“Self-Service Check-In: You Will Need a Major Credit Card”
and then in small print:
“For Identification Only”

Yes, apparently American Airlines will only give boarding passes to individuals who have been thoroughly vetted according to the strict standards of American Express, Mastercard, or VISA (and perhaps Discover).

“The demo laptops in question are located in an independently owned/operated reseller location, and are not configured or maintained by Verizon Wireless. Verizon Wireless is committed to the security of its customers and is working with the reseller to resolve this issue.”

Usually when working with vendors, the company’s lawyers immediately respond to any potential problems with security systems. Verizon did not respond this way. Instead, they began by asking a bunch of questions about the store locations and what security breaches were compromised. Further, they said that they could understand the confusion because the third party resellers have huge Verizon signs on their store. In short, they acknowledge that it can be very difficult to distinguish between the real Verizon stores and the resellers.

I was also very happy to see that they were interested in solving the issue. You see, even though the stores are not theirs, there is still damage that can be done if something hideous was to happen on one of the terminals.

I will keep you all posted on how the fix goes. I am planning on hitting a few of the stores later today just to see.
 

Last week I was plucking around at my local Verizon Wireless store looking for a power adapter for my i760. Apparently, this task is far harder then I thought it would be. The gentleman behind the counter said, “Whoa! That is a very old phone.”

I bought it last year.

Anyway, he disappeared into the back like he was hunting for the store’s last mogwai and left me, alone, in the store with their demo EVDO computer terminal.

So I started playing around with the Windows XP system they allow their customers to test the EVDO speed. Which I think is a great idea. However, there was a sign that said, “Please, check your email here!!” I don’t think so.

So I got curious as to what kind of security they put on these systems. I was hoping for at least a partially locked down terminal. At the very least, I was sure they would not leave an open system logged in with Administrator privileges for the whole world to use.

I was wrong.

As you can see the system is logged in with an account that has Administrator Privileges. There is no “hacking” this box…. You just walk up to it.

 
When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?” Which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my drivers license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over and quickly leave the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.

To my horror, all of the Verizon stores in my area were set up the exact same way.

There are two issues here. First, these terminals are insecure by design and replicated. Second, they encourage their potential customers to use these insecure systems to do potentially sensitive activities.

Why should Verizon care? The single biggest thing I can think of is liability. If you’re an attacker why would you keep your illegal files on your system? It seems so much better to store them on a random Verizon demo system. Next, think about the consistency. It is trivial to dump the password hashes from a system when you have Administrator access to the box. Where else are those passwords used?

The point is that we need to start securing things even if you don’t think there is a need. There are liability issues that come with having open systems so insecure. Further, it is just these types of things that can be catastrophic for an organization. The sad part is many organizations would say they never saw it coming.

We can say it again and again, organizations need to be a bit more protective of their customers data. Also, I think it would be a step in the right direction to not openly suggest that customers should check their email.

Until then… Buyer beware.

“Red Flag Identity Theft Rule We are now required by law to ask for a Photo ID at the time of each visit. Please have your Photo ID ready for the receptionist to scan.”

As an avid bicyclist, I wasn’t carrying a driver’s license.

“I’m sorry, we’ll have to reschedule you,” said the receptionist. “We need to scan your ID before we can see you. It’s a new law.”

“No, I really don’t have one. I bicycle everywhere. I don’t even know where my old license is any more.”

She looked me in the eye and said, “Sorry. I suggest you get a photo ID. You need to have one to be seen.”

“What if I’m paying for my own visit, and not using health insurance?”

“We need to scan your ID and have it in your file or we can’t see you.”

“I don’t think it’s right to deny care to patients who don’t have a Photo ID,” I said.

“Well, I can talk to my supervisor,” she said. “But I think you’re going to have to reschedule.”

As I waited, I watched the receptionist take another patient’s driver’s license and walk off into a back room. Apparently, in order to comply with the “Red Flag Identity Theft Rule,” the doctor’s office now scans a copy of every patient’s driver’s license and stores it in their computer systems.

How secure are my doctor’s computer systems? Patients don’t have the right to know. Doctor’s offices, hospitals and even health insurance companies get infected with viruses, worms and spyware all the time. These are generally not reported as patient data breaches, because they are far too common.

Just in the past few weeks, there have been news reports of patient data thefts from UC Berkely Health Service, Virginia Prescription Monitoring Program and Memorial Medical Center. The vast majority of breaches never get reported or even detected, however, because tiny little health care clinics and hospitals all over the country have neither the resources nor the incentives to institute appropriate detection measures.

And now they want to store a high-resolution copy of my driver’s license on top of everything else? What is this “Red Flags Identity Theft Rule,” anyway?

The Red Flags Rules are a collection of new Federal Trade Commission regulations aimed at reducing the risk of identity theft. The American Medical Association and dozens of other medical societies “have protested the FTC’s decision to apply the Red Flags rule to medical practices and other health care providers.”

Why on earth does the Federal Trade Commission affect who my doctor treats?

According to the FTC, “Health care providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance.”

The FTC requires “each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.” Although the Red Flags Rules do not explicitly require doctor’s offices to make copies of patient identification, they are often implemented this way.

Ironically, spreading more private information around– such as high-resolution copies of driver’s licenses- increases patients’ risk of identity theft. As a 2008 World Privacy Forum report explained:

“When patients are, for example, asked for a drivers’ license when checking in to hospitals for surgery, the license itself may be copied or scanned and added into the actual patient file. This can give hospital insiders with criminal tendencies access to a treasure trove of photographic, biometric, and other information that may have been unavailable to them before. The result can be more identity theft (medical and otherwise).

“…Just because customer identity proofing is commonplace in the financial sector does not mean that it has translated perfectly or even well to the health care sector. The two sectors have different regulatory requirements, approaches to access points, security, and information flows. Banks and health care providers also have different competencies, staffing capacities, training, and in many cases even procedures when it comes to reviewing and managing customer identification documents.”

Everyone should have access to medical care– not just people who have registered with the government and obtained a photo ID. Furthermore, patients should have the right to health care without being forced to give up control of our personal information. As a patient, I don’t really want a copy of my Photo ID stored on a crappy unpatched Windows box at my doctor’s office. Today’s patients do not even have the right to know how well doctor’s offices and hospitals are secured, even in the face of constant reports of medical data breaches. That’s sick.

TSA has stated that Secure Flight record system is exempt to multiple provisions of the Privacy Act. In particular, it claims:

• “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
• “Exemption from Requirement to Collect Only Relevant and Necessary Information”
• “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
• “Exemption from the Requirement of Judicial Review”

TSA’s transportation security strategy appears to be based on the logic that by tracking civilians en masse and maintaining secret “watch lists” we can somehow identify all people with potentially malicious intent and prevent them from accessing public transportation systems. (”Sorry sir, you’ve already committed three suicide bombings this year, so we can’t allow you on the plane.”)

Of course, air travel is just a small part of the picture. TSA is also “responsible for security in all modes of transportation.” This includes cars, buses, subway and rail. According to their mandate, presumably even bicyclists would fall under TSA’s purview. Ground transportation is arguably even more important than aviation security, particularly because so many phone and network cables run along railways and highways. Although TSA has thus far focused their most draconian regulations on the air, they have been asserting increasing control over ground public transportation.

Last September, TSA flexed their ground-transportation muscles when they mobilized TSA and Amtrak security teams “from approximately 100 commuter rail, state, and local police agencies… for the largest joint, simultaneous Northeast rail security operation of its kind, involving 150 railway stations between Fredericksburg, Virginia, and Essex Junction, Vermont.”

What prompted this massive security exercise?

“The morning rush-hour multi-force security deployment was NOT in response to any particular threat or incident, but rather a demonstration of an ongoing collaborative effort to expand counter-terrorism and incident response capabilities up and down the Northeast Corridor railway system,” wrote TSA in a press release.

I see.

Let’s follow the TSA’s strategy to its logical conclusion. If we accept Secure Flight as a valid security strategy, then in order to effectively and fully “secure” our transportation infrastructure, we would need to:

• Track everyone traveling on a highway, subway, bus, train, or plane;
• Track everyone in or near a transportation interchange;
• Accurately identify every person (ultimately, using biometrics or similar);
• Compare identification to meticulously-maintained “watch lists”;
• Selectively deny travel based on secret information stored in government databases

Even then, it only takes one sneaky attacker to dodge the system and cause havoc. Furthermore, tracking every citizen is an extremely high-impact, resource-intensive strategy, which will require deep, fundamental, rather frightening changes in our society. It requires the abolishment of free society, placing our freedom to travel in the hands of an un-auditable, un-elected elite.

By treating citizens as potential enemy combatants, we waste money and actually degrade our nation’s security. This concept is summarized neatly in the Tao Te Ching: “do not use arms to coerce the world, for these things tend to reverse– brambles grow where an army has been… Weapons are inauspicious instruments, not the tools of the enlightened.” (Translation: Thomas Cleary)

What is a more effective strategy? The key is to examine incentives that lead up to attacks. Millions of people around the world, including American citizens, feel that they have been treated unfairly by United States corporations and the government.

Rather than feeding the fire by treating innocent civilians like potential enemy combatants, perhaps we should spend that money on 1) actually improving quality of life for civilians; 2) diplomatically resolving conflicts; 3) genuinely improving the resilience of our critical infrastructure; 4) non-proliferation and weapons-tracking efforts.

“When welfare and justice embrace the whole people, when public works are sufficient to meet national emergenices, when the policy of selection for office is satisfactory to the intelligent, when planning is sufficient to know strengths and weaknesses, that is the basis of certain victory.” (Cleary, Translator’s Introduction to the Art of War)

“A paper trail is an identity thief’s best friend. Sign up for paperless statements and you can rest easy knowing all your account information is locked away safely online.”

Ahahahahaha!…ha… ha… When’s the last time you heard about millions of credit card numbers being stolen from the mail? Somehow I don’t recall identity theft being such a big deal before online financial systems started taking off. In much the same way that the Bush administration linked Saddam Hussein to 9/11, credit card companies are now campaigning to link “identity theft” and… paper.

This brilliantly twisted marketing campaign:
1) Fuels the “identity theft” fear-mongering, increasing identity theft protection sales.
2) Reduces the number of individuals who will be able to independently verify and access statements down the road
3) Saves Citibank money on paper (which also benefits the environment, but that isn’t Citibank’s motivation)
4) Instills a false sense of security regarding the safety of web-based account management systems
5) Increases customers’ risk of identity theft by promoting the use of insecure, online web based account management systems (which will subsequently lead to more “identity theft protection” sales… yay!)

I’d feel a lot safer if all of my account information were locked away in my own fireproof filing cabinet. Unfortunately, it’s clearly not. Less than a month ago Citibank sent me a new card because one of their payment processors lost millions of people’s account information, including mine.

An identity thief’s friends are the vast legions of computers running Windows with Internet Explorer that people use to login to their online accounts (with re-used passwords such as “fluffy2009″). Identity thieves are also pretty chummy with payment processors such as Heartland, who recently lost over 100 million of credit card numbers.

Identity thieves’ best friends in the world are the credit card companies themselves, who have created a system rife with holes, and subsequently profit from their own systematic failures through scams such as “identity theft protection” services.

What chutzpah.

Last week, the evening before speaking at the RSA Conference in San Francisco, we saw a large black suitcase sitting by the main entrance of the Courtyard Marriott. It appeared to have been left behind by an unfortunate traveler.

We walked up to the front desk to let the hotel know. “Oh,” sighed the Marriott employee. “We get that all the time.”

Apparently, as part of the Marriott’s design theme, the hotel had installed realistic sculptures of unattended personal items all over the ground floor.

Out front there were two lonely suitcases, each left beside a different bench near the valet. Inside, there were a couple more suitcases, an outdated cell phone and a wallet on the bar.

Obviously a pre-9/11 design concept…

Chances are pretty good that you’re reading this page through a web proxy right now, especially if you’re in an enterprise environment. Web proxying and caching have become increasingly popular, for both filtering traffic and speeding up requests. Even consumer ISPs have latched onto the idea (sometimes using similar techniques to insert ads into pages as they are downloaded). That means your web surfing history is probably being recorded in a proxy log somewhere.

Web proxy and cache servers are untapped gold mines for forensic analysts. They often record the web browsing history for an entire organization, all rolled up into one directory. Web caching servers also contain copies of pages themselves, for a limited time.

This is great for forensic analysts (and not so hot from a privacy perspective). Investigators can examine web browsing histories for everyone in an organization all at once. Moreover, it’s possible to reconstruct web pages from the cache. Right now, investigators often simply visit web sites in order to see what they are. This has some serious drawbacks: first, there is no guarantee you’re seeing what the end user saw earlier; and second, your surfing now appears in the server’s activity logs. If the owner of the server is an attacker or suspect, you may well have just tipped them off. It’s much better to first examine the web cache to see what you can find stored locally.

To learn more, I installed Squid, a popular web proxy/cache server, on my lab network and dissected it. There are a number of tools out there that will reconstruct client browsing history, based the access logs. I really liked squidview (which has a Kismet-style interface) and sarg (HTML clickable).

What I didn’t find was public information or tools for reconstructing pages from the web cache. It’s definitely possible. The proxy cache, by its very nature, stores the pages you view on its local hard drive and may later serve those pages to you or someone else. The precise pages it stores and the length of time they are retained vary depending on the specific server configuration and usage.

As a forensic analyst, I wanted to recover those cached pages. I figured, if Squid could do it, so could I.

By changing Squid’s configuration to “offline” mode, you can use wget to extract some pages directly from the local cache. This is handy because it reconstructs the pages automatically, if they exist. However, I wanted to see what information was stored directly in the cache, and access associated headers and metadata.

Squid’s access log is straightforward: it’s essentially a text file which contains a list of client IP addresses and pages accessed. If you correlate these with DHCP and central authentication logs, you can potentially match web surfing activity to a particular network card or user.

The cache directory is far more mysterious. If you simply list the directory contents, here is what you will see:

$ ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F swap.state

Daunting. That swap.state file is Squid’s database, which contains a record of every item in the cache. It’s a binary file. If you delete it while Squid isn’t running, Squid will actually re-create it the next time it starts up. (This is helpful if you’re trying to manually edit the Squid cache in order to create lab exercises for, oh, a new class on network forensics.)

Within each of those subdirectories are files such as these:

And each of those subdirectories contains files such as this:

Finally, each of those eight-character files contains- yes! – the pages actually cached by Squid. Here is an example. When you surf to a web page, Squid will add some metadata to the top, which includes the full URI and its MD5sum. Squid then stores this, along with the full HTTP reply (headers and body) as a file in one of these subdirectories. If the page is requested later, it can look it up in swap.state and fetch it.

Now let’s extract some content directly from the cache.

Let’s say we’re analyzing web traffic associated with 192.168.1.26. We come across the following entry in Squid’s access.log:

1239739309.653 377 192.168.1.26 TCP_MISS/200 30348 GET http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg – DIRECT/72.233.69.12 image/jpeg

Interesting… What is this image? Let’s see if it’s in the cache.

We could analyze swap.state, but I created my own table of the URIs stored in Squid, along with their corresponding cache files. This was for two reasons: first, I didn’t have to rely on the accuracy of Squid’s database; and second, I’m a lazy bum and it’s pretty easy to do using a simple Bash script. The URI is stored near the beginning of each cached page, just after the MD5sum of the URI. If you grep for strings beginning with “http” in the first few lines of each cache file, you’ll find it.

Here’s that file we were looking for:
./00/03/0000036A    http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg

Now let’s open up that cache file. Running strings on it, we see the following metadata and header info:

Lots of juicy info there. To extract the image itself, let’s open this up in a hex editor. I like to use “bless” on Ubuntu. JPEG images begin with “FFD8,” so extracting this content is fairly easy. Highlight everything before the magic number, click “Cut” and save as 0000036A-edited.jpg.

A quick check with “file” confirms that we got it right:
$ file 0000036A-edited.jpg
0000036A-edited.jpg: JPEG image data, JFIF standard 1.01

Now let’s open it up:

Looks pretty suspicious to me…
 

New York’s “Real Time Crime Center can quickly query millions of pieces of information to uncover previously unknown data relationships and points of connection.”

In Poland “personal and vehicle IDs can be instantly checked in an EU-wide database.”

In Chicago: city staff “have access to video from a multitude of cameras citywide, with advanced analytics built into the infrastructure, that are connected to a fiber/wireless network to assist the operator with potential ‘eyes-on-the-scene’ in the vicinity of an incident.”

I’m all for fighting crime, but these vast, nascent public surveillance programs which have minimal public input and oversight are pretty frightening. If you’re familiar with the history of IBM, their massive surveillance operations are especially creepy. “IBM was founded in 1898 by German inventor Herman Hollerith as a census tabulating company. Census was its business,” wrote Edwin Black in his 2001 book, IBM and the Holocaust.

During the 1930s, IBM subsidiaries worked closely with the Nazis to develop and maintain the registration and tracking systems which were the foundation of their extermination operations. “IBM’s custom-designed prisoner-tracking Hollerith punch card equipment allowed the Nazis to efficiently manage the hundreds of concentration camps and sub-camps throughout Europe, as well as the millions who passed through them. Auschwitz’ camp code in the IBM tabulation system was 001.” (Black, 2002)

“The image of a tattooed number on the forearm of a death-camp survivor is one of the most recognized symbols of the Holocaust. Black shows that these numbers initially correlated to the IBM Hollerith punch-card system.” (AllBusiness, 2002)

Of course, the level of surveillance that we are experiencing today far surpasses anything seen by those living in Nazi Germany. Between GPS-tracked cell phones, OCR license-plate readers, and full-fledged city video surveillance systems, both corporations and law enforcement can track private citizens’ moment-to-moment activities.

What’s happening with all this data? The answer is: we (the public) don’t know. From traffic cameras to full-scale city monitoring systems, mass surveillance programs are being put into place with very little publicized detail regarding information security or data management. Conversely, the implementers seem to have taken a “security through obscurity” approach, where public disclosure of surveillance IT management practices is seen as a threat to security itself.

“Billions of records, accessible in minutes,” reads an IBM advertisement. “At the heart of the Real Time Crime Center is IBM Crime Information Warehouse technology… Advanced data-mining technology provides investigators with access to billions of records.”

Challenge: can you find any record of IT security audits of New York’s powerful public surveillance center, or even just indications that regular IT security audits occur? I can’t. (If you do, post!) If these records exist, they sure aren’t easily accessible by the public. Don’t we deserve verifiable evidence that our personal information is being responsibly managed?

As anyone in the open-source or cryptographic community knows, security through obscurity doesn’t make a system more secure. In the case of mass surveillance and tracking systems, the public is being denied the ability to verify that our data is securely and appropriately managed.

Moreover, what exactly are government and contractors doing with all of this very personal data? Contractors such as IBM are collecting an enormous amount of personal data, yet the public receives very little detail about how long our information is kept, who has access, and precisely how our data managed or used — other than vague, unverified assurances that our information is managed in accordance with regulation. It is impossible for us to assess compliance with referenced privacy and information security regulations without any real data.

Mass surveillance is an extremely powerful tool which is here to stay. Electronic mass tracking systems essentially obviate the need for punch cards and tattooed numbers, while serving effectively the same purpose. “It was the use of raw numbers, punch cards, statistical expertise, and identification cards that made [Nazi genocide] possible…” write Aly and Roth in their excellent book, The Nazi Census. “Every act of extermination was preceded by an act of registration.”

In a free society, the public must have the ability to actively provide input and receive feedback regarding the collection, maintenance and use of our tracking information, surveillance photographs and videos. If mass surveillance systems are not controlled by the population under surveillance, they will be (and have been) used for oppression. “Knowledge is power.”
 

Do Pirates and Ninjas use Emacs or Vi?

Philosecurity has conducted countless hours of research, interviewed real ninjas and pirates in their natural environs, and launched intensive laboratory studies involving monkeys in order to bring you, our readers, the scientifically proven answers you demand.

After thousands of hours and monkey brains, our scientists have reached the following conclusions:

• Pirates use Emacs
• Ninjas Use Vi

Laboratory results showed that 92% of ninjas preferred vi, while fully 96% of pirates used emacs. In the wild, these numbers were even higher (94% and 97.5%, respectively).

Philosecurity’s expert team of scientists conducted an extensive genetic analysis and concluded that pirates were more genetically fit for the emacs programming environment, while ninjas were predisposed for survival in the vi environment. These genetic features can clearly be seen in the following photos of leading emacs and vi users:

Ninja	Pirate
Bill Joy Vi Creator Hand placement conceals poison dart	Richard Stallman Emacs Creator Note beard

In order to better understand why, we gathered a team of anthropologists, programming experts, and behavioral psychiatrists to analyze the data. Our experts concluded that there are deep-seated psychological, cultural and evolutionary reasons that pirates use emacs and ninjas use vi.

Why Ninjas Use Vi

According to vi’s author Bill Joy, vi was designed to be usable over “a 300-baud modem,” on systems that could “just barely get the cursor off the bottom line.” This was in contrast to Emacs, which “was written for systems with blazing fiber-channel links and monster PDP-10’s.” (Jackson, Linux.com) Ninjas, who emerged in 15th century feudal Japan, would no doubt have appreciated vi’s functionality even across limited communications facilities and on older equipment.

Vi is designed to allow “users of the QWERTY keyboard to keep their fingers on the home row, thus requiring less movement to edit.” This would undoubtedly appeal to ninjas, who are “skilled in the art of stealth.” (Wikipedia)

Vi was originally designed to do a few things well, and avoid feature bloat. This also appealed to ninjas, who had to travel light. Over the centuries, ninja evolved increasingly specialized equipment, such as shobo rings to hit pressure points, metsubushi (small bombs) and poison shuriken (throwing weapons). “The assassination, espionage, and infiltration tasks of the ninja led to the development of specialized technology in concealable weapons and infiltration tools.”(Wikpedia) Similarly, over time vi has evolved offshoots such as vim with increasingly powerful features designed for the programming environment.

Vi has two modes:

• Command mode – Stealthily leap from line to line, over sentences, leaving no trace.
• Insert mode – Text everywhere

Ninjas have two modes:

• Stealth mode – Silently leap from tree to tree, over fences, leaving no trace
• Battle mode – Bodies everywhere

Why Pirates Use Emacs

Emacs was designed to be “highly customizable and includes a large number of bells and whistles, as it is essentially a Lisp programming language execution environment…” (Wikipedia)

Pirates are highly concerned with customization. What they lack in speed they make up for in panache: swanky flags, matching shoulder parrots and even customized limbs with fancy hooks and pegs. Pirates work hard to customize their ships, their costumes, their appendages and their speech. Emacs is traditionally slower than vi, but that wouldn’t be much concern for pirates, who are usually drunk and missing limbs anyway.

Pirates place themselves along trade routes and routinely raid passing ships, which gives them access to the most modern equipment. One of their overarching professional goals is to accumulate lots of valuable stuff. In the course of daily raids they acquire the most modern technology, which they can then use to run a more resource-intensive programming editor such as Emacs.

Conclusions

Based on extensive laboratory research on monkeys, as well as detailed analysis of wild pirate/ninja habitats, Phillosecurity’s team of experts has uncovered clear evidence that pirates use Emacs and ninjas use vi. The team also identified several cultural and evolutionary factors which have contributed to this trend.

Still, open questions remain. According to leading programming expert Gary Longsine, “Vampires use vi with an emacs plugin.” What editors will robots and space aliens prefer? Only time will tell.
 

Forensic analysts traditionally focus on hard drive analysis, but hard drives are not always accessible, and they don’t tell the full story. Savvy investigators also include the network environment. Recently I’ve been co-authoring a class on Network Forensics (SANS Sec558), and I’ve been building lab networks, collecting evidence for the class exercises, and practicing network forensics in-depth. Here are a few ways that investigators reconstruct computer activity using network forensics.

Web Surfing: Many organizations use web proxies to improve web surfing performance. As it happens, web proxies maintain a log of web requests and even copies of web pages (for a limited period of time). Forensic investigators can use graphical tools such as Sarg to analyze web proxy logs and view a list of client’s browsing history. Investigators can even extract pages themselves from the web proxy cache with common tools such as wget.

By analyzing web proxy logs, investigators can reconstruct browsing history, view downloads, recover social networking information, identify external email accounts, and even obtain usernames and passwords (which are sometimes included in URLs). Web proxies result in faster web browsing and help lower network congestion. As a side effect, they also accumulate logs which record your web browsing history.

Laptop/Mobile Device Tracking: Investigators can identify a specific laptop even when its IP address changes, and even if it moves to a different network. The network card in your computer has a unique address assigned to it by the manufacturer called the Media Access Control (MAC) address. When you connect your laptop to a hotspot or company network, your network card broadcasts its unique MAC address, and the DHCP server then assigns an IP address to your network card.

Forensic analysts can use DHCP server logs to track which IP addresses belonged to which network cards at a given time. By default, your MAC address also reveals information about the manufacturer, so forensic analysts can infer whether your laptop contains, for example, an Apple-manufactured network interface.

There’s a catch: You can change your network card’s MAC address. It’s actually fairly easy to do, even though most people don’t bother. A MAC address is really about as reliable as using hair color to describe a suspect. Much of the time, it’s accurate, and it takes conscious effort to change– but with a little effort it can be modified. You can even change the MAC address so that it looks as though your network card was made by a different manufacturer. If someone purposefully changed their MAC address, that would make it harder to link network activity to their specific network card.

Logon History: In order to comply with regulations such as HIPAA (as well as standard security best practices), organizations frequently configure workstations to send records of events to central logging servers, which collect and store logs from many workstations all in one place. Typically, central logging servers store login times, failed login attempts, and commands that are executed with administrative privileges (the specifics vary depending on the organization). The workstation must be preconfigured to send logs to the central logging server. My favorite log analysis tool is Splunk. By analyzing a central logging server, forensic investigators can track when you logon (or when you mess up your password), when you run privileged commands, or take other noteworthy actions.

Network traffic: Forensic investigators who are monitoring active connections can collect all network traffic to and from a specific computer, without the user ever knowing. There are many ways to monitor network traffic. If investigators have the support of network administrators, then the administrators can simply set up a SPAN port on a router, mirror all traffic, and filter for interesting bits. Some companies do this all the time, filtering for malicious traffic, proprietary data, or even keywords that might indicate employees are angry. Wireless networks are even easier to analyze. Since wireless access points are hubs, every client can potentially capture traffic destined for any other system– or all systems. Tools such as Wireshark and tcpdump are useful for capturing network traffic (investigators: if you use tcpdump, remember to set the snaplength to zero for full packet contents).

Here are a few things forensic investigators can do with raw traffic captures:

• File carving: Investigators can actually carve files out of raw network traffic and reconstruct file transfers. If you upload a JPG to a web site, send an email attachment, or download an MP3, anyone who has captured your network traffic can reconstruct your file. Tools such as tcpxtract are helpful for this purpose. Investigators can also view images and other file formats in real time as they are transferred across the network, using tools like driftnet.
• Instant message reconstruction: If you’re not encrypting your instant messages, then they are quite easy to see as they travel across the network. One of my clients once half-jokingly said that he considered deploying a scrolling sign in the lunchroom which broadcast everybody’s IMs, in order to reduce the amount of IM usage.
• Email reconstruction: Emails are rarely encrypted as they traverse the network. Much like instant messages, the text is trivial to read. Investigators don’t even need to go to the trouble of reconstructing files: you can simply run “strings” on raw packet captures and dump the output to a file (I recommend always checking both ASCII and Unicode output). If you’re feeling more interactive, you can also view the raw traffic in a hex editor and read the ASCII output.
• Web surfing reconstruction: Perhaps your organization doesn’t have a proxy server, or the forensic investigator doesn’t have access to it. With access to captured traffic from your computer, investigators can extract your web browsing activity, full page content, and form submissions.

Forensics and privacy are two sides of the same coin. Both investigators and everyday citizens benefit from understanding the types of personal information that companies, hotspots and ISPs routinely store, and how activity can be tracked and reconstructed.

Check out our three-day class: SANS Sec558: Network Forensics, scheduled to run this June at SANSFIRE in Washington, DC. We’ll do lots of advanced, hands-on exercises in which we analyze a virtual network, and spend a full day working as investigative teams to solve a crime. Hope to see some of you there!

Sherri Davidoff

PGP-signed text: 2009-03-16 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/03/16/beyond-hard-drive-forensics/feed 1 http://philosecurity.org/2009/03/09/rogue-wireless-gets-sneakier http://philosecurity.org/2009/03/09/rogue-wireless-gets-sneakier#comments Mon, 09 Mar 2009 07:41:26 +0000 sherri http://philosecurity.org/?p=1113 For $40, anyone can purchase a cheap wireless AP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points, which allow them to bypass the pesky firewall and remotely access the network later on. These days, disgruntled employees can easily hide an AP behind the file cabinet before cleaning out their desks, and then access the company network months later from the parking lot.

Many companies conduct regular “war-walking” scans to detect rogue access points (ie. using Kismet or Netstumbler), or invest in commercial Wireless Intrusion Detection Systems (WIDS). However, there are sneaky ways to bypass traditional war-walking and WIDS systems. Recently, I took Josh Wright’s excellent “Wireless Ethical Hacking” SANS class, and he touched on a number of tricks that attackers can use to foil your company’s rogue WAP detection efforts. Here are a few:

1) Channel 14

In the United States, the FCC has licensed 11 channels for 802.11b/g, which have center frequencies between 2.412 GHz to 2.462 GHz. However, most of Europe allows 13 channels (up to 2.472 GHz), and Japan allows 802.11b all the way up to channel 14, or 2.484 GHz.

Cards manufactured for the United States often don’t support channel 14, since it’s illegal to transmit on that frequency. There’s overlap between the channels, but at 2.484 GHz, channel 14 is far enough away from channel 11 that network cards are unlikely to pick up much signal on channel 11. If an attacker were to configure an AP to illegally transmit on Channel 14 and export data at 2.484 GHz, security teams monitoring US channels would probably never detect it.

2) 802.11n Green Field mode

The IEEE has been hard at work on the 802.11n (“MIMO”-based) specification, which allows much greater throughput than 802.11a/b/g (100Mbps or more). The draft 802.11n standard specifies two modes:

• “Mixed-mode,” which allows it to work with legacy 802.11a/b/g networks;
• “Green Field” or “high-throughput only” mode, which takes full advantage of the enhanced throughput but is not visible to 802.11a/b/g devices. Older devices will see GF-mode traffic only as noise.

Not visible to 802.11a/b/g devices? That means if you’re war-walking with an 802.11a/b/g card, you can’t see 802.11n devices operating in Green Field (GF) mode. The specification hasn’t even been finalized, but 802.11n devices are already available for as little as $50– easy to buy, easy to plug into your company’s network. However, most companies have not yet purchased 802.11n-compatible equipment and hence can’t detect GF-mode 802.11n rogue APs.

Josh published a vulnerability report explaining this, in which he wrote: “With the inability to decode GF mode traffic, an attacker can position a malicious rogue AP on a victim network using the GF mode preamble. This would allow an attacker to evade wireless intrusion detection systems (WIDS) based on non-HT devices. This includes all WIDS devices based on 802.11a/b/g wireless cards.”

3) Bluetooth Access Point

If you’re like me, when you think about Bluetooth you envision your tiny little headset which crackles and hisses every time you walk too far away from your phone. That’s because your Bluetooth headset is designed for a Class 2 Bluetooth network, which is fairly low-power and has a maximum range of ~10M.

However, there’s more to Bluetooth than your rinky-dink headset. Bluetooth Class 1 devices are much more powerful, with ranges similar to 802.11b wireless APs. A Bluetooth Class 1 device can transmit up to 100mW, with a typical range of ~100M (or miles, if the receiver has a directional antenna).You can buy a Class 1 Bluetooth AP for $100-200.

Can you discover Bluetooth APs while war-walking? Not if you’re just using an 802.11 card. Even if you’re using a spectrum analyzer like WiSpy, you may not notice it. Bluetooth uses Frequency Hopping Spread Spectrum, and hops 1600 times a second throughout the 2.402-2.480GHz band. Because it’s spread out across the spectrum, it can be hard to notice and easily mistaken for noise by the untrained eye. Most Wireless IDS systems and security teams simply don’t look for it (yet).

4) Wireless Knocking

This is my favorite. Remember port knocking? Instead of installing a backdoor to listen on a particular port (where it might be noticed), l33t h4×0rs installed rootkits that would wait for a particular sequence of ports to be scanned, at which point the knocker’s IP address would be granted access. “A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened… That equates to approximately 65535⁴ packets in order to obtain and detect a single successful opening. That’s approximately 18,445,618,199,572,250,625 or 18 quintillion packets.” (Wikipedia)

With wireless knocking, a rogue AP sits on the network in monitor mode, listening for probe requests. When the rogue AP receives a packet (or sequence of packets) with the preconfigured SSID, it awakens and switches to master mode. The program “WKnock” is designed for this purpose, and it can be installed on any AP supported by the OpenWRT framework. During times when the rogue AP isn’t active, it is silent and can’t be detected using common wireless scanning tools.

Sneaky!

If you want to learn more about wireless attacks and defense, I definitely recommend Josh Wright’s class – SANS 617.

Sherri Davidoff

PGP-signed text: 2009-03-09 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/03/09/rogue-wireless-gets-sneakier/feed 6 http://philosecurity.org/2009/03/02/national-drug-intelligence-center-keeps-hashes http://philosecurity.org/2009/03/02/national-drug-intelligence-center-keeps-hashes#comments Mon, 02 Mar 2009 05:20:27 +0000 sherri http://philosecurity.org/?p=1087 The National Drug Intelligence Center has developed software called (ahem) “HashKeeper” “as its principal tool to expedite the analysis of electronic media.”

Hahahaha…..

Apparently, “HashKeeper is available free of charge.” Contact the National Drug Intelligence Center for more information.

National Drug Intelligence Center
c/o Mr. Steve Gironda
Telephone: 814-532-4987
E-mail: ndic.domex.request@usdoj.gov

Hat tip to John Masterson.

Sherri Davidoff

PGP-signed text: 2009-03-01 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/03/02/national-drug-intelligence-center-keeps-hashes/feed 3 http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking#comments Mon, 23 Feb 2009 11:43:10 +0000 sherri http://philosecurity.org/?p=983 Last week marked the original official deadline for the Digital Television Transition, after which analog television broadcasts would be terminated. (The official deadline was recently extended to June 12, 2009.) To ease the transition, the US government launched the TV Converter Box Coupon Program, which “allows U.S. households to obtain up to two coupons, each worth $40, that can be applied toward the cost of eligible converter boxes.” (TV converter coupon program site)

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

 

Sherri Davidoff

PGP-signed text: 2009-02-23 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking/feed 2 http://philosecurity.org/2009/02/17/white-collar-looting http://philosecurity.org/2009/02/17/white-collar-looting#comments Tue, 17 Feb 2009 05:54:28 +0000 sherri http://philosecurity.org/?p=920 One midsummer night in 1977, the power went out in New York City. “Thousands of people took to the streets and smashed store windows looking for TVs, furniture, or clothing… The police made 3,776 arrests, although…many thousands escaped before being caught. 1,037 fires burned throughout the City…” (Blackout History Project)

The troublemakers weren’t faceless terrorists but local youth and ultimately, mainstream moms and dads. The most notable shift in the demographic of the looters occurred between the hours of 11:00 P.M. and midnight when stable, normally law-abiding citizens began to participate in the scavenging and mayhem.

The massive extent of the looting, especially compared with the few disruptions that occurred during the 1965 blackout, was partly due to the economic downturn. By 1977 the unemployment amongst young blacks in New York City had reached 40%, compared to roughly 20% in 1965. Many people were out of work and the standard of living had decreased; however, television and media constantly reminded people of the material goods which they could not possess. (Time, 1977)

It’s no wonder that in the current economic downturn, companies are starting to worry more about the “insider threat” and white-collar looting. “Information security experts are bracing for the law of unintended consequences to swing into action in 2009 as layoffs, downsizing and low morale bring the worst out of trusted insiders looking to profit off of proprietary intellectual property, customer contact lists, trade secrets and any other sensitive information. …[L]ast December the majority of participants in a survey reported that if they were fired tomorrow they would definitely take company data with them to their next employer.” (Lumension, 2009)

Today, as downsizing becomes rampant, there are increasing numbers of disgruntled former employees, who sometimes have deep knowledge of an organization’s IT infrastructure. There are also more disgruntled current employees, as downsizing places greater burden and stresses on staff that remain. As scholar Ho Yanxi quoted, “The one who treats me well is my leader, the one who treats me cruelly is my enemy.’” (Cleary, Art of War).

Exacerbating the situation, fewer staff means less people to monitor and maintain already out-of-control networks. This increases the risk of security vulnerabilities and lowers the risk that a theft will be noticed, proportionally increasing the likelihood of exploitation. Cutting already overworked IT staff leads to a downward spiral of network disrepair, security incidents and stressed IT workers.

The risk-vs-reward calculations are illustrated in this interview with one of the first blackout looters:

Interviewer: “What kind of money would you need to stop you from [looting]?”
J: Oh, it wouldn’t just have to be money. It would have to be my position in life. Like if I was to go to law school, and have a nice paying job, and be established in a firm or something… I wouldn’t take the risk of getting busted and havin to go to jail and blowin’ my schooling. It’s not worth the risk. (Blackout Looting!, p.176)

As white-collar workers feel increasingly disenfranchised, the risk of insider data theft proportionally rises.

Who are “we,” anyway?

The “insider threat” is even more serious when a large percentage of workers are contractors, who have even less incentive to ensure long-term organizational stability. The war in Iraq nicely illustrates this phenomenon. Last week the GAO released a very interesting report on US operations management in Iraq and Afghanistan, in which they stated, “As of July 2008, there were approximately 162,400 DOD contractors and, as of December 1, 2008, approximately 148,500 U.S. troops in Iraq.” This enormous ratio of contractors to military staff proved overwhelming. “Lack of adequate numbers of contract oversight personnel,” was cited as a serious issue. “[T]oo few contract oversight personnel limited DOD’s ability to identify savings, monitor contractor performance, or resolve contractor performance issues.” (GAO, 2/2009)

Lacking oversight, training and incentives, contractors took enormous advantage of their situation. “KBR employees who were contracted to perform construction duties inside palaces and municipal buildings were looting,” said Linda Warren, a contracted laundry foreman, during Senate hearings. “Not only were they looting, but they had a system in place to get contraband out of the country so it could be sold on eBay. They stole artwork, rugs, crystal, and even melted down gold to make spurs for cowboy boots.” (The transcript of her testimony is definitely worth reading.)

Even contracting officers took advantage. Yesterday the New York Times released a front-page exposee, in which they reported, “Maj. John L. Cockerham of the Army pleaded guilty to accepting nearly $10 million in bribes as a contracting officer for the Iraq war and other military efforts from 2004 to 2007, when he was arrested. Major Cockerham’s wife has also pleaded guilty, as have several other contracting officers…. Former American officials describe payments to local contractors from huge sums of cash dumped onto tables and stuffed into sacks as if it were Halloween candy. “You had no oversight, chaos and breathtaking sums of money,” said Senator Claire McCaskill.”(NYTimes, 2/15/2009)

Iraq is an extreme, but informative, example. Given these recent graphic illustrations of the results of contractor mismanagement, it’s worth examining the current situation in the IT sector, where contractor jobs are rising even as general employment falls.

“Contract work fuels rise in tech job postings” reported CNET news last week. “Tech job listings rose to 57,337 as of February 2…But if you’re looking for full-time work with health benefits, you may not find the new data to be especially good news: Helping to drive that modest increase was a 7.3 percent gain in the number of contractor positions… ‘In uncertain times, companies are looking for flexibility in their payrolls to continue with critical projects,” said Tom Silver.. [of] Dice.com. Those critical projects often involve improvements to a company’s infrastructure… ‘For the last year or so, contractor jobs have accounted for 38 to 40 percent of the positions, but I expect that increase,’ Silver said. He noted he wouldn’t be surprised if the percentage for contractor job postings eventually reached to 50 percent later this year.” (Kawamoto, 2/2009)

In other words, the people being hired to work on “critical” infrastructure projects are increasingly those that do not receive health benefits and have little invested in the long-term survival of the company. Furthermore, as the ratio of full-time to contractor staff shrinks, there are fewer full-time employees to provide oversight.

Solutions: Maintaining Security in a Weakening Economy

The blackout of 1977 and the Iraq war illustrated two important factors which ultimately led to widespread security failures and looting:

1. Reduced incentives for large numbers of individuals to support the current system;
2. Limited oversight and low perceived risk of personal repercussions.

These two factors are increasingly present in the IT sector today, where a growing percentage of disgruntled employees and contractors have access to critical IT infrastructure, and where companies do not have the staffing or technical resources to monitor access and lock systems down.

How can we correct these fundamental problems that lead to the “insider threat?

1. Help workers to feel invested in the current system;
2. Increase the perception of oversight and perceived likelihood of repercussions.

Any time there is a fundamental disconnect between the incentives of the people versus the organization, there is naturally internal conflict and greater risk of people undermining the status quo. When workers do not feel invested in the system, security incidents abound. Conversely, organizations can reduce the risk of insider attack by giving people a stake in the company’s success. A favorite of the security industry, ancient military strategist Sun Tsu wrote about the importance of “inducing the people to have the same aim as the leadership.”

Even on a tight budget, organizations can still foster worker loyalty. As demonstrated during World War II, it is possible to maintain– and even grow– a dedicated workforce during tough times. The WWII propaganda effort was implemented as a massive postering campaign on an unprecedented scale. During a period where civilians re-used scraps of paper because supplies were so limited, the US Office of War Information sought to “[ poster ] America every night,” and treated posters “as real war ammunition.” (Design for Victory, p. 11-12) The investment paid for itself hundredfold.

Without resources for appropriate staffing and equipment, a high-return security investment for many companies might be a simple PR campaign, designed to motivate employee loyalty. Similarly, even organizations that lack the resources to install and maintain proper monitoring capabilities can still at least create the perception of oversight, which can dramatically reduce incidents. Physical security professionals have long utilized this tactic, for example by installing $30 dummy cameras and warning signs which advertise that the premises is actively monitored.

I often say that “humans are unreliable components,” but that’s not really true. Humans are unreliable when placed in unstable situations and given conflicting incentives. Much like transistors in a circuit, humans within organizations tend to act predictably based on perceived incentives and risk.

In today’s downward economy, companies are dramatically reducing incentives for workers and expanding the ratio of IT contractors to employees, even while IT oversight and monitoring capabilities are already very limited. As with New York’s 1977 blackout and the Iraqi occupation, workers find themselves with conflicted incentives, and some will invariably decide to serve their own well-being rather than the larger organization. How can organizations lower the risk of “white-collar looting”? Advertise incentives for workers to support the organization, and instill at least the perception (and better, the actuality) of oversight and monitoring.

Sherri Davidoff

PGP-signed text: 2009-02-16 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/02/17/white-collar-looting/feed 2 http://philosecurity.org/2009/02/09/airport-internet-kiosk-phishing http://philosecurity.org/2009/02/09/airport-internet-kiosk-phishing#comments Mon, 09 Feb 2009 06:03:40 +0000 sherri http://philosecurity.org/?p=814 Walking through the Minneapolis airport, a friend and I came across something… not right.

	Apparently, the “New and Improved” Internet Access GateStation kiosk had rebooted, and hung with the BIOS displayed. We laughed and walked closer to get a good look.
	Interesting. It was configured to boot off a USB floppy drive. There couldn’t be a USB port accessible… could there?
	Turned out there was a USB port…
	…Right next to the keyboard. Hmmm.
	That keyboard couldn’t possibly control the BIOS screen, though.
	Oh, wait. It did. We had inadvertently switched the boot device from “USB FDD” to “USB ZIP/Flash.” We could probably boot the kiosk off our own USB thumb drive if we wanted.
	The kiosk had two terminals. One screen was dead and the keyboard was connected to the BIOS display. The other screen appeared to be fully functional. The functional terminal advertised “Go to Web” “Get Email” and “Flight Info.”
	Clicking on the “Get Email” link brought up a payment screen.
	The kiosk accepted cash and credit cards.
	Even though there was clearly a very strange technical problem, people lined up to use the working terminal of the kiosk. Here is a photograph of one person who swiped his credit card and used the kiosk while we stood there, loudly discussing the potential security implications.

Airport kiosk phishing, anyone?

Let’s review:

1. The kiosk had a live keyboard connected to the BIOS setup
2. A USB port was easily accessible and listed as a boot option
3. The kiosk routinely processed highly valuable (and regulated) personal information, such as credit card numbers and email passwords
4. Despite the fact that the kiosk had a super sketchy software error displayed on a screen 4′ high, people lined up to swipe their credit cards and type in their email passwords anyway.
5. The BIOS was displayed and accessible the entire time we were at the airport (a few hours). Airport security staff sat in little carts right next to the kiosk, and didn’t seem interested in reporting the error to anyone. For all we knew, it could have been like that for days.

When a kiosk is bootable from an easily accessible USB port, this opens it up to a variety of attacks. If we were Evil, we could have created a bootable USB thumb drive with our own “New and Improved” Internet Access software (ie. a simple customized Linux distribution) and booted the kiosk off of that. The software could record credit card numbers and password, which would always run before any of the normal software, and store them on the thumb drive which we could later snatch. Given that people didn’t seem at all phased by glaring software glitches, our Evil software probably wouldn’t even have to be very good to successfully snag valuable financial and account information.

Even worse, if the internal hard drive was writable, we could have modified GateStation’s operating system and inserted our malicious code into the legitimate software. If we were really sneaky and willing to put in the effort, we might have been able to flash the Award BIOS and insert our own low-level malware, which would be extremely difficult to detect. This would be a sophisticated attack, but given the high payoff, criminals might consider it worthwhile.

The value of information entered into airport kiosks is very high, but often the level of security is not commensurate.

Sherri Davidoff

PGP-signed text: 2009-02-08 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/02/09/airport-internet-kiosk-phishing/feed 3 http://philosecurity.org/2009/02/02/identity-protection-racket http://philosecurity.org/2009/02/02/identity-protection-racket#comments Mon, 02 Feb 2009 12:21:56 +0000 sherri http://philosecurity.org/?p=703 Credit bureaus and credit card companies have direct control over the risk of identity theft. They control the systems for granting and rescinding credit, including fundamental mediums for communication and related security features. Oddly, that doesn’t stop them from trying to profit when things go wrong. Credit companies strongly push their identity theft “protection” services, especially now that identity theft is on the rise. For example, Equifax offers “ID Patrol” and Discover offers “Identity Theft Protection.” These services appear to be effectively glorified credit monitoring services offered at $10-20 a month.

Sounds like a protection racket to me. “A protection racket is an extortion scheme whereby a powerful entity or individual coerces other less powerful entities or individuals to pay protection money which allegedly serves to purchase protection services against various external threats. Those who do not buy into the protection plan are often targeted by criminals…” (Wikipedia)

Equifax’s scare tactics include: “Don’t become a statistic. Every year, millions of people fall victim to identity theft.” Experian writes, “Specialized criminal gangs increasingly work outside of the United States to gain access to account information. They then perpetrate crimes online…” Discover advertises “Identity theft occurs every 79 seconds and affected 8.4 million people last year.”

Funny– at the same time, the Big Three lobbyists have been trying to convince Washington that “identity theft isn’t as big a threat as people think.” Represented by the Consumer Data Industry Association (CDIA), these very same companies lobbied intensely against laws “empowering consumers to freeze access to their credit histories to prevent identity theft.” (USA Today, 2007) Credit companies also routinely sell consumers’ financial and contact information, subjecting people to solicitations including bait-and-switch loan swindles or identity theft scams.

Credit bureaus have fought against widespread use of fraud alerts and similar techniques which require that they proactively verify consumer identities before, say, new accounts are opened in consumers’ names. Last year Experian sued identity theft protection firm, LifeLock, for activating fraud alerts on behalf of hundreds of thousands of clients. Experian “claimed that alerts should be entered only when people have already been victimized by identity theft or have legitimate reasons to believe that they are at imminent risk.” (Network World, 2008.) I’ve heard that “identity theft occurs every 79 seconds.” Does that count?

Having put himself through MIT on a credit card, Blake Brasher, author of “Infinity Day Weekend,” knows more than anyone I’ve ever met about how to wrangle with the credit industry. The roboticist-turned-painter writes, “I had an obnoxious encounter with Discover card a month ago. I called to negotiate a special APR and they tried to get me to sign up for their identity theft protection service. The guy wouldn’t take no for an answer, and very nearly tricked me into signing up.

“I finally said, ‘Actually, I want to close this account. You’ve convinced me that using this card is not safe and to protect myself from identity theft I want to close the account.’ So he transferred me to someone in the accounts department.

“The woman who answered… explained to me that actually, my Discover card account has built in, free fraud protection, and that if someone tried to commit a fraud with my account I would not be liable at all. They scare you into thinking you need this extra service, but if they scare you too much and you threaten to close your account to keep it safe they go ahead and let you know that you don’t actually need it.”

There are obvious steps that credit companies could take which really would reduce the risk of identity theft– such as taking further measures to verify identity, reducing sales of personal data, using PINs, etc. However, credit companies won’t support measures which reduce their own profits. “Identity theft could be made as obsolete a crime as cattle rustling or high-seas piracy,” reported MONEY Magazine several years ago. “…[It's] now possible to request a freeze on your credit report, stopping anyone from granting new credit without your approval. Why isn’t this brutally simple and effective solution more widespread? Simply put, it disrupts the free flow of credit information on which consumer lenders and data sellers depend.”

When credit companies play both sides of the game, there are reduced incentives for them to build secure systems. Rather, they have found a way to profit from crime. By fighting consumer protection measures and selling personal data, credit companies increase consumers’ risk of identity theft. As long as credit companies can scare enough people into paying them for “protection,” they can actually make money from the results of their own recklessness– thus passing the costs of identity theft on to consumers or merchants, and reducing or even eliminating financial incentives for genuine, systematic improvements.

Sherri Davidoff

PGP-signed text: 2009-02-02 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/02/02/identity-protection-racket/feed 1 http://philosecurity.org/2009/01/26/mind-your-business http://philosecurity.org/2009/01/26/mind-your-business#comments Mon, 26 Jan 2009 08:07:53 +0000 sherri http://philosecurity.org/?p=660 The motto on the very first official United States coin was “Mind Your Business.”  Designed by Benjamin Franklin in 1787, the front of the coin also bore a picture of the sundial with with word Fugio (Latin, “I fly”). Franklin was fond of aphorisms, and the design has been taken to mean, “Time Flies, Mind your Business.”  Franklin’s message was at once sound economic advice and an assertion of privacy.

My, how time flies. A little over two hundred years later, it’s difficult to conduct business privately.  “American Express knows everywhere I go, how long I stay, where I eat, how much I pay,” said security consultant Jonathan Ham. “They could reconstruct my activity on a day-to-day basis.”

Our entire system for conducting financial transactions has changed– and the collection, trade and analysis of detailed personal information is now an enormous component of everyday payment processing.  During 2006, there were 93.3 billion non-cash payments in the United States, meaning third parties were involved in transactions 93.3 billion times. Non-cash payments have increased an average of 4.6% each year since 2006. (Federal Reserve, 2007) There’s no direct way to measure the number of cash transactions, but estimates indicate that the usage of cash in the US is decreasing.

Due to the extreme importance of credit scores, Americans are strongly pressured to use credit cards and build up credit, at the cost of our privacy. Without a credit score, it’s very difficult to buy a house or car, and companies charge far more for insurance. Personal credit checks are now standard for renting apartments, buying houses and many other basic needs.  “They are using FICO scores to evaluate job applicants!”  wrote my father recently.

Personal transaction monitoring goes far beyond credit reports. Financial institutions routinely track and profile customers’ daily habits. A few months ago, I drove cross-country and found myself using my credit card a lot for gas purchases. In the middle of South Dakota, the card suddenly stopped working. I called up the card company.

“Well, you need to notify us if you’re going to be traveling,” admonished the American Express representative.

Like hell, I thought. Notify American Express every time I want to travel? Who do they think they are, my nanny?

Of course, American Express has an undeniable business interest in rabidly tracking card use. The system (which they have created) is ripe for abuse and fraud. As Matt Knox said, “When I use a credit card, the security model is the same as that of handing you my wallet and saying, ‘Take out whatever money you think you want, and then give it back.’”

To compensate for security weaknesses in their own system, financial institutions conduct extremely detailed, real-time monitoring of customer purchases and locations.

Financial institutions also profit from selling and trading personal payment histories. For example, credit card companies sell detailed personal purchasing records for the purposes of marketing. “Privacy restrictions… would require businesses to send significantly more catalogs to obtain the same response rates, and the resulting increase in cost would be passed along to consumer.” (Turner, 2001) Credit card companies routinely profit from selling personal consumer information to third parties, who use the data for targeted advertising.

If financial institutions were not able to reap financial gains from selling personal information, and if they were forced to compensate for systematic security weaknesses out of their own pockets, there would be economic incentives for them to create electronic payment systems that are genuinely more secure and require less monitoring.

Personal financial histories held by private companies are also routinely accessed by the government. Many people are concerned that this access has been abused. “Bipartisan groups in Congress are pressing to place new controls on the FBI’s ability to demand troves of sensitive personal information from telephone providers and credit card companies, over the opposition of agency officials who say they deserve more time to clean up past abuses.”  (Johnson, Washington Post, 2008)

What would Franklin have thought of our modern third-party payment and credit systems?

As it happens, the fledgling United States was completely ripped off by the manufacturer of the first official penny. At the time, the United States didn’t yet have a national Mint, so they outsourced currency production to James Jarvis of Connecticut, who had bribed the head of the Treasury board with $10,000 for the contract. Jarvis was supposed to produce 300 tons of pennies, but ultimately only produced four tons of slightly underweight coins. Furthermore, a congressional report stated that “Jarvis had received a large quantity of federal copper but had only paid for a small portion.” (Louis Jordan, University of Notre Dame)

Would tighter financial monitoring have ensured that the original contract was awarded based on merit rather than a bribe? Would a credit check have helped our fledgling nation avoid making a bad loan? Quite possibly.

Then again, payment is deeply tied with freedom to travel and other fundamental liberties. Anyone who has had their credit card frozen while traveling understands the power that global payment processing companies hold over individuals. Due to the extreme importance of a credit score, Americans today are strongly pressured into using credit cards, which result in the intimate details of our daily purchasing habits being sold and exploited. Fundamentally, we are being forced to choose between our privacy and essential needs such as a house.

Our founding fathers never experienced loss of personal privacy at the scale that we see today, and probably could not imagine a system in which even their daily grocery purchases were tracked and analyzed. If they had, they might have pointed out that privacy is fundamental to freedom, and freedom comes at a price. Sometimes the price of freedom is blood, sometimes it’s money, and sometimes it’s the convenience of “instant credit.”

Sherri Davidoff

PGP-signed text: 2009-01-26 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/01/26/mind-your-business/feed 3