk for the identity theft that goes hand-in-hand with a stolen wallet.

As you can see, both companies are quite similar and have the same basic features.

Here are a few differences in how their coverage works:

TrustedID sets your fraud alerts for you every 90 days like LifeLock. They also give you the option of placing a security freeze on your credit files if you prefer that. You have to pay the additional fee (usually $10) at each credit bureau to freeze and/or unfreeze your credit. The handy part about this is that they’ll administer this process for you, which can be a real nightmare if you lose your PIN number.

[Keep in mind that with a security freeze, no one can open any new credit – not even you – until the freeze is removed.]

In addition to watching for your information on the black market, LifeLock regularly scans the post office databases looking for a change of address. If they find you in there, they’ll contact you to confirm you made the change. Address changes are a popular way thieves hi-jack your mail and financial accounts.

An unsecure computer is a prime target for hackers and malicious software. Your passwords and email/financial account info are an open book to thieves if your computer gets infected. Trusted ID gives you an anti-spyware program you can install on up to 3 computers. This software is updated each day and is free for as long as you have your TrustedID membership. A good anti-spyware program is about $30 a year, so you’ll be saving the cost of that.

The biggest difference between TrustedID and LifeLock is the way they deal with an actual identity theft. Nothing can 100% stop a determined identity thief, so you get a million dollar warranty with your membership.

LifeLock has a service warranty that does the recovery for you. They’ll hire attorneys, investigators and case managers for you.

TrustedID has an identity theft kit that gives you the step-by-step process of what to do. You’ll be responsible for hiring any outside help but you’ll be reimbursed for expenses – including lost wages for things like having to appear in court to dispute a fraudulent account.

COST

The cost is nearly identical if you want individual coverage. Trusted ID has the better deal on family coverage. All adult family members (including elderly parents) and children living at the same address are covered with one low-priced membership.

PROMOTION CODES AND DISCOUNTS

LifeLock – get a 10% discount and 30 days free – use the promo code – JBAZ35.

Adult – 16 and over

  • $9 per month ($11 per month without coupon)
  • $99 per year ($110 per year without coupon)

Children (per kid)

  • $2.25 per month
  • $22.50 per year

TrustedID – get a 10% discount. No promotion code needed.

Adult

  • $90 annual membership ($99 per year without coupon)
  • $9 per month ($10 per month without coupon)

Family (all family members included)

  • $170.99 per month ($189.99 without coupon)
  • $17.99 per month ($19.99 without coupon)

LifeLock and TrustedID are both excellent companies that have stood the test of time. Either of them is a good choice.

I do like the anti-spyware program now included with Trusted ID’s service. I currently pay $30 a year for Spyware Doctor to protect me from all the nasty things trying to get into my computer. TrustedID will save me from having to renew that in a few months.

If you’re looking for coverage for a spouse and/or children, TrustedID has the best pricing available when you take advantage of the discount.

Whichever you choose, you’ll be able to stop worrying about identity theft because you’ll have a good company guarding your back. You’ll have unlimited help if you ever become an identity theft victim and you’ll never have to be alone to figure out what to do to restore your identity.

Posted by: ryno442 | October 29, 2008

Joe the Plumber’s identity hacked by government employees

Republican presidential candidate John McCain made Samuel Joseph Wurzelbacher, otherwise known as “Joe the Plumber,” famous during the October 15 debate with Democrat Barack Obama, and in subsequent television advertisements. Since then, numerous personal details have been disclosed about this working class Ohio guy who did not want to pay higher taxes on income over $250,000 that he had not yet earned.

And now, according to the Columbus Dispatch, it appears that government computers in Ohio may have been used to illegally access personal information about Wurzelbacher. In the days after the debate, information on Wurzelbacher’s driver’s license or his sport utility vehicle was retrieved from the Ohio Bureau of Motor Vehicles database three times, the Dispatch reported. With access to such information limited to legitimate law enforcement and government business, state and local officials are investigating whether the information was obtained illegally.

An Ohio spokesman for the McCain campaign told the Dispatch that the information breach may have been politically motivated. The Obama campaign has refuted the claim.

A college student who with her boyfriend stole the identities of friends and neighbors was sentenced Friday to five years in prison and ordered to pay more than $100,000 in restitution.

Jocelyn Kirsch, a former Drexel University student, and then-boyfriend Edward Anderton used the money for expensive salon visits, exotic vacations and fancy dinners.

Federal guidelines called for a prison sentence of 70 months, but U.S. District Judge Eduardo C. Robreno credited Kirsch for her apparent remorse and for her July 14 guilty plea to aggravated identity theft and other counts. Kirsch, 23, and Anderton acknowledged stealing the identities of friends and neighbors in the Philadelphia area in 2006 and 2007 to net more than $116,000 in goods and services.

The scheme unraveled when an employee at an upscale salon told police that a check for Kirsch’s $2,250 hair extension job had bounced. About the same time, a neighbor of the couple told police a package she did not order had been sent to her.

Police released photos showing the two posing in matching red swimsuits by a luxury hotel pool and kissing near the Eiffel Tower. Anderton, a 25-year-old University of Pennsylvania graduate originally from Everett, Wash., is to be sentenced Tuesday.

Deutsche Telekom’s German mobile phone subsidiary T-Mobile lost a disk containing personal information about 17 million of its customers in early 2006, the company said Saturday. Silent about the data loss for more than two years, the company published its version of events on Saturday following a report in German news magazine Der Spiegel that the data were being offered for sale on the Internet. T-Mobile’s data breach appears to be confined to customers of its German subsidiary. Data on the disk included customers’ name, date of birth, address and mobile phone number, and in some cases the customers’ e-mail addresses. No banking details were lost, the company said.

When the loss of the disk was discovered, the company reported the loss to the state prosecutor, and began monitoring Internet forums and sites where such stolen information is offered for sale, it said. T-Mobile found no evidence in the months following the loss that the missing data was on the market, it said.

That changed on Saturday, however, with Der Spiegel’s revelation that the data is now for sale on the Internet. The data for sale includes the home addresses and unlisted phone numbers of many German celebrities, business leaders, billionaires, religious representatives, government ministers and politicians, according to the report.

T-Mobile maintains that there is no evidence that the data has been used to harass or to steal the identity of any of its customers. The company has improved its security procedures since the disk was lost, it said. Those procedures now include the use of stronger passwords and access controls, and the logging of accesses to customer databases. However, no one at the company was immediately available to explain how the loss occurred. Customers worried about the disclosure of their mobile phone number can have it changed for free, the company said.

Deutsche Telekom is also in hot water for paying a little too much attention to the personal details of some of its customers. Its internal security staff are accused of spying on the private phone use of members of its board of directors, whom the company suspected of leaking sensitive information to journalists. The company said in May that it had called for an independent investigation of the affair.

The best defense against ID theft is to be educated on the subject and have a backup plan if someone were to get your personal information. LifeLock is the #1 Identity theft protector and if you would like a discount on a LifeLock membership use LifeLock Promotion code, JBAZ35.

Posted by: ryno442 | October 14, 2008

LinkedIn users targeted in spear phishing attack

Ten thousand users of LinkedIn, a social networking site for professionals, were recently targeted in a “spear phishing” email scam trying to lure them into downloading a malicious software attachment.

In a blog post Wednesday, Brian Krebs of the Washington Post, who first reported the story, said recipients of the email were addressed by name, aiding in the authenticity of the email.

What sets spear phishing attacks apart from traditional malware attacks is that the sender includes information about the intended target in hopes of lending even more legitimacy to the email, David Marcus, director of security research and communications for McAfee Avert Labs, told SCMagazineUS.com Thursday.

The message was sent from the address “support[at]linkedin[dot]com” with a subject line of “Re: business contact.”

The email read: “We managed to export the list of business contacts you have asked for.” The message then directed the recipient to open an attachment that was supposedly a list of business contacts that the user requested. In reality, it loaded malicious software to steal data such as usernames and passwords from the victim’s computer.

According to Marcus, the success rate of spear phishing attacks is significantly higher than traditional malicious attacks. Most people have received some sort of spam or phish message reading, “Dear banking customer” and deleted it. But not many people have gotten an email specifically addressed to them, he said.

“The likelihood that you’re going to think it’s real is certainly going to go up,” Marcus said.

To pull off an attack like this, fraudsters must already have obtained a certain amount of information about their targets, Marcus said.

Generally, an attacker would have acquired a database of information with names, email addresses and other identifying information, either through a previous hack or by buying the information from cybercrime markets, he said. The attacker would use that information to craft a legitimate-looking email directed to their target.

“It’s certainly troubling that the person who instigated the attack had pieces of information on 10,000 people,” Marcus said.

Attackers are targeting the users of social networking sites such as LinkedIn because members are used to receiving emails from the site.

Marcus recommended that if users receive the phishing scam, they should monitor their bank and credit statements because it means that someone already has some information about them.

Krista Canfield, spokeswoman for LinkedIn, told SCMagazineUS.com Thursday that the emails were not sent by LinkedIn.

“LinkedIn never advocates that its users be ‘open networkers,’” Canfield said in an email. “In fact, it can be downright dangerous. We always advocate that our users keep their network tightly knit. Users should only connect to people that they know and trust, or people that they have actually met and worked with before.”
