Archive for October, 2006

Phished Brokerage Accounts Used In Dramatic New Fraud Scheme

Wednesday, October 25th, 2006

Fraudsters have been using other people’s online brokerage accounts to generate tens of millions of dollars of profits over the last 3 months. Brokerage account login information is being stolen by phishing and crimeware (e.g. keyloggers). These hijacked accounts are used to buy thinly traded penny stocks and drive up the prices. Scammers then sell the stock in other accounts and reap huge profits.

By using many accounts at different online brokerages, it becomes very difficult to track down the fraudsters.

This online crime wave seems to correspond with the recent dramatic rise in stock pump-and-dump spam that you may have noticed.

We predicted this type of fraud over 1 year ago at the DHS SRI Identity Theft Technology Consortium. Now we are seeing it happening in the wild. This is the latest illustration of how the online crime community is gaining in sophistication, not just in stealing identity information and passwords, but in the actual execution of financial fraud.

Laptop Data is Subject To Search at US Borders – “What’s Your Password?”

Tuesday, October 24th, 2006

It shouldn’t be news that U.S. authorities can search laptops at borders, but until now it’s not been something that most business travellers even considered to be a risk.

Clearly, corporate laptops, and indeed any storage device such as USB flash drives, portable hard drives, BlackBerrys and other PDAs, should be encrypted and have password access controls. The risk of having a laptop confiscated, and having confidential data copied or possibly leaked by US authorities, is very low. But this does serve to point out yet another reason for data encryption to be widespread.

The next question will be – what are the rights of US authorities at border crossings, or in general, to request or force you to divulge your password? And what happens to you if you exercise your Fifth Amendment rights, and don’t tell?

Hacking Tor – Trust Nobody

Monday, October 23rd, 2006

An interesting paper has been released about ways to hack the Tor anonymity network.

http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf

This paper shows that hostile operators of Tor exit nodes can poison web traffic in various ways, in order to track your real IP address or replace content with malicious or fake content.

Interestingly, the paper does not expose flaws in the Tor protocols, but really shows that web content, such as Flash, can be manipulated by hostile exit node operators to track your IP address and the content that you are browsing.

This illustrates an interesting attack vector for spreading crimeware or other types of malware: simply run malicious Tor exit nodes and use iframes or fake web content to present zero-day exploits to anyone who surfs through your node.

In security, we often like to think that we should “trust nobody” with privacy or secrets. The reality is, with a Tor network, you are “trusting” the operators of the Tor exit nodes. These are basically unknown people running servers anywhere in the world, and you know nothing about them or their motives. It all seems quite dangerous.
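
The content tampering described in this post can be checked for by comparing a page as received through an exit node with a copy of the same page fetched over a trusted path. The following is an added example, not code from the paper or from this blog; the two sample pages and the host `tracker.example` are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that can load or run active content; the post names iframes and Flash.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}

class ActiveContentCollector(HTMLParser):
    """Collects (tag, source URL) pairs for active-content elements."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            a = dict(attrs)
            # <object> uses "data", the others use "src"; inline scripts have neither.
            self.found.append((tag, a.get("src") or a.get("data") or "(inline)"))

def active_elements(html):
    parser = ActiveContentCollector()
    parser.feed(html)
    parser.close()
    return parser.found

def injected_elements(baseline_html, observed_html):
    """Return active elements in the observed copy that the baseline lacks."""
    remaining = list(active_elements(baseline_html))
    extra = []
    for item in active_elements(observed_html):
        if item in remaining:
            remaining.remove(item)  # matched one baseline occurrence
        else:
            extra.append(item)
    return extra

# Constructed sample pages (not captured traffic).
BASELINE = """<html><body><h1>News</h1>
<script src="/static/site.js"></script>
<p>Story text</p></body></html>"""

OBSERVED = """<html><body><h1>News</h1>
<script src="/static/site.js"></script>
<p>Story text</p>
<iframe src="http://tracker.example/t" width="0" height="0"></iframe>
<embed src="http://tracker.example/p.swf"></body></html>"""

if __name__ == "__main__":
    for tag, src in injected_elements(BASELINE, OBSERVED):
        print(f"unexpected <{tag}> from {src}")
```

Pages that are legitimately dynamic will also differ between fetches, so a hit is a prompt to inspect rather than proof of tampering. Content served over HTTPS with certificate validation cannot be rewritten by an exit node in this way.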

FBI Sued by EFF

Wednesday, October 18th, 2006

The Electronic Frontier Foundation has sued the Justice Department because the FBI failed to respond in a timely manner to a Freedom of Information Act request about its “Investigative Data Warehouse” (IDW).

The IDW is a consolidated database of more than 700 million records about people’s biographical information, physical locations, financial records and photographs. The FBI says that the IDW is a consolidation of numerous other agency databases into a single, searchable data warehouse. They have not publicly posted the criteria on the personal information included in the database, as required by the Privacy Act of 1974.

Jeff Stein earlier this year wrote about accessing the IDW at FBI headquarters, and being surprised about the depth of information about him stored in the database.

Finally, a Google for all your personal history!