From shin at adachi.us  Wed Jan  2 13:48:00 2008
From: shin at adachi.us (Shin_ADACHI)
Date: Wed, 02 Jan 2008 13:48:00 -0800
Subject: [SIG-IDtheft] Privacy: The Worst Quotes of the Year
In-Reply-To:
References:
Message-ID: <477C0690.3090900@adachi.us>

Of possible interest.

<>

--
Shin_ADACHI, CISSP, PMP
shin at adachi dot us
PGP_Key_ID:0xF9EAD9DF
+1-650-331-0604

From Jeff.Hodges at neustar.biz  Sun Jan  6 23:42:23 2008
From: Jeff.Hodges at neustar.biz (=JeffH)
Date: Sun, 06 Jan 2008 23:42:23 -0800
Subject: [SIG-IDtheft] fyi: Inquiry into the Nature and Causes of the Wealth of Internet Miscreants
Message-ID: <4781D7DF.2070605@neustar.biz>

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants

Jason Franklin, Carnegie Mellon University, jfrankli at cs.cmu.edu
Vern Paxson, ICSI, vern at icsi.berkeley.edu
Adrian Perrig, Cylab/CMU, perrig at cmu.edu
Stefan Savage, UC San Diego, savage at cs.ucsd.edu

http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

ABSTRACT

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

From bob at bobpinheiro.com  Mon Jan  7 10:53:26 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Mon, 07 Jan 2008 13:53:26 -0500
Subject: [SIG-IDtheft] REMINDER: Next ID Theft SIG Call Wednesday, January 9
Message-ID: <0JUA0020OF437PD3@vms173003.mailsrvcs.net>

We will have our next ID Theft SIG call on Wednesday, January 9, at 9:30 AM PT / 12:30 PM ET / 17:30 UTC. Please note that calls will now be held on Wednesdays, to accommodate more people.
Also note the new call-in numbers below, as well as the link for new international call-in numbers.

Agenda will be to discuss possible SIG activities in 2008. Possible activities include:

* Identity Assurance and Authentication: The Liberty Identity Assurance Framework has the goal of fostering the adoption of "identity assurance" services that could enable large-scale authentication networks. Such networks, if they support consumer authentication applications, could potentially help prevent identity theft by providing a way to authenticate the identity claims of individuals who seek to obtain identity-related services from service providers with whom they have no prior relationship. Can the SIG help to ensure that the Liberty IAF supports consumer authentication applications at appropriate assurance levels? (The Liberty Identity Assurance Framework v1.0 can be found here.) One tie-in might be the newly formed Identity Assurance SIG, which will hold its first meeting in Washington DC on January 30. Might there be opportunities for collaboration?

* Privacy and Management of Personal Information: Some of the work that Liberty has done related to privacy can be found here. Is there anything the ID Theft SIG can/should do to support existing or new Liberty initiatives related to privacy of personal information?

* Public Policy Expert Group: It's been suggested that the ID Theft SIG could collaborate with PPEG on some activities of joint interest. What are some of those activities?

* Short Position Papers: It's been suggested that the SIG might pull together several very short position papers on relevant topics. Proposed topics include: out-of-band authentication and its implications for the Liberty technical framework; and "watermarking" of personal data.

* Liberty Plenary Meeting in March: Should the ID Theft SIG plan some activity for this meeting?

* Others?
Although these are all potentially useful and interesting activities, the reality is that many on the SIG mailing list may have neither the time nor inclination to participate in these activities. The ability of the SIG to contribute to these or other activities really depends on whether interested people are willing to become involved. So if any of these topics, or others that may be related to identity theft, are of interest to you, please consider joining the SIG calls.

Wednesday, January 9, 2008
9:30 AM PT / 12:30 PM ET / 17:30 UTC
US toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080107/843b202f/attachment.html

From shin at adachi.us  Thu Jan 10 15:25:07 2008
From: shin at adachi.us (Shin_ADACHI)
Date: Thu, 10 Jan 2008 15:25:07 -0800
Subject: [SIG-IDtheft] SANS Top20 Security Risks
In-Reply-To: <0JUA0020OF437PD3@vms173003.mailsrvcs.net>
References: <0JUA0020OF437PD3@vms173003.mailsrvcs.net>
Message-ID: <4786A953.6040409@adachi.us>

I just noticed I did not share this info with this SIG, but you can find a pretty interesting summary on breaches of unencrypted laptops and removable media in the SANS Top 20 Security Risks annual report released a couple of months ago.
The entire report is very interesting, though pretty long, but that specific article is at <>

regards,
Shin

--
Shin_ADACHI, CISSP, PMP
shin at adachi dot us
PGP_Key_ID:0xF9EAD9DF
+1-650-331-0604

From bob at bobpinheiro.com  Mon Jan 14 20:51:53 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Mon, 14 Jan 2008 23:51:53 -0500
Subject: [SIG-IDtheft] Next ID Theft SIG Call Wednesday, January 16
Message-ID: <0JUO00GC85SUA4E2@vms044.mailsrvcs.net>

The next ID Theft SIG call will be Wednesday, January 16, at 9:00 AM PT / 12 Noon ET / 1700 UTC. Members of the Identity Assurance SIG are also invited to join the call.

John P. Hopkinson, Security Strategist at EWA Information & Infrastructure Technologies Inc., and Chief Technical Officer (and Past President) of ISSEA, the International Systems Security Engineering Association, will provide a short overview of information security and privacy standards developed by ISO (the International Organization for Standardization). John will also provide some additional perspective about the relationship of Canadian Information and Privacy Commissioners to standards, as well as how standards support the work of the Privacy Commissioners.

John joined /IIT in May 2001 and is responsible for /IIT's Standards and Consortia activities and liaison. He develops strategies with regard to standards and consortia activities, and action plans to fulfill those strategies. John has over 35 years of experience in the security field in the military and commercial sectors. He has conducted research in many areas related to information technology security, with a particular focus on assurance, risk analysis, risk management, and security metrics. John was a key contributor to the development of the SSE-CMM, and responsible for its conversion into an ISO/IEC standard, 21827.
Wednesday, January 16, 2008
9:00 AM PT / 12 Noon ET / 1700 UTC
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080114/c576f755/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Stds-Ovr-General-Nov07-full.pdf.ZIP
Type: application/octet-stream
Size: 338440 bytes
Desc: not available
Url : http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080114/c576f755/attachment-0001.obj

From bob at bobpinheiro.com  Wed Jan 16 11:01:44 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Wed, 16 Jan 2008 14:01:44 -0500
Subject: [SIG-IDtheft] Catalog of ISO SC27 Standards
Message-ID: <0JUR00GGU3GYB166@vms173003.mailsrvcs.net>

In our call today with John Hopkinson regarding security and privacy standards, John mentioned that a catalog of the latest ISO SC27 standards is available online. This catalog can be found by first going to www.jtc1sc27.din.de/sce/SD7. This will take you to a new page with a single link in the middle of the page. Click this link to download a zip file containing two html files to be opened in your browser. The larger file is the catalog itself; the other is the cover sheet to the catalog. The catalog lists those standards that have already been issued, as well as those currently in development.

Most ISO standards are not free and must be purchased. For a list of free ISO standards, go to standards.iso.org/ittf/PubliclyAvailableStandards/index.html.
If you have any questions about any of these standards, you may contact John directly at john.hopkinson at magma.ca

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080116/1e3e7dde/attachment.html

From britta at projectliberty.org  Thu Jan 17 12:17:24 2008
From: britta at projectliberty.org (Britta Glade)
Date: Thu, 17 Jan 2008 12:17:24 -0800
Subject: [SIG-IDtheft] Study on online privacy concerns, etc.
Message-ID:

Of potential interest to both groups....

http://apnews.excite.com/article/20080116/D8U74HT80.html

*Study: Online Privacy Concerns Increase*
Jan 16, 1:09 PM (ET)
By ANICK JESDANUN

NEW YORK (AP) - Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels.

Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.

People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet, according to the survey from the University of Southern California's Center for the Digital Future.

The study, to be released Thursday, comes as privacy and security groups report that an increasing number of personal records are being compromised because of data breaches at online retailers, banks, government agencies and corporations. The Identity Theft Resource Center, for instance, listed more than 125 million records reported compromised in the United States last year. That's a sixfold increase from the nearly 20 million records reported in 2006.
Data breaches often result from lost or stolen computer equipment such as laptops, though the single largest breach was a case of online hacking. Early last year, TJX Cos. (TJX) disclosed that a data theft had exposed tens of millions of credit and debit cards to potential fraud. The card numbers were typically collected during brick-and-mortar retail transactions at T.J. Maxx, Marshalls and other TJX chains. The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami - an entry point that led the hackers to eventually break into TJX's central databases.

Nonetheless, concerns about credit card security have largely stabilized, with 57 percent very or extremely concerned last year. It was 53 percent in 2006, a difference within the survey's margin of sampling error of 3 percentage points in either direction.

As of 2007, two-thirds of adult Internet users shop online, compared with just half a year earlier. Most spend $100 or less a month, and two-thirds of online shoppers have reduced buying at brick-and-mortar stores.

"You'd think the logical attitude would be to look at this level of concern and say I'm not going to shop on the Web, but it's not happening," said Jeff Cole, director of the Center for the Digital Future. "The advantages, the conveniences are so extraordinary."

With credit card fraud, a customer's liability is capped at $50, and even that amount is often waived. Customers often know of fraudulent charges quickly if they check their accounts online or are notified by their banks, which have security measures in place to flag suspicious transactions. Identity theft, on the other hand, can take months and sometimes years to find out about and resolve, Cole said, possibly explaining the greater concern over privacy.
Among other findings in the annual survey, online parents are more likely than ever to withhold Internet use as punishment - 62 percent in 2007, compared with 47 percent a year earlier and 32 percent in 2000. For the first time, denying Internet access is on par with banning television for bad behavior.

"What we've seen over those seven years is parents really now seeing that the Internet has lots of great stuff on it and can be really important, but also can be a time waster," Cole said. "They view it much closer to the way they see television."

Nearly two-thirds of parents, meanwhile, worry about kids participating in online communities and about half believe online predators to be a threat, notwithstanding other research showing fewer youths receiving sexual solicitations over the Internet as they become smarter about where they hang out and with whom they communicate online.

"The perception is higher than reality, but the perception is significant and leads to how much access you give your kids and whether you let them (surf) unsupervised," Cole said.

Internet penetration continues to show signs of plateauing. The percentage of former users who say they have no intention of going back online continues to increase, and less than half of those who have never used the Internet plan to log on in the coming year.

Newer users are more likely than veterans to access the Internet through a dial-up connection, and newer users tend to spend an average of 1.2 hours a week more than veterans playing online games. Veterans are more likely to read a newspaper or listen to the radio over the Internet.

Twenty-one percent of Internet users have stopped a newspaper or magazine subscription because they could get it online, while half of the Americans who read a print edition of the paper said they would miss it if it were to go away.

The study of 2,021 Americans was conducted Feb. 28 to Aug. 6, with participants selected randomly by telephone.
--
Britta Glade
Liberty Alliance
925-254-4233

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080117/e9fb75ba/attachment.html

From bob at bobpinheiro.com  Mon Jan 28 18:37:56 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Mon, 28 Jan 2008 21:37:56 -0500
Subject: [SIG-IDtheft] Next ID Theft SIG Call Wednesday, February 6
Message-ID: <0JVD00A1JWNR95K0@vms044.mailsrvcs.net>

We'll have our next ID Theft SIG call on Wednesday, February 6. Agenda to follow.

Wednesday, February 6, 2008
9:00 AM PT / 12 Noon ET / 1700 UTC
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080128/5805e1a2/attachment.html

From bob at bobpinheiro.com  Thu Jan 31 08:20:58 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Thu, 31 Jan 2008 11:20:58 -0500
Subject: [SIG-IDtheft] ANSI/BBB ID Theft Report and Webinar Today, January 31
Message-ID: <0JVI000A1O5ICWL3@vms044.mailsrvcs.net>

The ANSI/BBB Identity Theft Prevention and Identity Management Standards Panel (IDSP) has released its final report and recommendations today (January 31). There will be a webinar from 2 - 3 PM ET today to introduce these results to the public, followed by industry analyst perspectives given by James Van Dyke of Javelin Strategy and Research, and Larry Ponemon of the Ponemon Institute.
Document downloads and webinar registration can be found here: www.ansi.org/standards_activities/standards_boards_panels/idsp/report_webinar08.aspx?menuid=3

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939