Cybercrime

Spike in IRS-Branded Phishing Attempts

Beau Monday — Wed, 07 Nov 2007 21:47:00 GMT

I've gotten a few of these over the past couple of weeks. Everyone knows this is a phishing scam, right?

How many phishing flags can you spot here? Unexpected email: Check. Offering me money out of the blue: Check. Link goes somewhere OTHER than where it claims: Check. References bogus law (I'm pretty sure the 19th Amendment to the Constitution didn't address IRS refunds). Bad grammar: Check.

Do we need a refresher on Phishing?

Hacking the Vote - Demonstrated

Beau Monday — Fri, 03 Nov 2006 01:23:00 GMT

It's been 3 years since I made my first post regarding the rising concerns of electronic voting. I consider myself fairly well informed on the issue, having done additional research on the matter in the subsequent years. A recent paper called “How to Steal an Election“ (pdf) also highlighted a number of ways an election can be tampered with, some quite easy to execute.

But even I didn't realize the ease at which elections can be tampered with, without a trace, until I watched a video of it being done during HBO's airing of Hacking Democracy this evening.

I watched an election official power on a randomly selected voting machine after inserting the hacked memory card into it. I watched him “Zero Out“ the machine, and print out a tabulation showing the machine had 0 “Yes“ and 0 “No“ votes in it to start the election. I watched 8 people fill out paper ballots, 6 of them casting votes for “No“ and 2 of them casting “Yes“ votes. I watched those ballots being fed into the voting machine.

Then I watched the voting machine report 7 “Yes” votes, and 1 “no”.

The election supervisor overseeing the demonstration said “Nothing I have seen so far would cause me to doubt the validity of this vote. I would have certified those results.”

Then I watched the memory card uploaded to the central tabulator that aggregates the votes from all the individual voting machines, and again 7 “Yes” votes were registered, and a single “No” vote.

The election had been hacked, and nobody was the wiser. A chill came over me.

The only thing touched by the Bad Guy during this demonstration was the system's removable flash memory card. The card was fed into a randomly selected voting machine that the Bad Guy did not have access to, either prior to the demonstration, or during it. The Bad Guy was locked in a separate room for the duration of the voting process.

We have Diebold's chief software architect on film, saying that a vote cannot be tampered with by simply modifying the memory card. Yet I had just seen it done. Diebold was either wrong, or lying.

I know what you are thinking: How does the bad guy get his hacked memory card into a voting machine? It takes tools, like a screwdriver and an allen wrench. Diebold claims the PCMCIA slots on these machines are secured with temper evident seals. And wouldn't someone at the polling station notice a voter tampering with the PCMCIA slot?

Sure. But that's not where, or even when, the hack occurs.

You see, it's not uncommon for polling workers to be issued the voting machines, with their memory cards installed, the night prior to an election. Then they take the home, or God knows where. They have hours to tamper with those systems in the comfort of their own homes, or perhaps to deliver them to some nondescript warehouse somewhere where an small army of hired geeks is waiting to reprogram the systems with the poisoned memory cards.

But what about the tamper evident seals? Wouldn't it be obvious if the polling worker breached the seal? Perhaps. But who validates the seal has not been broken before placing the system into use? THE FUCKING POLL WORKER. Talk about the fox guarding the henhouse.

Here's California's stance on so-called “Sleepover” practice of sending voting machines home with poll workers:

All poll workers take an oath to uphold the integrity of the elections process prior to initiating their duties. Poll workers are essential to ensuring public accountability in the elections process. It is appropriate that they are entrusted with the security of voting equipment and supplies prior to and during the day of the election.

Poll workers are trained to confirm that voting equipment is sealed and that the tamper-evident seals are not broken prior to the opening of the polls on Election Day.

Got that? Our elections are secure because the poll workers, who are mostly volunteers, TAKE AN OATH. Politicians take oaths too, and they aren't exactly icons of integrity. Who appoints election officials in most areas of the country? Oh yeah, POLITICIANS.

But, regardless, given a whopping 4 minutes alone time with the system, it's been demonstrated that a machine's memory card can be removed and replaced with a hacked one, and the tamper seal replaced. So even if the poll worker was not in on the hack, there would still be no evidence the system had been compromised, and no reason not to use it for voting. Hell, if they stop at a drug store on the way home to pick up some aspirin, it's plenty of time for someone to break into their car and hack the voting machine.

By the way, the practice of sending voting machines home with poll workers is also endorsed by the elections officials in King County (Seattle), where I'll be voting next week. Yay.

But what about the paper trail? Can't the vote be counted manually using the paper ballots that were fed into the system? The answer to that question is “maybe”. Every state has laws dictating when a recount can and cannot be done. In Ohio, for instance, a representative sample of 3% of the paper ballots are first counted. Unless that sample recount shows some anomaly, a full recount is not permitted. Who selects which ballots are recounted? Election officials do. Election officials are often political appointees, which hardly makes them impartial.

This very scenario played out in Ohio after the 2004 election, which if you remember, was decided by Ohio's vote. When public auditors were given the 3% of ballots to recount, they were strangely organized. All Kerry's ballots seemed separated from Bush's ballots. Doesn't seem random, does it? And guess what? No discrepency could be found in that 3% sample, so a full recount was not permitted by state law.

And recounts assume the ballots even exist to begin with. Most state laws require election officials to retain paper ballots for months, if not years, after an election, so they can be referenced at a future date. But, as we saw in the Hacking Democracy movie, election officials don't seem to respect those retention laws too much, and dumpster dives outside election offices just hours or days after an election often resulted in voting materials that should have been retained.

But this is all speculation, right? I mean, this is all conjecture by a bunch of conspiricy theorists.

You'd like to think so, but voting irregularities involving these and similar systems have already cropped up in actual elections:

In Fairfax County, Virginia in 2003, a programming error in the electronic-voting machines caused them to mysteriously subtract 100 votes from one candidate's totals.

In a 2003 election in Boone County, Iowa the electronic vote-counting equipment showed that more than 140,000 votes had been cast in the municipal elections, even though only half of the county's 50,000 residents were eligible to vote.

In San Bernardino County, California in 2001, a programming error caused the computer to look for votes in the wrong portion of the ballot in 33 local elections, which meant that no votes registered on those ballots for that election. A recount was done by hand.

In Volusia County, Florida in 2000, an electronic voting machine gave Al Gore a final vote count of negative 16,022 votes.

If you Google for such events, there are literally hundreds of such stories.

The bottom line is that electronic voting machines cannot be trusted. I don't care if it takes 3 fucking months to hand count paper ballots, if that's what it takes to ensure an accurate assessment of the will of the people. If a programming error, let alone a malicious act, can alter the results of an election, the public will lose faith that the government is duly elected by the population.

Can you imagine the anarchy that will erupt if the American people learn that elections have been tampered with by politicians, or by outside elements who would gain by influencing the political structure of the United States?

It'll be Second Amendment time then. Unless the liberals neuter that in the meantime. Then we're just all kinds of fucked. How do you say “Yes, comrade” in Chinese anyway?

Are We Winning the Battle?

Beau Monday — Thu, 22 Jun 2006 22:30:00 GMT

One of the more interesting talks given at last week's CSI NetSec in Arizona was conducted by CSI editorial director Robert Richardson. He gave us a preview of next month's release of the annual cybercrime survey conducted jointly by the FBI and CSI.

The survey shows a continued decline in the money lost by companies due to cybercrime. Compared to 2005, losses are down 18%, and down 68% compared to 2004. This metric has been declining for 4 straight years actually.

So. Does that mean we're winning? Does that mean that all the money we're spending on security is actually bearing fruit?

Well, that question was not answered in the talk. But in this author's opinion, the answer is a resounding: Kinda.

There is no question that corporations are more secure today than they were a year ago, and certainly more secure than they were 4 years ago when the cost of breaches started its pattern of decline.

*But*, does this mean cybercrime as a whole is declining, or is it merely moving on to easier targets? Bruce Schneier, in his book Beyond Fear, made a observation that has stuck with me. He observed that putting burglar alarms on a house doesn't reduce crime. It merely moves it down the street to the house that doesn't have a burglar alarm. The crime rate, as far as the cops are concerned, stays constant. But from the perspective of the homeowner with the new alarm, the rate has gone down.

Bruce's analogy works in cybercrime just as well, which is exactly the point he was making at the time. Cybercriminals who are thwarted by strong defenses don't simply give up. They don't say to themselves, “Aw, shit, this hacking thing is hard. I'm going to go back to flipping burgers at McDonald's.” No, they look for the house with no burglar alarm, and that house is currently owned and occupied by Consumers.

The flaw in the CSI/FBI survey, you see, is that it *only* addresses cybercrime losses sustained by corporations. Cybercrime losses borne by consumers is not addressed in this survey. Corporations are the house with the burglar alarm. Cybercrime is actively and aggressively moving towards more lucrative, poorly educated, and inadequately protected, consumers. I think if the numbers for consumers was reconciled with numbers for corporations, the crime rate would be static, if not in fact rising.

-----------------------------

Another interesting factoid that came out of the recent survey is the huge decline in corporate spending on security initiatives. While the 2005 survey indicated corporations on average spent 35% of their IT budgets on security initiatives, that amount has plummeted to a mere 2% in the 2006 survey. While the 35% in the 2005 survey was certainly driven by infrastructure upgrades to support regulatory requirements such as HIPAA and SOX which are now largely in place, nobody in the community thinks 2% is adequate for any serious security program.

If companies feel 2% is an adequate level of spending on security, this may be the last year we see declines on corporate losses due to cybercrime.

I guess we'll have to wait until next year to learn the consequences of that change.

3 incidents per week

Beau Monday — Mon, 20 Feb 2006 19:29:00 GMT

A lot of noise has been made of the Choicepoint debacle of last year that exposed the personal records of, at last count, 170,000 individuals in America. What you may not realize is that, for all the attention the incident garnered, it wasn't one of the top breaches of the year, based on the number of records exposed.

The top 5 were all million+ records exposed, including the grand daddy of them all, Card Systems, with 40 million records exposed when hackers penetrated their systems in early 2005. Next in line was Citi Financial, with 3.9 million records lost on a backup tape that never made it to its destination.

You have to go all the way to 15th place to find Choicepoint's relatively miniscule 170,000.

In 2005, there was an average of 3 incidents a week. 52 million records, all told.

And those are just the incidents we know about.

Educating Home Users about Cybersecurity

Beau Monday — Thu, 29 Sep 2005 17:20:00 GMT

I've been thinking for a long time how to get security ingrained into the psyche of the average home user. I've been half heartedly trying to “expose some content”, as some of my colleagues would say, to spread the message of why computer security is important to everyone.

But I haven't really made any progress, and it was getting pretty frustrating for me personally. The problem was that the project could be all-encompassing, especially when I started considering what a state agency could distribute to all its residents.

So a couple weeks ago I decided that doing it on a small scale is better than not doing it at all. I contacted the president of my home owners' association, and floated the idea of offering a couple free seminars to our residents about computer security. I think at first he was skeptical about the idea, and wondered what my “angle” was. I assured him that I had no product to sell, and would not be pitching anything during the sessions. He finally realized that I was sincere, and offered to include the seminars in the bi-monthly newsletter that gets sent to all homes in the development, in addition to providing a forum and a projector for me to use.

So now that I have it all set up, I have to come up with a presentation. I do security awareness training all the time at work, but that's to a group of computer-savvy IT people. And I do a specific subject every 2 weeks. This time it's going to be about an hour long (I don't think I could get anyone to sit and listen for 2 hours, honestly), and I need to cover a lot of ground without making it too technical.

Topics I plan on covering:

Why is home computer security important?
Who are the bad guys, and what could they possibly want from my computer?
What kinds of techniques do they commonly deploy?

The hazards of peer-to-peer networks
The hazards of email
The hazards of hostile websites and/or popups

The need for patching, and the how-to
The need for antivirus, and the how-to
The need for anti-spyware, and the how-to
The need for strong passwords, and the how-to
(I'd like to cover firewalls, but I'm not sure I can make that subject simple enough)
Children and the Internet

An hour is a dreadfully short amount of time to cover everything, but is there something missing from my list that you think is absolutely critical for the average home user to know about? Any other advice about how to best run a grass-roots campaign like this?

WSJ reports on AGORA's Google Hacking Demonstration

Beau Monday — Mon, 13 Jun 2005 00:21:00 GMT

Back in March, I noted briefly that I had attended a “Google Hacking Contest” put on by the AGORA organizers. I can't say much about what goes on at AGORA, but since this hit the wires, I guess it's ok.

Well in the audience that day was a reporter from the Seattle Post-Intelligencer, one of the two major newspapers for the greater Seattle area. And then it was picked up and ran on page B1 (above the fold!) in a subsequent issue of the Wall Street Journal (the WSJ is subscription only, so I am providing a very curious free link instead).

It's worth a read, and I think you'll get a deeper appreciation for the depth of information that is anonymously available to ANYONE on the Internet, and why I came home that day nearly shaking from what I had witnessed at the event. Want information about people who work for the Justice Department? Ask Google. Want to see if your name is on a Terrorist Watch List? Ask Google. Need the death records for 70 million Americans who have died, so you can steal their identities? GOOGLE for it!

When Good Intentions Beget Bad Laws

Beau Monday — Sun, 12 Jun 2005 23:57:00 GMT

Back in April of this year, Washington became the 6th state in the Union to pass a law requiring the disclosure of events resulting in the exposure of personal information to unauthorized entities. Similar, if not identical, legislation is making its way through the governing bodies of at least 28 other states as I write this.

This legislation follows closely California's own SB1386, which came as a result of the well known breach of California's government systems, which resulted in the exposure of the employee files of every one of California's state employees.

More famously now though, California's SB1386 is the reason Choicepoint was forced to go public with the security breach they experienced last year. After Choicepoint, and then Citigroup, Lexis-Nexis, Bank of America, and countless other breaches of trust, state governments have decided that doing something is better than doing nothing, and bills are flying around in every state. In addition, California Democrat Dianne Feinstein recently took a break from her usual political antics to introduce a federal version of these bills, called the Notification of Risk to Personal Data Act.

The problem is, these laws, short as they are, have a number of fatal flaws.

Let me quote from the Washington bill, SB6043 (though the federal version is nearly word-for-word identical):

For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(a) Social security number;
(b) Driver's license number or Washington identification card number; or
(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Did you catch it? “When either the name or the data elements are not encrypted.” So, under the Washington bill, and the pending federal counterpart, so long as you encrypt the name of the victim (or the sensitive data), you don't have to disclose. Ah, encryption! The answer to everything security! Even if the company uses an encryption algorithm that a pocket watch can crack in under a second, they can pretend that the stolen/mishandled information is permanently secure from any evil doers forever and ever amen. As a consumer, I shouldn't care if you used a well-tested algorithm that would take 10,000 computers a year to crack. At the end of the day, my data is still in the hands of someone who wants to use it to commit a crime.

We all know that's bupkis, don't we? Encryption is always a time tradeoff, and any encryption can be broken given enough time and enough horsepower.

Then there is this disturbing concept of “customer” that seems to pop up in the most unfortunate places:

(10)(a) Any customer injured by a violation of this section may institute a civil action to recover damages.

Customer? Who said anything about “customers”? The word “consumer” is well defined in law. The word “individual” is well defined in law. The word “customer”, however, is NOT well defined in law. And this sudden switch in the legislation from speaking about individuals and consumers is very interesting, because the net result of this verbiage is to protect certain businesses, not obligate them to disclose.

Let's consider the Choicepoint incident for a moment. The half a million personal records Choicepoint mistakenly forked over to the Nigerians who scammed them were not the personal records of Choicepoint customers. I'd bet less than 1% of those people had ever heard of Choicepoint before, much less paid for any service from Choicepoint. So, under this Washington state law, and the Federal variant, none of the victims of Choicepoint's lax security would have any recourse under Section 10a.

Now, thankfully, at least in Washington, we have an Attorney General who knows technology. And we have a VERY active security community that is working with the AG's office to draft guidelines for enforcing the existing law until we can get it amended (probably later this year, when the legislature goes back to work).

But SB6043 goes into effect toward the end of July, and we're going to have to put up with it for a while in its current form. I just hope that the legislators in other states, and at the federal level, are reaching out to their local security communities for input before these bad laws get on the books. Because toothless laws like these don't benefit the real victims of these incidents.

What the hell's going on in California?

Beau Monday — Thu, 10 Mar 2005 22:41:00 GMT

If you watch the news lately, you can't help but hear about some of the recent high-profile hacks of major information clearing houses.

Choicepoint, the most publicized victim, announced a few weeks ago that sensitive information on 30,000 Californians was given to hackers who were posing as Choicepoint customers. What they failed to tell everyone initially, was that number of people whose personal information was exposed is closer to half a million.

Choicepoint is an information aggregator, and about the biggest one there is. They have dossiers on 10 BILLION individuals and businesses, and those dossiers include social security numbers, credit histories, and just about anything else you'd want to know about a person. This is a company that credit agencies like Equifax go to when they want to know background information about an individual.

Also in California, San Diego firm SAIC recently admitted that one of their offices was broken into, and the perps made off with computers containing countless numbers of social security numbers and other sensitive information.

So what the hell is going on in California?

Nothing that's not also going on everywhere else, unfortunately. California just happens to be the only state in the Union that has a law requiring public disclosure of crimes resulting in the exposure of personal information. Why didn't Choicepoint tell the other 470,000 people that they had their information stolen as well? Because those people don't live in California, so Choicepoint didn't have to tell them a thing.

Believe it when I tell you that what happened to Choicepoint is happening at other companies, albeit on a smaller scale. But until we have a nationwide law requiring such companies to fess up when they get hacked or otherwise snookered into exposing the information in their care to undesirables, nothing is likely to change.

Google Hacking Contest

Beau Monday — Thu, 10 Mar 2005 22:11:00 GMT

I recently had the privilege to witness an organized Google Hacking Contest, inspired by Johnny Long's new book “Google Hacking for Penetration Testers”.

The contest pitted 8 teams of local security folks (including a team from Intel and a team from Qualys) against each other, and gave them 60 minutes to use Google to find as much personal information about people as possible.

The results, frankly, were astounding. I went into it knowing Google was a one-stop identity theft shop, but I still left shaking my head.

The highest scoring team found over 2.5 million bits of sensitive information, including social security numbers, dates of birth, credit card numbers (complete with expiration dates... handy!) in that 1-hour span.

Common offenders: Porn sites don't seem to take very good care of your credit card information. Genealogy sites seem to be a little too free with social security numbers, dates of birth, mothers' maiden names, and all kinds of other things that Joe Public shouldn't share with the world. Doctors, surprisingly, seem to have an uncontrollable habit of publishing social security numbers, certifications, license numbers, and everything else one would need to impersonate them at the local pharmacy.

There are also a surprising number of states that publish death certificates online, which include social security numbers, family information, and dozens of other bits of information that would be useful for assuming their identity. Dead people won't be filing a complaint with the local authorities if their identity gets stolen, either.

So what do you do? You can't ban Google. There are dozens of other search engines around, you can't censor all of them. You can get information out of Google's cache, but what's to say some hacker hasn't already copied off onto a personal web server and shared it with all his hacker buddies?

The trick is to write off the information. We have to, as a society, recognize that social security numbers are no longer a valid identification mechanism. Once you reduce the value of the information available to Google, it doesn't matter if it's there.

The genie's out of the bottle. That information is out there, and there's no way to get it back. All we can do now is trivialize it.

First destructive cell phone viruses emerge

Beau Monday — Tue, 25 Jan 2005 23:50:00 GMT

Cellphone anti-virus developer SimWorks is reporting (pdf) that 2 new cell phone viruses have been identified, and they can render a cell phone completely inoperable to the point of having to replace it.

Gavno.a infects the phone when a user downloads and installs an infected software package onto their phone. Gavno.b on the other hand, attempts to spread itself over BlueTooth. Both files claim to be a patch in an effort to trick unwary users into downloading and activating them.

Once activated, the viruses halt a critical process on the phone, preventing it from making any calls, and often causing it to constantly reboot. Gavno.b also attempts to spread a pair of older trojans to nearby phones using BlueTooth.

Both viruses infect phones running Symbian Series 60 v7, like the Nokia 6600 and 7610.