7/15 – Updated with more details, and a shiny new photo.

The Bush Turnpike in Texas no longer accepts cash as of July 1, 2009. Based on the federal Coinage Act of 1965, I believe this is illegal.

The Coinage Act (31 U.S.C. 5103) states: “United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues.”

The Treasury Department has made it clear that “Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills.” However, I would argue that the NTTA is now operating as a “creditor.” “ZipCash is the NTTA’s “drive now, pay later” option for customers without TollTags,” reads their advertising literature. “High-speed cameras take pictures of the license plates of vehicles without TollTags. Invoices for the tolls are then sent to the registered owner of each vehicle.”

The time at which payment is collected matters a lot. Stores are not required to accept US cash for products and services paid up front, because no debt is incurred. However, “restaurants that do not collect payment until after a meal is served would have to accept that legal tender for the debt incurred in purchasing the meal.” (Wikipedia) Based on this logic, the NTTA (“a political subdivision of the State of Texas”) would presumably not be required to accept cash for payment as a driver is getting onto the highway, but once he or she has driven the stretch of road, the debt has been incurred and US cash monies must be accepted.

There currently appears to be no way for a driver on the Bush Turnpike who is not the registered owner to directly receive and pay an invoice from the NTTA (according to Texas law, the owner is responsible). The NTTA sends “ZipCash” invoices only to the registered vehicle owner, and TxTolls are not transferable between vehicles. What’s more, the NTTA has no instructions (at least, none that I could find) on their web site which indicate how a driver could pay their ZipCash invoice in, well, real cash.

With the advent of “ZipCash” the North Texas Tollway Authority (NTTA) now falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) definition of “creditor” as “any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.”

This means that the NTTA is also regulated by the FTC’s new Red Flags Rules, which apply to any “creditor” that “offers or maintains ‘covered accounts.’ A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions…” The NTTA’s “Toll Tags” accounts fit squarely into that definition. (I wonder how hard the NTTA has worked on their required Red Flag Identity Theft Protection Program…)

According to the US Treasury, the Coinage Act ensures that “all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor.”

Sherri Davidoff
PGP-signed text: 2009-07-15 (current)
PGP-signed text: 2009-07-14

This week I’m trying to think positively about mass surveillance. It seems inevitable, after all.

“Iran’s Web Spying Aided By Western Technology,” read the front page of the Wall Street Journal a few weeks ago. “European Gear Used in Vast Effort to Monitor Communications.”
Judging by the Intelligence Support Systems industry marketing brochures, Iran’s “monitoring center” is not exactly advanced compared with European state-of-the-art. Nokia-Siemens themselves said that they sold Iran a “restricted functionality” monitoring center. (Reports indicate that Iran also has “deep packet inspection” capabilities, presumably from another source.) According to Nokia-Siemens, over 60 countries have been sold a Monitoring Center. But their current “Intelligence Platform” solution is far more full-featured. Check out the Intelligence Platform brochure, which touts its “pattern recognition” and “behavioral analysis” capabilities. It “automatically detects formerly unknown patterns.” (Ah, dragnet.)

We can’t stop the unrelenting march of mass civilian communications monitoring, but perhaps we can turn lemons into lemonade. (Mmm, mass surveillance lemonade…what?)


From the Nokia-Siemens Intelligence Platform Brochure

Consider this technology’s potential for good. You could watch the spread of information through different routes the way doctors watch radioactive materials travel through the blood. You could measure how a population feels about a particular issue and get instantaneous feedback on policies with infinitesimal granularity. Better understanding of human psychiatry and communication could help us make better individual decisions and perhaps collectively govern ourselves more efficiently.

National communications surveillance is a very powerful tool for government right now (not to mention lucrative for phone companies, who are paid for the access). Also, given revelations about NSA wiretapping and FBI’s “Quantico Circuits,” it’s clear that the fundamental infrastructure is already in place (*ahem* NarusInsight).

Mass communications information would be very valuable for scientists– psychiatrists, anthropologists, etc. Unfortunately, today Internet, mobile and transaction surveillance data tends to go exclusively to the people who can pay for it or profit from it– i.e. spooky government agencies with big budgets and advertisers. What if academic researchers had access to the same information that intelligence agents already comb every second?

Not that I really want to be under anybody’s microscope. But if anyone’s going to be analyzing my phone calls, payment transactions, emails and IMs, I’d rather it be researchers who will publish their findings, instead of secretive intelligence agencies. If our communications aren’t going to be private, let’s at least use these capabilities for clear, transparent public benefit.

Here’s an e-affirmative action proposal: For every intelligence agent that has access to mass surveillance data, one academic researcher should have access to the same information. And report on it.

At least then we’d know what the heck was going on.

Sherri Davidoff
PGP-signed text: 2009-07-13 (current)

Kindle Spying

Josh Wright recently purchased a new Kindle. Surprisingly, when he downloaded one of his books onto the new Kindle, it offered to open it to the page where he had left off on his old Kindle. In other words, Amazon tracked not just the books he was reading, but specifically which sections of the book he was looking at.

Josh (author of SANS’ excellent Wireless Ethical Hacking class) eloquently describes his encounter and privacy concerns below:

“When I started my DX for the first time, I saw an entry “Archived Items”, which was all the books I had previously purchased. When I downloaded my copy of “ZigBee Wireless Networks and Transceivers” on the DX, I was surprised to see it open on the page where I had left off on my previous Kindle.

“Thinking it through, it makes sense: Amazon knew the e-book market would expand to multiple readers, and they added the functionality to synchronize to the last page read, apparently with a firmware update to the Kindle 1st gen right before the 2nd gen was released. I recently grabbed the Kindle app from the Apple iPhone store, and it prompted me to sync to the last page read on the identified device (see screenshot).

“My problem with this situation is this: how is Amazon using this information? Knowing what page I’m currently reading on my e-book could be useful marketing for them, but a significant privacy concern for me. Amazon is able to determine what pages I’ve read and which I’ve skipped (useful feedback for a publisher, should Amazon decide to sell to that market). They can determine the pages I’ve re-read (such as the hacking U3 drives section in my Kindle copy of Hacking Exposed), which could potentially be used against me as evidence in a court of law, for example. They could even monitor how much time I spend reading, and when (useful information for an employer who might want to know when their employees are slacking off and not working).

“I’d like to find out what Amazon’s privacy policy is about this data, and what they are retaining long-term. Do they record only the last page read for each of my books, purging this information after a period of time, or is it more nefarious?”

Josh Wright is the author of SANS 617 – Wireless Ethical Hacking.

Sherri Davidoff
PGP-signed text: 2009-07-08 (current)

This week I discovered that someone had opened up a new Chase card in my name. Scouring the Chase site for the appropriate number to report fraud, I stumbled onto their “Identity Protection” page and received this rather ironic pop-up.

Sherri Davidoff
PGP-signed text: 2009-07-02 (current)

Credit Cards == ID

Saw this sign in the Baltimore airport last week:

“Self-Service Check-In: You Will Need a Major Credit Card”
and then in small print:
“For Identification Only”

Yes, apparently American Airlines will only give boarding passes to individuals who have been thoroughly vetted according to the strict standards of American Express, Mastercard, or VISA (and perhaps Discover).

Sherri Davidoff
PGP-signed text: 2009-07-01 (current)

The illustrious John Strand has an update for us regarding Verizon’s demo EVDO system security. This summer John is launching his new SANS class, Security Architecture for Systems Administrators.

Shortly after we posted the article about the openness of the Verizon EVDO demonstration terminals, we were contacted by Verizon. After discussing the issue at length they requested that we post the following comment:

“The demo laptops in question are located in an independently owned/operated reseller location, and are not configured or maintained by Verizon Wireless. Verizon Wireless is committed to the security of its customers and is working with the reseller to resolve this issue.”

Usually when working with vendors, the company’s lawyers immediately respond to any potential problems with security systems. Verizon did not respond this way. Instead, they began by asking a bunch of questions about the store locations and what security breaches were compromised. Further, they said that they could understand the confusion because the third party resellers have huge Verizon signs on their store. In short, they acknowledge that it can be very difficult to distinguish between the real Verizon stores and the resellers.

I was also very happy to see that they were interested in solving the issue. You see, even though the stores are not theirs, there is still damage that can be done if something hideous was to happen on one of the terminals.

I will keep you all posted on how the fix goes. I am planning on hitting a few of the stores later today just to see.

Philosecurity contributor John Strand
PGP-signed text: 2009-06-30 (current)

John Strand is the author of this week’s article. John is the owner of Black Hills Information Security and a member of PaulDotCom Security Weekly. He is also a SANS Instructor and a regular presenter at various security conferences.

Last week I was plucking around at my local Verizon Wireless store looking for a power adapter for my i760. Apparently, this task is far harder than I thought it would be. The gentleman behind the counter said, “Whoa! That is a very old phone.”

I bought it last year.

Anyway, he disappeared into the back like he was hunting for the store’s last mogwai and left me, alone, in the store with their demo EVDO computer terminal.

So I started playing around with the Windows XP system on which they let customers test the EVDO speed. Which I think is a great idea. However, there was a sign that said, “Please, check your email here!!” I don’t think so.

So I got curious as to what kind of security they put on these systems. I was hoping for at least a partially locked down terminal. At the very least, I was sure they would not leave an open system logged in with Administrator privileges for the whole world to use.

I was wrong.

As you can see the system is logged in with an account that has Administrator Privileges. There is no “hacking” this box…. You just walk up to it.

When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?” Which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my drivers license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over and quickly leave the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.

To my horror, all of the Verizon stores in my area were set up the exact same way.

There are two issues here. First, these terminals are insecure by design and replicated. Second, they encourage their potential customers to use these insecure systems to do potentially sensitive activities.

Why should Verizon care? The single biggest thing I can think of is liability. If you’re an attacker why would you keep your illegal files on your system? It seems so much better to store them on a random Verizon demo system. Next, think about the consistency. It is trivial to dump the password hashes from a system when you have Administrator access to the box. Where else are those passwords used?

The point is that we need to start securing things even if you don’t think there is a need. There are liability issues that come with leaving systems this open. Further, it is just these types of things that can be catastrophic for an organization. The sad part is many organizations would say they never saw it coming.

We can say it again and again, organizations need to be a bit more protective of their customers’ data. Also, I think it would be a step in the right direction to not openly suggest that customers should check their email.

Until then… Buyer beware.

Philosecurity contributor John Strand
PGP-signed text: 2009-06-10 (current)

Walking into the doctor’s office, I was surprised to see a new sign in front of the receptionist, which read:

“Red Flag Identity Theft Rule. We are now required by law to ask for a Photo ID at the time of each visit. Please have your Photo ID ready for the receptionist to scan.”

As an avid bicyclist, I wasn’t carrying a driver’s license.

“I’m sorry, we’ll have to reschedule you,” said the receptionist. “We need to scan your ID before we can see you. It’s a new law.”

“No, I really don’t have one. I bicycle everywhere. I don’t even know where my old license is any more.”

She looked me in the eye and said, “Sorry. I suggest you get a photo ID. You need to have one to be seen.”

“What if I’m paying for my own visit, and not using health insurance?”

“We need to scan your ID and have it in your file or we can’t see you.”

“I don’t think it’s right to deny care to patients who don’t have a Photo ID,” I said.

“Well, I can talk to my supervisor,” she said. “But I think you’re going to have to reschedule.”

As I waited, I watched the receptionist take another patient’s driver’s license and walk off into a back room. Apparently, in order to comply with the “Red Flag Identity Theft Rule,” the doctor’s office now scans a copy of every patient’s driver’s license and stores it in their computer systems.

How secure are my doctor’s computer systems? Patients don’t have the right to know. Doctor’s offices, hospitals and even health insurance companies get infected with viruses, worms and spyware all the time. These are generally not reported as patient data breaches, because they are far too common.

Just in the past few weeks, there have been news reports of patient data thefts from UC Berkeley Health Service, Virginia Prescription Monitoring Program and Memorial Medical Center. The vast majority of breaches never get reported or even detected, however, because tiny little health care clinics and hospitals all over the country have neither the resources nor the incentives to institute appropriate detection measures.

And now they want to store a high-resolution copy of my driver’s license on top of everything else? What is this “Red Flags Identity Theft Rule,” anyway?

The Red Flags Rules are a collection of new Federal Trade Commission regulations aimed at reducing the risk of identity theft. The American Medical Association and dozens of other medical societies “have protested the FTC’s decision to apply the Red Flags rule to medical practices and other health care providers.”

Why on earth does the Federal Trade Commission affect who my doctor treats?

According to the FTC, “Health care providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance.”

The FTC requires “each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.” Although the Red Flags Rules do not explicitly require doctor’s offices to make copies of patient identification, they are often implemented this way.

Ironically, spreading more private information around– such as high-resolution copies of driver’s licenses- increases patients’ risk of identity theft. As a 2008 World Privacy Forum report explained:

“When patients are, for example, asked for a drivers’ license when checking in to hospitals for surgery, the license itself may be copied or scanned and added into the actual patient file. This can give hospital insiders with criminal tendencies access to a treasure trove of photographic, biometric, and other information that may have been unavailable to them before. The result can be more identity theft (medical and otherwise).

“…Just because customer identity proofing is commonplace in the financial sector does not mean that it has translated perfectly or even well to the health care sector. The two sectors have different regulatory requirements, approaches to access points, security, and information flows. Banks and health care providers also have different competencies, staffing capacities, training, and in many cases even procedures when it comes to reviewing and managing customer identification documents.”

Everyone should have access to medical care– not just people who have registered with the government and obtained a photo ID. Furthermore, patients should have the right to health care without being forced to give up control of their personal information. As a patient, I don’t really want a copy of my Photo ID stored on a crappy unpatched Windows box at my doctor’s office. Today’s patients do not even have the right to know how well doctor’s offices and hospitals are secured, even in the face of constant reports of medical data breaches. That’s sick.

Sherri Davidoff
PGP-signed text: 2009-05-28 (current)

TSA “Secure Flight”

On May 15, the first phase of TSA’s Secure Flight program took effect after years of development. By the end of the year, when you book a flight, the airline will send your name (as specified on your government-issued ID), birthdate, gender, and itinerary to TSA’s centralized Secure Flight system, where you will be checked against government watch lists. In other words, before you ever set foot in the airport, your travel can be denied.

TSA has stated that Secure Flight record system is exempt to multiple provisions of the Privacy Act. In particular, it claims:

  • “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
  • “Exemption from Requirement to Collect Only Relevant and Necessary Information”
  • “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
  • “Exemption from the Requirement of Judicial Review”

TSA’s transportation security strategy appears to be based on the logic that by tracking civilians en masse and maintaining secret “watch lists” we can somehow identify all people with potentially malicious intent and prevent them from accessing public transportation systems. (“Sorry sir, you’ve already committed three suicide bombings this year, so we can’t allow you on the plane.”)

Of course, air travel is just a small part of the picture. TSA is also “responsible for security in all modes of transportation.” This includes cars, buses, subway and rail. According to their mandate, presumably even bicyclists would fall under TSA’s purview. Ground transportation is arguably even more important than aviation security, particularly because so many phone and network cables run along railways and highways. Although TSA has thus far focused their most draconian regulations on the air, they have been asserting increasing control over ground public transportation.

Last September, TSA flexed their ground-transportation muscles when they mobilized TSA and Amtrak security teams “from approximately 100 commuter rail, state, and local police agencies… for the largest joint, simultaneous Northeast rail security operation of its kind, involving 150 railway stations between Fredericksburg, Virginia, and Essex Junction, Vermont.”

What prompted this massive security exercise?

“The morning rush-hour multi-force security deployment was NOT in response to any particular threat or incident, but rather a demonstration of an ongoing collaborative effort to expand counter-terrorism and incident response capabilities up and down the Northeast Corridor railway system,” wrote TSA in a press release.

I see.

Let’s follow the TSA’s strategy to its logical conclusion. If we accept Secure Flight as a valid security strategy, then in order to effectively and fully “secure” our transportation infrastructure, we would need to:

  • Track everyone traveling on a highway, subway, bus, train, or plane;
  • Track everyone in or near a transportation interchange;
  • Accurately identify every person (ultimately, using biometrics or similar);
  • Compare identification to meticulously-maintained “watch lists”;
  • Selectively deny travel based on secret information stored in government databases

Even then, it only takes one sneaky attacker to dodge the system and cause havoc. Furthermore, tracking every citizen is an extremely high-impact, resource-intensive strategy, which will require deep, fundamental, rather frightening changes in our society. It requires the abolishment of free society, placing our freedom to travel in the hands of an un-auditable, un-elected elite.

By treating citizens as potential enemy combatants, we waste money and actually degrade our nation’s security. This concept is summarized neatly in the Tao Te Ching: “do not use arms to coerce the world, for these things tend to reverse– brambles grow where an army has been… Weapons are inauspicious instruments, not the tools of the enlightened.” (Translation: Thomas Cleary)

What is a more effective strategy? The key is to examine incentives that lead up to attacks. Millions of people around the world, including American citizens, feel that they have been treated unfairly by United States corporations and the government.

Rather than feeding the fire by treating innocent civilians like potential enemy combatants, perhaps we should spend that money on 1) actually improving quality of life for civilians; 2) diplomatically resolving conflicts; 3) genuinely improving the resilience of our critical infrastructure; 4) non-proliferation and weapons-tracking efforts.

“When welfare and justice embrace the whole people, when public works are sufficient to meet national emergencies, when the policy of selection for office is satisfactory to the intelligent, when planning is sufficient to know strengths and weaknesses, that is the basis of certain victory.” (Cleary, Translator’s Introduction to the Art of War)

Sherri Davidoff
PGP-signed text: 2009-05-17 (current)

Today I got a charming letter in the mail from Citibank informing me that:


“A paper trail is an identity thief’s best friend. Sign up for paperless statements and you can rest easy knowing all your account information is locked away safely online.”

Ahahahahaha!…ha… ha… When’s the last time you heard about millions of credit card numbers being stolen from the mail? Somehow I don’t recall identity theft being such a big deal before online financial systems started taking off. In much the same way that the Bush administration linked Saddam Hussein to 9/11, credit card companies are now campaigning to link “identity theft” and… paper.

This brilliantly twisted marketing campaign:
1) Fuels the “identity theft” fear-mongering, increasing identity theft protection sales.
2) Reduces the number of individuals who will be able to independently verify and access statements down the road
3) Saves Citibank money on paper (which also benefits the environment, but that isn’t Citibank’s motivation)
4) Instills a false sense of security regarding the safety of web-based account management systems
5) Increases customers’ risk of identity theft by promoting the use of insecure, online web based account management systems (which will subsequently lead to more “identity theft protection” sales… yay!)

I’d feel a lot safer if all of my account information were locked away in my own fireproof filing cabinet. Unfortunately, it’s clearly not. Less than a month ago Citibank sent me a new card because one of their payment processors lost millions of people’s account information, including mine.

An identity thief’s friends are the vast legions of computers running Windows with Internet Explorer that people use to log in to their online accounts (with re-used passwords such as “fluffy2009”). Identity thieves are also pretty chummy with payment processors such as Heartland, who recently lost over 100 million credit card numbers.

Identity thieves’ best friends in the world are the credit card companies themselves, who have created a system rife with holes, and subsequently profit from their own systematic failures through scams such as “identity theft protection” services.

What chutzpah.

Sherri Davidoff
PGP-signed text: 2009-05-11 (current)
2009-05-11 (version 0)

If You See Something…

Sherri Davidoff
PGP-signed text: 2009-04-26 (current)

Last week, the evening before speaking at the RSA Conference in San Francisco, we saw a large black suitcase sitting by the main entrance of the Courtyard Marriott. It appeared to have been left behind by an unfortunate traveler.

We walked up to the front desk to let the hotel know. “Oh,” sighed the Marriott employee. “We get that all the time.”

Apparently, as part of the Marriott’s design theme, the hotel had installed realistic sculptures of unattended personal items all over the ground floor.

Out front there were two lonely suitcases, each left beside a different bench near the valet. Inside, there were a couple more suitcases, an outdated cell phone and a wallet on the bar.

Obviously a pre-9/11 design concept…


Squid Forensics

Cephalopod autopsies? Nope, today’s article is about conducting forensics on a Squid web proxy/cache. Just as complicated, but less smelly.

Chances are pretty good that you’re reading this page through a web proxy right now, especially if you’re in an enterprise environment. Web proxying and caching have become increasingly popular, for both filtering traffic and speeding up requests. Even consumer ISPs have latched onto the idea (sometimes using similar techniques to insert ads into pages as they are downloaded). That means your web surfing history is probably being recorded in a proxy log somewhere.

Web proxy and cache servers are untapped gold mines for forensic analysts. They often record the web browsing history for an entire organization, all rolled up into one directory. Web caching servers also contain copies of pages themselves, for a limited time.

This is great for forensic analysts (and not so hot from a privacy perspective). Investigators can examine web browsing histories for everyone in an organization all at once. Moreover, it’s possible to reconstruct web pages from the cache. Right now, investigators often simply visit web sites in order to see what they are. This has some serious drawbacks: first, there is no guarantee you’re seeing what the end user saw earlier; and second, your surfing now appears in the server’s activity logs. If the owner of the server is an attacker or suspect, you may well have just tipped them off. It’s much better to first examine the web cache to see what you can find stored locally.

To learn more, I installed Squid, a popular web proxy/cache server, on my lab network and dissected it. There are a number of tools out there that will reconstruct client browsing history based on the access logs. I really liked squidview (which has a Kismet-style interface) and sarg (clickable HTML reports).

What I didn’t find was public information or tools for reconstructing pages from the web cache. It’s definitely possible. The proxy cache, by its very nature, stores the pages you view on its local hard drive and may later serve those pages to you or someone else. The precise pages it stores and the length of time they are retained vary depending on the specific server configuration and usage.

As a forensic analyst, I wanted to recover those cached pages. I figured, if Squid could do it, so could I.

By changing Squid’s configuration to “offline” mode, you can use wget to extract some pages directly from the local cache. This is handy because it reconstructs the pages automatically, if they exist. However, I wanted to see what information was stored directly in the cache, and access associated headers and metadata.

Squid’s access log is straightforward: it’s essentially a text file which contains a list of client IP addresses and pages accessed. If you correlate these with DHCP and central authentication logs, you can potentially match web surfing activity to a particular network card or user.

The cache directory is far more mysterious. If you simply list the directory contents, here is what you will see:

$ ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F swap.state

Daunting. That swap.state file is Squid’s database, which contains a record of every item in the cache. It’s a binary file. If you delete it while Squid isn’t running, Squid will actually re-create it the next time it starts up. (This is helpful if you’re trying to manually edit the Squid cache in order to create lab exercises for, oh, a new class on network forensics.)

Within each of those subdirectories are files such as these:

(screenshot: listing of the cache subdirectories)

And each of those subdirectories contains files such as this:

(screenshot: listing of eight-character cache file names)

Finally, each of those eight-character files contains – yes! – the pages actually cached by Squid. Here is an example. When you surf to a web page, Squid will add some metadata to the top, which includes the full URI and its MD5sum. Squid then stores this, along with the full HTTP reply (headers and body) as a file in one of these subdirectories. If the page is requested later, it can look it up in swap.state and fetch it.

Now let’s extract some content directly from the cache.

Let’s say we’re analyzing web traffic associated with 192.168.1.26. We come across the following entry in Squid’s access.log:

1239739309.653 377 192.168.1.26 TCP_MISS/200 30348 GET http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg - DIRECT/72.233.69.12 image/jpeg

Interesting… What is this image? Let’s see if it’s in the cache.

We could analyze swap.state, but I created my own table of the URIs stored in Squid, along with their corresponding cache files. This was for two reasons: first, I didn’t have to rely on the accuracy of Squid’s database; and second, I’m a lazy bum and it’s pretty easy to do using a simple Bash script. The URI is stored near the beginning of each cached page, just after the MD5sum of the URI. If you grep for strings beginning with “http” in the first few lines of each cache file, you’ll find it.

Here’s that file we were looking for:
./00/03/0000036A    http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg

Now let’s open up that cache file. Running strings on it, we see the following metadata and header info:

(screenshot: strings output showing the cache file’s metadata and HTTP headers)

Lots of juicy info there. To extract the image itself, let’s open this up in a hex editor. I like to use “bless” on Ubuntu. JPEG images begin with “FFD8,” so extracting this content is fairly easy. Highlight everything before the magic number, click “Cut” and save as 0000036A-edited.jpg.

(screenshot: the cache file open in the bless hex editor)

A quick check with “file” confirms that we got it right:
$ file 0000036A-edited.jpg
0000036A-edited.jpg: JPEG image data, JFIF standard 1.01

Now let’s open it up:

(image: the recovered JPEG)

Looks pretty suspicious to me…
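As an added example (my own code, written for this page; it is not part of the original post and not Squid’s own tooling), the script below does in one pass what the post does by hand: it parses the access.log entry, builds its own URI-to-cache-file index by looking for “http” near the start of each cache object instead of trusting swap.state, and then carves the HTTP reply out of the matching file by discarding everything before the first HTTP status line. The cache tree it reads is constructed in a temporary directory, and its metadata block only approximates Squid’s real on-disk layout (MD5 key, then URI, then the full reply); only the URI and the access.log line are taken from the post.

```python
import hashlib
import os
import re
import tempfile

# The access.log entry quoted in the post (ident field written as "-").
ACCESS_LOG_LINE = (
    "1239739309.653 377 192.168.1.26 TCP_MISS/200 30348 GET "
    "http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg "
    "- DIRECT/72.233.69.12 image/jpeg"
)

# A URI is a run of printable, non-space bytes starting with http(s)://
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def parse_access_log_line(line):
    """Split a native-format Squid access.log line into named fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("unexpected access.log format: %r" % line)
    result, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    return {
        "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
        "result": result, "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "ident": f[7],
        "hierarchy": hierarchy, "peer": peer, "type": f[9],
    }


def extract_url(path, probe=4096):
    """First http(s) URI in the head of a cache file (the post's grep-for-http
    trick: the URI sits in the metadata block, right after the MD5 key)."""
    with open(path, "rb") as fh:
        m = URL_RE.search(fh.read(probe))
    return m.group(0).decode("ascii") if m else None


def build_index(cache_dir):
    """Map URI -> cache file (relative path) by reading every object, so the
    index does not depend on swap.state being accurate."""
    index = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if name == "swap.state":
                continue
            path = os.path.join(root, name)
            url = extract_url(path)
            if url:
                index[url] = os.path.relpath(path, cache_dir)
    return index


def carve_reply(path):
    """Return (status_line, headers, body) from a cache file; everything before
    the first 'HTTP/1.' is Squid metadata and is discarded."""
    with open(path, "rb") as fh:
        data = fh.read()
    start = data.find(b"HTTP/1.")
    if start < 0:
        raise ValueError("no HTTP reply in %s" % path)
    end = data.find(b"\r\n\r\n", start)
    if end < 0:
        raise ValueError("unterminated headers in %s" % path)
    lines = data[start:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, data[end + 4:]


def recover_object(cache_dir, log_line):
    """End to end: access.log line -> URI -> cache file -> carved reply."""
    url = parse_access_log_line(log_line)["url"]
    rel = build_index(cache_dir).get(url)
    if rel is None:
        return None
    status, headers, body = carve_reply(os.path.join(cache_dir, rel))
    return {"file": rel, "status": status, "headers": headers, "body": body}


def build_sample_cache():
    """Constructed stand-in for a Squid cache tree; the metadata layout only
    approximates the real on-disk format (MD5 key, then URI, then reply)."""
    url = parse_access_log_line(ACCESS_LOG_LINE)["url"]
    cache_dir = tempfile.mkdtemp(prefix="squid-cache-")
    os.makedirs(os.path.join(cache_dir, "00", "03"))
    body = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32 + b"\xff\xd9"
    reply = (b"HTTP/1.0 200 OK\r\nContent-Type: image/jpeg\r\n"
             b"Content-Length: %d\r\n\r\n" % len(body)) + body
    meta = b"\x03" + hashlib.md5(url.encode()).digest() + url.encode() + b"\x00"
    with open(os.path.join(cache_dir, "00", "03", "0000036A"), "wb") as fh:
        fh.write(meta + reply)
    open(os.path.join(cache_dir, "swap.state"), "wb").close()
    return cache_dir


if __name__ == "__main__":
    found = recover_object(build_sample_cache(), ACCESS_LOG_LINE)
    print(found["file"], found["status"], found["headers"]["content-type"],
          "%d body bytes" % len(found["body"]))
```

Splitting at the end of the HTTP headers rather than at the JPEG magic number means the same carve works for HTML, scripts and any other content type, and the recovered headers (Content-Type, Last-Modified, Date and so on) stay attached to the object as evidence of what the proxy actually served. On a real cache, point `recover_object` at the cache_dir from squid.conf.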
 

Sherri Davidoff
PGP-signed text: 2009-04-18 (current)

Dirty Public Cell Phones

I love the Minneapolis airport. For an information security geek, it never fails to provide some interesting gem.

Wandering through the airport this week I ran across a Delta “Helpline” kiosk (formerly Northwest’s Rebook Service Center). Every time I walk through the airport I see these gray kiosks closed up and pushed aside in some corner.

As luck would have it, this one was open. There were several cell phones sitting on it, tethered to desks. A sign instructed users to contact a Northwest agent by picking up the phone and dialing “1692 #TALK.” “The phone can only be used to access the Northwest Customer Service Rebook Hotline,” concluded the sign.

Apparently, that didn’t stop people from trying (and perhaps succeeding). The phone allowed full access to call history, revealing all outbound numbers that had been dialed, to both cell phones and land lines:

What’s more, the phone also allowed full access to configuration information, including Northwest’s Sprint user account name and associated phone IDs.

Funky. Reminds me of a public toilet that never gets cleaned.

 

Sherri Davidoff
PGP-signed text: 2009-04-05 (current)

IBM’s Watchful Eye

This week, IBM ran a full-page ad in the Wall Street Journal, which advertised that:

(image: ad for a Hollerith punch card machine)

New York’s “Real Time Crime Center can quickly query millions of pieces of information to uncover previously unknown data relationships and points of connection.”

In Poland “personal and vehicle IDs can be instantly checked in an EU-wide database.”

In Chicago: city staff “have access to video from a multitude of cameras citywide, with advanced analytics built into the infrastructure, that are connected to a fiber/wireless network to assist the operator with potential ‘eyes-on-the-scene’ in the vicinity of an incident.”

I’m all for fighting crime, but these vast, nascent public surveillance programs which have minimal public input and oversight are pretty frightening. If you’re familiar with the history of IBM, their massive surveillance operations are especially creepy. “IBM was founded in 1898 by German inventor Herman Hollerith as a census tabulating company. Census was its business,” wrote Edwin Black in his 2001 book, IBM and the Holocaust.

During the 1930s, IBM subsidiaries worked closely with the Nazis to develop and maintain the registration and tracking systems which were the foundation of their extermination operations. “IBM’s custom-designed prisoner-tracking Hollerith punch card equipment allowed the Nazis to efficiently manage the hundreds of concentration camps and sub-camps throughout Europe, as well as the millions who passed through them. Auschwitz’ camp code in the IBM tabulation system was 001.” (Black, 2002)

“The image of a tattooed number on the forearm of a death-camp survivor is one of the most recognized symbols of the Holocaust. Black shows that these numbers initially correlated to the IBM Hollerith punch-card system.” (AllBusiness, 2002)

Of course, the level of surveillance that we are experiencing today far surpasses anything seen by those living in Nazi Germany. Between GPS-tracked cell phones, OCR license-plate readers, and full-fledged city video surveillance systems, both corporations and law enforcement can track private citizens’ moment-to-moment activities.

What’s happening with all this data? The answer is: we (the public) don’t know. From traffic cameras to full-scale city monitoring systems, mass surveillance programs are being put into place with very little publicized detail regarding information security or data management. Conversely, the implementers seem to have taken a “security through obscurity” approach, where public disclosure of surveillance IT management practices is seen as a threat to security itself.

(image: IBM’s WSJ ad, 4/1/2009)

“Billions of records, accessible in minutes,” reads an IBM advertisement. “At the heart of the Real Time Crime Center is IBM Crime Information Warehouse technology… Advanced data-mining technology provides investigators with access to billions of records.”

Challenge: can you find any record of IT security audits of New York’s powerful public surveillance center, or even just indications that regular IT security audits occur? I can’t. (If you do, post!) If these records exist, they sure aren’t easily accessible by the public. Don’t we deserve verifiable evidence that our personal information is being responsibly managed?

As anyone in the open-source or cryptographic community knows, security through obscurity doesn’t make a system more secure. In the case of mass surveillance and tracking systems, the public is being denied the ability to verify that our data is securely and appropriately managed.

Moreover, what exactly are government and contractors doing with all of this very personal data? Contractors such as IBM are collecting an enormous amount of personal data, yet the public receives very little detail about how long our information is kept, who has access, and precisely how our data is managed or used — other than vague, unverified assurances that our information is managed in accordance with regulation. It is impossible for us to assess compliance with the referenced privacy and information security regulations without any real data.

Mass surveillance is an extremely powerful tool which is here to stay. Electronic mass tracking systems essentially obviate the need for punch cards and tattooed numbers, while serving effectively the same purpose. “It was the use of raw numbers, punch cards, statistical expertise, and identification cards that made [Nazi genocide] possible…” write Aly and Roth in their excellent book, The Nazi Census. “Every act of extermination was preceded by an act of registration.”

In a free society, the public must have the ability to actively provide input and receive feedback regarding the collection, maintenance and use of our tracking information, surveillance photographs and videos. If mass surveillance systems are not controlled by the population under surveillance, they will be (and have been) used for oppression. “Knowledge is power.”
 

Sherri Davidoff
PGP-signed text: 2009-04-02 (current)

In the great debates of Pirates vs. Ninjas and Emacs vs. Vi, there is one overarching question:

Do Pirates and Ninjas use Emacs or Vi?

Philosecurity has conducted countless hours of research, interviewed real ninjas and pirates in their natural environs, and launched intensive laboratory studies involving monkeys in order to bring you, our readers, the scientifically proven answers you demand.

After thousands of hours and monkey brains, our scientists have reached the following conclusions:

  • Pirates use Emacs
  • Ninjas Use Vi

Laboratory results showed that 92% of ninjas preferred vi, while fully 96% of pirates used emacs. In the wild, these numbers were even higher (94% and 97.5%, respectively).

Philosecurity’s expert team of scientists conducted an extensive genetic analysis and concluded that pirates were more genetically fit for the emacs programming environment, while ninjas were predisposed for survival in the vi environment. These genetic features can clearly be seen in the following photos of leading emacs and vi users:

(photos: Bill Joy and Richard Stallman)

  • Ninja – Bill Joy, Vi Creator. Hand placement conceals poison dart.
  • Pirate – Richard Stallman, Emacs Creator. Note beard.

In order to better understand why, we gathered a team of anthropologists, programming experts, and behavioral psychiatrists to analyze the data. Our experts concluded that there are deep-seated psychological, cultural and evolutionary reasons that pirates use emacs and ninjas use vi.

Why Ninjas Use Vi

According to vi’s author Bill Joy, vi was designed to be usable over “a 300-baud modem,” on systems that could “just barely get the cursor off the bottom line.” This was in contrast to Emacs, which “was written for systems with blazing fiber-channel links and monster PDP-10’s.” (Jackson, Linux.com) Ninjas, who emerged in 15th century feudal Japan, would no doubt have appreciated vi’s functionality even across limited communications facilities and on older equipment.

Vi is designed to allow “users of the QWERTY keyboard to keep their fingers on the home row, thus requiring less movement to edit.” This would undoubtedly appeal to ninjas, who are “skilled in the art of stealth.” (Wikipedia)

Vi was originally designed to do a few things well, and avoid feature bloat. This also appealed to ninjas, who had to travel light. Over the centuries, ninja evolved increasingly specialized equipment, such as shobo rings to hit pressure points, metsubushi (small bombs) and poison shuriken (throwing weapons). “The assassination, espionage, and infiltration tasks of the ninja led to the development of specialized technology in concealable weapons and infiltration tools.” (Wikipedia) Similarly, over time vi has evolved offshoots such as vim with increasingly powerful features designed for the programming environment.

Vi has two modes:

  • Command mode – Stealthily leap from line to line, over sentences, leaving no trace.
  • Insert mode – Text everywhere

Ninjas have two modes:

  • Stealth mode – Silently leap from tree to tree, over fences, leaving no trace
  • Battle mode – Bodies everywhere

 

Why Pirates Use Emacs

(screenshot: Emacs)

Emacs was designed to be “highly customizable and includes a large number of bells and whistles, as it is essentially a Lisp programming language execution environment…” (Wikipedia)

Pirates are highly concerned with customization. What they lack in speed they make up for in panache: swanky flags, matching shoulder parrots and even customized limbs with fancy hooks and pegs. Pirates work hard to customize their ships, their costumes, their appendages and their speech. Emacs is traditionally slower than vi, but that wouldn’t be much concern for pirates, who are usually drunk and missing limbs anyway.

Pirates place themselves along trade routes and routinely raid passing ships, which gives them access to the most modern equipment. One of their overarching professional goals is to accumulate lots of valuable stuff. In the course of daily raids they acquire the most modern technology, which they can then use to run a more resource-intensive programming editor such as Emacs.

Conclusions

Based on extensive laboratory research on monkeys, as well as detailed analysis of wild pirate/ninja habitats, Philosecurity’s team of experts has uncovered clear evidence that pirates use Emacs and ninjas use vi. The team also identified several cultural and evolutionary factors which have contributed to this trend.

Still, open questions remain. According to leading programming expert Gary Longsine, “Vampires use vi with an emacs plugin.” What editors will robots and space aliens prefer? Only time will tell.
 

Sherri Davidoff
PGP-signed text: 2009-03-23 (current)
2009-03-23 (version 0)

No matter where you go, your computer leaves footprints on the network. When you connect to the network, logon to your workstation, or surf the web, these activities leave trails throughout your employer or ISP’s network – even when the administrators are not deliberately trying to monitor your activity.

(image: fingerprint)

Forensic analysts traditionally focus on hard drive analysis, but hard drives are not always accessible, and they don’t tell the full story. Savvy investigators also include the network environment. Recently I’ve been co-authoring a class on Network Forensics (SANS Sec558), and I’ve been building lab networks, collecting evidence for the class exercises, and practicing network forensics in-depth. Here are a few ways that investigators reconstruct computer activity using network forensics.

Web Surfing: Many organizations use web proxies to improve web surfing performance. As it happens, web proxies maintain a log of web requests and even copies of web pages (for a limited period of time). Forensic investigators can use graphical tools such as Sarg to analyze web proxy logs and view each client’s browsing history. Investigators can even extract pages themselves from the web proxy cache with common tools such as wget.

By analyzing web proxy logs, investigators can reconstruct browsing history, view downloads, recover social networking information, identify external email accounts, and even obtain usernames and passwords (which are sometimes included in URLs). Web proxies result in faster web browsing and help lower network congestion. As a side effect, they also accumulate logs which record your web browsing history.

Laptop/Mobile Device Tracking: Investigators can identify a specific laptop even when its IP address changes, and even if it moves to a different network. The network card in your computer has a unique address assigned to it by the manufacturer called the Media Access Control (MAC) address. When you connect your laptop to a hotspot or company network, your network card broadcasts its unique MAC address, and the DHCP server then assigns an IP address to your network card.

Forensic analysts can use DHCP server logs to track which IP addresses belonged to which network cards at a given time. By default, your MAC address also reveals information about the manufacturer, so forensic analysts can infer whether your laptop contains, for example, an Apple-manufactured network interface.

There’s a catch: You can change your network card’s MAC address. It’s actually fairly easy to do, even though most people don’t bother. A MAC address is really about as reliable as using hair color to describe a suspect. Much of the time, it’s accurate, and it takes conscious effort to change – but with a little effort it can be modified. You can even change the MAC address so that it looks as though your network card was made by a different manufacturer. If someone purposefully changed their MAC address, that would make it harder to link network activity to their specific network card.
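To show the DHCP correlation described above in working code, here is an added example of my own (not from the post, the SANS class or any DHCP server project). It turns ISC dhcpd-style syslog lines into lease intervals, answers “which network card held this IP address at this time”, and flags MAC addresses whose IEEE locally-administered bit is set, which is one cheap hint that an address may have been changed in software. The log excerpt, hostnames and MAC addresses are constructed for the example; the year is passed in separately because syslog does not record it.

```python
import re
from datetime import datetime

# Constructed dhcpd syslog excerpt (not a real capture); the MAC addresses
# are placeholders. syslog omits the year, so it is passed in separately.
DHCP_LOG = """\
Apr 14 14:01:02 gw dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:01 via eth0
Apr 14 14:01:02 gw dhcpd: DHCPOFFER on 192.168.1.26 to 00:aa:bb:cc:dd:01 (laptop-a) via eth0
Apr 14 14:01:03 gw dhcpd: DHCPACK on 192.168.1.26 to 00:aa:bb:cc:dd:01 (laptop-a) via eth0
Apr 14 14:31:03 gw dhcpd: DHCPACK on 192.168.1.26 to 00:aa:bb:cc:dd:01 (laptop-a) via eth0
Apr 14 15:30:00 gw dhcpd: DHCPRELEASE of 192.168.1.26 from 00:aa:bb:cc:dd:01 (laptop-a) via eth0 (found)
Apr 14 15:45:10 gw dhcpd: DHCPACK on 192.168.1.26 to 02:aa:bb:cc:dd:02 via eth0
Apr 14 15:45:11 gw dhcpd: DHCPACK on 192.168.1.40 to 00:aa:bb:cc:dd:03 (printer) via eth0
"""

STAMP = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
ACK_RE = re.compile(STAMP + r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})")
REL_RE = re.compile(STAMP + r"DHCPRELEASE of (?P<ip>\S+) from (?P<mac>[0-9a-fA-F:]{17})")


def _stamp(ts, year):
    """Combine a year-less syslog timestamp with the year the log covers."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def build_leases(log_text, year):
    """Turn ACK/RELEASE events into lease intervals: a list of dicts with
    ip, mac, start and end (end is None while the lease is still open).
    OFFER and DISCOVER lines are ignored: only an ACK binds an address."""
    leases, open_by_ip = [], {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            t, ip, mac = _stamp(m["ts"], year), m["ip"], m["mac"].lower()
            cur = open_by_ip.get(ip)
            if cur and cur["mac"] == mac:
                continue                      # renewal of the same lease
            if cur:
                cur["end"] = t                # address handed to another client
            lease = {"ip": ip, "mac": mac, "start": t, "end": None}
            leases.append(lease)
            open_by_ip[ip] = lease
            continue
        m = REL_RE.match(line)
        if m:
            t, ip, mac = _stamp(m["ts"], year), m["ip"], m["mac"].lower()
            cur = open_by_ip.get(ip)
            if cur and cur["mac"] == mac:
                cur["end"] = t
                del open_by_ip[ip]
    return leases


def who_had(leases, ip, when):
    """MAC that held `ip` at `when` ("YYYY-MM-DD HH:MM:SS"), or None if the
    address was unassigned at that moment."""
    t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= t and (
                lease["end"] is None or t < lease["end"]):
            return lease["mac"]
    return None


def is_locally_administered(mac):
    """Bit 1 of the first octet is the IEEE 'locally administered' flag.
    Vendors burn in addresses with it clear, so a set bit is a hint (not
    proof) that the address was chosen in software."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


if __name__ == "__main__":
    leases = build_leases(DHCP_LOG, 2009)
    for lease in leases:
        flag = " (locally administered)" if is_locally_administered(lease["mac"]) else ""
        print(lease["ip"], lease["mac"], lease["start"], lease["end"], flag)
    print(who_had(leases, "192.168.1.26", "2009-04-14 14:30:00"))
```

Two details matter in practice: the DHCP server’s clock must be reconciled with the clocks of the proxy or packet capture you are correlating against, and a gap between a release and the next ACK (15:30 to 15:45 in the constructed log) means a query in that window correctly returns nothing rather than guessing. Timelines built this way identify a network card, not a person, which is why the MAC-spoofing caveat above still applies.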

Logon History: In order to comply with regulations such as HIPAA (as well as standard security best practices), organizations frequently configure workstations to send records of events to central logging servers, which collect and store logs from many workstations all in one place. Typically, central logging servers store login times, failed login attempts, and commands that are executed with administrative privileges (the specifics vary depending on the organization). The workstation must be preconfigured to send logs to the central logging server. My favorite log analysis tool is Splunk. By analyzing a central logging server, forensic investigators can track when you logon (or when you mess up your password), when you run privileged commands, or take other noteworthy actions.

Network traffic: Forensic investigators who are monitoring active connections can collect all network traffic to and from a specific computer, without the user ever knowing. There are many ways to monitor network traffic. If investigators have the support of network administrators, then the administrators can simply set up a SPAN port on a router, mirror all traffic, and filter for interesting bits. Some companies do this all the time, filtering for malicious traffic, proprietary data, or even keywords that might indicate employees are angry. Wireless networks are even easier to analyze. Since wireless access points are hubs, every client can potentially capture traffic destined for any other system – or all systems. Tools such as Wireshark and tcpdump are useful for capturing network traffic (investigators: if you use tcpdump, remember to set the snaplength to zero for full packet contents).

Here are a few things forensic investigators can do with raw traffic captures:

  • File carving: Investigators can actually carve files out of raw network traffic and reconstruct file transfers. If you upload a JPG to a web site, send an email attachment, or download an MP3, anyone who has captured your network traffic can reconstruct your file. Tools such as tcpxtract are helpful for this purpose. Investigators can also view images and other file formats in real time as they are transferred across the network, using tools like driftnet.
  • Instant message reconstruction: If you’re not encrypting your instant messages, then they are quite easy to see as they travel across the network. One of my clients once half-jokingly said that he considered deploying a scrolling sign in the lunchroom which broadcast everybody’s IMs, in order to reduce the amount of IM usage.
  • Email reconstruction: Emails are rarely encrypted as they traverse the network. Much like instant messages, the text is trivial to read. Investigators don’t even need to go to the trouble of reconstructing files: you can simply run “strings” on raw packet captures and dump the output to a file (I recommend always checking both ASCII and Unicode output). If you’re feeling more interactive, you can also view the raw traffic in a hex editor and read the ASCII output.
  • Web surfing reconstruction: Perhaps your organization doesn’t have a proxy server, or the forensic investigator doesn’t have access to it. With access to captured traffic from your computer, investigators can extract your web browsing activity, full page content, and form submissions.

Forensics and privacy are two sides of the same coin. Both investigators and everyday citizens benefit from understanding the types of personal information that companies, hotspots and ISPs routinely store, and how activity can be tracked and reconstructed.

Check out our three-day class: SANS Sec558: Network Forensics, scheduled to run this June at SANSFIRE in Washington, DC. We’ll do lots of advanced, hands-on exercises in which we analyze a virtual network, and spend a full day working as investigative teams to solve a crime. Hope to see some of you there!

Sherri Davidoff
PGP-signed text: 2009-03-16 (current)

(image: Rogue, of the X-Men)

For $40, anyone can purchase a cheap wireless AP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points, which allow them to bypass the pesky firewall and remotely access the network later on. These days, disgruntled employees can easily hide an AP behind the file cabinet before cleaning out their desks, and then access the company network months later from the parking lot.

Many companies conduct regular “war-walking” scans to detect rogue access points (i.e. using Kismet or Netstumbler), or invest in commercial Wireless Intrusion Detection Systems (WIDS). However, there are sneaky ways to bypass traditional war-walking and WIDS systems. Recently, I took Josh Wright’s excellent “Wireless Ethical Hacking” SANS class, and he touched on a number of tricks that attackers can use to foil your company’s rogue WAP detection efforts. Here are a few:

1) Channel 14

In the United States, the FCC has licensed 11 channels for 802.11b/g, which have center frequencies between 2.412 GHz to 2.462 GHz. However, most of Europe allows 13 channels (up to 2.472 GHz), and Japan allows 802.11b all the way up to channel 14, or 2.484 GHz.

Cards manufactured for the United States often don’t support channel 14, since it’s illegal to transmit on that frequency. There’s overlap between the channels, but at 2.484 GHz, channel 14 is far enough away from channel 11 that network cards are unlikely to pick up much signal on channel 11. If an attacker were to configure an AP to illegally transmit on Channel 14 and export data at 2.484 GHz, security teams monitoring US channels would probably never detect it.

2) 802.11n Green Field mode

The IEEE has been hard at work on the 802.11n (“MIMO”-based) specification, which allows much greater throughput than 802.11a/b/g (100Mbps or more). The draft 802.11n standard specifies two modes:

  • “Mixed-mode,” which allows it to work with legacy 802.11a/b/g networks;
  • “Green Field” or “high-throughput only” mode, which takes full advantage of the enhanced throughput but is not visible to 802.11a/b/g devices. Older devices will see GF-mode traffic only as noise.

Not visible to 802.11a/b/g devices? That means if you’re war-walking with an 802.11a/b/g card, you can’t see 802.11n devices operating in Green Field (GF) mode. The specification hasn’t even been finalized, but 802.11n devices are already available for as little as $50 – easy to buy, easy to plug into your company’s network. However, most companies have not yet purchased 802.11n-compatible equipment and hence can’t detect GF-mode 802.11n rogue APs.

Josh published a vulnerability report explaining this, in which he wrote: “With the inability to decode GF mode traffic, an attacker can position a malicious rogue AP on a victim network using the GF mode preamble. This would allow an attacker to evade wireless intrusion detection systems (WIDS) based on non-HT devices. This includes all WIDS devices based on 802.11a/b/g wireless cards.”

3) Bluetooth Access Point

If you’re like me, when you think about Bluetooth you envision your tiny little headset which crackles and hisses every time you walk too far away from your phone. That’s because your Bluetooth headset is designed for a Class 2 Bluetooth network, which is fairly low-power and has a maximum range of ~10M.

However, there’s more to Bluetooth than your rinky-dink headset. Bluetooth Class 1 devices are much more powerful, with ranges similar to 802.11b wireless APs. A Bluetooth Class 1 device can transmit up to 100mW, with a typical range of ~100M (or miles, if the receiver has a directional antenna). You can buy a Class 1 Bluetooth AP for $100-200.

Can you discover Bluetooth APs while war-walking? Not if you’re just using an 802.11 card. Even if you’re using a spectrum analyzer like WiSpy, you may not notice it. Bluetooth uses Frequency Hopping Spread Spectrum, and hops 1600 times a second throughout the 2.402-2.480GHz band. Because it’s spread out across the spectrum, it can be hard to notice and easily mistaken for noise by the untrained eye. Most Wireless IDS systems and security teams simply don’t look for it (yet).

4) Wireless Knocking

This is my favorite. Remember port knocking? Instead of installing a backdoor to listen on a particular port (where it might be noticed), l33t h4×0rs installed rootkits that would wait for a particular sequence of ports to be scanned, at which point the knocker’s IP address would be granted access. “A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened… That equates to approximately 65535^4 packets in order to obtain and detect a single successful opening. That’s approximately 18,445,618,199,572,250,625 or 18 quintillion packets.” (Wikipedia)

With wireless knocking, a rogue AP sits on the network in monitor mode, listening for probe requests. When the rogue AP receives a packet (or sequence of packets) with the preconfigured SSID, it awakens and switches to master mode. The program “WKnock” is designed for this purpose, and it can be installed on any AP supported by the OpenWRT framework. During times when the rogue AP isn’t active, it is silent and can’t be detected using common wireless scanning tools.

Sneaky!

If you want to learn more about wireless attacks and defense, I definitely recommend Josh Wright’s class – SANS 617.

Sherri Davidoff
PGP-signed text: 2009-03-09 (current)

(image: seal of the US National Drug Intelligence Center)

The National Drug Intelligence Center has developed software called (ahem) “HashKeeper” “as its principal tool to expedite the analysis of electronic media.”

Hahahaha…..

Apparently, “HashKeeper is available free of charge.” Contact the National Drug Intelligence Center for more information.

National Drug Intelligence Center
c/o Mr. Steve Gironda
Telephone: 814-532-4987
E-mail: ndic.domex.request@usdoj.gov

Hat tip to John Masterson.

Sherri Davidoff
PGP-signed text: 2009-03-01 (current)

Last week marked the original official deadline for the Digital Television Transition, after which analog television broadcasts would be terminated. (The official deadline was recently extended to June 12, 2009.) To ease the transition, the US government launched the TV Converter Box Coupon Program, which “allows U.S. households to obtain up to two coupons, each worth $40, that can be applied toward the cost of eligible converter boxes.” (TV converter coupon program site)

(image: front of the coupon, details blurred)

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

(image: back of the coupon, details blurred)

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.
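As an added example (my own code, not from the post, the NTIA or any card-reader vendor), here is a small decoder for the two tracks quoted above, which makes the point concrete: the name lives only on track 1, so anyone parsing a swipe the way bank-card software does gets the cardholder’s name for free, while a consumer looking at the face of the card never sees it. The track strings are the post’s own already-altered sample; the field layout (PAN, name, YYMM expiry, three-digit service code, discretionary data) is the ISO 7811/7813 financial-card convention, which is an assumption about how the DTV coupon encodes its stripe, as is the “20” century prefix on the expiry.

```python
import re

# The two tracks quoted in the post (name and number were already altered there).
TRACK1 = "%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?"
TRACK2 = ";5897320630985200=09031210000079800000?"

# Assumed layout (ISO 7811/7813 financial-card tracks):
#   Track 1: %B <PAN> ^ <SURNAME/GIVEN> ^ <YYMM> <service code> <discretionary> ?
#   Track 2: ;  <PAN> = <YYMM> <service code> <discretionary> ?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def _yymm(exp):
    """Expiry is YYMM; the century is assumed to be 20xx."""
    return "20%s-%s" % (exp[:2], exp[2:])


def decode_track1(track):
    """Track 1 is the only track that carries the cardholder's name."""
    m = TRACK1_RE.match(track)
    if not m:
        raise ValueError("not a track 1 record: %r" % track)
    surname, _, given = m["name"].partition("/")
    return {"pan": m["pan"], "surname": surname.strip(), "given_name": given.strip(),
            "expires": _yymm(m["exp"]), "service_code": m["svc"],
            "discretionary": m["disc"]}


def decode_track2(track):
    """Track 2 repeats the PAN and expiry in a shorter numeric-only form."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a track 2 record: %r" % track)
    return {"pan": m["pan"], "expires": _yymm(m["exp"]), "service_code": m["svc"],
            "discretionary": m["disc"]}


def decode_swipe(raw):
    """Decode a reader's output (one track per line) and cross-check the two
    tracks: PAN and expiry should agree if the stripe is intact."""
    t1 = t2 = None
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("%"):
            t1 = decode_track1(line)
        elif line.startswith(";"):
            t2 = decode_track2(line)
    consistent = bool(t1 and t2 and t1["pan"] == t2["pan"]
                      and t1["expires"] == t2["expires"])
    return {"track1": t1, "track2": t2, "consistent": consistent}


def mask_pan(pan):
    """Show only the last four digits, the usual practice when a number must be
    logged or displayed without exposing the whole identifier."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    swipe = decode_swipe(TRACK1 + "\n" + TRACK2)
    t1 = swipe["track1"]
    print("name on stripe:", t1["surname"], t1["given_name"])
    print("coupon number :", mask_pan(t1["pan"]), "expires", t1["expires"])
    print("tracks agree  :", swipe["consistent"])
```

The decoded expiry (2009-03) matches the post’s timing and the 90-day validity of the coupons, and the three-digit service code and the PAN agree across both tracks, which is what a retailer’s point-of-sale software would see on every swipe. Whether a given retailer keeps the name field is a policy question the stripe itself does not answer; the point is that the data is handed over whether or not anyone asked for it.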

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

(image: quote from Mom)

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
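As an added example (my own illustration, not code from the NTIA or any retailer), here is what a point-of-sale system does with a name once it is encoded on the stripe: it reads it, in plaintext, with no cooperation from the cardholder. The example assumes the coupon uses the common ISO/IEC 7813 Track 1 layout and that the coupon’s serial number sits in the account-number field; the page does not say how the coupon actually encodes its data, and the sample swipe is constructed. The `name_matches` function is the ID comparison a cashier could run, and `redemption_record` is the only part the program’s tracking requirement (serial number, retailer, box) actually needs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ISO/IEC 7813 Track 1, format code "B" (assumed layout; the coupon's real
# encoding is not documented on the page):
#   %B<account number, up to 19 digits>^<SURNAME/GIVEN>^<YYMM><service code><discretionary>?
# Expiry and service code may each be replaced by a lone "^" when absent.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<expiry>\d{4}|\^)(?P<service>\d{3}|\^)(?P<disc>[^?]*)\?$"
)


@dataclass
class Track1:
    pan: str  # account number; for a coupon, assumed to hold the serial number
    surname: str
    given: str
    expiry: Optional[str]
    service_code: Optional[str]
    discretionary: str


def parse_track1(raw: str) -> Track1:
    """Decode one Track 1 record. Everything here is plaintext: any reader can do this."""
    m = TRACK1_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 1 format-B record")
    surname, _, given = m.group("name").partition("/")
    expiry, service = m.group("expiry"), m.group("service")
    return Track1(
        pan=m.group("pan"),
        surname=surname.strip(),
        given=given.strip(),
        expiry=None if expiry == "^" else expiry,
        service_code=None if service == "^" else service,
        discretionary=m.group("disc"),
    )


def _norm(s: str) -> str:
    """Uppercase letters only, so 'Doe' and 'DOE ' compare equal."""
    return re.sub(r"[^A-Z]", "", s.upper())


def name_matches(track: Track1, id_surname: str, id_given: str) -> bool:
    """The check a cashier could run against a photo ID. Stripes truncate long
    names to fit the 26-character field, so the given name only has to agree
    as a prefix; the surname must match exactly."""
    if _norm(track.surname) != _norm(id_surname):
        return False
    a, b = _norm(track.given), _norm(id_given)
    return bool(a and b) and (a.startswith(b) or b.startswith(a))


def redemption_record(track: Track1, retailer_id: str, box_model: str) -> dict:
    """The minimal record the program's tracking requirement needs per redemption
    (serial, retailer, box). The name never has to leave the card reader."""
    return {"serial": track.pan, "retailer": retailer_id, "box": box_model}


if __name__ == "__main__":
    # Constructed sample swipe; not real coupon data.
    t = parse_track1("%B4000123412341234^DOE/JANE^1212101000000000?")
    print(t)
    print(name_matches(t, "Doe", "Jane"), redemption_record(t, "BBY-0412", "CB-1"))
```

The point of the split between `parse_track1` and `redemption_record` is that the retailer’s system sees the full record whether or not it needs it; what it stores afterwards is a policy choice the consumer never gets to see.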
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and their names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of Americans’ names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

 

Sherri Davidoff
PGP-signed text: 2009-02-23 (current)

White-Collar Looting

One midsummer night in 1977, the power went out in New York City. “Thousands of people took to the streets and smashed store windows looking for TVs, furniture, or clothing… The police made 3,776 arrests, although…many thousands escaped before being caught. 1,037 fires burned throughout the City…” (Blackout History Project)

Cover of July 25, 1977 Time Magazine showing the New York City blackout of 1977 (Wikipedia)

The troublemakers weren’t faceless terrorists but local youth and, ultimately, mainstream moms and dads. The most notable shift in the demographic of the looters occurred between the hours of 11:00 P.M. and midnight, when stable, normally law-abiding citizens began to participate in the scavenging and mayhem.

The massive extent of the looting, especially compared with the few disruptions that occurred during the 1965 blackout, was partly due to the economic downturn. By 1977 the unemployment amongst young blacks in New York City had reached 40%, compared to roughly 20% in 1965. Many people were out of work and the standard of living had decreased; however, television and media constantly reminded people of the material goods which they could not possess. (Time, 1977)

It’s no wonder that in the current economic downturn, companies are starting to worry more about the “insider threat” and white-collar looting. “Information security experts are bracing for the law of unintended consequences to swing into action in 2009 as layoffs, downsizing and low morale bring the worst out of trusted insiders looking to profit off of proprietary intellectual property, customer contact lists, trade secrets and any other sensitive information. …[L]ast December the majority of participants in a survey reported that if they were fired tomorrow they would definitely take company data with them to their next employer.” (Lumension, 2009)

Today, as downsizing becomes rampant, there are increasing numbers of disgruntled former employees, some of whom have deep knowledge of an organization’s IT infrastructure. There are also more disgruntled current employees, as downsizing places greater burdens and stress on the staff who remain. As the scholar Ho Yanxi put it, “The one who treats me well is my leader; the one who treats me cruelly is my enemy.” (Cleary, Art of War)

Exacerbating the situation, fewer staff means fewer people to monitor and maintain networks that are already out of control. That raises the number of security vulnerabilities and lowers the chance that a theft will be noticed, and together the two make exploitation proportionally more likely. Cutting already overworked IT staff leads to a downward spiral of network disrepair, security incidents and stressed IT workers.

The risk-vs-reward calculations are illustrated in this interview with one of the first blackout looters:

Interviewer: “What kind of money would you need to stop you from [looting]?”
J: Oh, it wouldn’t just have to be money. It would have to be my position in life. Like if I was to go to law school, and have a nice paying job, and be established in a firm or something… I wouldn’t take the risk of getting busted and havin to go to jail and blowin’ my schooling. It’s not worth the risk.
(Blackout Looting!, p.176)

As white-collar workers feel increasingly disenfranchised, the risk of insider data theft proportionally rises.

Who are “we,” anyway?

The “insider threat” is even more serious when a large percentage of workers are contractors, who have even less incentive to ensure long-term organizational stability. The war in Iraq nicely illustrates this phenomenon. Last week the GAO released a very interesting report on US operations management in Iraq and Afghanistan, in which they stated, “As of July 2008, there were approximately 162,400 DOD contractors and, as of December 1, 2008, approximately 148,500 U.S. troops in Iraq.” This enormous ratio of contractors to military staff proved overwhelming. “Lack of adequate numbers of contract oversight personnel,” was cited as a serious issue. “[T]oo few contract oversight personnel limited DOD’s ability to identify savings, monitor contractor performance, or resolve contractor performance issues.” (GAO, 2/2009)

Lacking oversight, training and incentives, contractors took enormous advantage of their situation. “KBR employees who were contracted to perform construction duties inside palaces and municipal buildings were looting,” said Linda Warren, a contracted laundry foreman, during Senate hearings. “Not only were they looting, but they had a system in place to get contraband out of the country so it could be sold on eBay. They stole artwork, rugs, crystal, and even melted down gold to make spurs for cowboy boots.” (The transcript of her testimony is definitely worth reading.)

Even contracting officers took advantage. Yesterday the New York Times published a front-page exposé, in which they reported, “Maj. John L. Cockerham of the Army pleaded guilty to accepting nearly $10 million in bribes as a contracting officer for the Iraq war and other military efforts from 2004 to 2007, when he was arrested. Major Cockerham’s wife has also pleaded guilty, as have several other contracting officers.... Former American officials describe payments to local contractors from huge sums of cash dumped onto tables and stuffed into sacks as if it were Halloween candy. ‘You had no oversight, chaos and breathtaking sums of money,’ said Senator Claire McCaskill.” (NYTimes, 2/15/2009)

Iraq is an extreme, but informative, example. Given these recent graphic illustrations of the results of contractor mismanagement, it’s worth examining the current situation in the IT sector, where contractor jobs are rising even as general employment falls.

“Contract work fuels rise in tech job postings,” reported CNET News last week. “Tech job listings rose to 57,337 as of February 2... But if you’re looking for full-time work with health benefits, you may not find the new data to be especially good news: Helping to drive that modest increase was a 7.3 percent gain in the number of contractor positions... ‘In uncertain times, companies are looking for flexibility in their payrolls to continue with critical projects,’ said Tom Silver... [of] Dice.com. Those critical projects often involve improvements to a company’s infrastructure... ‘For the last year or so, contractor jobs have accounted for 38 to 40 percent of the positions, but I expect that increase,’ Silver said. He noted he wouldn’t be surprised if the percentage for contractor job postings eventually reached to 50 percent later this year.” (Kawamoto, 2/2009)

In other words, the people being hired to work on “critical” infrastructure projects are increasingly those that do not receive health benefits and have little invested in the long-term survival of the company. Furthermore, as the ratio of full-time to contractor staff shrinks, there are fewer full-time employees to provide oversight.

Solutions: Maintaining Security in a Weakening Economy

The blackout of 1977 and the Iraq war illustrated two important factors which ultimately led to widespread security failures and looting:

  1. Reduced incentives for large numbers of individuals to support the current system;
  2. Limited oversight and low perceived risk of personal repercussions.

These two factors are increasingly present in the IT sector today, where a growing percentage of disgruntled employees and contractors have access to critical IT infrastructure, and where companies do not have the staffing or technical resources to monitor access and lock systems down.

How can we correct these fundamental problems that lead to the “insider threat”?

  1. Help workers to feel invested in the current system;
  2. Increase the perception of oversight and perceived likelihood of repercussions.

Any time there is a fundamental disconnect between the incentives of the people and those of the organization, there is naturally internal conflict and a greater risk of people undermining the status quo. When workers do not feel invested in the system, security incidents abound. Conversely, organizations can reduce the risk of insider attack by giving people a stake in the company’s success. A favorite of the security industry, the ancient military strategist Sun Tzu wrote about the importance of “inducing the people to have the same aim as the leadership.”

Even on a tight budget, organizations can still foster worker loyalty. As World War II demonstrated, it is possible to maintain, and even grow, a dedicated workforce during tough times. The WWII propaganda effort was implemented as a postering campaign on an unprecedented scale. During a period when civilians re-used scraps of paper because supplies were so limited, the US Office of War Information sought to “[ poster ] America every night,” and treated posters “as real war ammunition.” (Design for Victory, p. 11-12) The investment paid for itself a hundredfold.

Without resources for appropriate staffing and equipment, a high-return security investment for many companies might be a simple PR campaign designed to motivate employee loyalty. Similarly, even organizations that lack the resources to install and maintain proper monitoring capabilities can at least create the perception of oversight, which can dramatically reduce incidents. Physical security professionals have long used this tactic, for example by installing $30 dummy cameras and posting signs that advertise that the premises are actively monitored.
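To make “the actuality of oversight” concrete, here is an added example (my own code, not from the original post or any product): a small Python script that checks an access log against a roster of who should still have access. The log format, the roster and the log lines are all constructed for the example and are assumptions, not anything from a real system. It flags activity by accounts past their employment or contract end date, activity by accounts nobody in the roster owns, and after-hours bulk file reads, which is about the cheapest real monitoring an understaffed shop can run, and it needs nothing more than the HR offboarding list and a log file.

```python
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    target: str


class Alert(NamedTuple):
    ts: datetime
    user: str
    reason: str


def parse_line(line: str) -> Event:
    """Constructed log format (an assumption):
    '<ISO timestamp> user=<id> action=<verb> target=<path>'."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(datetime.fromisoformat(ts_str), fields["user"],
                 fields["action"], fields.get("target", ""))


def detect(lines: List[str], directory: Dict[str, dict],
           bulk_threshold: int = 20) -> List[Alert]:
    """Three cheap checks against a roster of who should still have access:
    1. activity by an account whose employment or contract end date has passed,
    2. activity by an account nobody in the roster owns,
    3. bulk file reads (>= bulk_threshold in one calendar day) between 22:00 and 06:00.
    """
    alerts: List[Alert] = []
    after_hours_reads: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        acct = directory.get(ev.user)
        if acct is None:
            alerts.append(Alert(ev.ts, ev.user, "account not in roster"))
            continue
        end: Optional[date] = acct.get("end")
        if end is not None and ev.ts.date() > end:
            alerts.append(Alert(ev.ts, ev.user,
                                f"{acct['status']} access after end date {end}"))
        if ev.action == "read" and (ev.ts.hour >= 22 or ev.ts.hour < 6):
            # Bucketed by calendar day; a 23:00-01:00 run is split across two buckets.
            after_hours_reads[(ev.user, ev.ts.date())] += 1
    for (user, day), n in after_hours_reads.items():
        if n >= bulk_threshold:
            alerts.append(Alert(datetime.combine(day, datetime.min.time()), user,
                                f"{n} after-hours file reads"))
    return sorted(alerts)


# Constructed roster: who is allowed in, and until when.
ROSTER = {
    "jsmith":    {"status": "employee",   "end": None},
    "kcontract": {"status": "contractor", "end": date(2009, 3, 31)},
    "bwilson":   {"status": "employee",   "end": date(2009, 1, 30)},  # laid off
}

# Constructed log lines: a departed employee still logging in, a contractor
# working normally, an unknown account, and an employee pulling the customer
# share late at night.
SAMPLE_LOG = [
    "2009-02-13T09:12:00 user=kcontract action=login target=vpn",
    "2009-02-13T09:15:30 user=kcontract action=read target=/proj/build.xml",
    "2009-02-13T17:40:00 user=bwilson action=login target=vpn",
    "2009-02-13T17:41:05 user=bwilson action=read target=/share/customers.xls",
    "2009-02-13T18:02:00 user=ghost action=login target=vpn",
] + [f"2009-02-13T23:{m:02d}:00 user=jsmith action=read target=/share/customers/{m}.xls"
     for m in range(25)]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, ROSTER):
        print(a.ts, a.user, a.reason)
```

The first rule is the one that matters most in a layoff: it only works if the roster’s end dates are actually kept current, which is an HR-to-IT handoff, not a technical problem. Sending the daily alert summary to the whole team also turns the script into the “warning sign” of the previous paragraph: people know the log is read.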

I often say that “humans are unreliable components,” but that’s not really true. Humans are unreliable when placed in unstable situations and given conflicting incentives. Much like transistors in a circuit, humans within organizations tend to act predictably based on perceived incentives and risk.

In today’s economic downturn, companies are dramatically reducing incentives for workers and expanding the ratio of IT contractors to employees, even while IT oversight and monitoring capabilities are already very limited. As with New York’s 1977 blackout and the occupation of Iraq, workers find themselves with conflicting incentives, and some will invariably decide to serve their own well-being rather than the larger organization. How can organizations lower the risk of “white-collar looting”? Advertise incentives for workers to support the organization, and instill at least the perception (and better, the actuality) of oversight and monitoring.

Sherri Davidoff
PGP-signed text: 2009-02-16 (current)