January 31st, 2007 by dm | Hacking, Law & Policy

An interesting story floats around many NBC stations and other major news outlets about a site that protects you from identity theft. It goes along the lines of, "Do you want to make sure your social security and credit card numbers are not stolen? Then come to this website, enter your social security number or your credit card number and we will check for you."

I will not name the site because in my opinion it does not deserve any additional traffic. The point is that although it may seem a great idea, and would seem very appealing to the mainstream media in times of heightened sensitivity to identity theft, this kind of service poses more dangers than benefits. It is also somewhat ironic: by trying to prevent your social security number from appearing on the Internet, you go on the Internet and voluntarily type it into a search engine, which in turn searches some portion of the Internet to figure out whether there is a match. This just sounds wrong.

The site owners make a statement in their defense (and in attempt to appease people like me who feel this is not right),

Your credit card number or social security number alone has little value. These numbers can only be used to commit fraud when they are attached to an address, name, date of birth, expiration date, CVV2, etc. We never know any of this information; therefore, searching for a number with StolenID Search carries little risk of harming you, even in the worst case scenario.

Although true, this statement doesn’t tell the entire story. Having somebody’s social security number or credit card number by itself may not be enough, but it is the most essential piece of information in attempting to steal one’s identity or money. If criminals had the social security number and the IP address of the person who searched for it, they could easily either social engineer or IP-lookup the name and address of the user at that IP address. In many cases this would not work, but in many cases it would. In addition, motivated hackers could penetrate the machine at the originating IP and obtain the name and address needed to steal somebody’s identity.

I hope that I am wrong and that this site provides more help than damage. But as of now I don’t feel right about it.

January 31st, 2007 by dm | Forensics

CNET reports on an Internet surveillance technique adopted by the FBI. According to CNET,

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Essentially, instead of monitoring what a single IP address (the IP address of the target) is doing, the FBI is capturing the traffic for an entire IP block (we are not sure how big this block is, and presumably this depends on the circumstances of a particular case) and then using data-mining techniques to filter and analyze the traffic of their initial target.

According to Paul Ohm, a former federal prosecutor and now a law professor, this "vacuum cleaner" approach has become federal agents’ favorite method of gathering Internet surveillance data. One reason this may pose a legal issue is the requirement under law that law enforcement perform what is called "minimization." 18 U.S.C. 2518 (Procedure for interception of wire, oral, or electronic communications) says that law enforcement must minimize the interception of communications not otherwise subject to interception and keep the supervising judge informed of what is happening.

In the voice surveillance context, this is known as the two-minute rule, which allows agents to listen in on a phone call for two minutes at a time, with at least one minute elapsing between the spot-monitoring sessions. Even though the statute does not provide for storage of captured information, it provides for storing the intercepted communication in the event that the communication is in code or foreign language and in such case the minimization should be accomplished as soon as possible after interception. § 2518(5).

How does this play out in the electronic surveillance field? The statute was originally enacted in 1968 and, although it was subsequently modified to include electronic surveillance, it leaves unclear whether an electronic communication is "code or foreign language" just because Internet traffic is a huge amount of information that is impossible to monitor in real time. In addition, there are evidentiary issues. For example, if in the process of full-pipe surveillance the agents discover incriminating information about a user who was not the target of the investigation but whose data was captured in the "full pipe," can the prosecution use this as evidence in a prosecution of that user? In other words, when casting a large "net" for a target, can the prosecution keep everything it "catches" that is not related to the target?

Courts have wrestled with the minimization requirement for a long period of time, although in a different context. In 1978, the U.S. Supreme Court in Scott v. United States upheld wiretaps of people suspected of selling illegal drugs. The Court said that broad surveillance may be unconstitutional if it goes too far. Writing for the majority, Justice Rehnquist wrote, "if the agents are permitted to tap a public telephone because one individual is thought to be placing bets over the phone, substantial doubts as to minimization may arise if the agents listen to every call which goes out over that phone regardless of who places the call." Similarly, it can be argued that the FBI’s full-pipe surveillance may go too far when they suspect only one individual of using a particular subnet of IP addresses.

It is likely that this debate will continue over the next months and, obviously, it is just a matter of time before a challenge to such surveillance takes place.

January 29th, 2007 by dm | Hacking

The Computer Fraud and Abuse Act (18 U.S.C. 1030) was intended to criminalize hacking into protected computers. However, one of its effects (unintended?) was to create a private cause of action which is very easy to bring in today’s business environment. Essentially, in almost any commercial dispute where a computer is or has been used to store or process relevant (and important) information, a litigant may raise a CFAA claim merely by arguing that the opposing party "exceeded authorization" when accessing information stored on a computer and can therefore be liable under the CFAA for damages if the damages exceed $5,000.

In the past, courts have struggled to decide what exactly constitutes damages under the CFAA. For example, we have discussed cases holding that lost productivity constitutes damages while lost profits do not. A recent case from the Fifth Circuit fleshes out the damages argument a little further. In Fiber Systems Intl v. Roehrs, the Fifth Circuit held that hiring a data loss consultant at a cost of $26,000 to analyze the potential loss of information after defendants allegedly copied information on their way out of the company does constitute damages under the CFAA and satisfies the $5,000 minimum.

Fiber Sys. Int’l v. Roehrs, 470 F.3d 1150. Full opinion.

January 25th, 2007 by dm | Forensics

While we are on the subject of conducting forensic investigations by local (usually small) law enforcement units, here is another story from Connecticut.

A Norwich, Conn. substitute teacher was convicted on charges that she endangered her pupils when the students saw pornographic pop-ups that appeared on her classroom computer. While prosecutors maintained that the teacher visited pornographic Web sites while at work and wondered why she didn’t just turn off the computer, a forensics expert testified that an innocent hairstyling Web site that the teacher had visited installed spyware on her computer and led to the pop-up pornographic ads, according to an article in the Norwich Bulletin. Moreover, police investigators apparently did little forensic investigation of the computer, and the school did not maintain the security software on its systems that could have prevented the spyware from installing, according to reports on the case.

Moral of the story: in the interest of justice, especially when life or liberty is at stake, insist that a proper forensic investigation takes place on the computer in question.

January 25th, 2007 by dm | Privacy, Authentication, Forensics

steganography (n.) The practice of hiding messages, often by writing them in places where they may not be found. Often (wrongly) used to mean the same as cryptography which relates to encoded messages.

Why Use Steganography?

Unlike encryption, steganography (or stego for short) is useful to "hide" data in a way that a third party would not know of its existence and hence would not try to break its encryption or force the encryption key from its owner.

There are many uses for steganography, especially in the information security and privacy field. You may want to exchange sensitive information like passwords or shared secrets over an insecure transmission protocol, such as email or ftp. You can embed secret files that should be available only to a selected audience. You can embed copyright information into digital files and control distribution of content. You can store your own sensitive information in an image, upload it to Flickr, and have the information available anywhere in the world (subject to decryption, of course).
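As an added example (not code from the original post or from any of the tools listed on this page), the following Python shows the least-significant-bit technique that image stego tools rely on: each bit of the secret replaces the low bit of one cover byte, so the carrier changes by at most one unit per byte. The cover is a constructed flat RGB byte buffer standing in for a bitmap, and the 4-byte length header is an assumed framing convention, not any tool's format.

```python
# Added example: LSB steganography over a constructed RGB byte buffer.
# Not the code of Hide in Picture, wbStego, or any other tool on the page.

def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover: bytes, secret: bytes) -> bytes:
    """Hide secret in the low bit of each cover byte.

    A 4-byte big-endian length header (assumed convention) precedes the
    payload so extract() knows where to stop. Each cover byte changes by
    at most 1: invisible to the eye, but still detectable by statistical
    tests, so this hides data rather than protecting it; encrypt first.
    """
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Reassemble bytes from the low bits, honouring the length header."""
    def take(n_bytes: int, offset: int) -> bytes:
        vals = bytearray()
        for b in range(n_bytes):
            v = 0
            for k in range(8):
                v = (v << 1) | (stego[offset + b * 8 + k] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(take(4, 0), "big")
    return take(length, 32)

def changed_bytes(cover: bytes, stego: bytes) -> int:
    """Count altered cover bytes; at most one per payload bit."""
    return sum(1 for a, b in zip(cover, stego) if a != b)

# Constructed cover: a 32x32 "image", 3 bytes per pixel, deterministic pattern.
COVER = bytes((x * 7 + y * 13 + c * 29) & 0xFF
              for y in range(32) for x in range(32) for c in range(3))

if __name__ == "__main__":
    s = embed(COVER, b"ftp password: s3cret")  # constructed secret
    print(extract(s), changed_bytes(COVER, s))
```

A real tool writes the modified pixels back into a lossless format such as BMP or PNG; saving the carrier as JPEG would recompress the pixels and destroy the low bits.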

Stego Tools

There are a variety of tools for steganography. Here is a sample of a few.
- Hide in Picture (Win) - allows you to embed a file into a GIF or BMP image and lets you set a password to retrieve the hidden file.
- wbStego (Win) - allows you to embed files into PDF, HTML, or bitmaps.
- mp3Stego (Win) - allows you to embed files into MP3s
- PictEncrypt (Mac) - adds text to GIF, JPEG, TIFF, PNG, and MacPICT images.

More tools and tutorials.

January 19th, 2007 by dm | Vulnerabilities

An interesting article from ComputerWorld shows another direction from which an organization may be attacked electronically. It is not enough that security managers and ISOs need to worry about compromised PCs, servers, or smart phones; now they also have to worry about their printers.

At the Black Hat conference in Las Vegas in August, O’Connor delivered a blow-by-blow presentation on how to bypass authentication, inject commands at the root level and create shell code to take over printers in Xerox Corp.’s WorkCentre line of printers, which run on Linux operating systems. He described the kinds of mischief you could do with a compromised printer, including password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program.

More at ComputerWorld.

January 17th, 2007 by dm | Forensics, Law & Policy

The Department of Justice has released a 137-page "Investigations Involving the Internet and Computer Networks" manual aimed at local (and unsophisticated in fighting cybercrime) law enforcement units. The DoJ’s concern seems to be that local law enforcement units which lack the resources to train or employ forensic analysts may either miss cybercrimes entirely or wrongfully prosecute.

This manual comes after several local law enforcement agencies bungled some high-tech investigations. The Pennsylvania Supreme Court rejected prosecutors’ attempts to seize newspaper reporters’ hard drives, and the 8th Circuit Court of Appeals ruled that police illegally seized a computer in a methamphetamine investigation. A federal judge permitted an Internet service provider to sue police after it was raided because of Usenet posts its employees knew nothing about. Also, in a dawn raid, Arizona police stormed into the house of a 16-year-old boy named Matthew Bandy and accused him of downloading child pornography, which carried a maximum penalty of 90 years in prison, only to later find out that his computer was thoroughly infected by malware.

The manual is not only aimed at local law enforcement agencies. It should also prove useful to small organizations, schools, or small IT departments who do not have the resources to hire a forensic analyst but want a very basic idea of what may be happening. Having said that, it is very important to understand that if you suspect you are a victim of cybercrime, it is imperative that you 1) report the crime to the appropriate law enforcement agency; and 2) do not touch the original media, do not boot the computer, and do not do anything else that may affect the storage media which contains the possible evidence. Failure to do so may render law enforcement unable to prosecute if the useful evidence they discover has been tampered with.

January 11th, 2007 by dm | Law & Policy

Many information security officers (ISOs) share a complaint - "our users do not listen to us when we ask them to be security conscious; it is hard to motivate them to use good practices, etc."

The problem is large indeed. Most security incidents come from internal users, either purposefully or inadvertently, so focusing on the internal users makes sense to most ISOs. However, new security policies are often met with resentment: users complain that having to pick a stronger password is inconvenient, they do not want to password-lock their screensaver, or they are unwilling to spend two seconds typing a password into their BlackBerry before they check for email. All this leads to a constant tug-of-war between information security professionals and users. The balance is tricky indeed, but it is important to keep insisting on strong information security policies.

How to Justify a New Security Requirement

A new security requirement imposed by the information security officer in an organization will almost inevitably be challenged by management or by users. The good news is that many ISOs can easily justify a new security requirement by pointing to the negative consequences of a data breach (the headlines over the recent months provide plenty of material for this).

Most often in the private commercial sector ISOs can point to the dangers of bad publicity of a data breach, the potential of million dollar lawsuits, and the negative impact on the business. Customers and vendors may take their business elsewhere, shareholders may dump their shares, even employees may quit the company. Of course, if the information breached involves third parties (which it almost always does) then lawsuits or regulatory fines are likely.

Government and education can similarly point to the danger of loss of reputation or the loss of public trust and funds to justify new security requirements — if a university, for example, suffers a serious information security breach then alumni and donors are less likely to donate money, thus negatively affecting the entire institution for years to come. Similarly, the government (local, state, federal) uses public money to conduct its affairs and negative publicity or massive security breaches undermine its credibility and its power.

Thus, showing that a new security policy or requirement has a direct impact on every member of management and the user base is an important step in raising security awareness and gathering support for security initiatives. The battle does not end there, but it helps level the playing field.

January 10th, 2007 by dm | Forensics

Information security and privacy professionals use a variety of tools in their day-to-day work to help identify vulnerabilities, analyze a computer forensically, scan a machine locally or remotely, etc. We will try to start a collection of the most useful information security and privacy tools with links and short descriptions. If your favorite tool is not listed here, please let us know by posting a comment on this page or emailing us.

Active Ports [free] [Windows]. A tool allowing you to monitor all open TCP/IP and UDP ports on the local machine. Also displays remote IP address for each connection and allows terminating it. Useful for detecting malware.

Nessus [free][cross-platform] Perform system vulnerability scans using this free tool. You have to obtain a free registration to get the latest plugins (with a week delay; pay to register and get them in real-time). Very useful for evaluating potential vulnerabilities on machines - servers or workstations. Make sure to have permission or authority before you run scans because the scans may be very intrusive and trigger IDSes.

SenfTrac [free][cross-platform]. Sensitive Number Finder: scans local or network drives for files containing sensitive numbers. Run this against your computer or network to easily determine whether you store SSNs, etc. in plain text readable to anyone. Although this tool is not 100% accurate, it is a good starting point.

Steganography [free][cross-platform]. A variety of tools for using steganography to embed secret images in other files.

TrueCrypt [free/open source] [cross-platform]. On-the-fly encryption of drives. Extremely useful for protecting any sensitive content. Allows strong encryption with almost no degradation of performance.
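To show what a sensitive-number finder like the one listed above actually has to do, here is an added Python example (not SenfTrac's own code) that scans text for SSN and payment-card candidates and filters the false positives a naive regex produces: SSNs with a zero area, group or serial, an area of 666 or 9xx are rejected under the SSA's allocation rules, and digit runs that fail the Luhn check are dropped. The CSV-style sample input is constructed.

```python
# Added example: a minimal sensitive-number finder. Not SenfTrac's code.
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA allocation rules: no zero area/group/serial, no area 666 or 9xx."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (kind, line_no, masked_value) for each plausible hit.

    Only a masked form is reported so the scanner's own output does not
    become another plaintext copy of the sensitive number.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append(("ssn", n, "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits.append(("card", n, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

# Constructed sample: a plaintext export that should never sit on a share.
SAMPLE = """\
employee,ssn,notes
jdoe,123-45-6789,active
test,000-12-3456,invalid placeholder
order 4111 1111 1111 1111 shipped
ticket 1234 5678 9012 3456 (not a card)
"""

if __name__ == "__main__":
    for hit in find_sensitive(SAMPLE):
        print(hit)
```

Running it on a real drive means walking the filesystem and reading each file as text; the hit list then tells you which files need to be encrypted or deleted, which is the decision the tool on the page is meant to inform.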

January 10th, 2007 by dm | Hacking

If it is connected to a computer, then it can be hacked. Two L.A. city employees are charged with hacking traffic lights over a labor dispute. The two men, Gabriel Murillo and Kartik Patel, are charged by the L.A. district attorney’s office, which alleges that the men illegally accessed the city’s Automated Traffic Surveillance Center last August and disconnected four signal control boxes at key intersections. Traffic engineers in the center operate a sophisticated computerized network that monitors road conditions. The engineers can react to traffic jams by adjusting signal timing to improve the flow of vehicles through intersections.

According to the DA’s office, the disruption took place shortly before a job action by members of the Engineers and Architects Association, a union representing employees, such as Murillo and Patel, who run the city’s traffic center.

Murillo is charged with one count each of unauthorized access of a city computer and identity theft. Patel is charged with one count of unauthorized access of a computer and four counts of unauthorized disruption or denial of computer services.
