April 30th, 2008 by dm 1030, Breaches, Forensics, Hacking, cfaa none Comments

A decision from the U.S. District Court for the Northern District of California held that the costs associated with the tracking and discovery of the identity of the person who stole proprietary information from a company does constitute "loss" for the purposes of calculation of damages under the Computer Fraud and Abuse Act (CFAA).

The dispute in the case was between a company and its competitor.  Plaintiff alleged that the defendant competitor company accessed privileged parts of plaintiff’s computer information system to, among other things, create a disparaging PowerPoint slide show.  Plaintiff based its claim under CFAA which prohibits unauthorized access to a protected computer and any person who suffers damage or loss in excess of $5,000 due to another’s misuse may maintain a civil action. 

Plaintiff relied on CFAA and its $5,000 threshold by arguing that the costs to identify that it was the competitor company who broke into its systems should be counted towards the $5,000 threshold. Defendant disagreed and moved for summary judgment, in reliance on Tyco Int’l v. Does, which holds that CFAA allows recovery for losses beyond mere physical damage to property, but that such additional types of damages have generally been limited to the costs of assessing the damage caused to the system or of resecuring the system following the attack.

The court distinguished the Tyco case on its facts and held that the costs of "responding to [the] offense" should include the costs, as in this case, of determining that defendant was one of the hackers who accessed the computer system without authorization.


April 25th, 2008 by dm Breaches, Forensics none Comments

Data breaches happen every day and, unfortunately, we are getting so used to hearing news about the most recent breach that it no longer makes an interesting report.  Most businesses of any significance will, sooner or later, become a victim of some sort of breach.  So the question becomes not whether you will suffer a data breach, but how you are going to respond to one when it happens.

The Wall Street Journal Business Technology Blog (WSJ) writes about the University of Miami’s (UM) response to their recent breach when thieves stole backup tapes containing two million medical records belonging to the University out of the back of a van last month.  WSJ notes that although the breach is nothing to be proud about, the response by University of Miami is pretty impressive.

What made UM’s response so good? The university provided a detailed, but clear, account of what exactly happened and why the breach poses low risk.  UM hired outside consultants to conduct testing and to determine the likelihood of successful access to the data.  After the consultants reported that such likelihood was low, UM released the notification with a clear and common-sense explanation.

Hopefully this practice will become the model for responding to security breaches.

We have written in the past about the freedom of border agents to search laptops at the border crossing points.

A new opinion (PDF) in United States v. Arnold by the Ninth Circuit Court of Appeals dated April 21, 2008, confirms this trend by holding that customs officers may examine the electronic contents of a passenger’s laptop without reasonable suspicion.

The Facts.  Arnold, a 43-year-old, arrived at Los Angeles International Airport from the Philippines.  At Customs, he was selected for secondary inspection, where the officer asked him to turn on his laptop to determine whether it was functioning.  Once the computer booted up, the desktop showed folders named "Kodak Pictures" and "Kodak Memories."  The agents opened the folders and noticed pictures of nude women.  The agents then questioned Arnold about his computer and his trip, and upon review of the images, determined that there were several images which the agents believed were child pornography.

The Opinion.  After a district court granted Arnold’s motion to suppress the evidence, the Ninth Circuit reversed.  The Ninth Circuit based its opinion on Supreme Court precedent holding that the right of the United States to protect its border is paramount; however, such authority is not unlimited.  The two major exceptions for border searches without reasonable suspicion are searches which cause "exceptional damage to property" or searches conducted in a "particularly offensive manner."  The Ninth Circuit held that the record did not support a finding under either of the two exceptions and therefore the search was proper.

August 7th, 2007 by dm Forensics, exif, risks none Comments

No, I am not talking about the obvious use of digital cameras to secretly take photos of confidential documents or secret installations, or to record some activity which is supposed to remain unrecorded. With relatively high-quality digital cameras being built into increasingly smaller cases or into mobile phones, it is clear why many organizations and government agencies are banning digital cameras, or phones which have digital cameras, altogether.

This article focuses on another aspect of digital photography - the Exif (Exchangeable image file format) [sample here]. As many readers know, this is a format used by digital cameras to store information about the photo (metadata) which can describe technical aspects of the photo (e.g. camera manufacturer and model, exposure time, flash, date and time the photo was taken, etc.). Such technical information does not seem to pose much of a security risk - knowing the model of the camera used may be relevant in some cases to show ownership of the camera or to somehow authenticate the picture, but such use is limited. However, many photographers, professional and amateur alike, use Exif data to "tag" their photos and to store a photo description and other relevant information. The advantage of this method is that once a photo is taken and subsequently tagged by the photographer with location, description, and other relevant information, anyone who has the digital file can read the Exif information. The disadvantage, unfortunately, is that anyone can read the Exif information.

There are two types of Exif information - automatically stored and user-created. Both are potentially dangerous in different ways. Let’s focus on the user-created Exif information first.

Security Risk in Exif Information - Washington Post Gaffe

More than a year ago, a high-profile article on WashingtonPost.com illustrated how Exif data can be misused. An article by Brian Krebs, "Invasion of the Computer Snatchers," interviewed a hacker known online as "0x80" and allegedly promised him anonymity. The story included a nice photo of the alleged hacker, taken from an angle and with light effects so as to mask the identity of the hero of the story. However, the Washington Post editors forgot to remove the Exif information from the photo. It contained some very revealing information, among it "LOCATION: Roland, OK", a small town with a population of 2,842. By confessing to controlling thousands of compromised PCs for malicious use, and by having his location revealed, the alleged hacker’s identity was all but openly revealed, which may tip off the authorities and subject him to criminal prosecution for a variety of computer crimes.

The Washington Post gaffe shows how Exif data can be inadvertently "leaked" onto the Internet and can lead to potentially disastrous effects. I am not aware of any adverse consequences to the hacker in the Post story, but hopefully the point is made.

The second type of Exif information is the automatically stored data that is created by the camera itself. As indicated above, such data may include the time and date when the photo was taken, flash, resolution, and camera type and model. However, one additional piece of automatically stored information may be the GPS location. Some modern cameras (and an increasing number of new models) come with either a built-in GPS device or the ability to attach one. The result is that the camera will automatically store the GPS coordinates of each photo in its Exif data. This could be a very convenient tool - after all, everybody would like to have his or her pictures neatly placed on a map based on where they were taken, and professional photographers would also appreciate the convenience. But as the Washington Post story suggests, taking a photo of a secret object and leaving the Exif data intact before posting the photo on the Internet may pose problems.

Exif also often contains a thumbnail image of the original photo. We see many digital photos on the Internet where the face or another part of the photo is blurred out or redacted in some way. Unfortunately, many of the posters of those photos do not realize that the digital photo’s Exif information may contain a thumbnail version of the original, unedited, photo. This is an example of a photo in which the subject of the photo’s identity was masked only to be left intact in the Exif thumbnail embedded in the photo.

So, what is the solution? There are two prongs: one is procedural and one is technical. First, check what type of Exif information your camera can store and make adjustments, if necessary. Second, think twice before tagging photos with keywords or other descriptions, especially if you are in the business of posting images online or sharing digital image files with others. Don’t forget that once you post or send a digital image with "dangerous" Exif information, there is no way to get it back. Third, use Exif removal software.

Hopefully this article will raise awareness of Exif and prevent future embarrassing "accidents" like the Washington Post one from last year.
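To make the three leak types concrete, here is an added example (not from the original post or from any Exif tool it mentions) that walks the TIFF-structured Exif payload of a JPEG, i.e. the bytes following the `Exif\0\0` APP1 header, and reports free-text tags, GPS coordinates and an embedded thumbnail. The sample block it parses is constructed inline and is not real camera output.

```python
import struct

# Exif tag ids for the metadata classes discussed above (TIFF 6.0 / Exif 2.2 numbering)
TEXT_TAGS = {0x010E: "ImageDescription", 0x013B: "Artist", 0x9286: "UserComment"}
GPS_IFD, GPS_LAT, GPS_LON = 0x8825, 0x0002, 0x0004
THUMB_OFF, THUMB_LEN = 0x0201, 0x0202   # JPEGInterchangeFormat / ...Length, live in IFD1

def read_ifd(tiff, off, e):
    """Parse one IFD at `off`; return ({tag: (type, count, raw4)}, next_ifd_offset)."""
    n, = struct.unpack_from(e + "H", tiff, off)
    entries = {}
    for i in range(n):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i)
        entries[tag] = (typ, cnt, raw)
    return entries, struct.unpack_from(e + "I", tiff, off + 2 + 12 * n)[0]

def exif_leak_report(tiff):
    """Walk the Exif block and flag user text, GPS coordinates and an embedded thumbnail."""
    e = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
    u32 = lambda raw: struct.unpack(e + "I", raw)[0]
    ifd0, ifd1_off = read_ifd(tiff, u32(tiff[4:8]), e)
    report = {"text": {}, "gps": False, "thumbnail": 0}
    for tag, name in TEXT_TAGS.items():
        if tag in ifd0:
            typ, cnt, raw = ifd0[tag]
            data = raw[:cnt] if cnt <= 4 else tiff[u32(raw):u32(raw) + cnt]  # short values sit inline
            report["text"][name] = data.rstrip(b"\0").decode("ascii", "replace")
    if GPS_IFD in ifd0:                              # GPS data lives in its own sub-IFD
        gps, _ = read_ifd(tiff, u32(ifd0[GPS_IFD][2]), e)
        report["gps"] = GPS_LAT in gps and GPS_LON in gps
    if ifd1_off:                                     # IFD1 describes the (unredacted) thumbnail
        ifd1, _ = read_ifd(tiff, ifd1_off, e)
        if THUMB_OFF in ifd1 and THUMB_LEN in ifd1:
            o = u32(ifd1[THUMB_OFF][2])
            if tiff[o:o + 2] == b"\xff\xd8":         # JPEG SOI marker: a real embedded image
                report["thumbnail"] = u32(ifd1[THUMB_LEN][2])
    return report

def build_sample_exif():
    """Constructed little-endian sample holding all three leak types (not from any real camera)."""
    E = lambda v: struct.pack("<I", v)
    def ifd(entries, nxt):
        body = struct.pack("<H", len(entries))
        for tag, typ, cnt, raw in entries:
            body += struct.pack("<HHI", tag, typ, cnt) + raw
        return body + E(nxt)
    desc = b"LOCATION: Roland, OK\0"                  # a user-typed caption, as in the Post story
    thumb = b"\xff\xd8" + b"\x00" * 30 + b"\xff\xd9"  # stand-in for the embedded JPEG thumbnail
    ifd0_off = 8
    desc_off = ifd0_off + 30                          # each 2-entry IFD is 2 + 2*12 + 4 = 30 bytes
    gps_off = desc_off + len(desc) + 1                # one pad byte keeps the next IFD word-aligned
    ifd1_off = gps_off + 30
    thumb_off = ifd1_off + 30
    out = b"II*\0" + E(ifd0_off)
    out += ifd([(0x010E, 2, len(desc), E(desc_off)), (GPS_IFD, 4, 1, E(gps_off))], ifd1_off)
    out += desc + b"\0"
    out += ifd([(GPS_LAT, 5, 3, E(0)), (GPS_LON, 5, 3, E(0))], 0)  # rational values omitted
    out += ifd([(THUMB_OFF, 4, 1, E(thumb_off)), (THUMB_LEN, 4, 1, E(len(thumb)))], 0)
    return out + thumb
```

A non-zero `thumbnail` byte count in the report means a separate, unedited copy of the image is still inside the file, which is exactly what survives a blurred or cropped main image.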

April 8th, 2007 by dm Forensics, Hacking 1 Comments

It is not often that the Securities and Exchange Commission is involved in the prosecution of cybercrimes. But in this case the SEC has successfully prosecuted cybercriminals for allegedly hacking into protected systems containing nonpublic information about publicly traded companies and then using the information to make trades for profit.

According to the SEC complaint, Blue Bottle Limited, a Hong Kong chartered company and Matthew Charles Stokes of Guernsey “fraudulently gained access to material nonpublic information through fraudulent devices, schemes, or artifices, which may include, but are not limited to, hacking into computer networks or otherwise improperly obtaining electronic access to systems that contain information about imminent news releases.” As a result, the defendants used the information to trade and make a profit of $2,707,177.

The SEC claims are under Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act), and Exchange Act Rule 10b-5. The complaint sought permanent injunctions, disgorgement of illegal profits plus prejudgment interest, and civil money penalties, and on March 7, 2007, a United States District Court for the Southern District of New York entered a preliminary injunction order against the defendants.

It is interesting that it is the SEC bringing this action and not the Department of Justice. The Computer Fraud and Abuse Act would seemingly provide a better deterrent for criminals as it provides for jail time. However, the DOJ may not have been able to successfully prosecute the defendants as they may not be within US jurisdiction. The SEC, on the other hand, can impose an asset freeze and provide relief when jurisdictional and other issues prevent a successful criminal prosecution.

February 12th, 2007 by dm Forensics, Law & Policy none Comments

The Wall Street Journal has an interesting article ($ reg. required) (and WSJ Law Blog commentary) about the Department of Justice’s pattern of bringing cybercrime cases in forums that are sometimes distant from the defendants.

Cybercrimes give the feds enormous leeway to pick the jurisdictions where they bring cases, reports today’s WSJ. The Sixth Amendment holds that federal criminal cases should be tried in the state and district in which an offense was committed, but some critics say that the government is “forum shopping” when it comes to prosecuting alleged Internet offenses such as online child pornography or gambling.

The government denies it is seeking a home-court advantage. Prosecutors may pick venues based on the locale of the FBI office that initiates a case, says an FBI spokesman.

The article points to a recent case where DOJ brought a suit against a Connecticut defendant in Alexandria, VA on the ground that the SEC’s EDGAR system, which is located in Alexandria, VA, allows the case to be brought there. The federal district court in Alexandria, known as the “rocket docket” for its speedy case management, granted the defendant’s request to transfer the case because of inconvenience.

February 5th, 2007 by dm Forensics none Comments

In case you need to track who printed a particular page - EFF has done some good work in cracking the “tracking dot” code that some printers secretly print on every page.

The DocuColor series prints a rectangular grid of 15 by 8 minuscule yellow dots on every color page. The same grid is printed repeatedly over the entire page, but the repetitions of the grid are offset slightly from one another so that each grid is separated from the others. The grid is printed parallel to the edges of the page, and the offset of the grid from the edges of the page seems to vary. These dots encode up to 14 7-bit bytes of tracking information, plus row and column parity for error correction. Typically, about four of these bytes were unused (depending on printer model), giving 10 bytes of useful data. Below, we explain how to extract serial number, date, and time from these dots.

More.

January 31st, 2007 by dm Forensics none Comments

CNET reports on an Internet surveillance technique adopted by the FBI. According to CNET,

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Essentially, instead of monitoring what a single IP address (the IP address of the target) is doing, the FBI is capturing the traffic for an entire IP block (we are not sure how big this block is, and presumably it depends on the circumstances of a particular case) and then using data-mining techniques to try to filter out and analyze the traffic of their initial target.

According to Paul Ohm, a former federal prosecutor and now a law professor, this "vacuum cleaner" approach has become federal agents’ favorite method of gathering Internet surveillance data. One reason this may pose a legal issue is the requirement under law that law enforcement perform what is called "minimization." 18 U.S.C. 2518 (Procedure for interception of wire, oral, or electronic communications) says that law enforcement must minimize the interception of communications not otherwise subject to interception and keep the supervising judge informed of what is happening.

In the voice surveillance context, this is known as the two-minute rule, which allows agents to listen in on a phone call for two minutes at a time, with at least one minute elapsing between the spot-monitoring sessions. Although the statute does not generally provide for storage of captured information, it does allow the intercepted communication to be stored in the event that the communication is in code or a foreign language, in which case the minimization should be accomplished as soon as possible after interception. § 2518(5).

How does this play out in the electronic surveillance field? The statute was originally enacted in 1968 and, although it was subsequently modified to include electronic surveillance, it leaves unclear whether an electronic communication is "code or foreign language" just because Internet traffic is a huge amount of information that is impossible to monitor in real time. In addition, there are evidentiary issues. For example, if in the process of full-pipe surveillance the agents discover incriminating information about a user who was not the target of the investigation but whose data was captured in the "full pipe," can the prosecution use this as evidence in a prosecution of that user?  In other words, when casting a large "net" for a target, can the prosecution keep everything it "catches" which is not related to the target?

Courts have wrestled with the minimization requirement for a long time, although in a different context. In 1978, the U.S. Supreme Court in Scott v. United States upheld wiretaps of people suspected of selling illegal drugs. The Court said that broad surveillance may be unconstitutional if it goes too far. Writing for the majority, Justice Rehnquist wrote, "if the agents are permitted to tap a public telephone because one individual is thought to be placing bets over the phone, substantial doubts as to minimization may arise if the agents listen to every call which goes out over that phone regardless of who places the call." Similarly, it can be argued that the FBI’s full-pipe surveillance may go too far when it captures an entire subnet of IP addresses just because one individual is suspected of using it.

It is likely that this debate will continue over the next months and, obviously, it is just a matter of time before a challenge to such surveillance takes place.

January 25th, 2007 by dm Forensics none Comments

While we are on the subject of conducting forensic investigations by local (usually small) law enforcement units, here is another story from Connecticut.

A Norwich, Conn. substitute teacher was convicted on charges that she endangered her pupils when the students saw pornographic pop-ups that appeared on her classroom computer. While prosecutors maintained that the teacher visited pornographic Web sites while at work and wondered why she didn’t just turn off the computer, a forensics expert testified that an innocent hairstyling Web site that the teacher had visited installed spyware on her computer and led to the pop-up pornographic ads, according to an article in the Norwich Bulletin. Moreover, police investigators apparently did little forensic investigation of the computer, and the school did not maintain the security software on the systems that could have prevented the spyware from installing, according to reports on the case.

Moral of the story - in the interest of justice, especially when life or liberty is at stake, insist that proper forensic investigations take place on the computer in question.

January 25th, 2007 by dm Authentication, Forensics, Privacy none Comments

steganography (n.) The practice of hiding messages, often by writing them in places where they may not be found. Often (wrongly) used to mean the same as cryptography which relates to encoded messages.

Why Use Steganography?

Unlike encryption, steganography (or stego for short) is useful to "hide" data in a way that a third party would not know of its existence and hence would not try to break its encryption or force the encryption key from its owner.

There are many uses for steganography, especially in the information security and privacy field. You may want to exchange sensitive information like passwords or shared secrets over an insecure transmission protocol, such as email or FTP. You can embed secret files that should be available only to a selected audience. You can embed copyright information into digital files and control distribution of content. You can store your own sensitive information in an image, upload it to Flickr, and have the information available anywhere in the world (subject to decryption, of course).
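To show the mechanism behind the "nobody knows it is there" property, here is an added example (not from the original post and not how any of the tools listed below work internally) that hides a payload in the least-significant bits of an 8-bit grayscale sample buffer, recovers it, and measures how little each sample moved. The cover buffer is constructed inline, not a real image file; real tools also compress and encrypt the payload and spread the bits across the image.

```python
import struct

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of each 8-bit sample, prefixed by a 4-byte length."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # only the lowest bit changes: each sample moves by at most 1
    return bytes(out)

def _read_bytes(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of the samples starting at index `start`."""
    out = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[start + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload; a cover with nothing hidden yields a nonsense length and is rejected."""
    length, = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit the cover: no payload, or corrupted")
    return _read_bytes(stego, 32, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference between cover and stego buffer (why the change is invisible)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: a 32x32 8-bit grayscale gradient (1024 samples), not a real image
COVER = bytes(range(256)) * 4
SECRET = b"shared secret: hunter2"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego), max_sample_change(COVER, stego))
```

Note that a plain cover cannot be told apart from a stego buffer by inspecting values alone; the extractor only notices because the recovered length does not fit, which is the property the post describes.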

Stego Tools

There are a variety of tools for steganography. Here is a sample of a few.
- Hide in Picture (Win) - allows you to embed a file into a GIF or BMP image and lets you set a password to retrieve the hidden file.
- wbStego (Win) - allows you to embed files into PDF, HTML, or bitmaps.
- mp3Stego (Win) - allows you to embed files into MP3s.
- PictEncrypt (Mac) - adds text to GIF, JPEG, TIFF, PNG, and MacPICT images.

More tools and tutorials.
