Archive for February, 2007

Cybercops call out for more forensic tools

Wednesday, February 28th, 2007

It’s been pretty obvious for a few years that the law enforcement community, by and large, is lacking the tools and funding to deal effectively with cybercrime and the analysis of digital data.

Today, Jim Christy, a director at the Department of Defense Cyber Crime Center, asked techies at the Black Hat DC Briefings to develop better tools to sift through digital evidence. A typical investigation might include analysis of computers, flash drives, MP3 players, cell phones and game consoles.

On a separate note, I’ve been looking into how cybercrime data, such as logs from phishing sites or crimeware drop-boxes, is shared with law enforcement and with the end users whose data is stolen. More on this in future posts…

Zully finds drive-by Pharming attack

Friday, February 16th, 2007

APWG stalwart and top Symantec researcher Zulfikar Ramzan (better known to us as Zully) has created a proof-of-concept pharming attack that is all of one line of JavaScript.

If you visit a web page carrying this JavaScript, it basically makes your browser issue an HTTP POST to the router’s default LAN address, authenticating with the router’s default admin password, and tells the router to change its DNS settings. So if you are like most people, using a popular home router and never having changed the admin password, this one line of JavaScript can completely compromise your surfing: every DNS lookup your computer makes from then on goes to resolvers the attacker controls.

You’ll be taken to whatever website the attacker wishes, even if you type in “www.realbank.com”.

Nasty.

The $1.9M Laptop…

Wednesday, February 14th, 2007

Who would ever pay $2M for a laptop? The same guys who buy golden toilet seats and $2,000 screwdrivers? Nope, it’s Nationwide Building Society, a U.K. financial services company.

In truth, they probably only paid about $2,000 for the laptop. But they were recently fined $1.9M by the FSA (the U.K. Financial Services Authority) for losing said laptop, which was chock-a-block full of sensitive customer information.

PayPal Security Key – 2 Factor Authentication Goes Mainstream

Monday, February 12th, 2007

Two-Factor authentication is hitting the mainstream with the Beta launch of the PayPal Security Key.

The device appears to be a Vasco one-time-password token. Interestingly, it does not use the open OATH algorithm (HOTP, RFC 4226) that VeriSign has been championing.

Veterans Affairs loses another un-encrypted drive

Monday, February 12th, 2007

The Associated Press reported that the Department of Veterans Affairs has lost another hard drive, holding up to 20,000 unencrypted personnel records.

I thought that they had this kind of thing under control after last summer’s loss of up to 26.5 million veterans’ personal records? Didn’t President Bush issue a requirement for all such data to be encrypted last year?

ISP data retention bill opens door to Identity Theft Armageddon

Friday, February 9th, 2007

The Republican “law and order agenda” includes provisions for ISPs to track customers’ online activities and retain those records for up to two years.

A core provision is the storing of “name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned”.

We do need to give law enforcement the tools they need to fight phishers, crimeware authors, and those involved in child pornography and other abuses. However, can you imagine the privacy and identity theft disaster that would ensue if thousands of ISPs, big and small, had to start tracking and storing all this information?

First, most of the thousands of small ISPs in this country would probably go bankrupt.

Second, you’ve just created fertile ground for ID thieves to steal thousands of databases holding your personal information, email address and web surfing habits. There is no way that all of these databases will remain secure.

Imagine what a criminal could do with this information:

I know your name.
I know your IP address.
I know which banking and brokerage sites you visit, therefore I know where you have accounts.
I probably know where you work if you log in to a VPN or access corporate email through your ISP.
I know which hotels you stay in.
I know which auction sites and ecommerce sites you visit or have accounts at.

Basically, spear-phishing would go through the roof. It would be impossible to discern real emails from fake ones.

Let’s get realistic here, lawmakers. If some of the world’s largest government agencies and ecommerce sites can’t keep customer databases secure, how are thousands of ISPs supposed to do it? This idea, while well-intentioned, is a disaster waiting to happen.

(P.S. Buy stock in data storage companies.)

Champagne at RSA

Wednesday, February 7th, 2007

Suddenly, out of nowhere, our booth was surrounded by cameras, and someone was handing out champagne to everyone… it seems that we won the Best Booth award at RSA. Nice.

IronKey comes out of stealth mode at RSA Conference 2007

Monday, February 5th, 2007

After more than a year and a half of stealth, we are going to let RSA Conference security gurus in on what we have been up to.

We’ll be showing our stuff at the RSA Conference this week. The show starts tonight (Monday Feb 5) at 6pm. Stop by our booth, # 2547, and check it out. We are there Tuesday, Wednesday and Thursday all day. Come by and sign up for a free Beta unit!

Next-generation “Carnivore” Internet surveillance adopted by FBI

Friday, February 2nd, 2007

According to CNET News.com, former and current FBI officials say that the agency has adopted Internet surveillance tactics that involve collecting “massive databases” that track the activities of thousands of Internet users.

This “full pipe” surveillance tracks all web surfing and email traffic from targeted IP addresses or IP blocks.

This technique is used when an ISP cannot isolate the particular person or IP address because of technical constraints.

I suppose it’s a kind of “dragnet fishing” where anyone can be tracked and added to the analysis databases if the ISP they are using happens to be under surveillance because of one suspected bad guy on the network.