December 30th, 2004 by dm Forensics none Comments

About the increased role of digital investigation and forensics in solving crimes:

In the end, it wasn’t a fingerprint or a blood spatter that led
authorities to the woman suspected of strangling a mother-to-be and
cutting the baby from her womb. It was an 11-digit computer code.

ABC News reports how investigators used an IP address to track down the suspect in this disturbing case. The investigators examined the online message boards where the victim and the accused had exchanged messages and were able to trace an IP address to a computer in the accused's home. The article does not say exactly how law enforcement did the tracing, but the sequence was most likely:

  1. Subpoena the poster's IP address from the message board operator or website;
  2. Do a reverse DNS lookup on the IP to identify the ISP that owns the address;
  3. Subpoena from that ISP the record of the subscriber who was assigned that IP at that particular time;
  4. Knock on the door.
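The mechanics behind steps 1 to 3, as an added example that is not from the ABC News article or the original post. Everything in it is constructed: the message-board access log, the recorded post time, the IP addresses (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges) and the fake PTR table that stands in for live DNS so the script runs offline. The point it makes that the list above only hints at: a records request to the ISP is useless without the exact time, normalised to UTC, because dynamic addresses are reassigned, and a reverse DNS result names the network operator at best, never the subscriber.

```python
# Added example (constructed data, hypothetical message board); not code from the post.
import re
import socket
from datetime import datetime, timezone

# Constructed Apache "combined"-style access log. The board's database (also
# constructed) says the message was posted at 03:07 UTC on 17 Dec 2004, while
# the log records local time with a -0600 offset, so the offset must be applied.
ACCESS_LOG = """\
192.0.2.45 - - [16/Dec/2004:21:04:11 -0600] "GET /forum/thread/311 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.45 - - [16/Dec/2004:21:07:52 -0600] "POST /forum/post?thread=311 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Dec/2004:21:08:30 -0600] "GET /forum/thread/311 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
garbage line that must not break the search
"""
POSTED_AT_UTC = datetime(2004, 12, 17, 3, 7, tzinfo=timezone.utc)  # from the board's DB (constructed)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield one dict per well-formed line, with the timestamp normalised to UTC."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not fatal
        local = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield {"ip": m.group("ip"), "utc": local.astimezone(timezone.utc),
               "method": m.group("method"), "path": m.group("path")}


def find_poster(log_text, path_prefix, posted_at_utc, window_s=120):
    """Step 1, the provider's side: the POST to path_prefix closest to the
    recorded post time. Returns (ip, exact_utc) or None if nothing is close."""
    hits = [e for e in parse_log(log_text)
            if e["method"] == "POST" and e["path"].startswith(path_prefix)
            and abs((e["utc"] - posted_at_utc).total_seconds()) <= window_s]
    if not hits:
        return None
    best = min(hits, key=lambda e: abs((e["utc"] - posted_at_utc).total_seconds()))
    return best["ip"], best["utc"]


def reverse_dns(ip, resolver=socket.gethostbyaddr):
    """Step 2: PTR lookup. The PTR record is set by whoever controls the
    address block, so it identifies the ISP at best; treat it as a lead."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def isp_domain(hostname):
    """Last two labels of the PTR name: what to look up in WHOIS for the operator's contact."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def subscriber_request(ip, when_utc, hostname):
    """Step 3: the minimum a records request to the ISP must state.
    The exact UTC time is essential; an IP alone names the wrong customer."""
    return {"ip": ip, "time_utc": when_utc.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "ptr": hostname, "isp": isp_domain(hostname) if hostname else None}


def trace(log_text, path_prefix, posted_at_utc, resolver=socket.gethostbyaddr):
    """Steps 1 to 3 end to end; step 4 is not automatable."""
    hit = find_poster(log_text, path_prefix, posted_at_utc)
    if hit is None:
        return None
    ip, when = hit
    return subscriber_request(ip, when, reverse_dns(ip, resolver))


# Constructed PTR table standing in for live DNS so the example runs offline.
FAKE_PTR = {"192.0.2.45": ("dhcp-45.example-isp.net", [], ["192.0.2.45"])}


def fake_resolver(ip):
    """Same contract as socket.gethostbyaddr: (name, aliases, addrs) or herror."""
    if ip in FAKE_PTR:
        return FAKE_PTR[ip]
    raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    print(trace(ACCESS_LOG, "/forum/post", POSTED_AT_UTC, resolver=fake_resolver))
```

Drop the `resolver=fake_resolver` argument to use the real resolver. Note the time window: if the board only stores minute precision, the correct log entry can be up to a minute away, and if two POSTs from different addresses fall inside the window the log alone cannot disambiguate them; the board's own per-post IP field, where it exists, is the better primary source and the access log the corroboration.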

The moral for law enforcement officers: do not forget digital evidence when investigating a crime. Computers and the Internet are involved in more and more crimes, and, especially when the suspect is not a computer expert, the traces left behind can be reliable, accurate and very useful.

A great book that contains similar and useful information about digital forensics, including IP tracking, is Digital Evidence and Computer Crime; find it at Amazon or search by ISBN 0121631044.

December 30th, 2004 by dm Phishing none Comments

Netcraft, one of the leading Internet security firms, has released an anti-phishing toolbar, similar to the toolbars that Google and others released in the past to battle another Internet problem: pop-up ads.

Phishing attacks are most often carried out by sending a fraudulently designed email asking users to visit a website and enter a piece of personal information, in many cases bank passwords, credit card numbers or similar. One reason phishing attacks are so successful is that phishers exploit browser vulnerabilities to "hide" the address of the page being shown or to make it look as if it comes from the bank's website.

In essence, the Netcraft toolbar (IE only right now, with a Firefox extension in the works) gives users an easy way to tell whether they are the target of a phishing attack by showing where the site is hosted: if your Bank of America login page turns out to be hosted in Bangladesh, for example, you should be suspicious. The toolbar also lets users report phishing sites; reports are reviewed by Netcraft and then propagated to other toolbar users, a sort of community protection mechanism. Another useful feature is that it blocks URLs containing characters that have no legitimate use and serve only to exploit browser bugs or to deceive the user about which site is being shown.

Netcraft's toolbar is an initial but very important step towards curbing the spread of phishing, and it is important for tools like it to achieve wide adoption. One likely problem is that users are not visibly annoyed or distracted by what the toolbar protects against. Google's pop-up blocking toolbar was widely adopted because users were annoyed by the number of pop-up ads they were receiving. Netcraft's toolbar, by contrast, protects against a threat that is hard to see and perceive. While the phishing threat is real for every Internet user, many users will have little or no incentive to install this protection.

A great idea and a great tool from Netcraft, but I believe that more incentives and steps to popularize the product will be necessary for its adoption and success.
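The kind of checks the toolbar makes before a page is trusted, as an added example; this is not Netcraft's code and does not describe how its toolbar is implemented. The brand allowlist, the hosting-location table (a constructed stand-in for the toolbar's lookup service) and the sample URLs are all made up for the example; 192.0.2.0/24 is a documentation range. The two URL tricks it catches are the ones current at the time: userinfo before an `@` so that the visible "host" is not the real host, and encoded or control characters in the authority part that truncate what the address bar displays.

```python
# Added example (constructed tables and URLs); not Netcraft's toolbar code.
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Registered domains that may legitimately carry each brand name (constructed allowlist).
BRANDS = {"bankofamerica": {"bankofamerica.com"}}

# Constructed stand-in for the toolbar's hosting-location lookup; a real tool
# asks a service that knows where each host or netblock is hosted.
HOSTING = {
    "bankofamerica.com": "US",
    "192.0.2.10": "BD",
    "login-boa.example.net": "RU",
}


def registered_domain(host):
    """Last two labels; good enough here, a real tool would use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """A bare IP address as the host is rare for a real bank and common for phishing kits."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_url(url, expected_country="US", hosting=HOSTING):
    """Return a list of short finding codes; an empty list means nothing suspicious."""
    findings = []
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").lower()

    # http://www.bankofamerica.com@192.0.2.10/ : everything before '@' is
    # userinfo, the real host is what follows it.
    if parts.username is not None:
        findings.append("userinfo")
    if is_ip_literal(host):
        findings.append("ip-literal")
    # Percent-encoded or control characters in the authority have no
    # legitimate use; they were used to cut off the displayed address.
    if (re.search(r"%[0-9a-fA-F]{2}", parts.netloc)
            or re.search(r"[\x00-\x1f\x7f]", unquote(parts.netloc))):
        findings.append("encoded-authority")
    # A brand name anywhere in the URL while the host is not one of its domains.
    squashed = url.lower().replace("-", "")
    for brand, legit in BRANDS.items():
        if brand in squashed and registered_domain(host) not in legit:
            findings.append("brand-mismatch")
            break
    # The toolbar's headline feature: where is this host actually hosted?
    country = hosting.get(host) or hosting.get(registered_domain(host))
    if country and country != expected_country:
        findings.append("hosting-mismatch")
    return findings


if __name__ == "__main__":
    for u in ("https://www.bankofamerica.com/login",
              "http://www.bankofamerica.com@192.0.2.10/login",
              "http://www.bankofamerica.com%01@192.0.2.10/",
              "http://login-boa.example.net/bankofamerica/signin"):
        print(u, "->", check_url(u) or "ok")
```

The findings are deliberately separate codes rather than one verdict: "hosting-mismatch" on its own is weak evidence (banks do outsource hosting), while "userinfo" plus "ip-literal" on a page that asks for a password is close to certain. A toolbar that shows the individual signals lets the user make that judgement instead of crying wolf on every foreign-hosted site.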

December 23rd, 2004 by dm Hacking, Vulnerabilities none Comments

Stating the obvious, News.com and the Honeynet Project report that it takes an average of three months to compromise an unpatched Linux machine, compared with the 10 minutes it takes to compromise a Windows machine after it is plugged into the network, as we wrote in November. The Honeynet Project also reports that a similar study in 2001 found that it took an average of 72 hours to compromise a Linux system, which shows a great improvement in the default Linux configuration and kernel at fending off most attacks.

The two main reasons the Honeynet Project researchers cite are 1) the hardened default configurations that Linux now ships with; and 2) the fact that hackers concentrate on attacking Windows machines because their return on time invested is greater (and you thought hackers didn't obey the laws of economics?).

“Everybody is focused on Windows,” Spitzner [Honeynet's president] said. “There is more money (for an attacker) to be made on the Windows systems.”

This research shows the ever-increasing security gap between Windows and Linux in general, and I am not aware of any Linux distribution that is not more secure than any Windows installation. It shows that for mission-critical applications, be they server applications or even reliable desktops, Linux is the better choice.

December 21st, 2004 by dm Law & Policy, Spam none Comments

In another setback for federal anti-spam legislation, Federal District Judge Hellerstein rejected a guilty plea that prosecutors had reached with Smathers, a former AOL employee who allegedly stole 92 million e-mail addresses from AOL servers and sold them to spammers for more than $100,000.

The prosecution convinced Smathers to plead guilty under the CAN-SPAM Act, which took effect in January. But the judge, who himself admitted dropping his AOL account because of spam, did not agree with the prosecution that a crime under the CAN-SPAM Act had even been committed:

Everybody hates spamsters, there's no question about that. I'm not prepared to go ahead, Mr. Siegal [the prosecutor]. I need to be independently satisfied that a crime has been created.

The judge's reasoning is that for a crime to be committed under CAN-SPAM there must be an element of deception, and that element was not presented in this case. If the elements of a crime are not met, the plea agreement between the prosecution and the accused may be baseless. The rejection of the guilty plea does not mean that Smathers is off the hook; it means that the prosecution will have to present further evidence and show that Smathers used deception. Absent deception, CAN-SPAM does not apply.

This is another example of how CAN-SPAM fails to deliver the tools prosecutors need to go after spammers and their accomplices. The same case and guilty plea would have been properly made and accepted under many states’ now-preempted spam laws, but not under the CAN-SPAM Act.

December 17th, 2004 by dm Identity Theft, Scams none Comments

In a review of the most common cyber scams, one of the most popular is credit or debit card fraud. In most cases the cyber criminals use a victim's illegally obtained credit card number to purchase goods or services online.

One reason this scam is so widespread is the increase in phishing attacks. Very often a phishing scheme tricks the user into entering his or her credit card number and other personal information. The personal information can then be used to steal the person's identity by opening new credit cards or lines of credit. InternetNews reports that in 2003 online fraud losses, some of which are linked to stolen identities or credit cards, amounted to $437M.

In response to the increasing number of such attacks, and to people's increased reluctance to use their cards, many credit and debit card providers are starting to offer 'liability-free' cards, where users are not liable if their card number is stolen. This gives users peace of mind when using their cards to buy something online, but the costs and damages are not avoided; they are merely shifted from the users to the card provider or its insurance company. Arming users with liability-free cards also creates the 'moral hazard' problem known from law and the insurance business: by removing some of the incentive for users to be careful about whom they give their card number to, the card companies are indirectly responsible for the high rate of card fraud, which in turn makes cyber criminals more aggressive.

I don’t mean to blame the credit card companies for the high level of fraud in this field, but I am willing to hold them accountable for not doing much to educate their customers of what is safe and what is not when it comes to credit cards and the Internet.

December 17th, 2004 by dm Hacking, Identity Theft none Comments

InformationWeek reports on the sentencing of the Wi-Fi hacker who used Lowe's unsecured Wi-Fi network to reach its central network and steal personal and credit card information from Lowe's. The 21-year-old defendant was sentenced to nine years in prison for breaking into the network, the longest term ever imposed in the US for hacking.

The defendant and his two co-conspirators sat in a car in a Lowe's parking lot and accessed the network over Wi-Fi from there. They were caught because vigilant system administrators spotted the unusual network traffic. Also critical in breaking up the conspiracy was the car with its "suspicious-looking" antennas.

The Associated Press reports that this is the harshest prison sentence ever for hacking into a computer network. The second harshest is Kevin Mitnick's 1999 sentence of 5 years and 8 months. The harsh sentence was imposed mainly because of the potential losses of over $2.5 million stipulated in the defendant's plea agreement.

It is interesting that one of the co-conspirators was exonerated of the main charges but eventually pleaded guilty to a misdemeanor for checking his email over Lowe's network. This one qualifies for Jay Leno's "stupid criminals" column.

Via InternetWeek and SecurityFocus.

December 17th, 2004 by dm Vulnerabilities none Comments

The Department of Homeland Security leads by example, unfortunately in the "How not to..." column of cyber security. The agency entrusted with keeping America safe from attacks both on the ground and over the Net was the target of a security audit:

Earlier this year security auditors armed with ISS's Internet Scanner, @stake's L0phtCrack and Sandstorm Enterprises' PhoneSweep 4.0 spent five months probing hosts, attacking passwords and war dialing the Department.

They found that some of the hosts designed to allow home workers and other trusted users access to DHS networks by modem or over the Internet lacked the authentication measures called for by official NIST guidelines and recommendations by the National Security Agency, like minimum password lengths and password aging.

So, according to this audit, you and your organization should:

  1. Impose a minimum password length and enforce it (and make sure every account has a password at all);
  2. Keep patches up to date, especially the critical ones;
  3. Keep phone lines connected to modems secured and accounted for (war dialing, although somewhat old, is still something an attacker will try).
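An offline check for the first point, as an added example that is not from the DHS audit or the tools named in the quote. It assumes a Unix host whose remote-access accounts live in `/etc/shadow` and whose policy lives in `/etc/login.defs`; the account names, hashes, dates and policy values are constructed, and the required values (8 characters, 90 days) are example thresholds, not a quotation from NIST or NSA guidance. It flags exactly the two findings the auditors reported, accounts with no password and accounts whose password never expires, and then checks the system-wide minimum length.

```python
# Added example (constructed shadow and login.defs excerpts); not the auditors' tooling.
SHADOW = """\
root:$6$rounds=5000$saltsalt$Hs4pEaY1:12770:0:99999:7:::
dmz-vpn:$6$saltsalt$4n3p9g8jN:12700:0:90:7:::
dialin:$6$saltsalt$Qm2c8v1zL:12600:0:99999:7:::
homeuser::12770:0:90:7:::
daemon:*:12000:0:99999:7:::
nobody:!:12000:0:99999:7:::
"""

LOGIN_DEFS = """\
# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
"""

NO_AGING = 99999  # the shadow(5) value that means "password never expires"


def parse_shadow(text):
    """Yield (account, password_field, max_days) for each shadow entry."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue  # malformed entry; a real audit should report it rather than skip it
        max_days = int(fields[4]) if fields[4] else None
        yield fields[0], fields[1], max_days


def audit_shadow(text, max_age_days=90):
    """Return (account, finding) pairs in file order.

    empty-password: anyone can log in as this account with no password at all.
    no-aging: the password never expires (or expires later than max_age_days),
              so a cracked or leaked password stays valid indefinitely.
    """
    findings = []
    for name, pw, max_days in parse_shadow(text):
        if pw == "":
            findings.append((name, "empty-password"))
            continue
        if pw.startswith(("!", "*")):
            continue  # locked or no-login account: aging is irrelevant
        if max_days is None or max_days >= NO_AGING or max_days > max_age_days:
            findings.append((name, "no-aging"))
    return findings


def audit_login_defs(text, min_len=8, max_days=90):
    """Return (setting, actual, required) triples for policy values that fall short."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    findings = []
    got_len = int(settings.get("PASS_MIN_LEN", 0))
    if got_len < min_len:
        findings.append(("PASS_MIN_LEN", got_len, min_len))
    got_max = int(settings.get("PASS_MAX_DAYS", NO_AGING))
    if got_max > max_days:
        findings.append(("PASS_MAX_DAYS", got_max, max_days))
    return findings


if __name__ == "__main__":
    for account, finding in audit_shadow(SHADOW):
        print(f"{account}: {finding}")
    for setting, actual, required in audit_login_defs(LOGIN_DEFS):
        print(f"{setting} is {actual}, should be at most/least {required}")
```

Two caveats when running this against a real host: `PASS_MIN_LEN` in `login.defs` is only honoured by some password-changing tools, so on a PAM-based system the effective minimum length is set by the password module in the PAM stack and must be checked there as well; and a system-wide policy does nothing for accounts that were created before it was tightened, which is why the per-account shadow check is the one that matters for hosts that have been around for a while.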

More by SecurityFocus.

December 16th, 2004 by dm Law & Policy, Phishing none Comments

November and December are two of the big shopping months, and with them comes an ever-increasing amount of phishing. News.com reports that in November phishing attacks increased by 29 percent. A total of 51 brands were hijacked under different circumstances and on different pretexts, but all of them managed to attract victims and collect personal information, often without the victims even suspecting.

One of the problems with phishing is its latency. It may take months before a victim realizes that his or her identity has been stolen, credit card used or bank account compromised. Often the cause is never found; sometimes the victim remembers that suspicious-looking email from their bank asking for their password. This latency makes detection very hard and makes prevention after the fact nearly impossible. What is left is prevention before the incident, and that requires user education, stricter penalties for phishers and better use of technology to fight the problem.

December 15th, 2004 by dm Spam none Comments

In an unfortunate ruling, a Maryland county court struck down Maryland's anti-spam law. The law allowed Maryland residents to sue over emails containing misleading or fraudulent information. A law student (doesn't he have exams to take anyway, instead of dealing with spammers?) whose company is incorporated in Maryland sued a New York-based e-mail marketer for damages under Maryland's 2002 Commercial Electronic Mail Act.


In 2002 the Maryland Commercial Law Code, Title 14, Subtitle 30, made it illegal to send a UCE message that uses a third party’s domain name without permission or one that contains false or missing routing information or one that has a false or misleading subject line. The law applies if a message is sent from within Maryland or if the sender knows that the recipient is a resident or if the registrant of the domain name contained in the recipient’s address will confirm upon request that the recipient is a Maryland resident. A person who violates this law is liable for reasonable attorney’s fees and for damages to the recipient of commercial electronic mail in an amount equal to the greater of $500 or the recipient’s actual damages; to the third party without whose permission the third party’s internet domain name or e-mail address was used, in an amount equal to the greater of $500 or the third party’s actual damages; and to a service provider, in an amount equal to the greater of $1,000 or the service provider’s actual damages.


The judge struck down the Act as unconstitutional mainly because of the parties and their locations. Eric Menhart, the law student who brought the case, has a company incorporated in Maryland but actually lives in the District of Columbia. So when an email is sent to a presumably Maryland-based email address, it is probably actually downloaded in DC, without passing through or touching Maryland's territory (or, more accurately, a router or server located in Maryland). Thus, the judge ruled, the Maryland law cannot regulate interstate commerce outside the state's borders.

It is unfortunate that this law was struck down, because it gave individual consumers the tools to sue spammers. After the federal CAN-SPAM Act went into effect in January, many state laws dealing with spam were preempted. However, several state laws dealing with fraudulent email communications, such as Maryland's, were not preempted. Although observers believe that the Act will be upheld on appeal, I am somewhat concerned because of the facts of the case. I don't think Eric Menhart's situation makes a good test case for appeal, mainly because of his location in DC and the fact that the email may not really affect Maryland in any way.

The appeal, if and when it happens, is likely to be extremely interesting. Stay tuned.

December 9th, 2004 by dm Vulnerabilities none Comments

ZDNet warns that virus writers, phishers and hackers are uniting their efforts and creating ways to exchange information that can be cross-used for faster and more efficient attacks. In the near future we should expect this to lead to very quick exploits of newly discovered vulnerabilities, since the exchange of information among "malware" writers is likely to cut the time needed to create and distribute an exploit.

Virus writers are combining their efforts with hackers and spammers to launch Swiss Army knife-like malware attacks on users, Kaspersky Labs warned this week.


Swiss Army knife-like attack? Not sure exactly how this would work in reality, but the possibilities of collaboration between the attackers are scary.
