NEWS
Editorial office: Elsevier Ltd, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +44 (0)1865 843695. Fax: +44 (0)1865 843971. E-mail: [email protected]
Editor: Sarah Hilley
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Editor: Alan Stubley
Printed by: Mayfield Press (Oxford) Limited
Computer Fraud & Security
Coca-Cola IP thieves jailed
Corporate rival PepsiCo helped put them there
A former Coca-Cola employee and a co-conspirator have been jailed for stealing trade secrets after PepsiCo told of their attempts to sell classified information.
Former executive administrative assistant Joya Williams will serve eight years in prison and three years of supervised release, while her co-conspirator, Ibrahim Dimson, 31, will be jailed for five years.

Last May, PepsiCo passed a suspicious letter from a person calling himself Dirk to its rival Coca-Cola. Dirk claimed to be employed at a high level in Coca-Cola and offered “very detailed and confidential information.” After receiving the letter, Coca-Cola went to the FBI, which launched an undercover investigation. The FBI established that Dirk was actually Dimson, and further investigation identified another “go-between” in the planned transaction as Edmund Duhaney, who is awaiting sentencing. Phone records later showed that the source of the classified material was Williams, who worked in the soft drinks giant’s Atlanta office.

An undercover agent posed as a potential buyer, and the so-called Dirk supplied 14 pages of a document marked “Classified – Confidential” and “CLASSIFIED – Highly Restricted” containing valuable trade secrets. Dimson, posing as Dirk, demanded US$10 000 for the documents and emailed: “I must see some type of seriousness on their part, if I’m to maintain faith to continue with you guys, or if I need to look towards another entity that will be interested in a relationship with me. I have the capability of obtaining information per request. I have information that’s all Classified and extremely confidential, that only a handful of the top execs. at my company have seen. I can even provide actual products and packaging of certain products, that no eye has seen, outside of maybe five top execs.”

The fraudster also negotiated to be paid US$75 000 for a highly prized new product sample from Coca-Cola. Meanwhile the company gave the FBI film footage of Joya Williams stuffing confidential papers into her handbag and with a new product sample in her possession. In July last year, the FBI arrested the trio with enough evidence garnered to send them to prison. United States Attorney David E. Nahmias said: “As the market becomes more global, the need to protect intellectual property becomes even more vital to protecting American companies and our economic growth. This case is an example of good corporate citizenship leading to a successful prosecution, and that unlawfully gaining a competitive advantage by stealing another’s trade secrets can lead straight to federal prison.”
Phisher jailed under CAN-SPAM Act
The first to be convicted by a jury under the act
A jury has returned the first conviction under the CAN-SPAM Act of 2003.
Phisher Jeffrey Brett Goodin, 47, has been jailed for nearly six years for identity theft, credit card fraud, witness harassment and other offences. Los Angeles judge Christina A. Snyder also ordered Goodin to pay nearly US$1 million to the ISP Earthlink. Goodin sent thousands of emails through an Earthlink Internet connection to America Online users, appearing to come from AOL’s billing department. AOL customers were prompted to enter their personal and credit card details on fake AOL websites controlled by Goodin, who then used the stolen credit card information to buy goods through unauthorized transactions. Earthlink said it cost nearly US$1 million to track Goodin’s phishing schemes.
July 2007
The Azusa man was also sentenced on 10 other counts, including:
• Wire fraud.
• Aiding and abetting the unauthorized use of an access device (credit card).
• Possession of more than 15 unauthorized access devices.
• Aggravated identity theft.
• Misuse of the AOL trademark.
Orange & Littlewoods breach data protection
Corporations Orange and Littlewoods have breached the UK’s Data Protection Act.
The Information Commissioner’s Office (ICO) has judged that the companies mishandled customers’ personal data. At Orange Personal Communications Services Limited, new members of staff shared user names and passwords when logging on to the company IT system. The ICO judged that Orange did not keep its customers’ personal information secure and therefore breached the Data Protection Act. In a separate investigation, the ICO found that Littlewoods Shop Direct Home Shopping failed to process customer records in accordance with the legislation. The breach came to light after a customer asked the company to stop using her records for direct marketing. Despite her objections, the clothing company kept bombarding her with marketing material.

Both companies have now signed a formal undertaking to comply in the future, and the ICO has threatened prosecution if they fail again to conform to the regulations. In May the Information Commissioner appealed for stronger powers for the office to inspect and audit organizations to ensure compliance; under current rules the Commissioner must gain consent before inspecting a company.

Anyone who processes personal information must comply with eight principles, which require that information is:
• Fairly and lawfully processed.
• Processed for limited purposes.
• Adequate, relevant and not excessive.
• Accurate and up to date.
• Not kept for longer than is necessary.
• Processed in line with the rights of individuals.
• Secure.
• Not transferred to other countries without adequate protection.
Bush and Estonian President talk cybersecurity
Estonia’s President brought cybersecurity to the attention of US leader George Bush when they met on June 25.
President George W. Bush meets with President Toomas Ilves of Estonia (White House photo by Eric Draper)

In Brief

EUROPEAN BANKS MUST WARN ACCOUNT HOLDERS OF US MONITORING
Banks in Europe must let customers know if there is a likelihood that their transactions may be monitored by US Government security agencies. The Article 29 Working Party, which consists of European data protection officials, said the banks must inform customers by September.

MAN ARRESTED IN SPAIN FOR MOBILE VIRUS
A 28-year-old man was arrested in Spain for creating a high-end mobile phone virus that struck more than 115 000 handsets. The virus affected Bluetooth-enabled phones running the Symbian operating system and falsely advertised porn, sports updates or anti-virus software.

INFORMATION COMMISSIONER LAUNCHES DATA PROTECTION AWARD
A UK-based data protection watchdog has launched a European award of excellence to recognise public sector agencies that show best practice in protecting information. The Information Commissioner’s Office hopes the award will increase awareness of best practice in data protection around Europe. David Smith, Deputy Commissioner, said: “Many UK organizations demonstrate good practice in information handling – a fact that was reinforced last year when this prestigious prize was awarded to an organization in the UK. As privacy issues resonate more and more with the public, data protection compliance has never been so important. I encourage those organizations in the public sector to submit applications highlighting their achievements not just in the hope that they might win the award, but also so that UK expertise in data protection can be shared with the rest of Europe.” Last year, a division within the Calderdale and Huddersfield NHS Trust won the UK-based award. Applications must be received before 3 October and winners will be announced later in 2007.

CREDIT BUREAUS TRY TO STOP CREDIT REPORT FREEZING BY ACCOUNT HOLDERS
Credit bureaus are trying to curb legislation that allows customers to freeze their credit reports in the US. USA Today reports that by the end of the year more than 35 states will have such laws, compared to very few a couple of years ago. Customers want the power to combat rising identity theft.
BELGIAN TEEN ARRESTED OVER POLICE WEBSITE DEFACEMENT
A teenager has been arrested in Belgium for allegedly hacking a federal police website and posting a message taunting it about its poor level of security. The 17-year-old has since been released and will appear before a minors’ court.