Saturday, February 23, 2008

Watch out for that Freezing Data Loss by the Feds.

The latest threat to our security is both a technology glitch and a government failure.

Here is the Govt failure: "Nearly two years after an embarrassing flap in which veterans' personal information was put at risk of identity theft, federal agencies are still not doing all they can to prevent further lapses, investigators have found. Most of the two dozen federal agencies examined by the Government Accountability Office, Congress' investigative arm, had not implemented five federal recommendations aimed at protecting personal information." AP, Feb 2008. 

OK, so we fight terrorism, try to lock down our critical infrastructure, and protect vital information on Americans, but the federal agencies just drag their feet! We know that bureaucrats are leisurely. They will be in their job long after Presidents, Senators, and others have been voted out of office or retired. Still, it is not acceptable that the Feds are slacking, especially after some MAJOR losses of critical information including millions of VA files.

The second issue is the discovery by a bunch of security professors that data stored on hard drives can be stolen by freezing a chip with a blast of cold air from a can of keyboard dust remover. Honestly, I am not lying! You can read all about this amazing and simple risk factor at Princeton University.

The tragedy of both of these developments is, of course, that none of them are easy to protect against by consumers or even by institutions. These are MAJOR threats from systems failures or weaknesses. 

Of course, for those of us in the identity and information security industry it is lifetime job security! 

Stay vigilant.

Friday, February 15, 2008

Watch Your Finger -- print.

Here is the latest on more mandatory biometrics. The European Commission proposed on Feb. 15, 2008 that all foreign travelers entering and exiting Europe, including American citizens, should be fingerprinted.

If it is approved by the European Parliament, the proposal would mean that this important ID information on tens of millions of citizens will be added to databases shared by "friendly governments" around the world. (I am not sure where to get hold of the list of friendly and "Not Friendly" govts., but I'm pretty sure N. Korea and Iran are on that second list).

The United States already requires foreigners be fingerprinted and photographed before they enter the US. In some European countries facial images of foreigners coming in will also be collected and stored in a Europe-wide database.

According to various sources including Canadian Press, "European Union Justice Commissioner Franco Frattini also wants to use a satellite system to keep out illegal immigrants. He says his proposals would safeguard the borders of the EU's passport-free zone, which includes 24 countries. They would also prevent people from entering illegally or overstaying their visas. Frattini's proposals, if approved by all 27 EU governments, would represent one of the largest security overhauls in the EU and could cost billions. Critics called it an attempt to create a total-surveillance "Big Brother" society, violating European privacy rights and freedoms."

What's up with the satellite system you ask? Here is what we know so far:
  • There would be a "... European border surveillance system, using high-resolution satellites and lower-flying drones to keep an eye on remote areas, such as coastlines and mountains."
  • "The system would first be applied to patrol coastal borders of southern EU members on the Mediterranean and Black seas, where each year thousands of illegal migrants attempt to reach the EU in dangerous voyages, often aboard overcrowded boats".
  • "Frattini reiterated earlier plans to set up a "Euro-corps" of border guards who could be sent at short notice to hotspots across the EU. He also called for expanding the Frontex border agency and giving it a greater role in co-ordinating EU border patrols." From Canadian Press

This, of course, represents the classic trade-off: privacy vs. security. It has already been the topic of the latest heated debate in Congress as I write this column. Pres. Bush wants domestic surveillance of telephone conversations between foreign nationals sanctioned by Congress for many years into the future, and wants telecoms exempted from liability for privacy violations. The Democrats are largely resisting. With the Europeans, who can't do anything wrong, now significantly ratcheting up their surveillance and security paradigm, it will be interesting to see how that debate unfolds in the USA.

The Democrats and the ACLU think we are living in the pre-9-11, no Osama Bin Laden period of history and argue for civil liberties that were in place in those times. (Of course, we forget that whenever there are perceived threats to the US, such as Civil War secession, Fascism (FD Roosevelt), or communism, we change our definitions of civil liberties and our privacy practices). There is no doubt that we need to be very respectful of civil liberties. There is no doubt that we can ill afford a "dirty bomb", a massive cyber-attack against critical infrastructure, or some other terribly damaging hit against the US and Americans.

YOU figger where the balance lies. It ain't easy.

Steffen Schmidt, CEO
Professor of Political Science and Public Policy

Wednesday, February 13, 2008

Happy Valentines Day

I consider myself pretty good when it comes to determining what is real e-mail and what is fake phishing e-mail. I must admit, though, over the past couple of months they have been getting pretty good. From eBay e-mails asking me questions about an item I am selling to PayPal e-mails trying to get me to update my security settings. All of them made me take a second look and ask myself... Am I selling anything on eBay?

Recently, though, over the past couple of days I have been flooded by e-mails titled: “My Heart for you,” “What is Love,” “Just for you,” “Phone Love,” “Is anything as beautiful as a rose,” “I like you,” etc. When I open each of these they usually have a short message saying “I love you” and a link to some crazy site. Honestly, does anyone fall for these?

I am assuming the smarter phishing scams, such as eBay and PayPal duplication e-mails, must not be gaining the collective gullible folks like they used to. They seem to have returned to the ideal of spamming hundreds and hundreds of e-mails out and hoping one returns positive! The one in a million attack.

Just to see what all you need to do to get infected, I figured I would click on a link (using my mac) and see what happened. The first couple sites didn’t even resolve, meaning the officials must have already shut those down, but the third one did.

I was sent to a website displaying a heart and a message saying “Your download will begin shortly.” Below that was a message which stated “If your download does not begin automatically click here and choose run.” I did as it said and it tried to send me a file called withlove.exe (which my mac did not know what to do with). I saved it on my desktop for later dissection.

Looking through this file it seems to do the following:
1) Disables antivirus
2) Opens some ports to listen for incoming commands from the master computer
3) Begins to send out more of this “I Love You” SPAM mail.

After doing some research, this latest attack seems to be the work of the infamous Storm Worm. For those of you who have not heard of Storm Worm, it is a botnet of about a million computers which are under control of this group called The Storm Factory. They use all these computers to fill up our inboxes with SPAM. The question is why? As I mentioned in the update to “Who is You,” the motivation behind the attacks is more important than the attacks themselves.

What is to gain by this? Growth of course, but why does Storm Worm need more computers? The million or so they have now sends me about 1 e-mail every 15 minutes (When I turn off SPAM filters). Somehow I don’t think 1 every 10 minutes is going to trick me into falling for this.

Most security professionals are worried about the use of these million computers as a Denial of Service tool. If each machine tried to access a website, they could effectively take down the website. But they haven’t done that yet (at least not that I know). Maybe they could use these computers to fold proteins or search for extra life (SETI). Would this be such an urgent problem then? What if they just applied patches to fix the systems?

This group has been doing this for each holiday: Christmas, Super Bowl, Thanksgiving, etc. However, the best defense against this may be the fact that this is done for Valentine's Day. Christmas is when you get in touch with long lost friends, etc., but Valentine’s Day is usually something celebrated between couples who hopefully know each other's names and style of e-mails!

My question to the group: If this was all done for the good of the individual would it be a bad thing?

Nate Evans
The Krell Institute


Thursday, February 07, 2008

Moroccan Held for Alleged Royal ID Theft

Just in case you missed it, I wanted to share this small article with you. Next time someone tries to tell you that identity theft will not happen to them, explain to them it can happen to ANYONE anywhere. Here is a case in which the thief used Facebook to commit the crime, something I have been warning of for years.

RABAT, Morocco (AP) — Moroccan authorities arrested a man Wednesday for allegedly stealing the identity of King Mohammed VI's younger brother on the social networking Web site Facebook, the country's official news agency said.
Fouad Mourtada, 26, was detained in Casablanca over "villainous practices" linked to the alleged theft of Prince Moulay Rachid's identity, the MAP agency reported, citing unidentified police officials.
The report did not elaborate, but said members of the royal family have no Web sites or blogs, and that the only official way to obtain information about them was through the MAP agency.
Facebook, one of the world's most popular online hangouts, claims more than 61 million active users.


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C