Cybersecurity & Cybercrime : Security, Privacy and The Law

Balancing Privacy and Security in an Age of Instant, Ubiquitous Communications

Posted on August 3, 2010 by Colin J. Zick

In a recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security." This tension is not limited to that context, however. Nearly every workplace that uses email faces a similar tension between open access and secure communications. And this debate splits people. An ongoing informal survey by The Economist suggests that the number of people who want more control and restrictions over communication are nearly equally balanced by those who chafe at such restrictions.

So, what's the right answer? It would seem that continual balancing and re-balancing between too much/too little privacy and too much/too little security is the necessary (if not quick or easy) solution. In the workplace, that means not always siding with one faction or the other on these issues, but addressing issues pragmatically as they arise.

Tags: Cybersecurity & Cybercrime, balance, privacy, security, tension

One More Reason to Secure Your Wireless Network

Posted on July 5, 2010 by Colin J. Zick

In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network. The details of this decision are instructive for those still looking at questions of network privacy and security.

This case had its start in 2007, when a woman referred to as JH was using her personal computer at her home in Oregon. She was connected to the internet via her own wireless network, but when her wireless network malfunctioned, her computer automatically picked up another nearby wireless network. JH opened the shared library and found a subfolder called "Dad's Limewire Tunes." JH opened "Dad's Limewire Tunes" and observed files with names that indicated they were child pornography. That shared library was traced back to the defendant, Mr. Ahrndt, a convicted sex offender.

Ahrndt moved to surpress much of the evidence that was found on his computer, arguing that the Fourth Amendment provides a reasonable, subjective expectation of privacy in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network. The court held that society recognizes a "lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network." The opinion went on to note that "[s]ociety's recognition of a lower expectation of privacy in unsecured wireless networks, however, does not alone eliminate defendant's right to privacy under the Fourth Amendment. In order to hold that defendant had no right to privacy, it is also
necessary to find that society would not recognize as reasonable an expectation of privacy in the contents of a shared iTunes library available for streaming on an unsecured wireless network." And that is precisely what the Court concluded: "When a person shares files on LimeWire, it is like leaving one's documents in a box marked 'free' on a busy city street."

Tags: Cybersecurity & Cybercrime, LimeWire, expectation of privacy, iTunes, unsecured wireless network

Ponemon Study Finds Average Cost of Data Breach Was $3.4 million in 2009

Posted on May 3, 2010 by Gabriel M. Helmer

Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports]. The highlights of the survey were announced in PGP's press release. Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, the average cost of a data breach was $3.4 million. That is $142 per customer affected by the breach.

Unfortunately for U.S. businesses, the survey found that data security breaches In the U.S. were more expensive that in other countries, $204 per customer on average. The survery found that the existence of breach notification laws, such as the 45 state notification laws adopted in the U.S., correspond to substantially increased costs of data breaches.

The survey's other findings include:

The most expensive breach remediation cost one U.S. company $31 million, while the least expensive was $750,000.
35% of all breaches involved outsourced data provided to third parties, while 36% of breaches were caused by hackers.
Businesses that have a Chief Information Security Officer (CISO) incurred reduced costs for data breaches, 21% less on average.

Tags: Cost of Data Breach, Cybersecurity & Cybercrime, Data Breach, PGP Corporation, Ponemon, study, survey

Albert Gonzalez Gets 20 Years for TJX / Heartland Breaches

Posted on April 2, 2010 by Gabriel M. Helmer

Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government." Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him. The hacker, known variously as "segvec," "soupnazi" and "j4guar17" pled guilty in the New Jersey and Massachusetts cases for his role as mastermind of the two largest financial data breaches ever, those involving TJX and Heartland Payment Systems.

The federal court sentencing entries states that after Gonzalez serves his 240-month sentence, he will be subject to 3 years of supervised release, fines and substantial restitution, to be determined at hearings scheduled in June. The Department of Justice press release (.pdf) details some of Gonzalez's activities, which included:

Wardriving: "driving around in a car with a laptop computer looking for unsecure wireless computer networks of retailers."
Installation of sniffer programs to capture credit and debit card numbers used at retail stores.
Selling credit and debit card numbers to others for fraudulent use.

The DOJ press release also indicates that while six of Gonzalez's co-conspirators have been captured (as far away as in Germany and Turkey), Gonzalez's activities may have compromised "tens of millions of credit and debit card numbers, affecting more than 250 financial institutions."

In January, we posted details from the debate during Gonzalez sentencing including his claim that he suffered from "internet addiction." At that time, Gonzalez's attorneys requested a sentence of 15 years for his crimes.

Tags: Albert Gonzalez, Cybersecurity & Cybercrime, Department of Justice, Identity Theft, hacking, retail, sentencing

Internet Crime Complaint Center (IC3) Releases 2009 Report on Internet Crime

Posted on March 12, 2010 by Gabriel M. Helmer

Today, the Internet Crime Complaint Center (IC3), a federal organization run as a partnership between the FBI and National White Collar Crime Center, released its 2009 Internet Crime Report (.pdf). Highlights include:

IC3 received 336,655 complaints in 2009, an increase of 22% over the prior year.
The dollar loss caused by incidents reported to IC3 increased more than 100% to $559.7 million.
146,663 complaints were referred to local, state and federal law enforcement agencies.
Complaints were typically not referred to authorities when "there was no documented harm or loss (e.g., a complainant received a fraudulent solicitation email but did not act upon it)" or when there was no jurisdictional tie to the United States.
16.6% of all complaints involved fraudsters pretending to be affiliated with the FBI.
11.9% of all complaints involved a seller's failure to deliver items purchased online or a buyer's failure to pay for goods delivered.

Tags: 2009 Internet Crime Report, Cybersecurity & Cybercrime, FBI, IC3

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

Posted on February 23, 2010 by Gabriel M. Helmer

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data.

Poorly supervised use of P2P networks have frequently been the subject of unwanted attention, including from the FTC. For our coverage on P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here ("Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft") and here ("Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing").

The danger with P2P filesharing software is that failure to select the proper settings can result in opening up all documents on a computer to anonymous users on the Internet. As the FTC warned in its press release: "when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network." The problem commonly arises when a business' staff load P2P filesharing software on company computers to access music or other downloads (which can be illegal in itself), but fail to properly configure the software.

The FTC has provided the following examples of the notification letters it has mailed to entities: FTC Sample Letter A (.pdf), FTC Sample Letter B (.pdf) and FTC Sample Letter C (.pdf). The FTC has also directed these entities to its newly-unveiled guide to taking proper security measures to prevent unauthorized P2P access. The FTC has indicated that it "has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks."

Tags: Cybersecurity & Cybercrime, FTC, Government Enforcement, Identity Theft, P2P, peer-to-peer, software

Incident(s) of the Week: February A Tough Month For Hackers

Posted on February 19, 2010 by Gabriel M. Helmer

1. Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities. On January 14, 2010, commuters on Moscow's Garden Ring Road passed a large-scale video screen and instead of the normal commercial advertisements saw two minutes of hard-core pornography. The video, as well as the resulting traffic problems, was thanks to a hacker who is described as a 40 year old, unemployed man living in Novorossiisk. Apparently, the hacker directed his attack from computers in Chechnya believing that Russian authorities would not bother to track him down. A month later, the hacker is pleading guilty to criminal charges, insisting that "he only wanted to entertain people."

2. China Shuts Down Largest Hacker Training Site

Last week, Chinese officials arrested three individuals allegedly responsible for running the Black Hawk Safety Net, a website that was known as the largest hacker training site in China. The site apparently disseminated training materials and offered users the ability to download virus software, trojan programs and other hacker tools. According to China Daily, Black Hawk Safety Net had more than 170,000 users and collected more than 7 million yuan in membership fees by the time authorities shut it down. Authorities seized $1.7 million yuan, 9 servers and one automobile in the raid.

Tags: Black Hawk Safety Net, China, Cybersecurity & Cybercrime, Incident of the Week, Russia, hacker, porn

Incident(s) of the Week: Recent Updates from Prior Incidents

Posted on January 22, 2010 by Gabriel M. Helmer

1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas. The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program. We first posted on this case a year ago, after the FTC filed its complaint (.pdf).

In addition to the dumping of consumer financial information, the FTC alleging that Navone had failed to implement physical and electronic security procedures and or take reasonable steps to secure the customer records he stored at home in his garage. According to the FTC, these activities violated the FTC Act, the Federal Credit Reporting Act (FCRA) and Navone's own information security policy which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9). Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2. Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies. We posted on his indictment last August and again on his curious role as government informant. The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime. Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him. In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room. Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it. Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that we would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life. This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong. It did not, and he knew when he turned to cyber-crime that it was wrong. What it did do, however, was contribute to his inability to stop himself. What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will. He and his computer in many ways became one: he though in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted. Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range.

Tags: 7-Eleven, Albert Gonzalez, Cybersecurity & Cybercrime, Data Breach, FTC, Government Enforcement, Gregory Navone, Heartland Payment Systems, Incident of the Week

Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satelite Feeds In Iraq

Posted on December 18, 2009 by Gabriel M. Helmer

1. Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, popular social networking site Twitter, was apparently hacked by a group calling themselves the Iranian Cyber Army. Iran and Twitter have had a rocky relationship since last summer when Iranian citizens spread the protests over Iranian elections to the popular web site. During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites. Given the name adopted by Twitter's hackers, it may be no coincidence that the New York Times interview with a U.S. computer security expert in June 2009 described the Twitter DoS attacks as allowing Twitter users to "'become part of the cyber-army,' in Iran."

2. $26 Russian Software Has Been Intercepting U.S. Military Drone Video Feeds In Iraq

Ever since Iraq invaded Kuwait in 1990, we laypeople have been introduced to video from U.S. military missiles right before something like a building exploded in fuzzy black and white. Then came more advanced military drones, remote controlled airplanes, with greater resolution and improved arsenal. If you have been craving some low res military action, it may only cost you a satellite dish and $26. Using a $26 software package developed by Russian software company called SkyGrabber, Iraqi insurgents have reportedly been tapping into live video feeds from U.S. drone aircraft. This news comes from a U.S. official speaking anonymously with the Wall Street Journal who reported that U.S. troops have recovered laptops used by the insurgents with "days and days and hours and hours" of intercepted military video.

The SkyGrabber software, which allows users to tap into unencrypted satellite connections, apparently has been successfully used against the military feeds because they were (you guessed it) unencrypted. U.S. military officials commented to CNN that encrypting the signals is problematic because it slows down video transmissions that need to be seen by a number of different operators at the same time. Query as to whether having your adversaries monitoring your battlefield surveillance will justify adding encryption to the military's systems. (Just remember when you do that another Russian software application is capable of decoding the WPA encryption standard.)

Lest we begin criticizing the military too strongly, however, a moment of self-reflection might be worthwhile. The next time you connect to the Internet using a wireless connection, whether at home or at a coffee shop, ask yourself whether you are taking any precautions to prevent your activity from being intercepted or whether you are just rolling the dice that no one in 100 yards has purchased some software from Russia recently.

Tags: CNN, Cybersecurity & Cybercrime, Drone, Incident of the Week, Iran, Iranian Cyber Army, SkyGrabber, Twitter, Wall Street Journal

Incident of the Week: U.S. Law Firms and Public Relations Firms Hit By E-mail Attack

Posted on November 19, 2009 by Gabriel M. Helmer

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week. On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using "spear phishing" attacks -- personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software. "Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link."

While the FBI indicates that it may not be possible to flag the emails attacks themselves, system administrators will be able to detect the malware infection once a computer has been compromised:

Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’; e.g. http://d.ueopen.com/srhost.exe. Any traffic associated with ‘ueopen.com’ should be considered as an indication of an existing network compromise and addressed appropriately.

The FBI has asked that firms that have detected a breach direct incident response notifications to the Department of Homeland Security and U.S. CERT.

FBI unit chief Bradford Bleier commented to the Associated Press: "Law firms have a tremendous concentration of really critical, private information," and infiltrating those computer systems "is a really optimal way to obtain economic, personal and personal security related information."

Allen Paller, director of research at SANS Institute, told reporters that an attack on a major New York law firm in 2008 has been linked to a group of Chinese hackers. Paller told the AP that the hackers going after law firms, "often target companies that are negotiating a major international deal -- anything from seeking a patent on a sensitive new technology to opening a plant in another country." "The best documents to steal are in the law firm that represents that company."

As hackers become more organized and strategic, law firms may need to reassess the risks they face in light of the value of the information they manage for their clients.

Links:

Tags: Allen Paller, Bradford Bleier, Cybersecurity & Cybercrime, DHS, FBI, Incident of the Week, U.S. CERT, spear phishing

Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On "Key Monitoring Tool"

Posted on October 23, 2009 by Gabriel M. Helmer

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. According to the FTC, the breach occurred because ChoicePoint implemented a security tool designed to detect unauthorized access to its databases, but "failed to detect that the security tool was off" for a period of four months. Apparently, during this outtage, "an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers." The unauthorized access apparently occurred between August 8, 2008 and September 8, 2008. According to ChoicePoint, the incident occurred because "a former ChoicePoint government customer failed to properly safeguard one of its user IDs." (See ChoicePoint's news release.) ChoicePoint voluntarily approached the FTC when it discovered the breach.

ChoicePoint, which suffered a more significant breach in 2005, was already subject to a 2006 order requiring that the company implement a comprehensive information security program. (See the FTC's materials on the prior breach.) The FTC and ChoicePoint dispute whether the current breach was the result of failing to meet its security obligations under the 2006 order. The supplemental stipulated judgment entered this week (.pdf) provides that ChoicePoint will pay $275,000 into a fund to redress potential harm to consumers and submit to biennial security assessments.

This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools. In practice, many companies react to information security regulations by purchasing a suite of security products. But are these tools being utilized effectively? At least according to the FTC, companies may face sanctions if their adopted security measures are not turned on and managed appropriately.

Links:

Tags: ChoicePoint, Cybersecurity & Cybercrime, Data Breach, FTC, Incident of the Week, information security program

Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

Posted on October 8, 2009 by Jeff Bone

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected. According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com. The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected. The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack. But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that . These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses."

As more details emerge, it seems that more questions remain to be answered. Exactly how many passwords have been compromised, and from how many companies? Was the breach due to a single massive phishing attack, multiple smaller fishing attacks, or some type of malware? Why were lists of affected users posted online? Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Links:

Tags: Cybersecurity & Cybercrime, Data Breach, Incident of the Week, Microsoft, aol, comcast, earthlink, email, hotmail, password, phishing, yahoo

Incident(s) of the Week: Double Feature

Posted on October 1, 2009 by Jeff Bone

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000. Original reports estimated that more than 200,000 women were affected. The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago. According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses were found on a UNC School of computer server dating back to 2007 were found on the server. The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected. To this point, however, the school still does not know who committed the breach or where the attack originated from, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Links:

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility. A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources. Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained accessed the administrator's username and password, the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel. He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf). In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act. Janosko has agreed to accept an additional incarceration of 18 months for the hack. Sentencing in the case is scheduled for December 15th.

Tags: Chapel Hill, Correctional Facility, Cybersecurity & Cybercrime, Data Breach, Francis G. Janosko, Healthcare Industry Spotlight, Incident of the Week, Plymouth County, Social Security Number, UNC, University of North Carolina, cybersecurity, hacker

Massachusetts Attorney General Announces Opening of New Computer Forensics Lab

Posted on September 22, 2009 by Jeff Bone

In a press release issued last week, Massachusetts Attorney General Martha Coakley announced the opening of a "new, state-of-the-art Computer Forensics Lab in Boston" as part of the Attorney General's Cyber Crime Initiative. Under the Initiative, the Attorney General's office received funding from the U.S. Department of Justive to "develop a sustainable cyber crime information sharing program in Massachusetts" for the Massachusetts law inforcement community.

According to the press release, the lab "will expand the office's forensic capabilities, allowing it to conduct exams on a variety of digital media such as computers, cell phones, laptops, PDAs and GPS devices." The lab is 3,000 square feet and is the largest of its size for any attorney general's office in New England. It will have the latest technology available to forensic investigators to allow them to extract information such as text messages, videos and pictures from mobile devices, and will also have imaging machines that can be used to capture information that cannot be extracted from a device or hard drive. In addition, lab space will be used to train police officers on how to "bag and tag," using the proper techniques for evidence seizure at a crime scene.

According to the press release, the Attorney General's Office has trained more than 1,000 Massachusetts law enforcement officers and cyber crime experts from across the nation, focusing primarily on investigation of identity theft. While it certainly seems that Attorney General Coakley has made prevention of cyber-crime one of her top priorities (indeed, the office recently received and award from the National White Collar Crime Center for its work in cyber crime), it will be interesting to see what happens if she is successful in her candidacy for the U.S. Senate.

Links:

Tags: Cybersecurity & Cybercrime, Identity Theft, Martha Coakley, cybercrime, enforcement, forensics

Informants & Alberto Gonzalez: She Swallowed the Spider to Catch the Fly

Posted on September 17, 2009 by Aaron Wright

In August, Albert Gonzalez was indicted for the theft of credit and debit card information from Hartland Payment Systems, the largest known breach of its kind, while awaiting trial for a similar attack against TJX, the second largest known breach of its kind. Last week, Gonzalez pleaded guilty to nineteen charges relating to his role in the TJX breach (see Gonzalez's 2008 indictment (.pdf) for list of the various charges).

One of the most interesting facts that has come out about Mr. Gonzalez in the wake of news that he was responsible for the Heartland incident is that he was employed by the Secret Service as an informant in the TJX matter. It appears that Mr. Gonzalez first became an informant when he was arrested in 2003 as the leader of an identity theft ring, and he apparently continued to work as an informant for the government even while he was allegedly committing these thefts.

Interestingly, there are some indications that Mr. Gonzalez may have been aided by another government informant in committing the Heartland attack. The indictment for the Heartland attack lists an unindicted coconspirator by initials only, which means, in the words of Mark Rasch, a former Justice Department cyber crime prosecutor, “[I]t's quite likely that the government is using an informant against Gonzalez, their previous informant.” So, of the four people the government believes to have been involved in the Heartland attack, fully half of the alleged hackers (and the only Americans believed to have been involved in the attack) were apparently employed by the Federal Government to help prevent attacks of just this sort.

Links:

AP, “Man Charged with Stealing 130M Credit Card Numbers in Record Identity Theft”, Devlin Barrett, 8/18/09 (as reprinted in the Chicago Tribune).
NPR, “Massive ID Theft Charges Betray Government Trust”, Interview of Mark Rasch by Scott Simon, 8/22/09.
Security, Privacy, and the Law, “Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted” Jeff Bone, 8/18/09.
Snitching Blog, “Committing Crime While Working for the Government”, Alexandra Natapoff, 8/18/09.

Tags: Albert Gonzalez, Cybersecurity & Cybercrime, Heartland Payment Systems, Secret Service, TJX, informant, snitch

Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for "Pre-Release" Music

Posted on September 10, 2009 by Gabriel M. Helmer

Yesterday, a federal indictment issued charging four individuals for their role in the "Rabid Neurosis" or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release. According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS obtained and distributed a number of notable albums before they were released, including "Blue Print 2" by Jay-Z, "Encore" by Eminem and "How to Dismantle an Atomic Bomb" by U2.

The indictment claims that Adil R. Cassim, who used the handle "Kali," was the leader of RNS, while Matthew D. Chow ("RL"), Bennie L. Glover ("ADEG") and Edward L. Mohan, II ("MistaEd") all played high-level roles in the group. According to federal investigators, these individuals set up and maintained a number of file transfer sites containing thousands of copies of copyrighted music, movies, video games and commercial software. The Department of Justice press release states that, if convicted, the RNS Four face five years of jail time and a $250,000 fine.

Tags: ADEG, Adil R. Cassim, Bennie L. Glover, Cybersecurity & Cybercrime, Edward L. Mohan, II, FBI, Incident of the Week, Kali, Matthew D. Chow, MistaEd, RNS, Rabid Neurosis, copyright

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant's Penetration Testing)

Posted on September 3, 2009 by Gabriel M. Helmer

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware. The NCUA warned "Should you receive this package or a similar package DO NOT run the CDs." The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union.

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam. When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants. "I thought, 'Finally this is in the wild, because I've only seen it in pen tests before.'"

Tags: Cybersecurity & Cybercrime, Fraud Alert, Incident of the Week, Johannes Ullrich, Legislation & Regulation, MicroSolved, NCUA, National Credit Union Administration, SANS, penetration testing

Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted

Posted on August 18, 2009 by Jeff Bone

According to a press release from the United States Attorney's Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history." According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co.," and also hacked into two unidentified corporate victims.

Note that this is the same Albert Gonzalez that is awaiting trial for his role in the notable attack suffered by TJX that is now only the second largest known breach of its kind.

The indictment alleges that, between October 2006 and May 2008, Gonzales and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies. They would then travel to retail stores of potential victims to identify point of sale terminals (checkout machines) and learn about potential vulnerabilities of those systems. P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used. According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack. Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims' networks using various methods, including SQL injection attacks, which is a well-known attack that exploits security vulnerabilities between an online interface and the back-end customer database.

Once they had hacked into the computer networks, the conspirators placed malware on the victims' networks that enabled them to access the networks at a later date. They would then find credit and debit card data and transmit it to servers they controlled. At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators. The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims' networks. The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims' networks that could evade anti-virus software and would erase traces of the malware's presence on the networks.

Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater. According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft.

While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review information security measures. While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing check out registers and visiting corporate websites. [Editor's note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000, see FTC's enforcement action against Guess? and comments by the FTC's chief privacy officer. If your company has not hardened its website to these attacks, it may be assuming an undue risk.] Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes. Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.

Links:

Tags: 7-Eleven, Albert Gonzalez, Cybersecurity & Cybercrime, DOJ, FTC, Hannaford Brothers, Heartland Payment Systems, Incident of the Week, U.S. Attorney, credit cards, data theft, hacking, malware

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Posted on August 13, 2009 by Gabriel M. Helmer

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft. The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometime install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network.

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network. During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know." As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California. He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victim's names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work. Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and instead shipped a box containing a book and a glass vase instead of a computer. Working with Seattle Police, the victim set up a meeting with Wood and he was arrested. Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General. The Kings County Sherriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation.

Wood pled guilty to violations of federal laws governing identity theft (18 U.S.C. sec. 1038(A)), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)). He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).

Tags: Computer Fraud and Abuse Act, Craigslist.com, Cybersecurity & Cybercrime, FBI, Frederick Eugene Wood, Identity Theft, Incident of the Week, Seattle, Seattle Police Department, Secret Service, Social Security Administration, Washington, Wire Fraud

Incident of the Week: Lativan Internet Service Provider Shut Down After Being Linked to Cybercrime Ring

Posted on August 6, 2009 by Gabriel M. Helmer

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities. Among the many activies allegedly conducted through Real Host were the use of malware to steal banking credentials, SPAM email campaigns and the service provider was running command and control servers for the Zeus botnet (i.e., millions of infected computer slaves or "bots" used by cybercriminals to steal information and attack other computers). The expert who linked Real Host to these activites and who goes by the pseudonym "Jart Armin," told Network World in an interview that Real Host may be "one of the top European centers of crap." Armin's site, HostExploit.com, has published a report on the rogue ISP (requires registration) and even has an abstract video of the take-down occuring.

The take-down of rogue ISPs by upstream service providers has become more common in the United States with the removal of Atrivo and McColo, two service providers shut down at the end 2008. Where service providers did not take action, the Federal Trade Commission filed suit in federal court in California in June of this year to remove the rogue ISP Pricewert/3FN. The complaint filed by the FTC (.pdf) alleged that, in becoming an active participant in a range of cybercrimes, the ISP committed unfair or deceptive acts or practices in violation of the FTC Act, 15 U.S.C. sec. 45(a). (Note also that the temporary restraining order and preliminary injunction entered in that action not only shut down the ISP, but also ordered the seizure of assets and a number of other extraordinary protections.)

Links:

HostExploit.com, and its report on Real Host (requires registration)
Network World's story on the shut down of Real Host

Tags: 3FN, Atrivo, Cybersecurity & Cybercrime, FTC, ISP, Incident of the Week, Jart Armin, Junik, McColo, Pricewert, Real Host, TeliaSonera, botnet

Secret Service and Europe Plan a Cybercrime Task Force

Posted on July 20, 2009 by Jeff Bone

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking. Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level." While it may seem odd at first for the Secret Service, whose most obvious mission is to protect members of the U.S. government and visiting heads of state, to be involved in a fight against cybercrime, the agency actually has a dual mission: both to protect heads of state and "to safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy. Moreover, Congress has given the agency authority to investigate offenses under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030(d).

The task force will be named the European Electronic Crime Task Force, will be based in Rome and, according to Italian police, will be open to other European countries. Its main focus will be to combine the resources and efforts of the United States and European Union nations in order to fortify cyber-defenses for government sites hosting sensitive data. The Italian Postal Service (and, presumably, other entities that decide to contribute) will exchange alerts with the Secret Service, monitor computer networks across Europe using Italian Postal Service software for threats, and coordinate to quickly respond to attacks. According to the articles, the Italian Postal Service now makes more money from banking and insurance services than from traditional sending of letters and packages. Given this shift in focus, it has developed a software that can review electronic monetary transfers for suspcious signs.

Ironically, and as discussed in more detail elsewhere, the announcement of this new task force came just a few days before the Secret Service's website, along with the websites of the Treasury Department and Federal Trade Commission, were paralyzed due to cyberattacks, which government officials speculate originated from North Korea. Perhaps the Secret Service should have first established a task force with Asia?

Links:

Tags: Cybersecurity & Cybercrime, Europe, Identity Theft, Secret Service, cybercrime, cybersecurity

Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents

Posted on July 16, 2009 by Gabriel M. Helmer

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter's internal company documents. The hacker, who goes by the handle "Hacker Croll," has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called "Final Tweet" and a February 2009 financial forecast. Many wait to see what other documents will come to light while TechCruch negotiates with Twitter's lawyers.

Postings on the French website Korben.info claim that Hacker Croll obtained a list of employees, along with employees' credit card numbers, telephone numbers, meeting reports, time sheets, salary information, confidential Twitter contracts with Microsoft, Nokia, Samsung and other companies, as well as a list of celebrity "High Profile Users." (an English translation of the French website is available here).

Twitter's Evan Williams stated "This had nothing to do with the security of twitter.com, and there were no user accounts compromised here." This was reiterated in Biz Stone's post on the Twitter blog, appropriately entitled "Twitter, Even More Open Than We Wanted." Stone notes "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

This is not the first time that poor password security has led to a noteworthy breach (see WIRED Magazine's account of how one hacker used publicly available information to hack into Sarah Palin's email). This may serve as a good reminder to many of us that we may want to take the time to change our passwords today (and select a combination with at least 6 characters, at least one capital letter and at least one number).

Links:

TechCrunch's report and follow up posts on Final Tweet and Twitter's financial projections
Twitter Blog Post, "Twitter, Even More Open Than We Wanted"

Tags: Biz Stone, Cybersecurity & Cybercrime, Evan Williams, Final Tweet, Hacker Croll, Incident of the Week, TechCrunch, Twitter

U.S. and South Korea Targeted in Ongoing Denial of Service Attacks

Posted on July 8, 2009 by Aaron Wright

On the 4^th of July an organized series of Denial of Service (DOS) attacks were launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and Nasdaq stock exchange). [If you are wondering what a DOS/DDOS attack is, brief explanations are available from U.S. Computer Emergency Response Team (CERT) and CNET.]

The U.S. government routinely faces threats like these (note coverage of prior events in 2001 and 2000), but the recent attacks have been especially long lasting, apparently very well coordinated and sophisticated, and “remarkably successful”. In fact, a number of government websites were brought down over the weekend and some are still experiencing service problems as a result of this attack. [As of this posting, the FTC website is still showing signs of overload.] Of particular note is that the website of at least one agency charged with investigating cybercrime violations in the United States, the Secret Service website, was successfully brought down by this attack.

At the moment, the source of the attack is unknown, but some are reporting that North Korea is behind the attack. In particular, there is some suggestion that North Korea may be running a “cyber warfare unit” which is tasked with hacking into military websites and disrupting traffic to those sites. If such reports are accurate, then we have seen a demonstration that a hostile government has the capability to disrupt traffic to government websites, even the websites of government agencies involved in cyber security. Of course, the apparent impact of these attacks has been minimal, they have effectively disrupted the use of public websites, but there appears to be little lasting impact.

U.S. officials have not issued any public comment on the attacks.

Links:

Baldor, Lolita C., AP, at Boston Globe, “White House Among Targets of Sweeping Cyber Attack”
SANS Internet Storm Center coverage
CNet News, 2/9/00, “How a Denial of Service Attack Works”
MSNBC, 7/8/09, “North Korea Blamed for ‘Massive’ Cyber Attacks” part 1 and part 2
Secret Service website

Tags: Cybersecurity & Cybercrime, DOS, Denial of Service, FTC, North Korea, Secret Service, Treasury Department, cybersecurity, government

Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before "Devil's Day" Attack

Posted on July 2, 2009 by Gabriel M. Helmer

This week, the U.S. Attorney's Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital's computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

McGraw had given his one week notice to hospital security contractor, United Protective Services, and was scheduled to depart on July 3, 2009. His intrusion into hospital systems was allegedly made in preparation for a larger attack on July 4th, a day he referred to as "Devil's Day." The story behind the arrest is laid out in the criminal complaint and supporting affidavit filed in federal court (.pdf); however, a number of other details have emerged over time that demonstrate how vulnerable many institutions may be to insiders.

Tags: Carrell Clinic, Cybersecurity & Cybercrime, Electronik Tribulation Army, GhostExodus, Healthcare Industry Spotlight, Incident of the Week, Jesse William McGraw, Texas, United Protective Services, Inc., Wesley McGrew, XXxxImmortalxxXX

Conficker Worm Still Lurking, Threat Remains

Posted on June 29, 2009 by Ramzi Ajami

While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief.

Conficker (also known as Downup, Downandup, Conflicker, and Kido), a computer worm that attacks Microsoft Windows operating systems, was pegged by the media to wreak havoc worldwide on April Fool’s Day of this year. In the weeks leading to what some experts dubbed our “digital Pearl Harbor,” numerous reports surfaced documenting the sheer scope of the worm’s reach: in addition to infecting millions of Windows operating systems worldwide, the worm also reportedly infiltrated the French government’s naval systems – forcing the French to ground their warplanes – and the British Parliament’s computer network.

Despite the massive media furor, April Fool’s Day passed with relatively little disruption. However, recent reports suggest that Conficker not only remains active – but that it has begun its bid to steal users’ private and financial information.

Tags: Conflicker, Cybersecurity & Cybercrime, Downandup, Downup, Kido, Microsoft, Windows, conficker, scareware, virus, worm

FTC Chairman Pushes for Increasingly Specific "Self" Regulation of Behavioral Advertising

Posted on May 20, 2009 by Stacy Anderson

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups. Consumers' concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled, to the impact of behavioral advertising on vulnerable consumers. In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.

Tags: Cybersecurity & Cybercrime, FTC, Legislation & Regulation, behavioral advertising,, privacy

How far do anti-hacking statutes extend?

Posted on May 12, 2009 by Aaron Wright

An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, OCR Ann. §2913.04, which criminalizes unauthorized access to protected computers. In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual activity, had exceeded his authorized access to the computer and was guilty of the felony of “unauthorized use of property; computer, cable, or telecommunication property or service” (or “hacking”). The court concluded that the employee has exceeded his authorized access despite the fact that there was no city computer use policy or software that placed limits on employees' use of city computers.

This ruling, which appears to expand the scope of anti-hacking statutes, has been criticized in the media. For a detailed analysis of the case, see the Wired article “Court Upholds Hacking Conviction of Man for Uploading Porn Pics from Work Computer”

Links:

18 U.S.C.A. §1030
OCR Ann. §2913.04
Ohio v. Wolf (pdf)
Scott Lowe, 5/11/09, TechRepublic, “Visit an adult site at work and go to prison”
Kim Zetter, 5/7/09, Wired, “Court Upholds Hacking Conviction of Man for Uploading Porn Pics from Work Computer”

Tags: 18 U.S.C.A. § 1030, CFAA, Computer Fraud and Abuse Act, Cybersecurity & Cybercrime, Ohio v. Wolf, hacking

Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database

Posted on May 5, 2009 by Colin J. Zick

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password." Neither the Wikileaks site nor the Virginia site is not accessible as I write this. A spokesman for the FBI's Richmond, Virginia office said today that the agency was investigating a referral from the Virginia Information Technologies Agency. Assuming this breach is real, it carries with it a certain amount of irony, in that encryption is being used as part of the extortion plot. Could this breach have been prevented? It is also hard to believe that hackers would be able to access the backup files as well. There are more questions than answers at this point, but there will surely be lessons to be learned.

Tags: Cybersecurity & Cybercrime, Encryption, breach, prescription, ransom

Cyberespionage Threats Driving New Military Cybersecurity Command

Posted on April 22, 2009 by Andrew Orsmond

Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare. The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security's National Cyber Security Division (NCSD), the lead agency for domestic cybersecurity efforts.

This development is not surprising, given that cyberespionage is a rapidly growing and serious threat. Earlier this month, the Wall Street Journal published a story on cyberespionage attacks originating from China against the U.S. power distribution grid (reported earlier in this blog). And yesterday the Journal reported that computers holding data concerning both the developmental F-35/Joint Strike Fighter (JSF) and the United States Air Force's air-traffic-control system had been breached. In the case of the Joint Strike Fighter breach, it appears that hackers were able to copy several terabytes of design information on the aircraft, potentially including information relating to its electronics system. Lockheed Martin, the lead contractor in the Joint Strike Fighter program, disputes the article's representation of successful attacks, claiming that "there has never been any classified information breach."

Tags: Computer Network Attack, Computer Network Operations, Cyberespionage, Cybersecurity & Cybercrime, Cyberwarfare, GhostNet, Information Warfare, National Cyber Security Division, National Security Agency

New Law Would Require ISPs to Retain User Logs and Subscriber Records for Two Years

Posted on April 10, 2009 by Stacy Anderson

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today's Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years. Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address." According to a recent announcement from Senator Cornyn, the new retention provision is needed to enable law enforcement officers to identify individuals involved with online child pornography. Several privacy advocates have taken issue with the bill’s data retention requirements. According to senior attorney with the Electronic Frontier Foundation, Kevin Bankston, those requirements “unnecessarily threaten the privacy and anonymous speech rights of every law-abiding internet user” and would “create vast new troves of data vulnerable not only to government overreaching but also to any civil litigant wielding a subpoena.”

The legislation has been referred to committee in the House and Senate.

Links:

Tags: Cybersecurity & Cybercrime, EFF, Electronic Frontier Foundation, Internet SAFETY Act of 2009, John Cornyn, Lamar Smith, Legislation & Regulation, Stopping Adults Facilitating the Exploitation of Todays Youth, data retention, internet service providers

Cyberspies Penetrate U.S. Power Grid

Posted on April 9, 2009 by Jeff Bone

According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system. According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system. More importantly, the intruders could attempt to damage the system during a war or other national security crisis.

Evidently, there have been a growing number of intrusions over the past year, most of which were detected by intelligence agencies and not the companies actually in charge of the infrastructure. According to officials, the software left behind "could be used to destroy infrastructure components," and "water, sewage and other infrastructure systems were at risk." These same officials cautioned, however, that "the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger."

The Journal also notes that "protecting the electrical grid and other infrastructure is a key part of the Obama's administration cybersecurity review, which is to be completed next week" (Aaron Wright's post on this blog regarding the review can be found here). One also wonders if news of this breach will increase momentum for a cybersecurity bill recently introduced in the Senate (see my post here). That bill would give the President power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network (which would presumably include the electricity grid) and would also require that infrastructure companies meet new security standards.

Links:

Wall Street Journal Article: "Electricity Grid in U.S. Penetrated by Spies"

Tags: Cybersecurity & Cybercrime, Wall Street Journal, government, infrastructure, legislation

New Cybersecurity Legislation Introduced in the Senate

Posted on April 8, 2009 by Jeff Bone

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation. Last week the Senators introduced two bills. The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President. The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network. The other provisions of the legislation are summarized in my previous post.

Whether the legislation has any chance of passing remains to be seen. However, some groups are already criticizing aspects of the legislation. The President of the Center for Democracy and Technology, for example, has stated "[t]he cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy." The bills have been referred to the Committee on Homeland Security and Government Affairs.

Links:

A draft of S.778 (.pdf)
A draft of S.773 (.pdf)
The CDT's post on the legislation can be found here.
April 6, 2009 Computerworld Article: "Yet Another Government Attempt At Cybersecurity"

Tags: Bill Nelson, Center for Democracy and Technology, Cybersecurity & Cybercrime, Cybersecurity Act of 2009, Executive Office of the President, Jay Rockefeller, Legislation & Regulation, Office of National Security Advisor, Olympia Snowe, S. 778, S.773, internet

Big Bump in Federal Cybersecurity Spending?

Posted on April 7, 2009 by Aaron Wright

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation's computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to be in the billions of dollars annually and that future attacks could cause physical harm or serious financial chaos.

While future spending levels will not be set until after the White House's 60-day review of the nation's information infrastructure is completed, the potential move has sent major defense contractors and consulting groups scrambling to capture a share of the potential spending. The Journal reports that defense contractors are adding, growing, and consolidating their cybersecurity capabilities and bumping up against already established consulting firms in the process. Foreign defense contractors are also apparently looking to become involved and are buying smaller firms and making strategic hires to position themselves.

Links:

Tags: 60-day review, Cybersecurity & Cybercrime, Data Breach, Wall Street Journal, government

OPSEC, Data Security and A-Rod

Posted on March 31, 2009 by Andrew Orsmond

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players, but numerous athletes from other sports whose drug test results were seized by government investigators in 2004. Yet the entire story might never have existed had good OPSEC practices been in place.

OPSEC – an acronym for Operations Security – is one of the cornerstones of counterintelligence strategy. The Department of Defense definition of OPSEC (.pdf) is “a process of identifying critical information and analyzing friendly actions . . . and other activities to (1) identify actions that can be observed by adversary intelligence systems, (2) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries, and (3) selecting and executing measures that eliminate or reduce… the vulnerabilities of friendly actions to adversary exploitation.” But OPSEC does not just apply to military organizations. It should be a foundational principle for all security architecture.

Tags: A-Rod, Alex Rodriguez, BALCO, Bay Area Laboratory Co-operative, Comprehensive Drug Testing, Cybersecurity & Cybercrime, Data Breach, MLB, Major League Baseball, OPSEC, Quest Diagnostics, Security Programs & Policies, drug testing

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama's Passport Records

Posted on March 25, 2009 by Aaron Wright

Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information including social security numbers, phone numbers, emergency contact information, and photographs.

Tags: 'Department, Barack Obama, CFAA, Cybersecurity & Cybercrime, Data Breach, Dwayne Cross, Gerald Leuders, Government Enforcement, Lawrence Yontz, State", of, passport, personal information

Senate Drafting Cybersecurity Law - Seeks To Appoint National "Cybersecurity Czar"

Posted on March 24, 2009 by Jeff Bone

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports. The proposed legislation would also

require intelligence and Homeland Security officials to perform vulnerability assessments;
create a clearinghouse for information sharing between the government and private sector; and
fund scholarships for those interested in cybersecurity.

The proposed legislation follows on the heels of three incidents where computers in Senator Nelson's office were hacked . The current draft legislation contains provisions similar to those recommended by the Commission on Cybersecurity for the 44th Presidency, which released a report in December 2008.

Links:

The post on Senator Nelson's website can be found here.
The March 23, 2009 CNET News article, "A bill to shift cybersecurity to the White House" can be found here.
The December 2008 report from the Commission on Cybersecurity for the 44th Presidency is available here.

Tags: Bill Nelson, Cybersecurity & Cybercrime, Identity Theft, Jay Rockefeller, Legislation & Regulation, Olympia Snowe, hacking

Departing Employees Are Increasingly Stealing Company Information

Posted on March 19, 2009 by Jeff Bone

As discussed by Mike Rosen on Foley Hoag's Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.

As I posted back in early February, another recent report, this one from McAfee, concluded that the shrinking economy and growing ranks of unemployed were increasing incentives for insiders to steal confidential information. The Ponemon report seems to bear this out.

What's troubling is that the Ponemon report found that only "15% of respondents' companies review or perform an audit of the paper and/or electronic documents employees are taking. If they conduct a review, 45% say it was not complete and 29% say it was superficial." According to the McAfee report, however, 68% of the senior IT decision-makers surveyed cited insider threats as the top threat to essential information. Taking these two reports together, it appears that companies understand that their (and their customers') confidential information is vulnerable to insider threats, yet they are not taking the necessary steps to secure that information from departing employees. In this current climate, where data breaches are expanding (both in terms of numbers and size), it is imperative for companies to adopt and implement comprehensive approaches to ensure the security of proprietary information accessible to a departing employee and to minimize the accessibility of such information.

Links:

The Washington Post Article "Data Theft Common by Departing Employees" can be found here.
The cnn.com article can be found here.
The Ponemon report is available for download here (requires registration).
The post on the Ponemon report at the Massachusetts Noncompete Law Blog can be found here.

Tags: Cybersecurity & Cybercrime, Data Breach, Ponemon Institute, Symantec, employee, survey, theft