January 26th, 2005 by dm (Law & Policy, Vulnerabilities)

It is hard to be Microsoft. I mean this in the sense that anything they do is subject to attacks, criticism, and doubt. I am doing none of those in this post; I only want to illustrate a hard dilemma they are facing.

Microsoft announced that it will require Windows users to verify that they have a valid (read: licensed) copy of the operating system before they can apply patches or fixes to it. (CNNfn, News.com) Under the new program, called Genuine Advantage, legitimate users will be entitled to download and install the timely patches, security fixes, and add-ons that Microsoft decides to release. According to CNN, the program is to start in mid-2005. Microsoft also says that users who do not own a legal version of its software will still be able to download and install patches and fixes, but not the add-ons.

I understand that Microsoft is facing difficult choices and that the decision to implement the new program surely did not come easily. On one hand, Microsoft is losing large sums of money to unauthorized copies of its software, sold mainly abroad. Microsoft is protecting its legitimate interest in fighting software piracy, one of the biggest arms of cybercrime today. On the other hand, Windows is cited as the #1 reason for the current "chaotic" state of the Internet - worms, viruses, spyware - they all owe some of their existence and "success" to Windows and its state of insecurity. Despite Microsoft's efforts to prevent illegal software distribution, a substantial portion of Internet users run non-licensed Windows versions, and preventing them from updating their systems with patches and security fixes will have a dramatic effect on the spread of Internet malware.

Even though Microsoft claims that non-licensed Windows versions will still be eligible for patches, the Genuine Advantage program will likely either delay the delivery of critical security fixes or prevent it altogether. Knowing that Microsoft actively monitors the legality of each Windows version, the majority of users with illegal Windows versions will not even try to seek security fixes for their machines.

This presents a difficult dilemma for Microsoft - protect its corporate interests or protect the Internet. The line between these two goals is thin, and a wrong step in either direction can backfire on Microsoft.

January 25th, 2005 by dm (Law & Policy)

Gibson, a London-based FBI agent, had some harsh words for Yahoo and Hotmail during a Computer Crime Conference in London. The agent chided Hotmail and Yahoo for hampering the global fight against cybercrime through poor controls and lax compliance with local laws, which creates a relaxed environment for cybercriminals.

Under the Regulation of Investigatory Powers Act 2000 (RIPA), a UK law, police and other investigative authorities have the authority to intercept communications, conduct covert surveillance of electronic (including encrypted) data, or tackle strong encryption schemes. Gibson’s complaint is that many large ISPs, such as Yahoo and Hotmail, use their international, multi-jurisdictional presence as an excuse for not complying with British laws such as RIPA.

"With Hotmail and Yahoo! you can’t get data using RIPA [the Regulation of Investigatory Powers Act] because information is stored in the US," Gibson said. "Why aren’t ISPs required to comply with the laws of this country?"

The basic problem is that many Internet criminals use free webmail, often provided by Yahoo or Hotmail, to conduct their illegal activities around the globe. The lack of workable mechanisms for law enforcement authorities to obtain information from ISPs hampers their efforts, at least delaying the detection and investigation of crimes that are, in most cases, time-sensitive in nature. What is the solution? According to Gibson it is simple: better cooperation between ISPs and law enforcement. The laws are there; only cooperation is required. On the other hand, companies such as Yahoo and Hotmail may be interested in preserving the privacy of their US-based customers, for example from intrusion by law enforcement agencies in another country. International, multi-jurisdictional issues such as this one, especially in a fast-moving and little-regulated area such as the Internet, are likely to be very tricky, as the line between privacy, independence, and law enforcement is very thin.

January 23rd, 2005 by dm (Scams)

While law enforcement, sports leagues of all levels, and concerned parents are trying to deter the sweeping use of illegal steroids among young and not-so-young athletes, many of the users do not actually have to leave their homes to get the steroids. MSNBC reports how illegal drug sellers list them as books or under other "drug-related" categories to circumvent eBay’s technological and human crime-detection units.

During an investigation, dozens of items that appeared to be anabolic steroids were found listed on eBay (screenshot of eBay auction). Many of them were listed as a "book/pamphlet on Dbol," apparently a common eBay name for the actual drug among eBay drug sellers and buyers. Once notified, eBay acknowledged that the auctions "slipped" through its detection mechanisms. Rob Chestnut, eBay’s VP and a former federal prosecutor, admitted that eBay let these listings "slip."

The problem with eBay and most online auction sites is that unless they have strict policies and mechanisms to police their listings, they are likely to be misused by drug sellers. Although dealing illegal steroids through eBay is not something we have seen often on "Law & Order," it certainly has the potential to become a new medium for drug distribution. If sellers are smart enough, they can obtain a great level of anonymity in conducting their operations.

The MSNBC article writes that eBay was notified of the problem last year and that the problem was discussed in Senate hearings last summer. Isn’t this sufficient to put eBay on notice of the problem, so that the recent drug sales over its network shouldn’t have happened at all?

January 21st, 2005 by dm (Cybersquatting)

Many of you will remember that as of November 12th, ICANN made a change to its domain ownership rules. Under the new policy, if the registrar of record fails to respond within five calendar days to a notification by the Registry regarding a transfer, this will result in a default approval [emphasis added].

It appears that the recent case of Panix.com, an ISP whose domain name was hijacked, was caused exactly by this change in ICANN policy. The domain name panix.com was thus reassigned to somebody else who, in turn, repointed the domain to a Canadian server. As a result, all incoming mail for Panix’s customers, including sensitive emails, passwords, etc., went to the unauthorized Canadian server. Imagine what they can do with this.

This incident comes at a time of increased criticism of ICANN’s change of policy. The policy change was intended to make it easier for companies to move their domains from one registrar to another. Ease of transfer appears to be balanced by ease of hijacking. Domain name owners can and should "lock" their domains. Locking a domain against transfer requires a formal authorization before a transfer takes place, but not all registrars locked domains automatically after the new policy went into effect. [Thanks IPTAblog and InternetNews]

"Anyone that doesn’t have their domain locked down at the registrar is at risk to a registrar that has a loophole in their system or doesn’t follow the appropriate guidelines," he said. "They’re basically at risk to more than 200 accredited ICANN registrars that have the ability to submit a command to request transfer of the domain and we have no way to know whether that command was authorized or wasn’t authorized."

As a result of the Panix.com incident many registrars are now locking their domains by default, but there are and will be more who do not. Moral of the story - if you are a domain name owner, make sure it is locked at the registrar level, or risk public embarrassment, information leaks, or lawsuits by angry customers.
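One way to check the advice above in practice, as an added example that is not part of the original post: read the EPP status codes out of a WHOIS response and, for an unlocked domain, compute the day on which an unanswered transfer notification would be treated as approved under the five-calendar-day rule. The WHOIS texts below are constructed for illustration, and the "Domain Status:" line layout is assumed to match the registry output the reader has on hand.

```python
import re
from datetime import date, timedelta

# Constructed WHOIS-style responses (illustrative, not real registry output).
LOCKED_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
"""

# EPP status codes that make the registry reject an inter-registrar transfer:
# 'client...' is set by the registrar (the lock discussed above), 'server...'
# by the registry itself.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}


def domain_statuses(whois_text):
    """Collect the EPP status codes from every 'Domain Status:' line."""
    return {m.group(1).lower()
            for m in re.finditer(r"^Domain Status:\s*(\S+)", whois_text, re.M)}


def is_transfer_locked(whois_text):
    """True when at least one transfer-prohibiting status is present."""
    return bool(domain_statuses(whois_text) & TRANSFER_LOCKS)


def default_approval_date(notified_on, grace_days=5):
    """Day on which an unanswered transfer notification counts as approved
    under the five-calendar-day rule quoted above."""
    return notified_on + timedelta(days=grace_days)


def assess(whois_text, notified_on):
    """Return (locked, deadline). A locked domain has no exposure window;
    an unlocked one auto-transfers if nobody objects by the deadline.
    `notified_on` is an ISO date string such as '2005-01-14'."""
    if is_transfer_locked(whois_text):
        return True, None
    deadline = default_approval_date(date.fromisoformat(notified_on))
    return False, deadline.isoformat()


if __name__ == "__main__":
    for text in (LOCKED_WHOIS, UNLOCKED_WHOIS):
        print(assess(text, "2005-01-14"))
```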

January 20th, 2005 by dm (Copyright, Law & Policy)

The Department of Justice is stepping up its efforts to help the entertainment industry battle the increasing threat of P2P. As many of our readers know, the entertainment industry, represented mostly by the RIAA and MPAA, has been suing illegal movie and music swappers. Now the target has changed - from going after the users to going after the operators of peer-to-peer hubs, which tell individual users what files are located where on the network.

Trowbirdge of New York and Chocoine of Texas each pleaded guilty in the U.S. District Court for the District of Columbia to one count of conspiracy to commit felony copyright infringement. Both operated P2P hubs offering a wide variety of computer games, music, and movies.

"Those who steal copyrighted material will be caught, even when they use the tools of technology to commit their crimes," U.S. Attorney General John Ashcroft says in a statement. "The theft of intellectual property victimizes not only its owners and their employees, but also the American people, who shoulder the burden of increased costs for goods and services."

This is another in a series of arrests and pleas that the feds have obtained in their increasing efforts to stop criminal copyright violations under the Copyright Act. Although large-scale copyright violations are a major problem in cyberspace, they are not nearly as dangerous as the problems that hackers and cyber-criminals pose to the critical infrastructure that almost all United States businesses rely on (which network do you think your bank uses to transmit information between branches?).

Although a large amount of attention is paid to the often teenage copyright violators who are arrested by brave officers, arraigned, and put in jail, very little attention is paid to serious networks of zombies, for example, that have the potential and capability to bring down a major Internet server, or worse. It seems that such intense federal efforts are driven by a deep-pocketed interest in the United States, in the current case the entertainment industry. Shouldn’t other deep pockets such as banks, utility companies, and ISPs join hands in lobbying Congress and the federal agencies in DC to step up the fight against the true "criminal" threat online?

January 17th, 2005 by dm (Scams)

A new type of cyberfraud is on the rise - click fraud. Google and Yahoo are among the leading providers of advertising links, usually targeted to the audience based on the contents of a page (see below for an example of Google’s AdSense/AdWords ads). Newsweek has an article about the rise of "click fraud" and how Google and Yahoo are struggling to adjust the definition of a "good-faith click," their policies, and their methods of preventing this new type of fraud.

One of the major goals for Internet advertisers is to figure out how to measure "real" clicks and filter out scripts or other software or devices that simulate clicks and run up the bill for some innocent advertiser. Because advertisers pay based on the number of clicks, there are many instances where an advertiser pays premium dollars for a highly sought keyword (as much as $12 per click for ‘refinance,’ for example) only to find that the clicks did not result in any meaningful traffic or leads. Google, Yahoo, and others are afraid that this rise in fraud may scare advertisers off to other media such as TV or print.

Based on stories of small advertisers or web site operators who spend $100 on an AdWords budget and see it disappear in dubious clicks, it seems that Google and Yahoo should get serious about a major revamp of how they detect fraudulent clicks and protect their advertisers who pay per click. For example, one of the methods Google currently uses is to track the IP address of the "clicker" and then match this against other clicks from the same IP within certain intervals. I suspect that this information also feeds into some "expected clicks" algorithm that tries to "guess" whether a click was real or not (by real I mean a ‘good-faith’ click made with the purpose of obtaining more information about the good or service offered).

Another way AdWords is abused is for competitors to "click" on each other’s advertisements, trying to "zero" each other’s advertising balances. With increasingly varied methods and tactics of ad-clicking, this starts to look like a cyber-war between tech-savvy competitors in which Google (or Yahoo, or other companies) provides the weapons and the battlefield. The increased sophistication of the fraudsters is demonstrated by their use of zombie computers or worms all over the Internet to generate false "clicks," so that Google’s fraud detection technology is fooled because the traffic seems to come from different, geographically separated machines.
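The per-IP interval check described above, and why distributed zombie clicks slip past it, as an added example that is not Google's or Yahoo's code: a sliding-window counter flags excess clicks from one address on one ad, and a second per-ad counter catches a burst spread across many addresses. The click log, window sizes and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed click log for illustration: (timestamp, source IP, keyword/ad).
SAMPLE_CLICKS = [
    ("2005-01-17 10:00:01", "203.0.113.5", "refinance"),
    ("2005-01-17 10:00:04", "203.0.113.5", "refinance"),
    ("2005-01-17 10:00:09", "203.0.113.5", "refinance"),
    ("2005-01-17 10:00:15", "203.0.113.5", "refinance"),   # 4th click in 14 s
    ("2005-01-17 10:01:40", "198.51.100.7", "refinance"),  # distinct sources,
    ("2005-01-17 10:02:10", "198.51.100.8", "refinance"),  # as a zombie net
    ("2005-01-17 10:02:50", "198.51.100.9", "refinance"),  # would produce
    ("2005-01-17 11:30:00", "203.0.113.5", "refinance"),   # well outside window
    ("2005-01-17 11:30:05", "192.0.2.10", "mortgage"),
]


def _parsed(clicks):
    """Return (datetime, ip, ad) tuples in time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, ad)
                  for ts, ip, ad in clicks)


def _over_limit(clicks, key, window, max_clicks):
    """Sliding-window counter: return the clicks that push any `key` group
    past `max_clicks` inside `window`. Thresholds are illustrative."""
    recent, flagged = defaultdict(deque), []
    for ts, ip, ad in _parsed(clicks):
        q = recent[key(ip, ad)]
        while q and ts - q[0] > window:      # drop clicks older than the window
            q.popleft()
        q.append(ts)
        if len(q) > max_clicks:
            flagged.append((ts.isoformat(sep=" "), ip, ad))
    return flagged


def repeat_ip_clicks(clicks, window=timedelta(minutes=5), max_clicks=3):
    """The per-IP check described above: too many clicks on one ad from one
    address within the interval. Only the excess clicks are flagged, so the
    advertiser still pays for the first `max_clicks`."""
    return _over_limit(clicks, lambda ip, ad: (ip, ad), window, max_clicks)


def ad_click_burst(clicks, window=timedelta(minutes=5), max_clicks=5):
    """Complementary per-ad check: clicks spread across many zombie machines
    pass the per-IP test, so also watch the total rate on each ad."""
    return _over_limit(clicks, lambda ip, ad: ad, window, max_clicks)


def billable(clicks):
    """Clicks the advertiser is charged for after both filters."""
    bad = set(repeat_ip_clicks(clicks)) | set(ad_click_burst(clicks))
    return len(clicks) - len(bad)
```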

How big is this problem? It is big. According to Newsweek it is a $9B per year market and if the rise in click fraud continues, it is likely that this pie will shrink dramatically.

January 14th, 2005 by dm (Spam)

Texas’ Attorney General sued in federal court on Monday, seeking to stop and impose civil penalties on two individuals who allegedly sent unsolicited email worldwide through their companies PayPerAction and LeadPlex. The Texas AG charges that the two individuals used as many as 250 assumed business names to send emails with misleading subject lines; under the CAN-SPAM Act the subject line must clearly indicate that the email is an advertisement. CAN-SPAM doesn’t prohibit sending advertising email, but it requires it to conform to specific requirements, among them that the subject line clearly identify the content as commercial and that there be no misleading or fraudulent content.

A wrinkle in the case is that both individuals sold their interest in their companies in March to a Hong Kong-based company. The HK company is also named in the suit, although it is not clear whether it is subject to jurisdiction in Texas and whether the company plans to appear at all.

In addition to CAN-SPAM, Texas’ AG seeks damages under the Texas Electronic Mail Solicitation Act and the Texas Deceptive Trade Practices Act. Total damages, based on more than 24,000 e-mails collected as evidence and potential penalties of more than $20,000 for each violation, could reach almost $500 million.

January 12th, 2005 by dm (Identity Theft)

Follow-up on the earlier post about the hacking of T-Mobile and the theft of its customers’ personal information - this is how affected (or suspecting) customers should go about protecting their credit reports and identities:

Use the numbers below to contact the relevant government and private agencies about fraud. Especially important are the credit agencies - if you suspect that your personal information has been compromised, you should contact the credit bureaus and place a "fraud alert" on your record. This should slow down (but not completely prevent) people from stealing your identity. A "fraud alert" attached to your record tells the credit bureaus to contact you when someone tries to open a new line of credit on your account. More information on the "fraud alert."

Credit Bureau Fraud Departments

TransUnion, Fraud Victim Assistance Department
Phone: 800-680-7289
Fax: 714-447-6034
P.O. Box 6790, Fullerton, CA 92634-6790

Equifax, Consumer Fraud Division
Phone: 800-525-6285 or 404-885-8000
Fax: 770-375-2821
P.O. Box 740241, Atlanta, GA 30374-0241

Experian, National Consumer Assistance
Phone: 888-397-3742
P.O. Box 2104, Allen, TX 75013

Government Agencies

Federal Trade Commission
Phone: 877-438-4338

U.S. Postal Inspection Service
www.usps.com/postalinspectors

Social Security Administration
Phone: 800-772-1213

Checks

To report the fraudulent use of your checks:

Check Rite: 800-766-2748
ChexSystems: 800-328-5121
CrossCheck: 800-552-1900
Equifax-Telecredit: 800-437-5120
NPC: 800-526-5380
SCAN: 800-262-7771
Tele-Check: 800-366-2425


January 12th, 2005 by dm (Forensics, Hacking, Identity Theft)

SecurityFocus’ Kevin Poulsen has a very interesting and quite chilling account of how an Internet hacker compromised T-Mobile’s servers, was able to extract personal information on some of its 13 million customers, and was able to spy on customers (Secret Service agents and celebrities among them) and read their email and mobile photo communications.

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

The story is a detailed account of how the hacker reached the servers and how the Secret Service set up honeypots and used digital investigation and forensics tools to track and apprehend him. It is also interesting how T-Mobile kept quiet (and apparently still is) about the breach and did not notify its customers. This is a violation of at least California’s anti-identity-theft law, which requires companies to notify their California customers if it is believed that their information has been compromised. Unless T-Mobile falls under an exception, such as law enforcement cooperation, it may be in trouble in California.

A highly recommended read.

January 11th, 2005 by dm (Identity Theft)

How much damage to your financial life can be caused by a helpdesk employee? Substantial. Philip Cummings, a 35-year-old employee of a software company that helps lenders access major credit databases, was sentenced by a New York judge to 14 years in prison in what is believed to be the largest ID theft ever.

Cummings had access to clients’ codes for accessing major credit databases and apparently used these codes to obtain people’s credit reports and pass them on to an accomplice, who would sell the information and share the proceeds with Cummings. Losses have been estimated at between $50M and $100M, but it would be very difficult to pinpoint the exact number because many victims may not be aware that their identities and financial lives have been ruined.

Judge George B Daniels said the case "emphasised how easy it is to wreak havoc on people’s financial and personal lives", and added that consequences for individual victims were "almost unimaginable". [BBC]

Cummings and his associate would sell a stolen identity for about $60, which could then be used to access the victim’s bank accounts, open new lines of credit, or have new ATM cards mailed directly to them.

This story underlines again the need for better protection of essential information such as credit reports and personally identifiable information. Identity theft is raging in the US, and it can take months for a victim to "clean" their credit history after they discover the theft. It may even take years before the victim realizes what happened. Many credit bureaus are trying to improve their business methods to secure the information, but apparently this is not sufficient. A harder approach, with stiffer penalties for identity theft, would be more helpful.
