July 29th, 2010
Pharmacy chain Rite Aid has been fined $1 million for violating privacy standards of the Health Information Portability and Accountability Act (HIPAA). It is good to see that the Office for Civil Rights (OCR) has put some teeth into HIPAA and actually extracted a meaningful fine for violating the act's personal privacy rules. Apparently Rite Aid did not properly dispose of identifying information on customers' pill bottles.
July 27th, 2010
A forum on Dell’s website reports that the company has shipped replacement R410 server motherboards infected with malware/spyware to customers.
Apparently the systems management firmware has been compromised in the manufacturing supply chain, and has been infected with malicious software. Dell is calling customers to warn them of the malware infections, and giving them instructions on how to scan the flash memory to detect and remove the spyware.
It’s another example in the growing set of supply chain vulnerabilities that are starting to emerge in the IT industry. Vendors of IT infrastructure must realize that attackers are eager to infect their products, and are even doing so inside the supply chain itself.
July 27th, 2010
I was in the United Kingdom last week. The UK government is said to be ready to sign a law that would permit police from other EU countries to demand details of UK citizens suspected of crimes in other countries. Details that could be released to foreign police include banking records, phone records, and even DNA samples.
This is happening under the auspices of the European Investigation Order (EIO).
Civil liberties organizations are very concerned that UK citizens’ personal details could be shared with foreign police for such mundane offenses as not paying for a meal at a restaurant.
July 27th, 2010
Anthony Scott Harrison, 21, from the Black Forest area near Adelaide, Australia, yesterday pled guilty to computer hacking. He admitted to infecting 3,000 computers with a banking trojan that allowed him to steal online bank account login details and credit card information. He also admitted to infecting a further 74,000 computers with a bot designed for DDoS.
July 22nd, 2010
London, UK.
Conservative Member of Parliament Rob Halfon claims that the UK government is not doing enough to investigate privacy invasions by Internet companies. He warns that if government does not take more action to investigate Internet companies that are accused of privacy violations, the UK risks having a “privatized version of Big Brother”.
His comments come in the wake of concerns about Google’s StreetMap project that “inadvertently” mapped out the wifi spots of thousands of people.
Dan Raywood of SC Magazine interviewed me about privacy issues and data protection today here in London. You can read the full article here.
July 22nd, 2010
I am in London, UK this week.
The UK Ministry of Defense has admitted to losing 340 laptops over the last two years, and fewer than half of them were encrypted. A further 215 USB memory sticks were lost, and many were not encrypted either. When you add in lost mobile phones, CDs and PDAs as well, it turns out that only 20% of these were encrypted.
I spent much of the day being interviewed by security and business press. There is considerable interest in how the Information Commissioner’s Office (ICO) will deal with government agencies that have lax security and data protection practices. For corporations, the ICO can now fine up to 500,00 pounds, but it’s unclear how government bureaus will be disciplined.
July 16th, 2010
Zeus is a prolific trojan designed to let cyber criminals break into corporate online banking accounts and transfer large amounts of money from company bank accounts.
A new version of the Zeus trojan has been detected that tries to steal Verified by Visa and Mastercard SecureCode passwords, allowing criminals to use corporate payment credit cards.

When users log into their online banking websites from infected computers, the new Zeus trojan will display a screen telling the user that they need to enroll their corporate credit card into the Verified by Visa security scheme. In reality, the criminals are stealing your data, which they can then use to illegally use your corporate credit card online.
July 16th, 2010
Mozilla has disabled a Firefox browser plug-in, Mozilla Sniffer, that steals your usernames and passwords and sends them to a third party website that cyber-criminals presumably use.
July 14th, 2010
I will be speaking at the Atlanta Infragard A-List security training conference on August 25th.
I will talk about the evolving cyber-crime threat landscape that is targeting users of online banking systems. I’ll also review various ways that banks can deploy solutions to help protect their users. I’ll look at various protection types for consumer banking versus corporate banking systems and online trading systems.
If you would like to attend the Infragard meeting, you can find more information here: Atlanta Infragard A-List Conference.
Infragard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center. This alliance is designed to protect IT systems from hacker attacks and other intrusions by providing a network for sharing information, anonymously, about attacks and how to protect against them.
June 30th, 2010
11 alleged Russian spies have been arrested and charged with conspiracy to commit an offense against the United States by not registering with the attorney general. 9 of these individuals have also been charged with money laundering. Details on the people arrested are here. One couple is based in Cambridge, MA.
The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but that they are also suspected of using proprietary Russian-built steganography software to hide data inside images and other files on their computers.
Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.
For example, imagine encrypting a data file using strong encryption, inserting that file as noise in the soundtrack or video stream of a large .wmv video file, and then posting that file to a website or sharing it on a bittorrent network for its intended recipients to download. If you communicate the name of the video file to your recipients out-of-band (through an email, a phone call or SMS), and if there is a key sharing protocol (i.e. they know the password to decrypt the data), then it's highly likely that only those recipients will know that the encrypted data is there and be able to decrypt it.
If anyone else downloads the file, even using steganographic detection tools they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.
In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.
In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.
One other thing I found interesting about this article is that a 27-character password was required to access the steganographic data. Sounds like a great security measure to have such a long password. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.