OneDOJ, the proposed master database consolidating a wide range of public (and non-public) records for law enforcement is well underway. Crucial anti-terrorism tool or ID thief buffet? Time will tell. Wired offers a brief update on the progress.

-- MDT

Labels: database, OneDOJ, privacy, public records

Codename: ONE DOJ. While I can't say for sure, this sounds much like the "The Matrix" or Multistate Anti-Terrorism Information Exchange. This was a similar system that was proposed, developed and shelved a few years back. Is this the same program under a new, less machine-led-humans-as batteries-armageddon moniker?

The Maxtrix was designed to aggregate public records along with private data sources (credit headers, etc.) to create one massive personal info chopper. For the time being, ONE DOJ appears to be a much more modest effort, geared toward nation-wide availability of casefiles and investigative reports from around the country.

Techdirt, for its part, will tell you why this is a bad idea (again).

-- MDT

Labels: database, Matrix, Techdirt, Total Information Awareness

Highly appropriate based on this week's resurgence of Enron-related news --> Want a window into the disintegration of the company that perpetrated one of the great corporate frauds of all time?

Check out this amazing resource, Trampoline's Enron Explorer which contains a searchable, graphically relatable database of all the emails flitting about Enron revealed in the course of the investigation into the energy trader. You can seach globally on full text or sort by individual and then drill down or even render a web of their contacts with others (not unlike the sadly seldom updated They Rule - another site you really must visit if you have never seen it).

Found at the always entertaining (and no certainly need of link-backs from little ol' me) blogging all-star, BoingBoing.

-- MDT

Labels: database, Enron, EnronExplorer

Its not as if we didn't see this coming with. The ever-interesting Techdirt has the latest.

-- MDT

Labels: database, Techdirt

A government background check database which combines Social Security and immigration sources to verify a potential employee's immigration status may be expanded for general use, complete with a billion dollar price tag to get it up and running on a large scale. The database is designed to help employers distinguish legal and illegal immigrants applying for work. Not a bad idea in theory, but small scale tests haven't exactly shown the system to be error free. Hence the billions. Homeland Security is offering a voluntary program for business owners to test usage of the system, with 6,000 employers currently enrolled.

For more info on the system and its potential pitfalls, click here.

-- MD

Labels: background checks, database

The Cyber-Security Enhancement and Consumer Data Protection Act of 2006 would require disclosures on breaches involving more than 10,000 names or illegal/inadvertent access of any government database.

No word on whether the recent disclosures of comprehensive NSA phone record tracking have any bearing on this...

See the bill details here.

-- MDT

Labels: data breech, database

Salomon Grey Financial, a Dallas, Texas-based brokerage that was first registered in 1998 has been dealt a severe penalty by the National Association of Securities Dealers. Salomon Grey went out of business since Febuary but has been in regulators sites for the past several years. In August 2004 Salomon Grey and owner Kyle Browning Rowe agreed to a $100,000 fine on charges relating to money laundering, poor supervision, employing brokers with past disciplinary problems and conducting unauthorized searches of an NASD database. Rowe was also suspended for two weeks by the NASD (Sept. 7 - Sept. 20, 2004) in relation to the same charges. In paying the $100,000 fine, neither Rowe nor his firm were required to admit any wrongdoing. However, as of late last month the NASD made their assessment of the situation very clear, with the decision to expel Salomon Grey and to ban Kyle Rowe for life. Time to keep the eagle-eyes out for where Mr. Rowe and the rest of the crew from Solomon Grey's 14 offices land next.

More on the story can be found here. And for the the NASD's press release on Rowe's lifetime ban and Solomon Grey's shady activities, click here.

--MDT

Labels: database, money laundering

Recall this story from last summer about the Federal government's abandoned plans for The Matrix, (or The Multistate Anti-Terrorism Information Exchange) a proposed database that would aggregate public records and commercially obtained data (read, credit headers, cell phone numbers and whatever else commerical firms can get their hands on) and make the information available to local law enforcement.

While the Feds discontinued their plans for the database, much to the relief of privacy advocates, Florida, for its part is apparently continuing to develop a similar system that would be powered by Lexis Nexis's Seisint. It is worth noting that Seisint was affilicated by a major personal info heist that touched off last summer's tidal wave of data breach news coverage and increased governmental, media and consumer attention to the issues surrounding personal data security.

-- MDT

Labels: data breech, database, homeland security, Lexis Nexis, Matrix, Seisint, terrorism

There is no doubt that low-level background checks have become a commodity. You can search the web to find any number of automated searches promising things like a "comprehensive, nationwide criminal background check." Unfortunately, The Daily Caveat is here to tell you that no such animal exists and the advice your parents gave you still holds true - if it sounds too good to be true, it probably is.

Now, not every job or business decision necessitates "the Cadillac plan." There is no question that there is a difference in the due diligence burden for a new fry cook at McDonalds versus the new chief executive of a milti-billion dollar company. But in every case, no matter how big or small the budget, please be wary of an services that seems to offer a high level of risk mitigation at an impossibly low pricepoint. At the end of the day, you are most likely getting only as much as you paid for.

Investigations, to be worth anything must be thorough, concise and most of all, conducted by human beings, not just search fields in a database. Whether you opt to work with Caveat Research or one of our many competitors, my advice is, to the extent possibly, do not shop on price. Make your choice, rather, on the investigator's ability to help you understand the work undetaken on your behalf. Only through that understanding can a true accounting for costs be obtained. Failing to understand your own investigation is what leads to situations like this one, in Indiana:

Screening missed teacher's drug case - Case of a Hoosier's Florida arrest record exposes limitations of background checks

By Staci Hupp
April 2, 2006
Indianapolis Star

"It's scary that someone could be prosecuted in another state and come to Indiana and we don't know about it," said Rep. Robert W. Behning, R-Indianapolis, who heads the House Education Committee.

At least 41 other states have switched to FBI screenings that use fingerprints to scan criminal records nationwide. Teachers who apply for licenses in Indiana are subject only to the state's limited criminal history check, a computer screening that relies on incomplete records from county courthouses.

Money typically is the sticking point, according to Indiana State Police officials who have pushed for changes. Schools would have to pay up to $39 for FBI background checks, while the state system is available for free.

No one knows how many offenders have slipped through screening in Indiana. A check of newspaper stories from the past decade shows that at least three school employees convicted of violent crimes passed background checks.

Indiana bars those convicted of drug dealing, crimes involving children and some other felonies from teaching.

But first it has to spot them...

More here.

-- MDT

Labels: background checks, database

But don't week for the fine folks at Choicepoint. According to this recent article from MSN Money, their revenue in 2005 exceeded $1 billion., with projections for 2006 looking to be up 7 to 9%. More on the FTC fine, via Business Week:

FTC Fines ChoicePoint Over Data Breach

January 26, 2006
BusinessWeek
By Harry R. Weber
AP Business Writer

The Federal Trade Commission said Thursday that data warehouser ChoicePoint Inc. will pay $15 million to settle charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The FTC said it had fined the Alpharetta, Ga.-based company $10 million -- the biggest the agency has ever imposed -- and that Choicepoint would pay an additional $5 million that will be used to compensate consumers.

Company shares sank nearly 7 percent on a day it also reported a more than 29 percent decline in its fourth-quarter profit. Choicepoint had revealed last year that its massive database of consumer information was accessed by thieves. The data breach involved thieves posing as small business customers who gained access to ChoicePoint's database, possibly compromising the personal information of 145,000 Americans. The FTC said the number now stands at 163,000. The company discovered the breach more than four months before disclosing it to the public in February 2005. ChoicePoint has said authorities asked it to keep the information secret initially.

Authorities have said at least 750 people were defrauded in the scam that has fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business. The FTC said the number of victims now stands at about 800, but ChoicePoint has noted that charges brought in Los Angeles against one of the thieves involve only 16 victims. The company also is a defendant in several lawsuits and complaints arising from the breach, and several government agencies are investigating.

"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," Deborah Platt Majoras, chairman of the FTC, said Thursday in a statement. The $10 million fine is the largest ever levied by the FTC, Majoras said during a news conference. Previously, the largest FTC fine was for $7 million against medical device maker Boston Scientific Corp. related to competition issues, she said. "This is an important victory for consumers," Majoras said.

The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program and to obtain audits by an independent third-party security professional every other year until 2026.

The company, which is also is the subject of a pending Securities and Exchange Commission probe, did not admit to any wrongdoing in the FTC probe. ChoicePoint collects data on individuals, including Social Security numbers, real estate holdings and current and former addresses. It has about 19 billion records, and its customers include insurance companies, financial institutions and federal, state and local agencies.

The SEC is examining stock trades by Derek Smith, ChoicePoint's chief executive officer, and Doug Curling, chief operating officer. Curling and Smith made a combined $16.6 million in profit in the months after the company learned of the data breach and before the breach was made public. ChoicePoint has said the stock trading was prearranged and approved by the company's board.

Company officials said Thursday they continue to cooperate with the SEC probe. They did not give details of the status of the probe. The settlement came hours after the company reported its fourth-quarter profit fell to $27.68 million, or 30 cents a share, in the quarter ended Dec. 31 compared to a profit of $39.22 million, or 43 cents a share, for the same period a year ago. The results missed Wall Street expectations.

Excluding one-time expenses related to the data breach announced in February 2005, ChoicePoint said it earned $39.74 million, or 44 cents a share. On that basis, analysts surveyed by Thomson Financial were expecting earnings of 45 cents a share. Revenue rose 11 percent to $257.85 million, compared to $232.46 million a year ago.

For all of 2005, ChoicePoint said it earned $140.66 million, or $1.53 a share, compared to a profit of $147.96 million, or $1.62 a share, for the same period a year ago. Twelve-month revenue rose to $1.06 billion, compared to $918.71 million in 2004.

ChoicePoint said it expects 2006 full-year internal revenue growth to be in the 7 percent to 9 percent range, exclusive of any acquisitions. ChoicePoint shares fell $3.10, or 6.7 percent, to $43.20 in midday trading on the New York Stock Exchange.

The original article appears here.

-- MDT

Labels: data breech, database

The Daily Caveat has posted previously about Bristol-Myers Squibb's continuing legal issues. This week saw a notable settlement in securities class action case brought against the pharmaceutical giant in relation to the never marketed hypertension drug Vanlev. Word of the settlement first appeared months ago but only recently have the exceedingly interesting details been made public.

The plaintiffs alledged in the case that BMS did not play straight with investors when reporting potential problems with BMS's long-in-the pipeline supposed high-blood-pressure uber-drug, Vanlev. While BMS had seemed willing to take this case to trial, Bruce Carton at Securities Litigation Watch called it correctly back in June'05 when he predicted that the case would settle out. The suit, brought on behalf of Amalgamated Bank settled for $185 million dollars.

Potentially severe side-effects and the drug’s ultimately ho-hum performance relative to products already on the market meant that Vanlev would never make it to the street. But according to attorneys at lead plaintiff firm Labaton Sucharow, that didn’t stop BMS from coasting for a few quarters on the good word of mouth Vanlev had been getting. Their complaint alledged that BMS withheld negative findings in early 2000, prior to the announcement that the drug was DOA.

Now what makes this case and the terms of this settlement more intriguing than your usual run of the mill securities investigation is the product involved. Bristol-Myers Squibb doesn’t make some obscure techno-widget that fits inside your computer, toaster or flat-screened television - they manufacture the drugs that are designed to make and keep us all well. Thus, not half so interesting as the high dollar figure are the other mandates of the settlement, to which BMS will be bound for the next decade.

Along with the close-to $200 million dollar figure involved in the settlement, the court has mandated a variety of new procedures for BMS's drug development and disclosure process that go beyond simply censuring overzealous execs. While you won't find hide nor hair of any mention of a legal settlement on BMS's website, what you will now find is a publicly accessible database for their clinical trial disclosures, warts and all which will include any and all drugs approved for marketing to the public.

BMS is bound to the terms of this agreement for ten years and, get this, any change that could potentially reduce the level of disclosure must be approved by the former lead plaintiffs in the case, Amalgamated Bank. Again, not that you will find mention of this on BMS's website. They do tout their Clinical Trial Communication Commitment they just don't happen to mention that their "commitment" was apparently court-mandated.

View the Labaton press release on Vanlev settlement terms.

-- MDT

Labels: database

Business Week is featuring a brief article suggesting that investors would be well served by doing their own due diligence before trusting their finances to an investment advisor.

This uncontroversal advice goes without saying, I think - that one should seek both anecdotal opinions and conduct a personal review of potential regulatory and legal issues that might be an early warning sign of porential recklessness or illegalities is hardly earth shattering news. However, is should be noted that in no way does this sort of preliminary review replace a proper due diligence investigation.

The savvy or sophisiticated investor certainly does not consider "googling" adequate DD in making an investment decision. Google (or your search engine of choice) is an imprecise tool and, while it might produce some quick hits that may warn one away from a bad egg or risky deal the volume of responses can also hide crucial tidbits amid a sea of search returns. Moreover, there is no guarantee that any relevant details may show up in Google.

As the article rightly points out, one should supplement Google with other resources - litigation databases, indices of regulatory filings and the like. But this is only where a proper investigation begins. For those opportunities that pass this "whiff test" having professionals review the matter for other potential liabilities is essential. A thorough background review of the entities involved comprised informed by database info as well as on-site court searches and first person interviews / references checks is the surest way to avoid horror stories such as the recent HMC debacle.

The article:

Hedge Funds: Do-It-Yourself Due Diligence - A little sleuthing online can turn up information that may signal trouble ahead

January 16, 2006
By Anne Tergesen
BusinessWeek

Hedge funds generally don't make it easy for investors to get information about their inner workings. But the 80-odd investors in the most recent hedge fund to collapse, tiny HMC International Fund of Montvale, N.J., could have saved themselves trouble and money simply by using the Internet to do some due diligence on HMC's managers.

One, Bret Grebow, left a trail of legal problems that include a property lien, an arrest on charges of possessing drug paraphernalia, and failure to repay much of a loan to a former employer.

Grebow and co-manager Robert Massimi now face Securities & Exchange Commission charges of securities fraud and the misappropriation of more than $5.2 million of the $12.9 million invested in HMC. The managers "sent investors false monthly account statements that portrayed their investments as profitable when, in reality, Grebow was systematically looting the Fund's trading account," the SEC alleges in a Dec. 21 complaint filed in the Southern District of New York. Among the items the duo is alleged to have paid for with investor funds are rent and furniture for a Manhattan apartment.

What warning signs were detectable? A search of public databases -- including those maintained by Google (), LexisNexis, and various federal, state, and county courts -- dredged up enough dirt on Grebow to cause alarm. The record includes arrests in 1994 and 1995 in Arizona -- where Grebow attended college, according to HMC's Web site -- on charges of possessing marijuana and drug paraphernalia and damaging property worth less than $100. According to the Pima County Justice Court in Tucson, the drug-related charges were dismissed in July, 1996. Grebow pleaded guilty to a lesser charge -- unlawful acts regarding alcohol -- and was fined $284. According to the court, there is an outstanding warrant for Grebow's arrest on the damage charge because of his failure to complete a drug education course. "It was staggeringly easy to get this information," says Michael Allison, CEO of International Business Research of Princeton, N.J., a company that performs background checks on hedge funds and managers (Personal Business, Nov. 21, 2005).

That's not all. In 2002, Grebow's former employer, defunct New York brokerage Bluestone Capital, won a judgment against him for not repaying a loan of more than $118,000, says Eric Streich, an attorney who represented Bluestone. Grebow has since repaid $3,212, he says. Court records also show an October, 2004 judgment against Grebow for failing to pay his former wife, Jamie Grebow, some $127,000 in support. An attorney who represented Jamie Grebow didn't return calls. Bret Grebow's attorney declined to comment on the SEC charges or his client's past. With hedge fund blowups becoming common, do some sleuthing before you write a check.

The original article appears here.

-- MDT

Labels: background checks, Bret Grebow, database, HMC International, Robert Massimi

According to a recent AP report, Daily Caveat former employer, The National Archives, is planning to expand access to its holding by providing an online free-text search of its full database. Read more about it here.

Spotted in the latest issue of The Virtual Chase.

-- MDT

Labels: database

Here's a long feature from the Baltic Times on the continuing tale of two young traders from Estonian Investment Firm who alledgedly conspired to gain an advantage on trades by hacking into Business Wire's embargoed press release database and accessed not-yet-released announcements from U.S. public companies.

The firm in question, Lohmus Haavel, had previously suspended five traders including, Oliver Peek and Kristjan Lepik who have been previously named in the SEC probe. Rain Lohmus, a company founder, has also stepped down as his account was used in teh illegal trading. While the SEC probe against verious Lohmus employees is continuing, the company has reached an out-of-court settlement with the SEC. Full - and The Daily Caveat means FULL - details follow:

Investment firm reaches settlement with SEC, avoids lengthy investigation

November 11, 2005
By Kairi Kurm
Baltic Times

TALLINN - Lohmus, Haavel & Viisemann, the Estonian investment firm whose employees were accused by the U.S. Securities and Exchange Commission of using insider information on stock trades, reached an out-of-court agreement with the market watchdog and thereby avoided a possible embarrassing hearing that had been scheduled for Nov. 8.

“Last night an agreement was made to cancel the court session and ease the arrest of assets,” Rain Tamm, LHV Group board chairman, said on Nov. 8, adding that a U.S. judge would have to approve the settlement. Tamm stressed that the agreement did not automatically imply LHV’s guilt.

Piret Loone, an Estonian representing LHV through Shearman & Sterling in the U.S. court, released a statement saying that the agreement was an important step forward but didn’t guarantee that the company’s accounts, arrested last week by a U.S. court, would be freed up. LHV officials said they wanted to cooperate with both the Estonian Financial Supervisory Authority and the U.S. SEC in order to clarify all accusations related to the firm.

The SEC has claimed that the firm’s employees profited from trade on U.S. public companies by using more than 360 confidential press releases belonging to Business Wire, a real-time business news agency used by brokers and traders around the world. The watchdog believes that the traders may have racked up some $7.8 million in profits on the illegal trades.

The employment contracts of Kristjan Lepik, Oliver Peek and three other employees suspected in the illegal trades, have been suspended. Peek was a member of LHV’s investments services team, and Lepik an LHV partner and head of the bank’s trading department. Rain Lohmus, one of the firm’s founders, and whose account was reportedly involved in illegal trading, stepped down from his position as chairman of the firm’s council.

Many were surprised to learn that Lohmus had also been a client of Oliver Peek. “Usually we do not comment on our customers’ data, but we found that it was important to say [Lohmus was involved],” said Tonis Haavel, one of the firm’s founders. Lohmus left for Moscow on Nov. 2, the morning news of the scandal broke, and didn’t return before Nov. 4. Haavel couldn’t say if Lohmus had been aware of possible illegal trading.

According to one report, Lohmus opened a $2-million account with LHV Trader in April this year, with the money eventually being deposited with U.S.-based Interactive Brokers. As a result of subsequent transactions, the size of his account swelled to $8.3 million by November.

According to the SEC, the illegal trading activity involved five different accounts, including those of Peek and Lepik. Peek reportedly received $2 million and Lepik $200,000 in nine months this year. “The in-house investigation is ongoing, and we are giving [the SEC] the information they request. It is very voluminous,” Haavel told The Baltic Times.

The firm LHV claims that young the men were trading as private individuals. In every statement, it emphasizes that the investment bank had nothing to do with any possible illegal trading of its former employees, and that the company has in no way profited from any such trading.

Still, the accusations have damaged the company’s reputation. Several customers have pulled their funds from LHV’s accounts, and Vilniaus Akropolis, Lithuania’s largest mall operator, cancelled its contract with LHV. Vilniaus Akropolis had been planning an IPO with the firm.

The SEC has frozen the accounts of about 180 LHV customers. Currently only those who used the LHV Trader investment services on the U.S. market through certain brokers cannot receive their money.

“Our lawyers have spoken to [the SEC]. The commission is in principle ready to unfreeze the accounts of our other clients. When it will happen, we don’t know,” Haavel said, adding that LHV has a total of 4,500 customers. “According to the securities’ act, companies like us keep clients’ assets totally separate.”

The firm’s partners have pledged to increase owners’ equity to $1 million if necessary to cover the claims. The SEC investigation was launched after a drug company, InKine, noticed a spike in trading on its shares on June 23, just before news was released about a planned merger. About 46 percent of the volume came from Estonian traders, who earned some $300,000 by selling the shares immediately after the merger was announced.

The same scheme was used in July when various earning announcements were released by eBay and Yahoo. In those cases, even larger sums were used. Business Wire made a statement defending the integrity of its data system, stating that traders could not have acquired secret access. Still, Tamm told the press that Peek and Lepik may have come across a security gap in Business Wire’s system.

Estonia’s Financial Supervision Authority has started a separate supervisory procedure into the matter. Meanwhile, a U.S.-based hedge fund manager, speaking on the condition of anonymity, told The Baltic Times that she had assumed on June 23 that whoever placed the order was related to InKine, Salix, one of the investment banks advising on the deal, or perhaps lawyers who had worked on the transaction.

“I just knew someone got very lucky that day, and I assumed it wasn’t luck that prompted them to take that big of a piece of some biotech firm in Philly no one had ever heard of before,” she said. “I had no idea who placed them. Just that someone sure was very timely and bold.” In the fund manager’s opinion, had the traders been “less greedy” on InKine, they never would have been caught, since the total share volume that day would have been within “normal” ranges.

She said that their other deals would have never aroused suspicion anywhere except among the inside compliance people of LHV and U.S. brokers Cyber Trader and InterActives. The latter are supposed to alert regulators if a client is making too many so-called “in-the-money-trades” ahead of major news stories, she said.

Jakob Frenkel, a former SEC enforcement lawyer and former U.S. federal criminal prosecutor, told The Baltic Times, “In cases like this, the SEC probably will demand penalties of $15 – 20 million, plus recovery of the profits from trading. But the SEC will first need to build its case and bring into the grasp of the U.S. courts the individuals charged.”

Frenkel, who is now with Shulman, Rogers, Gandal, Pordy & Ecker, added, “Of greater concern should be whether the SEC is working with U.S. federal or Estonian criminal prosecutors with the objective of criminal prosecutions and jail as the consequence. The allegations are of the type that would suggest the SEC will try to get criminal prosecutions too.”

The fund manager said that, if those traders cooperate, they might only pay a civil fine and avoid prosecution. “I think the Estonian securities regulators will deal with them, unless the Department of Justice wishes to make ‘examples’ of them.”

Other local investment bankers panicked about what the scandal could do to the industry’s reputation. Allan Martinson, managing partner of Martinson Trigon Venture Partners, said, “I can’t see a single person who won from this case. LHV lost, and the work of many years disappeared. Investors lost, Estonia lost, even the U.S.A. lost. This loss is a fact. What caused the loss, a crime or a work accident, is not that important. The effect of the LHV story is bigger than the conviction or justification of two boys,” he said.

As the U.S. fund manager said, “In a way, I respect how bright those boys were. I hope they cooperate - much more leniency is given to those who admit they made a mistake and clean up their act –at least over here [in the U.S.A.]. The regulators are overworked, and they hate it when people lie or refuse to cooperate. It makes them have to work much harder which means other matters get overlooked.”

The original article appears here.

-- MDT

Labels: database, Department of Justice, insider trading

The SEC is seeking emergency action against the Lohmus Haavel & Viisemann. In a an admirably creative, if illegal scheme employees at Lohmus successfully hacked Business Wire's embargoed press release database to get a jump on market announcements. From the SEC press release:

"We acted today to stop a clever and pernicious securities fraud and to preserve funds for investors. This case highlights that even when fraudsters invent new ways to violate the securities laws, the Commission will track them down and stop them, wherever they are located," said Daniel M. Hawke, Associate District Administrator of the Commission's Philadelphia District Office.

The Commission's complaint alleges that, in June 2004, Lohmus became a client of Business Wire for the sole purpose of gaining access to Business Wire's secure client website. Once defendants had access, they surreptitiously utilized a software program, a so-called "spider" program, which provided unauthorized access to confidential information contained in impending nonpublic press releases of other Business Wire clients, including the expected time of issuance.

The complaint further alleges that the information fraudulently stolen by the defendants has allowed them to strategically time their trades around the public release of news involving, among other things, mergers, earnings, and regulatory actions. Using several U.S. brokerage accounts, the defendants have bought long or sold short the stocks of the companies whose confidential press release information they have stolen, and purchased options to increase their profits.

Named in the Commission's complaint are the following defendants.

Lohmus Haavel & Viisemann, headquartered in Tallinn, Estonia, is an investment bank established in 1999. Lohmus, which also has offices in Latvia and Lithuania, provides corporate financing, private equity, asset management, investment services, and structured financing services to the Eastern European market.

Oliver Peek, age 24, is a citizen of Estonia currently residing in Tallinn. Peek is employed by Lohmus and works for its investment services team.

Kristjan Lepik, age 28, is a citizen of Estonia currently residing in Tallinn. Lepik is a partner at Lohmus.

Read the rest here.

-- MDT

Labels: database

Via the SeattleTimes.com:

ChoicePoint tries to regain trust

October 3, 2005
By Brian Bergstein
The Associated Press

In August, the police in Corona, Calif., got a surprising phone call. The caller said an auditor needed to examine the department's facilities and take pictures inside. To the security-conscious police, the photo demand seemed ridiculous, especially given its source: the data broker ChoicePoint, one of the department's information suppliers. A Corona crime analyst refused the request and asked to speak to a ChoicePoint supervisor. She never heard back.

The episode reveals the delicate balance ChoicePoint is trying to strike as it recovers from a staggering identity-theft scandal in which con artists posing as customers accessed personal information on 145,000 Americans. As it seeks to show iron resolve against fraud, the data giant is struggling not to alienate key customers in the process.

Indeed, the Alpharetta, Ga.-based company has cut off some customers entirely, including debt collectors and other small businesses that once were able to obtain full background reports on people from ChoicePoint. Other customers — including news organizations such as The Associated Press — are finding the last four digits of Social Security numbers masked in ChoicePoint reports.

Such moves — which have won praise — are expected to trim company revenue by up to $20 million a year and earnings by up to 12 cents per share. (Overall, ChoicePoint earned $1.62 per share in 2004 on sales of $884 million.) Meanwhile, customers who still get access to the most sensitive data, including driver's license numbers, are being subjected to site visits and other audits to ensure they are who they say they are — even if those customers are the police.

In fact, the company recently discovered that an unauthorized Miami police officer had used someone else's log-in and password to mine ChoicePoint records. The officer was relieved of duty. Law enforcement accounts for 5 percent of ChoicePoint's revenue — most sales come from companies that use ChoicePoint to assess job, insurance or other consumer applications — but it is a high-profile segment, often touted by the company as proof that society benefits from its amassing of so much data on individuals. The FBI alone queried ChoicePoint files 1.2 million times last year.

Private investigators also are being subjected to new scrutiny. ChoicePoint stumbled early in the crackdown when representatives called many private eyes and asked them to fax over personal and professional information about themselves, according to Brian McGuinness, a Miami investigator who heads the National Council of Investigation and Security Services. "That was kind of ill-conceived," he said. "You're asking these investigators who are very aware of scams to send this sensitive information to some number," without first sending a letter or other confirmation the call was legitimate.

Some riled private eyes called for a ChoicePoint boycott. But ChoicePoint responded by clarifying the process, McGuinness said. Other investigators see the aggressive audits as an overreaction or a public-relations ploy. Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator's license twice. The company agent also wanted bank-account information "and stuff that has nothing to do with my credentials or the nature of my business." "It's absolutely intrusive," she said. Hetherington remains a ChoicePoint customer, but she and many other investigators are quick to note rival providers with fewer hassles.

Indeed, when ChoicePoint stopped selling detailed background reports to debt collectors, there were plenty of other options, said Ramona Featherby, who runs a San Diego collection firm and is president of the California Association of Judgment Professionals. She cited such names as Merlin Information Service, LexisNexis' Accurint, LocatePlus and Westlaw. "They have taken a sledgehammer to the ant ... [by] cutting off databases from one industry entirely, no matter how long they've been in business, no matter how pristine their record," Featherby said of ChoicePoint.

After ChoicePoint called for interior pictures of the Corona police department, discussion ensued in an online forum frequented by law-enforcement personnel. Carol DiBattiste, ChoicePoint's new privacy and compliance officer, responded to the group in a message that dismissed the story. "While the requirement for site visits is true, contrary to rumors, ChoicePoint is not performing site visits that require photographs or access to sensitive facilities," she wrote.

But the photo request was no mere rumor. DiBattiste acknowledged that ChoicePoint's checklist for site inspectors did include internal photos. But she said she ordered it not apply to customers in government and law enforcement because photos could endanger the offices' security. Apparently, she said, the Corona police got their call before the policy had been rescinded. She said she did not believe any police agencies actually had the inside of their offices photographed, though she added: "I can't guarantee that 100 percent."

ChoicePoint had inspected some customers who got personal data in the past, but stepped up the system after February's identity-theft disclosure, one of many high-profile data breaches to surface this year. That fraud — which resulted in at least 750 identity-theft cases — sent ChoicePoint's stock tumbling 24 percent in the ensuing weeks. About two-thirds of that lost value has been regained.

Many ChoicePoint customers now get inspections when they open a new account or re-sign a contract for sensitive data, DiBattiste said. Making the visits is necessary because "an identity thief could make believe he's the local sheriff in a town of 2,000 people," she said. The inspector does not access customers' computers or databases, she said. The auditor spends less than an hour confirming that the customer is legitimate and appears to have reasonable security practices.

DiBattiste wouldn't give specifics. But one thing the Corona police were told was that the inspector would need to ensure that workstations where ChoicePoint databases were accessed were not left unmonitored. Although ChoicePoint contends that few, if any, customers have defected rather than submit to inspections, DiBattiste acknowledged that the auditing is a work in progress. For one, ChoicePoint now lets customers apply for a waiver, which DiBattiste must approve, if they have a long relationship with ChoicePoint or already have been contacted recently by someone from the company.

As senior counsel with the Electronic Privacy Information Center, Chris Hoofnagle has been a ChoicePoint critic. He says the company deserves credit for its inspections, though he wants them to go further. "I think ChoicePoint should randomly audit users of the database," he said, "and make them show why they pulled a file of an individual."

The original article appears here.

-- MDT

Labels: database, identity theft

And speaking of the GAO...

Via Reuters:

Congress' Arm says SEC Slow in Disbursing Fines

Oct 3, 2005
Reuters

The U.S. Securities and Exchange Commission has returned to investors only a small fraction of the $4.8 billion collected under a post-Enron program for penalizing violators of securities laws and returning the money to those harmed, said a congressional watchdog on Monday. The Government Accountability Office (GAO), Congress' investigative arm, also criticized the SEC for shortcomings in efforts to track collections of fines imposed on violators, as well as for its management of stepped-up collection efforts.

The GAO said in a draft report that the SEC has vigorously exploited the Fair Fund program adopted by Congress as part of a reaction to the corporate scandals that started in 2001. The program gave the SEC new power to return to investors money paid out as punishment by corporate wrongdoers. "However, to date, only a small amount of the funds have been distributed. According to SEC, distribution is often a lengthy process … We also found that SEC lacked a reliable method by which to identify and collect data on Fair Fund cases," the GAO said in the draft report's findings.

The GAO said the SEC estimated that as of April 2005 it had designated $4.8 billion in penalties and disgorgements to be returned to harmed investors. But only about $60 million had been distributed and another $25 million was being readied for disbursement at the time of the GAO's review, the GAO said.

Pennsylvania Democratic Rep. Paul Kanjorski said he was pleased the GAO found that the SEC had made some progress on collecting fines, and that some Fair Funds had been disbursed. But he said, "I am deeply troubled by the difficulties the agency has encountered in expeditiously returning these funds to American investors." He and Massachusetts Democratic Rep. Barney Frank called for congressional hearings to be held on the issue. Both lawmakers sit on the House of Representatives Financial Services Committee, which oversees the SEC.

The original article appears here, courtesy ABC news.

The GAO has also recently chided the SEC for insufficient regulation of mutual funds as well as poor database security.

-- MDT

Labels: database, Enron, GAO

Regular readers of The Daily Caveat are probably aware of my fandom of the GAO, the congressional oversite body for government spending and program implementation. GAO reports provide some of the most interesting reading to come out of the federal bureaucracy and often point the way to problems that don't filter their way into the mass consciousness until much later. One recent report may garner some attention, given the Bagdad on the Bayou theme that has started to emerge on editorial pages in the wake of Iraq-style no-bid contracts being awared for hurricane disaster relief projects.

The GAO recently published a paper [PDF required] highlighting the poor performace of the federal government's database of excluded constractors. The database is designed to prevent the rehiring of contractors who have been found guilty of past abuses of their government contracts. Federal agencies are obligated to check potential contractors against the database, in order to, in the GAO's own words,

"...help ensure excluded contractors do not unintentionally receive new contracts during the period of exclusion, the Federal Acquisition Regulation requires contracting officers to consult the Excluded Parties List System --a government-wide database on exclusions--and identify any competing contractors that have been suspended or debarred."

According to the Washington Business Journal, the GAO found that due to problems with the database, "Some government contractors that have been suspended or debarred because of past problems may be getting new contracts..." The GAO also found that, "Nearly 99 percent of the records in the database do not include contractor identification numbers, a GAO sampling found. Without that number, agencies have to search the database by the contractor's name. Some contractors may slip through the cracks if their name has changed, according to GAO."

The GAO describes the problems a bit further in their report summary:

"...as of November 2004, about 99 percent of records in EPLS for the 6 agencies we reviewed in depth did not have contractor identification numbers--a unique identifier that enables agencies to conclude confidently whether a contractor has been excluded. In the absence of these numbers, agencies use the company's name to search EPLS, which may not identify an excluded contractor if the contractor's name has changed. Further, information on administrative agreements and compelling reason determinations is not routinely shared among agencies. Such information could help agencies in their exclusion decisions and promote greater transparency and accountability."

Check out the full Washington Business Journal article here. The GAO report summary is located here and the full report can be found here. Warts and all, the Federal Contractors Abuse Database is searchable here.

-- MDT

Labels: database, GAO

Via TelephonyOnline.com:

Sycamore: Former employees falsified records

By Ed GubbinsSeptember 13, 2005

Sycamore Networks filed restated financial reports for the fiscal years 2000 through 2004 to increase net losses this week, after an internal investigation of stock option grants issued between 1999 and 2001 revealed that some employee records were deliberately falsified to affect the value of stock option grants. According to documents filed by Sycamore with the U.S. Securities & Exchange Commission, that internal investigation showed that the start dates on six employee records were “deliberately modified” to yield a lower exercise price for their stock options, Sycamore said, and six existing stock option grants were deliberately cancelled and reissued to allow a lower exercise price.

The investigation also focused on options that were granted under an April 14, 2000 program in which the number of options granted was probably not determined until April 26, 2000. The company also failed to record accurate charges for three stock option grants that continued to vest after the owner’s employment status changed. And one stock option grant was improperly reported in an inadvertent accounting error. “The employees directing the stock option program in the period from 1999 to 2001 are no longer employed by the company,” Sycamore said in the filing.

In June 2001, Sycamore offered its employees a chance to exchange their existing stock options for a tenth as much restricted stock. The company exchanged 17.6 million options for 1.7 million shares of restricted stock, recording $12.6-million in deferred compensation in the process. However, in the first and last quarters of its 2002 fiscal year, the company laid off a total of 464 employees, and some of that restricted stock was cancelled, as restricted stock was subject to forfeiture if an employee left the company before the stock vested. Therefore, the $12.6-million in deferred compensation was reduced to $7.3 million. Six months later, when the company expected to grant options to purchase 15.9 million shares, they instead granted 12.6 million, as a result of the workforce reductions.

When the original stock options were exchanged, the company stopped reporting compensation costs for them. The value of the restricted stock offered in exchange was calculated as of the dates they were granted and recognized over their vesting periods. “This treatment was incorrect since it failed to also include the unamortized stock compensation balance that remained on the original stock options,” Sycamore said. As a result, the company restated its compensation expenses for 2004, 2003 and 2002 with increases of $94.4 million, $110.1 million and $187.5 million, respectively.

The restatement had a negligible effect on Sycamore’s earnings for the 2004 fiscal year (which ended July 31, 2004), but it increased the company’s net loss for the fiscal years 2001, 2002 and 2003 by $29.9 million, $1.6 million and $0.8 million, respectively. Sycamore said it has taken several steps to correct the weaknesses in its accounting practices revealed by the investigation. It adopted a process to certify employee start dates, it revoked the stock administration group’s access to the stock option database and it rescinded the power of executive officers to authorize broad-based stock option grants. In addition, in July 2003, stock administration duties were placed under the direct supervision of the corporate controller.

The original article appears here.

-- MDT

Labels: database

The ever indispensible Virtual Chase had a note recently about the launch of a new public database being launched by the U.S. Copyright Office. The new resource, called eCO Search will be searchable for all mander of copyright documents dating back to 1978. The new database will most likely resude here where the Copyright Office offers a few additional details:

eCO Search offers new features including keyword searching and the use of a single database containing records for monographs, serials, and recorded documents. All of the approximately 20 million records for registrations and recorded documents in the current system will be migrated to the eCO Search database, a similar system used by other parts of the Library of Congress for searching collections.

Should be a great resource. The original Virtual Chase post can be read here.

-- MDT

Labels: database

Kevin Drum is a popular blogger who first became widely known during his coverage of the 2004 presidential election. Subsequently he moved from his initial, homegrown, perch at Calpundit to anchoring the homepage of the Washington Monthly with his "Political Animal" blog. Earlier this week he pulled out the mallet on Choicepoint regarding their response to recent data thefts at the company:

PROTECTING YOUR PERSONAL INFORMATION....NOT....Is ChoicePoint a piece of work or what? Here's how they've responded to the theft of hundreds of thousands of private consumer records from their database:

Elizabeth Rosen was plenty angry when ChoicePoint Inc. sent her a form letter acknowledging that crooks might have perused some of her most sensitive personal and financial data.

But the Hollywood nurse was flabbergasted when the company, one of the nation's largest collectors of consumer records, also offered to sell her some of the same information so she could see what might have been compromised.

....Rosen's experience highlights a paradox in the recent string of thefts of personal information: Many of the same companies responsible for safeguarding reams of sensitive data that have fallen into the hands of scammers are now trying to cash in by pledging to protect consumers' privacy.

Information brokers infiltrated by con artists, banks that have lost unencrypted financial data and peddlers of online background checks are pitching fraud-detection plans that cost from $25 a year to more than $150.

Information collection agencies should be required by law to do everything in those "fraud-detection plans" — and more — as a normal course of business. And they would, too, if the cost of losing data were made high enough.

Someday there's going to be an unholy consumer backlash against these guys, and they're going to deserve every last bit of it. The gall is simply beyond belief.

Ouch... Click on over to Drum's blog for more.

-- MDT

Labels: background checks, database

The National Council of Investigative and Security Services exists to represent and protect the interests of the investigative industry. NCISS's Chairman of the NCISS Legislative Committee, Bruce Hulme, sends out regular notices to their mailing list regarding the status of relevant bills being considered on the hill and in state legislatures from around the country.

In a recent mailing, he provided the text of a Congressional Quarterly article describing the recent trials and tribulations of our lobby in the wake of data piracy scandals at prime investigative vendors, Choicepoint and Lexis Nexis:

Private Eyes Try Getting Tough on Congress

By Shawn Zeller, CQ Staff
CQ WEEKLY - VANTAGE POINT
Aug. 1, 2005 Page 2089

In the popular imagination, American private investigators are the toughest of tough customers, impervious to saps, slipped Mickeys and seductresses. But private eyes now fear they may be meeting their match in Congress. The detective industry says legislation aimed at redressing identity theft and data breaches among companies collecting consumer data could put it out of business. The proposal, by Senate Judiciary Chairman Arlen Specter , R-Pa., would erect barriers to ready acquisition of Social Security numbers - and that, in turn, would enormously complicate missing-persons and witness-location work, mainstays of the detective trade.

The bill (S 1332), which Judiciary panel Democrats Patrick J. Leahy of Vermont and Russell D. Feingold of Wisconsin are cosponsoring, would bar the sale or purchase of any Social Security number without its holder's consent. Similar language is in a bill (S 1408) by Gordon H. Smith , R-Ore., that the Senate Commerce Committee approved last week. (Story, p.2125)

In May, representatives of the National Council of Investigation and Security Services - the private detectives "trade group" met with data brokers and agreed to lobby against provisions limiting investigators' ability to purchase the numbers. D.C. lobbyist Lawrence Sabbath is leading the charge. Sabbath singles out Rep. Pete Sessions , R-Texas, as the investigators' top ally. Sessions also helped bounty hunters and bail bondsmen to get business-friendly provisions in a House immigration bill this February - even though that language later died in conference.

Large database companies, such as LexisNexis Group and ChoicePoint, sell partial Social Security numbers to private investigators, but not to the general public. But the law surrounding their sale is murky, and some companies will sell full numbers to anyone.

Investigators also hired Washington PR man Joseph Ricci to boost their image in Washington. Last month, the investigators hosted an "ID Fraud Summit" at a hotel in Washington with representatives from the Secret Service and the Justice Department. Among the participants was John Stoll, who was convicted of child molestation in California and served 20 years in prison before a private investigator discovered information that exonerated him.

But consumer groups are mounting their own PR campaign in support of the Specter bill. They say uneven state licensing rules - some don?t require licenses at all - are reason enough to prevent the investigators from buying the numbers. They also point to cases such as that of Amy Boyer, a New Hampshire woman killed in 1999 by a stalker who obtained personal information about her from an Internet-based firm run by a P.I. in Florida.

Without a law closing off much of the traffic in identity data, advocates say the status quo will deteriorate. P.I.s "are virtually unregulated in too many states," says Edmund Mierzwinski of the U.S. Public Interest Research Group. "There's no question that there will be massive data misappropriations."

Another more recent article, which appeared in The Hill (and forward along by NCISS) provides further details about the investigative lobby's efforts to insert their voice into the valid and somewhat volatile debate over how best to address growing concerns about the security of sensitive data:

Data Protection turf war pleases lobbyists

By Elana Schor
The Hill
August 17, 2005

The many data-security bills wending their way around the Hill are sparking a turf war in the Senate but relief on K Street, where lobbyists in several industries welcome the crush of options as a much-needed drag on momentum.

While acknowledging the need to regulate trade in consumers' personal information to prevent identity theft, lobbyists say the universe of companies potentially affected by new data-security standards presents challenges that lawmakers have yet to address fully. By next month, two more congressional committees are likely to join the four already working on the issue.

''It's difficult to even define an industry here because you have so many different kinds of companies who have suffered breaches - data providers, banks, credit-card providers. It's difficult to decide who would have jurisdiction,'' said Abby Stewart, a lobbyist at Jefferson Consulting Group, which represents one of the businesses that recently has endured the public-relations nightmare of a personal-data breach.

The Senate Commerce Committee cleared the first hurdle just before the August recess, unanimously approving an anti-ID-theft bill that prevents the trading of Social Security numbers without their owners' consent and allows easy freezing of consumer-credit reports. But banking lobbyists, and Senate Banking Committee Chairman Richard Shelby (R-Ala.), were displeased with Commerce's quick movement.

"The Fair Credit Reporting Act is a Banking Committee issue, and Senate Commerce just ripped it out and put it in their bill," said one banking lobbyist who asked not to be identified. "his is the problem with all the bills; it's a huge jurisdictional fight."

Bob Davis, top lobbyist for America's Community Bankers, sent a letter to Commerce Chairman Ted Stevens (R-Alaska) and ranking member Daniel Inouye (D-Hawaii) urging them to withhold support for the bill over two provisions: credit freezing, which banks fear could inadvertently discourage consumers from signing up for new credit cards, and permitting state attorneys general to sue nationally regulated banks for noncompliance. Stevens and Inouye nonetheless endorsed the bill, which was introduced by Sens. Bill Nelson (D-Fla.) and Gordon Smith (R-Ore.).

Stewart echoed the banking lobbyist's sentiment when discussing the Senate Judiciary Committee, which postponed consideration of three separate data-security bills until the end of recess. "It's an intriguing concept that they would have jurisdiction at all," she said.

The lead Senate Judiciary bill, sponsored by Chairman Arlen Specter (R-Pa.) and ranking member Patrick Leahy (D-Vt.), attracts criticism from lobbyists because it could let states wriggle free from some aspects of new national data-security rules. Another Judiciary bill, written by Sen. Dianne Feinstein (D-Calif.), has a crucial cheerleader in ChoicePoint, the data broker that disclosed the first of this year's high-profile security breaches.

"We'd like to see a vehicle like that get through," said David Davis, vice president of government affairs at ChoicePoint, referring to Feinstein's bill. The company supports Feinstein's language about the definition of "real harm" posed to consumers, sometimes call the "California standard," which would trigger automatic notification of an ID-theft risk.

Davis praised Stevens's promise to hold up floor consideration of the Senate Commerce bill until chairmen can resolve their jurisdictional clashes but noted the realities of a legislative clock ticking down into] fall. "If all the stars were aligned, and Banking and Judiciary stepped back, then you would still have the House," he said.

ChoicePoint is one of only a few stakeholders actively pushing for a bill to pass this year. Most other lobbyists were not discouraged by the likelihood that Congress's crammed calendar would make consensus on data security unreachable before 2006.

So far only the House Financial Services Committee has tackled the question of who pays for consumer notification after a security breach, one of the most pressing priorities for banks and credit-card issuers. That committee's bill, introduced by Reps. Deborah Pryce (R-Ohio) and Mike Castle (R-Del.), requires the company responsible for the information exposure to foot the bill for "reasonable and actual costs."

One financial-services lobbyist said an accountability vacuum in the aftermath of a large-scale data compromise could be hazardous. "If there is a fear of liability, about what happened and who's paying, the flow of information gets severely restricted."

Giving too many concessions to banks and credit cards could alienate data brokers such as ChoicePoint and Lexis-Nexis, which was hacked by ID thieves in March in a breach the company first projected as one-tenth of its actual size.

In addition to requiring responsible companies to pay for notification, some lobbyists would like to see banks get reimbursed for the new credit cards that often must be issued after a breach.

In the House, the Energy and Commerce and Judiciary committees remain in the process of drafting their data-security bills. The former version will likely give blanket enforcement power to the Federal Trade Commission, an annoyance to banks that want their financial regulators to take on data-security duties to avoid creating new bureaucracy.

Yet another player in the game is the private-investigation community, which has formed a lobbying coalition and embarked on a vigorous publicity push to remind lawmakers that access to Social Security numbers does not solely affect public law enforcement.

Lawrence Sabbath, who lobbies for the National Council of Investigation & Security Services (NCISS), said the substitute amendment in Stevens's committee ironically could keep private eyes from tracking down the same fraudsters who perpetrate ID thefts. "They recognize that there are potential problems," Sabbath said. "There is some indication that that [Social Security] provision may not remain in the bill."

You can read more about the activities of NCISS and pending legislation of relevance to the investigative community here.

-- MDT

Labels: data breech, database, Department of Justice, identity theft

Scott Levine, the operator of the now defunct noted "Spam factory," Snipermail.com has been convicted on more that one hundred counts of illegally acccessing personal data via marketing vendor Acxiom Corp (and in what is undoubtedly a coincidence, read about Acxiom's escalated commitment to fraud prevention here).

The data access irregularities at Snipermail were first discovered two years ago. In total some 1.6 million records were accessed illegally by the company after Levine utilized a "security flaw" in Acxiom's FTP server to gain access to personal records held by the data company. After adding that data to Snipermail's existing database, Mr. Levine also approached credit bureau, Experian about buying the company.

Via the Washington Post:

Marketer Found Guilty Of Data Theft

Associated Press
Saturday, August 13, 2005; Page D02

LITTLE ROCK, Ark., Aug. 12 -- A Florida man was found guilty Friday of stealing information from data-management company Acxiom Corp. in what prosecutors said was the largest federal computer theft trial ever.

A jury convicted Scott Levine, the owner of defunct e-mail marketing contractor Snipermail.com, on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice. Jurors cleared Levine of 13 counts of unauthorized access of a protected computer, one conspiracy count and one count of money laundering.

Statutory maximum sentences for his convictions total 640 years in prison and fines of $30.7 million, but his punishment likely will be much less under federal sentencing guidelines. Sentencing was set for Jan. 9.

Prosecutors said Levine and his company stole 1.6 billion customer records, including names, e-mail and postal addresses. The government did not charge anyone with identity theft.

Six Snipermail employees pleaded guilty to conspiracy charges and testified against Levine in the case.

"We're very pleased with the outcome," U.S. Attorney H.E. "Bud" Cummins said outside U.S. District Court. "These are very serious crimes, a huge amount of data that was stolen for monetary gain and he should be held accountable."

Levine's lawyer, David Garvin, said the verdicts were "compromised" because the jury found Levine guilty based on the same evidence jurors acquitted him on in the other counts.

Little Rock-based Acxiom, which serves large corporations by collecting and managing information for marketing purposes, said it has tightened its security since the unauthorized access was discovered two years ago.

Labels: database, identity theft, money laundering

Via BeSpacific:

NIST Launches Database of Computer Vulnerabilities

"The new National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) will make it easier for system administrators and other security professionals to learn about vulnerabilities and how to remediate them. The NVD is a comprehensive database that integrates all publicly available U.S. government resources on vulnerabilities and provides links to many industry resources. NVD is built upon a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities and Exposures." [NIST Alert]

Check out the original post here.

-- MDT

Labels: database

Speaking of identity theft (see previous post), long-time friend of Caveat Research, Charlie Pinck (a former Mintz Group alum and currently Senior VP of Investigations for Global Options) recently had a letter published in the magazine of the American Society for Industrial Security. Charlie's letter (from their June issue) takes on some of the prevailing notions about allowing access to sensitive data.

Not only does Charlie do a nice job of provide some much needed explanation regarding the indispensibility of personal (but public) data to the work of investigators, but he also provides a vivid description of how this information is put to work in service to the goal of transparency, accuracy and integrity. While the ASIS publication is not iself available online (the horror), here's a clip:

...access to personal identifying information benefits our society in many ways. Before legislation is passed that severely restricts such access, we should first consider the negative impacts that such laws could have. As a professional investigator, I use this data in many different ways: to track down important witnesses and uncover critical information in complex litigation; to conduct criminal background checks; to find stolen assets; and to investigate white collar crime, fraud, and other forms of criminal activity--including identity theft; and in many other investigations.

One of the most important uses of this information is conducting criminal record searches, an important component in many investigations. Since there is no publicly available national criminal record database (the Justice Department maintains such a database known as NCIC, but provides access only to law enforcement agencies), investigators must first gather an address history for the subject, then conduct searches of each jurisdiction identified.

We need access to Social Security numbers or another form of identifying information. This is typically drawn from the top portion of a credit report (called the credit header)--which contains someone's name, Social Security number, and current and prior addresses--without that, such searches become close to impossible to thoroughly conduct, thereby exposing people to serious potential risks.

For instance, in a recent investigation of a client's household employee, I found a criminal record involving a minor. The offense occurred nearly 10 years earlier in a different state. Without the ability to construct an address history for the employee. I never would have found it, and the client and his family would be in jeopardy.

In another case that occurred some years ago. I was investigating an individual who was being considered for a senior-level position within a Fortune 500 company. Using similar techniques, I not only found a criminal record for assault and battery but discovered that this person attempted to expunge his criminal record within a few days of his interview with our client.

I was also retained to investigate a potential business partner and discovered a multimillion-dollar fraud that he had committed. The complaint listed a number of fraudulent claims that the subject person had made about his background; he had also given my client the same fraudulent claims practically verbatim. Armed with this knowledge, my client decided not to pursue a $ 7 million investment that most surely would have been lost. There are many more examples like these.

If I have learned anything from my 15 years of investigative experience, it is that people lie, especially when they are trying to hide past bad acts. Far too often, potential employers or partners do not ask the right questions (or any questions, for that matter) or check information supplied by business partners and others until it is too late and the damage has been done. Reagan's axiom "trust but verify" applies here as much as it does in arms control.

Another important use of personal identification information is to differentiate between people with common names. Imagine the difficulty in searching for criminal records for someone named John Smith absent any other information unique to this person, such as his Social Security number and date of birth. This is the daunting scenario we would face were current proposals to restrict access to such information enacted.

Identity theft is a real concern and needs to be dealt with in a serious manner. However, limiting access to such information in as draconian a manner as is now under consideration would limit the ability of private citizens to protect themselves against a variety of equally dangerous threats. It may also embolden those who commit crimes, because they will know that investigating them will be more difficult and expensive.

Professional investigators play an important role because law enforcement agencies are not in the business of checking out a person's background to assess the potential risk of hiring them or doing business with them. Thus, people hire professional investigators. In certain circumstances, the information they gather may eventually convince law enforcement to become involved.

For all of these reasons, investigators are needed, and they need access to information to do their jobs. They should not be hampered by the actions of information brokers who failed to check the credentials of new customers and allowed themselves to be victimized in the process.

Thanks Charlie.

-- MDT

Labels: background checks, database, Department of Justice, identity theft

Via the very fine LegalDockets.com:

USDOJ Launches National Sex Offender Public Registry

July 23, 2005

The site, www.nsopr.gov, does not contain information not already made available on the Internet by each state. However, it allows researchers to determine whether an individual who has been convicted in one state has moved to another. The site is difficult to access due to high volume, but I'm sure this resource will continue to improve and expand in the near future.

After you've finished running your daughter's boyfriend through the database (and your boss and the names of minor celebrities - oh yeah and that creepy guy you knew in high school that no one seems to know exactly what happended to) please take sometime to visit our friends Legal Dockets Online. The original LDO post can be found here.

-- MDT

Labels: database

The always interesting Virtual Chase as a great link to an article appearing in the July Issue of Optimize Magazine. The article, entitled The Background Check Challenge, which describes the difficulties inherent in conducting background investigations with an international focus. VC, in the same post, links over to an article (written by VC grand vitara Genie Tyburski) appearing at LawOfficeComputing.com that purports to offer The Truth Behind Standard Criminal Checks, highlighting the reality behind the services provided by high-volume, database-oriented pre-employment screening firms.

The article highlights many of the same shortcoming and regulatory restrictions that The Daily Caveat describes to clients requesting these services. Caveat Research always recommends a local court search to accompany any database work conduct on a client's behalf. Not only are there usage restrictions on certain data collections relative to their use in pre-employment screening (as described at length in the article), but many times database coverage in a given area is markedly poor, necesitating a local search to ensure accurate results.

-- MDT

Labels: background checks, database

A very interesting - and cautionary - article from Baseline Magazine for public record database afficionados, such as The Daily Caveat. Here's the tease:

Choicepoint: Blur

By Deborah Gage
and John McCormick
June 14, 2005

Steven Calderon was into his second week working as a security guard for Fry's Electronics when Anaheim, Calif., police walked in and arrested him. Fry's had requested a background check on Calderon, which was done by The Screening Network, a service of ChoicePoint. Calderon spent the next week in jail. No one stopped to question—or verify—whether the background check was accurate in the first place. It wasn't.

The full article appears here and it is essential reading for anyone who has ever entrusted employee background checks or due dilligence research to an automated service, rather than real live investigators.

-- MDT

Labels: background checks, database

While the Federal Government abandonded plans back in April for The Matrix, a database that allows local authorities to seach and review aggregated public records along with commercially collected information, many states are pushing forward with the development of their own systems.

No reaction yet from our anonymous robotic overloards, but privacy advocates are a might chagrined.

Via ResourceShelf:

Hated by Privacy Advocates, Database Search Engine Lives On

DAVID ROYSE
Associated Press
July 10 2005

...Florida, Ohio, Connecticut and Pennsylvania still use software that lets investigators quickly cull through much of the data about people that reside in cyberspace. However, without the federal grant for the Matrix data-sharing system, they won't be routinely searching through digital files from other states - at least for now.

Privacy advocates still don't like the idea, saying government shouldn't have easy access to so much information about people who haven't done anything wrong. But law officers bent on keeping the Matrix alive say the information is already out there anyway for companies to use for less noble purposes. Law enforcement has always used such information; it just never had a big computer search tool to quickly find links between people and places.

"The media uses that data, attorneys use it, banks use it," said Mark Zadra, the Florida Department of Law Enforcement agent in charge of the system. "We've been using online data like that for 10 to 15 years. What this does is link those. ... What took law enforcement so long to use technology and get into the 21st century?"

Matrix - the ominous name is shorthand for Multistate Anti-Terrorism Information Exchange - was born as an anti-terrorism tool in the wake of the Sept. 11 terrorist attacks. Created by Florida law enforcement officials working with a one-time drug-running pilot-turned-millionaire computer whiz named Hank Asher, it was conceived as a way for states to combine data they have on people - driving records and criminal histories, for example - with similar records from other states.

The company that Asher founded but no longer works for, Seisint Inc., also added to Matrix information gathered in the private sector, including some of what credit card companies collect, such as names, addresses and Social Security numbers - though actual credit histories were not included.

Together, the program would give states a powerful tool that could link someone to several addresses or vehicles, and possibly to other people who lived at those same houses or drove the same car. Those links could help thwart terrorism or solve crimes in which witnesses could provide only partial information, like half of a license plate and the make of a car. The technology is credited in part with helping police crack the Washington, D.C., sniper case in 2002.

Matrix impressed federal officials enough that the program was seeded with $12 million from the Departments of Justice and Homeland Security. Thirteen states eventually signed on or expressed interest in feeding their data into the system, representing half the U.S. population. But over time, several states pulled out, partly because of concerns about the cost or laws governing the transfer of data out of state. California's attorney general decided Matrix "offends fundamental rights of privacy."

Those objections were nothing compared to the criticism Matrix encountered from the right and the left, including from the American Civil Liberties Union. "It is essentially an electronic file on everyone whether they are suspected of criminal activity or not," said Howard Simon, executive director of the ACLU in Florida. "I can't think of anything more un-American."

When the federal grant for Matrix ended in April - there is dispute over whether the privacy issues may have killed the government's interest - the database itself officially ended as well. But Florida and the three other states are still using its database-searching software. Florida is continuing to seek out companies that can help them build another, larger cache of information. And officials envision one day sharing that data with other states again

Read the rest of the article here.

Seisint, it should be noted, was the source of the recent Lexis Nexis data thefts which affected somewhere around 300,000 people. Some 150,000 individuals actually had their data stolen directly from The Matrix itself.

-- MDT

Labels: database

Labels: database, identity theft

The National Memorial Institute for the Prevention of Terrorism, a non-profit group partially funded by the Department of Homeland Security, has made available through the National Counter Terrorism Center's Worldwide Incident Tracking System, a fully searchable database of terrorist incidents.

A bit more about the MIPT in their own words:

The [MIPT] is a non-profit organization dedicated to preventing terrorism on U.S. soil or mitigating its effects. MIPT was established after the April 1995 bombing of the Murrah federal building in Oklahoma City, and it is funded through the Department of Homeland Security's Office for State and Local Government Coordination and Preparedness (OSLGCP).

The United States Congress directed MIPT to conduct “research into the social and political causes and effects of terrorism” through our automated information systems and to “serve as a national point of contact for antiterrorism information sharing among Federal, State and local preparedness agencies, as well as private and public organizations dealing with these issues.” MIPT firmly believes that the accurate dissemination of knowledge on terrorism is a critical ingredient for combating terrorism. Serving the needs of emergency responders, counterterrorism practitioners, policymakers, and the public, MIPT offers access to a wealth of information resources including its knowledge base initiatives, its website, and its library collection.

Designed as a clearinghouse for information on terrorist activities, the data contained in the MIPT database is draws from multiple sources:

The MIPT Terrorism Knowledge Base is the one-stop resource for comprehensive research and analysis on global terrorist incidents, terrorism-related court cases, and terrorist groups and leaders. The Terrorism Knowledge Base illuminates the current status of terrorism today. It takes users through the history, affiliations, locations, and tactics of the terrorism entities operating across the world at this moment. The database features interactive maps, biographies on key terrorist personalities, dynamic graphs, and succinct summaries on who is who and what is what inside the shadowy world of terrorism today.

In order to create the premier source for anti-terrorism information, the Terrorism Knowledge Base integrates data from the RAND Terrorism Chronology 1968-1997; RAND®-MIPT Terrorism Incident database (1998-Present); Terrorism Indictment database (University of Arkansas); and DFI International's research on terrorist organizations.

The Terrorism Knowledge Base is a dynamically-integrated website that effectively displays in-depth terrorism research, data, and multimedia in a user friendly, intuitive, and inter-connected format for researchers, policymakers, journalists, first responder emergency personnel and the general public.

And how. The user interface for the database is amazingly deep with variables ranging from date and location to the type of attack, nature of target and the monetary level of damage. Statistics are also available on the number killed, wounded or taken hostage, making the "TKB" a very intense tool for investigators active in country risk analysis and other such endeavors.

You can try the database here. The MIPT has additional information about their information gathering methodology here.

-- MDT

Labels: database

Saw this on Kevin Drum's Political Animal blog at the Washington Monthly. I'll let him lay it out for you:

It's long annoyed me that reports from the Congressional Research Service aren't available to the public. After all, $100 million per year of our tax dollars funds their work. Today, though, I learned about Open CRS, an effort to collect CRS reports and put them in a single searchable archive on the web.

So far they've collected 8,223 CRS reports on subjects ranging from CAFTA to random drug testing. This is a great resource for policy wonks of all stripes. CRS reports are commissioned by congressmen on a wide variety of topics, they're generally nonpartisan and reliable, and most of them run 5-10 pages, which makes them terrific introductions to complex issues.

Someday Congress may decide that CRS itself should collect and index all their reports online, but until they do Open CRS is the best we've got. Highly recommended.

For those who aren't terribly familiar, what exaclty IS the Congressional Research Service and why don't they share? Well...

The Congressional Research Service is the public policy research arm of the United States Congress. As a legislative branch agency within the Library of Congress, CRS works exclusively and directly for Members of Congress, their Committees and staff on a confidential, nonpartisan basis.

Congress created CRS in order to have its own source of nonpartisan, objective analysis and research on all legislative issues. Indeed, the sole mission of CRS is to serve the United States Congress. CRS has been carrying out this mission since 1914, when it was first established as the Legislative Reference Service.

Renamed the Congressional Research Service by the Legislative Reorganization Act of 1970, CRS is committed to providing the Congress, throughout the legislative process, comprehensive and reliable analysis, research and information services that are timely, objective, nonpartisan, and confidential, thereby contributing to an informed national legislature.

Prior to the Open CRS projecty, the enterprizing research would have to seek out topic specific databases of these reports made a vailable by a variety of private entities. Many such enterprises who are fed data by the CRS have for some time been taking it upon themselves to provide expanded public access to stingy CRS's findings. For example, the National Library for the Environment (a division of the non-profit National Council for Science and the Environment) has this to say:

The Congressional Research Service (CRS), part of the Library of Congress, prepares its reports for the U.S. Congress. CRS products undergo review for accuracy and objectivity and contain nontechnical information that can be very useful to people interested in environmental policy. CRS does not itself provide these documents to the general public. Although CRS documents are prepared specifically for Congress and not widely distributed, their distribution is not protected by law or copyright. NCSE is committed to expanding, maintaining and updating its database of reports, making them available and searchable for the public.

Via their website the NLE provides an advanced search page that access some 1700 or so CRS reports relating to environmental quality issues. You can find it here.

Open CRS provides access to the NLE collection as well as many others, with the goal of disseminating much needed information and just generally providing the American public with much better bang for their buck:

American taxpayers spend nearly $100 million a year to fund the Congressional Research Service, a "think tank" that provides reports to members of Congress on a variety of topics relevant to current political events. Yet, these reports are not made available to the public in a way that they can be easily obtained. A project of the Center for Democracy & Technology through the cooperation of several organizations and collectors of CRS Reports, Open CRS provides citizens access to CRS Reports already in the public domain and encourages Congress to provide public access to all CRS Reports.

CRS Reports do not become public until a member of Congress releases the report. A number of libraries and non-profit organizations have sought to collect as many of the released reports as possible. Open CRS is a centralized utility that brings together these collections to search.

A tremendous tool for researchers of all stripes. We wish'em luck.

-- MDT

Labels: database

Over the weekend Mastercard announced that company data, including names account numbers and expiration dates for potentially 40 million of its card-holders (that's one-in-seven) had been compromised. The security breach arose via illegal access to the database of CardSystems Solutions Inc., a transaction processor for credit card companies.

Those numbers would have made this incident the largest such data security failure yet witnessed by an incredulous public as well as increasingly irritated state and federal regulators. The credit card giant has subsequently announced that it anticipates that only 200,000 customers face serious risk of fraud.

How comforting.

-- MDT

Labels: data breech, database

The Daily Caveat has a soft spot for National Archives and Records Administration. The agency, where at least one Caveat Research partner began his professional career, serves as organ of our nation's memory and exists to provide the ready access to essential evidence that, quite frankly, is a prerequisite for the continued function of democracy in American. Of its institutional mandate, NARA says:

[The National Archives] is a public trust upon which our democracy depends. NARA enables people to inspect for themselves the record of what government has done. NARA enables officials and agencies to review their actions and helps citizens hold them accountable for those actions. And NARA ensures continuing access to essential evidence that documents the rights of American citizens, the actions of Federal officials, and the national experience.

In service of that public trust, the Archives is now embarking on a project of epic proportions that will come to shape the way we view transparency in government for the next century. The National Archives has been charged with the responsibility of establishing a system for accessioning, organizing and storing governmental records that are "born digital." At this moment decisions are being made at NARA which will determine how the history of our era is written and what tools historians will have available to write it.

In The Fading memory of the State, Technology Review magazine offers some insight into this looming $100 million "Manhattan Project" for digital data storage. The parameters of the - no joke, Herculean - project look something like this:

According to NARA's specifications, the system must ultimately be able to absorb any of the 16,000 other software formats believed to be in use throughout the federal bureaucracy--and, at the same time, cope with any future changes in file-reading software and storage hardware. It must ensure that stored records are authentic, available online, and impervious to hacker or terrorist attack.

NARA plans to roll out the database between 2007 and 2011. The agency is working with two primary contractors, Harris Corporation and Lockheed Martin in the design and implementation of the system. And the rollout can't come soon enough.

...managing growing data collections is already a crisis for many institutions, from hospitals to banks to universities. Tom Hawk, general manager for enterprise storage at IBM, says that in the next three years, humanity will generate more data--from websites to digital photos and video--than it generated in the previous 1,000 years. "It's a whole new set of challenges to IT organizations that have not been dealing with that level of data and complexity," Hawk says...

...Still, NARA's problem stands out because of the sheer volume of the records the U.S. government produces and receives, and the diversity of digital technologies they represent. "We operate on the premise that somewhere in the government they are using every software program that has ever been sold, and some that were never sold because they were developed for the government," says Ken Thibodeau, director of the Archives' electronic-records program. The scope of the problem, he adds, is "unlimited, and it's open ended, because the formats keep changing."

The Archives faces more than a Babel of formats; the electronic records it will eventually inherit are piling up at an ever accelerating pace. A taste: the Pentagon generates tens of millions of images from personnel files each year; the Clinton White House generated 38 million e-mail messages (and the current Bush White House is expected to generate triple that number); and the 2000 census returns were converted into more than 600 million TIFF-format image files, some 40 terabytes of data. A single patent application can contain a million pages, plus complex files like 3-D models of proteins or CAD drawings of aircraft parts. All told, NARA expects to receive 347 petabytes (see "Definitions") of electronic records by 2022.

Currently, the Archives holds only a trivial number of electronic records. Stored on steel racks in NARA's 11-year-old facility in College Park, the digital collection adds up to just five terabytes. Most of it consists of magnetic tapes of varying ages, many of them holding a mere 200 megabytes apiece--about the size of 10 high-resolution digital photographs. (The electronic holdings include such historical gems as records of military psychological-operations squads in Vietnam from 1970 to 1973, and interviews, diaries, and testimony collected by the U.S. Department of Justice's Watergate Special Prosecution Force from 1973 to 1977.) From this modest collection, only a tiny number of visitors ever seek to copy data; little is available over the Internet.

Because the Archives has no good system for taking in more data, a tremendous backlog has built up. Census records, service records, Pentagon records of Iraq War decision-making, diplomatic messages--all sit in limbo at federal departments or in temporary record-holding centers around the country. A new avalanche of records from the Bush administration--the most electronic presidency yet--will descend in three and a half years, when the president leaves office. Leaving records sitting around at federal agencies for years, or decades, worked fine when everything was on paper, but data bits are nowhere near as reliable--and storing them means paying not just for the storage media, but for a sophisticated management system and extensive IT staff.

Academic departments coast to coast - from the San Diego Supercomuting Center to the Massachusetts Institute of Technology have been set to work on how to manage and convert data from literally every format ever invented into an archival standard practical for preservation, cataloging and continuing access.

The the problems whith a technological challenge of this scale are mammoth, but what is at stake in this "moon shot" level project is at least as significant, argues KenThibodeau, director of the National Archives Electronic Records program, "there's every reason to say that in 25 years, you won't be able to read this stuff." Without their work, warns Thibodeau. "Our present will never become anybody's past."

TDC highly recommends taking a gander a the full article, which can be found here.

-- MDT

Labels: database

Businesses already made tense by government posturing regarding dire consequences for lack of customer data security are facing an increased risk based on the ubiquitousness of mobile media storage devices, of which Apple's iPod is the most prominent. Every pair of white earphones seen connected to the hip, briefcase or shirt pocket of your subway riding bretheren is a potential secuity catastrophe waiting to happen.

Via Vnuet.com:

Pods open backdoor for data theft - UK firms still ignore dangers of portable media drives

Robert Jaques
vnunet.com
13 Jun 2005

The majority of UK firms are leaving their networks open to malware and data theft by turning a blind eye to widespread employee use of removable media devices such as iPods, MP3 players and USB flash drives. Research published today claims that a staggering two-thirds of IT professionals who use USB flash drives at work admitted that they did not protect them with encryption even though they are aware of the associated dangers.

According to the survey of 300 UK IT professionals, most UK organisations have yet to address the problem of removable media. The poll found that such devices are being used in 84 per cent of companies and, on average, a third of employees are using them in the office. Some 90 per cent of those surveyed said they were aware of the potential danger that removable media presents, and a third of organisations admitted that removable media is being used without authorisation.

"With removable media plummeting in price, soaring memory capacity and more people using them at work, companies need to be aware of how easy it is for staff to use them, lose them or take competitive information away on them, all in the palm of their hands," the study, commissioned by mobile security firm Pointsec, warned...

Martin Allen, managing director at Pointsec UK, added "There seems little point in companies spending vast sums of money on information security if they're letting staff use these devices at work which allow unhindered access to vast quantities of sensitive company information."

The full article appears here.

Now The Daily Caveat won't be surrendering its iPod anytime soon (you can have it when you pry it from my cold, dead hands) but considering that even your six dollar-an-hour data entry temp drone can afford enough mobile data storage to download the personal details of every man and woman listed in the company database, business in both the U.S. and the U.K. may want to consider strategies to pre-empt potential thefts and the potential public relations disasters the inevitably follow.

-- MDT

Labels: Apple, database

We have met the enemy and it is public records.

At least according to Betty "BJ" Ostergren, that is. Betty, described in The Washington Post as "a feisty 56-year old" based near Richmond, is seeking to shame public figures into addressing what she sees as the all-too-ready access to public records enabled by commercial database, internet and document imaging technologies.

Encapsulating her fears in one favorite example, Betty lays it all out for Post's resident identity-theft reporter, Jonathan Krim:

"Don't you think if I can get Tom DeLay's Social Security number ... that some guy in an Internet cafe in Pakistan can, too?" she asks, her voice rising with indignation. "It's just ridiculous what we're doing in this country."

Utilizing such arguments, Betty, under the banner of The Virginia Watchdog is attempting to organize activists to beat back the tide of easy access to public records, particularly on the local level:

A wealth of documents -- including marriage and divorce records, property deeds, and military discharge papers -- containing Social Security numbers, dates of birth and other sensitive information is accessible from any computer anywhere. Many of the online records are images of original documents, which also display people's signatures.

Ostergren began organizing citizens and harassing officials on the issue in 2002, when a title examiner called to warn her that her county was about to put a slew of documents online, including pages with her signature.

A longtime activist in local politics, Ostergren swung into action, bringing enough pressure on Hanover County officials that they halted their plans. Then she broadened her attack, targeting other counties in Virginia and elsewhere.

Betty expounds a bit further (with copious use of exclamation) on her website:

No one has to fake an identity to get into ChoicePoint, no one has to break the law/hack into any website, no one has to dumpster dive, and no one has to dig into the neighbor's trash anymore to get SSNs. No, all it takes to find SSNs is getting into a Clerk's/Recorder's/Register of Deeds' website and ANYONE can since they are public records!

The Clerks etc. are spoon feeding criminals by putting these records online - the same records they took an oath to protect!!! Every Clerk/Recorder should pull the plug on this ONLINE RECORDS mess and get them offline! It will take the legislature (thru pressure from the citizens) to make them do it though. Tell your state legislators that if someone wants to see your records, make them take off from work and drive to the courthouse!

This, unfortunately, is the histrionic end of identity theft anxiety, fostered by content-starved local news and fueled good old fashioned black-helicopters-over-Kansas American paranoia. As a nation we are really, really good at frothing up over this kind of thing, but never did The Daily Caveat think to see the day when ready access to essential public records verges on initiating a moral panic.

While TDC disagrees with Betty's approach (and her rampant abuse of exclamation points), there is a vaild point in the potential need to redact sensitive data from internet versions of certain public records. However, perhaps rather than attempting to curtail access to public records, the ready availability of which has immense social benefits (Frankly, The Daily Caveat feels that Senator Delay is might bit shifty and bears a close eye.) one could consider addressing the other factors that actually serve to make access of these details potentially threatening to the average person.

Easy Access to Credit - I am looking at YOU...

The full Washington Post piece can be found here.

And to join The Movement, click here.

-- MDT

Labels: database, identity theft

While most of the scams that we encounter via the internet are new versions of old tricks, for fraudsters, the internet has added incredible economies of scale to their tried and true tactics.
While law enforcement is certainly attempting to contain this web-endabled explosion of low-level financial crimes, there are several home-grown groups that exist and operate in what could generously be called beyond the standard regulatory regime who have made it their business to frustrate would-be phishers, 419 scammers and other such internet con artists.

Take for example this recent story, via Yahoo UK about hacker-types using their skills to deface phony bank websites employed by internet scammers:

Vigilante hackers use Old West tactics for cyberspace justice

Wednesday May 25, 06:53 PM

WASHINGTON (AFP) - Angered by the growing number of Internet scams, online "vigilantes" have started to take justice into their own hands by hacking into suspected fraud sites and defacing them. These hackers have targeted fake websites set up to resemble the sites of banks or financial institutions in recent weeks, and have inserted new pages or messages. Some say "Warning - This was a Scam Site," or "This Bank Was Fraudulent and Is Now Removed." The efforts by the self-proclaimed "hero hackers" come amid a surge in online schemes known as "phishing" in which victims are lured to fake websites to get passwords or other personal data...

..."While phishing is undoubtedly an illegal activity, the legality of defacing phishing sites is also quite questionable, but in cases observed by Netcraft so far it is reasonable to assume that only the fraudsters themselves have been disadvantaged," the security firm said. Some of the hackers are boastful. "We only deface fake banks. Nothing else. Our targets are illegals and hosts that don't take down illegal sites," said a message posted on the website SecurityFocus by the purported "white-hat" British hacker group called The Lad Wrecking Crew....

... Peter Cassidy, secretary general of Anti-Phishing Working Group, an industry alliance, acknowledged there was a "gap" in law enforcement action against the schemes, but that hacking was not the solution. "This is similar to what we've experienced before in the Old West," Cassidy said. But hackers defacing websites "could leave the brand holder open to further retaliation," including efforts to hack into the real website of the bank or company...

The full article can be found here.

Another group, Artists Against 419 offers a novel way to combat scammers who use phoney bank websites to perpetrate their crimes. AA419's website is designed to steal bandwidth from phoney bank sites (which are themselves, in the interest of scammer versimilitude, illegally displaying images that contain the names and logos of legitimate institutions).

Most web hosting companies set a daily limit on the quantity of data that can be exchanged via a hosting account. By hot-linking images from the phony sites so that every time a web surfer views the AA419 site it draws against the scammer-sites' daily bandwidth limit. When that limit is exceeded the phoney site is pulled off the web for the day or until their bandwidth limit is reset, usually presenting potential visitor-victims with an error message that looks something like this:

Bandwidth Limit Exceeded

The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.

Apache/1.3.27 Server at Port 80

AA419's philosphy is that any downtime they can force upon scammer sites is time that people aren't bing victimized. AA419 also maintains a fascinating fake bank link database, in case you are curious about how folks can be taken in by these sites, some of which look pretty convincing, others less so.

Another group has taken a less technological and more personal approach to fighting back against internet fraud, choosing to make a hobby of actually scamming the scammers, or scambaiting as they call it. 419eater.com is one such group mainained by a cadre of crack anti-phishers who actively engage with scammers attempting, essentially, to waste the con-artists time and thereby prevent scammers from vitimizing others.

"419" is the Nigerian legal code for an advance fee fraud scam which by now every man, woman and child with an email address has encounted in a form somewhat resembling this:

The most prevalent and successful cases of Advance Fee Fraud is the fund transfer scam. In this scheme, a company or individual will typically receive an unsolicited letter by mail from a Nigerian claiming to be a senior civil servant. In the letter, the Nigerian will inform the recipient that he is seeking a reputable foreign company or individual into whose account he can deposit funds ranging from $10-$60 million that the Nigerian government overpaid on some procurement contract...

...The sender declares that he is a senior civil servant in one of the Nigerian Ministries, usually the Nigerian National Petroleum Corporation (NNPC). The letters refer to investigations of previous contracts awarded by prior regimes alleging that many contracts were over invoiced. Rather than return the money to the government, they desire to transfer the money to a foreign account. The sums to be transferred average between $10,000,000 to $60,000,000 and the recipient is usually offered a commission up to 30 percent for assisting in the transfer....

...The goal of the criminal is to delude the target into thinking that he is being drawn into a very lucrative, albeit questionable, arrangement. The intended victim must be reassured and confident of the potential success of the deal. He will become the primary supporter of the scheme and willingly contribute a large amount of money when the deal is threatened. The term "when" is used because the con-within-the-con is the scheme will be threatened in order to persuade the victim to provide a large sum of money to save the venture.

In response to such requests and being led by their intrepid leader, Shiver Metimbers, the 419Eater crew has vexed international scammers with all manner counter-scams. They approach their work with an unmatched verve and an equally unmatched perverse sense of humor (for all TDC readers of the Lindsay Lohan demographic, please ask a parent or guardian's permission before visiting the site).

While not advocating or approving anti-fraud tactics that stray beyond the bounds of international law, The Daily Caveat can recommend that you check out 419Eater's F.A.Q., Letter Archive and Audio Files, all detailing real correspondence between 419's intrepid scambaiting crew and various international fraudsters. Particularly recommended for review are The Tale of the Painted Breast letter exchange and the Martins David / Shiver Metimbers audio exchange (in which Timbers engages in a telephone conversation with a scammer using only Arnold Schwarzenegger sound files).

For more on the subjects of phishing and internet facilliated financial crimes, check out the Anti-Phishing Working Group, the Secret Service's financial crimes page and Nigeria's Economic and Financial Crimes Commission.

Viva la resistance.

-- MDT

Labels: database

Many thanks to excellent Inter-Alia.net blog who ran accross this equally excellent set of links at Justia, a Legal Search Engine Optimization Blog. Justia seems to be a great resource and I am definitely going to add it to my daily reading. You should too.

The following choice links are drawn from a much longer and more comprehensive series of competitive intelligence-related posts at Justia over the last few days. All feature free access to interesting data. Many of these links you will no doubt be familiar with but there were certainly a few that were new to me (accompanying commentary originates from Justia):

Yahoo! - Industry Center. For background research, Yahoo covers industry news, statistics and profiles, as well as top performing companies within the industry. Yahoo also provides an earnings calendar to track upcoming events.

bizjournals.com - Industries & Communities. bizjournals.com aggregates news articles by industry from different local business journals. They even offer a My Industries custom page where they will display news headlines from industries you have selected.

BNET - White Papers RSS Feeds by Job Function and Industry. BNET offers white papers that span a broad range of job functions and industries. This is another great resource that you can feed into My Yahoo. You have to register in order to read the white papers though.

Moreover Technologies - Free RSS News Feeds Listing. Moreover offers news feeds by industry.

bizjournals.com - RSS Feeds. bizjournals.com also offers RSS feeds of local news and industry news.

Onecle- Sample Contracts and Business Forms. Onecle has compiled a database of material contracts extracted from SEC filings. This collection is both searchable and browsable, and includes employment agreements, services agreements, license agreements, manufacturing agreements, severance agreements and more. This is the insider source for corporate contracts and other actionable intelligence.

PwC - EdgarScan PricewaterhouseCoopers offers a different twist on SEC filings. Their focus is on financial data, which they've extracted and may be displayed as an MS Excel spreadsheet or as a chart.

SEC Info. SEC Info offer yet another spin on SEC filings. This site includes both SEC EDGAR and CSA SEDAR securities filings, and also includes SEC-deleted filings. Why would a company request that the SEC delete a filing? Because there was either an error in the filing or the company inadvertently disclosed something that it now wishes to redact. So, even when the SEC deleted a copy of a filing from its own site, you may be able to find an archival copy on SEC Info.

bizjournals.com - Legal Services Features news about the legal services industry from local business journals.

LexisNexis Mealey Publications - Legal News via RSS. LexisNexis offers free (gasp!) RSS feeds for legal news. They also provide individual feeds for different practice areas, including insurance, products liability, litigation, intellectual property and more. While reading the news headlines and summaries is free, you do need a paid subscription to view the full-text of any articles or cases.
Moreover Technologies - Law News.

Jaffe Legal News Service - Law Firm News. Offers RSS feeds for top stories, law firm news and breaking news.

GoogSpy. GoogSpy offers a tremendously powerful strategic intelligence tool. The Ranks in the Top 10 on these Search Terms section tells you where a web site currently ranks for certain keywords. So, instead of manually entering keywords into Google to see how your web site or a competitor's web site ranks, a simple search using GoogSpy takes care of this tedious task. Another advantage of using GoogSpy is that you may discover that your web site is ranking highly for certain keywords that you did not intend to target. The disadvantage of using GoogSpy is that its data set is not complete. So, not all web sites or keyword combinations appear in the GoogSpy database. You may also consider optimizing portions of your own site to capture your competitor's higher ranking keywords. Just be careful that you don't end up de-optimizing your site for your existing keywords in the process.

Greedy Associates Board. The Greedy board is the destination for those seeking the latest law firm gossip and rumors. Associates on this board frequently talk about law firm culture, salaries and other issues.

Yahoo! - Venture Capital. Offers venture capital news. As I've discussed in a prior tip, you can even set-up a customized news feed to target a specific venture capital firm. For example, here's an RSS news feed for Draper Fisher Jurvetson.

BusinessWeek Online - Deal Flow. BusinessWeek blog on venture capital and startups. Also available by RSS.

Yahoo! - Mergers & Acquisitions. M&A news feed.

CNNMoney - M&A Databank. Features reports on recent M&A deals, including transaction details and information on the target and acquiror.

BNET - Mergers and Acquisitions. Features RSS feed of mergers and acquisitions updates. BNET also provides an RSS feed for mergers and acquisitions white papers.

Onecle - Mergers Agreements. Features mergers and acquisitions agreements that were disclosed in SEC filings.

To see the rest, navigate over to Justia.

-- MDT

Labels: database

This story continues to unfold with initial estimates of 500 thousand records accessed being bumped up to 670,000. Nine arrests have been made by New Jersey authorities following months of investigation. Via ComputerWorld:

The case has already led to criminal charges against nine people, including seven former employees of the four banks. The crime ring apparently accessed the data illegally through the former bank workers. None of those employees were IT workers, police say. ...the suspects manually built a database of the 676,000 accounts using names and Social Security numbers obtained by the bank employees while they were at work. The information was then allegedly sold to more than 40 collection agencies and law firms, police say.

The suspects pulled up the account data while working inside their banks, then printed out screen captures of the information or wrote it out by hand, Lomia says. The data was then provided to a company called DRL Associates, which had been set up as a front for the operation. DRL advertised itself as a deadbeat-locator service and as a collection agency, but was not properly licensed for those activities by the state, police say.

Read more here and here.

Multiple federal agencies are now participating on the investigation, including the Treasury Department and the Internal Revenue Service. And in a move that should reverberate through the legal industry for some time, authorities have state that the next phase of their investigation will include targeting law firms and collection agencies who purchased data from the crime ring.

-- MDT

Labels: database

You don't know how long The Daily Caveat has been trying to find a way to work America's favorite blond, bubble-headed celebutante into our daily news. Finally the day has arrived. I don't think I can add much more to this crazy story beyond what you can read below:

Federal Investigators Remove PCs, Discs From Several Locations; LexisNexis Break-In Linked to Paris Hilton Phone Hacking

By Brian Krebs
Washingtonpost.com Staff Writer
Thursday, May 19, 2005

The federal investigation into the massive theft of sensitive personal records from database giant LexisNexis Inc. intensified this week with the execution of search warrants and seizure of evidence from several individuals across the country, according to federal law enforcement officials.

Three people targeted in the investigation confirmed that federal investigators had served warrants at their homes. The group included a minor who has been in contact with a washingtonpost.com reporter for three months and who said he was directly involved in the LexisNexis breach...

...The minor, whose identity is not being revealed because he is a juvenile crime suspect and because he communicated with a washingtonpost.com reporter on condition of anonymity, said federal officials "raided" his home this week and seized his computer. He said investigators "got everybody" involved in the digital break-in.

Nine people in all were served search warrants by investigators, according to a senior federal law enforcement official who asked not to be identified because of his role in this and other ongoing investigations. The official said several members of the group are also believed by investigators to be involved in the much-publicized hacking in February of hotel heiress Paris Hilton's T-Mobile cell phone account, but he did not specify which members...

...The link between the LexisNexis and Paris Hilton investigations is supported by online conversations that a washingtonpost.com reporter had with the minor whose home was searched. The minor said he was involved in both intrusions and provided an image of what he said was a Web page that only T-Mobile employees would have access to...

...According to an account provided by the teenaged member of the hacker group -- and confirmed by the law enforcement source who insisted on anonymity -- the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom only knew each other through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her computer keyboard.

According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' login information may have been similarly stolen, the law enforcement source said.

The young hacker said the group members then created a series of sub-accounts using the police department's name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.

Much more intrigue at the WashingtonPost.com.

-- MDT

Labels: data breech, database, identity theft

Brock Romanek at TheCorporateCounsel.net has a link to the now up-and-running SEC disclosure comment letter database (within EDGAR):

Lot of members asking how to find the SEC Staff's comment letters on the SEC's site. Here is some insight from Brink Dickerson: Comment letters are starting to appear in the SEC’s EDGAR database. They are assigned one of two form types, “upload” for letters generated by the SEC staff, and “corresp” for letters generated by filers. As with other filings, they are indexed by filer name, so the primary way to access the letters is to search for the filer and then look for the form type. To search across filers, go to the EDGAR archives – which is within the “Search for Company Filings” area on the main EDGAR page – and search for “form-type=” either “upload” or “corresp.”

So far the selection is not that large, with twenty-four examples - but it should grow at the rate of roughly 300 letters per month. Further, except in a few cases, the letters available so far are either just the correspondence or just from the SEC - but not both.

A list of all currently available letters can be found here.

-- MDT

Labels: database

The Daily Caveat comments following the article...

Via WBAY TV Online:

School Districts Consider P.I. for Background Checks

April 25, 2005
By Sarah Thomsen

Both the Green Bay and Oconto Falls school districts are considering using a private investigative firm to conduct their background checks. The school districts are looking at their options after the Green Bay public school district's background check failed to show out-of-state felony convictions against student liaison Frank Smith, who resigned last month after his arrest on charges of drug possession and domestic abuse.

A year-and-a-half ago, Oconto Falls started running checks through a Department of Justice web site, the same one that Green Bay school district officials say failed them. When Oconto Falls superintendent Dave Polashek realized that, he started considering a private investigator. Though it only takes a minute for Oconto Falls administrators to pull up a criminal history on the DOJ web site, the district says it's not good enough any more.

"Has to do with people coming in from out of state. That's more of a challenge trying to get those databases that may exist in other places, so that's something we may refer to a private investigator," Polashek said. The district says its two Internet searches have limited databases and a private investigator could find a lot more than it could. "It's the issue of balance of time, cost, and really how much more do they provide compared to what you get right now," Polashek said.

Craig Warrick is a retired assistant principal-turned-private investigator. He says schools need outside help. When new teachers apply for a license, the Department of Public Instruction runs a check on them but by law only crimes related to children are reported to the district; the district has to find out the rest themselves. "The law, statute, says 'substantially related to welfare of children,' therefore DPI is doing their job in not reporting some crimes that they're not supposed to but that also puts the onus back on the school district," Warrick said.

If the schools go ahead with this option, both Green Bay and Oconto Falls administrators tell us they would probably go through a private investigation firm, get a subscription to the national databases, then pay about $20 for each person they put through checks on those databases.

The original article can be found here here.

I would not be surprized to find other school districts following the examples of Green Bay and Oconto Falls. And while resources are scant in our school systems, administrators would do well to remember that background investigations are much like any other consumer arena - you more often than not get what you pay for. As we saw in the TIAA-CREF / Kroll debacle from last week sometimes the basic package just doesn't cut it.

Incidents like the one in Green Bay show the importance of conducting proper background checks. When conducting a background search, investigative firms usually be able to access home address information for the last ten (possibly fifteen) years. From this list of past addesses an investigative firm will plot the path of its litigations searches - what local, state and federal jurisdictions it will include. However, litigation databases are not perfect and seldom are their holdings complete.

For any school system considering expanding their employee background investigations beyond the standard DOJ database search, I would suggest taking a hands-on approach in selecting the right firm for their needs and taking the time to understand the coverage (or lack of coverage) that a background check includes. Be sure to ask a potential vendor about the specific coverage for your state but also remember that people in this day and age move around unpredictably and a search in any state is up for grabs.

It is vitally important that any investigative report received describes not just the "hits" but also what it doesn't include. Choosing the right firm and the right budget point are difficult decisions but the right firm is the one that is willing to discuss their limitations with you candidly and offer you the best search possible, not just the cheapest. Anything less is a waste of scant resources offering only a false sense of security.

-- MDT

Labels: background checks, database

From the Dayton Business Journal:

LexisNexis Launches Japanese Legal Database

Dayton Business Journal
April 18, 2005

The Japanese subsidiary of LexisNexis is launching an online legal information service in the Japanese language.

Miami Township-based LexisNexis announced late Sunday that LexisNexis Japan Co. Ltd. is starting the service that offers legal case information and commentaries, as well as information on statutes codes and laws using a standard Web browser. The site is legal.lexisnexis.jp.

The initial coverage of the Japanese database includes 206,000 judgments dating from 1862; 42,000 case commentaries published from law journals; and all 7,200 current Japanese statutes, codes and laws. LexisNexis has plans to expand the offering to include a broad range of Japanese legal and regulatory information, along with business news considered relevant for customers in law firms, academic institutions, government organizations and corporate legal departments.

Read the rest here.

-- MDT

Labels: database

To fight terrorism, of course. And you have the Alberto Gonzales guarantee that none of that Patriot Act business will ever be used to go after regular folks. Just the bad guys.

But while we honest citizens can sleep soundly, the banking industry is more than a little concerned about how this expansion of government oversight will effect their own reporting and compliance obligations.

From the New York Times:

U.S. Seeks Access to Bank Records to Deter Terror

By ERIC LICHTBLAU
New York Times

WASHINGTON, April 9 - The Bush administration is developing a plan to give the government access to possibly hundreds of millions of international banking records in an effort to trace and deter terrorist financing, even as many bankers say they already feel besieged by government antiterrorism rules that they consider overly burdensome.

The initiative, as conceived by a working group within the Treasury Department, would vastly expand the government's database of financial transactions by gaining access to logs of international wire transfers into and out of American banks. Such overseas transactions were used by the Sept. 11 hijackers to wire more than $130,000, officials said, and are still believed to be vulnerable to terrorist financiers.

Government officials said in interviews that the effort, which grew out of a brief, little-noticed provision in the intelligence reform bill passed by Congress in December, would give them the tools to track leads on specific suspects and, more broadly, to analyze patterns in terrorist financing and other financial crimes. They said they were mindful of privacy concerns that such a system is likely to provoke and wanted to include safeguards to prevent misuse of what would amount to an enormous cache of financial records.

The provision authorized the Treasury Department to pursue regulations requiring financial institutions to turn over "certain cross-border electronic transmittals of funds" that may be needed in combating money laundering and terrorist financing.
ADVERTISEMENT

The plan for tracking overseas wire transfers is likely to intensify pressure on banks and other financial institutions to comply with the expanding base of provisions to fight money laundering, industry and government officials agreed. The government's aggressive tactics since the attacks of Sept. 11, 2001, have already caused something of a backlash among banking compliance officers - and even some federal officials, who say the effort has gone too far in penalizing the financial sector for lapses and has effectively criminalized what were once seen as technical violations.

The initiative, still in its preliminary stages, reflects heightened concerns by administration and Congressional officials about the government's ability to track and disrupt financing for terrorist operations by Al Qaeda and other groups - an effort identified by President Bush as a top priority in the campaign against terrorism.

Terrorist money has been difficult to identify, much less seize, in part because terror operations are conducted on relative shoestring budgets. Planning and operations for the attacks on Sept. 11, 2001, were believed to have cost Al Qaeda $400,000 to $500,000, with no unusual transactions found, according to the 9/11 commission, and the 1998 embassy bombings in East Africa cost only $10,000.

While counterterrorism officials have made some inroads in tracking terrorist money, clear successes have been few and sporadic, experts say, and a number of recent reports have pointed up concerns about the government's ability to deter and disrupt such financing.

"I don't think we really have a full grasp of how to deal with the problem yet," said Dennis M. Lormel, the former head of the Federal Bureau of Investigation's terrorism-financing unit, who is now in the private sector. "The framework is certainly getting better, but in general, we don't have the full capability yet to get at the money."

The federal government has taken a number of aggressive steps since the Sept. 11 attacks to disrupt terrorist financing. It has expanded its list of terrorist-related groups banned from financial dealings with the United States, it has set up new investigative offices to track terrorist financing, and it has required more financial data and tighter compliance from financial industries as part of the antiterrorism law known as the USA Patriot Act and other measures.

Senior officials throughout the administration have emphasized repeatedly that they want the financial sector to be a full partner in the stepped-up efforts to deter terrorist financing.

But in a letter in January to Treasury Department officials, 52 banking associations around the country said that a "lack of clarity" by the government in explaining what is expected of them in complying with regulations to deter terrorist financing and money laundering has "complicated, and in some cases undermined" those efforts.

The result, banking officials say, is that many banks, now in a defensive mode, are sending the government far more reports than ever before on "suspicious activities" by their customers - and potentially clogging the system with irrelevant data - for fear of being penalized if they fail to file the reports as required.

Some smaller community banks have sold out to larger companies for fear of increased liability, banking officials say, and banks have dropped some money-transmittal businesses that do significant business overseas because of the risk. Some executives, meanwhile, are steering away from serving on bank boards, concerned that they will be hit with punitive measures, banking industry officials say.

"It seems like the rules keep changing on us, and there's a lot of confusion and anxiety in the industry about what constitutes a proper compliance program," said John Byrne, who oversees compliance issues for the American Bankers Association.

Of particular concern to industry officials are five criminal enforcement actions in the last several years against banks for failing to comply with laws to combat money laundering. None of the cases involved terrorist financing, but prosecutors say most centered on egregious lapses by banks in turning a blind eye toward possible money laundering, for instance, by accepting duffel bags from drug dealers with hundreds of thousands of dollars in cash.

Tensions over the issue broke into public display last month in Hollywood, Fla., at a conference sponsored by Money Laundering Alert, an industry newsletter, as even some federal officials expressed sympathy for the bankers and criticism of what they characterized as overly aggressive tactics by the Justice Department.

By sharply increasing prosecutions against banks over compliance failures, "law enforcement is shooting the messenger," said Herbert A. Bierne, a senior enforcement official with the Federal Reserve System's board of governors. "You shoot the messenger, you stop getting the messages."

The Federal Reserve System has begun meeting with Justice Department officials to resolve internal friction over the enforcement actions, and it is seeking changes that would require such prosecutions to be overseen by Justice Department officials at headquarters in Washington, rather than at the discretion of federal prosecutors in the field, officials said.

Lester Joseph, a Justice Department official who oversees money-laundering cases, told the conference that the department, despite its keen interest in tracking terrorist financing, had no interest in singling out banks for technical violations and had begun no concerted crackdown.

But he added, "When we detect evidence of what we perceive as a crime, we're going to pursue that."

The Treasury Department's Financial Crimes Enforcement Network, or Fincen, which is leading the effort to gain access to international wire transfers, has created a working group with about 20 employees; begun meetings with the Federal Bureau of Investigation, the Department of Homeland Security and other agencies; and developed a general concept for how to proceed. Officials also have begun looking at similar models in Canada and Australia.

A final plan is not expected until the end of the year, and a senior official at Fincen, speaking on the condition of anonymity because the plan is still in development, acknowledged in an interview that numerous logistical and legal issues must still be worked out.

For instance, although some rough estimates cited by Fincen suggest that there are at least a half-billion international wire transfers a year totaling trillions of dollars, officials want to develop clearer data. The financial data demanded by Fincen is likely to total several hundred million records, and the agency wants to minimize the logistical and financial disruption to banks, officials said.

Officials are looking at whether to give higher priority to wire transfers from the Middle East or other regions considered high risk, but they said they want to avoid provoking a public outcry over charges of ethnic profiling or driving terrorist financiers out of banks and into underground markets.

Advocates see the international transfers as a vital tool in tracking terrorist financing.

"The idea is for the government to make it more difficult and more risky for terrorists to move money, and right now international wire transfers provide the fastest, cheapest and most reliable way for the terrorists to do that," said John Roth, a former staff member for the Sept. 11 commission and a co-author of its terrorist financing report.

But some within the financial industry are skeptical.

"This strikes me as a fruitless exercise, an impossible task," said Charles A. Intriago, a former federal prosecutor who runs Money Laundering Alert. "This risks further burdening the industry, and it's tough to see how it will produce much if any useful data for the government in tracking terrorist financing."

Via GoUpstate.com.

-- MDT

Labels: database, money laundering

Inter-Alia.com had a quick post this morning on a few new web search tools that have come on line recently. One mentioned that is of particular interest to The Daily Caveat is Ziggs.com, which is in Beta mode for the time being. Like Zoominfo.com (which has been discussed here previously) Ziggs.com focuses on name and affiliation based searching to locate profiles of business professionals.

Also like Zoominfo.com, Ziggs.com allows users to upload their own profile information to beef up the database and Ziggs claims to house over two million profiles from business people at over 40,000 companies (Zoominfo's claim is 25 million execs).

Unfortunately, unlike Zoominfo, Ziggs does not appear to combine these manually entered bios with on-the-fly profiles constructed via web crawl. For example, Ziggs doesn't know who Bill Gates is (you know, the Microsoft guy). Zoominfo, on the other hand, has a pretty good idea.

Reviewing the scant literature available on the site, it appears that Zigg's is really a marketing tool masquerading slightly as a search function. Most of their promotional data focuses on marketing and how they can help you and your compamy raise your web profile. Their search does not appear to extend beyond the personal biographical data entered by site visitors.

In their own words:

The Ziggs Index includes public profiles of user-generated content already available on the Web today. It includes corporate profiles that companies have submitted to Ziggs for inclusion, leveraging their investment in existing profiles on their own website. And equally important, the Ziggs Index includes professional profiles created by individuals like you.

Not a bad start, but seemingly not yet competetive with other similar tools available in the marketplace and not yet something the serious researcher should turn to.

Full Disclosure:

After writing (and somewhat critically I might add) about Zoominfo.com's transition from Eliyon.com to its current format, I was contact by Zoominfo.com's communications department and offered a "guest account" trial subscription to their services. I have not, as yet, taken them up on the test drive. At some point I probably will and you will read about it here.

-- MDT

Labels: database

Google.com doesn't have a good record when it comes to the French. The 800 pound gorilla of internet searching has already run afoul of French media firm, Agence France Presse and French hotel chain Le Meridien. Now, according to an article in The Economist, (and thanks to Techliberation.com for the link) French President Jaques Chirac is calling for an alternative to Google.fr which currently accounts for more than 70% of French web searches.

According to Robert MacMillan at The Washington Post, it was Jean-Noel Jeanneney, president of France's Bibliotheque National that brought the Google situation onto Chirac's radar. Jeanneney had sounded the alarm to the French head of state about Google's ongoing endeavor to create a searchable online database of 15 million of the world's most prominent books, which in Jeanney's estimation (and MacMillan's paraphrasing) "constitutes the sunrise of an American hegemony over information and literature."

In an article in the International Herald Tribune, Jeanneney said of his reaction to the Google plan, "I am not anti-American - far from it...But what I don't want is everything reflected in an American mirror. When it comes to presenting digitized books on the Web, we want to make our choice with our own criteria." Jeanneney put things a little more bluntly in a recent interview with LeMonde (with link thanks to ICT Etcetera):

The real issue is elsewhere. And it is immense. It is confirmation of the risk of a crushing American domination in the definition of how future generations conceive the world.

The libraries that are taking part in this enterprise are of course themselves generously open to the civilizations and works of other countries ... but still, their criteria for selection will be profoundly marked by the Anglo-Saxon outlook.

...It would have meant The Scarlet Pimpernel triumphing over Ninety-three (Victor Hugo's eulogistic account of the revolution); valiant British aristocrats triumphant over bloody Jacobins; the guillotine concealing the rights of man and the shining ideas of the Convention...

Ahem. Well...hyperbole, nationalism and Charles Darney aside, the French seem to be taking action.

Culture Minister Renaud Donnedieu de Vabres has been put in charge of the French project, with Chirac's directive "to study how French and European library collections could be rapidly made available on the Web. The statement concluded: "A vast movement of digitizing knowledge is under way across the world. Blessed with exceptional cultural heritage, France and Europe should play a central role in this" (From the IHT article cited above).

Whether the French effort is based on good sense or simply extreme paranoia rooted in the reptile-brain collective memory of being conquered more than a milennia ago matters little. At the end of the day it is the researcher who will benefit, with more avenues of information on the table than he or she would have otherwise.

-- MDT

Labels: database

Data aggregators are getting picked on a great deal these days for their security lapses, but the data thefts from Choicepoint and Lexis are only two have a half-dozen or so recent thefts, resulting either from fraudulent data purchase, physical theft of records or computer database hacking. Of all these potential avenues for mass theft of personal data, computer system security is arguable the most pervasive problem facing American industry.

Not only is this a basic security issue, but as we've seen in recent weeks, it is becoming a serious liability issue as well.

John Oltsik, the author of a January 2005 report on data security from the Enterprise Strategy Group. has summarized his findings in an article for ZDnet.com. Oltsik's report report includes data from a survey of security professionals at 229 U.S. firms and found that almost a quarter of these firms had experienced an internal security breach in the last year. An even larger number of respondants couldn't say one way or the other whether they had been breached or not.

From ZDnet.com:

Black Eye for Privacy

By Jon Oltsik, Special to ZDNet
Published on ZDNet News: April 4, 2005, 10:48 AM PT

First it was a security breach that left ChoicePoint's treasure chest of personal information (145,000 accounts) vulnerable to prying eyes. Less than a fortnight later, Bank of America backup tapes containing data on 1.2 million accounts went missing. More recently, someone hacked into a confidential database containing as many as 32,000 records at Seisint, a company owned by LexisNexis.

Bad guys are targeting corporate databases because, obviously, that's where the money is. But the bigger concern is that many of these confidential "bet the business" databases (and other critical systems) still remain woefully insecure.

The Enterprise Strategy Group recently surveyed 229 U.S.-based security professionals from organizations with more than 1,000 employees. The majority of respondents (52 percent) came from organizations with more than $1 billion in annual revenue. Our goal was to get an objective metric of just how bad the internal security threat really is.

The results paint a frightening picture. For example, 23 percent of respondents reported their organization had suffered an internal security breach in the past 12 months, while 27 percent didn't know if it had or not. Note to self: Make sure the people you do business with know whether they've been hacked or not.

Read the rest of the article.

Also an executive summary of the ESG research report can be found here.

-- MDT

Labels: data breech, database, identity theft

The venerable folks at VirtualChase.com have pointed to an article at infotoday.com that discusses new search features and data sources that are now available through Amazon.com's search engine, A9.com:

Amazon’s New OpenSearch Enables Search Syndication

by Richard W. Wiggins

March 28, 2005 — This month Amazon introduced a new service called OpenSearch, which allows a content provider to syndicate the ability to search the provider’s site. Announcing the new service at the O’Reilly Emerging Technology conference, Amazon founder Jeff Bezos proclaimed the OpenSearch mantra: “We want OpenSearch to do for search what RSS has done for content.”

The A9 OpenSearch page is essentially a "clearinghouse" for open data sources (other websites, rss feeds, etc.) and offers creates a portal of sorts that enables to researchers to take advantage of the source site's own search engine functions, rather than relying on the sometimes blunt instrument of the A9 global search engine for a site specific search. The infotoday.com article describes the process thusly:

"As you select each content provider, A9 sends a query to the corresponding content provider’s search engine in real time. Subsequent A9 searches will search all the content providers you’ve selected and present results in the columnar display. If the content provider’s search engine is unreachable or unresponsive, the corresponding column will show an error message."

For example,

"...Bezos demonstrated searching for “Vioxx” in a conventional search engine. Most of the results in a linear hit list will present the most popular Web pages containing that term. But if you use Amazon’s A9 as your search engine, you can select PubMed as one of your trusted “columns.” Then search A9 for Vioxx and you’ll see scientific and clinical results from PubMed in addition to the traditional Web results."

The rest of the article is well worth a read to understand the mechanisms behind the new "OpenSearch" features. It also provides a good primer if you are not familiar with A9's particular interface which allows for custom column-organized search results as well as the ability to save and revisit past searches. A pretty nifty tool all around. For those of you used to the Macintosh interace (and for the rest of you...what are you waiting for?), you might find the A9 experience similar to the finder tool's lay-out of nested indices and file structures.

Currently, the list of interesting sources that have added their content to the OpenSearch page includes: wikipedia.com, The New York Times, Pub Med, the National Institute of Standards & Technology database, the Indeed.com jobsearch, the Consumer Product Safety Commision recall database, CSPAN, and the Yellow Pages.

Many more sources of interest are sure to follow making this a must-visit page for researchers.

-- MDT

Labels: database

Move over plastics, there's a new phrase for the future - total information awareness.

Or so argues Victor Rozek over at ITJungle.com's The Four Hundred online newsletter. Due to continuing concerns regarding national security, he contends that Choicepoint and it's competing data aggregators will be on the look-out for more than a few good men (and women) over the next few years:

"Total Information Awareness" was the concept suggested by former admiral, national security advisor, and five-count felon John Poindexter, (conviction later overturned on a technicality). The idea was to fuse information resident in intelligence databases with the data from public and commercial databases. Add pattern recognition software, stir, and voila, everyone suddenly has an "information signature" that will supposedly allow astute analysts to differentiate the bad guys from the good. Well, apparently too many good guys objected to federal intrusion into their private business, so "Total Information Awareness" morphed into "Terrorist Information Awareness," and the project proceeded much as it had before.

The government, however, soon realized that even with its formidable spying capability, there was a great deal of information it did not possess, nor could it legally gather. Data-massing efforts were historically focused on foreign targets. Domestic surveillance was regulated by the courts and therefore required the annoying preamble of probable cause.

But no such restrictions existed in the private sector. Corporations could gather whatever information they wished about their clients or prospective clients. And those who didn't have the in-house capability to collect their own data could purchase it from firms whose sole function was trafficking in personal information. After 9/11, the government became another customer, trading in its court-sanctioned one-rod fishing expeditions for drift nets.

One of the companies the government turned to is ChoicePoint, an unauthorized collector of private information. It boasts a database of over 10 billion records and sells information to some 35 government agencies and about 400 of the nation's Fortune 1000. Senator Paul Sarbanes of Maryland called ChoicePoint "the world's largest private intelligence operation." Intelligence, in this instance, is a relative term since the company recently announced it was socially-engineered out of personal records belonging to 145,000 unsuspecting Americans.

But in terms of job opportunity, companies like ChoicePoint may be the future of the domestic IT industry.

Click on over to read the rest if you want to feel good about job security in the investigative world. If you want to feel good about personal privacy, best just point your browser elsewhere. Rozek cites a GAO report that lists some 200 or so data mining projects planned or proceeding within the federal government alone.

To take a gander at that report, click here (PDF).

-- MDT

Labels: database, GAO

House of Butter has tracked down the details on a new offering from media giant Bloomberg:

"...according to this small piece in the Maryland Daily Record... Bloomberg have entered the legal database market

Bloomberg makes its move

Business news source enters field dominated by Westlaw, LexisNexis

By ANN W. PARKS
Daily Record Assistant Legal Editor

The walls of a law school’s computer lab tell the story. One half of the room is decorated in Westlaw blue; the other, LexisNexis red. There’s simply no room for a third major player or is there? Enter Bloomberg LP. Long a force in providing business and financial news and data, it has quietly entered the legal market with a product called Bloomberg Law.

HOB after a little searching has found the following press release from Bloomberg dated January...

About Bloomberg Law
Bloomberg Law is an all-inclusive tool providing in-depth legal analysis, filings, opinions, real-time and archival news, indexes, rankings, company and biographical information, research and streaming live trial coverage on a single, integrated desktop platform. Bloomberg Law is part of the comprehensive Bloomberg terminal. Bloomberg Law allows Bloomberg users access to a powerful suite of legal and regulatory research tools including real-time and historic online legal databases, daily litigation and regulatory summaries, plus real-time legal, regulatory and compliance reports. Bloomberg users can conduct research across fully comprehensive US Federal and State case law histories, legal case filings and dockets. Bloomberg Law provides access to Bloomberg's comprehensive regulatory databases (including SEC, NASD and NYSE) as well as academic legal journals, legal practice manuals and updates, plus a range of other legal current awareness services, all fully integrated with Bloomberg's powerful search tools. Bloomberg Law is accessible on the Bloomberg terminal at BLAW.

Sign me up for that free trial."

-- MDT

Labels: database

House of Butter has the details on how legal industry powerhouse, Westlaw, plans to amend its services to address the currend rising tide of concern about data security:

Westlaw will, we learn, sharply limit subscriber access to Social Security numbers in its database. This move was announced after the company's top executives met on Wednesday night with Sen. Charles Schumer, D.-N.Y., a sponsor of one of several bills before Congress addressing identity theft.

After the meeting Schumer characterized Westlaw's action as a model for the rest of the data-brokerage industry. "This is a victory for consumers and a big loss for criminals who want to steal your Social Security number and your identity,"

In an E-mail message to InformationWeek, Peter Warwick, CEO of Westlaw publisher Thomson West, said events of the past months in which personal information was stolen from competitors' databases illustrates the importance of tougher controls. "The ultimate test for us as a business is to do the right thing," he said.

According to Sen Schumer, Westlaw had now eliminated access to 85% of its clients, mostly lawyers and government agencies--including the U.S. Senate.

Westlaw will also no longer will sign contracts granting full access to Social Security numbers. Individual passwords will be given to law-enforcement officials deemed eligible to view full Social Security numbers.

House of Butter credits an InformationWeek.com article, which you can read here.

-- MDT

Labels: database, identity theft

Or so reports the Better Business Bureau, which in 2004 declared that a stolen purse or wallet was still the leading route to identity theft for American consumers. Most identity theft arises from stolen personal documents rather than data housed or transmitted electronically.

Sheila Gordon, director of victim services at the Identity Theft Resource Center suggests what and decent investigator knows implicitly - that dutiful use of a cross-cut shredder can keep one out of a great deal of trouble. Gordon also offers a number of other positives steps consumers can take both to ward off potential trouble as well as suggestions of how to act quickly to minimize the damage when a theft has occured.

Some states do a better job than others of protecting their residents. For example, as Choicepoint's incremental response to their own data theft showed, California has had an active law on the books since 2003 (SB 1386) requiring prompt notification of consumers in the event of a potential i.d. theft. This law has it's roots in a 2002 incident in which, hackers cracked the state payroll database and acquired personal information on over 250,000 state employees. At the time it took a month for for the theft to be discovered and another two weeks before the victims were informed.

For a run-down of the California law's requirements...see this link (PDF). In California, consumers can also lock down their credit reports, so that new accounts require a PIN number. Other states also have pending or are considering similar laws, including: Louisiana, Vermont, Texans, Oregon, Connecticut, Massachussets, Illinois and a half-dozen others.

-- MDT

Labels: database, identity theft, Louisiana