The phone rang. Two different companies had been hacked, both in the same way. The first was a very large corporation (we’ll call it “Worldwide Company, Inc”) which managed hundreds of millions of dollars online. The second was a small business that handled financial transactions– we’ll call them “Local LLC.” The bank shut down both companies’ online accounts after it was clear that the hackers had gained access to their internal systems.
Man-In-The-Browser Attack Caught in the Act
There were telltale signs of the Blackhole Exploit Kit at work.

Curious, I extracted copies of the phishing emails and malware from each infected workstation. What did it LOOK like when these companies were infected? What were their computers actually doing under the hood? Most of all, I wanted to actually SEE the Man-In-the-Browser attack in action!

After three days and a LOT of caffeine, I caught it on camera. Check out the Blackhole phishing attack in action. You can see the videos and screenshots over at my new blog, at LMG Security– complete with charts of the network traffic, where you can watch the infected desktop “phone home” to the attacker every 20 minutes on the dot. After 48 hours, the malware executed a man-in-the-browser attack against Bank of America’s web site, which you can see on video.

My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver’s license number, and mother’s maiden name– all at the same time. Nice try, dude!! (I used a Paypal test credit card number to submit the “validation” form. The hackers actually check to make sure your credit card number is legit.)

Share these videos with your friends and co-workers so they know how NOT to get pwned!
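
The 20-minute "phone home" pattern described above is something defenders can hunt for in proxy or firewall logs. The Python sketch below is an added example, not code from the original post: it flags source/destination pairs whose requests arrive at near-constant intervals. The log format, addresses, host names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <source IP> <destination host>'."""
    start = datetime(2024, 1, 1, 8, 0, 0)  # constructed date
    lines = []
    # Workstation .23: one request every 20 minutes, a second or two of drift.
    for i, drift in enumerate([0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2]):
        ts = start + timedelta(minutes=20 * i, seconds=drift)
        lines.append(f"{ts.isoformat()} 10.0.0.23 checkin.example.invalid")
    # Workstation .40: a person browsing, bursty and irregular.
    for sec in [201, 268, 543, 2849, 2916, 6650, 6717, 6925, 11410, 12020]:
        ts = start + timedelta(seconds=sec)
        lines.append(f"{ts.isoformat()} 10.0.0.40 news.example.invalid")
    # Workstation .51: regular, but only three requests, too few to judge.
    for i in range(3):
        ts = start + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.51 mail.example.invalid")
    return lines


def parse_log(lines):
    """Group request times by (source, destination), sorted oldest first."""
    by_pair = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the hunt
        stamp, src, dst = fields
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        by_pair[(src, dst)].append(when)
    for times in by_pair.values():
        times.sort()
    return by_pair


def interval_stats(times):
    """Return (median gap in seconds, jitter) for a sorted list of datetimes.

    Jitter is the median absolute deviation of the gaps divided by the median
    gap: 0.0 means perfectly regular, values near 1.0 mean irregular.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    if mid <= 0:
        return mid, float("inf")
    mad = median([abs(g - mid) for g in gaps])
    return mid, mad / mid


def find_beacons(lines, min_events=6, max_jitter=0.05, min_interval_s=60):
    """Return pairs with enough requests and a near-constant request interval."""
    findings = []
    for (src, dst), times in parse_log(lines).items():
        if len(times) < min_events:
            continue  # not enough samples to call anything periodic
        interval_s, jitter = interval_stats(times)
        if interval_s >= min_interval_s and jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(times),
                "interval_s": interval_s,
                "jitter": jitter,
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} requests, "
              f"about every {hit['interval_s'] / 60:.0f} min, "
              f"jitter {hit['jitter']:.4f}")
```

Legitimate software that polls on a timer (update checks, mail clients) scores the same way, so findings need to be compared against a list of known-good destinations before anyone is paged.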

I’m preparing to spend one week without buying or throwing away anything plastic. This experiment was inspired by the movie “Tapped,” which artfully shows the terrible environmental damages, health risks and social conflicts caused by the mass manufacture and waste of plastics.

The first step is to list all of the necessities I typically use in a week, and to figure out how to obtain each of these without plastic wrappers, bags or bottles. Here’s a first stab at the list:

  • Bottled water
  • Yogurt
  • Pasta and Rice     
  • Nuts and Seeds
  • Bread
  • Cheese
  • Tea
  • Spices
  • Honey
  • Vegetables
  • Juice
  • Peanut Butter
  • Rice Milk
  • Meat
  • Oil
  • Eggs
  • Beer/Wine
  • Milk
  • Ice Cream
  • Condiments (Ketchup, Mustard, Mayonnaise)
  • Shampoo and Soap
  • Detergents (Dish & Laundry)
  • Toothpaste
  • Food Storage Containers
  • Toilet Paper
  • Trash Bags


Starting from the top:
 
#1: Bottled water
The bottled water problem solved itself! As I was sitting watching the movie “Tapped,” I got thirsty. I figured it would be pretty tasteless to buy a plastic bottle of water while watching a movie about the damage caused by plastic bottles of water. Fortunately, the producer and director of the film were right outside the theater, armed with dozens of stainless steel water bottles (“Klean Kanteen”) for $10 each. Now I’m armed with my trendy steel water bottle, which fits as nicely in my bike rack as it does in my car’s cupholder. On top of that, given that I was typically buying one $1.50 bottle of water a day, I’ve saved roughly $547.50 for the year already. Wow…

Off to a good start! Unfortunately, the next item, “Yogurt,” looks a lot more daunting…

Sherri Davidoff
PGP-signed text: 2010-02-23 (current)

As the global conflict for resources heats up, the Internet is just another battleground.

Last weekend I watched a terrific documentary about the bottled water industry called “Tapped.” The second half of the movie is an intensive look at the plastic bottle manufacturing industry, and the enormous damage that these petroleum-based products cause to our environment (e.g., the Great Pacific Garbage Patch). Many plastic bottles and containers also leach hazardous chemicals, such as bisphenol A, into food.

With this in mind, I’ve decided to try a little experiment: To go one week without purchasing, or throwing away, anything made of plastic. Since plastic is a centerpoint of conflict, it seems fair to ask the question, “Can we live without it?” After all, if everyone on the planet stopped buying plastic, big companies would stop producing it, and a lot of environmental damage and conflict over access to natural resources would be avoided.

Normally on Philosecurity we focus on information security threats, but information security is of course just a part of the larger problem of global security. You can’t separate information security from social, economic or environmental factors. For example, one reason so many companies are suffering from intellectual property theft due to the “insider threat” is because employees are underpaid, mistreated and have no economic or social incentive to act in their employers’ best interest.

As our world’s environment degrades, the fights over clean water and life-sustaining resources will become increasingly violent and brutal. Over the next decades, as the global population becomes desperate for access to essential resources, corporations will have to work harder to defend their physical and network infrastructures from attack. On the flip side, social network data mining and surveillance efforts will heat up, as companies work to identify and splinter resistance groups (see, for example, Monsanto’s “army of private investigators” who intimidate and conduct surveillance operations against small farmers throughout the Midwest; Vanity Fair, 2008).

The goal is simple, but executing it is very hard. Today I started planning and preparing for one week without consuming plastic. Stay tuned for more details!

Sherri Davidoff
PGP-signed text: 2010-02-22 (current)

“Mike,” the owner of a midsized web-hosting company, talks about the effects of the Payment Card Industry Data Security Standard (PCI/DSS) on web hosting companies and small online merchants who are his customers.

s: If PCI/DSS were enforced today, what would happen?

m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is “Either I say yes to everything or my business is destroyed…” What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, “Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?” I don’t remember ever doing that. I don’t remember ever saying, “Dear VISA, yes, I agree, I’ll do it!”

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, “we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.”

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to “please, hand-write me a check from now on.” And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are businesses that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the “Laura’s Online Candle-Shop” and “Best-Fishing-Lures-in-Arkansas Dot Com” and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small- to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all “web hosting companies” are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurd impossibility of the vast majority of web hosts from ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousands of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, “Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.” That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. “Hey, we’ve got to rewrite this code,” or “Hey, we’ve got to reconfigure this network,” We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? “My credit card processor tells me that I’m only allowed to host with a PCI compliant host so I really need to know.” If our only answer is “no,” we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effective?

m: Yes. I would say that PCI/DSS is effective in encouraging– let’s say urging or demanding– entities that handle personal information, including card holder data, card numbers and whatnot, to review the security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% of credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could– perhaps magically– ensure that the transaction was legitimate, and it isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

Sherri Davidoff
PGP-signed text: 2010-02-08 (current)

There’s a wonderful quote in the Hitchhiker’s Guide to the Galaxy: “The Ravenous Bugblatter Beast of Traal [is] a mind-bogglingly stupid animal, it assumes that if you can’t see it, it can’t see you- daft as a bush, but very ravenous.”

Here on the Internet, we face a related problem. Every time we type something into a web search bar, it is analyzed. Every web site we visit is tracked back to us. Every word we send over email can be read in transit. Every IM can be captured. All of our transactions using credit or debit card are logged, the locations, amounts and purchases used to develop detailed profiles of us. This information can be, and often is, used to manipulate/exploit us. (This doesn’t even take into account spyware, keystroke loggers, and other invasive recording/tracking devices that record many people’s every movement.)

We can’t see it happening, so most people don’t realize that we’re being watched.

Even when we do realize we’re being watched, often the attitude is, “Who cares?” Corporations, dictators and other modern predators aren’t as stupid as the Ravenous Bugblatter Beast, and they’re very ravenous. Many of us operate with a broad trust in human goodness which is unfounded. Humans enslave, hurt, kill and exploit each other. Not all of us, but some. Having equal visibility, or at least an accurate understanding of the playing field, is exceptionally important.

In order to preserve true democracy and individual freedom, we need to demand better publicity and transparency of monitoring. People are not designed for an environment in which we are constantly being watched by an invisible eye. We don’t instinctively take this into account when designing government or conducting business. We need to:

a) Educate people regarding current monitoring techniques by government, corporations, and criminals;
b) Work to make these activities as visible as possible, by demanding signage, lights, labels or other visible indications of surveillance in all forms of technology.

If you have suggestions regarding how and why to make surveillance more visible (on the Internet and beyond), please contribute comments. This is an exceptionally important issue that we need to openly discuss and address.

Sherri Davidoff
PGP-signed text: 2010-02-01 (current)

Recently, a friend of mine received a letter from Bank of America informing her that “some credit card information on your Bank of America account may have been compromised at an undisclosed third-party location.”

The letter went on to state that BofA had reviewed her account and saw “no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.” BofA also informed her that “we will close your existing account and issue you a new account number and credit card(s).”

Imagine if your doctor sent you a letter informing you that “you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.”

The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.

BofA referenced a web site where they talk about data compromise:

http://www.bankofamerica.com/compinfo

According to this site, “When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.”

In other words, the credit industry is facilitating willful ignorance in order to protect their fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not provided with the information we need to make educated decisions about who we trust with our information.

Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept “secret,” but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.

Here’s my favorite section of BofA’s data compromise FAQ:
“Is it safe to use my new card?
“We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.”

Yes… an “isolated incident,” just like the other 285 million records that were compromised last year. Take these pills and carry on.

Sherri Davidoff
PGP-signed text: 2010-01-24 (current)

If your medical data, credit card number, Social Security number, personal email, or other information were stolen, would you even know about it? After ten years handling incident response and forensics, I’ve been repeatedly shocked at the number of times that organizations sweep data breaches under the rug.

When upper management is notified of a data breach, they have to choose between:

    a) Announcing publicly and in a timely manner, which would result in major reputational damage, financial drain, loss of business, and potentially huge lawsuits.

    b) Keeping quiet and hoping that no one ever finds out (in which case, nothing happens).

Of course, usually upper management doesn’t find out at all. There is little incentive for IT staff to report compromises all the way up the chain, since it just makes them look bad. System administrators fear that if they detect a compromise on their own servers, managers will accuse them of doing a bad job. Also, the breaches have to be detected in the first place– and often security staff are overworked and have limited resources for tuning IDS or following up on alerts.

The bottom line is that no one is motivated to do a good job detecting and publishing breaches– not corporations, not upper management, not IT staff, and in many cases not even security teams themselves. Ethics can hardly compete against real financial incentives and fears for job security.

Don’t Companies Have to Report Breaches?

Many states have data breach notification laws, but these tend to have major loopholes. Importantly, they don’t provide clear guidelines for deciding whether a “security breach” happened. As a result, if an attacker destroys important evidence or if the company does not retain records that would explicitly prove inappropriate access, then the company will probably decide that they are not required to report. Customers affected never even hear that there was concern about a breach in the first place.

The assumption is that the data is secure unless there is explicit evidence which proves otherwise. This is backwards! When log retention creates a liability, companies have reduced incentive to collect or retain detailed records. If we assume the data is secure unless there is proof otherwise, then there is no reason for companies to work to retain evidence.

The irony is that companies with the worst security practices, who do not keep logs or configure IDS systems effectively, are the ones who get off scot-free because they do not collect or retain the evidence of a breach.

What about the proposed federal Data Accountability and Trust Act?
The Data Accountability and Trust Act which passed the US House of Representatives last month does nothing to address this loophole. It requires that “Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data…notify each individual…”

OK, so what is a “breach of security”?

“(1) BREACH OF SECURITY- The term `breach of security’ means unauthorized access to or acquisition of data in electronic form containing personal information.”

How do you decide if there has been “unauthorized access to or acquisition of data”? The bill does not provide any guidance. As long as the organization does not keep records which would *prove* that confidential data was accessed or exported, their legal counsel may advise them that they do not have to report. I am not a lawyer, but I have seen this happen repeatedly with respect to existing data breach regulations.

How Can We Fix This Loophole?
Here are some ideas:

  • Assume insecurity. Companies should be able to produce access logs and records which confirm that the data has been kept safe, rather than vice versa. This will motivate companies to collect and retain access logs in much greater detail than they do now.
  • Proactively audit large organizations that retain lots of personal data.
  • Publish yearly certificates based on audit results, the same way health inspectors publish certificates for restaurants. This way the public can decide which companies to give our information to, based on how well they secure it.

Today, the vast majority of security breaches are never reported. When you examine the incentives and the myriad of holes which exist in reporting regulations, it’s easy to understand why. Detailed logging and monitoring practices result in greater liability. Reporting incidents to the public can lead to financial ruin. There’s little incentive for organizations to do a genuinely good job tracking access to confidential data.

In this backward system, it’s a wonder we hear about any breaches at all. The fact that we do hear about data breaches frequently should make you stop and think about the number that are *really* occurring, but are never detected, let alone reported. Speaking from experience, I can tell you that the data breaches you hear about are just the tip of the iceberg.

Sherri Davidoff
PGP-signed text: 2010-01-02 (current)

Governments store and gather a *lot* of private information about everyday citizens, in order to provide you with services such as health, transportation, safety, education, taxation, and much more. How much of this will be handed over to private IT companies such as Google in the rush to the “cloud”? What will happen to it from there? Absent regulation and routine inspections, it’s hard to tell.

Here are examples of the private information that state and local governments collect:

Health:

Taxation:

Unemployment:

Transportation:

Motor Vehicle Services:

  • Driver personal info:
    • Height
    • Weight
    • Eye correction
    • Address
    • Social Security Number
    • Payment information
  • Violations (see p.3 for a list of info typically included in citations)
    • Locations, dates, times
    • Description and details
    • Images (photographs, videos)
  • Red-light camera images
  • License-plate tracking

Government Employee records

  • Social Security numbers
  • Employee reviews
  • Health insurance information

Education:

Police:

 
We conduct routine inspections of restaurant kitchens for public safety, and the public is entitled to see inspection certificates. Shouldn’t management of our public data be held to the same standards?

The public deserves to have input regarding what data is put into the hands of companies which are not controlled by the public. We deserve regulations which protect our private information from abuse, and which specify what types of information can or cannot be hosted by foreign companies and private companies.

Most importantly, we deserve assurance. Our government must routinely verify through inspection and public reports that confidential information is not being misused by private companies, and that only appropriate types of information are being shipped off-site. If private companies are to hold taxpayer information, the public deserves independent verification and reassurance that our data is well-managed.

For information about the specific data used by your state, check out your state’s web site and look at the services it offers. (Here’s a nice example from the State of New Mexico.) Then think about all the private information that your government needs to collect and process in order to support those services. You might be surprised.

Sherri Davidoff
PGP-signed text: 2009-12-30 (current)

Our Google Government

Recently I saw an ad which read:

Google and State Gov

“Over 60% of the U.S. state governments have gone Google.”

Does this mean that we’ve now handed the majority of our state governments’ operational data to a single privately-controlled company which has well-publicized partnerships with other governments such as China?

To find out more, I contacted Google’s press department. A representative promptly got back to me with more information:

“The reference to Going Google refers to US state governments using one or more of Google’s enterprise products…With regard to data hosting, Google Apps is a cloud computing solution meaning Google hosts the data in our data centers, relieving the customer or gov agency of the burden of managing their own servers in house.”

In other words, according to Google, United States state governments have literally handed over our public data to be held and managed by a private company which has well-publicized partnerships with other governments such as China. The data is physically stored in Google’s buildings, on Google’s servers, managed by Google’s employees. This means Google now controls our government’s access to its own data.

Google declined to make their list of state government customers public, so instead I checked to see which states had active Google Apps login pages for their domains. There are 19 states that have active Google Apps login pages (plus Washington, D.C.). These include:

Alaska
Connecticut
Washington, DC
Illinois
Iowa
Kentucky
Louisiana
Maine
Michigan
Montana
North Dakota
Nebraska
New Hampshire
Ohio
Oklahoma
Minnesota
Pennsylvania
South Dakota
Utah
Wisconsin

In September, Google announced its plans to create a major government data hosting operation for the United States. “Today, we’re excited to announce our intent to create a government cloud, which we expect to become operational in 2010. Offering the same services and features as our existing commercial cloud (such as Google Apps), this dedicated environment within existing Google facilities in the US will serve the unique needs of US federal, state, and local governments…”

Moving the data itself offsite is a BIG change, and one that comes at a BIG price. This effectively places state governments’ data outside the direct control of our government. If Google (or an ISP) were to decide for whatever reason– economic, political– to cut us off from our data, governments using their services would be, well, Scroogled.

To me, this is an unacceptable level of control for a single private company to have over federal, state or local government. When you reach a point where the government cannot operate without a private company, then the private company has effectively gained control of the government.

With Google physically housing and managing state government operational data, they literally gain control of our government’s operations. What’s more, Google also has access to data mine the information. Would this be legal? Hopefully not, depending on the contract that our governments have signed. Would it be technologically possible? Of course.

In another twist, state governments’ moves to outsource their data could also open their information to far greater access by intelligence agencies. It might be legal under homeland security rules for federal intelligence agencies to force Google to turn over information from state and local governments, perhaps without even notifying them. For issues where state laws are in direct conflict with federal laws, the implications for states’ rights are serious. For example, several states maintain lists of registered medical marijuana patients. Could a federal agency force or coerce Google to turn over lists of names without permission from the state?

Google is extremely good at managing its own public image (it undeniably has a leg up due to the fact that it controls news sources and search engine returns). However, it is still a for-profit corporation and ultimately works for the good of its owners, not the public. The fact that Google is working to host a large percentage of U.S. government data should set off alarm bells. How can the U.S. government effectively manage its own security and the interests of the people when large corporations have it by the balls?

The long-term, hard-to-quantify risks of moving the United States’ operational data to a private company are easy to ignore when you look at the short-term technological benefits and shiny flashy features. No one can deny that Google enables government entities to operate with a level of sophistication that would be inconceivable if all operations were done in-house. Governments typically suffer the same problems as many midsize companies with underfunded IT departments and political complexities that make it difficult to centralize and streamline operations. It doesn’t really make sense for every state and local government to reinvent the wheel with respect to IT. With no “public option” for scalable, government-sponsored IT services, it’s understandable that state and local governments would outsource to the private sector.

That said, the practice of outsourcing government IT management is risky and deserves careful scrutiny and regulation. It’s funny that we’re chasing after “terrorists” in our airports, and at the same time our state governments have moved fundamental operations data over to a private company which is not controlled by the public and has strong ties to foreign governments.

Google is outside our system of checks and balances. They are quickly becoming absolutely necessary for our government to function, but their operations are not transparent and are outside the control of the American people.

Here are a few related press materials published by Google:

District of Columbia

Virtual Alabama

City of Los Angeles

Sherri Davidoff
PGP-signed text: 2009-12-24 (current)

Hand-printed and designed by the talented Blake Brasher of Solid State Circus, this original T-shirt is for those of you who want to:

  • Go to a club or buy beer without having your ID swiped and all your personal details stored in the store’s crappy unpatched Windows box
  • Visit the doctor without having a high-res scan of your ID captured and stored in your doctor’s crappy unpatched Windows box
  • Go about your normal everyday business without being tracked.

Designed especially for Philosecurity. Be totally comfy and make a statement!


Sherri Davidoff
PGP-signed text: 2009-11-25 (current)

Today is the final day to submit solutions for the Network Forensics Puzzle Contest #2: Ann Skips Bail. The winner will receive a Lenovo IdeaPad S10-2 – just like the free netbooks Sec558 students will get in Orlando.

The MOST ELEGANT solution wins. Good luck!!

“After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town. “We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”

“YOU are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence…”

http://forensicscontest.com/

Brought to you by the authors of SANS Sec558: Network Forensics:
Sherri Davidoff and Jonathan Ham

“Until the first blow fell, no one was convinced that Penn Station really would be demolished, or that New York would permit this monumental act of vandalism against one of the largest and finest landmarks of its age of Roman elegance.” (New York Times)

“Its destruction left a deep and lasting wound in the architectural consciousness of the city. A famous photograph of a smashed caryatid in the landfill of the New Jersey Meadowlands struck a guilty chord.” (Wikipedia)

Patty King wrote in a comment a couple of days ago: “I remember a time about 10 years ago when flying was fun and so easy. Will it ever be like that again?”

Once upon a time, inspiring the traveler was important. The reactions of people in Penn Station were worth the enormous amount of time and effort placed into the space. Cultural and artistic expression were clearly strong and valued.

First impressions matter. Train stations and Airports are places where we welcome people from other countries or cities.

Perhaps someday we’ll remember the art, ambiance and culture that these important spaces brought to us. Perhaps someday we’ll once again decide to make our airports and train stations welcoming instead of paranoid, inspiring instead of intimidating, proud instead of afraid. Then flying will be fun again.

Sherri Davidoff
PGP-signed text: 2009-11-19 (current)

I really loved Robert Graham’s article about the Brazilian power outages. He writes:

“Most rumors of hacker infiltrations are false. If you investigate computers in any large organization hard enough, you’ll find malware. This doesn’t mean hackers have broken in, because most viruses are not under control of the hacker who launched them. Also, things get on computers that trigger deep scans from anti-virus scanners that are not necessarily malicious malware. This malware becomes a distraction to finding the true cause of what happened. Thus, when investigating a power outage, finding malware on computers doesn’t mean hackers caused the outage.”

Sure, mankind created the Internet. That doesn’t mean we’re in charge.

When Robert Tappan Morris wrote the code for the first Internet worm, did he expect that it would spread? Sure. Did he expect that it would take down 10% of the Internet? No way.

When Chén Yíngháo wrote the very nasty Chernobyl virus back in 1998, did he expect that it would demolish over 700,000 systems worldwide, including the Korean Supreme Court and Turkish police departments? Nope. (And companies like IBM, Yamaha Corp. and Activision certainly didn’t intend to distribute it in their commercial products.)

People don’t control the Internet, just like the sun doesn’t go around the earth. A single computer sitting on your desk at work is the product of millions of people’s efforts, and the environment and the technology are constantly changing. Malware spreads like bacteria. Large networks of computers are like organisms which we can only generally predict.

Accidents, poor design and lack of maintenance are huge contributing factors to cascading network disasters. A lot of networks are old, poorly maintained and getting more unstable by the day. I’ve seen systems in critical facilities crash when exposed to default nmap scans. Our most important systems are often the least frequently updated, because it’s hard to schedule down time and changing software or hardware is always risky. Unfortunately, lack of resources in government, utilities and other critical sectors is a big part of the problem.

“There is a risk,” writes Graham. “Hackers will eventually cause a major power outage. In the grand scheme of things, though, it’s not a big deal. Major power outages from accidental mistakes will always be a bigger threat.”

Destruction isn’t the greatest incentive. Viruses that kill their hosts don’t tend to spread, and similarly hackers who destroy their targets have a tough time generating profits.

As long as there are credit card numbers to distract them, we’ll all be fine.

Sherri Davidoff
PGP-signed text: 2009-11-18 (current)

UPDATE: The Metropolitan Detention Center has confirmed that Mr. Mocek was arrested and is currently being held for $1000 bail. He is being charged with “concealing identity, disorderly conduct, refusing to obey an officer, and criminal trespass.” (1:40PM, 11/16)

Today a traveler going through the Albuquerque airport was arrested after politely refusing to show his ID. Phil Mocek, a Seattle area native, was traveling with his friend Jesse Gallagos when he politely declined to show ID to TSA agents.

According to reports from friend Ben Livingston, “Phil politely refused to show ID to the TSA employee. The TSA employee then called in a supervisor, and Phil started recording with his digital camera, which caused the supervisor to “freak out” and call the airport police. Approximately six police showed up in force, asked no questions, and told Phil he was being arrested for disturbing the peace.”

Mr. Mocek had previously contacted TSA personnel at the Albuquerque International Sunport Airport (ABQ) to find out if photography was allowed, and was clearly told by local TSA officer Susanne Spencer that advance notification was recommended, but not required. “We only encourage individuals to contact TSA in advance so we can facilitate the photography,” she wrote in an April 10, 2009 email. She subsequently reiterated that statement to Mr. Mocek on April 14. (FlyerTalk)

After Mr. Mocek was detained, “[Police] asked if he was with anyone, and he indicated he was flying with Jesse,” said Mr. Livingston. “The police told Jesse he would also be arrested if he did not leave the compound. They demanded and received Jesse’s ID, then drove him in a police cruiser off the airport property, where they informed him that he was banned from the property for 24 hours.

“I spoke with the Albuquerque jail and Phil hasn’t been booked yet. He’s still in the hands of the airport police… We are actively seeking help from anyone in Albuquerque who might be able to help… I’m hoping a local lawyer, or anyone local, might be able to get a little further.”

Philosecurity contacted local authorities at 7:50PM on Sunday, Nov 15 2009, and confirmed that Mr. Mocek was still in custody and being “processed.” Friend Ben Livingston provided some further perspectives on the issue, as follows:

“As Americans, we have the right to travel freely between the states… In America, we’re supposed to defend against the government demanding our papers in order to travel. A lot of folks remember that in Germany, you had to show your papers in order to travel. Since 9/11, our government has implemented a policy that in order to make things more ‘safe’ and ‘secure,’ they’re going to force people to show their papers to get into the terminal to board the plane. The airlines don’t necessarily require ID, although it’s their right to decide who they do business with.

“As far as the federal government goes, demanding our papers in order to travel from state to state is actually a violation of our civil rights. If you’re traveling into or out of the country, the federal government has a right to demand your papers. But if you’re traveling interstate, you have a right to travel freely without interference from the federal government.

“In reality, ID checks don’t make us safer. All of the terrorists on that 9/11 flight had valid ID. It’s a fake security measure designed to make us feel safer. It’s not actually intended to keep us safe. There are ways around it, too… Just last year TSA announced a new policy for the first time ever, which said that if you don’t have your ID but you cooperate with TSA, show them credit cards etc, you can fly. So if you say you screwed up, it’s cool. If you politely refuse for whatever reason to show ID, TSA will deny you access.”

Sherri Davidoff
PGP-signed text: 2009-11-15 (current)

Congratulations to all of our rock star investigators who solved the Network Forensics Puzzle Contest! We received over 100 submissions, many of which were truly excellent. Figuring out a winner was challenging, but in the end, one submission stood out over all.

We asked you for the most elegant solution. It was possible to solve the puzzle with common tools such as Wireshark, and many people did. However, modern investigations often involve many gigabytes– if not terabytes– of packet data. In the real world, pointing and clicking doesn’t scale. Moreover, when you’re working with large amounts of data, processing time is extremely valuable. Small, fast tools are key.

What we considered “elegant” was the construction of some automated process for solving the puzzle which was easy to use, easy to understand, very portable, and would easily be able to scale to much larger and more difficult problems.

Five people were named Semifinalists because they created an automated process (i.e., scripting) to facilitate future investigations. Seven Finalists took this to a level beyond and created novel solutions involving considerable amounts of scripting. Please take a look at each of their solutions, as WE learned something from every one.

The winner got fame, glory, and a free SANS On-Demand class (worth up to $3500), and the finalists each receive a Fiendish Japanese Pocket Puzzle from Thinkgeek.

We’ve created a dedicated web site, forensicscontest.com, with the solutions and winner. Check it out for the full solutions and names:

http://forensicscontest.com

Be sure to subscribe to the RSS feed. We’ll be posting more contests soon!

Sherri Davidoff
PGP-signed text: 2009-09-25 (current)

Puzzle Contest Update (2)

To our excellent contestants,

We received so many great contest entries, including custom-written tools, that we will be taking a few more days to finish testing all of the code we received. The winner will be announced on the PaulDotCom podcast next Thursday and posted on this site. Great job everybody! Stay tuned.

Swiping Your Identity

Today a local liquor store decided to swipe my identification card into their computer systems for the first time. Here’s my response.

To the management of Local Liquor Store*,

I’ve been a customer of your store for about a year now. My husband and I stop by to stock up for parties. Your staff are always very friendly and helpful. I am writing because today I purchased a bottle of liquor at your counter. I was paying in cash. The clerk asked to see my identification so that she could verify my age. I handed it to her, and she immediately swiped it into your computer system without my consent.

While I understand that you need to check identification, I do not consent to having my personal information stored in your computer systems for any length of time. I value my privacy and I do not want my location or purchasing habits tracked. Moreover, my personal information is valuable and you have provided me with no assurances regarding the security of your systems.

By law, I am required to show proper identification to prove that I am over the legal age to purchase alcohol. This does not imply that I consent to having you record my identification details. If you insist that your customers submit to having our personal information recorded in order to make purchases, you should clearly inform us and ask permission before swiping.

When I told your store clerk that I did not want my information stored in your computer systems, she said that it was only stored for “about 800 swipes” and that she was required to swipe driver’s licenses of anyone born after 1980. This is discriminatory. Do people under the age of twenty-nine have less right to privacy than those above?

Montana’s constitution protects our rights to privacy in this state. We should be able to go to the store without having our identification and whereabouts tracked. Identity theft is also a big problem, and spreading our personal information around puts us at greater risk.

I like your store and have been a good customer for some time. However, I value my privacy above all. I hope you will consider changing your policy regarding tracking shoppers, because I enjoyed being one of your customers. Until then, I will be shopping elsewhere.

Thank you for your time.

* Store name has been changed. You probably guessed that.

Sherri Davidoff
PGP-signed text: 2009-09-12 (current)

Here’s a real copy of an American citizen’s DHS Travel Record retrieved from the U.S. Customs and Border Patrol’s Automated Targeting System (ATS). This was obtained through a FOIA/Privacy Act request and sent in by an anonymous reader (thanks!)

The document reveals that the DHS is storing the reader’s:

  • Credit card number and expiration (really)
  • IP address used to make web travel reservations
  • Hotel information and itinerary
  • Full Name, birth date and passport number
  • Full airline itinerary, including flight numbers and seat numbers
  • Cruise ship itinerary
  • Phone numbers, incl. business, home & cell
  • Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

Again, here is the full record. The anonymous reader obtained his/her travel history using Edward Hasbrouck’s excellent guides. Check out his site for more info!

Thanks a ton for sending this in. If anybody else gets a copy of their ATS travel record, send it in! We’d love to see them and compare.

Sherri Davidoff
PGP-signed text: 2009-09-06 (current)

Contest Prize Update

SANS is sponsoring a prize for our Network Forensics Puzzle Contest! The winner gets a free SANS On-Demand class (worth up to $3500 depending on the class you pick). Prizewinners will be announced during the Sec558 “Network Forensics” class in San Diego, 9/16-9/18.

Remember, the MOST ELEGANT solution wins. We highly encourage coding and automated solutions. You are welcome to submit multiple solutions if you would like to continue to refine your work. Submissions will be accepted through September 10, 2009.

Sherri Davidoff
PGP-signed text: 2009-08-19 (current)

*Prizewinner to be announced at Sec558 “Network Forensics” in San Diego, 9/16-9/18.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://philosecurity.org/558/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to contest@philosecurity.org. Deadline is 9/10/09. Good luck!!

cheers,
Sherri

Sherri Davidoff
PGP-signed text: 2009-08-14 (current)
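
An added example, not part of the original post or the contest materials: a stdlib-only Python script of the scripted kind the contest asks for, which reads a classic pcap, reassembles what one host (Ann's 192.168.1.158) sent over TCP, and reports the magic number and MD5 of a carved file. The capture, peer address, ports, transfer header and file contents are constructed for illustration, and the carve assumes the file runs to the end of the stream.

```python
import hashlib
import struct
from collections import defaultdict

ANN_IP = "192.168.1.158"     # from the puzzle text
PEER_IP = "192.168.1.200"    # constructed; the page gives no address for the rogue laptop
MAGICS = {b"PK\x03\x04": "zip container", b"%PDF": "pdf", b"\x89PNG": "png"}

def read_pcap(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) capture held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_streams_from(frames, src_ip):
    """Reassemble TCP payload sent by src_ip, keyed by (src_port, dst_ip, dst_port)."""
    flows = defaultdict(dict)
    for frame in frames:
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]         # trim Ethernet padding
        if ip[9] != 6 or len(tcp) < 20 or ".".join(map(str, ip[12:16])) != src_ip:
            continue                                          # complete TCP from src_ip only
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            # First copy of a sequence number wins, so retransmissions are dropped.
            flows[(sport, ".".join(map(str, ip[16:20])), dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def carve(stream):
    """Locate the earliest known magic number and hash everything from it onward."""
    hits = [(stream.find(m), m) for m in MAGICS if m in stream]
    if not hits:
        return None
    start, magic = min(hits)
    body = stream[start:]    # assumption: the file runs to the end of the stream
    return {"offset": start, "magic": magic.hex(), "type": MAGICS[magic],
            "size": len(body), "md5": hashlib.md5(body).hexdigest()}

def _frame(src, dst, sport, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame for the constructed capture (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_sample_pcap():
    """Constructed capture: one file sent out of order with a retransmission, plus chatter."""
    sent_file = b"PK\x03\x04" + b"constructed file body " * 10
    wire = b"XFER-HDR" + sent_file                  # made-up 8-byte transfer header
    frames = [
        _frame(ANN_IP, PEER_IP, 40001, 4000, 500, b"constructed chat line"),
        _frame(ANN_IP, PEER_IP, 40002, 4000, 1000, wire[:60]),
        _frame(ANN_IP, PEER_IP, 40002, 4000, 1140, wire[140:]),    # arrives early
        _frame(ANN_IP, PEER_IP, 40002, 4000, 1060, wire[60:140]),
        _frame(ANN_IP, PEER_IP, 40002, 4000, 1060, wire[60:140]),  # retransmission
        _frame(PEER_IP, ANN_IP, 4000, 40002, 9000, b"PK\x03\x04 reply, wrong direction"),
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        pcap += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return pcap, sent_file

if __name__ == "__main__":
    for flow, data in tcp_streams_from(read_pcap(build_sample_pcap()[0]), ANN_IP).items():
        print(flow, len(data), carve(data))
```

Reassembly here sorts by sequence number only, so missing segments and 32-bit sequence wraparound are not handled, and a transfer protocol that appends a trailer would change the hash.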