Notorious Phisher & Hacker “Mafiaboy” Warns about Cloud Computing Security

July 1st, 2009

When he was 15 years old, Michael Calce, known in hacker circles as “Mafiaboy”, engineered a denial of service attack that took down CNN, Yahoo, E-Trade, Dell, Amazon and eBay. He started his hacking activities at an even younger age when he would phish for AOL accounts to get free Internet access.

Calce has made a statement that the move to cloud computing is going to create a virtual playground for hackers and cyber criminals. He also warns that the insider threat of malicious users inside companies is being massively understated, and that companies are at serious risk.

IronKey is a member of the Cloud Computing Security Alliance. We believe that the guidance being provided by the CSA can help cloud computing companies, and enterprises that are selecting a cloud service, to create much more secure systems.

IronKey operates a cloud security service to allow administrators to remotely manage their fleets of IronKey personal security devices and secure USB flash drives over the Internet. Our service allows admins to remotely provision devices, control security policies on remote IronKey devices, provide software and anti-malware updates to remote devices, and perform critical functions such as password reset, device re-provisioning and usage tracking. We even allow enterprise administrators to remotely kill devices if they are reported lost or stolen.

We employ a layered security approach that includes strong two-factor authentication to the service (using your IronKey device of course!), data encryption, hardware signing modules, segmented networks, intrusion prevention and detection systems, layers of firewalls, etc.

Rod Beckstrom Becomes CEO of ICANN - Positive News for Fighting Cybercrime on the Internet

June 30th, 2009

Rod Beckstrom, former Director of the National Cybersecurity Center at the US Department of Homeland Security, has been named as the new CEO of ICANN, the Internet Corporation of Assigned Names and Numbers, responsible for policy and regulations about Internet domain names and IP addresses. I’ve been privileged to know Mr. Beckstrom during his tenure at DHS, and I’m pleased that he is now taking on the leadership role at ICANN. As part of my activities with the Anti-Phishing Working Group, I’m involved with domain name policies regarding accelerated takedowns of domains that are used for phishing or spreading malware.

Here is an excerpt from an interview by Brian Krebs of the Washington Post online:

Krebs: As I’m sure you’re aware, ICANN’s decision to move forward on hundreds of new gTLDs has ruffled some feathers, particularly in the business and intellectual property communities. Critics of the current process say it’s moving forward too quickly and that the new gTLDs are merely going to create a myriad of costly, legal headaches for brand owners, who will be forced to go out and register variations of their brand name in hundreds of new gTLDs to protect their brands. Are their concerns valid, and are they being addressed well enough?

Beckstrom: Having just spent the week here, I can tell you one of the prominent topics of debate were the intellectual property questions, with various parties proposing solutions. There are still different thoughts in the community: On the one hand, ICANN is receiving a lot of pressure from many companies around the world who want new gTLDs…who want them opened up and available. And others want reasonable mechanisms for some intellectual property review and process.

So, ICANN’s role is to try to play a balancing role. ICANN doesn’t have a firm position on what the solution is. ICANN is simply asking the global community of IP attorneys and others to develop the best possible solutions they can which can actually be implemented. But one of the solutions is not avoiding the gTLDs, because there’s tremendous demand from all over the world to have those, and the number of companies who are opposing them appear to be a minority compared to those who think they should be out there and present.

How To Secure USB Thumb Drives - SearchSecurity Article

June 30th, 2009

Search Security has a nice new article about how to secure your USB thumb drives. There is a good discussion of encryption, remote management and malware spreading issues. There’s some good discussion about data protection policies as well. The article mentions IronKey, and states that “SMBs that need to guarantee that all data will be encrypted should consider thumb drives that feature hardware-based encryption that is embedded in the thumb drive’s controller”.

Online Credit Card Scammer Faces 60 Years in Prison

June 30th, 2009

Max Butler, the “Iceman”, faces two counts of wire fraud stemming from the theft of nearly 2 million credit card numbers and $86 Million in alleged fraudulent purchases. He ran an online cards forum called Carders Market. This was a site where cyber criminals could buy and sell credit card numbers and other personal information.

Cyber Security Finally Reaches Global Government Debate - US and Russia

June 29th, 2009

The US and Russia are engaged in a debate about the future of international cooperation to defend against cyber attackers and cyber criminals. It’s about time.

Russia favors a treaty, which will facilitate information exchange and legal actions, as well as potential authorization of cyber-force against attackers online. The US is arguing for a more informal approach based on increased cooperation between law enforcement agencies in various countries.

In my view, both are needed.

FlyClear Ceases Operations - How Will They Protect the Biometric And Personal Data of Customers?

June 29th, 2009

I received an email on Wednesday night from FlyClear, the service that allows you to skip the long lines at airport security. Apparently they are going bankrupt, and have ceased operations as of 11pm Thursday. The email was followed up with a second letter describing how they intended to protect my biometric and personal data.

Of concern is that FlyClear last year lost an unencrypted laptop that contained the personal data on numerous applicants, including myself. They implemented laptop full disk encryption after that incident.

This letter talks about erasing laptops, etc. However, of concern to me, is that it looks like they will continue to keep my personal and biometric (fingerprint and retina scans) data, and can possibly provide that data to “another TSA approved company”. So, in essence, it seems that if another company springs into life to offer a similar service, then FlyClear can provide my precious biometric data to that company.

Quote: “The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”

Here is a link to the FlyClear site, and the content of their letter.

Dear David Jevans,

In response to questions raised by our members, Clear would like to offer the following information:

Clear Lanes Are No Longer Available.

At 11:00 p.m. PST on June 22, 2009, Clear ceased operations. Clear’s parent company, Verified Identity Pass, Inc., was unable to negotiate an agreement with its senior creditor to continue operations. Verified Identity Pass regrets that Clear will not be able to continue operations.

How is Clear securing personal information?

Clear stands by our commitment to protect our customer’s personally identifiable information - including fingerprints, iris images, photos, names, addresses, credit card numbers and other personal information provided to us - and to keep the privacy promises that we have made. Information is secured in accordance with the Transportation Security Administration’s Security, Privacy and Compliance Standards.

How is Clear securing any information at the airports?

Each hard disk at the airport, including the enrollment and verification kiosks, has now been wiped clean of all data and software. The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis.

How is Clear securing any information in central databases and corporate systems?

Lockheed Martin is the lead systems integrator for Clear, and is currently working with Verified Identity Pass, Inc. to ensure an orderly shutdown as the program closes. As Verified Identity Pass, Inc. and the Transportation Security Administration work through this process, Lockheed Martin remains committed to protecting the privacy of individuals’ personal information provided for the Clear Registered Traveler program. Lockheed’s work will also remain consistent with the Transportation Security Administration’s federal requirements and the enhanced security and privacy requirements of Verified Identity Pass, Inc.

The computers that Verified Identity Pass, Inc. assigned to its former corporate employees are being wiped using the same process described for computers at the airports.

Will personally identifiable information be sold?

The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.

How will members be notified when information is deleted?

Clear intends to notify members in a final email message when the information is deleted.

Who is monitoring this process?

Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process. Clear thanks these partners for their continuing cooperation and diligence.

How can I contact Clear?

Please visit our website, www.flyclear.com, for the latest updates. Clear’s call center and customer support email service are no longer available.

Will I receive a refund for membership in Clear?

At the present time, Verified Identity Pass, Inc. cannot issue refunds due to the company’s financial condition.

Has Verified Identity Pass, Inc. filed for bankruptcy?

At the present time, Verified Identity Pass has not commenced any proceedings under the United States Bankruptcy Code.

Clear Customer Service

Clear, 600 Third Avenue 10th Floor, New York, NY 10016
www.flyclear.com

Homeland Security Talks about IronKey - Cyber Security is the Next Big Thing

June 19th, 2009

Here’s a great article in the Examiner about “Cyber Security - The Next Big Thing”.

Doug Maughan, Program Manager, Cyber Security R&D Center, Department of Homeland Security (DHS), Science and Technology (S&T) Directorate, talks about IronKey and how DHS helped to fund the initial research behind the company.

Stolen USB Flash Drive Contained 1,600 Social Security Numbers and Personal Data

June 17th, 2009

Kirkwood Community College officials are providing a year of credit monitoring to 1,600 people and businesses after a mobile data device containing names and Social Security numbers was taken from an Iowa City work force office June 4. The device was not encrypted. A man has been charged in conjunction with the theft.

Hackers Steal Coffee Shop WiFi User’s Credit Card Details - Beware

June 17th, 2009

Hackers were monitoring the WiFi access point at Custom House Coffee in Portsmouth, NH, and were able to steal the credit card details of about 50 customers who used the WiFi at the coffee shop to surf the net and do e-commerce transactions.

The IronKey SecureSessions encrypted web surfing service could have prevented this. IronKey SecureSessions provides a triply encrypted web tunnel for all your web surfing, including a secure DNS service, which helps ensure that hackers on WiFi networks cannot see your traffic, and cannot perform an “evil twin” man-in-the-middle attack to hijack your web surfing and redirect it to fake websites.

Ethical Hacker Tests the Security of the IronKey Secure USB Drive

June 15th, 2009

Murray at the Ethical Hacker (and current Director of Neohapsis Labs) has written a very good review of our IronKey Personal device.

Read the review here.

Murray performed an extensive penetration test of the IronKey device, with quite a bit of technical research, including disassembly of the IronKey unlocker application.

After several months of testing, the review has now been posted. Here’s a nice quote:

“I like it so much that all of my data for all of my clients is now stored on the IronKey that they sent me for the beta program. That’s probably the most telling statement I can make – usually, when someone sends me a product for a review, I rip it apart and then toss it in a drawer. For me to trust it to house my clients’ data is not normal. And as many of you fellow pen testers know, the data we keep could bring down their organizations. (As an aside, I’m even pondering whether or not to buy one of the 8GB ones to house the entirety of my business docs – it’s that useful).”