Security, Privacy and The Law : Security & Privacy Lawyer & Attorney : Foley Hoag Law Firm : Boston, Washington D.C.

22-year old U.S. Army intelligence analyst Bradley Manning is reportedly in custody in Kuwait after claiming that he sent 260,000 classified documents to the WikiLeaks website. According to WIRED, Manning, who served at Forward Operating Base Hammer near Baghdad in Iraq, made the admission after reaching out to former hacker Adrian Lamo in a series of Internet chats beginning on May 21st.  Manning ominously began the conversation with the following:

(1:41:12 PM) Bradley Manning: hi
(1:44:04 PM) Manning: how are you?
(1:47:01 PM) Manning: im an army intelligence analyst, deployed to eastern baghdad, pending discharge for “adjustment disorder” [. . .]
(1:56:24 PM) Manning: im sure you’re pretty busy…
(1:58:31 PM) Manning: if you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week was an unusually optimistic one for hundreds of thousands of Facebook users who found that their accounts were automatically endorsing numerous oddly entitled websites.  If you have been avoiding Facebook, your closest Facebook user (anyone under the age of 30 is a safe guess) can explain that one way users have to share things with their friends, including websites, musicians, television shows, ideas and other users, is to click the ever-present "Like" button.  Some have begun to call this new exploit "likejacking."

The culprit for this unintentional optimism appears to be a "clickjacking" worm that exploited a vulnerability in web browsers used to access the victim's Facebook account.  While the victim is logged in to Facebook, his or her account will spontaneously "Like" web links with titles such as "LOL This girl gets OWNED after POLICE OFFICER reads her STATUS MESSAGE."  As a result, a user's Facebook friends are encouraged to visit the sites.  Clicking the link will take users to a website that states "Click here to continue" and clicking the message apparently causes subsequent users' accounts to begin the same automatic referrals to their friends. 

If you have begun to notice that you are "Like"-ing websites more than usual, Sophos makes the following recommendation to users who have been infected:

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Yesterday, Facebook took down their Chat services to patch a flaw in Facebook's new privacy settings that allowed users to listen in on private chat conversations.  This apparently came hours after  TechCrunch EU blogger Steve O'Hear  taught the world how to exploit the flaw in his TechCrunch post and video.  O'Hear was "tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their 'friends'." 

Facebook rolled out its Facebook Chat feature in February of this year.  The service allowed users to send live text messages to other Facebook users on their "Friends" list.  The flaw apparently allowed users to listen in on these conversations, as well as see other private information about friends' Facebook accounts.

Once Facebook was informed of the exploit, Chat services quickly became unavailable.  A few hours later, Facebook provided the following statement:

For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.

This is an ironic twist in Facebook's recent efforts to combat criticism of the service by adding more advanced privacy features; however, the problem appears to have been resolved. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Yesterday, a federal grand jury in New York issued an indictment (.pdf) against Anthony Digati based on his threats to use spam email and the www.newyorklifeproducts.com domain to drag New York Life Insurance Company "through the muddiest waters imaginable."  Both the U.S. Attorney's Office press release (.pdf) and the FBI press release announced the indictment. 

Digati was arrested on March 8, 2010 for violations of 18 U.S.C. Sec. 875(d), which prohibits extortionate communications "containing any threat to injure the property or reputation of the addressee."

The resident of Chino, California, was a former agent and manager at New York Life, but the relationship apparently soured after Digati purchased a variable universal life insurance policy.  When Digati was disappointed by the financial returns on his investment, he began to demand a refund a refund of the $49,576 in premiums he had paid. These demands apparently escalated to around $200,000 and then $3 million.

When his demands were denied, Digati allegedly registered the www.newyorklifeproducts.com domain and threatened to use the site, along with his presence on social networking sites and spam email sent to millions of potential customers to smear New York Life.  The indictment provides some colorful excerpts from Digati's threats, including:

At this point, you're probably asking yourselves why should I even listen to this crazy fool, what can he do and why should I pay him.  NUISANCE VALUE is why, I am going to cause you millions of dollars in lost revenue, good faith and general trust in your company.

I have 6 MILLION emails going out to couples with children age 25-40, this email campaign is ordered and paid for.  2 million go out on the 8th and every two days 2 million more for three weeks rotating the list.  Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.

I am huge social networker, and I am highly experienced.  200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.

New York Life turned Digati's emails over to the FBI, who investigated and ultimately arrested him in California.  Digati faces a maximum sentence of 2 years in prison and $250,000 fine. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Wednesday, a federal grand jury in Maryland indicted Thomas A. Drake, a former employee of the National Security Agency (NSA), on charges that he emailed classified NSA documents and information to Siobhan Gorman, then a reporter for the Baltimore Sun.  Drake worked for the NSA first as a contractor and then as a high level employee in the NSA's Signals Intelligence Directorate between 1991 and 2008, when he resigned following the suspension of his security clearance. 

The 14-page indictment (.pdf) alleges that in 2005 Drake received Gorman's contact information from "Person A," an unnamed congressional staffer that had a "close, emotional friendship" with Drake.  Drake allegedly obtained an anonymous email account with Hushmail and contacted Gorman to "volunteer[ ] to disclose information about NSA." 

After Gorman obtained her own Hushmail account, Gorman allegedly emailed her hundreds of times with information about the NSA and its Signals Intelligence (SIGINT) activities.  Drake is also accused of smuggling classified documents out of the NSA, including his own handwritten notes, and doctoring documents so he could provide them to Gorman without the markings that identified the information as classified.  Based on these emails, Gorman published a series of articles between 2006 and 2007 that federal prosecutors claim contain classified information.  Drake is charged with violations of the Espionage Act, as well as lying to FBI agents, destroying evidence and obstructing the investigation of his activities. 

In its press release on Thursday, the U.S. Department of Justice stated that:

As alleged, this defendant used a secret, non-government e-mail account to transmit classified and unclassified information that he was not authorized to possess or disclose. As if those allegations are not serious enough, he also allegedly later shredded documents and lied about his conduct to federal agents in order to obstruct their investigation

The federal public defender representing Drake, James Wyda, told the New York Times that “Mr. Drake loves his country.  We look forward to addressing these matters in a public courtroom.”

Hushmail is an encrypted email service that allows users a certain level of anonymity.  Hushmail's website states:

Hushmail can protect you against eavesdropping, government surveillance, unauthorized content analysis, identity theft and email forgery. But using Hushmail does not put you above the law.

and

We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located.

From the face of the indictment in the Drake case, it appears that the FBI and federal prosecutors managed to obtain a court order in Canada to obtain the release of Drake's email archives.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In late February and early March, around 100 cars in and around Austin, Texas either would not start or would not stop honking.  This was apparently caused by 20 year old hacker, Omar Ramos-Lopez, who remotely triggered the vehicle immobilization system installed by dealership Texas Auto Center. 

Apparently the dealership installed the GPS-enabled devices so that cars can be immobilized and repossessed when a customer fails to make scheduled payments. The web-based system developed by Pay Technologies apparently lets auto dealerships trigger the horn and disable the car's ignition system from the relative safety of the Internet.  (Something you may want to be aware of if you are financing a car these days.)

Ramos-Lopez was laid off from Texas Auto Center in February (Wired reports this event as a "workforce reduction") and apparently retained a username and password to the dealership account.  Weeks later, he used the credentials from home to access the account and trigger the immobilization devices.  His reign of terror, which included changing customer names to "Tupac," was apparently somewhat modest.  While he had access to all 1,100 cars in the system, the 100 cars affected were the result of Ramos-Lopez going through the customer database in alphabetical order.  Austin's High Tech Crime Unit arrested Ramos-Lopez on Wednesday after police traced the IP address he used to his home.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week the Incident of the Week title decisively goes to the Israeli soldier who updated his status on Facebook to identify the secret military raid on a town in the West Bank.  His status apparently read: "On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home" and provided the exact time of the raid.  After detecting the clear breach of OPSEC, the Israeli Defense Force (IDF) canceled the raid and jailed the soldier for 10 days. 

The IDF has apparently begun distributing posters depicting a fake Facebook page with friend requests from Iranian and Syrian presidents as well as a Hezbollah chief with the question: "You think everyone is your friend?"

• Email This
• Print
• Comments
• Trackbacks
• Share Link

1.  Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn 

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities.  On January 14, 2010, commuters on Moscow's Garden Ring Road passed a large-scale video screen and instead of the normal commercial advertisements saw two minutes of hard-core pornography.  The video, as well as the resulting traffic problems, was thanks to a hacker who is described as a 40 year old, unemployed man living in Novorossiisk.  Apparently, the hacker directed his attack from computers in Chechnya believing that Russian authorities would not bother to track him down.  A month later, the hacker is pleading guilty to criminal charges, insisting that  "he only wanted to entertain people."

2. China Shuts Down Largest Hacker Training Site

Last week, Chinese officials arrested three individuals allegedly responsible for running the Black Hawk Safety Net, a website that was known as the largest hacker training site in China.  The site apparently disseminated training materials and offered users the ability to download virus software, trojan programs and other hacker tools.  According to China Daily, Black Hawk Safety Net had more than 170,000 users and collected more than 7 million yuan in membership fees by the time authorities shut it down.  Authorities seized $1.7 million yuan, 9 servers and one automobile in the raid.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week cryptographers Karsten Nohl from University of Virginia and Erik Tews of the Darmstadt University of Technology announced that they had broken the DECT encryption standard.  Who cares, you ask?  The Digital Enhanced Cordless Telecommunications or DECT standard is what prevents someone parked outside your house from being able to listen in on telephone conversations you are having on your 1.9 GHz DECT cordless phone.  (So, that's what that label on the receiver means.) 

Nohl told Dan Goodin from The Register that he cracked the code by putting the DECT chip under the electron microscope and then comparing his findings with information disclosed in the published patent(s).  According to Nohl, it might take him 4 hours of monitoring to listen in on a particular telephone call, but only 10 minutes to crack the DECT encrypted credit card transmissions at a restaurant.  Even more worrisome, is Nohl's expectation that better hackers are likely to be able to decode these transmissions even more quickly.  "We expect that some smarter cryptographers than ourselves will find better attacks, of course. . . We found the algorithm and then implemented the first attack. It's almost guaranteed that this is not the best attack."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with program to decrypt common wireless network signals.  Well, they're back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices.  In other words, if someone obtains access to the computer you use to sync your iPhone they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache."  And while the program is in beta testing, Elcomsoft is even giving the program away for free. 

The program apparently uses the computing power of the latest generation of video cards to perform a dictionary or "wordlist-based attack" to recover the password needed to unlock the backup files.  This means that if your password can be found in a dictionary or a hacker's wordlist, there is a program out there that will unlock it.  With technology like this out there to decode commercially available encryption schemes, the best protection we may have is to select a sufficiently complex password to defeat wordlist based attacks (and not to use the same password for all your online activities as Twitter's recent incident and Trusteer's recent survey (.pdf) have suggested are rampant problems). 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A report entitled A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, FBI routinely "circumvented the requirements of the Electronic Communications Privacy Act (ECPA)" by using so-called "exigent letters" to obtain telephone call data from telecommunications companies.  The ECPA, 18 USC Sec. 2702, provides that service providers will not provide customer data to government authorities, absent a national security letter signed by the Director of the FBI or a subpoena. 

The 700+ "exigent letters" examined by the OIG became common after the terrorist attacks on September 11, 2001.  In reaction to the attacks, a telecommunications company (referenced as "Company A" in the report) provided a "fraud detection analyst" to the FBI's New York field office to access telephone records in response to subpoenas from the U.S. Attorney's Office.  Apparently, over time the Company A analysts began to provide the requested customer data in response to "placeholder" letters signed by FBI special agents while the grand jury subpoenas were in the process of being obtained.  These letters, which claimed "exigent circumstances" and requested the production of customer data before the submission of a subpoena, became known as "exigent letters."  When the FBI's investigation moved to Washington, D.C., three service providers moved analysts into the FBI's offices to respond to the requests for telephone data covered by the ECPA.  

Observations from the OIG report include:

• The "concept of using exigent letter originated as a time-saving technique" in the wake of 2001 terror attack, but over the years the embedding of service provider analysts with the FBI "led to a culture in which exigent letters and other even less formal and equally inappropriate requests for information became the [FBI Communication Analysis Unit's] accepted and customer method of conducting business."
   
• Some letters called for the production of thousands of telephone numbers and customer transaction data.
   
• OIG concluded that exigent letters were issued and customer records were obtained even though the "circumstances . . . were not exigent," including "media leak investigations . . . and other investigations that did not include exigent or life-threatening circumstances."
   
• The FBI special agent responsible for signing over 100 exigent letters told OIG investigators "that the communications service providers' employees often gave him exigent letters to sign after he had already been given the requested records -- and he simply signed the letters.  This SSA also said that while he realized the exigent letters inaccurately states that grand jury subpoenas had been submitted, he signed the letter because he 'thought it was all part of the program coming from the phone companies themselves[.]'"
   
• Another FBI special agent responsible for a large number of the letters told the OIG that the telecommunications analyst from "Company A" informed him about the letters and told him that the letters had been approved by legal counsel.
   
• When asked, the FBI unit chief described the exigent letters as "standard operating procedure."
   
• Telecommunications company analysts interviewed by the OIG described pressure from the FBI to accept the "placeholder" exigent letters.  One noted: "personally, it wasn't my place to police the police."
   
• FBI sought court orders under the Foreign Intelligence Surveillance Act (FISA) using customer data obtained through exigent letters in violation of the ECPA.  Howeveragents mischaracterized how the FBI had obtained the data -- suggesting that the data had been properly produced in response to a national security letter or subpoena.
   
• OIG "found that numerous, repeated, and significant management failures led to the FBI's use of exigent letters and other informal requests for telephone transactional records over an extended period of time."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleging that Navone had failed to implement physical and electronic security procedures and or take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Federal Credit Reporting Act (FCRA) and Navone's own information security policy which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

 2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that we would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will.  He and his computer in many ways became one: he though in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the "underwear bomber."  This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23 year old Nigerian man identified as Umar Farouk Abdulmutallab apparently ignite an incendiary or explosive device in his lap while he was sitting on Northwest Airlines Flight 253 to Detroit.  While no passengers were harmed, the same cannot be said for the would-be bomber's lap, which combusted.  In reaction to the attack, issued Security Directive 1544-09-06 directing TSA airport officers to pat down 100% of all passengers, "concentrating on upper legs and torso," with the notable exception of heads of state. 

Two days later on December 27, 2009, the TSA Security Directive was posted to the Flying with Fish blog run by Steven Frischling and Chris Elliot's blog at Elliot.org.  TSA was not pleased with this attention.  Apparently, the TSA considered the Security Directive secret, even though it was sent to thousands of airports and airlines around the world and arguably was somewhat obvious to anyone in an airport around Christmas-time.  The agency launched an immediate investigation, sending agents and subpoenas to Frishling's and Elliot's homes (the text of which is available at his blog). 

Frischling ultimately cooperated with the probe, gave them access to his BlackBerry, iPhone and computers and let TSA agents know that his source had contacted him anonymously using a free email service. 

Then an unusual message appeared on blogger Steven Frischling's Twitter account:

To the gentleman who sent Flying With Fish the TSA Security Directive … Thank You! Can you drop me an email?I have a question. Thanks-Fish.

According to sources interviewed by Wired, a TSA agent took possession of Frischling's BlackBerry, typed the Twitter update into the device and then directed Frischling to click on the “send” button to post the message to his Twitter page.  According to Wired's source, this was an attempt to induce the anonymous informer to send Frischling an email and draw him or her out of hiding.  Of course, implicit in this strategy is that the TSA already had or expected to gain access to Frischling's email, as well.  The TSA deny this account.  Other bloggers, such as TechCrunch's Michael Arrington, have pointed the finger at Frischling and have criticized him for caving to government pressure and cooperating in the effort to oust his own confidential source.

No doubt, the TSA is under considerable pressure to heighten its security since early December, when an employee inadvertently posted online the agency's highly classified airport security operating manual.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

1.  Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, popular social networking site Twitter, was apparently hacked by a group calling themselves the Iranian Cyber Army.  Iran and Twitter have had a rocky relationship since last summer when Iranian citizens spread the protests over Iranian elections to the popular web site.  During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites.  Given the name adopted by Twitter's hackers, it may be no coincidence that the New York Times interview with a U.S. computer security expert in June 2009 described the Twitter DoS attacks as allowing Twitter users to "'become part of the cyber-army,' in Iran."

2. $26 Russian Software Has Been Intercepting U.S. Military Drone Video Feeds In Iraq

Ever since Iraq invaded Kuwait in 1990, we laypeople have been introduced to video from U.S. military missiles right before something like a building exploded in fuzzy black and white.  Then came more advanced military drones, remote controlled airplanes, with greater resolution and improved arsenal.  If you have been craving some low res military action, it may only cost you a satellite dish and $26.  Using a $26 software package developed by Russian software company called SkyGrabber, Iraqi insurgents have reportedly been tapping into live video feeds from U.S. drone aircraft.  This news comes from a U.S. official speaking anonymously with the Wall Street Journal who reported that U.S. troops have recovered laptops used by the insurgents with "days and days and hours and hours" of intercepted military video. 

The SkyGrabber software, which allows users to tap into unencrypted satellite connections, apparently has been successfully used against the military feeds because they were (you guessed it) unencrypted.  U.S. military officials commented to CNN that encrypting the signals is problematic because it slows down video transmissions that need to be seen by a number of different operators at the same time.  Query as to whether having your adversaries monitoring your battlefield surveillance will justify adding encryption to the military's systems.  (Just remember when you do that another Russian software application is capable of decoding the WPA encryption standard.) 

Lest we begin criticizing the military too strongly, however, a moment of self-reflection might be worthwhile.  The next time you connect to the Internet using a wireless connection, whether at home or at a coffee shop, ask yourself whether you are taking any precautions to prevent your activity from being intercepted or whether you are just rolling the dice that no one in 100 yards has purchased some software from Russia recently.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Compared to security breaches that involve credit card and bank account information, other breaches in security often get somewhat shortchanged in the media, notwithstanding the occasional hack of a celebrity cell phone.  The same cannot be said of the purloined emails one hacker posted online that are alleged to the the back and forth between climate change researchers at the University of East Anglia in the United Kingdom which are at the center of new controversy in public debate over climate change.  

In November, an anonymous user posted 160 MB of email, over 1000 pieces of correspondence from the University's Climatic Research Unit (CRU), to a Russian FTP site.  While it remains unclear whether all of the published emails are accurate, Phil Jones, the Director of the CRU at the time of the hack, has stated that at least one of the emails is genuine, but "has been taken completely out of context."  Other emails appear in various forms on a number of websites (see sites here and here).  At the heart of the storm are comments deriding climate change skeptics and a reference to one statistical operation as a "trick."

Climate change naysayers have seized on the opportunity to call into question whether global warming is in fact caused by human activities.  Republican Representative James Sensenbrenner of Wisconsin recently stated that the leaked emails "read more like scientific fascism than scientific process."  Others have described the leak as part of a smear campaign intended to undermine efforts to reform fossil fuel emissions and other environmental standards.  Also useful to note, if not humorous, is RealClimate's observation that:

More interesting is what is not contained in the emails. There is no evidence of any worldwide conspiracy, no mention of George Soros nefariously funding climate research, no grand plan to ‘get rid of the MWP’, no admission that global warming is a hoax, no evidence of the falsifying of data, and no ‘marching orders’ from our socialist/communist/vegetarian overlords. The truly paranoid will put this down to the hackers also being in on the plot though.

The controversy, now dubbed "Climategate," recently led to Phil Jones resignation as Director of the CRU. 

Links:

• University of East Anglia's November 24, 2009 announcement of the breach
• Andrew C. Revkin, Hacked E-Mail Is New Fodder for Climate Dispute, New York Times, November 20, 2009
• CNN Coverage of the Climategate story
• RealClimate's November 20, 2009 Posting
• Wikipedia's well-annotated entry

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week.  On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using "spear phishing" attacks -- personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software.  "Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link." 

While the FBI indicates that it may not be possible to flag the emails attacks themselves, system administrators will be able to detect the malware infection once a computer has been compromised:

Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’; e.g. http://d.ueopen.com/srhost.exe. Any traffic associated with ‘ueopen.com’ should be considered as an indication of an existing network compromise and addressed appropriately.

The FBI has asked that firms that have detected a breach direct incident response notifications to the Department of Homeland Security and U.S. CERT.

FBI unit chief Bradford Bleier commented to the Associated Press: "Law firms have a tremendous concentration of really critical, private information," and infiltrating those computer systems "is a really optimal way to obtain economic, personal and personal security related information." 

Allen Paller, director of research at SANS Institute, told reporters that an attack on a major New York law firm in 2008 has been linked to a group of Chinese hackers.  Paller told the AP that the hackers going after law firms, "often target companies that are negotiating a major international deal -- anything from seeking a patent on a sensitive new technology to opening a plant in another country."  "The best documents to steal are in the law firm that represents that company."

As hackers become more organized and strategic, law firms may need to reassess the risks they face in light of the value of the information they manage for their clients. 

Links:

• FBI e-Scams News Release
• Lolita C. Baldor, FBI says hackers targeting law firms, PR companies, Associated Press (Nov. 17, 2009)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers.  According to the FTC, the breach occurred because ChoicePoint implemented a security tool designed to detect unauthorized access to its databases, but "failed to detect that the security tool was off" for a period of four months.  Apparently, during this outtage, "an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers."  The unauthorized access apparently occurred between August 8, 2008 and September 8, 2008.  According to ChoicePoint, the incident occurred because "a former ChoicePoint government customer failed to properly safeguard one of its user IDs."  (See ChoicePoint's news release.) ChoicePoint voluntarily approached the FTC when it discovered the breach. 

ChoicePoint, which suffered a more significant breach in 2005, was already subject to a 2006 order requiring that the company implement a comprehensive information security program.  (See the FTC's materials on the prior breach.)  The FTC and ChoicePoint dispute whether the current breach was the result of failing to meet its security obligations under the 2006 order.  The supplemental stipulated judgment entered this week (.pdf) provides that ChoicePoint will pay $275,000 into a fund to redress potential harm to consumers and submit to biennial security assessments.

This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools. In practice, many companies react to information security regulations by purchasing a suite of security products. But are these tools being utilized effectively? At least according to the FTC, companies may face sanctions if their adopted security measures are not turned on and managed appropriately.

Links:

• ChoicePoint, Inc. announcement
• FTC announcement
• FTC site on enforcement efforts against ChoicePoint, Inc.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its  software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.  This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms.  British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly).  New leaps in computing power has changed this landscape.  Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on high-powered parallel processors used in consumer graphics cards.  The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop).  As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily. 

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has “a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months."  In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm Leach Blilely Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat.  Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.

Links:

• ElcomSoft Co. Ltd. website
• Dan Raywood, "WiFi is no longer a viable secure connection," SC Magazine, Oct. 10, 2008
• Davey Winder. "WiFi encryption cracked by Russians using Nvidia graphics cards," ITWire, Oct. 11, 2009
• Nvidia's site on applications developed for use on its graphics cards

• Email This
• Print
• Comments
• Trackbacks
• Share Link

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses."

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller fishing attacks, or some type of malware? Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Links:

• Keizer, Gregg, "Hacker Leaks Thousands of Hotmail passwords say site,"  Computerworld, October 5, 2006.
• Keizer, Gregg, "Gmail, Yahoo join Hotmail; passwords exposed," Computerworld, October 6, 2009.
• Keizer, Gregg, "Researcher refutes Microsoft's account of hijacked Hotmail passwords," Computerworld, October 7, 2009.
• Richmond, Riva, "More E-Mail Account Details Leaked Online," New York Times, October 6, 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses were found on a UNC School of computer server dating back to 2007 were found on the server.  The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach or where the attack originated from, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Links:

• Ferreri, Eric, "Hacker breaks into research study data," Charlotte Observer, September 29, 2009.
• "UNC says hacker got into fewer files than reported," The News & Observer, October 1, 2009.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained accessed the administrator's username and password, the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information.  According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of  "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note, that this database dwarfs the largest know data breach to date, which involved a mere 130 million records. One hopes that they have policies in place to prevent abuse.]  The records include:

• International travel records of citizens and foreigners
• Financial forms filed with the Treasury by banks and casinos
• 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
• 730 records from rental-car company Avis
• 165 credit card transaction histories from Sears
• Nearly 200 million records transferred from private data brokers such Accurint, Acxiom and Choicepoint
• 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed. Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the protect and has requested funding for 71 more.   Funding for the program has expanded from $47.5 million in 2007 to $78.7 million in 2008.  A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities.  In the wake of the September 11, 2001 attack, the U.S. government began development on a data mining project called "Total Information Awareness" or "TIA" which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity.  The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office was chiefly responsible for this project.  Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003. 

The current NSAC program makes it clear that the governments has not given up on efforts to use large-scale data mining in criminal investigations.  To many, however, the program implicate the same privacy concerns as TIA and should be subject to strict scrutiny and oversight.  In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking them to look into the NSAC project. One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlines the program's purpose and provides "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines.  According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information they planned to obtain.  In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting.  In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.

Links:

• Ryan Singel, "Newly Declassified Files Detail Massive FBI Data-Mining Project," WIRED Magazine (Sept. 23, 2009)
• The Federal Bureau of Investigation (FBI) and its page on the National Security Branch Analysis Center (NSAC
• 2007 letter (.pdf) from Congressmen Miller and Sennsenbrenner to the GAO requesting an investigation into the activities of the NSAC
• 2008 letter (.pdf) from Congressman Miller to the House Committee on Appropriations.
• EPIC's page on the "Total Information Awareness" Program

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG's Fort Lauderdale office to shred evidence of fraud. 

In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers was part of a fraudulent scheme.  Prosecutors obtained a temporary restraining order (.pdf) that expressly prohibited any attempt to destroy documents (among a litany of other bad behavior).  In the indictment filed against Raffanello (.pdf), federal prosecutors allege that on the day SFG received the SEC's complaint and court order, Raffanello and another executive corresponded by email and planned to hire a commercial shredding service to pay a visit to SFG 's office so they could unload a 95 gallon container of evidence.

Apparently, during their hurry to destroy the evidence, they did not manage to delete the emails discussing their plan.  This reminds me of something a friend once told me: if you are setting out to bury the truth, remember to bury the shovel too.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Yesterday, a federal indictment issued charging four individuals for their role in the "Rabid Neurosis" or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release.  According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS obtained and distributed a number of notable albums before they were released, including "Blue Print 2" by Jay-Z, "Encore" by Eminem and "How to Dismantle an Atomic Bomb" by U2. 

The indictment claims that Adil R. Cassim, who used the handle "Kali," was the leader of RNS, while Matthew D. Chow ("RL"), Bennie L. Glover ("ADEG") and Edward L. Mohan, II ("MistaEd") all played high-level roles in the group.  According to federal investigators, these individuals set up and maintained a number of file transfer sites containing thousands of copies of copyrighted music, movies, video games and commercial software.  The Department of Justice press release states that, if convicted, the RNS Four face five years of jail time and a $250,000 fine.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware.  The NCUA warned "Should you receive this package or a similar package DO NOT run the CDs."  The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union. 

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam.  When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants.  "I thought, 'Finally this is in the wild, because I've only seen it in pen tests before.'"

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Are you having trouble making sense of social networking sites like Twitter?  It may be because you are trying to read an encoded command to a malware-infected computer.  Security consultant Jose Nazario at Arbor Networks has discovered that popular social networking sites like Twitter and Jaiku are being used to control botnets, armies of computers that have infected with malware enabling the individual controlling the botnet to steal user information and direct the computers to attack others.  Botnet commanders often use IRC (Internet Relay Chat) messages to control the "slave" computers, but Nazario discovered encoded gibberish in a user's tweets and decoded them to find that the messages directed infected computers to download additional payloads of malware.  According to Nazario's post on the Arbor Networks blog, the original botnet commands appear to have been used to steal user information.

This raises a number of concerns for any website that permits users to generate content. In addition to copyright infringement and other abuse concerns, clearly this highlights another type of content that website administrators should be policing. Also, as companies and institutions begin to view particular websites as being involved in botnet infections, even inadvertently, system administrators may begin blocking access to these sites. As a result, this is a concern both for companies that maintain social networking sites, blogs and other user-generated content, as well as employers and other companies that provide access to those sites.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to a press release from the United States Attorney's Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history."  According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co.," and also hacked into two unidentified corporate victims.

Note that this is the same Albert Gonzalez that is awaiting trial for his role in the notable attack suffered by TJX that is now only the second largest known breach of its kind.

The indictment alleges that, between October 2006 and May 2008, Gonzales and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies.  They would then travel to retail stores of potential victims to identify point of sale terminals (checkout machines) and learn about potential vulnerabilities of those systems.  P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used.  According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack.  Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims' networks using various methods, including SQL injection attacks, which is a well-known attack that exploits security vulnerabilities between an online interface and the back-end customer database.

Once they had hacked into the computer networks, the conspirators placed malware on the victims' networks that enabled them to access the networks at a later date.  They would then find credit and debit card data and transmit it to servers they controlled.  At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators.  The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims' networks.  The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims' networks that could evade anti-virus software and would erase traces of the malware's presence on the networks.

Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater.  According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft. 

While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review information security measures.  While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing check out registers and visiting corporate websites.  [Editor's note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000, see FTC's enforcement action against Guess? and comments by the FTC's chief privacy officer. If your company has not hardened its website to these attacks, it may be assuming an undue risk.]  Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes.  Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.

Links:

• "Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and Debut Card Numbers Stolen", August 17, 2009 Press Release from New Jersey United States Attorney's Office
• Indictment Against Albert Gonzalez, Hacker 1 and Hacker 2

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft.  The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometime install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network. 

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network.  During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know."  As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California.  He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victim's names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work.  Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and instead shipped a box containing a book and a glass vase instead of a computer.  Working with Seattle Police, the victim set up a meeting with Wood and he was arrested.  Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General.  The Kings County Sherriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation. 

Wood pled guilty to violations of federal laws governing identity theft (18 U.S.C. sec. 1038(A)), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)).  He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities.  Among the many activies allegedly conducted through Real Host were the use of malware to steal banking credentials, SPAM email campaigns and the service provider was running command and control servers for the Zeus botnet (i.e., millions of infected computer slaves or "bots" used by cybercriminals to steal information and attack other computers).  The expert who linked Real Host to these activites and who goes by the pseudonym "Jart Armin," told Network World in an interview that Real Host may be "one of the top European centers of crap."  Armin's site, HostExploit.com, has published a report on the rogue ISP (requires registration) and even has an abstract video of the take-down occuring.

The take-down of rogue ISPs by upstream service providers has become more common in the United States with the removal of Atrivo and McColo, two service providers shut down at the end 2008.  Where service providers did not take action, the Federal Trade Commission filed suit in federal court in California in June of this year to remove the rogue ISP Pricewert/3FN.  The complaint filed by the FTC (.pdf) alleged that, in becoming an active participant in a range of cybercrimes, the ISP committed unfair or deceptive acts or practices in violation of the FTC Act, 15 U.S.C. sec. 45(a). (Note also that the temporary restraining order and preliminary injunction entered in that action not only shut down the ISP, but also ordered the seizure of assets and a number of other extraordinary protections.)

Links:

• HostExploit.com, and its report on Real Host (requires registration)
• Network World's story on the shut down of Real Host

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Speaking at the Black Hat computer security conference in Las Vegas only a few hours from now, hackers (or "security experts") Charlie Miller and Collin R. Mulliner are scheduled to expose an alleged security flaw in the Apple iPhone that may allow someone sending a single SMS message to take control of any iPhone.  According to a number of reports (note Forbes and AppleInsider), the exploit would allow a hacker to take control over all of the iPhone's functions.  This potentially could mean that a hacker could turn on the camera, microphone and GPS functions in your iPhone to record your activities, dial the phone or use your iPhone to infect others. 

Miller, who works as a security expert for Independent Security Evaluators, suggests that if you receive a text message with a single box-shaped character (e.g., "□"), turn the iPhone off immediately.  [I'm not sure what the advice would be after that, but maybe you could use a break from all those emails while Apple fixes this problem.]  Because the alleged flaw could allow someone to take over your friends' and family's iPhones, the next suspicious text message you receive might be from someone you know.

Miller apparently notified Apple of this flaw some weeks ago and, concerned that Apple has not released a patch, intends to force the issue by demonstrating the hack today.

Links:

• Apple
• Black Hat security conference
• Charlie Miller's firm, Indepdent Security Evaluators
• Collin Mulliner's website
• Forbes article, "How To Hijack 'Every iPhone In The World'"
• Apple Insider article, "SMS hack could leave "every" iPhone vulnerable"
• Computer World article on Miller's first presentation on the iPhone flaw at the SyScan conference

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Tuesday, Research In Motion, Ltd. (RIM), the maker of Blackberry, posted a note on its website confirming that a software update offered to customers of its carrier Etisalat in the United Arab Emirates contained spyware.  According to the note, certain customers received an SMS message from Etisalat informing them of a software update (named "Registration") designed to improve performance.  However, RIM acknowledged, "[i]ndependent sources have concluded that Etisalat's Registration software application is not actually designed to improve performance of a Blackberry Handheld, but rather to send received messages back to a central server."

According to RIM, the software was not RIM-authorized and was not developed, tested, promoted or distributed by RIM.  On July 17, RIM sent a more detailed note to customers explaining that "Etisalat appears to have distributed a telecommunications surveillance application that was designed and developed by SS8," which is a California company that describes itself as "a leader in communications intercept and a worldwide provider of regulatory compliant, electronic intercept and surveillance solutions."  RIM has offered a new update to remove the spyware. 

The incident was discovered after customers who installed the software began complaining that it was draining the batteries on their devices.  According to an article in PC World, SS8 has not responded to telephone calls seeking comment, while Etisalat has described the problem as a "slight technical fault" that "has resulted in reduced battery life in a very limited number of devices."  An article from Wired notes that a security consultant in Asia named Sheran A. Gunasekera has released a white paper analyzing the code that made up the spyware.  According to Mr. Gunasekera, the spyware could only intercept outgoing e-mail messages.  It could not intercept incoming messages (whether they be e-mails, instant messages, PIN messages, phone calls, etc.), nor could it silently update itself with newer releases. 

Although this version of spyware apparently affected a limited number of Blackberry users, that is no cause for comfort.  Mr. Gunasekera believes that the source code used for "Registration" could easily be modified, improved and used in the future on unsuspecting Blackberry users.  In a New York Times article, Internet security and privacy consult Richard M. Smith of Boston Software Forensics was quoted as stating that smart phones are "perfect personal spying devices" and that the threat is "an evolving one.  As the technology advances, the security problems follow behind."  Given the ever increasing security risks in the information security world, it is likely only a matter of time before there is another, much larger incident related to smartphone security. 

Links:

• Post on Blackberry's Website:  "App Remover for removing Etisalat's 'Registration' application on Blackberry smartphones"
• July 17, 2009 RIM Customer Statement Regarding Etisalat / SS8 Software
• SS8 Homepage
• Statement by Etisalat about the incident
• "RIM: UAE Carrier's Blackberry Update Was Spyware," by Robert McMillan, IDG News Service, PCWorld, July 21, 2009
• "Analyzing the SS8 Interceptor Application for the BlackBerry Handheld," by Sheran A. Gunasekera
• "Researcher: Blackberry Spyware Wasn't Ready For Primetime," by Kim Zetter, Wired, July 21, 2009
• "Blackberry Maker: UAE Partner's Update Was Spyware," by the Associated Press, found at the New York Times, July 22, 2009

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter's internal company documents.  The hacker, who goes by the handle "Hacker Croll," has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called "Final Tweet" and a February 2009 financial forecast.  Many wait to see what other documents will come to light while TechCruch negotiates with Twitter's lawyers.

Postings on the French website Korben.info claim that Hacker Croll obtained a list of employees, along with employees' credit card numbers, telephone numbers, meeting reports, time sheets, salary information, confidential Twitter contracts with Microsoft, Nokia, Samsung and other companies, as well as a list of celebrity  "High Profile Users." (an English translation of the French website is available here).

Twitter's Evan Williams stated "This had nothing to do with the security of twitter.com, and there were no user accounts compromised here."  This was reiterated in Biz Stone's post on the Twitter blog, appropriately entitled "Twitter, Even More Open Than We Wanted."  Stone notes "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords." 

This is not the first time that poor password security has led to a noteworthy breach (see WIRED Magazine's account of how one hacker used publicly available information to hack into Sarah Palin's email).  This may serve as a good reminder to many of us that we may want to take the time to change our passwords today (and select a combination with at least 6 characters, at least one capital letter and at least one number).

Links:

• TechCrunch's report and follow up posts on Final Tweet and Twitter's financial projections
• Twitter Blog Post, "Twitter, Even More Open Than We Wanted"

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 3, 2009, FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server. 

According to the criminal complaint and supporting affidavit (.pdf) filed in the federal court for the Southern District of New York, Aleynikov was part of the team that developed a high-speed, automated trading system for Goldman Sachs.  He resigned and left the company on June 5th, but federal prosecutors allege that in his last four days of work, Aleynikov encrypted and transferred 32 megabytes of source code relating to the automated trading system from Goldman's servers in New Jersey to a privately run document server in Germany.

Below we detail some of the evidence behind the arrest - evidence that demonstrates why adequate workplace monitoring and an appropriate response plan is key in protecting proprietary information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This week, the U.S. Attorney's Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital's computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

McGraw had given his one week notice to hospital security contractor, United Protective Services, and was scheduled to depart on July 3, 2009.  His intrusion into hospital systems was allegedly made in preparation for a larger attack on July 4th, a day he referred to as "Devil's Day."  The story behind the arrest is laid out in the criminal complaint and supporting affidavit filed in federal court (.pdf); however, a number of other details have emerged over time that demonstrate how vulnerable many institutions may be to insiders.

• Email This
• Print
• Comments (5)
• Trackbacks
• Share Link