No, I am not talking about the obvious use of digital cameras to secretly take photos of confidential documents or secret installations, or to record some activity which is supposed to remain unrecorded. With relatively high quality digital cameras being built into increasingly smaller cases or into mobile phones, it is clear why many organizations and government agencies are banning digital cameras, or phones which have digital cameras, altogether.
This article focuses on another aspect of digital photography - the Exif (Exchangeable image file format) [sample here]. As many readers know, this is a format used by digital cameras to store information about the photo (metadata) which can describe technical aspects of the photo (e.g. camera manufacturer and model, exposure time, flash, date and time the photo was taken, etc.). Such technical information does not seem to pose much of a security risk - knowing the model of the camera used may be relevant in some cases to show ownership of the camera or to somehow authenticate the picture, but such use is limited. However, many photographers, professional and amateur alike, use Exif data to "tag" their photos and to store a photo description and other relevant information. The advantage of this method is that once a photo is taken and subsequently tagged by the photographer with location, description, and other relevant information, anyone who has the digital file can read the Exif information. The disadvantage, unfortunately, is that anyone can read the Exif information.
There are two types of Exif information - automatically stored and user-created. Both are potentially dangerous in different ways. Let’s focus on the user-created Exif information first.
More than a year ago, a high profile article on WashingtonPost.com illustrated how Exif data can be misused. An article by Brian Krebs, "Invasion of the Computer Snatchers", interviewed a hacker known online as "0x80" who was allegedly promised anonymity. The story included a nice photo of the alleged hacker taken from an angle and with light effects so as to mask the identity of the hero of the story. However, the Washington Post editors forgot to remove the Exif information from the photo. Incidentally, it contained some very revealing information, one item being "LOCATION: Roland, OK", which is a small town with a population of 2,842. By confessing to controlling thousands of compromised PCs for malicious use, and by having his location revealed, the alleged hacker's identity is almost openly revealed, which may tip off the authorities and subject him to criminal prosecution for a variety of computer crimes.
The Washington Post gaffe shows how Exif data can be inadvertently "leaked" onto the Internet and can lead to potentially disastrous effects. I am not aware of any adverse consequences to the hacker in the Post story, but hopefully the point is made.
The second type of Exif information is the automatically stored data that is created most often by the camera. As indicated above, such data may be the time and date when the photo was taken, flash, resolution, camera type and model. However, one additional piece of automatically stored information may be GPS location. Some modern cameras (and an increasing number of new models) come with either a GPS device built in or the ability to attach one. The result is that the camera will automatically store the GPS coordinates of each photo in its Exif data. This could be a very convenient tool - after all, everybody would like to have his or her pictures neatly placed on a map based on where they were taken. Professional photographers would also appreciate the convenience. But as the Washington Post story suggests, taking a photo of a secret object and leaving the Exif data intact before posting the photo on the Internet may pose problems.
Exif also often contains a thumbnail image of the original photo. We see many digital photos on the Internet where the face or another part of the photo is blurred out or redacted in some way. Unfortunately, many of the posters of those photos do not realize that the digital photo's Exif information may contain a thumbnail version of the original, unedited photo. This is an example of a photo in which the identity of the photo's subject was masked, only to be left intact in the Exif thumbnail embedded in the photo.
So, what is the solution? There are two prongs: one is procedural and one is technical. First, check what type of Exif information your camera can store and make adjustments, if necessary. Second, think twice before tagging photos with keywords or other descriptions, especially if you are in the business of posting images online or sharing digital image files with others. Don't forget that once you post or send a digital image with "dangerous" Exif information, there is no way to get it back. Third, use Exif removal software.
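To make the three points above concrete (GPS coordinates stored by the camera, the embedded thumbnail that survives redaction, and stripping the data before publishing), here is an added, self-contained Python example that is not part of the original article. It constructs a tiny JPEG with a hand-built Exif APP1 segment (the "Acme" make, the latitude and the stand-in thumbnail are all made-up sample values), reads back what a viewer or a search engine would see, and then removes the APP1 segment without touching the image data. The parser handles only the tags the article discusses, not the full Exif specification.

```python
import struct

# Tag numbers from the Exif/TIFF specification
TAG_MAKE, TAG_GPS_IFD = 0x010F, 0x8825
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202
GPS_LAT_REF, GPS_LAT = 0x0001, 0x0002
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def _ifd(entries, base, next_ifd=0):
    """Serialise one little-endian IFD: (tag, type, count, payload) entries.
    Payloads longer than 4 bytes are placed after the IFD at absolute TIFF offsets."""
    n = len(entries)
    data_start = base + 2 + 12 * n + 4
    head, tail = struct.pack('<H', n), b''
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            head += struct.pack('<HHI', tag, typ, count) + payload.ljust(4, b'\0')
        else:
            head += struct.pack('<HHII', tag, typ, count, data_start + len(tail))
            tail += payload
    return head + struct.pack('<I', next_ifd) + tail


def build_sample_jpeg():
    """Constructed sample (not a real camera file): minimal JPEG with an Exif APP1
    segment carrying Make, a GPS sub-IFD with a latitude, and an IFD1 thumbnail."""
    thumb = b'\xff\xd8THUMB\xff\xd9'                       # stand-in thumbnail JPEG
    lat = struct.pack('<IIIIII', 35, 1, 24, 1, 3600, 100)  # 35 deg 24' 36.00" as 3 RATIONALs
    ifd0_base = 8
    gps_base = ifd0_base + 2 + 12 * 2 + 4 + 6              # IFD0: 2 entries + 6-byte Make
    ifd1_base = gps_base + 2 + 12 * 2 + 4 + len(lat)
    thumb_off = ifd1_base + 2 + 12 * 2 + 4
    ifd0 = _ifd([(TAG_MAKE, 2, 6, b'Acme\0\0'),
                 (TAG_GPS_IFD, 4, 1, struct.pack('<I', gps_base))], ifd0_base, next_ifd=ifd1_base)
    gps = _ifd([(GPS_LAT_REF, 2, 2, b'N\0'), (GPS_LAT, 5, 3, lat)], gps_base)
    ifd1 = _ifd([(TAG_THUMB_OFFSET, 4, 1, struct.pack('<I', thumb_off)),
                 (TAG_THUMB_LENGTH, 4, 1, struct.pack('<I', len(thumb)))], ifd1_base)
    tiff = b'II*\0' + struct.pack('<I', 8) + ifd0 + gps + ifd1 + thumb
    app1 = b'Exif\0\0' + tiff
    sos = b'\xff\xda' + struct.pack('>H', 8) + b'\x01\x01\x00\x00\x3f\x00'
    return (b'\xff\xd8' + b'\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1
            + sos + b'scan-data' + b'\xff\xd9')


def _u16(b, o, e): return struct.unpack(e + 'H', b[o:o + 2])[0]
def _u32(b, o, e): return struct.unpack(e + 'I', b[o:o + 4])[0]


def _read_ifd(tiff, off, e):
    """Return ({tag: value}, next_ifd_offset) for the IFD at `off` in the TIFF block."""
    tags, n = {}, _u16(tiff, off, e)
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = _u16(tiff, p, e), _u16(tiff, p + 2, e), _u32(tiff, p + 4, e)
        size = TYPE_SIZE.get(typ, 1) * count
        vo = p + 8 if size <= 4 else _u32(tiff, p + 8, e)   # inline value or pointer
        raw = tiff[vo:vo + size]
        if typ == 2:
            tags[tag] = raw.rstrip(b'\0').decode('ascii', 'replace')
        elif typ == 5:   # RATIONAL: pairs of numerator/denominator; guard zero denominators
            tags[tag] = [a / b if b else float('nan') for a, b in struct.iter_unpack(e + 'II', raw)]
        elif typ in (3, 4):
            tags[tag] = _u32(tiff, vo, e) if typ == 4 else _u16(tiff, vo, e)
        else:
            tags[tag] = raw
    return tags, _u32(tiff, off + 2 + 12 * n, e)


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    assert jpeg[:2] == b'\xff\xd8', 'not a JPEG'
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack('>H', jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:   # SOS: entropy-coded scan data follows, stop walking
            return
        pos += 2 + length


def read_exif(jpeg):
    """Return what the Exif APP1 segment exposes: make, decimal latitude, thumbnail bytes."""
    out = {}
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b'Exif\0\0'):
            continue
        tiff = payload[6:]
        e = '<' if tiff[:2] == b'II' else '>'
        ifd0, next_off = _read_ifd(tiff, _u32(tiff, 4, e), e)
        if TAG_MAKE in ifd0:
            out['make'] = ifd0[TAG_MAKE]
        if TAG_GPS_IFD in ifd0:
            gps, _ = _read_ifd(tiff, ifd0[TAG_GPS_IFD], e)
            if GPS_LAT in gps:
                d, m, s = gps[GPS_LAT]
                lat = d + m / 60 + s / 3600
                out['latitude'] = -lat if gps.get(GPS_LAT_REF) == 'S' else lat
        if next_off:   # IFD1 describes the embedded thumbnail of the *unedited* image
            ifd1, _ = _read_ifd(tiff, next_off, e)
            if TAG_THUMB_OFFSET in ifd1 and TAG_THUMB_LENGTH in ifd1:
                o, n = ifd1[TAG_THUMB_OFFSET], ifd1[TAG_THUMB_LENGTH]
                out['thumbnail'] = tiff[o:o + n]
    return out


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed, image data untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b'Exif\0\0':
            continue
        if marker == 0xDA:
            out += jpeg[start:]   # SOS header plus all remaining scan data and EOI
            return bytes(out)
        out += jpeg[start:end]
    return bytes(out)


if __name__ == '__main__':
    sample = build_sample_jpeg()
    print(read_exif(sample))                 # make, latitude and thumbnail are all visible
    print(read_exif(strip_exif(sample)))     # {} once the APP1 segment is gone
```

The stripper drops the whole APP1 block rather than editing individual tags, which is the safe default: the thumbnail and the GPS sub-IFD both live inside that one segment, so removing it clears both in one step, while the scan data after SOS is copied through unchanged.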
Hopefully this article will raise awareness of Exif and will prevent future embarrassing "accidents" like the Washington Post one from last year.
From Slashdot.org:
"The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS’s 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. ‘Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller … The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.’"
A congressional report scheduled to be released on August 3 but reported by the Washington Post alleges that the U.S. government’s main border control system has many security weaknesses, placing at risk of theft or manipulation the data of millions of passengers, including passport, visa, Social Security numbers, and biometrics, such as fingerprints.
The US-VISIT system has been in place for several years and is considered one of the first lines of defense aimed at stopping terrorists or other unauthorized persons from entering the United States at hundreds of airports, seaports, and land crossings. The system collects passengers' personal information and stores it in a massive database which can be data-mined for various border control and immigration purposes. The US-VISIT system is said to store facial images and fingerprints of 90 million individuals and is used to vet 54 million border crossings each year. Adding the biometric information on top of the detailed personal information stored in the system makes it a pretty attractive target for cyber criminals or hostile foreign governments.
According to the report, "[w]eaknesses existed in all control areas and computing device types reviewed."
"These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information," GAO investigators said in the report.
It is not hard to imagine the possible national security and individual privacy consequences that a breach of this vast system may have. Let’s hope that the vulnerabilities are closed quickly.
A Philadelphia Federal District Court held that an accountant who used his computer to copy information about his previous employer’s clients to share with his new employer did not violate the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, but the act might have been in violation of the fiduciary duty owed to his employer by soliciting clients for his new employer while still working for his old employer. The case is Brett Senior & Assocs. v. Fitzgerald, E.D. Pa., No. 06-1412, 7/13/07.
The defendant, Stephen Fitzgerald, was an accountant who was employed by the law firm of Brett Senior & Associates since 1989. He did not sign an employment agreement at the time he was hired but in 1999 he signed a conflict of interest agreement that said employees were not allowed to "disclose to a competitor confidential or proprietary information, including client lists, if the information is not generally known to the public."
The Story
In early 2005, Fitzgerald interviewed for a job with Fesnak & Associates. In November 2006, Fitzgerald told BSA that he had accepted a job with Fesnak, and just before leaving BSA a month later, Fitzgerald copied tax information regarding BSA clients from his work files. BSA warned Fitzgerald not to use confidential information; however, Fitzgerald approached 20 clients to follow him to Fesnak, and 15 of those 20 did. Subsequently more clients followed Fitzgerald to his new employer. As a result, BSA sued, alleging, among other claims, that Fitzgerald violated the Computer Fraud and Abuse Act.
The Court’s Holding
The court's reasoning in dismissing the computer fraud claim under section 1030 was that a computer fraud claim must show an unauthorized procurement or alteration, not mere misuse or misappropriation. The court said that 18 U.S.C. 1030(a)(4) prohibits the unauthorized procurement or alteration of information, not its misuse or misappropriation. Because Fitzgerald had full and legally authorized access to BSA's computer system when he copied the information before he left the firm, the court could not hold that he accessed BSA's computers without authorization or that he exceeded his authorization.
The court, however, held that Fitzgerald’s actions may constitute a breach of fiduciary duty because Fitzgerald contacted 20 BSA clients to join him in moving to Fesnak while he was still employed at BSA.
Split of Authority?
The outcome of this case on the computer fraud claim is interesting because it goes against what other courts have held in the past. We wrote in August 2006, on similar facts in Lockheed Martin Corp. v. Speed (M.D. Fla.), that an employee who copies computer files prior to departing for a rival firm has not "exceed[ed] authorized access" as that key phrase is defined under the Computer Fraud and Abuse Act. The Fitzgerald and Lockheed Martin cases have similar outcomes on somewhat similar facts. However, they both seem to contradict what the 7th Circuit Court of Appeals held earlier in 2006.
Judge Richard Posner of the Seventh Circuit in International Airport Centers LLC v. Citrin, 440 F.3d 420 (7th Cir. 2006), held that the CFAA imposed liability on the premise that the employee's authorization vanished once he breached a duty of loyalty to the employer. Presumably, this may be long before the employee is terminated, so the employee "exceeds authorization" whenever he or she takes substantial steps towards breaching the duty of loyalty to the original employer - e.g. contacting a competitor, etc.
The Fitzgerald court held that he may have breached the fiduciary duty owed to his current employer by copying information to be used for the new employer. If the court had followed Judge Posner's Citrin reasoning, then the Fitzgerald outcome would have come out differently, because Fitzgerald breached his duty of loyalty before he was terminated (or quit) and he accessed BSA's computer systems during and after this breach. Therefore, in the Seventh Circuit, this case should have come out the other way.
Is Citrin the Rule or the Exception?
It is unclear. Citrin certainly provides good Circuit Court authority for employers who want to go after their departing employees for breach of loyalty under the CFAA. But District Court opinions such as Fitzgerald and Lockheed Martin may slowly start undermining Citrin's authority and gradually lead to its rejection in other circuits.
We have written about the prevalence of botnets and the fact that they are one of the major causes of modern-day cyberattacks. This is hardly in any dispute today. The debate is what should be done to fight the increasingly powerful botnets and there does not seem to be an easy answer.
Some have suggested that ISPs should be responsible for botnets. The ISP is the party in the chain of Internet traffic closest to the infected at-home zombie PC, and therefore the party most capable of stopping the spread of malicious traffic, whether it originates from an already infected zombie PC or is aimed at infecting a PC within the ISP's network.
A recent report by the Internet Security Operations Task Force (ISOTF) suggests that many ISPs not only fail to address a substantial number of botnet complaints, but that some ISPs named in the report did not address any of the complaints directed at them.
The ISOTF report suggests that many ISPs are slow to react to botnet complaints. This is troubling because the ISP is put on notice of a problem customer or computer and then fails to do anything to stop an already identified threat. This is not proactive scanning, detection, or prevention, which may require sophisticated network traffic shaping or detection. This is simple customer relationship management: taking up the complaint and resolving it in a timely fashion. In fairness to ISPs, many of which are small operations, they may not have the manpower and resources to deal with a large-scale botnet attack on their network and respond to all complaints in a timely fashion.
On the other side of the equation is proactive botnet prevention. There are commercial services which provide real-time monitoring for ISPs. For example (and without any endorsement or personal interest), Arbor Networks offers a service called PeakFlow that continually monitors networks to look for threats such as DoS attacks. Of course such services cost money, but the ISP is in the best position to spread the cost across its subscribers. The customers would get at least some assurance that their at-home PCs would work better and be less likely to become botnet zombies. The ISP would free some resources from having to deal reactively with botnet complaints and be able to shift those resources to more productive tasks.
There are other aspects of this debate. For example, some would argue that it is not the ISP's business to filter traffic and determine on its own what kind of traffic should be filtered or not — a modified version of a net neutrality argument. Others argue that it is the end-user's responsibility to ensure that his or her PC is properly protected and, if infected, to properly clean it up. However, such arguments seem to miss the point. ISPs should be able to protect their own infrastructure by having the sole authority to determine what is malicious traffic and to act in an appropriate way to stop such traffic. And although individual users should be responsible for their own PCs, the cumulative effect of zombie PCs within an ISP's network is to potentially threaten the ISP's operations and, again, the ISP should be able to act to protect itself.
There is no silver bullet for this problem. But if good technological solutions are available for ISPs to use, and if such solutions are economically feasible, an ISP should deploy them for their own networks’ sake and for the sake of the security of the Internet as a whole.