Security Views - Malware


computers & security 26 (2007) 269–275

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Security views

1. Malware update

The Gozi Trojan horse has recently surfaced. This malicious program exploits a buffer overflow condition in iframe tags in the Internet Explorer (IE) browser to glean information from Secure Sockets Layer (SSL)-encrypted streams. Largely found in home computing systems, Gozi may be responsible for the theft of confidential information such as Social Security numbers (SSNs), authentication credentials for e-business and on-line banking transactions, and authentication credentials for a large number of government organizations and companies. The compromised information was obtained through individuals’ home computers that had been compromised. Gozi, which remained undetected for as long as 50 days, sent the data it collected to a system in St. Petersburg, Russia. Ultimately, the data were sold. At least two variants of this Trojan program have been discovered.

The Grum-A worm has been spreading by posing as a beta 2 version of Internet Explorer 7 (IE7). It sends email messages containing a link to a malicious Web site. The messages appear to come from [email protected]; subject lines state that the message contains a link for the IE7 beta download.

A few notable examples of malicious code have appeared, but once again their appearance and functionality are nothing to provoke fear and panic within the infosec arena. Malware continues to be as surreptitious as possible, making it difficult to detect and helping perpetrators of computer crime profit from their activity.

2. Update in the war against cybercrime

A contractor at Dai Nippon Printing Company in Japan has been arrested for allegedly pilfering roughly nine million pieces of customer information over a period of five years. Clients affected by this theft include American Home Assurance, Toyota Motor Corporation, and Aeon Co. Dai Nippon is negotiating the amount of compensation for the data security breach with each company. An investigation that resulted in discovering the data security breach began when the contractor allegedly sold 150,000 pieces of information to a crime ring. The fact that he did not own the disk that was allegedly used to copy the data was the basis for Japanese law enforcement charging him with a crime. The Japanese personal information protection law does not specify penalties for data theft.

The Business Software Alliance (BSA) has initiated legal action against five alleged software pirates in the UK, Austria, US and Germany. In each case consumer complaints led to BSA becoming aware of the alleged copyright violations.

Florida law enforcement has arrested six individuals for allegedly using information gleaned illegally from TJX to purchase large numbers of WalMart and Sam’s Club gift cards. Arrest warrants have been issued for four other alleged suspects in the ploy. Estimated costs for WalMart and the banks that issued the stolen credit cards have now reportedly amounted to more than USD 8 million. The ploy was ostensibly underway in November last year. TJX had not revealed that the intrusions had occurred at that time. Last January TJX conceded that the data security breaches that affected sensitive financial account information of millions of customers had occurred. Last February TJX said it had discovered additional break-ins indicating that perpetrators may have been accessing its systems without authorization since 2005. The security incident has also impacted customers of TJ Maxx stores in the UK and Ireland. A recent filing with the US Securities and Exchange Commission (SEC) indicates that 45.7 million credit and debit card numbers have been compromised through intrusions of TJX computer systems over a period of 18 months. Approximately three-quarters of the card numbers were expired or had some magnetic stripe data masked.

Philippines law enforcement has detained seven persons for questioning in connection with multiple break-ins into telecommunications networks in that country, Canada, Australia, the US, and three European countries. The ploy entailed breaking into the telecommunications networks and then selling the connections.

Dov Tenenboim has pleaded guilty to gaining unauthorized access to 90 eBay accounts and then using them to pilfer AUD 42,000. Tenenboim, an Australian citizen, also gained unauthorized access to both email accounts and a bank. He used compromised eBay accounts to falsely advertise iPods and then pocketed the sales proceeds. If convicted on all charges that he faces, he might be sentenced to a maximum of 11 years of jail time and fines of AUD 9900.

US Department of Defense (DOD) reports reveal that more than 20 US military service members had money siphoned from their pay accounts. The US Defense Finance and Accounting Service’s ‘‘myPay’’ program allows members to administer their salary information on-line. Services include the ability to specify accounts for direct deposits. The thefts may be due to keystroke loggers, other spyware that infected the home computing systems of affected members, or highly guessable passwords. All pilfered funds have been restored.

Lancaster County, Pennsylvania Coroner Gary Kirchner faces trial for allegedly giving a journalist a password to a confidential Web site. Kirchner has been charged with illegal use of a computing system and criminal conspiracy. Information concerning emergency communications is available on the Web site; access is, however, restricted to law enforcement and authorized personnel. A journalist testified that Kirchner supplied her with the password so that reporters could obtain information from the site, precluding the need to call him. If convicted, Kirchner could face up to 14 years in prison and a fine of USD 30,000.

Mariyana Feliksova Lozanova, a Bulgarian woman, faces up to 30 years of imprisonment and USD 500,000 in fines for allegedly defrauding US citizens and residents out of more than USD 350,000 through eBay ploys. She allegedly advertised costly items on eBay and then instructed buyers to wire funds using a phony service called ‘‘eBay Secure Traders’’ to make her ploy look legitimate. Victims received neither merchandise nor refunds. Lozanova was taken into custody in Budapest, Hungary. Having allegedly used fake names in opening bank accounts, she has reportedly been charged with both conspiracy to commit wire fraud and conspiracy to commit money laundering.

UK citizen Gary McKinnon has lost his fight to avoid extradition to the US, where he has been charged with various computer crimes. Prosecutors allege that he broke into nearly 100 US government computing systems, including systems at the Pentagon, NASA, and the US Air Force and Army.

Leslie Langford, an emergency medical technician (EMT) at the University of Illinois Medical Center at Chicago (UIC), has been charged with eight counts of felony identity theft. He has also been fired for allegedly using his position to gain unauthorized access to medical information of nearly 250 patients. The information includes SSNs and driver’s license numbers. The medical center notified the affected patients three weeks after Langford was arrested. Administrators at the medical center were tipped off about Langford’s alleged activity and used the electronic record keeping system there to determine what information was being accessed and who was doing it. Eight of the medical records were allegedly misused.

Courtney Smith of Indiana, who pleaded guilty to charges of selling pirated software over the Internet, has been sentenced to 27 months of imprisonment. He earned more than USD 4000 by selling more than USD 700,000 worth of pirated Rockwell Automation software on eBay.

US federal prosecutors have charged Singapore citizen Parthasarathy Sudarshan, the founder of Cirrus Electronics, with export violations, international weapons trafficking, conspiracy, and serving as an agent for a foreign government. He is accused of shipping US computer technology to three different Indian government agencies; the technology is used in weapons systems. The equipment includes microprocessors, capacitors and semiconductors used in missile guidance and delivery systems, and heat-resistant memory chips. A US court has denied Sudarshan’s bail request on the basis that he is likely to flee the US if he is granted bail. Cirrus Electronics international sales manager Mythili Gopa was also arrested. Two additional people have been indicted but not arrested in this case.

The US Ninth Circuit Court of Appeals has denied Jerome Heckencamp’s effort to have his computer crime convictions reversed. He was sentenced to eight months of imprisonment in 2004 for numerous computer crimes, one of which was that he gained unauthorized access to a Qualcomm computer system while he was a student at the University of Wisconsin-Madison. Late in 1999 the university was informed that the Qualcomm intrusion had been traced to the university network. A system manager at the university traced the break-in to Heckencamp’s dormitory room and also found that Heckencamp’s computer was being used to gain unauthorized access to the university’s email server. The administrator cut off the computer’s network access, but Heckencamp altered his IP address. The administrator then broke into Heckencamp’s computer to ascertain whether it was the same one with a different IP address; his stated goal was to safeguard university computers from harm. He confirmed that the IP address in Heckencamp’s computer had been changed. The FBI subsequently obtained a warrant, seized the computer and found evidence that it had been used in several break-ins and Web defacements. Heckencamp’s appeal was based on the fact that his computer was investigated without a search warrant, thereby violating the Fourth Amendment. In upholding Heckencamp’s conviction, the appeals court ruled that searching the computer was legal because of a special exception to the Fourth Amendment.

It is nice to see that law enforcement in various countries around the world is making progress in bringing suspected computer criminals to justice. At the same time, however, the way that the Heckencamp case has been handled is extremely disconcerting. The evidence against Heckencamp that the system manager obtained was by no means legal – intruding into systems in fact constitutes a felony violation. How then could a court of law allow such evidence to be heard, let alone admitted? Could this travesty of justice be just one more of many indications of how the US is moving towards becoming a fascist state?

0167-4048/$ – see front matter doi:10.1016/j.cose.2007.05.002

3. More compromises of personal and financial information occur

A laptop system pilfered from the car of an employee of the Ohio state auditor’s office stores personally identifiable data pertaining to roughly 2000 current and prior Springfield City Schools employees. The incident affects individuals who were as of June permanent employees of three consecutive years and who received paychecks on three different dates in 2003 and 2004. The employees have been sent letters informing them of the incident. The employee who left the laptop in the car has received a reprimand for failing to adhere to an organizational policy.

A review of an Indiana state government Web site triggered by a data security breach showed that the incident compromised personally identifiable information pertaining to 71,000 more individuals than was originally suspected. In early February of this year state staff found that credit card data of 5600 persons and businesses had been illegally accessed. Indiana’s Office of Technology has notified state health workers that their personally identifiable information was also accessed without authorization early this year. Authorities have reportedly pinpointed a suspect and have initiated legal proceedings. The person who initiated these attacks may also have broken into government computing systems in other states.

A USB storage device found near a bicycle shelter holds almost 60 documents belonging to the Perth and Kinross Council in Scotland. The information includes paycheck information pertaining to dozens of Council employees. The individual who found the device gave it to a local newspaper. The device’s disappearance was not reported to law enforcement. Council members are disconcerted because the individual who found the device did not give the device directly back to the council.

Two laptop systems reported as missing store personally identifiable information of roughly 31,000 Group Health Cooperative Health Care System medical patients and employees in the Seattle area. Compromised information includes names, addresses, Group Health ID numbers, and SSNs. The computing systems vanished in late February and early March of this year. Affected persons have been informed by mail.

Roughly 19,000 current and prior patients of the Swedish Urology Group in the Seattle area have been notified that their personal information has fallen into unauthorized hands. Three hard drives used to back up the information were pilfered from a locked office last March. Because there were no indications of forced entry, the culprit may possibly have possessed a copy of the master key. The information dates back as far as four years in certain cases. The drives hold data related to doctors, staff members, and patients.

A laptop system taken from King’s Mill Hospital in Sutton-in-Ashfield, Nottinghamshire, UK in late March this year holds the names, addresses and birthdates of 11,000 children ranging in age from eight months to eight years. Two other computing systems were also pilfered at the same time. Every family of the children has been informed. Nottinghamshire law enforcement is conducting an investigation of the thefts. The laptop has been recovered, and two suspects in the case have been placed under arrest.

Personally identifiable information pertaining to roughly 380 public school employees in St. Mary Parish, Louisiana was publicly available on the Internet when a Yahoo! web crawler gleaned the information. Yahoo!’s crawler accessed a database holding staff development roster information from 2002 through 2004. The school district has asked Yahoo! and Web page archiving services to purge the information from their cache files and has informed individuals who were affected by the confidentiality compromise. The school district’s technology department has since adopted measures to help prevent a similar incident from recurring.

Three laptop systems that disappeared from the US Navy College Office in San Diego, California are presumed stolen. These machines may store sailors’ personally identifiable information, including names, SSNs, rankings, and rates. Those potentially affected by the data security breach are current and former Navy active duty members who were assigned to a vessel homeported in San Diego from January 2003 to October 2005 and who had been enrolled in the Navy College Program for Afloat College Education. The Naval Criminal Investigative Service (NCIS) is looking into the incident and is cooperating with San Diego police in an effort to find the laptops.

The University of Montana-Western is informing between 400 and 500 current and prior students that their personally identifiable information was stored on a disk taken from a faculty member’s office. The information includes names, SSNs, birthdates, and addresses. The students affected by the incident are all enrolled in the school’s TRIO Student Support Services Program, which was formerly known as the Educational Opportunity Program. Law enforcement is investigating the incident.

The University of California at San Francisco (UCSF) has begun informing 46,000 university and medical center students, faculty members and staff that their personal data were compromised when a perpetrator broke into a UCSF server. The compromised data include names, SSNs, and bank account numbers. UCSF staff learned of the incident late last March and then disconnected the compromised server from the network.

A Nebraska woman trying to access previous tax returns via the Turbo Tax Web site found that she had access to the returns of three other individuals who had the same last name and first initial. The compromised information includes SSNs and bank account routing numbers. Misconfigured access for the Turbo Tax Web site caused the problem. Intuit, which makes Turbo Tax, has removed the link that resulted in the data security compromise.

Chicago Public Schools (CPS) is informing current and prior employees that their personal information was compromised. This information was on two laptop systems pilfered from an office at CPS headquarters last April. The incident affects roughly 40,000 current and former employees who paid into the Teacher Pension Fund between 2003 and 2006. The compromised information includes names and SSNs, but not addresses or birthdates. CPS is emailing current employees and is also making information concerning former employees available on the Web. Surveillance cameras captured an image of a suspect in the incident. A USD 10,000 reward for information resulting in the return of the pilfered computers is also being offered. CPS experienced another incident of this nature within the last 12 months.

A locked shipping case containing backup tapes from Florists’ Mutual Insurance Company parent company Hortica has been lost in shipping. Hortica administers benefits and insurance to employees of companies in the horticultural industry. The container was lost by UPS; it was in transit from a secure off-site facility to Hortica headquarters in Illinois. Hortica has modified its backup procedure to preclude shipping provided by common carriers. The information on the tapes includes names, SSNs, bank account numbers, and driver’s license numbers.

Security Title Agency in Phoenix, Arizona is advising customers that their personal information was potentially compromised when the company’s Web site was defaced. This company stores customer information on the server used to host its Web site. Security Title asserts that there is no evidence that the perpetrators gleaned personal information, but it nevertheless is offering free credit monitoring to its customers.

Data security breaches continue to occur at an alarming pace, and there is still no end in sight. After data security breaches occur, organizations apologize and make other concessions to individuals who were affected, but seldom do they improve their data security practices to the point that such breaches are unlikely to recur. I hate to be so repetitious, but until the US as well as other governments adopt legislation that requires adequate data protection practices, data security breaches will continue to be regular occurrences.

4. Saudi Arabia prescribes penalties for information technology crimes

The Saudi Arabian cabinet approved imposing a one-year prison sentence and fines of 500,000 riyals in a new law pertaining to information technology crimes. The bill was first proposed last year in the Shura, the kingdom’s advisory assembly. It next must go to the king for final ratification. The information technology crimes law forbids and prescribes penalties for illegal access to an Internet site as well as for unauthorized entry into a Web site to alter its design or destroy it. It also forbids and prescribes penalties for invading privacy through misuse of cell telephone cameras and similar devices to take unauthorized snapshots for the purpose of defaming or damaging people. Under strict Islamic law, camera phones had previously been banned; religious police are opposed to their use. The Saudi Arabian government already regulates citizens’ use of the Internet by blocking content deemed improper and by tracking the on-line actions of users.

Every country in the world that does not have suitable computer crime legislation constitutes a weak link in the struggle against computer crime. The fact that Saudi Arabia has pushed forward computer crime-related legislation is thus another encouraging development. Hopefully, other countries that have not already done so will draft and pass similar legislation.

5. Oracle files industrial espionage suit against SAP

In a complaint filed with the US District Court in San Francisco, California, Oracle Corporation has alleged that SAP has illegally accessed and downloaded Oracle products and proprietary and confidential materials by using bogus logins and credentials gleaned from legitimate Oracle customers. Oracle technical staff attempted to determine why huge traffic spikes were occurring on its CustomerConnect servers from September 2006 through January 2007. They discovered that the traffic originated from IP addresses within the SAP TomorrowNow offices located in Bryan, Texas. Oracle claims that on one particular occasion employees at SAP TomorrowNow used bogus logins and passwords to access Oracle servers and then downloaded more than 7200 files in four days. Oracle asserts that the pilfered information was used by SAP to offer low cost services to customers who used Oracle applications and then to attempt to switch them to SAP’s application software.

This news item once again shows that industrial espionage is a real and ever-ongoing threat. At the same time, however, I fear that most commercial entities do not pay enough attention to this type of threat, let alone do much if anything about it. If SAP is found guilty of the charges that Oracle has brought against it, I wonder if SAP will only get its proverbial hands slapped or if there will be an appropriate fine and sanctions. Too often in the past organizations and individuals have gotten away much too lightly when they have been found guilty of using computing technology to engage in industrial espionage.

6. Colorado woman sues Internet Archive for breach of contract

Web site owner Suzanne Shell is suing the Internet Archive because it uses spiders to search the Internet and glean and archive Web site information. Her suit charges Internet Archive with conversion, civil theft, breach of contract, and violating the Racketeer Influenced and Corrupt Organizations Act and the Colorado Organized Crime Control Act. Shell’s Web site’s main page posts the following warning at the bottom: ‘‘IF YOU COPY OR DISTRIBUTE ANYTHING ON THIS WEB SITE, YOU ARE ENTERING INTO A CONTRACT.’’ Clicking on this notice displays a more detailed copyright notice and agreement. Shell’s suit claims that the Internet Archive’s spider visit to her site constituted acceptance of her terms. A court ruling granted the Internet Archive’s motion to dismiss the charges except for the breach of contract claim. The lawsuit has implications for all sites that gather content through automated programs, including Google. They might have to persuade Web site publishers to opt in before indexing or otherwise capturing their content. The Uniform Electronic Transactions Act (UETA) seems to agree with the statement: ‘‘A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.’’

It will be interesting to learn of the ruling on Shell’s remaining lawsuit. She appears to have a point – the warning her Web site provides is anything but obfuscated, and its wording is clear. At the same time, however, a highly relevant issue in this case is that almost without exception Web sites across the world allow spiders to visit them and glean information without any restrictions whatsoever. The way spiders such as the Internet Archive’s spider work is thus functionally supported by established norms of Internet behavior. Do these norms take precedence over the special conditions and restrictions at a particular site such as Shell’s? Should the Internet Archive’s spider somehow have learned about these conditions and restrictions? Chances are we will find the answer to these questions when we learn of the ruling.

7. Florida eVoting problems persist

Touch-screen voting machine miscounts from last year’s US national election continue to be an issue in Florida. The Florida Congressional District 13 race resulted in more than 18,000 Sarasota County votes not being recorded. This discrepancy is being considered by the Florida First District Court of Appeals in Tallahassee. If the court so rules, access to the county’s touch-screen voting machines could be granted to outside experts, and the appeal could overturn the election in which Republican candidate Vern Buchanan won by a disputed 369 votes over Democrat candidate Christine Jennings. Experts agree that the 13% Sarasota County undervote is a fluke and that Jennings would have won by about 3000 votes with the typical 2–3% undervote for a ‘‘top of ballot’’ race. Elections Supervisor Kathy Dent was warned before last year’s election by ES&S internal systems that more than 1600 of the county’s touch-screen machines could have delayed responses from a ‘‘smoothing filter’’ problem, but the problem was never rectified. Jennings wants Professor Dan Wallach of Rice University to conduct a forensic examination of the hardware, software, and source code used in the machines. If the court rules in Jennings’ favor, an investigation will be allowed, and a revote may be required.

It is once again troubling to learn of yet another eVoting machine-related problem in the state of Florida. Worse yet, with a few exceptions (of which the current governor of Florida is one), few legislators and officials in this state appear to be very concerned about these problems. Kathy Dent in particular appears to be a very culpable figure in the Florida eVoting mess. I honestly do not expect much to be done about this problem in the near future, either – many individuals, Ms. Dent included, appear to want the state of things to remain just as they are.

8. Irish Information Commissioner says fingerprinting in schools is not appropriate

The Irish Information Commissioner’s Office has issued guidance concerning fingerprinting in Irish schools. This Office maintains that according to Irish law it is not necessary for schools to fingerprint children, and that if doing so is not necessary, the Data Protection Act states that it should not be done. The Office is not opposed to school biometrics, but it feels that the schools should not use this method without a good reason. Each school would have to have its plans for biometrics outlined and evaluated in a privacy impact statement. Most parents approved the biometric programs after the schools assured them that the fingerprint data would only be used to track student attendance and that the data would not be shared or used for criminal investigations. The guidance also told the schools that they should get parental consent before fingerprinting any child younger than 18 years of age. In contrast, the UK Information Commission allows schools to rely on the children’s consent if they are deemed mature enough to understand the implications involved. Additionally, students must have the option of opting out of a school biometrics program at any time without fear of reprisals or denial of access to services.

I agree with the Irish Information Commissioner’s Office’s decision. Introducing and obtaining approval to use biometrics for one purpose and then switching gears, so to speak, without obtaining consent for a different usage purpose is unfair. Additionally, parental consent should be required. Biometric technology is sufficiently invasive of individuals’ privacy that those who advocate and use it must ensure that privacy- and ethics-related issues are first properly addressed.

9. UK bank fraud victims must report suspicious transactions to banks

The new UK Fraud Act requires that bank fraud victims now directly notify their bank of any suspicious transactions rather than report the crime to law enforcement. The bank will then decide whether to inform law enforcement agencies. Experts say that the government is introducing the change only to reduce the recorded crime figures – the banks will now have too much discretion concerning what types of fraud are reported and investigated. Victims of bank fraud that the bank does not for any reason want to disclose will thus be functionally suppressed. Apacs, which represents the credit and debit card industry, states that the change will cut through bureaucratic barriers and provide more accurate figures. The Home Office says that law enforcement will still decide which crimes warrant the allocation of resources for investigation. Furthermore, if the fraud accompanied or was the result of a wallet being stolen, or the fraudulently used card was obtained in a burglary, then the crime would still be reported to law enforcement. The Home Office also said that non-bank fraud would continue to be dealt with by law enforcement as usual.

Any issue concerning reporting fraud and crime is invariably difficult. One of the most difficult hurdles is getting victims to report what happened – there seems to be a great deal of reluctance on the part of victims in this regard. Additionally, to whom they must report what happened makes a huge difference. I suspect that bank fraud victims will find it much easier to report to banks, entities with whom they have at least dealt in the past, than to law enforcement. As such, the new UK Fraud Act’s provisions may actually turn out to be beneficial in fighting fraud and other types of computer crime. At the same time, however, the fact that banks have been given the power to decide whether or not to pass customer-provided information on to law enforcement is troubling.

10. Appeals court ruling: no privacy when personally-owned PC brought to work

Michael Barrows, the city treasurer of Glencoe, Oklahoma, was sentenced to six and a half years of imprisonment for possessing child pornography on his PC, which he was using for business purposes at his job. He was also required to register as a sex offender and was sentenced to an additional three years of supervised release. On appeal to the 10th Circuit Court, the man claimed that his PC was his personal property and was thus subject to Fourth Amendment protection; it was, according to his logic, searched without a warrant. However, the Court disagreed, stating that because he had the PC in a shared public office openly visible to the public, had connected the PC to the office network to share files, knew the PC contained files used by others in the office, and thus did not use a password, turn it off, or take other steps to prevent third-party use of the computer when it was at the office, he should not have expected any privacy with respect to his PC. When a co-worker tried to access some files on the defendant’s PC and had a computer-savvy reserve police officer who was visiting city hall help him access it, they stumbled over the porn files. They called law enforcement, which obtained a warrant and seized the hard drive. The circumstances and subsequent proceedings resulted in his eventual conviction.

This ruling is only one of many that deal with the issue of privacy in the workplace, something that very much affects the practice of information security. In numerous cases an employee has been suspected of hiding company property in a purse or briefcase. Various rulings have upheld the right of the company to search the purse or briefcase if either is on company premises; others have not. The case of Barrows is, however, different in that the property that was seized and used as evidence was undisputedly his. The ruling sends a message – be careful what you bring to work with you, and be careful how you allow your own computer to be used. It may also send another, more subtle message, however – if you are a known trafficker of child pornography, anything can and will be used against you in court.

11. GAO says that DHS continues to be plagued with information security-related problems

After scrutinizing the sector infrastructure protection plans that the 17 private-sector coordinating councils delivered in December 2006 to the US Department of Homeland Security (DHS), the US Government Accountability Office (GAO) recently released a report summarizing its evaluation of the plans. The nation’s 17 sectors include those for energy, financial services, food, information technology, and water supply. The GAO found that although the DHS has increased its vigilance with regard to information security, it has not yet fully implemented 25 recommendations involving information security threat and vulnerability assessment, attack warnings, how information is shared, and how response and recovery are coordinated after an attack. Some private-sector participants feared sharing sensitive information on their vulnerabilities with their sector coordinating councils because they worried the information might be leaked to the public or might subject them to lawsuits. They also struggled with their relationships with the DHS, citing a lack of trust, high employee turnover, and a lack of understanding of infrastructure operations at DHS. Other problems noted were delays in obtaining guidance from the government and the numerous changes in that guidance concerning how to do infrastructure protection planning. This news item should not be a surprise to anyone. Since its inception (which now appears to have been increasingly ill-advised), the DHS has been plagued with a plethora of almost insurmountable problems, of which information security problems are among the foremost, that it does not seem able even to begin to solve. At this point one must seriously wonder whether the few benefits that the DHS has produced are so outweighed by this department’s many overwhelming liabilities and deficiencies that it is time to dissolve it and absorb its functions into other, better-functioning departments.

12. Six-year-old girl installs keystroke logging device in UK House of Commons

As part of a BBC Inside Out investigation and demonstration, a six-year-old girl smuggled a keylogging device into the UK House of Commons, one of the most physically secure buildings in the country. Because security there focuses on keeping guns and bombs out, the girl walked past the armed police and through the X-ray searches. Once inside, the producers convinced Tory MP Ann Milton to leave her computer unattended for a little while. Within 15 seconds, the girl, who had almost no knowledge of computers, had attached the device to the computer. Although the device had been attached to a computer within the House of Commons, no alarm was raised. Information that could have been compromised on the computer included passwords, top-secret information, and sensitive personal details. The keylogger cost only GBP 50. This is a startling event, one that will undoubtedly cause some changes in physical security practices in the UK House of Commons. If something like this could happen there, think what might happen in other, less secure settings in organizations throughout the world.

13. Proposed anti-spyware legislation could result in larger fines

The “Securely Protect Yourself Against Cyber Trespass Act,” also known as the “Spy Act,” would prohibit any software that takes control of a computer, modifies registry settings, logs keystrokes, or collects other data through misrepresentation. This proposed legislation is before the House Subcommittee on Commerce, Trade, and Consumer Protection for the third time. Twice before, in 2004 and 2005, the subcommittee, the full committee, and the House of Representatives passed the act, but the bill did not pass in the Senate. The legislation would add tougher fines and civil penalties for anyone responsible for programs that hijack a user’s computing system or collect data without authorization or consent from the computer’s user. Under the Act, the US FTC would have greater ability to go after companies and individuals responsible for spyware, which is frequently used to install other adware and malware. Up to now, the FTC has pursued cases based on its power to investigate fraudulent trade practices. The Spy Act broadens the definition of spyware and would allow the FTC to levy fines of up to USD 3 million per activity committed by a spyware program that is prohibited by the act and USD 1 million for each violation of the prohibition against data collection without consent. The Center for Democracy and Technology supports the Spy Act, but would rather see a commitment to legislation that establishes a foundation for privacy rights than a piecemeal approach that addresses specific threats, such as spyware or data breaches. The Direct Marketing Association is also worried that the overly aggressive legislation could punish legitimate advertisers and marketing firms. Anti-spyware legislation in the US is currently not very adequate, in that its provisions have had very little impact. The currently proposed legislation would have greater impact in that it prescribes large fines for those who violate its provisions. Although previous versions of this bill were voted down in the Senate, with the new composition of Congress this year the bill now stands a much better chance of passing. If it does pass, I predict that it will in time substantially reduce the number of Web and other sites in the US that inject spyware into computer systems that connect to them. At the same time, however, for obvious reasons it will not reduce the number of such sites in other countries.

14. Computer technician’s mistake wipes out Alaska revenue information

A computer technician doing routine maintenance work last July at the Alaska Department of Revenue inadvertently reformatted and erased a huge data file and the backup disk for an oil-funded applicant information account valued at USD 38 billion. Unfortunately, the Department’s third line of defense had also failed: the backup tapes were unreadable. Nine months’ worth of information for the yearly Alaska Permanent Fund payout was deleted. The information included the 800,000 electronic images that had been scanned into the system, including the 2006 paper applications that people had mailed in or filed over the counter, and supporting documentation such as birth certificates and proof of residence. The only remaining backup was the hardcopy documents themselves, stored in over 300 cardboard boxes. At a cost to the department of USD 220,700, 76 people consequently worked overtime for six weeks to re-enter the lost data. No one got in trouble for the incident. The department says that it now has a proven and regularly tested backup and restore procedure. This story is almost unbelievable – it is difficult to imagine how an incident of this magnitude could have occurred. It reinforces a long-standing tenet of information security – human error results in far more loss and destruction than do ill-intentioned individuals. Human error can be greatly reduced by paying attention to usability considerations, something that often costs far less than deploying dozens of security-related controls. It is thus high time that information security professionals turned more of their attention to human factors problems in the IT arena.