Security Views

Eugene Schultz, Editor-in-Chief

Hackers access state database containing personnel data

Attackers have broken into state of California computers that house the state’s personnel database and have gleaned financial data on 265 000 state employees. This database contains names, social security numbers, payroll data, and other personal information about the employees. During what was called a “routine security check” on 7 May, someone noticed that perpetrators had gained unauthorized access to the compromised systems. Steve Maviglio, a spokesman for the California governor’s office, claimed that the incident did not constitute a significant problem as far as security is concerned. He said: "This happens to thousands of computers worldwide, it's not isolated to the state. We have strong protections but hackers are able to figure ways around it. From all initial reports, it looks like we might have nipped this in the bud.... We did all we could to prevent this and we'll do all we can to prevent any adverse consequence." The data operations manager at the computing center where the breach occurred said that the problem that led to the unauthorized database access has now been fixed. So far no suspect has been named, but the FBI has claimed to have traced the attacker to the state of Massachusetts.

I suppose that nobody is startled that yet another security-related incident of this magnitude has occurred. After all, according to a spokesperson for the California governor’s office, these kinds of things happen all the time. My impression of how the state of California handles information security has, however, taken a nosedive. First, notice that there was more than a one-month gap between the time the break-in actually occurred and the time it was first noticed. Why did all this time transpire? How can an incident be controlled when it takes over a month to discover it in the first place? Second, there appeared to be little concern for the well-being of state employees, of which I happen to be one, who could very well be victimized as the result of personal information about them being compromised. The employees were apparently contacted two weeks later. Was the state of California acting responsibly in waiting this long? Third, saying that break-ins occur all the time is not necessarily truthful, nor is it an acceptable excuse for having poor security. Many organizations, usually ones with adequate information security programs, hardly ever experience break-ins (even though there may be a plethora of attempted break-ins). Pointing out that others experience break-ins is at best a cover-up. Finally, the fact that the spokesperson neglected any mention of taking responsibility for securing systems shows what is wrong here in the first place. All this shows just how badly legislation such as Germany’s Datenschutz Law needs to be put in place in the US to protect personal data.

Hacking challenge goes awry

Details about a bizarre series of events related to a hacker challenge surfaced recently. Korea Digital Works (KDWorks) issued a challenge in which contestants were incentivized to attack a Web server. KDWorks offered a prize of $100 000 to the first person who succeeded in doing so, but if no one succeeded, the company told prospective contestants that a lesser amount would be split among the five contestants who did best, i.e., displayed the most outstanding hacking techniques. Contestants were given 48 hours to accomplish this feat. Sources indicate that the contest actually extended to one month and the prize money shrank to $1250 for each outstanding competitor. One person who was judged to be an outstanding contestant started to question the nature of the contest when he was asked for details regarding how to make deposits into his banking account. Meanwhile, two hackers posted information on the hackers.com website claiming that they broke into the server in which information concerning the contestants was held with few difficulties. They also posted a large portion of their attack technique and then claimed that they had notified the contestants of their feat via email. The hackers added that the target server was an unrealistic target anyway, given that KDWorks had disabled just about every service and application on that system, something that would not be very likely to be true of real-life servers. KDWorks replied that the server the hackers compromised was only a honey pot server that resided within the system that housed the target Web server. The purpose of the honey pot, according to KDWorks, was to trace the origin of any attacks and to analyze everything that the attackers did. No attacker was smart enough to figure out that the honey pot was not a real server, according to this company, and KDWorks furthermore claimed that the information gleaned from it was false information anyway. KDWorks then defended the integrity of its hacker challenge by saying that academics and professional technical staff were invited to supervise the competition, and that the event was sponsored by credible professional organizations that included the IT Professionals Association of Korea, the Korea Information Processing Society, and the Korea ISP Association.

What a fiasco! Nobody but perhaps a few people from KDWorks knows exactly what really happened here, but it is difficult to deny that this contest was thoroughly bungled. Certainly the ethics of how this ‘hacking contest’ was run (including the unexpected change in the amount of the monetary awards and the lack of stated concern over the secrecy of personal information provided by contestants) are to be seriously questioned. But there is another important issue here, too, namely the wisdom of issuing hacker challenges in the first place. In a hacker challenge some individuals or an organization challenge the hacker community to break the security of something, perhaps a server or an application or a network device. In most such challenges of which I am aware, the hackers have not succeeded, thus ostensibly attesting to the strength of the security of whatever was tested. Some professionals such as Donn Parker have questioned the wisdom of hacker challenges on the basis that they give undeserved credibility to the ‘black hat’ community and provide incentive for prospective and current hackers to engage in this activity. I agree, but I’d go even farther in saying that almost all hacker challenges are anything but scientifically valid anyway. In one that transpired in Las Vegas, Nevada not too long ago, a number of participants vehemently protested that there was no network route from the terminals to the target system that the ‘hackers’ could use — i.e., that it was impossible to attack the target system in the first place. Additionally, I hate to give credit to those who engage in unauthorized access, but the two hackers in this particular news item have at least made a very valid point — that using very artificial and limited conditions does not provide a valid test of whatever product or application is being tested via hacking. And after seriously tarnishing its public image, KDWorks, for one, is likely never again to sponsor such a contest. I’d also bet that the sponsors will be quite a bit more reluctant to sponsor an event of this nature again.

Identity fraud affects Ford Motor Credit customers

Ford Motor Credit Company recently sent a letter warning 13 000 individuals of an identity fraud scam. A group of perpetrators posed as Ford employees to steal an authorization code that would permit them to obtain confidential customer identification information from a database used by the credit reporting agency Experian. Ford Credit contacted Experian in February after receiving notice of an unauthorized credit check. The perpetrators had attempted to make the credit check appear as though it came from Ford Credit. After Ford Credit notified Experian, the FBI was contacted and is reportedly investigating the identity fraud. In the warning letter Ford Credit sent, victims were encouraged to obtain and review a credit report to ascertain whether there had been any unauthorized credit inquiries.

This incident once again shows that cybercrime comes in many varieties. Being able to spot and resist attacks such as the one against Ford requires strong authentication as well as a good personnel security program. Some organizations use strong authentication methods, but except for clandestine government agencies and the military, most organizations lamentably overlook the personnel side of information security. In many organizations, for example, personnel checks are seldom performed outside of the initial employment screening process. Clearly there is room for improvement here. Meanwhile, Ford is to be commended for at least showing enough concern to promptly notify those who could potentially be harmed by this incident.

AOL plans to release an encrypted version of AIM

America Online has announced plans to begin beta testing an encrypted version of its instant messenger client, AIM. The encrypted IM client is targeted at enterprises and will be called ‘Enterprise AIM’. An America Online spokesperson, Marty Gordon, claims that 20-25% of those using AIM are corporate users who use the tool as a quick way to communicate with co-workers as well as with clients. As many companies are implementing security policies, Gordon says that America Online is attempting to meet its customers’ needs by making the IM client more secure. Verisign will provide the cryptographic capabilities and AOL will deliver the encrypted technology through its network. AOL also plans to add logging and archiving functionality in the future to help organizations better manage the IM client.

Mail encryption is, unfortunately, an all too often overlooked area of information security, but confidentiality in instant messaging has been even more neglected. Instant messaging is in many ways like speed chess — each party effectively has a limited amount of time for each action, in this case responding to what someone else has written. The potential for inadvertent compromise of intellectual property, personal data, and so forth is thus even higher than with conventional email. It is therefore encouraging to see that AOL has recognized the need for encryption in AIM and is moving ahead to deliver this capability.

Microsoft views and statements stir more controversy

In its latest defense against anti-trust sanctions imposed by the US Department of Justice, Microsoft claimed that dividing the company into several smaller competing entities would decrease overall product security. Microsoft attorneys argued that more people would have access to its highly confidential source code, increasing the risk of attackers obtaining the code, analyzing it for vulnerabilities, and then exploiting those vulnerabilities to compromise its customers’ systems. The open source approach to software thus puts companies at risk, according to Microsoft, and will cause much more harm from security breaches than good. Others are labeling Microsoft’s latest defense a “desperation plea”. Other reports claim that Microsoft is vigorously lobbying the US Department of Defense (DoD) to suppress its increasing use of open source software. Microsoft has allegedly contacted high-level management within the Defense Information Systems Agency (DISA) and the Office of Defense Secretary Donald H. Rumsfeld to argue that open source software threatens security and intellectual property rights. In the meantime, a recent DoD report claimed that the open source approach produces software that is more secure and less expensive. The MITRE Corporation agreed, saying that open source software plays a critical role within DoD, and that banning it would have extremely adverse effects upon the DoD. Microsoft responded by saying that it had not actually lobbied against open source software in the first place.

My view of Microsoft improved considerably after Bill Gates announced the Trustworthy Computing Initiative (TCI) several months ago. There has in fact been ample evidence that many things at Microsoft have changed as a result of the TCI. But now Microsoft appears to be back to its old ways. The current controversy centers around open source software. Microsoft’s logic can be summarized as follows: splitting Microsoft into smaller companies would force it to produce open source software, open source software is antithetical to security, and therefore Microsoft should not be split. Hopefully, the US Government is smart enough to avoid succumbing to this kind of specious logic.

Email hoaxes and fraud continue

An email hoax is circulating that falsely warns recipients to delete their Java Debugger Manager file, jdbgmgr.exe, because it is allegedly a virus. The widely circulated hoax message explains that the jdbgmgr.exe file spreads to all contacts in the address book and then damages the PC after sitting quietly for 14 days. It then tells the victims to send the message to everyone they know. Symantec reported the hoax after receiving a high volume of inquiries about the message. Many of those who called Symantec had already deleted the file, thinking that they had eradicated a virus. They were then instructed how to reinstall the file. Symantec typically learns of one email hoax a week, which pales in comparison to the 10-20 new bona fide viruses that surface during the week. Email hoaxes spread quickly and are typically translated into many languages. A senior researcher at Symantec has stated that he suspects that the writer of this particular message has a non-technical background; otherwise this person would have actually created a virus. Another widely distributed hoax takes the form of a message purported to contain an immunity solution for the deadly Klez.E virus. The alleged immunity solution is really a variant of the Klez virus; users who download the attachment infect their systems. Meanwhile, South African police arrested six individuals suspected of being involved in the ‘Nigerian email’ and letter fraud. The international scam, also referred to as the ‘West African advanced fee fraud’ or ‘419 fraud’, entailed sending out thousands of emails and letters informing victims that they were to receive a large amount of money and could currently collect a percentage of it. To allow the cash to be deposited into the recipient’s bank account, the victim had to pay an ‘advanced fee’. The advanced fees, which were immediately pocketed by the fraudsters, were said to cover administrative or banking costs. Often the scam letters said the money was to come from the government or life insurance agencies. Of the six men arrested, four were Nigerian, one was Cameroonian, and one was South African. Police believe the group is also involved in an international drug-dealing cartel, as a large quantity of drugs, computers, and false identification papers were confiscated from their bungalows. Although the number of people who have fallen victim to the fraud cannot be determined, officials believe it yielded well over the equivalent of $150 million from victims. Often victims do not report losses in scams such as the Nigerian email fraud because of embarrassment or not knowing whom to contact. International authorities are still investigating the damages.

We’ve seen hoaxes related to alleged bugs in SunOS, the ‘Good Times Virus’, the ‘West African money transfer’ fraud, and even the alleged hoax proclaiming the intention of Bill Gates to pay nearly $250 for every user to whom a certain chain letter message is distributed. The jdbgmgr.exe hoax has circulated widely, yet (fortunately) it has not produced the kind of devastating results that previous hoaxes have. Deleting jdbgmgr.exe will at most interfere with execution of Java code. Many unsuspecting users have, however, fared worse. Some have, for instance, sent cash in response to a hoax message. Others have deleted critical system files such as sulfnbk.exe in Windows 98 and similar systems in response to hoax messages. The number of users who have downloaded the so-called Klez.E immunity solution is also discouraging. Hoaxes are, unfortunately, a ‘fact of life’ on the Internet. I, for one, do not think that websites for hoax prevention are very effective; the average user is not likely to discover such sites in the first place. Educating users about hoaxes is indeed one of the most challenging tasks confronting information security professionals. There are no easy solutions here. Meanwhile, it is at least comforting to learn that the alleged perpetrators of the ‘West African money transfer’ fraud have been arrested. As I’ve said before, although justice by no means prevails when it comes to cybercrime, it’s always nice to see a victory here and there.

The Benjamin worm: is there a good worm?

The Benjamin worm targets users of the Kazaa network, spreading through screen savers and executable files that can be downloaded from the Kazaa site. Once a user’s computer has been infected, Benjamin duplicates itself, hiding under names that may be of interest to Kazaa users, such as “Braveheart-Special-Editiiondivx.exe.” The worm then creates a directory on the victim computer, fills it with infected files, and finally pulls up a pop-up advertisement from a German website. The website, intended to bring in income for the worm writers, was recently taken down due to the large volume of hits. The writers of the quickly-circulating Benjamin worm said that they intended the worm only to frustrate those searching to download pirated software or child pornography. They also claim the worm was a test program designed to disrupt illegal downloads over peer-to-peer networks in the hope that a legitimate program can eventually be marketed.

Can there be a ‘good’ worm? Any program that exploits existing vulnerabilities, reproduces itself and then sends itself to other systems is certainly suspect from an ethical viewpoint. Does the fact that the Benjamin worm is intended to target software pirates or child pornography addicts excuse the fact that it operates without authorization by cognizant authorities? I’d have a difficult time deciding on any answer but “no”. Vigilante worm writers deserve no honor or credit, regardless of their intentions.

Cyber-terrorism schools

The FBI and Defense Intelligence Agency (DIA) issued a secret alert last month that the Muslim Hackers Club is offering classes that give “hacking lessons”. Fears of a cyberterrorist attack are becoming more real as anti-Israel/US terrorists are being educated with readily-available cyberterrorism lessons. A Muslim Hackers Club site posts crash courses on writing viruses, hacking strategies, secret codes, and network ‘phreaking’. The site also lists the top Western sites to target as well as password-protected sites that contain sensitive US intelligence information. Since 11 September, the US has been on high alert for cyberattacks that could potentially cripple American resources, such as water supplies, power lines, or telephone networks. Thus far, cyberterrorist attacks on the US have been limited to the defacing of American sites. Soon after 11 September, a cybervandal known as ‘DoctorNuker’ posted pro-bin Laden comments on a large US company’s site. DoctorNuker is allegedly responsible for many other defacements of Israeli and US websites. Two years ago, DoctorNuker hacked the American Israel Public Affairs Committee and posted the identities of thousands of supporters. US federal prosecutors believe they have arrested DoctorNuker, whose real name is allegedly Misbah Khan, from Pakistan. However, doubts that officials have captured the correct person have arisen; last month a vandal claiming to be DoctorNuker defaced the website helpingisrael.com. Some US intelligence agencies believe that a cyberattack is inevitable over time, as the Al Qaeda network is being equipped with the knowledge and tools needed to conduct such attacks.

The threat of a massive cyberterrorist attack is real, yet it is only one of many potentially devastating types of attacks that confront us. Consider all the talk of an ‘Electronic Pearl Harbor’ that has gone on for years. More recently, several researchers have predicted that an ‘uberworm’ that is much more efficient in its infection and spreading methods than previous worms have been will emerge. The reaction to this prediction has been very mixed among information security professionals, yet to predict that catastrophic computer security-related incidents of various types are going to occur is not to put oneself out on a limb, so to speak. Cyberterrorism really represents only one of the many types of cyber-catastrophe that can and probably will occur. Several major cyber-catastrophe scenarios have already occurred — consider, for example, the massive distributed denial-of-service attacks in 2000. These events have taught security and other IT professionals how to better prepare for and handle catastrophic incidents, although it would not be difficult to argue that we have a long way to go. Furthermore, most critical control systems, such as control systems at nuclear power plants, include generous provision for human intervention in the case of system failure or malfunction. Cyberterrorism will undoubtedly occur, but whether it will result in massive destruction and fear remains to be seen. Meanwhile, it is disconcerting that a school that provides training in cyberterrorism is now in operation.

Hackers still outpacing the law

Hackers are remaining a step ahead of the law. Last year, a hacker broke into the online certificate merchant Ecount and stole personal information about company customers. Since the intrusion, the attacker has continued to heckle Ecount, demanding a fee in exchange for customers’ confidential personal information. Law officials are investigating, but have not been able to identify the attacker — the attacker has erased all of his tracks. Attacks such as these have left law enforcement agencies frustrated. Hackers, who are typically much more technologically advanced than many investigators, often outsmart them. Many times hackers jump from server to server when launching an attack, erasing log files from each server as they leave. By the time law officials are notified of the attack and can get a subpoena issued, the attackers are long since gone without a trace. Agents can then spend days sifting through logs in futility, only to find nothing. A Gartner Group study revealed that 5.2% of online shoppers have fallen victim to credit card fraud, and 1.9% have been victims of identity fraud. In efforts to fight cybercrime, the Bush administration added 50 new prosecutors and just last November the FBI created a new cybercrime unit. However, no arrests have been made in recent high-profile attacks such as the attack on the financial services company Western Union in September 2000, in which an intruder obtained over 15 000 customer credit card numbers. Many companies realize that the attackers may never be discovered or prosecuted, so they have taken measures into their own hands. Some Internet retailers screen transactions during purchasing. If a customer appears ‘suspicious’, the retailers cancel the transaction. This precaution costs Internet retailers up to 8% of the gross amount from sales. Most Internet retailers, however, are not taking the proper actions needed to protect themselves from attacks, as they often erase Web logs prematurely or disable logging altogether.

The trend towards increasing levels of electronic fraud will continue. It is just too easy for computer criminals to find opportunity and exploit it without having to face the consequences. As I have argued in this issue’s editorial, much of the problem is with law enforcement. At the same time, however, lack of appropriate legislation is also a big part of the problem. The only real solution is to take matters into one’s own hands — to cancel suspicious transactions (as discussed earlier in this news item), to make every reasonable effort to close weak links in systems, applications, and networks, and so forth.
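Both halves of this item turn on logs that no longer exist when investigators arrive: intruders erase them as they leave, and retailers discard them prematurely. One defensive measure is to make the log tamper-evident and to ship its current head hash to a separate collector, so that deletion, alteration or truncation on the compromised host is detectable afterwards. The Python below is an added example, not from the article or from any company it mentions; the event format and the four web-server events are constructed for it.

```python
"""Tamper-evident log: each record carries a SHA-256 over itself and its predecessor.

Added example (not from the article). The chain head returned by append() is
meant to be sent off-host after every write; verify() then detects any local
edit, deletion or truncation. Events and their format are constructed.
"""
import copy
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # hash "before" the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: List[dict], record: dict) -> str:
    """Appends a record and returns the new chain head (to be stored off-host)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry["hash"]


def verify(chain: List[dict], expected_head: str) -> Tuple[bool, int]:
    """Recomputes every link; returns (ok, index of the first bad entry, or -1).

    expected_head is the last hash the remote collector received. A chain that
    has simply been cut short is internally consistent, so only the remote copy
    of the head reveals truncation; that case reports index == len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != expected_head:
        return False, len(chain)
    return True, -1


# Constructed web-server events of the kind an intruder would want to remove.
SAMPLE_EVENTS = [
    {"ts": "2002-05-07T10:00:01", "src": "198.51.100.7", "req": "GET /login", "status": 200},
    {"ts": "2002-05-07T10:00:09", "src": "198.51.100.7", "req": "POST /login", "status": 401},
    {"ts": "2002-05-07T10:00:12", "src": "198.51.100.7", "req": "POST /login", "status": 200},
    {"ts": "2002-05-07T10:01:30", "src": "198.51.100.7", "req": "GET /admin/export", "status": 200},
]


def build_sample_chain() -> Tuple[List[dict], str]:
    """Writes the sample events into a fresh chain; returns (chain, off-host head)."""
    chain: List[dict] = []
    head = GENESIS
    for event in SAMPLE_EVENTS:
        head = append(chain, event)
    return chain, head


def tampered_copies(chain: List[dict]) -> Dict[str, List[dict]]:
    """Three modifications a track-covering intruder might make to the local file,
    produced here so that verify() can be shown catching each of them."""
    deleted = copy.deepcopy(chain)
    del deleted[3]                        # drop the incriminating export request
    edited = copy.deepcopy(chain)
    edited[1]["record"]["status"] = 200   # make the failed login look clean
    truncated = copy.deepcopy(chain)[:2]  # chop off the tail of the file
    return {"deleted": deleted, "edited": edited, "truncated": truncated}


if __name__ == "__main__":
    chain, head = build_sample_chain()
    print("intact:", verify(chain, head))
    for name, bad in tampered_copies(chain).items():
        print(f"{name}:", verify(bad, head))
```

The chain on its own only proves internal consistency; what makes it useful forensically is that the head travels to a collector the intruder cannot reach, which is the same reason remote syslog and write-once log storage are recommended practice.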

Cambridge College bans Outlook

Cambridge College has banned all college users from using Microsoft Outlook or Outlook Express, ostensibly because of the high number of viruses and worms associated with these mail clients. About 700 users will now have to switch to other mail clients. The computer officer at the college, Paul McLaughlin, was frustrated by viruses and worms infiltrating the network and by the time required by IT staff to clean up the infections. McLaughlin announced a phased approach to allow users to become accustomed to other mail clients. Currently, users are encouraged to use Mulberry, a mail program that the University Computing Service helped to develop. Users who want an interface similar to Outlook can use the Netscape mail client. Although many of the students, staff and faculty are expected to experience some amount of disruption as a result of the change, they were told it was a necessary step to help protect the integrity and security of the college. Many security experts are not surprised that Cambridge banned the use of Microsoft’s mail clients. They are, however, surprised that other institutions are not taking the same precaution. Experts warn, however, that switching from Outlook to other clients is at best a temporary solution — if and when other clients become more popular, these, too, will become the new targets of virus writers. Currently, virus writers are targeting the preview facility in Outlook that automatically executes Java and XML.

Was this move by Cambridge College an IT decision driven purely by security considerations? If so, it was indeed a rare event in arenas such as academia. But notice that there may be another motive — to push the user community towards using the mail client developed at this college. Still, I like the principle that appears to be at least to some degree present here — sending vendors who develop vulnerability-ridden software a message by dropping their products or refusing to buy them in the first place. If more organizations did this, we’d have software that did not have so many vulnerabilities.

UK Internet porn sweep leads to 36 arrests

British police arrested 36 suspects believed to have been using US pay-per-view child sex websites. The websites posted marketing images that could be purchased from other child pornography sites. The alleged Internet pedophiles were discovered after US law authorities notified the British National Crime Squad (NCS), more or less the UK equivalent of the US FBI. During the operation (codenamed ‘Ore’) 30 police forces searched 43 houses and flats in London, Liverpool, Wakefield, and Grimsby. Customers who had subscribed to the pay-per-view websites between May 1999 and the summer of 2001 had given personal information such as credit card numbers and billing addresses, which made tracking the users easier. Last year, seven pedophiles were convicted in an NCS operation (codenamed ‘Cathedral’) that targeted an Internet ring known as ‘The Wonderland Club’.

Pornography on the Internet is big business. Regardless of one’s beliefs and moral stands on pornography, one must admit that child pornography is a particularly serious problem due to the effect on the real victims — children. The fact that the Internet also appears to be increasingly used for child pornography is thus especially troublesome. Various measures such as the European Commission’s initiation of an effort to automate information sharing have been put in place to combat the problem. These measures are likely in some part to succeed, yet the problem is too big — it will only continue to grow. Furthermore, a recent ruling in the US excluded from criminal prosecution evidence that includes simulated, not real, child sex. (This ruling was not at all popular within the US, and it is likely that legal challenges will be forthcoming.) The Internet did not give rise to pornography; technology does not usually create new types of crimes, after all. Technology usually only makes possible new ways of committing the same old types of crimes (theft, child pornography, unauthorized gambling, and so forth) in more potent and pervasive manners.

Tech company’s Web flaw exposes customer information

Tech publishing house O’Reilly & Associates inadvertently set up access to its website in a way that allowed outsiders to view approximately 100 000 customers’ personal information through the O’Reilly site. Nineteen-year-old Point Blank Security consultant Jeremiah Jacks discovered the flaw in the Web coding logic and reported it to O’Reilly. O’Reilly stores user profiles, such as each customer’s full name and email address, on the O’Reilly site, www.oreillynet.com. Sometimes, but not often, users add more personal information to their account such as their home mailing address, employer, title, and home phone number. When customers wanted to view their profile they would land at a page resembling www.oreillynet.com/cs/user/edit/u/55544. Jacks discovered, however, that the number at the end of the URL is a sequentially assigned customer ID number; anyone could view other customers’ personal information by simply entering the correct number. O’Reilly publishes primarily technical books, including works on computer security, Web privacy, and Perl and Java scripting. Jacks commented on the irony of the tech publishing company’s security blunder.

I dread to think how many other websites allow access to personal data by anyone, too. The World Wide Web is a two-edged sword in that it provides Internet users with access to an incredible amount of information, programs, and so forth, yet it also holds enormous potential to compromise personal information as well as intellectual property. Jacks’ pointing out the irony of a company that sells books on computer security making a mistake of this kind is humorous, but there is also a serious side to his message. It seems that O’Reilly is in effect telling its readers: “Do as I say, not as I do.”
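The flaw described above is a missing authorization check: the server trusted the customer number in the URL and never asked whether the logged-in user owned that record. The Python below is an added example, not O’Reilly’s code; it models a profile endpoint like /cs/user/edit/u/<id> over an in-memory store with constructed names and values, placing the vulnerable handler beside one that enforces ownership. It also adds an opaque-token mapping so identifiers cannot be walked by incrementing a number; that mapping is an assumed design choice, not something the article reports O’Reilly having done.

```python
"""Profile lookup by guessable ID: the flaw and two ways to close it.

Added example, not O'Reilly's code. Models an endpoint like /cs/user/edit/u/<id>
with an in-memory store; all records are constructed. The opaque-token mapping
is an assumed design, not something the article reports O'Reilly having done.
"""
import secrets
from typing import Dict, Optional

# Constructed customer records keyed by sequentially assigned IDs, as in the news item.
PROFILES: Dict[int, dict] = {
    55543: {"name": "A. Customer", "email": "a@example.invalid", "phone": "555-0100"},
    55544: {"name": "B. Customer", "email": "b@example.invalid", "phone": "555-0101"},
    55545: {"name": "C. Customer", "email": "c@example.invalid", "phone": "555-0102"},
}


def view_profile_vulnerable(session_user_id: int, requested_id: int) -> Optional[dict]:
    """The flaw: the ID from the URL is trusted, so any logged-in user reads any record."""
    return PROFILES.get(requested_id)


def view_profile(session_user_id: int, requested_id: int) -> Optional[dict]:
    """The fix: the requested object must belong to the authenticated session.

    Returning None for both "not yours" and "does not exist" also stops the
    endpoint from confirming which IDs are valid.
    """
    if requested_id != session_user_id:
        return None
    return PROFILES.get(requested_id)


class OpaqueIds:
    """Maps internal sequential IDs to unguessable public tokens.

    This removes the ability to reach neighbouring records by incrementing a
    number, but it supplements the ownership check above rather than replacing it.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, int] = {}
        self._by_id: Dict[int, str] = {}

    def token_for(self, internal_id: int) -> str:
        """Returns the stable public token for an internal ID, minting one on first use."""
        if internal_id not in self._by_id:
            token = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._by_id[internal_id] = token
            self._by_token[token] = internal_id
        return self._by_id[internal_id]

    def resolve(self, token: str) -> Optional[int]:
        """Looks up the internal ID for a public token; unknown tokens yield None."""
        return self._by_token.get(token)


def view_profile_by_token(ids: OpaqueIds, session_user_id: int, token: str) -> Optional[dict]:
    """Token-based endpoint: resolve the token, then still enforce ownership."""
    internal_id = ids.resolve(token)
    if internal_id is None:
        return None
    return view_profile(session_user_id, internal_id)


if __name__ == "__main__":
    # Session belongs to 55543; the vulnerable handler hands over 55544's record anyway.
    print("vulnerable:", view_profile_vulnerable(55543, 55544))
    print("fixed:     ", view_profile(55543, 55544))
    ids = OpaqueIds()
    print("by token:  ", view_profile_by_token(ids, 55544, ids.token_for(55544)))
```

The ownership check is the part that actually closes the hole; opaque identifiers only raise the cost of guessing, and a site that adopts them without the check is exactly as exposed as before to anyone who obtains a token from a shared link or a log.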

Teenage hacker pleads guilty to Web sabotage

Eighteen-year-old Matthew Kroeker recently pleaded guilty to computer crime charges and agreed to pay restitution. The Kansas teen admitted to defacing websites and then offering to repair them in exchange for a bribe. As reported earlier this year in ‘Security Views’, Kroeker defaced the City of Stockton home Web page. Kroeker then emailed the Web master of the Stockton home page and offered to repair the site in exchange for a laptop. Web master Cathy Sloan immediately notified the authorities, and after obtaining Kroeker’s personal information, the FBI made the arrest. After investigating the case, officials allegedly discovered that Kroeker was responsible for posting unauthorized messages on a variety of business and government sites. Kroeker could have been tried as an adult, even though he performed the sabotage two years ago. Victims have claimed over $17 000 worth of damages, though the final restitution amount has not yet been announced.

Here we have a computer crime case that was prosecuted and resulted in a guilty plea. It is nice to know that despite all its flaws, the system sometimes works correctly. I am hoping that Cathy Sloan, the real hero in this story, will share her experiences by writing a paper or doing a Web cast on how she handled this incident. Many system administrators and Web masters will face situations such as the one Sloan faced and could learn much from what she has to say.

Virus creator to serve 20 months in federal prison

David L. Smith, the creator of the infamous Melissa virus, was sentenced to 20 months in prison in his federal trial and to a 10-year sentence in his state trial. However, the 10-year sentence issued by the state of New Jersey will run “concurrently and co-terminously to the federal sentence,” meaning the state time will end when Smith finishes his 20-month federal sentence. The federal court, under US District Judge Joseph A. Greenaway, Jr., imposed the far lighter sentence because of Smith’s cooperation with authorities.

The Melissa virus, named by Smith after a topless dancer, cost computer users worldwide far more than the federal sentencing guidelines contemplate, approximately $80 million. This macro virus was distributed through email messages carrying a Word document attachment. When recipients opened the attachment on an unpatched system, the virus sent copies of itself to 50 contacts from the victim’s Microsoft Outlook address book. Melissa caught the world by surprise. It infected far more systems than the Internet worm of 1988 did and also caused far more damage.

We all should be glad that the culprit was identified, prosecuted, and convicted. Smith’s sentence also seems most fair to me. One thing is for sure: Smith will have a lot of time in prison to think about what he did and the consequences of his actions. This case will hopefully serve as a deterrent against writing viruses, worms, and other types of malicious programs.

Russian software company charged with selling anticopying technology

A Russian software company will be tried on criminal charges for selling a product created to crack copyrighted software. Despite the ElcomSoft attorney’s pleas to drop the charges before the trial began, US District Judge Ronald Whyte found that the software was in violation of the Digital Millennium Copyright Act (DMCA). The ElcomSoft case will be the first case tried under the new US law. Defense lawyers argued that the law is vague and called into question the legal protection afforded under ‘fair use’ doctrines. In a 35-page ruling, Whyte upheld the DMCA in deciding to proceed with the trial. The DMCA is the first attempt to protect against the illegal duplication and distribution of software, books, music, and movies on the Internet. ElcomSoft was charged soon after the investigation of its product, which was developed to crack the encryption on Adobe Systems’ eBooks software. ElcomSoft expressed its disappointment in the decision; the company believes there should also be protection for ‘fair use’ and legal copying of software.

I’ve commented on this case and my concerns regarding the DMCA in a previous issue this year. What I found interesting about this news item is the progression of events. So far the defense has been unable to get the case thrown out on the basis of limitations and loopholes in the DMCA. I suspect, however, that the case is a long way from a verdict and that there will be considerably more wrangling and maneuvering before this one is over.

Online public records allow for identity theft

Identity thieves are now increasingly locating public criminal records and using the information they find to steal criminals’ identities while the criminals are ‘doing time’ in prison. The US justice system attempts to track criminals by posting personal information on each criminal. This information includes, but is not limited to, names, Social Security numbers, birth dates, home addresses, heights, and weights. For example, Orange County, Florida publishes the Social Security numbers of inmates before they are jailed, over 57 000 of them last year. The US Marshals Service posts Social Security numbers and photographs on its ‘Most Wanted’ website. Law officials may post any type of information that may aid in capturing fugitives; often photographs and driver’s license numbers are disclosed as well. If such an identity is stolen, this can unfortunately create false trails that lead to the fraudster rather than to the wanted criminal. The question arises as to why anyone would want to steal an inmate’s identity in the first place. In reality, a meaningful background check is seldom performed on anyone applying for a driver’s license, credit card, or even a car loan. Stealing criminals’ identities conveniently gives fraudsters a disposable identity. The risk of being caught is low, assuming no one ever runs a background check on the stolen identity. The identity thief also knows exactly when the criminal’s sentence ends and can abandon the identity before anything suspicious is discovered. Inmates, unfortunately, are not the only people whose personal information is accessible to the public. Until last year, people who had filed for bankruptcy had their personal information available through a public database called PACER. Even marriage records in some states are publicly available. The Judicial Conference of the United States, which establishes federal court policies, is quickly attempting to plug some of the security gaps that allow personal information to be harvested by identity fraudsters.

This news item raises some extremely interesting issues. First, I think it is fair to say that identity theft is a very serious problem that is only going to become worse, especially in the US, where the privacy of individuals’ personal information is not very well protected by law anyway. But now the bad guys are stealing the identities of criminals. This suggests that more protections concerning potential access to personal information about criminals also need to be put in place. But doing so could disrupt the already partially broken justice system, resulting in reduced ability to track down criminals. Others may counter-argue that criminals should not be afforded the same protections as others. Yet many so-called ‘criminals’ have not yet been convicted, so if we presume innocence until someone is proven guilty, we have still another dilemma. I’ll make a prediction here, namely that virtually nothing will be done to provide extra protection against gleaning personal data about criminals, at least here in the US. The US has a long way to go as far as privacy protection goes; nobody is likely to lead a crusade to protect criminals when the average citizen’s privacy is poorly protected.

Most users not interested in online IDs

A recent study released by the Gartner Group found that most Internet users are not interested in online identity and authentication accounts. Microsoft and AOL have promoted ‘user identification accounts’ with Microsoft’s Passport and AOL’s competing Screen Name service. Passport and Screen Name act as the ‘keys to the castle’, allowing users access to multiple sites without having to give their usernames and passwords each time. The companies have also proposed an E-wallet component of the services that would allow customers to make online transactions without entering billing information each time. The authentication services are intended to prepare the way for fee-based online services. The Gartner study revealed that most Internet users are not interested in online ID accounts. The study also revealed that most users with Microsoft Passport authentication accounts are either not aware that the account exists, or simply created the account at some point because it was required to access a particular online service. In general, customers seem to care more about security than convenience. The survey revealed that 38% of customers did “not at all” trust Microsoft and 29% did not trust AOL with their personal finance information. Over 50% did not trust the MSN online service and 49% did not trust MSN Messenger with their personal and financial information. AOL received a slightly higher level of confidence. Gartner also researched the popularity of user authentication services, reporting that by 2003, each of the approximately 50 million registered online authentication users would access an average maximum of only three sites per month with the service.

Microsoft challenged the numbers revealed in Gartner’s study and claimed to currently have more than 200 million registered online authentication users.

Who knows what the true number of users of online IDs is? It always amuses me when someone who conducts or reviews a survey proceeds to interpret the numbers they obtain literally. I would also like to learn more about the methodological and scientific rigor with which the survey was conducted. Particular numbers aside, what seems interesting here is both the reasonably large percentage of customers who have indicated they distrust these two Internet giants and the services they provide, as well as the users’ professed concern over security considerations. Potential E-business customers are almost certainly becoming acquainted with a growing number of consumer frauds committed via electronic means. One thing is sure: a stored password used to authenticate all kinds of commercial transactions is unsuitable from a security perspective. Growing paranoia among consumers could be a very useful thing; it could lead to greater acceptance of third-party authentication and other methods that can dramatically boost security and privacy.

Proposed amendment to the FISMA Bill in US

Representative Janice Schakowsky, a Democrat from Illinois, is working to amend the Federal Information Security Management Act (FISMA) to further protect US national information security. Schakowsky says the gap in national information security lies in a lack of organization in inventory: the Government simply does not know where all its machines are located. This problem surfaced during preparation for the Y2K rollover; the US Government could not attest that all computers were Y2K safe because some machines were unaccounted for.

The proposed amendment to the FISMA Bill would require government agencies to take frequent inventory of their machines and to develop a test plan to ensure, every five years, that all systems are working correctly. Introduced by Rep. Tom Davis (R-Va.) on 6 March, FISMA is intended to extend and update the General Information Security Reform Act of 2000 (GISRA). GISRA expires 29 November this year.

Information security professionals involved in operational security know just how important it is to know where all computers are. It may, for instance, be necessary to quickly disconnect a machine with a worm infection from the network. Knowing exactly where the machine is can drastically reduce the potential for the worm to spread throughout the network to which the machine connects. I am a little surprised that the US Government did not already require the kind of inventories of systems that are called for in this Bill, but I suppose late is better than never.

Tests of biometric devices show numerous problems

Many organizations are beginning to seriously consider using biometrics, or are already using some form of biometric-based identification and/or authentication. Recent results of several tests of biometric devices have, however, revealed substantial flaws in some of these devices. A test of the Visionics face-scanning program, for example, showed that it could pick a particular face out of a crowd only 47% of the time. Facial recognition accuracy plummeted if people wore glasses or turned their heads too much, or if lighting levels were not suitable. Another test involved 11 devices based on recognition of fingerprints and faces. Certain systems recognized ‘faces’ that were really no more than images of faces, not the faces of real people. Breathing on fingerprints or placing a bag of water on fingerprint sensors also often resulted in false recognition. Finally, a Japanese professor manufactured false fingers using moulds of real fingers that allowed successful biometric authentication.

Various professionals will interpret these results differently. Some will say that the testing conditions were very artificial; after all, who is likely to go to a security area within a building and hold up a laptop computer with an image of a face to fool a facial recognition system? Others are so convinced that biometrics are the way to go that they view these results as a minor bump in the road, so to speak, believing that the problems in this technology can and will be worked out in a short time. I would like to go on record as being supportive of biometrics as well as other methods that bypass password entry, the bane of authentication methods. But it appears that biometric technology is not as advanced as we might hope. Any technology that cannot stand up to testing at the very least cannot be called mature. But there is certainly no reason whatsoever to write this technology off, either. The concept of biometric-based authentication is sound; the implementation of the technology may still have a way to go, however. Also to be considered is the fact that some vendors’ implementations of this technology are better than others. It is thus most unfair to write biometric authentication off entirely on the basis of results showing weaknesses in some of the poorer devices available. So let’s be patient and give biometrics technology more time to prove itself. It is, after all, inherently easier to use ‘who you are’ to authenticate oneself than ‘what you have’ or ‘what you remember’.