The first step is to list all of the necessities I typically use in a week, and to figure out how to obtain each of these without plastic wrappers, bags or bottles. Here’s a first stab at the list:

Off to a good start! Unfortunately, the next item, “Yogurt,” looks a lot more daunting…

m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is “Either I say yes to everything or my business is destroyed…” What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, “Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?” I don’t remember ever doing that. I don’t remember ever saying, “Dear VISA, yes, I agree, I’ll do it!”

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, “we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.”

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to “please, hand-write me a check from now on.” And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are business that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the “Laura’s Online Candle-Shop” and “Best-Fishing-Lures-in-Arkansas Dot Com” and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small-to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all “web hosting companies” are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurb impossibility of the vast majority of web hosts from ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousans of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, “Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.” That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. “Hey, we’ve got to rewrite this code,” or “Hey, we’ve got to reconfigure this network,” We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? “My credit card processor tells me that I’m only allowed to host with a PCI complant host so I really need to know.” If our only answer is “no,” we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effectve?

m: Yes. I would say that PCI/DSS is effective in encouraging– let’s say urging or demanding– entities that handle personal information, including card holder data, card numbers and whatnot, to review the security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could– perhaps magically– ensure that the transation was legitimate, and it isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

Here are examples of the private information that state and local governments collect:

Health:

• Prescription Drug Monitoring Programs (PDMPs) in which “physicians and pharmacists… log each filled prescription into a state database to help medical professionals prevent abusers from obtaining prescriptions from multiple doctors.”
• Adult Medical histories (including sexual orientation, drug history, lists of medical problems, work history). Gathered for vaccinations and state health testing.
• Vaccine immunnization records (Children and Adults)
• Lists of people who are immunocompromised
• Lists of pregnant women and their doctors
• HIV/AIDS test results

Taxation:

• Income sources and levels
• Bill owed (doctors, lawyers, etc) for certain cases (see p.10)
• Bank statements
• Bank account numbers(see p. 14)
• Credit card numbers(see p. 14)
• Social security numbers
• Pension information
• Life insurance information
• Detailed employment records
• Deductions
• Value of assets (house, car, etc)
• Address, phone, extensive contact information
• Children’s names, Social Security numbers, ages
• Names of daycare providers

Unemployment:

• Names of people who have been unemployed
• Bank routing and checking account numbers
• Extensive personal details, including SSN, Driver’s license info, etc.
• Previous employment history
• Details regarding job search
• Salary records
• Records of unemployment funds received

Transportation:

• Detailed travel records (EZ-Pass, Fastlane, Subway passes)
• Dates, times, and locations that subway/EZ-pass cards were used
• Lists of senior citizens, contact information and photographs
• Lists of disabled people, contact information and photographs
• Credit-card and payment information
• Rider photographs and video footage

Motor Vehicle Services:

• Driver personal info:
• Height
• Weight
• Eye correction
• Address
• Social Security Number
• Payment information
• Violations (see p.3 for a list of info typically included in citations)
• Locations, dates, times
• Description and details
• Images (photographs, videos)
• Red-light camera images
• License-plate tracking

Government Employee records

• Social Security numbers
• Employee reviews
• Health insurance information

Education:

• Childrens’ standardized test scores

Police:

• Confidential informant records
• Confidential juvenile records
• Video surveillance footage of streets and intersections
• Rape victim statements and details
• Officer personal information and disciplinary records
• Investigative data

 
We conduct routine inspections of restaurant kitchens for public safety, and the public is entitled to see inspection certificates. Shouldn’t management of our public data be held to the same standards?

The public deserves to have input regarding what data is put into the hands of companies which are not controlled by the public. We deserve regulations which protect our private information from abuse, and which specify what types of information can or cannot be hosted by foreign companies and private companies.

Most importantly, we deserve assurance. Our government must routinely verify through inspection and public reports that confidential information is not being misused by private companies, and that only appropriate types of information are being shipped off-site. If private companies are to hold taxpayer information, the public deserves independent verification and reassurance that our data is well-managed.

For information about the specific data used by your state, check out your state’s web site and look at the services it offers. (Here’s a nice example from the State of New Mexico.) Then think about all the private information that your government needs to collect and process in order to support those services. You might be surprised.

“Over 60% of the U.S. state governments have gone Google.”

Does this mean that we’ve now handed the majority of our state governments’ operational data to a single privately-controlled company which has well-publicized partnerships with other governments such as China?

To find out more, I contacted Google’s press department. A representative promptly got back to me with more information:

“The reference to Going Google refers to US state governments using one or more of Google’s enterprise products…With regard to data hosting, Google Apps is a cloud computing solution meaning Google hosts the data in our data centers, relieving the customer or gov agency of the burden of managing their own servers in house.”

In other words, according to Google, United States state governments have literally handed over our public data to be held and managed by a private company which has well-publicized partnerships with other governments such as China. The data is physically stored in Google’s buildings, on Google’s servers, managed by Google’s employees. This means Google now controls our government’s access to it’s own data.

Google declined to make their list of state government customers public, so instead I checked to see which states had active Google Apps login pages for their domains. There are 19 states that have active Google Apps login pages (plus Washington D.C.) These include:

In September, Google announced its plans to create a major government data hosting operation for the United States. “Today, we’re excited to announce our intent to create a government cloud, which we expect to become operational in 2010. Offering the same services and features as our existing commercial cloud (such as Google Apps), this dedicated environment within existing Google facilities in the US will serve the unique needs of US federal, state, and local governments…”

Moving the data itself offsite is a BIG change, and one that comes at a BIG price. This effectively places state governments’ data outside the direct control of our government. If Google (or an ISP) were to decide for whatever reason– economic, political– to cut us off from our data, governments using their services would be, well, Scroogled.

To me, this is an unacceptable level of control for a single private company to have over federal, state or local government. When you reach a point where the government cannot operate without a private company, then the private company has effectively gained control of the government.

With Google physically housing and managing state government operational data, they literally gain control of our government’s operations. What’s more, Google also has access to data mine the information. Would this be legal? Hopefully not, depending on the contract that our governments have signed. Would it be technologically possible? Of course.

In another twist, state governments’ moves to outsource their data could also open their information to far greater access by intelligence agencies. It might be legal under homeland security rules for federal intelligence agencies to force Google to turn over information from state and local governments, perhaps without even notifying them. For issues where state laws are in direct conflict with federal laws, the implications for states’ rights are serious. For example, several states maintain lists of registered medical marijuana patients. Could a federal agency force or coerce Google to turn over lists of names without permission from the state?

Google is extremely good at managing its own public image (it undeniably has a leg up due to the fact that it controls news sources and search engine returns). However, it is still a for-profit corporation and ultimately works for the good of its owners, not the public. The fact that Google is working to host a large percentage of U.S. government data should set off alarm bells. How can the U.S. government effectively manage its own security and the interests of the people when large corporations have it by the balls?

The long-term, hard-to-quantify risks of moving the United States’ operational data to a private company are easy to ignore when you look at the short-term technological benefits and shiny flashy features. No one can deny that Google enables government entities to operate with a level of sophistication that would inconceivable if all operations were done in-house. Governments typically suffer the same problems as many midsize companies with underfunded IT departments and political complexities that make it difficult to centralize and streamline operations. It doesn’t really make sense for every state and local government to reinvent the wheel with respect to IT. With no “public option” for scalable, government-sponsored IT services, it’s understandable that state and local governments would outsource to the private sector.

That said, the practice of outsourcing government IT management is risky and deserves careful scrutiny and regulation. It’s funny that we’re chasing after “terrorists” in our airports, and at the same time our state governments have moved fundamental operations data over to a private company which is not controlled by the public and has strong ties to foreign governments.

Google is outside our system of checks and balances. They are quickly becoming absolutely necessary for our government to function, but their operations are not transparent and are outside the control of the American people.

Here are a few related press materials published by Google:

District of Colombia

Virtual Alabama

City of Los Angeles

‘”Its destruction left a deep and lasting wound in the architectural consciousness of the city. A famous photograph of a smashed caryatid in the landfill of the New Jersey Meadowlands struck a guilty chord.” (Wikipedia)
Patty King wrote in a comment a couple of days ago: “I remember a time about 10 years ago when flying was fun and so easy. Will it ever be like that again?”

Once upon a time, inspiring the traveler was important. The reactions of people in Penn Station were worth the enormous amount of time and effort placed into the space. Cultural and artistic expression were clearly strong and valued.

First impressions matter. Train stations and Airports are places where we welcome people from other countries or cities.

Perhaps someday we’ll remember the art, ambiance and culture that these important spaces brought to us. Perhaps someday we’ll once again decide to make our airports and train stations welcoming instead of paranoid, inspiring instead of intimidating, proud instead of afraid. Then flying will be fun again.

Sure, mankind created the Internet. That doesn’t mean we’re in charge.

When Robert Tappan Morris wrote the code for the first Internet worm, did he expect that it would spread? Sure. Did he expect that it would take down 10% of the Internet? No way.

When Chén Yíngháo wrote the very nasty Chernobyl virus back in 1998, did he expect that it would demolish over 700,000 systems worldwide, including the Korean Supreme Court and Turkish police departments? Nope. (And companies like IBM, Yamaha Corp. and Activision certainly didn’t intend to distribute it in their commercial products.)

People don’t control the Internet, just like the sun doesn’t go around the earth. A single computer sitting on your desk at work is the product of millions of people’s efforts, and the environment and the technology are constantly changing. Malware spreads like bacteria. Large networks of computers are like organisms which we can only generally predict.

Accidents, poor design and lack of maintenance are a huge contributing factors to cascading network disasters. A lot of networks are old, poorly maintained and getting more unstable by the day. I’ve seen systems in critical facilities crash when exposed to default nmap scans. Our most important systems are often the least frequently updated, because it’s hard to schedule down time and changing software or hardware is always risky. Unfortunately, lack of resources in government, utilities and other critical sectors is a big part of the problem.

“There is a risk,” writes Graham. “Hackers will eventually cause a major power outage. In the grand scheme of things, though, it’s not a big deal. Major power outages from accidental mistakes will always be a bigger threat.”

Destruction isn’t the greatest incentive. Viruses that kill their hosts don’t tend to spread, and similarly hackers who destroy their targets have a tough time generating profits.

As long as there are credit card numbers to distract them, we’ll all be fine.

Reverse of the United States Great Seal Novus Ordo Seclorum “A New Order of the Ages”

“Death of Anonymous Travel”
DEFCON 2009 – PDF
MD5sum: c772681c37c9ad5d210c19c12eb43095

Thanks to everyone who sent in comments, suggestions, and encouragement. (Special thanks to the EFF lawyers for reviewing this beforehand– you guys rock!)

I’ll have the full list of references (vendor marketing materials, news articles, FOIA docs, etc) up in the next week, so check back!

Abstract:
Worldwide, people who use cars, buses, trains, and carry cell phones are tracked in increasingly centralized corporate and government databases. This capability is still in its infancy, and has been facilitated by communication and payment systems which are linked to identification and refer to centralized electronic databases.

* Collate and disseminate information about current known travel monitoring practices;
* Discuss technical and social solutions for maintaining personal privacy and the freedom to assemble;
* Encourage greater transparency and public control over data collection and use.

“I recently requested my “file” from the Dept of Homeland Security – Customs. It was interesting to see that they not only knew every flight I took, but also all of the hotels I stayed at too. This surprised me because I didn’t understand how they knew where I was staying.

“I researched this and realized that when I had stayed at hotels that were not booked in advance, they did not have the information on my record. It seems that when you book through Sabre or other services that use Sabre, your entire itinerary become part of the DHS record also. I think this is what they compare your passport stamps to when you come back into the country and the Customs guy is sitting there staring at the computer screen and your passport.”

Sabre is used to book reservations for railways, car rentals, cruises, lodging and airlines around the world.

The Bush Turnpike in Texas no longer accepts cash as of July 1, 2009. Based on the federal Coinage Act of 1965, I believe this is illegal.

The Coinage Act (31 U.S.C. 5103) states: “United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues.”

The Treasury Department has made it clear that “Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills.” However, I would argue that the NTTA is now operating as a “creditor.” “ZipCash is the NTTA’s “drive now, pay later” option for customers without TollTags,” reads their advertising literature. “High-speed cameras take pictures of the license plates of vehicles without TollTags. Invoices for the tolls are then sent to the registered owner of each vehicle.”

The time at which payment is collected matters a lot. Stores are not required to accept US cash for products and services paid up front, because no debt is incurred. However, “restaurants that do not collect payment until after a meal is served would have to accept that legal tender for the debt incurred in purchasing the meal.” (Wikipedia) Based on this logic, the NTTA (“a political subdivision of the State of Texas”) would presumably not be required to accept cash for payment as a driver is getting onto the highway, but once he or she has driven the stretch of road, the debt has been incurred and US cash monies must be accepted.

There currently appears to be no way for a driver on the Bush Turnpike who is not the registered owner to directly receive and pay an invoice from the NTTA (according to Texas law, the owner is responsible). The NTTA sends “ZipCash” invoices only to the registered vehicle owner, and TxTolls are not transferable between vehicles. What’s more, the NTTA has no instructions (at least, none that I could find) on their web site which indicate how a driver could pay their ZipCash invoice in, well, real cash.

With the advent of “ZipCash” the North Texas Tollway Authority (NTTA) now falls under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) definition of “creditor” as “any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.”

This means that the NTTA is also regulated by the FTC’s new Red Flags Rules, which apply to any “creditor” that “offers or maintains ‘covered accounts.’ A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions…” The NTTA’s “Toll Tags” accounts fit squarely into that definition. (I wonder how hard the NTTA has worked on their required Red Flag Identity Theft Protection Program…)

According to the US Treasury, the Coinage Act ensures that “all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor.”

“Iran’s Web Spying Aided By Western Technology,” read the front page of the Wall Street Journal a few weeks ago. “European Gear Used in Vast Effort to Monitor Communications.”
Judging by the Intelligence Support Systems industry marketing brochures, Iran’s “monitoring center” is not exactly advanced compared with European state-of-the-art. Nokia-Siemens themselves said that they sold Iran a “restricted functionality” monitoring center. (Reports indicate that Iran also has “deep packet inspection” capabilties, presumably from another source.) According to Nokia-Siemens, over 60 countries have been sold a Monitoring Center. But their current “Intelligence Platform” solution is far more full-featured. Check out the Intelligence Platform brochure, which touts its “pattern recognition” and “behavioral analysis” capabilities. It “automatically detects formerly unknown patterns.” (Ah, dragnet.)

We can’t stop the unrelenting march of mass civilian communications monitoring, but perhaps we can turn lemons into lemonade. (Mmm, mass surveillance lemonade…what?)

From the Nokia-Siemens Intelligence Platform Brochure

Consider this technology’s potential for good. You could watch the spread of information through different routes the way doctors watch radioactive materials travel through the blood. You could measure how a population feels about a particular issue and get instantaneous feedback on policies with infinitesimal granularity. Better understanding of human psychiatry and communication could help us make better individual decisions and perhaps collectively govern ourselves more efficiently.

National communications surveillance is a very powerful tool for government right now (not to mention lucrative for phone companies, who are paid for the access). Also, given revelations about NSA wiretapping and FBI’s “Quantico Circuits,” it’s clear that the fundamental infrastructure is already in place (*ahem* NarusInsight).

Mass communications information would be very valuable for scientists– psychiatrists, anthropologists, etc. Unfortunately, today Internet, mobile and transaction surveillance data tends to go exclusively to the people who can pay for it or profit from it– ie. spooky government agencies with big budgets and advertisers. What if academic researchers had access to the same information that intelligence agents already comb every second?

Not that I really want to be under anybody’s microscope. But if anyone’s going to be analyzing my phone calls, payment transactions, emails and IMs, I’d rather it be researchers who will publish their findings, instead of secretive intelligence agencies. If our communications aren’t going to be private, let’s at least use these capabilities for clear, transparent public benefit.

Here’s an e-affirmative action proposal: For every intelligence agent that has access to mass surveillance data, one academic researcher should have access to the same information. And report on it.

At least then we’d know what the heck was going on.

Josh (author of SANS’ excellent Wireless Ethical Hacking class) eloquently describes his encounter and privacy concerns below:

“When I started my DX for the first time, I saw an entry “Archived Items”, which was all the books I had previously purchased. When I downloaded my copy of “ZigBee Wireless Networks and Transceivers” on the DX, I was surprised to see it open on the page where I had left off on my previous Kindle.

“I’d like to find out what Amazon’s privacy policy is about this data, and what they are retaining long-term. Do they record only the last page read for each of my books, purging this information after a period of time, or is it more nefarious?”

Josh Wright is the author of SANS 617 – Wireless Ethical Hacking.

“The demo laptops in question are located in an independently owned/operated reseller location, and are not configured or maintained by Verizon Wireless. Verizon Wireless is committed to the security of its customers and is working with the reseller to resolve this issue.”

Usually when working with vendors, the company’s lawyers immediately respond to any potential problems with security systems. Verizon did not respond this way. Instead, they began by asking a bunch of questions about the store locations and what security breaches were compromised. Further, they said that they could understand the confusion because the third party resellers have huge Verizon signs on their store. In short, they acknowledge that it can be very difficult to distinguish between the real Verizon stores and the resellers.

I was also very happy to see that they were interested in solving the issue. You see, even though the stores are not theirs, there is still damage that can be done if something hideous was to happen on one of the terminals.

I will keep you all posted on how the fix goes. I am planning on hitting a few of the stores later today just to see.
 

Last week I was plucking around at my local Verizon Wireless store looking for a power adapter for my i760. Apparently, this task is far harder then I thought it would be. The gentleman behind the counter said, “Whoa! That is a very old phone.”

I bought it last year.

Anyway, he disappeared into the back like he was hunting for the store’s last mogwai and left me, alone, in the store with their demo EVDO computer terminal.

So I started playing around with the Windows XP system they allow their customers to test the EVDO speed. Which I think is a great idea. However, there was a sign that said, “Please, check your email here!!” I don’t think so.

So I got curious as to what kind of security they put on these systems. I was hoping for at least a partially locked down terminal. At the very least, I was sure they would not leave an open system logged in with Administrator privileges for the whole world to use.

I was wrong.

As you can see the system is logged in with an account that has Administrator Privileges. There is no “hacking” this box…. You just walk up to it.

 
When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?” Which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my drivers license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over and quickly leave the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.

To my horror, all of the Verizon stores in my area were set up the exact same way.

There are two issues here. First, these terminals are insecure by design and replicated. Second, they encourage their potential customers to use these insecure systems to do potentially sensitive activities.

Why should Verizon care? The single biggest thing I can think of is liability. If you’re an attacker why would you keep your illegal files on your system? It seems so much better to store them on a random Verizon demo system. Next, think about the consistency. It is trivial to dump the password hashes from a system when you have Administrator access to the box. Where else are those passwords used?

The point is that we need to start securing things even if you don’t think there is a need. There are liability issues that come with having open systems so insecure. Further, it is just these types of things that can be catastrophic for an organization. The sad part is many organizations would say they never saw it coming.

We can say it again and again, organizations need to be a bit more protective of their customers data. Also, I think it would be a step in the right direction to not openly suggest that customers should check their email.

Until then… Buyer beware.

TSA has stated that Secure Flight record system is exempt to multiple provisions of the Privacy Act. In particular, it claims:

• “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
• “Exemption from Requirement to Collect Only Relevant and Necessary Information”
• “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
• “Exemption from the Requirement of Judicial Review”

TSA’s transportation security strategy appears to be based on the logic that by tracking civilians en masse and maintaining secret “watch lists” we can somehow identify all people with potentially malicious intent and prevent them from accessing public transportation systems. (“Sorry sir, you’ve already committed three suicide bombings this year, so we can’t allow you on the plane.”)

Of course, air travel is just a small part of the picture. TSA is also “responsible for security in all modes of transportation.” This includes cars, buses, subway and rail. According to their mandate, presumably even bicyclists would fall under TSA’s purview. Ground transportation is arguably even more important than aviation security, particularly because so many phone and network cables run along railways and highways. Although TSA has thus far focused their most draconian regulations on the air, they have been asserting increasing control over ground public transportation.

Last September, TSA flexed their ground-transportation muscles when they mobilized TSA and Amtrak security teams “from approximately 100 commuter rail, state, and local police agencies… for the largest joint, simultaneous Northeast rail security operation of its kind, involving 150 railway stations between Fredericksburg, Virginia, and Essex Junction, Vermont.”

What prompted this massive security exercise?

“The morning rush-hour multi-force security deployment was NOT in response to any particular threat or incident, but rather a demonstration of an ongoing collaborative effort to expand counter-terrorism and incident response capabilities up and down the Northeast Corridor railway system,” wrote TSA in a press release.

I see.

Let’s follow the TSA’s strategy to its logical conclusion. If we accept Secure Flight as a valid security strategy, then in order to effectively and fully “secure” our transportation infrastructure, we would need to:

• Track everyone traveling on a highway, subway, bus, train, or plane;
• Track everyone in or near a transportation interchange;
• Accurately identify every person (ultimately, using biometrics or similar);
• Compare identification to meticulously-maintained “watch lists”;
• Selectively deny travel based on secret information stored in government databases

Even then, it only takes one sneaky attacker to dodge the system and cause havoc. Furthermore, tracking every citizen is an extremely high-impact, resource-intensive strategy, which will require deep, fundamental, rather frightening changes in our society. It requires the abolishment of free society, placing our freedom to travel in the hands of an un-auditable, un-elected elite.

By treating citizens as potential enemy combatants, we waste money and actually degrade our nation’s security. This concept is summarized neatly in the Tao Te Ching: “do not use arms to coerce the world, for these things tend to reverse– brambles grow where an army has been… Weapons are inauspicious instruments, not the tools of the enlightened.” (Translation: Thomas Cleary)

What is a more effective strategy? The key is to examine incentives that lead up to attacks. Millions of people around the world, including American citizens, feel that they have been treated unfairly by United States corporations and the government.

Rather than feeding the fire by treating innocent civilians like potential enemy combatants, perhaps we should spend that money on 1) actually improving quality of life for civilians; 2) diplomatically resolving conflicts; 3) genuinely improving the resilience of our critical infrastructure; 4) non-proliferation and weapons-tracking efforts.

“When welfare and justice embrace the whole people, when public works are sufficient to meet national emergenices, when the policy of selection for office is satisfactory to the intelligent, when planning is sufficient to know strengths and weaknesses, that is the basis of certain victory.” (Cleary, Translator’s Introduction to the Art of War)

New York’s “Real Time Crime Center can quickly query millions of pieces of information to uncover previously unknown data relationships and points of connection.”

In Poland “personal and vehicle IDs can be instantly checked in an EU-wide database.”

In Chicago: city staff “have access to video from a multitude of cameras citywide, with advanced analytics built into the infrastructure, that are connected to a fiber/wireless network to assist the operator with potential ‘eyes-on-the-scene’ in the vicinity of an incident.”

I’m all for fighting crime, but these vast, nascent public surveillance programs which have minimal public input and oversight are pretty frightening. If you’re familiar with the history of IBM, their massive surveillance operations are especially creepy. “IBM was founded in 1898 by German inventor Herman Hollerith as a census tabulating company. Census was its business,” wrote Edwin Black in his 2001 book, IBM and the Holocaust.

During the 1930s, IBM subsidiaries worked closely with the Nazis to develop and maintain the registration and tracking systems which were the foundation of their extermination operations. “IBM’s custom-designed prisoner-tracking Hollerith punch card equipment allowed the Nazis to efficiently manage the hundreds of concentration camps and sub-camps throughout Europe, as well as the millions who passed through them. Auschwitz’ camp code in the IBM tabulation system was 001.” (Black, 2002)

“The image of a tattooed number on the forearm of a death-camp survivor is one of the most recognized symbols of the Holocaust. Black shows that these numbers initially correlated to the IBM Hollerith punch-card system.” (AllBusiness, 2002)

Of course, the level of surveillance that we are experiencing today far surpasses anything seen by those living in Nazi Germany. Between GPS-tracked cell phones, OCR license-plate readers, and full-fledged city video surveillance systems, both corporations and law enforcement can track private citizens’ moment-to-moment activities.

What’s happening with all this data? The answer is: we (the public) don’t know. From traffic cameras to full-scale city monitoring systems, mass surveillance programs are being put into place with very little publicized detail regarding information security or data management. Conversely, the implementers seem to have taken a “security through obscurity” approach, where public disclosure of surveillance IT management practices is seen as a threat to security itself.

“Billions of records, accessible in minutes,” reads an IBM advertisement. “At the heart of the Real Time Crime Center is IBM Crime Information Warehouse technology… Advanced data-mining technology provides investigators with access to billions of records.”

Challenge: can you find any record of IT security audits of New York’s powerful public surveillance center, or even just indications that regular IT security audits occur? I can’t. (If you do, post!) If these records exist, they sure aren’t easily accessible by the public. Don’t we deserve verifiable evidence that our personal information is being responsibly managed?

As anyone in the open-source or cryptographic community knows, security through obscurity doesn’t make a system more secure. In the case of mass surveillance and tracking systems, the public is being denied the ability to verify that our data is securely and appropriately managed.

Moreover, what exactly are government and contractors doing with all of this very personal data? Contractors such as IBM are collecting an enormous amount of personal data, yet the public receives very little detail about how long our information is kept, who has access, and precisely how our data managed or used — other than vague, unverified assurances that our information is managed in accordance with regulation. It is impossible for us to assess compliance with referenced privacy and information security regulations without any real data.

Mass surveillance is an extremely powerful tool which is here to stay. Electronic mass tracking systems essentially obviate the need for punch cards and tattooed numbers, while serving effectively the same purpose. “It was the use of raw numbers, punch cards, statistical expertise, and identification cards that made [Nazi genocide] possible…” write Aly and Roth in their excellent book, The Nazi Census. “Every act of extermination was preceded by an act of registration.”

In a free society, the public must have the ability to actively provide input and receive feedback regarding the collection, maintenance and use of our tracking information, surveillance photographs and videos. If mass surveillance systems are not controlled by the population under surveillance, they will be (and have been) used for oppression. “Knowledge is power.”
 

Do Pirates and Ninjas use Emacs or Vi?

Philosecurity has conducted countless hours of research, interviewed real ninjas and pirates in their natural environs, and launched intensive laboratory studies involving monkeys in order to bring you, our readers, the scientifically proven answers you demand.

After thousands of hours and monkey brains, our scientists have reached the following conclusions:

• Pirates use Emacs
• Ninjas Use Vi

Laboratory results showed that 92% of ninjas preferred vi, while fully 96% of pirates used emacs. In the wild, these numbers were even higher (94% and 97.5%, respectively).

Philosecurity’s expert team of scientists conducted an extensive genetic analysis and concluded that pirates were more genetically fit for the emacs programming environment, while ninjas were predisposed for survival in the vi environment. These genetic features can clearly be seen in the following photos of leading emacs and vi users:

Ninja	Pirate
Bill Joy Vi Creator Hand placement conceals poison dart	Richard Stallman Emacs Creator Note beard

In order to better understand why, we gathered a team of anthropologists, programming experts, and behavioral psychiatrists to analyze the data. Our experts concluded that there are deep-seated psychological, cultural and evolutionary reasons that pirates use emacs and ninjas use vi.

Why Ninjas Use Vi

According to vi’s author Bill Joy, vi was designed to be usable over “a 300-baud modem,” on systems that could “just barely get the cursor off the bottom line.” This was in contrast to Emacs, which “was written for systems with blazing fiber-channel links and monster PDP-10′s.” (Jackson, Linux.com) Ninjas, who emerged in 15th century feudal Japan, would no doubt have appreciated vi’s functionality even across limited communications facilities and on older equipment.

Vi is designed to allow “users of the QWERTY keyboard to keep their fingers on the home row, thus requiring less movement to edit.” This would undoubtedly appeal to ninjas, who are “skilled in the art of stealth.” (Wikipedia)

Vi was originally designed to do a few things well, and avoid feature bloat. This also appealed to ninjas, who had to travel light. Over the centuries, ninja evolved increasingly specialized equipment, such as shobo rings to hit pressure points, metsubushi (small bombs) and poison shuriken (throwing weapons). “The assassination, espionage, and infiltration tasks of the ninja led to the development of specialized technology in concealable weapons and infiltration tools.”(Wikpedia) Similarly, over time vi has evolved offshoots such as vim with increasingly powerful features designed for the programming environment.

Vi has two modes:

• Command mode – Stealthily leap from line to line, over sentences, leaving no trace.
• Insert mode – Text everywhere

Ninjas have two modes:

• Stealth mode – Silently leap from tree to tree, over fences, leaving no trace
• Battle mode – Bodies everywhere

Why Pirates Use Emacs

Emacs was designed to be “highly customizable and includes a large number of bells and whistles, as it is essentially a Lisp programming language execution environment…” (Wikipedia)

Pirates are highly concerned with customization. What they lack in speed they make up for in panache: swanky flags, matching shoulder parrots and even customized limbs with fancy hooks and pegs. Pirates work hard to customize their ships, their costumes, their appendages and their speech. Emacs is traditionally slower than vi, but that wouldn’t be much concern for pirates, who are usually drunk and missing limbs anyway.

Pirates place themselves along trade routes and routinely raid passing ships, which gives them access to the most modern equipment. One of their overarching professional goals is to accumulate lots of valuable stuff. In the course of daily raids they acquire the most modern technology, which they can then use to run a more resource-intensive programming editor such as Emacs.

Conclusions

Based on extensive laboratory research on monkeys, as well as detailed analysis of wild pirate/ninja habitats, Phillosecurity’s team of experts has uncovered clear evidence that pirates use Emacs and ninjas use vi. The team also identified several cultural and evolutionary factors which have contributed to this trend.

Still, open questions remain. According to leading programming expert Gary Longsine, “Vampires use vi with an emacs plugin.” What editors will robots and space aliens prefer? Only time will tell.
 

Forensic analysts traditionally focus on hard drive analysis, but hard drives are not always accessible, and they don’t tell the full story. Savvy investigators also include the network environment. Recently I’ve been co-authoring a class on Network Forensics (SANS Sec558), and I’ve been building lab networks, collecting evidence for the class exercises, and practicing network forensics in-depth. Here are a few ways that investigators reconstruct computer activity using network forensics.

Web Surfing: Many organizations use web proxies to improve web surfing performance. As it happens, web proxies maintain a log of web requests and even copies of web pages (for a limited period of time). Forensic investigators can use graphical tools such as Sarg to analyze web proxy logs and view a list of client’s browsing history. Investigators can even extract pages themselves from the web proxy cache with common tools such as wget.

By analyzing web proxy logs, investigators can reconstruct browsing history, view downloads, recover social networking information, identify external email accounts, and even obtain usernames and passwords (which are sometimes included in URLs). Web proxies result in faster web browsing and help lower network congestion. As a side effect, they also accumulate logs which record your web browsing history.

Laptop/Mobile Device Tracking: Investigators can identify a specific laptop even when its IP address changes, and even if it moves to a different network. The network card in your computer has a unique address assigned to it by the manufacturer called the Media Access Control (MAC) address. When you connect your laptop to a hotspot or company network, your network card broadcasts its unique MAC address, and the DHCP server then assigns an IP address to your network card.

Forensic analysts can use DHCP server logs to track which IP addresses belonged to which network cards at a given time. By default, your MAC address also reveals information about the manufacturer, so forensic analysts can infer whether your laptop contains, for example, an Apple-manufactured network interface.

There’s a catch: You can change your network card’s MAC address. It’s actually fairly easy to do, even though most people don’t bother. A MAC address is really about as reliable as using hair color to describe a suspect. Much of the time, it’s accurate, and it takes conscious effort to change– but with a little effort it can be modified. You can even change the MAC address so that it looks as though your network card was made by a different manufacturer. If someone purposefully changed their MAC address, that would make it harder to link network activity to their specific network card.

Logon History: In order to comply with regulations such as HIPAA (as well as standard security best practices), organizations frequently configure workstations to send records of events to central logging servers, which collect and store logs from many workstations all in one place. Typically, central logging servers store login times, failed login attempts, and commands that are executed with administrative privileges (the specifics vary depending on the organization). The workstation must be preconfigured to send logs to the central logging server. My favorite log analysis tool is Splunk. By analyzing a central logging server, forensic investigators can track when you logon (or when you mess up your password), when you run privileged commands, or take other noteworthy actions.

Network traffic: Forensic investigators who are monitoring active connections can collect all network traffic to and from a specific computer, without the user ever knowing. There are many ways to monitor network traffic. If investigators have the support of network administrators, then the administrators can simply set up a SPAN port on a router, mirror all traffic, and filter for interesting bits. Some companies do this all the time, filtering for malicious traffic, proprietary data, or even keywords that might indicate employees are angry. Wireless networks are even easier to analyze. Since wireless access points are hubs, every client can potentially capture traffic destined for any other system– or all systems. Tools such as Wireshark and tcpdump are useful for capturing network traffic (investigators: if you use tcpdump, remember to set the snaplength to zero for full packet contents).

Here are a few things forensic investigators can do with raw traffic captures:

• File carving: Investigators can actually carve files out of raw network traffic and reconstruct file transfers. If you upload a JPG to a web site, send an email attachment, or download an MP3, anyone who has captured your network traffic can reconstruct your file. Tools such as tcpxtract are helpful for this purpose. Investigators can also view images and other file formats in real time as they are transferred across the network, using tools like driftnet.
• Instant message reconstruction: If you’re not encrypting your instant messages, then they are quite easy to see as they travel across the network. One of my clients once half-jokingly said that he considered deploying a scrolling sign in the lunchroom which broadcast everybody’s IMs, in order to reduce the amount of IM usage.
• Email reconstruction: Emails are rarely encrypted as they traverse the network. Much like instant messages, the text is trivial to read. Investigators don’t even need to go to the trouble of reconstructing files: you can simply run “strings” on raw packet captures and dump the output to a file (I recommend always checking both ASCII and Unicode output). If you’re feeling more interactive, you can also view the raw traffic in a hex editor and read the ASCII output.
• Web surfing reconstruction: Perhaps your organization doesn’t have a proxy server, or the forensic investigator doesn’t have access to it. With access to captured traffic from your computer, investigators can extract your web browsing activity, full page content, and form submissions.

Forensics and privacy are two sides of the same coin. Both investigators and everyday citizens benefit from understanding the types of personal information that companies, hotspots and ISPs routinely store, and how activity can be tracked and reconstructed.

Check out our three-day class: SANS Sec558: Network Forensics, scheduled to run this June at SANSFIRE in Washington, DC. We’ll do lots of advanced, hands-on exercises in which we analyze a virtual network, and spend a full day working as investigative teams to solve a crime. Hope to see some of you there!

Sherri Davidoff

PGP-signed text: 2009-03-16 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/03/16/beyond-hard-drive-forensics/feed 1 http://philosecurity.org/2009/03/09/rogue-wireless-gets-sneakier http://philosecurity.org/2009/03/09/rogue-wireless-gets-sneakier#comments Mon, 09 Mar 2009 07:41:26 +0000 sherri http://philosecurity.org/?p=1113 For $40, anyone can purchase a cheap wireless AP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points, which allow them to bypass the pesky firewall and remotely access the network later on. These days, disgruntled employees can easily hide an AP behind the file cabinet before cleaning out their desks, and then access the company network months later from the parking lot.

Many companies conduct regular “war-walking” scans to detect rogue access points (ie. using Kismet or Netstumbler), or invest in commercial Wireless Intrusion Detection Systems (WIDS). However, there are sneaky ways to bypass traditional war-walking and WIDS systems. Recently, I took Josh Wright’s excellent “Wireless Ethical Hacking” SANS class, and he touched on a number of tricks that attackers can use to foil your company’s rogue WAP detection efforts. Here are a few:

1) Channel 14

In the United States, the FCC has licensed 11 channels for 802.11b/g, which have center frequencies between 2.412 GHz to 2.462 GHz. However, most of Europe allows 13 channels (up to 2.472 GHz), and Japan allows 802.11b all the way up to channel 14, or 2.484 GHz.

Cards manufactured for the United States often don’t support channel 14, since it’s illegal to transmit on that frequency. There’s overlap between the channels, but at 2.484 GHz, channel 14 is far enough away from channel 11 that network cards are unlikely to pick up much signal on channel 11. If an attacker were to configure an AP to illegally transmit on Channel 14 and export data at 2.484 GHz, security teams monitoring US channels would probably never detect it.

2) 802.11n Green Field mode

The IEEE has been hard at work on the 802.11n (“MIMO”-based) specification, which allows much greater throughput than 802.11a/b/g (100Mbps or more). The draft 802.11n standard specifies two modes:

• “Mixed-mode,” which allows it to work with legacy 802.11a/b/g networks;
• “Green Field” or “high-throughput only” mode, which takes full advantage of the enhanced throughput but is not visible to 802.11a/b/g devices. Older devices will see GF-mode traffic only as noise.

Not visible to 802.11a/b/g devices? That means if you’re war-walking with an 802.11a/b/g card, you can’t see 802.11n devices operating in Green Field (GF) mode. The specification hasn’t even been finalized, but 802.11n devices are already available for as little as $50– easy to buy, easy to plug into your company’s network. However, most companies have not yet purchased 802.11n-compatible equipment and hence can’t detect GF-mode 802.11n rogue APs.

Josh published a vulnerability report explaining this, in which he wrote: “With the inability to decode GF mode traffic, an attacker can position a malicious rogue AP on a victim network using the GF mode preamble. This would allow an attacker to evade wireless intrusion detection systems (WIDS) based on non-HT devices. This includes all WIDS devices based on 802.11a/b/g wireless cards.”

3) Bluetooth Access Point

If you’re like me, when you think about Bluetooth you envision your tiny little headset which crackles and hisses every time you walk too far away from your phone. That’s because your Bluetooth headset is designed for a Class 2 Bluetooth network, which is fairly low-power and has a maximum range of ~10M.

However, there’s more to Bluetooth than your rinky-dink headset. Bluetooth Class 1 devices are much more powerful, with ranges similar to 802.11b wireless APs. A Bluetooth Class 1 device can transmit up to 100mW, with a typical range of ~100M (or miles, if the receiver has a directional antenna).You can buy a Class 1 Bluetooth AP for $100-200.

Can you discover Bluetooth APs while war-walking? Not if you’re just using an 802.11 card. Even if you’re using a spectrum analyzer like WiSpy, you may not notice it. Bluetooth uses Frequency Hopping Spread Spectrum, and hops 1600 times a second throughout the 2.402-2.480GHz band. Because it’s spread out across the spectrum, it can be hard to notice and easily mistaken for noise by the untrained eye. Most Wireless IDS systems and security teams simply don’t look for it (yet).

4) Wireless Knocking

This is my favorite. Remember port knocking? Instead of installing a backdoor to listen on a particular port (where it might be noticed), l33t h4x0rs installed rootkits that would wait for a particular sequence of ports to be scanned, at which point the knocker’s IP address would be granted access. “A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened… That equates to approximately 65535⁴ packets in order to obtain and detect a single successful opening. That’s approximately 18,445,618,199,572,250,625 or 18 quintillion packets.” (Wikipedia)

With wireless knocking, a rogue AP sits on the network in monitor mode, listening for probe requests. When the rogue AP receives a packet (or sequence of packets) with the preconfigured SSID, it awakens and switches to master mode. The program “WKnock” is designed for this purpose, and it can be installed on any AP supported by the OpenWRT framework. During times when the rogue AP isn’t active, it is silent and can’t be detected using common wireless scanning tools.

Sneaky!

If you want to learn more about wireless attacks and defense, I definitely recommend Josh Wright’s class – SANS 617.

Sherri Davidoff

PGP-signed text: 2009-03-09 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/03/09/rogue-wireless-gets-sneakier/feed 6 http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking#comments Mon, 23 Feb 2009 11:43:10 +0000 sherri http://philosecurity.org/?p=983 Last week marked the original official deadline for the Digital Television Transition, after which analog television broadcasts would be terminated. (The official deadline was recently extended to June 12, 2009.) To ease the transition, the US government launched the TV Converter Box Coupon Program, which “allows U.S. households to obtain up to two coupons, each worth $40, that can be applied toward the cost of eligible converter boxes.” (TV converter coupon program site)

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

 

Sherri Davidoff

PGP-signed text: 2009-02-23 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking/feed 3