I resisted writing about the British Tax Authorities’ blunder disclosed last week when they lost two CDs full of sensitive information (bank accounts and social benefits information) of 25 million UK families.  The story received enough mainstream press attention and I was afraid that many of our readers are starting to suffer from "breach fatigue" - hearing all too often about security breaches and missing personal information.

The fundamental reason why the breach occurred are all too common these days - e-mails released by the U.K.’s National Audit Office have confirmed that officials at the Revenue and Customs, did not want to remove sensitive information from child benefit data sent to the auditors because doing so would cost extra (although some experts have said that the cost of "sanitizing" the data could have cost less than the equivalent of $10,000).

Anyway, I could not resist writing about the recent development from the UK for a different reason.  As a response to the initial breach, the Revenue & Customs decided that it owed an apology to the families affected by the breach.  So it decided to mail them a personalized apology letter.  The letter, however, was too personalized - it included name, address, national insurance and child benefit numbers.  The information contained in this letter is all that is needed by identity thieves to open bank accounts, claim benefits or even apply for passports on behalf of somebody else. 

The UK authorities urge people who received the letters to destroy them after they receive them and read them.  But there are a large number of families who will never receive their - either because they moved or because somebody ‘conveniently’ picked the letter out of their mailbox on their behalf. 

So what follows next? A second apology letter to apologize for the loss of the CDs and the first apology letter? No, instead the Revenue & Customs authorities are shifting the blame to the concerned citizens who did not receive the letter by saying that they should have updated their mailing address.

James Paulick, currently pursuing a Juris Doctor decree at Duquesne University in Pittsburgh, Pennsylvania, will be joining us in writing and contributing to this site.  James received his Bachelor of Science in Computer Science from Wheeling Jesuit University and his interests include digital evidence reliability in cybercrimes and property rights in virtual words. 

We are happy to welcome James onboard and we are looking forward to his contributions.

We wrote in May, under the title "Cost of Insecurity" about TJX Companies’ costs in connection with the security breach suffered in 2003/2004.  In a footnote in its November 13 earnings announcement (Edgar report), TXJ increased its estimate of pre-tax charges for the credit card breach to $216 million (compare with the August estimate of $168 million) for the 9-months ending on October 27, 2007.

This charge equals to $0.28 per share.  TJX’s earnings per share are $1.43 and the total divident for the past year was $0.34.  When the charge related to a security breach equals  one-fifth of the EPS and  four-fifths of the annual divident, it should raise a big red flag to other companies to make sure that their data is secure. 

Many of our readers know that the principal cybercrime statute in the United States is the Computer Fraud and Abuse Act, 18 U.S.C. 1030.  It has served well over the years since enaction but some prosecutors (and civil plaintiffs to which it also applies) have complained that it does not keep up with newer types of cybercrime. Possibly in response to these critics, Senators Hatch (UT), Biden (DE), and Cochran (MS) have introduced an amendment to Section 1030.

The new bill, "Cyber-Crime Act of 2007" (S. 2213) (Thomas tracker) would make three substantial amendments:

First, it would prohibit "conspiracy to commit an offense" as well as the offenses actually committed. Currently Section 1030 does not cover explicitly "conspiracy" to commit any of its prohibited offenses, although prosecution was possible under other "conspiracy" provisions of Title 18. This makes it explicit now.

Second, the bill seeks to expand the required damage to protected computers threshold from $5,000 in a one-year period to "damage affecting 10 or more protected computers during any one-year period."  Currently, in order to be able to prosecute a cybercriminal under some provisions of 1030, there must have been a minimum threshold of $5,000 in damages caused by the alleged cybercrime.  In many cases this was not an issue, for example where the cybercrime had a direct financial loss of $5,000. However, other cases may not be so clear-cut. For example, if a small company’s computer is breached and the company expends some time and effort to investigate and fix the problem, the question becomes whether the expenses that the company incurred meet the $5,000 threshold.  Should full-time employees’ time be calculated on a per-hour basis to determine damages? How should loss of good will be calculated if the breach becomes public? In some cases these questions have created difficult questions.

Other reasons to introduce the damages to 10 computers requiremens are a couple of relatively new types of crime - Distributed Denial of Service (DDoS) and botnets. Both are very closely interrelated in that the cybercriminal obtains control of a high number of computers (sometimes called ‘zombies’ and almost always substantially more than 10) which they use to disable Internet resources, send spam or phish emails, or use the substantial aggregate computing and network power of these botnets for other evil purposes.  Because by definition the owners of the zombie computers would not know that they are part of the botnet, they would not be able to assert damages and meet the $5,000 threshold.  Creating a 10 or more damaged computers provision would allow prosecution of botnet operators under Section 1030 without having to show monetary damages to a particular zombie machine. 

The reality is that botnet operators can possibly be targeted under Section 1030 for the damages they do as a result of using the botnet to commit a specific act (e.g. spam, phish, DDoS); however, the new proposed provision would allow prosecution before the cybercriminals strike, not after.  Kudos for giving tools for proactive legal measures against such acts.

The third of the proposed substantial amendments adds cyber-extortion and threats to reveal confidential information illegally obtained from computer to be computer damage and thus eligible for prosecution under 1030. This provision also aims to deal with a frequent type of cybercrime where there is no verifiable damage.  Cyber-extortion can take many forms, but most often the cybercriminals seek to obtain money or something of value in exchange of either i) not attacking or disabling a certain computer or network resource or ii) not releasing confidential information obtained in an illegal way.  The new provision covers these and similar situations.

The proposed amendments to Section 1030 are a good step towards catching up with cybercriminals. Senator Biden’s statement in connection with the proposed bill says that, the "[c]urrent law hasn’t kept up with the fast pace of new criminal technologies–right now there are holes in the law that cyber-criminals can readily exploit. The Cyber-Crime Act will fix this, update the law and put us one step ahead of the cyber-criminals, instead of one step behind."

The challenge in the information security field today does not usually lie in the transmission; instead, it lies in securing the end points. There is a lot of mainstream press about Switzerland’s approach to securing their electronic elections by using quantum cryptography.  Most of the press touts the Swiss’ decision to "use ‘unbreakable’ encryption method in upcoming elections" as the solution to all of the recent woes in securing electronic elections.  The Swiss will use individual particles of light — or quantum technology — to encrypt election results as they are sent for central processing.

That sounds great, and many of the news stories seem to suggest that the Swiss have found the silver bullet to having secure elections. This cannot be further from the truth and many of the news accounts are misleading at best.  What the Swiss did was to find another (fancy-sounding) way of transmitting data securely. But this is not what bothers security researchers and governments wishing to conduct electronic elections. It is not the transmission, it is the endpoints that are causing the most security breaches. There are various (and pretty decent) solutions for securing traffic - PGP, SSL, SSH, VPN - but few good solutions of securing the actual voting machine. In fact, by writing about the ‘unbreakable’ security of the Swiss voting, the press does a disservice to anybody but the folks who are trying (and maybe succeed) to penetrate a voting machine.

The Swiss should be given credit for trying to strengthen the transmission security. But the press should tell the whole story.

Eric Goldman writes about how Federal Courts calculate spam damages for federal sentencing purposes. Interesting reading, considering that such spam damages are very difficult to attribute to a party. Is it the spam recipient’s damage from having to delete the emails, is it the ISP having to block or investigate complaints, or is it the spammer’s profits that should guide the damages? The number under each category can vary significantly, so this case is important.

In US v. Kilbride, 2007 WL 2774487 (D. Ariz. Sept. 21, 2007) the the judge ignores any alleged harm to end user-recipients because there was no evidence that the individuals suffered a pecuniary loss. Second, the court ignores the government’s argument that the loss should be measured by the defendants’ gain (over $1.1M in profits attributed to the spamming). Instead, the judge only gives credit to the evidence showing that the ISP (AOL) suffered less than $10,000 of "loss" from the spam, computed by AOL’s cost to investigate complaints over the spam (the government did not present evidence for other email service providers).

The Wall Street Journal reports on a troubling new vector of cyber attacks - emails carrying Trojan-infected Microsoft Word attachments directed to senior executives in major corporations. The emails purported to be from an employment service and offered attachments supposedly containing information on potential job candidates. Luckily for these executives, the emails were captured by MessageLabs, an email security company, which monitors the incoming email traffic of its clients for spam and viruses.

According to MessageLabs, during a two-hour period on June 24, 514 messages tailored to senoir executives were captured. On Sep. 12 and 13, the company captured 1,100 messages in a 16-hour period. Although email security experts are well familiar with phishing, this form of attack seems to go beyond the mass-scale fraudulent emailing with the hope that even a very low response rate would yield some personal information. The new email attack has been seen in the past but in smaller numbers and mainly directed to sensitive personnel in government or military. The new attacks suggest that a fairly low-tech attack can yield an open-door access to a major executive’s computer and all the information stored on it. This potentially places high-value information, such as incoming deals, regulatory or other action, at the hands of criminals who can abuse it directly or profit from it by trading securities before the news reaches the public.

All major news sources this morning are running the story of Jammie Thomas, the Minnesota woman who was the first to take the RIAA illegal file sharing accusations to court, and the jury judgment of $220,000 against her and in favor of the recording industry. [WaPo]

I will not comment on the merits of this lawsuit. Instead, I will mention one of Ms. Thomas’ defenses and its merits. During trial, Thomas defended on the ground that someone else was using her Internet connection. Her lawyer suggested in his questioning that someone other than Thomas — someone outside her window, or a neighbor — could have been responsible if she used a wireless router. That could have allowed anyone nearby to utilize her Internet connection, using the same IP address that led the record companies to Thomas.

If the jury had believed this possibility, they would not have found against Thomas. And this may be because of the specifics of this case - Thomas used the same login name in her P2P file sharing software as she used to login to her computer and myspace. If you are a neighbor stealing bandwidth, would you still use your neighbor’s unique login name to connect to file sharing services? Would you even know what the login name is? In theory, this information should be easily obtainable but I cannot think of a good motive to use such login name except maybe malice.

Seems like the "open wireless" defense becomes a staple for all cybercrime defense lawyers - it casts a shadow of a doubt on whether the defendant was the one actually using the connection at the time of the alleged wrongdoing. Almost every home now has a wireless router and there are statistics out there suggesting that a large portion of them have no or weak protection at all. (See more on wireless protection here.) But the Minnesota case shows that not every case is appropriate for this defense. In addition, at some point courts and juries may decide that if it is your wireless access point, you are responsible for what goes through it, with or without your knowledge. Currently the state of law is such that we are far from wireless point strict liability, but after a sufficient number of cases where such this defense is rejected, its usefulness may be zero.

There are many ways, but one is, by not filing a federal lawsuit against Google alleging that plaintiff’s Social Security number, turned upside-down, spells "Google" and violates plaintiff’s right to privacy. Publishing your Social Security number and other personal information in a (quite unusual) public filing against one of the most famous brands in the world is probably one of the most effective ways to undermine your privacy.

Handwritten complaint here. And prompt sua sponte dismissal order here.

« Previous entries Next entries »