Archive for the 'IronKey' Category

Privacy Concerns Prompt Warning by UK MP of “Privatized Big Brother”

Thursday, July 22nd, 2010

London, UK.

Conservative Member of Parliament Rob Halfon claims that the UK government is not doing enough to investigate privacy invasions by Internet companies. He warns that if government does not take more action to investigate Internet companies that are accused of privacy violations, the UK risks having a “privatized version of Big Brother”.

His comments come in the wake of concerns about Google’s StreetMap project that “inadvertently” mapped out the wifi spots of thousands of people.

Dan Raywood of SC Magazine interviewed me about privacy issues and data protection today here in London. You can read the full article here.

Protecting Online Banking Customers from the Evolving Cyber-Crime Threats

Wednesday, July 14th, 2010

I will be speaking at the Atlanta Infragard A-List security training conference on August 25th.

I will talk about the evolving cyber-crime threat landscape that is targeting users of online banking systems. I’ll also review various ways that banks can deploy solutions to help protect their users. I’ll look at various protection types for consumer banking versus corporate banking systems and online trading systems.

If you would like to attend the Infragard meeting, you can find more information here: Atlanta Infragard A-List Conference.

Infragard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center. This alliance is designed to protect IT systems from hacker attacks and other intrusions by providing a network for sharing information, anonymously, about attacks and how to protect against them.

Arrested Russian Spies Used Steganography To Hide Data

Wednesday, June 30th, 2010

Eleven alleged Russian spies have been arrested and charged with conspiracy to commit an offense against the United States by not registering with the attorney general. Nine of these individuals have also been charged with money laundering. Details on the people arrested are here. One couple is based in Cambridge, MA.

The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but that they are also suspected of using proprietary Russian-built steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.

For example, imagine encrypting a data file using strong encryption, inserting that file as noise in the soundtrack or video stream of a large .wmv video file, and then posting that file to a website or sharing it on a BitTorrent network for its intended recipients to download. If you communicate the name of the video file to your recipients out-of-band (through an email, a phone call or SMS), and if there is a key sharing protocol (i.e. they know the password to decrypt the data), then it's highly likely that only those recipients will know that the encrypted data is there and be able to decrypt it.

If anyone else downloads the file, even using steganographic detection tools, they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.

In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.

One other thing I found interesting about this article is that a 27-character password was required to access the steganographic data. Such a long password sounds like a great security measure. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.

IBM Hands Out Malware Infected USB Drives at AUSCERT Security Conference

Friday, May 21st, 2010

IronKey’s Chief Technology Officer, Gil Spencer, was at the AUSCERT security conference in Australia this week. He was the lucky recipient of a promotional USB flash drive from IBM at the conference.

Today IBM sent out an apology. It seems that the USB flash drives that they handed out were infected with autorun malware. Nice one, IBM.

They should have given out IronKey secure devices. IronKey Enterprise devices have anti-malware software and hardware and firmware protection against autorun USB malware.

USB Worms Top The List of Malware in Q1 2010

Wednesday, May 19th, 2010

According to McAfee’s Q1 Threat Report, malware that is designed to spread onto USB removable storage devices was the most prevalent malware threat in Q1 2010. The number 1 most detected malware variant by McAfee researchers was “Generic!Atr”, followed by a number of password-stealing Trojans and the Autorun Conficker worm.

This should come as no surprise. The ability to infect USB drives, and then spread onto computers on which those drives are used, has become a widely exploited technique in many malware packages. Perhaps the most famous case of such an infection was in late 2008 when such a worm, “Agent.btz”, infected sensitive Department of Defense computers. This led to a lockdown by the DoD of all removable storage devices until they could define a set of technical operating requirements to ensure that malware cannot spread onto and from removable storage devices.

IronKey worked with the Department of Defense, National Security Agency, and other bureaus to help define these technical requirements. Now these capabilities are available to Enterprise customers of IronKey devices. They include services such as built-in anti-malware scanning, intelligent hardware-based autorun tamper prevention, read-only mode, etc.

Are We Facing Yet Another Banking Crisis?

Monday, May 10th, 2010

ICT Review has published Dave Tripier’s article: “How Cybercriminals Are Stealing Corporate Funds, and Putting Pressure on the Global Banking System”.

“The last eighteen months have delivered some of the most testing challenges to the global banking system. Whilst financial institutions and businesses alike both struggle to emerge from a brutal recession, they’re now having to face up to a new threat which can potentially steal away their funds and corporate reputation with the simple click of a mouse.

In this article Dave Tripier, CMO of IronKey, explains how organised cyber crime rings have begun to target corporate banking transactions – and offers valuable advice to help banks and businesses to deal with this new threat.”

Read the full article here.

The 21st Century Trojan War – Protecting Corporate Online Banking from Next-Generation Malware

Thursday, May 6th, 2010

Financial Services Technology magazine has published my new article, “The 21st Century Trojan War”. In it I talk about the new corporate banking trojan threats, and how the cyber-underground is advancing their attacks against the financial services infrastructure by infiltrating the computers of finance professionals inside corporations and government agencies.


“In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users, and instead target bigger fish – corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access a commercial online banking service becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions, and issue commands for funds transfers.

Symantec detected over 70,000 variants of the Zeus Trojan in 2009.

Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to ‘money mule’ accounts overseas, and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account, than to try to hijack thousands of consumer-based accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns, and will grow dramatically over the next several years.”

Read the rest of the article at: Financial Services Technology Magazine.


What Happens to your Digital Assets, and all your Passwords, When You Die?

Thursday, April 29th, 2010

When you die, what will happen to your digital assets? Importantly, what will happen to your passwords and online accounts? Some of these need to be handed over to work colleagues. Some of these need to be handed over to spouses and children. Some may need to be handed over to your estate attorneys. And some may just die with you.

There are many complex issues regarding data privacy, disclosure, rights management, and the crypto and business systems that need to align underneath.

The day after the Internet Identity Workshop, Phil Windley is hosting “Digital Death Day”, a workshop that is going to examine these questions, and discuss proposed solutions and technical and legal hurdles.

Navy Vice Admiral Discusses The Use of Approved Secure Removable Storage Devices at the Department of Defense

Friday, February 19th, 2010

In November 2008, the US Department of Defense banned the use of USB flash drives and other removable media on all Defense Department networks, after a DoD network was infected by a USB flash drive that had autorun malware on it.

Today, Navy Vice Admiral Carl Mauney, deputy commander of the United States Strategic Command said: “After extensive testing of mitigation measures, DoD decided to make this technology available again on a strictly controlled basis on DoD computers. Since the order restricting use of removable media, DoD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.”

An article at Government Info Security lists the requirements for using removable storage devices in the Department of Defense:

  • Employing approved procedures and hardware that prevent unauthorized use, and scan, clean and wipe the devices removing malicious software.
  • Restricting use to operational mission requirements.
  • Allowing only properly inventoried, government-procured and -owned devices for use in Defense Department information systems.
  • Prohibiting personally owned devices on all military networks and computers.
  • Banning use of DoD-procured and owned devices on non-government networks or computers without authorization from an approval authority.
  • Using flash media only as a last resort to transfer data from one location to another and only when other authorized network resources are not available.
  • Subjecting randomly selected users and drives to periodic audits.
  • Requiring combatant commands, services, and agencies to establish their own approval authorities for determining whether selected flash media may be used within their individual organizations.

In an interview published by the Armed Forces Press Service today, Navy Vice Admiral Mauney said active operations in Afghanistan, Iraq and elsewhere will get priority in implementation of the new guidelines. “In terms of the mechanics, we’ve put together several small kits of the equipment that’s needed and we’ll be transitioning those to people out in the theater – in Afghanistan in particular – to help certain groups facilitate their use,” he said. The kits will contain hardware and software to ensure the safe use of removable media, including the required anti-malware scanning capabilities.

Pentagon Lifts Removable Media Flash Drive Ban

Thursday, February 18th, 2010

InsideDefense.com and Wired.com today reported that U.S. Strategic Command (STRATCOM) has lifted last year’s ban on the use of removable storage devices inside the Department of Defense.

USB flash drives and other removable storage devices were banned by the DoD in November 2008 after a military network was infected by the Agent.btz worm, which was introduced into the network from a USB flash drive.

The Wired.com article is incorrect in its assertion that STRATCOM has not addressed the problem of spreading viruses from removable media devices. IronKey and other vendors of hardware encrypted secure storage have been working with Joint Task Force – Global Network Operations (JTF-GNO) at STRATCOM to develop technical and operational requirements for preventing malware from infecting removable storage devices, and from migrating from devices onto networks.

IronKey partnered with Tresys, which has a File Sanitization Tool designed to clean malware from devices when they are moved between different government networks.

IronKey Enterprise devices also feature an anti-malware scanner, to ensure that files stored on IronKeys do not have malware. IronKey devices also have active anti-malware capabilities preventing tampering with the autorun.inf on the device, which prevents malware from spreading from devices onto host computers.
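The posts above attribute the spread of USB worms to autorun and mention protecting the autorun.inf on the device. As an added illustration (not IronKey's, Tresys's or the DoD's tooling), this Python sketch audits the contents of a removable drive's autorun.inf and lists every directive that launches a program; the sample file and the file names in it are constructed.

```python
import re

# Keys in the [autorun] section that launch, or offer to launch, a program.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\open\command

def audit_autorun(raw: bytes) -> list:
    """Return (line_no, key, value) for each launch directive in an autorun.inf.

    Parsed by hand instead of with configparser: a file written by malware may
    be padded with junk lines that a strict INI parser would reject outright.
    """
    is_utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16") if is_utf16 else raw.decode("latin-1")
    findings, section = [], None
    for no, line in enumerate(re.split(r"\r\n|\r|\n", text), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # junk padding or another section
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()                 # key names are case-insensitive
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append((no, key, value))
    return findings

# Constructed sample, not taken from a real drive.
SAMPLE = (
    b"kq3Zx91 junk padding line\r\n"
    b"[AutoRun]\r\n"
    b"; constructed sample\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=drive.ico\r\n"
    b"zz81 more junk\r\n"
    b"shellExecute=example.exe /quiet\r\n"
    b"shell\\open\\Command=example.exe\r\n"
    b"[Content]\r\n"
    b"open=ignored.exe\r\n"
)

if __name__ == "__main__":
    for line_no, key, value in audit_autorun(SAMPLE):
        print(f"line {line_no}: {key} -> {value}")
```

An empty result means the file only sets cosmetic values such as an icon or label; any finding on a drive that is supposed to hold data only is worth investigating before the drive is used on another host.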