October 3rd, 2007 by dm Breaches, Privacy, Vulnerabilities 2 Comments

Personal information on a few thousand ABN Amro Mortgage Group (a unit of Citigroup) customers has been leaked to anybody in the world through peer-to-peer (P2P) software. The names, Social Security numbers, and mortgage information of some 5,200 people, which were stored on an employee laptop, were shared via the LimeWire P2P software.

While it is unclear how many times the information has been downloaded over the P2P network, the fact that a computer containing a large amount of personal information was allowed to run P2P software is inexcusable. In all likelihood, Citigroup (or ABN Amro Mortgage) has some sort of restriction (an administrative policy or a set of IT software restrictions) which prohibits P2P sharing in general, and in all likelihood the employee who used the laptop in question did so without authorization. Even so, the problem remains with Citi and its IT security personnel for failing to prevent or detect such software earlier. Placing the blame on the individual user is not an excuse, as it is Citi’s reputation (and possibly checkbook, after claims by these 5,200 affected people are filed) that is on the line.

According to Pike & Fischer, in testimony at a July House subcommittee hearing on P2P risks, LimeWire Chairman Mark Gorton said that a "small fraction" of users override safe default settings that come with the program, despite the company’s warnings and precautions. The company is working on a "new generation of user interfaces and tools designed with neophyte users in mind," making it "even easier for users to see which files they are sharing and to intuitively understand the controls available to them," he said.

Even if LimeWire is successful in preventing users from ‘inadvertently’ sharing their business documents folders, a company which takes its intellectual property and information security and privacy seriously should, in most cases, take proactive steps to weed out P2P software from its networks.

Many businesses run their own wireless infrastructures, and many know well that they must protect them. But how do you know when it is time to use a stronger encryption algorithm to protect the data sent wirelessly?

Generally, there are two possibilities. One is to wait until hackers break into your network by exploiting the easy-to-break WEP encryption on your wireless network and, as a result, steal millions of customers’ credit card numbers and personal data. Example: the TJX story.

The second, and the better possibility, is to do it before your (or your client’s) organization is prominently featured in the Wall Street Journal. Example: the TJX story.

Here’s a short excerpt that should make every IT director think about switching from WEP to WPA or better.

Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn’t recommended by security experts even for wireless home networks because it is so vulnerable to hackers.

TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company’s internal transaction database. They did so initially from outside two stores in Miami, the probe found.

- TJX’s Security System Faulted in Canada Probe, Wall Street Journal, September 26, 2007.

September 11th, 2007 by dm Identity Theft, Phishing, Privacy none Comments

This happened to me very recently. I applied to join a certain credit union. The credit union has a wonderful website and, as it should, it has an online application which seems secure enough. I filled out the necessary personal information and submitted my application over the SSL connection. Among the standard questions were a few security questions such as mother’s maiden name, favorite teacher, and others. In response to my completed application, I received an email which also seemed to meet adequate financial institution information security and privacy requirements (e.g. no account numbers, login names, passwords, etc. being sent in plain text over email).

Everything seemed fine. Until the next day, when I received a phone call from an "unknown name/unknown number" phone. The lady on the other end identified herself very politely as X from the credit union, welcomed me to the union, and asked me whether I would be willing to talk with her briefly about my financial needs and how the credit union may be able to help. This was nice customer service, I thought, and agreed to talk with her for a "couple of minutes." The next thing she asked me was whether I could verify the security information on my account, and proceeded to ask me about my mother’s maiden name. The call ended shortly after this question and after I calmly tried to explain to X that asking such questions during an outbound phone call is not a good idea because anybody could, in theory, make this phone call and obtain my security information.

I went to the credit union’s website and was impressed by the thorough explanations they have on Internet security and by the effort they make to "teach" their customers not to respond to phishing emails asking for personal login or financial information. I am sure the credit union has a policy prohibiting outgoing emails from soliciting customers’ security information. But did anyone at the credit union think to put in place the same security policy for outgoing phone calls to customers? Apparently not.

August 7th, 2007 by dm Forensics, exif, risks none Comments

No, I am not talking about the obvious use of digital cameras to secretly take photos of confidential documents or secret installations, or to record some activity which is supposed to remain unrecorded. With relatively high quality digital cameras being built into increasingly smaller cases or into mobile phones, it is clear why many organizations and government agencies are banning digital cameras, or phones with digital cameras, altogether.

This article focuses on another aspect of digital photography - the Exif (Exchangeable image file format) [sample here]. As many readers know, this is a format used by digital cameras to store information about the photo (metadata) which can describe technical aspects of the photo (e.g. camera manufacturer and model, exposure time, flash, date and time the photo was taken, etc.). Such technical information does not seem to pose much of a security risk - knowing the model of the camera used may be relevant in some cases to show ownership of the camera or to somehow authenticate the picture, but such use is limited. However, many photographers, professional and amateur alike, use Exif data to "tag" their photos and to store a photo description and other relevant information. The advantage of this method is that once a photo is taken and subsequently tagged by the photographer with location, description, and other relevant information, anyone who has the digital file can read the Exif information. The disadvantage, unfortunately, is that anyone can read the Exif information.

There are two types of Exif information - automatically stored and user-created. Both are potentially dangerous in different ways. Let’s focus on the user-created Exif information first.

Security Risk in Exif Information - Washington Post Gaffe

More than a year ago, a high profile article on WashingtonPost.com illustrated how Exif data can be misused. An article by Brian Krebs, "Invasion of the Computer Snatchers," interviewed a hacker known online as "0x80" who was allegedly promised anonymity. The story included a nice photo of the alleged hacker, taken from an angle and with light effects so as to mask the identity of the hero of the story. However, the Washington Post editors forgot to remove the Exif information from the photo. Incidentally, it contained some very revealing information, one item being "LOCATION: Roland, OK," which is a small town with a population of 2,842. By confessing to controlling thousands of compromised PCs for malicious use, and by having his location revealed, the alleged hacker’s identity is almost openly revealed, which may tip off the authorities and subject him to criminal prosecution for a variety of computer crimes.

The Washington Post gaffe shows how Exif data can be inadvertently "leaked" onto the Internet and can lead to potentially disastrous effects. I am not aware of any adverse consequences to the hacker in the Post story, but hopefully the point is made.

The second type of Exif information is the automatically stored data that is created, most often, by the camera. As indicated above, such data may be the time and date when the photo was taken, flash, resolution, camera type and model. However, one additional piece of automatically stored information may be the GPS location. Some modern cameras (and an increasing number of new models) come with either a GPS device built in or the ability to attach one. The result is that the camera will now automatically store the GPS coordinates of each photo in its Exif data. This could be a very convenient tool - after all, everybody would like to have his or her pictures neatly placed on a map based on where they were taken. Professional photographers would also appreciate the convenience. But as the Washington Post story suggests, taking a photo of a secret object and leaving the Exif data intact before posting the photo on the Internet may pose problems.

Exif also often contains a thumbnail image of the original photo. We see many digital photos on the Internet where the face or another part of the photo is blurred out or redacted in some way. Unfortunately, many of the posters of those photos do not realize that the digital photo’s Exif information may contain a thumbnail version of the original, unedited photo. This is an example of a photo in which the identity of the photo’s subject was masked, only to be left intact in the Exif thumbnail embedded in the photo.

So, what is the solution? There are two prongs: one is procedural and one is technical. First, check what type of Exif information your camera can store and make adjustments, if necessary. Second, think twice before tagging photos with keywords or other descriptions, especially if you are in the business of posting images online or sharing digital image files with others. Don’t forget that once you post or send a digital image with "dangerous" Exif information, there is no way to get it back. Third, use Exif removal software.
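As an added illustration (this is not code from the original post), the following Python walks a JPEG’s marker segments, reads the Exif TIFF directories, and flags the three items discussed above: a free-text ImageDescription, a GPS sub-IFD, and an embedded IFD1 thumbnail. It then strips the whole APP1 Exif segment, which is what "Exif removal software" does. The sample JPEG is constructed inline (SOI, one APP1 Exif segment, EOI; no real image data) so the script runs offline; the description text and tag layout are assumptions for the demo.

```python
import struct

def _ifd(entries, next_ifd):
    """Little-endian TIFF IFD from (tag, type, count, value_or_offset) tuples."""
    out = struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        out += struct.pack("<HHII", tag, typ, count, val)
    return out + struct.pack("<I", next_ifd)

def build_sample_jpeg():
    """Constructed input, not a camera file: SOI + APP1 Exif + EOI with all three risky items."""
    desc = b"Location: Example Town\x00"          # ImageDescription text (constructed)
    thumb = b"\xff\xd8\xff\xd9"                   # stand-in thumbnail: bare SOI + EOI
    ifd1_off = 8 + 30                             # IFD0 has 2 entries: 2 + 24 + 4 bytes
    desc_off = ifd1_off + 30                      # IFD1 has 2 entries
    gps_off = desc_off + len(desc)
    thumb_off = gps_off + 18                      # GPS IFD has 1 entry
    tiff = b"II*\x00" + struct.pack("<I", 8)      # little-endian TIFF header, IFD0 at 8
    tiff += _ifd([(0x010E, 2, len(desc), desc_off), (0x8825, 4, 1, gps_off)], ifd1_off)
    tiff += _ifd([(0x0201, 4, 1, thumb_off), (0x0202, 4, 1, len(thumb))], 0)
    tiff += desc + _ifd([(0x0001, 2, 2, 0x4E)], 0) + thumb   # GPSLatitudeRef "N\0" inline
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def jpeg_segments(data):
    """Yield (marker, start, end) for every marker segment that precedes SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] in (0xD9, 0xDA):         # EOI or SOS: no metadata segments follow
            return
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], pos, end
        pos = end

def _parse_ifd(tiff, off, fmt):
    n = struct.unpack(fmt + "H", tiff[off:off + 2])[0]
    rows = [struct.unpack(fmt + "HHII", tiff[off + 2 + 12 * i:off + 14 + 12 * i]) for i in range(n)]
    nxt = struct.unpack(fmt + "I", tiff[off + 2 + 12 * n:off + 6 + 12 * n])[0]
    return {tag: (typ, count, val) for tag, typ, count, val in rows}, nxt

def exif_risk_report(data):
    """Flag the three items discussed above: free-text description, GPS sub-IFD, thumbnail."""
    report = {"description": None, "gps": False, "thumbnail_bytes": 0}
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]
        fmt = "<" if tiff[:2] == b"II" else ">"   # byte order from the TIFF header
        ifd0, ifd1_off = _parse_ifd(tiff, struct.unpack(fmt + "I", tiff[4:8])[0], fmt)
        if 0x010E in ifd0:                        # ImageDescription; values <= 4 bytes sit inline
            _, count, val = ifd0[0x010E]
            raw = struct.pack(fmt + "I", val)[:count] if count <= 4 else tiff[val:val + count]
            report["description"] = raw.rstrip(b"\x00").decode("ascii", "replace")
        report["gps"] = 0x8825 in ifd0            # GPS IFD pointer present
        if ifd1_off:                              # IFD1 describes the embedded thumbnail
            ifd1, _ = _parse_ifd(tiff, ifd1_off, fmt)
            if 0x0201 in ifd1 and 0x0202 in ifd1: # JPEGInterchangeFormat and its Length
                report["thumbnail_bytes"] = ifd1[0x0202][2]
    return report

def strip_exif(data):
    """Copy of the JPEG with every APP1 Exif segment (tags, GPS, thumbnail) dropped."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])
```

Running `exif_risk_report(build_sample_jpeg())` reports the description, the GPS pointer and a 4-byte thumbnail; after `strip_exif` the same report comes back empty. Real files may also carry XMP (another APP1) or IPTC (APP13) metadata, which this routine leaves in place.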

Hopefully this article will raise awareness of Exif and prevent future embarrassing "accidents" like the Washington Post one from last year.

August 6th, 2007 by dm Authentication, Government 1 Comments

From Slashdot.org:

"The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS’s 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. ‘Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller … The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.’"


August 3rd, 2007 by dm Government, Vulnerabilities none Comments

A congressional report scheduled to be released on August 3 but reported by the Washington Post alleges that the U.S. government’s main border control system has many security weaknesses, placing at risk of theft or manipulation the data of millions of passengers, including passport, visa, Social Security numbers, and biometrics, such as fingerprints.

The US-VISIT system has been in place for several years and is considered one of the first lines of defense aimed at stopping terrorists or other unauthorized persons from entering the United States at hundreds of airports, seaports, and land crossings. The system collects passengers’ personal information and stores it in a massive database which can be data-mined for various border control and immigration purposes. The US-VISIT system is said to store facial images and fingerprints of 90 million individuals and is used to vet 54 million border crossings each year. Adding the biometric information on top of the detailed personal information stored in the system makes it a pretty attractive target for cyber criminals or hostile foreign governments.

According to the report, "[w]eaknesses existed in all control areas and computing device types reviewed."

"These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information," GAO investigators said in the report.

It is not hard to imagine the possible national security and individual privacy consequences that a breach of this vast system may have. Let’s hope that the vulnerabilities are closed quickly.

August 2nd, 2007 by dm 1030, cfaa, employment none Comments

A Philadelphia Federal District Court held that an accountant who used his computer to copy information about his previous employer’s clients to share with his new employer did not violate the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, but the act might have been in violation of the fiduciary duty owed to his employer by soliciting clients for his new employer while still working for his old employer. The case is Brett Senior & Assocs. v. Fitzgerald, E.D. Pa., No. 06-1412, 7/13/07.

The defendant, Stephen Fitzgerald, was an accountant who was employed by the law firm of Brett Senior & Associates since 1989. He did not sign an employment agreement at the time he was hired but in 1999 he signed a conflict of interest agreement that said employees were not allowed to "disclose to a competitor confidential or proprietary information, including client lists, if the information is not generally known to the public."

The Story

In early 2005, Fitzgerald interviewed for a job with Fesnak & Associates. In November 2006, Fitzgerald told BSA that he had accepted a job with Fesnak, and just before leaving BSA a month later, Fitzgerald copied from his work files tax information regarding BSA clients. BSA warned Fitzgerald not to use confidential information; however, Fitzgerald approached 20 clients to follow him to Fesnak, and 15 of those 20 did. Subsequently more clients followed Fitzgerald to his new employer. As a result, BSA sued, alleging, among other claims, that Fitzgerald violated the Computer Fraud and Abuse Act.

The Court’s Holding

The court’s reasoning in dismissing the computer fraud claim under section 1030 was that a computer fraud claim must show an unauthorized procurement or alteration, not mere misuse or misappropriation. The court said that 18 U.S.C. 1030(a)(4) prohibits the unauthorized procurement or alteration of information, not its misuse or misappropriation. Because Fitzgerald had full and legally authorized access to BSA’s computer system when he copied the information before he left the firm, the court could not hold that he accessed BSA’s computers without authorization or that he exceeded his authorization.

The court, however, held that Fitzgerald’s actions may constitute a breach of fiduciary duty because Fitzgerald contacted 20 BSA clients to join him in moving to Fesnak while he was still employed at BSA.

Split of Authority?

The outcome of this case on the computer fraud claim is interesting because it goes against what other courts have held in the past. We wrote in August 2006, on similar facts in Lockheed Martin Corp. v. Speed (M.D. Fla.), that an employee who copies computer files prior to departing for a rival firm has not "exceed[ed] authorized access" as that key phrase is defined under the Computer Fraud and Abuse Act. The Fitzgerald and Lockheed Martin cases have similar outcomes on somewhat similar facts. However, they both seem to contradict what the 7th Circuit Court of Appeals held earlier in 2006.

Judge Richard Posner of the Seventh Circuit in International Airport Centers LLC v. Citrin, 440 F.3d 420 (7th Cir. 2006), held that the CFAA imposed liability on the premise that the employee’s authorization vanished once he breached a duty of loyalty to the employer. Presumably, this may be long before the employee is terminated, so the employee "exceeds authorization" whenever he or she takes substantial steps towards breaching the duty of loyalty to the original employer - e.g. contacting a competitor, etc.

The Fitzgerald court held that he may have breached the fiduciary duty owed to his current employer by copying information to be used for the new employer. If the court had followed Judge Posner’s Citrin reasoning, then the Fitzgerald outcome would have come out differently, because Fitzgerald breached his duty of loyalty before he was terminated (or quit) and he accessed BSA’s computer systems during and after this breach. Therefore, in the Seventh Circuit, this case should have come out the other way.

Is Citrin the Rule or the Exception?

It is unclear. Citrin certainly provides good Circuit Court authority for employers who want to go after their departing employees for breach of loyalty under the CFAA. But District Court opinions such as Fitzgerald and Lockheed Martin may slowly start undermining Citrin’s authority and gradually lead to its rejection in other circuits.

We have written about the prevalence of botnets and the fact that they are one of the major causes of modern-day cyberattacks. This is hardly in any dispute today. The debate is what should be done to fight the increasingly powerful botnets and there does not seem to be an easy answer.

Some have suggested that ISPs should be responsible for botnets, since the ISP is the party in the Internet traffic path closest to the infected at-home zombie PC and therefore the one most capable of stopping the proliferation of malicious traffic, whether it originates from an already infected zombie PC or targets a PC within the ISP’s network in order to infect it.

A recent report by the Internet Security Operations Task Force (ISOTF) suggests that many ISPs not only fail to address a substantial number of botnet complaints, but some ISPs named in the report did not address any of the complaints directed at them.

The ISOTF report suggests that many ISPs are slow to react to botnet complaints. This is a troubling fact, because the ISP is put on notice of a problem customer or computer and then fails to do anything to stop an already identified threat. This is not proactive scanning, detection, or prevention, which may require sophisticated network traffic shaping or detection. This is simple customer relationship management: approaching the complaint and resolving it in a timely fashion. In fairness to ISPs, many of which are small operations, they may not have the manpower and resources to deal with a large-scale botnet attack on their network and respond to all complaints in a timely fashion.

On the other side of the equation is the proactive botnet prevention. There are commercial services which provide real-time monitoring for ISPs. For example (and without any endorsement or personal interest), Arbor Networks offers a service called PeakFlow that continually monitors networks to look for threats such as DoS attacks. Of course such services cost money, but the ISP is in the best position to spread the cost throughout the subscribers. The customers would get at least some assurance that their at-home PCs would work better and be less likely to become botnet zombies. The ISP would free some resources from having to deal reactively with botnet complaints and be able to shift these resources to more productive tasks.

There are other aspects of this debate. For example, some would argue that it is not the ISP’s business to filter traffic and determine on its own what kind of traffic should be filtered or not — a modified version of a net neutrality argument. Others argue that it is the end-user’s responsibility to ensure that his or her PC is properly protected and, if infected, to properly clean it up. However, such arguments seem to miss the point. ISPs should be able to protect their own infrastructure by having the sole authority to determine what is malicious traffic and to act in an appropriate way to stop such traffic. And although individual users should be responsible for their own PCs, the cumulative effect of zombie PCs within an ISP’s network is to potentially threaten the ISP’s operations and, again, the ISP should be able to act to protect itself.

There is no silver bullet for this problem. But if good technological solutions are available for ISPs to use, and if such solutions are economically feasible, an ISP should deploy them for their own networks’ sake and for the sake of the security of the Internet as a whole.

July 31st, 2007 by dm Vulnerabilities none Comments

Despite numerous reports, directives, and promises by the Federal Government that it is making its IT systems more secure, a July 27, 2007, GAO report suggested that the government continues to provide inadequate data security to protect critical operations and personal information maintained by various agencies.

"Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies," the GAO concluded. Information security continues to be a governmentwide high-risk issue, GAO said.

According to the GAO report, every one of the 24 major federal agencies and departments reviewed had weaknesses in at least one major data security area. The report recommended that agency inspectors general cover in greater detail information security processes such as system testing and evaluation, training, and incident reporting.

Read the full GAO report, "Information Security: Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses" (GAO-07-837)

July 27th, 2007 by dm Misc none Comments

If you haven’t already done so after the launch of the new design, please update your RSS feed to the new location - it is http://www.cybercrimelaw.org/feed/. The old feed will be discontinued shortly.
