Archive for January, 2007

Identity Mix Anonymous Credential System donated by IBM to Higgins

Friday, January 26th, 2007

IBM has donated Idemix to the Higgins Project. Idemix is an anonymous credential system that allows users to submit cryptographic assertions of identity and payment credentials to sites.

The credentials are one-time-use only. Thus you won’t be disclosing your name, address, credit card details, etc. to merchants and processors. They would use the encrypted assertions to get the information they need, and would have a way to reach the other information in an “emergency” by referring to the issuing authority.

Reminds me of the ill-fated SET Secure Electronic Transactions system from the mid 1990s.

Let’s hope Higgins has more success than SET. At this point I’d be surprised. In my view, SET failed because:
– chicken-and-egg problem: merchants needed to install SET, and users needed to install the SET client.
– merchant databases use customer credit card numbers to index data records; recoding databases to deal with anonymous transactions was just too costly.
– little or no market demand for more secure and private transactions.

Even in Davos, Botnets and Cyber Crime dominate the agenda

Thursday, January 25th, 2007

I’m here in Redmond, WA at Microsoft headquarters for the ISOI internet security operations and intelligence mini-conference where the topic-du-jour is botnets. But on the other side of the world, in swanky Davos Switzerland, amid meetings of leaders of state discussing global warming and trade imbalances, the conversation veers towards botnets.

Vint Cerf, Michael Dell and others gathered today to discuss the botnet plague. According to Cerf, up to 150 million computers, 25% of the Internet, could be infected with Trojans which allow hackers to use our computers surreptitiously for sending spam, denial of service, phishing attacks and other malicious activities.

According to these guys, authentication and more secure operating systems are needed. Duuh.

Maybe this security nightmare will start to get the attention it deserves?

GoDaddy reverses trend of registrars – deletes domain too quickly after MySpace demands!

Thursday, January 25th, 2007

GoDaddy, one of the Internet’s largest domain name registrars, took the unusual step of suspending the domain of popular security news and tools website http://seclists.org/ with only 52 seconds of notification in a voicemail message to the owner of the domain.

The domain was disabled because MySpace.com complained to GoDaddy that a page on SecLists.org had the usernames and passwords of thousands of MySpace.com users. Presumably these were collected in one of the ongoing phishing scams that are plaguing the popular social networking site.

I’m in Redmond, WA today at the ISOI security conference, where there is much discussion about how to get phishing sites de-registered by domain name registrars. Here’s an ironic case where a registrar acted perhaps too quickly, and disabled a legitimate security site.

MySpace.com didn’t even bother to contact the site’s owner. They just called GoDaddy.

Dutch secret codes and information found on USB flash drive

Wednesday, January 24th, 2007

A USB stick containing confidential information about the Dutch Embassy in Warsaw – including the secret entrance codes to a diplomat’s home and the names of bodyguards – has been left in a rental car and is now in the hands of the Volkskrant newspaper.

Last year, there were several incidents in which USB sticks, belonging to defence ministry and police officials, ended up in the wrong hands.

Brief article here

“Evil” Tor nodes engaging in SSH key spoofing for Man-in-the-Middle

Wednesday, January 24th, 2007

In several posts this month on the seul.org Tor mailing list, it seems that someone or several people are running “evil” Tor exit nodes, attempting to perform man-in-the-middle attacks against SSH connections going over Tor.

There’s also a brief mention of it here (with a very cool little “evil Tor node” diagram).

This is an increasing phenomenon when you have anonymous, untrusted end-nodes.
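The defence against the host-key swap described above is the one the SSH client already offers: a pinned host-key fingerprint that the presented key must match. The following is an added example (not code from the original post or from the Tor project) that builds OpenSSH-style `ssh-ed25519` key blobs from constructed bytes, computes their `SHA256:` fingerprints the way `ssh-keygen -lf` prints them, reads them from a plain (unhashed) `known_hosts` text, and reports whether a presented key matches. The host name `shell.example.net`, the address `203.0.113.10` and both keys are constructed test data. The third case, a host with no pin yet, is the failure mode that matters here: a first connection made over an untrusted path has nothing to compare against, which is why fingerprints should be distributed out-of-band before the first login.

```python
import base64
import hashlib
import struct

# Added example: pin and verify SSH host-key fingerprints the way an SSH client
# does, so a relay that substitutes its own host key produces a detectable
# mismatch. All keys below are constructed test data, not real server keys.


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def encode_ed25519_pubkey(raw32: bytes) -> str:
    """Build the base64 blob that appears in known_hosts for an ssh-ed25519 key."""
    assert len(raw32) == 32
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return base64.b64encode(blob).decode()


def fingerprint_sha256(b64_key: str) -> str:
    """SHA256 fingerprint in the `ssh-keygen -lf` style: base64 digest, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> pinned fingerprint from plain (unhashed) known_hosts lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ignore it
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            pinned[(host, keytype)] = fingerprint_sha256(b64)
    return pinned


def check_host_key(pinned: dict, host: str, keytype: str, presented_b64: str) -> str:
    """Return 'ok', 'MISMATCH', or 'unknown' (no pin yet, i.e. trust-on-first-use)."""
    expected = pinned.get((host, keytype))
    if expected is None:
        return "unknown"
    return "ok" if fingerprint_sha256(presented_b64) == expected else "MISMATCH"


# Constructed keys: the genuine server key and a different key a relay might present.
REAL_KEY = encode_ed25519_pubkey(bytes(range(32)))
RELAY_KEY = encode_ed25519_pubkey(bytes(range(32, 64)))

# Constructed known_hosts content for a hypothetical host name and address.
KNOWN_HOSTS = f"""# pinned out-of-band, e.g. copied from the server console
shell.example.net,203.0.113.10 ssh-ed25519 {REAL_KEY}
"""


def demo() -> dict:
    """Run the three cases: genuine key, swapped key, and a host with no pin."""
    pinned = parse_known_hosts(KNOWN_HOSTS)
    return {
        "genuine": check_host_key(pinned, "shell.example.net", "ssh-ed25519", REAL_KEY),
        "swapped": check_host_key(pinned, "shell.example.net", "ssh-ed25519", RELAY_KEY),
        "first_use": check_host_key(pinned, "other.example.net", "ssh-ed25519", RELAY_KEY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `MISMATCH` verdict corresponds to the client's "REMOTE HOST IDENTIFICATION HAS CHANGED" warning; the `unknown` verdict is the gap an anonymising relay can exploit, since a client that accepts an unpinned key on first use has no way to tell the relay's key from the server's.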

US Treasury plans 3 year effort to track ALL cross-border electronic payments

Thursday, January 18th, 2007

The US Treasury department reported to Congress this week that it could not finish implementing a comprehensive data collection system until 2010.

The plan is to track all cross-border electronic financial payments by requiring banks and money transfer services to report all transactions over $3,000 to the Treasury Department’s FinCEN financial crimes network. This could result in over 500 million financial transactions per year being reported to FinCEN.

Each report would include the names and addresses of senders and beneficiaries, as well as the amounts and dates.

You may recall that the Treasury is in hot water because it has been collaborating with S.W.I.F.T. in Belgium to track all transfers through their network for the last several years.

I have personally visited S.W.I.F.T. many times in both Brussels and in the USA. Did you know that their programmers work in a Chateau on a gorgeous estate outside of Brussels? Less widely known is that the cellar of this Chateau contains millions of dollars of vintage wines!

Grey-hat security guys phish Myspace users and post their info publicly

Thursday, January 18th, 2007

SophosLabs has reported that it discovered a phishing scam against MySpace users.

The evil twist is that this scam was operated by so-called “white hat” hackers, trying to illustrate a point that MySpace should protect its users against this type of phishing.

It is clearly illegal, even for security researchers, to spoof the brand of a company and collect identity information (such as names and passwords). At least it’s illegal from a brand spoofing point of view.

But what makes this worse is that these so-called “white hats” posted the information of the alleged 60,000 users who fell for the scam.

TJ Maxx and Marshalls retailers hacked – customer records stolen

Thursday, January 18th, 2007

Three years of consumer credit card and debit card transaction information was stolen from the computer networks of TJX, the parent company of retailers T.J. Maxx and Marshalls. The breach occurred in December 2006, but was only announced today.

It will be interesting to see if this data is used in phishing attacks, to personalize these attacks, or just resold into the white plastic underground.

Soldier’s lost flash drive leads to identity theft and fake propaganda

Thursday, January 18th, 2007

A soldier from Tennessee lost a flash drive containing personal videos while on duty in Iraq. Somehow that unencrypted flash drive ended up in enemy hands, and the video resurfaced this week on Iraqi TV, heavily edited into a fake propaganda video.

The soldier will not be disciplined.

California Phisher Goes To Jail

Tuesday, January 16th, 2007

Jeffrey Brett Goodin has been convicted of operating a sophisticated phishing scam, posing as AOL’s billing department.

This is the first conviction by a jury under the CAN-SPAM Act of 2003, according to the U.S. Attorney’s Office.

He faces up to 101 years in federal prison.