Saturday, December 15, 2007

"Entrapment" Meets "Ocean's Seven"

Before I start this post, let me make one thing clear: I hate terrorists. I think terrorists and criminals that actively plan to reduce the quality of our lives and destroy things precious to other people are the lousiest creatures on the planet.

Now that this is understood, let's discuss the Miami Seven, aka "Ocean's Seven".

That group of supposed would-be terrorists was handed a combination of acquittals and mistrials yesterday by a jury of their peers, after defense lawyers were able to suggest that, absent the presence of government agents, there is reasonable doubt that any crime worthy of prosecution would ever have taken place.

Maybe it's the fact that this is taking place just an hour away, but this case has concerned me from the start. This is Ocean's Seven played by seven hapless saps, with a government stooge standing in for Andy Garcia.

As Albert Levin summed up for the defense:

"The entire situation was concocted by the government. The warehouse was paid for by the FBI, and the defendants moved their operations there at the suggestion of an undercover informant who was also paid by the FBI. The [Al-Qaeda] swearing-in ceremony was led by the informant — who at another point also suggested a plan to bomb FBI offices in Miami. The case was written, produced and directed by the FBI."

Now I'm a big fan of the FBI and I'm extremely thankful that these guys exist. But when I extrapolate this case into the world that I work in - Internet crime - what emerges is a really lousy picture.

Imagine for a moment that the government decides Internet crime needs to be "managed" the same way - by embedding agents and encouraging criminal activity.

In this scenario, the government agent rents an office, recruits computer programmers, moves them into cubicles, gives them PCs, connects them to a network, trains them, guides them, and then encourages them to develop a bunch of malware and unleash a sophisticated criminal action against consumers.

At which point they become criminals.

Assuming the FBI guy is the smartest guy in the room (and a natural leader, whom people feel compelled to follow), should the hired programmers be considered "criminals" or "feckless* pawns"?

As much as I hate terrorists, I hate "fake crime" so much more. Albert Levin made the right summation for the defense. Jeffrey Agron, foreman, and the rest of the jury in Miami, made the right call, regardless of the potential any of these individuals may have had for evil.

Inducing criminals to conduct a crime is the wrong way to reduce terror and the absolutely worst way to run a police force.

The FBI can serve us better by reporting on crime and prosecuting criminals, rather than encouraging the progress of would-be criminals.

Contrary to prosecutor Jacqueline Arango's statement, in which she said "The government need not wait until buildings come down or people get shot to prove people are terrorists" - I'm sorry, but you really do need to wait.

Because a lot of the time, when people say they plan to do something, they don't. Not without a strong leader. The FBI should leave the big talkers underfunded and discouraged - that's the best way to fight crime.

*My thanks to Doug Brunt and Megan Kelly for their introduction to the word "feckless" earlier this evening. "Feckless" (i.e. feeble and/or ineffective) describes this group of would-be criminals precisely.

Sunday, December 9, 2007

How To Turn Off Facebook Beacon

Facebook CEO Mark Zuckerberg reacted to angry users this week by issuing a public apology and adding a privacy control web page for Facebook users.


Checking "Don't allow any websites to send stories to my profile" turns off Facebook Beacon and your purchasing choices (i.e. "John Sharp just rented Pride and Prejudice at Blockbuster") will no longer be published to your friends' News Feeds.

This is a welcome step, but it didn't need to be this way. All Facebook needed to do was take a step to the other side of the table and "think user".

It isn't that hard. Take this user posting from "Adam" in the comments section of the recent NY Times article on Beacon.

In less than a hundred words, he provides an articulate and sensible accounting of all the necessary UI components Beacon would require to be acceptable. Here's a sample of some good "think user" thinking:

Had Facebook included a global opt-out option at the beginning, the outcry would have likely been muted. Coupled with an opt-in-by-item with a STRAIGHTFORWARD yes/no, Facebook users would have been happy, privacy advocates would have been happy, and so on.

I mean, something like this:
“Would you like to let your Facebook friends know that you just bought [x] from [y]?
_ YES, SHARE. List this in my friends’ newsfeeds.
_ NO, DON’T SHARE. Keep this private.

NOTE: You can click on PRIVACY in Facebook to set a default for this feature.”

Adam, maybe they should give you Chris Kelly's job.

Facebook isn't out of the woods yet. There is still the question of what happens to user data provided by the user.

In Zuckerberg's recent blog/apology, there was no mention of any changes to their method of dealing with user data, and no clarification as to whether or not the personal data provided by the user is deleted immediately, rather than "stored, then deleted".

In a recent statement released by Facebook to Stefan Berteau, senior spyware research engineer with (Authentium partner) CA, Facebook says user data is always sent to Facebook ("in order for Facebook to operate technologically"), but that data will be deleted from its servers, once they receive the news that the user has opted out.

"When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks "No, thanks" on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well."

I look forward to seeing Berteau's follow-up Wireshark capture logs and analysis. It would be nice to find out that Facebook has kept its word on the changes.

Note: Facebook users, here's that link again.

Saturday, December 8, 2007

Man Loses $20,000, eBay Says "Not Our Problem"

Shaqir Duraj appears to have become the latest person to lose money to an eBay fraud.

CBC News reports that Duraj, a Calgary bakery owner, lost $20,000 last Thursday, after purchasing a car at a site that he thought was eBay Motors. The sale later turned out to be a hoax.

This sounds like a replay of that incident - in which a US-based eBay customer lost over eight thousand dollars when she purchased a fictional Jeep Cherokee via a fake "eBay Motors" site that was downloaded onto her computer by the BayRob Trojan.

eBay has obviously decided what its strategy is going to be regarding customers who get taken by elaborate electronic scams that use the eBay brand - blame it on the Internet.

In fact, after hearing about the $20,000 theft, Erin Sufrin, Public Relations Manager at eBay's Canadian subsidiary, told Canada's CBC News, "That's an internet problem, not an eBay problem."

She went on to offer the following advice:

"Spoofing and phishing is something that we're all a victim of and that we try very hard to combat — trying again to get that education out. Never click on — if you think it's a fake eBay, or a fake PayPal or a fake anything site, report it."

Ms. Sufrin added, "eBay is working with the RCMP to get help for customers scammed out of large amounts of money."

According to the CBC News web site, this contradicted a Royal Canadian Mounted Police fraud investigator who told CBC News no one from eBay had returned his calls.

Am I the only one who thinks eBay customers deserve better?

Note: eBay *only* covers frauds up to $20,000 that take place on the eBay Motors site. Frauds that take place outside of the eBay environment (regardless of whether or not you thought you were inside the "real" eBay environment at the time) are *not* covered by the terms and conditions listed on the eBay Motors site, specifically:

"The eBay Motors Vehicle Purchase Protection (VPP) program provides protection of up to $20,000 against certain losses associated with some types of fraud. You are automatically enrolled in the program at no charge when you complete the purchase of an eligible vehicle on the eBay Motors site (motors.ebay.com)."

Update 1: On Thursday, PR Manager Erin Sufrin added some new details, saying that the scam involved a BMW and a hijacked high-rated seller account (not a downloaded BayRob version of eBay Motors). She added that a "warning" was sent to Duraj.

Further Q's for Ms. Sufrin: Was the warning sent by eBay-branded email? If so, should Duraj (the buyer) have assumed the email to be a hoax email? Or should he have assumed it to be real? Also, isn't it reasonable to assume that payment instructions from a seller with a 98% (high) reputation should be trusted?

"Cyber Attackers" are Looking for PII, Not Nukes

The headlines keep coming about the news that several high-profile military labs - including some of the world's leading nuclear research labs - have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.


Example: In one story published today, PC World claims that Chinese Hackers "launched" a coordinated "major attack" on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

Case in point: The "FTC" phishing scam, cited by ORNL reps. As I blogged yesterday, this scam has been around for months, and is extremely widespread. In fact, Authentium's malware lab analysts first reported this scam in March.

The scam typically targets the capture of PII (Personally Identifiable Information) - such as the data that appears to have been stolen from the Oak Ridge Labs visitor database.

Need more evidence for the theory these are phishing scams, rather than coordinated, military-style attacks?

According to a link on the PC World web page hosting this article, those very same "Chinese hackers" are also hard at work "attacking" major oil companies and manufacturers of jet engines (check out the above link in the posted image under "Related Content", entitled "Chinese Hackers Accused of Attacking Shell, Rolls-Royce").

Does anyone really think there is a coordinated attack going on right now against the US Military, Rolls-Royce, Shell Oil - and consumers?

Folks, the real story is, in some ways, far more scary than the one being reported by PC World.

It would appear, unfortunately, that we now have evidence that really smart people fall for phishing scams too - and sometimes those smart people happen to have a large database on their network filled with the personal information of other really smart people.

And sometimes, databases filled with nuclear secrets.

Update: To Steve B's point, these DBs *are* air-gapped, but physical separation is only successful if policies are adhered to - see comments below.

Let me repeat what I said yesterday: the technology exists to stop these kinds of attacks. And some of that technology can be used in really simple ways.

Firewalls and email servers, when configured correctly and used in conjunction with robust filtering technologies and/or services located either in the DMZ or inside a secure MSSP data center, can provide a useful first-level defense.

Note: One additional approach used by some IT administrators at ISPs and businesses is the wholesale blocking of IP addresses, or super-blocks, based on the country or region originating the email.

You need to be careful when taking this approach - for example, Australia and China share the same registry (APNIC). But as an additional defense mechanism, it probably should be on this list for consideration.

Which of course leads to the obvious (political) question: Do folks that work at sensitive places like Los Alamos or the Oak Ridge National Laboratory *really* need to be able to receive email from China?
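The "super-block" approach above, and its APNIC pitfall, as an added illustration (my own example, not code from Authentium or from any product named on the page). The allocation table and the SMTP connection log are constructed from documentation and private address ranges; they are not real registry data.

```python
"""Country- vs registry-level blocking of inbound SMTP sources.

Added example, not code from the original post. The allocation table
below is CONSTRUCTED from documentation ranges (RFC 5737) and a private
range; real APNIC/ARIN/RIPE data would come from the RIR delegation files.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    network: ipaddress.IPv4Network
    registry: str   # RIR that delegated the block
    country: str    # country code the RIR recorded for it


# Constructed table. AU and CN both sit under APNIC, which is exactly the
# pitfall the post warns about: blocking "the registry" blocks both.
ALLOCATIONS = [
    Allocation(ipaddress.ip_network("203.0.113.0/24"), "APNIC", "AU"),
    Allocation(ipaddress.ip_network("198.51.100.0/24"), "APNIC", "CN"),
    Allocation(ipaddress.ip_network("192.0.2.0/24"), "ARIN", "US"),
]


def lookup(ip: str):
    """Longest-prefix match of an address against the allocation table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for alloc in ALLOCATIONS:
        if addr in alloc.network and (
            best is None or alloc.network.prefixlen > best.network.prefixlen
        ):
            best = alloc
    return best


def decide(ip: str, blocked_countries=(), blocked_registries=()):
    """Return (verdict, reason) where verdict is accept/reject/unknown."""
    alloc = lookup(ip)
    if alloc is None:
        return ("unknown", "no allocation on file")
    if alloc.registry in blocked_registries:
        return ("reject", f"registry {alloc.registry} blocked")
    if alloc.country in blocked_countries:
        return ("reject", f"country {alloc.country} blocked")
    return ("accept", f"{alloc.country} via {alloc.registry}")


# Constructed SMTP connection log lines (format is made up for the example)
LOG = """\
2007-12-08T10:01:12 connect from [203.0.113.17] helo=mail.example.au
2007-12-08T10:02:45 connect from [198.51.100.9] helo=smtp.example.cn
2007-12-08T10:03:01 connect from [192.0.2.44] helo=mx.example.com
2007-12-08T10:04:30 connect from [10.9.8.7] helo=internal
"""

CONNECT_RE = re.compile(r"connect from \[(\d+\.\d+\.\d+\.\d+)\]")


def apply_policy(log: str, **policy):
    """Map each connecting IP in the log to the policy verdict."""
    verdicts = {}
    for line in log.splitlines():
        match = CONNECT_RE.search(line)
        if match:
            verdicts[match.group(1)] = decide(match.group(1), **policy)[0]
    return verdicts


if __name__ == "__main__":
    # Registry-level block: the Australian sender is rejected along with CN.
    print(apply_policy(LOG, blocked_registries=("APNIC",)))
    # Country-level block: only the CN source is rejected.
    print(apply_policy(LOG, blocked_countries=("CN",)))
```

Running the two policies side by side shows why the block list must be built from per-country delegations rather than from a whole registry.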

Friday, December 7, 2007

Phishing Attacks Fool 1% of Nuclear Scientists

The Secretary of the Department of Homeland Security, Michael Chertoff, announced today that IT systems at the Oak Ridge National Laboratory have been compromised by phishing.


Secretary Chertoff confirmed the attacks Friday and added:

"Thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate."

A DHS spokesperson further confirmed:

"... the hackers potentially succeeded in gaining access to one of the laboratory's non-classified databases that contained personal information of visitors to the laboratory between 1990 and 2004.... the personal information at risk includes names, dates of birth and Social Security numbers of the visitors..."

According to ABC News, one of the phishing e-mails appeared to be an announcement for a scientific conference; the other claimed to be a notice of a complaint on behalf of the Federal Trade Commission.

The internal investigation of ORNL, which is ongoing, has so far found that approximately 11 employees out of 1100 targeted "took the bait" and opened the e-mail attachments, "which enabled the hackers to infiltrate the system and remove data."

In other words, phishers scored a hit rate of 1% against employees at one of the world's leading nuclear research facilities.

Let's discuss. First of all, if the target is a consumer, any form of well-crafted phishing attack, such as the recent FTC letter scam, can be called "sophisticated." Consumers are typically not well protected and do not have large IT budgets and enterprise-class filtering systems at their disposal.

However, if you're a four-thousand person enterprise like ORNL, this attack is inexcusable.

Secure Computing, Postini (Google), Microsoft, WebSense, MessageLabs - there are literally hundreds of ISVs and service providers out there, many of whom partner with Authentium, that are highly capable of providing extremely robust, and affordable, email filtering services that can and will prevent these emails getting to in-boxes inside sensitive government facilities.

And then there are emerging technologies such as Raytheon SureView that enable recording, rapid response, and treatment of behavior contrary to an enterprise's security policy, such as clicking on attachments in emails.

Authentium to ORNL: these phishing attacks were "consumer-grade" attacks. Technology exists to stop them. There is no excuse for allowing these attacks to occur within the walls of one of the world's leading scientific facilities.

Note: If you have visited ORNL within the last five years, you should probably give them a call and find out if your data was housed in the database that was compromised. You can do this by contacting ORNL Visitor Services at 865.574.7199.

Wednesday, December 5, 2007

EV Certs Don't Stop Phishing

Earlier this year, Netcraft published a survey that showed there were more than 600,000 "secure sites" capable of hosting an SSL session on the web.


To quote Netcraft, "The first survey, in November 1996, found just 3,283 sites; since then, the number of SSL sites has had an average compound growth of 65% per annum."

As an indicator of commercial activity, I think this is a useful survey. If you accept the premise that mergers and acquisitions lead to fewer new certificates being issued, then the growth in e-commerce may actually be in excess of 65% annually.

Which brings me to the biggest potential failure on the SSL roadmap to date: EV Certs.

The recent launch of EV (Extended Validation) merchant certificates by Microsoft, Verisign and others has not exactly set the world on fire. By May this year - the last time data on EVs was published by Netcraft - the total number of EV certs being utilized by Internet merchants was just 700, or 0.1% of the total.

There's a good reason for this: EV certificates don't work.

They don't stop phishing, they don't communicate well to users, they do away with the SSL padlock, and the whole thing is so easily spoofed, it may as well not be there.

You don't have to take my word for it - there is a scientific study available, conducted by Stanford University and Microsoft Research, that backs this up.

The findings of the analysis were unequivocal: users paid zero attention to the green background applied to the address bar by the EV cert:

"We presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group."

The results improved slightly after a reading of the IE Help File, but then the group uncovered a second problem - the EV-powered address bar can be spoofed very easily, essentially rendering any investment in education, or pushing people to read the manual, completely valueless:

"Like its predecessor, the lock icon, extended validation is vulnerable to picture-in-picture user interface spoofing attacks. We found these attacks to be as effective as homograph attacks, the best known phishing attack."

They are absolutely right on this count. As our Chief Scientist, Helmuth Freericks, has previously warned, creating a spoofed version of this attack is rather trivial.

So how can consumers get their hands on real security? Obviously, there is a real need for innovation. At Authentium, we have spent three years designing a secure Internet browsing environment that does away with the need for UI gimmicks. In other words, we've followed the advice of Stanford and Microsoft researchers:

"Designing a user interface that resists both homograph and picture-in-picture attacks should be a high priority for designers of future browsers."

That's what our guys have done. To take a look, click here, or take a look at Corey's video about VERO and VirtualATM in the right-hand column.

Tuesday, December 4, 2007

IC3 Internet Crime Complaint Form Rates An A+

Earlier in the year I published a post about the Federal Trade Commission's Identity Theft Complaint Form.


At the time, I believed the FTC asked for way too much information, and risked becoming a serious secondary contributor to identity theft.

Unfortunately, nothing much has changed - as you can see from the above image, the FTC form still exposes way too much user information to any key-loggers and screen-scrapers running on your PC.

This is why I was very glad to find that the FBI have taken a different, and in my view far more sensible approach to logging reports regarding Internet crime.

There are two things I particularly like about the FBI site. The first is that it places emphasis on engaging with local law enforcement offices about the crime, including establishing a process for isolating who you need to talk to, and how you should contact them.

The second thing I like about this form is that it doesn't collect too much personal information to be a threat in and of itself. Only the reporter's name and address is captured. The rest of the data collection schema is clearly focused on collecting information designed to help resolve the crime, rather than information that could potentially further compromise the victim.

Authentium says: the FBI and their Internet Crime group deserve an "A+" for this service, and the design of the IC3 form. If you find yourself the victim of an Internet crime, and don't know what your next steps should be, this is potentially a very good first step.

Sunday, December 2, 2007

Coming Soon to Second Life: FBI Field Office

Second Life, the popular "virtual world" created and operated by Linden Labs, is certainly proving to be on the cutting edge of real/virtual legal issues.


First, back in May, German police launched an investigation into alleged inworld child pornography (this investigation ultimately seems to have subsided in the wake of the recently-announced deal between Linden Labs and Washington DC-based age-verification company, Aristotle).

Then ten days ago, virtual thieves stole at least US$11,500 in *real money* from avatar-customers of virtual banks located inside Second Life.

According to Nobody Fugazi, an avatar/commentator who runs a Second Life fan site called your2ndplace.com, the hacked Second Life banks included L&L Bank and Trust, SL Investor's Bank, Giovinazzo Choice Investments, Whitfield Holdings/Royal Invest and SL Business Bank.

L&L Bank and Trust has admitted they lost $11,000. Nobody Fugazi was quoted on Massively.com as saying he believed SL Investor's Bank did not suffer any losses.

When the news broke, users, who spend about US$1.5mm in real money every day in Second Life, were understandably upset (one blogged that "the sky ripped apart" when he found out the theft had happened). Second Life citizen "Gr1zz" left this response, not untypical, at Massively.com:

"I have alwase felt virtural property IS PERSIONAL PROPERTY! Wether you work long and hard for in game credits, or purchase them with real dollars, its damaging when you loose it. "

Spelling mistakes aside, this comment raises some interesting questions about Second Life, the nature of its assets, how its citizens feel about those assets, the duty Second Life has to protect their value, and the whole idea that an entire economy and banking environment based on the US$ should be allowed to exist, regulation-free.

$11,000, the "real" amount publicly acknowledged as lost by L&L Bank and Trust, would probably not normally be a large-enough amount for the FBI to get involved, but if they don't get involved, what is going to happen when things get serious?

Authentium says: the FBI should consider treating these virtual heists as real crimes, so we're ready and prepared when the first large-scale virtual heist happens inworld, which may be for a considerable amount more Linden dollars than the heists two weeks ago.

Note: Anyone wishing to peer inside the mind of a Second Life bank should venture here for an informative read, courtesy of the SL Investor's Bank blog.

Note: The chart above is courtesy of the Reuters inworld Second Life news office. To see the live updating Linden dollars vs. USD conversion and daily spending widgets, click here.

Saturday, December 1, 2007

FaceBook's CPO Should Step Down

Facebook announced this morning that they are in the process of modifying Beacon, their advertising service, so your shopping decisions will no longer be broadcast to your friends on Facebook, and your privacy re-respected.


This is a step in the right direction - and a big win for MoveOn.org and Internet activism. But Facebook's Chief Privacy Officer, Chris Kelly, should never have allowed Beacon to become a "consumer purchase broadcasting system" in the first place.

Try this simple test. Imagine you're at your local supermarket. You've finished shopping and you're placing stuff on the conveyor belt at the checkout counter, when suddenly the checkout clerk grabs a microphone and starts reading out the labels on your choices, item by item, broadcasting this information to every other person in the store.

Here's what your neighbors get to hear: Your food choices - including the items you just purchased for your special needs diabetic child. Your personal hygiene buying decisions. Your choice of magazines. Your alcohol and tobacco purchases. The flowers you just bought - hey, where is your wife? Are they really for her?

For a company that produces some pretty cool software, Beacon is about as uncool as it gets. Though there exist some obvious legal limits as to what can be broadcast - pharmaceutical or birth control purchases, medical treatments, insurance - there are still plenty of purchasing decisions that many of us would prefer remain private.

Example - the Facebook-Fandango link. I doubt that many people really want *all* of their friends knowing *all* of their content choices...

Everyone understands that Facebook needs to make money in order to keep operating. No reasonable person would deny that advertising is the right business model. But Beacon was really a step too far.

Everyone knows - and most people accept - that when you search on one of the major search engines, your actions will be tracked and recorded and added to a profile. Most people also understand that this purchasing data, like the data generated every time you shop at the supermarket, is an increasingly necessary part of business.

Without it, businesses cannot run as efficiently, or meet the needs of their customers as effectively, which ultimately means less productivity and higher pricing. That said, there is no precedent I can think of for the broadcasting of consumer purchasing choices to other consumers, either in the real world, or on the Internet.

This is the second high-profile, privacy-related incident faced by Facebook in less than a year. Authentium says: Facebook's CPO, Chris Kelly, needs to stop thinking about the bottom line and focus 100% on keeping personal information private - or he should step down and allow someone else to come in with a stronger consumer privacy focus.

In the event that you think I'm being a little harsh, Mr. Kelly had a chance to jump on the side of the consumer two days ago at the Commonwealth Club, but he presented himself as a Facebook executive first, and a consumer privacy advocate second.

Image from moveon.org.