Archive for May, 2008

What If Your Domain Name Registrar Account Was Phished

Friday, May 30th, 2008

Many companies spend millions of dollars on 2 factor authentication, issuing authentication keyfobs to employees so that even if a password is phished or keylogged, an outsider cannot get into the network without physical possession of the authentication token keyfob. In fact, this type of strong authentication is mandated for all access to government networks.

But a horrible vulnerability is emerging that could take companies completely off the Internet. It is the dawning realization that critical infrastructure is in fact only protected by a username and password. What is that infrastructure? The DNS records at Domain Name Registrars like Network Solutions and Go Daddy.

In some respects, the DNS records at a registrar are the most important items to secure. If a hacker gets the domain administrator’s password, they can change the DNS records to redirect all web and email traffic to any server or network of their choice. Imagine if a major bank or government agency had all their web and email traffic redirected to a hacker or foreign attacker? It would be an absolute disaster.

Worse, what if an ISP had their traffic, and that of their millions of customers, redirected to an attacker network? It could affect the privacy and security of millions of people.

Well, it’s happened. Yesterday hackers phished the domain name registrar password of Comcast. They redirected all Comcast traffic to hacked servers for hours. They even warned Comcast system administrators, who didn’t believe the attack was happening!

This should be a wake-up call to the industry that critical pieces of infrastructure are lying totally vulnerable to phishing attacks. DNS records at registrars and other Software as a Service systems like Salesforce.com all need to implement strong two-factor authentication.
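The post's point is that a registrar compromise shows up as a change in the domain's public NS, A or MX records. As an added example (not from the original post), the check below compares a freshly observed record set against a known-good baseline and ranks what each drift would redirect; the domain, addresses and hostnames are constructed, and in practice the observed dict would be filled from a scheduled resolver query.

```python
"""Detect unexpected changes to a domain's public DNS records (added example)."""
from typing import Dict, List, Set

# Which record type controls which traffic. NS is the registrar-level delegation:
# a change there moves everything, which is the scenario the post describes.
IMPACT = {
    "NS": "all traffic (delegation changed at registrar)",
    "A": "web traffic",
    "MX": "email traffic",
}


def diff_records(baseline: Dict[str, Set[str]],
                 observed: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per record type whose observed values differ from baseline.

    Findings are ordered with NS first, since a delegation change is the most
    severe and should be what the on-call reader sees at the top.
    """
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        if seen != expected:
            findings.append({
                "type": rtype,
                "added": sorted(seen - expected),
                "removed": sorted(expected - seen),
                "impact": IMPACT.get(rtype, "unknown"),
            })
    findings.sort(key=lambda f: 0 if f["type"] == "NS" else 1)
    return findings


# Constructed baseline: example.com delegated to its own nameservers.
BASELINE = {
    "NS": {"ns1.example.com.", "ns2.example.com."},
    "A": {"192.0.2.10"},
    "MX": {"mail.example.com."},
}
# Constructed snapshot in which delegation and mail now point somewhere unexpected.
DRIFTED = {
    "NS": {"ns1.unexpected-host.example.", "ns2.unexpected-host.example."},
    "A": {"192.0.2.10"},
    "MX": {"mx.unexpected-host.example."},
}

if __name__ == "__main__":
    for f in diff_records(BASELINE, DRIFTED):
        print(f"{f['type']}: +{f['added']} -{f['removed']} -> {f['impact']}")
```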

Carry Your Confidential Data on an IronKey, Lest Your Laptop Be Copied While Travelling

Friday, May 30th, 2008

I have heard for some time that travel to some countries, such as China, carries a risk that your laptop will be copied or infected by malware while you are sleeping, taking a shower, etc. Here is recent evidence that even the US Government is facing these threats.

When travelling, carry important confidential data on an IronKey. It cannot be copied.

41% of Large Companies Spy On Their Employee’s Outbound Email

Friday, May 23rd, 2008

In a News.com blog post today, a Proofpoint and Forrester Research survey was discussed. Proofpoint has found that 41% of large companies (with 20,000 employees or more) have people who are paid to read and analyze the outbound email of their employees.

I’m guessing that most of these companies use an email filtering tool, like Proofpoint, to find email that has “suspicious content”. Then they flag those for manual inspection.

SMIME encrypted email anyone?

Missing Tapes Contain Social Security Numbers and Other

Friday, May 23rd, 2008

Attorney General Richard Blumenthal today announced that a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to as many as hundreds of thousands of Connecticut consumers and personal information of millions more nationwide.

Among the Connecticut consumers are depositors and investors of People’s United Bank of Bridgeport, which gave Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

“I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon (BNY) involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People’s United Bank account holders and shareowners,” Blumenthal said in his letter. “Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information.”

On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers — hundreds of thousands of them People’s United Bank customers and investors — and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.

38 Phishers in US and Romania Charged with Computer Fraud Involving International Organized Crime

Monday, May 19th, 2008

Today we learn of a triumph of cooperation between international law enforcement agencies, the FBI, the Secret Service, financial institutions, the US Postal Service, the IRS and local law enforcement agencies. A federal grand jury in Los Angeles charged 33 individuals in a 65-count indictment unsealed today for their alleged participation in an international racketeering scheme that used the Internet to defraud thousands of individual victims and hundreds of financial institutions. Seven individuals were charged in a District of Connecticut indictment for their roles in an Internet phishing scheme, including two who were also charged in the Los Angeles case.

U.S. law enforcement authorities are executing nine arrest warrants in the Los Angeles area and Romanian law enforcement authorities are executing search warrants in Romania today in connection with the racketeering indictment.

As described in the indictments and other publicly filed documents, the phishing schemes used the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers and Social Security numbers.

Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet “chat” messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point of sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wire transferred to the supplier who had provided the access device information.

Seuong Wook Lee, a cashier in the scheme, pleaded guilty on May 15, 2008, in U.S. District Court in Los Angeles to racketeering conspiracy, bank fraud, access device fraud and unauthorized access of a protected computer.

Hacker posts confidential information about six million Chileans online

Tuesday, May 13th, 2008

A hacker in Chile broke into government and military networks and stole data including ID card numbers, names, addresses, telephone numbers and academic records. He then posted these publicly on a blog website, to “demonstrate how poorly protected data in Chile is”. This is a wake-up call to companies around the world.

13,000 Pfizer Employees’ Information On Stolen Laptop & USB Flash Drive

Monday, May 12th, 2008

About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen, the pharmaceutical giant confirmed today.

The data breach, which occurred about a month ago, was the second this year affecting Pfizer Inc. employees and the sixth made public in a one-year span dating back to May 2007. More than 65,000 data-breach notifications have been sent out by Pfizer over the past year, including more than 10,000 to employees from Connecticut.

PayPal Publishes Anti-Phishing Best Practices Whitepaper

Monday, May 12th, 2008

Michael Barrett and Dan Levy at PayPal have recently published an excellent whitepaper titled “A Practical Approach to Managing Phishing”.

The whitepaper is an overview of PayPal’s practices in combating phishing at various levels of the organization. It looks at strategies including email authentication, browser blacklists and extended validation SSL certificates, phishing site takedowns, customer education, strong authentication and legal prosecution.

PayPal has shown that back in 2006 about 70% of all phishing email was spoofing paypal.com. Now, they are below 10% of all phishing email attacks. This is proof that these tactics and strategies can work. However, one must also be aware that online fraud is a little bit like a balloon filled with water… squeeze out the fraud in one area, and it will shift to other easier targets. It also shifts towards new ways of committing fraud, such as crimeware and trojans.

Just make sure that you are not one of those easier targets!

HSBC Suffers Data Loss of 159,000 Account Holders’ Information in Hong Kong

Friday, May 9th, 2008

On April 26, 2008, HSBC bank reported to the Hong Kong Monetary Authority that an Internet server holding account information of 159,000 customers had gone missing. It seems from reports that the server was physically stolen while a branch was being renovated.

Biometric authentication with fingerprints – Does it actually add any security?

Thursday, May 8th, 2008

There are several USB thumb drives on the market that offer a biometric fingerprint reader to authenticate yourself to the device without typing in a password. Some customers ask me if IronKey has a plan to develop biometric authentication for our secure encrypted flash drives. The answer is a very firm “maybe”. Here’s why:

The advantages of a biometric fingerprint reader are theoretically:
1. Requires the finger of the user to authenticate, so if an attacker gets your password and your device, they cannot get into the device without cutting off your finger.
2. Because you can authenticate to the device without typing in a password, malware on a computer cannot keylog your device password.

Here are some of the counter-arguments:
1. Mass market fingerprint readers are notoriously unreliable at matching. On a USB device, for matching to be secure, it must be done on the on-board CPU of the flash drive. This means that you do not have a powerful Pentium to run sophisticated matching algorithms. Thus, with a combination of low-cost readers and low-powered CPUs, matching can be spotty. I was once told by the CTO of Digital Persona that up to 7% of people are “fingerprint biometric resistant”. In our tests here, we have found that some swipers work great some days, and then refuse to recognize the user on other days. Blame it on sweaty palms or hand lotion, but the result is that the user cannot get into their device.

2. So what you end up with is that the computer or the USB device can also be accessed by a password. You can imagine how bad it would be if the biometric reader were broken, or for some reason didn’t recognize a user, and they could not get into their computer or the vital files on their encrypted USB flash drive.

Effectively then, there is still a password-based way to get into a device. This pretty much means that biometric access is a convenience, not a security enhancer.

3. We are finding in most enterprises that administrators need a way to access a user’s hard drive or portable storage device. This is typically in case a user is terminated or quits, or if there is some kind of investigation. If the only way into a device is with a fingerprint, then how do these administrators gain access to the user’s device? Yet another reason why password-based access (or perhaps PKI?) is needed in addition to biometric authentication.

4. Biometrics could be replayed. Kim Cameron of Microsoft’s Identity Management group posted a nice blog entry this week about his shiny new Toshiba Portege laptop, which has a fingerprint reader. Unfortunately, the mouse buttons on the computer do a wonderful job of capturing fingerprint images from the oils on your finger, images which are perfectly visible under ordinary bright light. Is this akin to leaving your password written on the outside of your computer?

A recent debate erupted in Germany when the Chaos Computer Club printed a magazine with the fingerprint of Wolfgang Schäuble, Germany’s interior minister. Mr. Schäuble is a big proponent of using biometrics to authenticate users and citizens. Theoretically, such a print can be used to create “rubber fingers” or other photo plates to trick a variety of biometric readers.

Biologger biometric proof-of-concept shown at Black Hat Amsterdam, March 2008

Researchers get 90% of spoofs to pass biometric readers

Impact of Artificial “Gummy” Fingers on Fingerprint Systems

Gummy and Conductive Silicone Rubber Fingers

Older article where 4 out of 6 scanners were fooled by rubber fingers

At IronKey, we are keenly interested in biometric solutions, but we must keep in mind that they have to be proven to enhance security, and not just give a false sense of it while in reality providing only convenience.