Cybercrime Grit & Grime
That headline is not my assertion, but the conclusion reached by the Department of Justice itself. More specifically it’s the conclusion of a report by the Department’s Office of the Inspector General (OIG). The OIG’s charter as stated on its website is below.
The Office of the Inspector General (OIG) conducts independent investigations, audits, inspections, and special reviews of United States Department of Justice personnel and programs to detect and deter waste, fraud, abuse, and misconduct, and to promote integrity, economy, efficiency, and effectiveness in Department of Justice operations.
Typically, the OIG’s reports review the finances and activities of each of the Department’s nine bureaus. This particular report, however, reviews the entire Department of Justice’s activities around identity theft since President Bush created the Identity Theft Task Force in May 2006. The report notes that identity theft continues to be a growing problem that victimized more than 10 million Americans in 2008 (the last year for which any data is available).
Given this trend, you’d think the U.S. Department of Justice would have made significant progress in addressing this high growth crime. In fact, just the opposite is true. The data and conclusions in the report about the Department’s efforts to combat identity theft are truly disturbing. Some of the issues noted include:
- No work on a strategy to combat identity theft has been done since the President’s task force issued its initial report in May 2007
- Despite the growth in identity theft, the number of defendants charged and convictions obtained appears to have declined from 2008 to 2009. I say “appears to” because the data collected on identity theft prosecutions is so poor, not even the Department itself puts much faith in it.
- The Department does not collect sufficient data on the frequency and nature of identity theft. What little reporting it does do occurs very slowly. The results of the Justice Department’s 2006 identity theft survey are not expected to be released until this coming summer.
- There is currently a consistent lack of leadership and accountability on identity theft issues across all bureaus within the Department of Justice, including the two you’d like to believe would be leading the battle against identity theft: the FBI and the Criminal Division responsible for prosecuting federal crimes.
It’s not a pretty picture. It does, however, explain at least part of the reason why identity theft is growing so quickly. Besides being a relatively easy crime to commit, the odds of getting caught, let alone prosecuted, at least in the U.S. are very small. This situation obviously won’t change until something fundamental in our approach to addressing the problem does. We can only hope the OIG’s report spurs that change.
In the meantime, it is more important than ever that consumers do what they can to protect themselves from the criminal gangs that now perpetrate most identity thefts. PGP Corporation’s CEO, Phil Dunkelberger, wrote a pair of blog posts on exactly how to do this in late 2006. While it’s been more than three years, the recommendations are still valid. The first piece focuses on how to protect yourself from old-style offline identity theft and the second on how to protect yourself from online theft. The only thing I will add is that if you can only do one thing, order your credit report frozen. It’s easy and either cheap or free depending on where you live. MSNBC.com has a nice guide and all the links you’ll need to freeze your credit report.
Filed under: Cybercrime Grit & Grime
Tags: credit report freeze, Department of Justice, FBI, Identity Theft
The Internet Crime Complaint Center published its annual Internet Crime Report earlier this month. The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA). Some of the numbers in the report this year are just stunning.
While the number of complaints of cybercrime filed with IC3 increased 22% in 2009 compared to 2008, the total dollar losses increased a staggering 111% after four years of being relatively flat.
Chart: Annual Cybercrime Losses
The other thing I found surprising in the report is that the #1 scam type in 2009 was “FBI”-related. What this means is that these scams involved cybercriminals attempting to defraud consumers by impersonating an FBI official. Fully one sixth of all reported complaints fell into this category. I think this only proves that the cybercriminal element isn’t a lot brighter than its terrestrial equivalent. Impersonating a federal employee of any kind is punishable by up to three years in a federal penitentiary even if no other crime is committed. It seems to me that the prudent criminal would avoid committing a crime at LEAST until some victim coughs up some money.
The only good news I could find in the report is that the vast majority of losses involved relatively small amounts of money. It’s the sheer volume of them that drives the total loss number so high.
Chart: Average Cybercrime Losses per Incident
Filed under: Cybercrime Grit & Grime
Tags: cybercrime report, FBI, Internet Crime Complaint Center
One good way to tell if a topic has become mainstream is to monitor USA Today. So I wasn’t terribly surprised when I found the lead in the paper’s Money section on New Year’s Day to be focused on the latest trend in cybercrime. It seems that many cybercriminals, frustrated with the countermeasures put in place by larger banks and enterprises, are now targeting smaller businesses that have adopted online banking as a way to save both money and time.
As we all know, cybercrooks like to target the weakest link in any system that might yield cash or cash equivalents. In this case, the miscreants have determined that some of the systems banks use to support smaller businesses have material weaknesses that can be exploited. Specifically, the Automated Clearing House (ACH) systems and wire transfer systems have not kept pace with the threats they now face. As everyone’s favorite banking fraud analyst, Avivah Litan, points out, the controls for these two critical pieces of financial infrastructure are decades old and were designed with a completely different set of threats in mind.
Pretty much everything about this story is standard cybercrime stock. The attack starts with a spear phishing attack aimed at a small business, a trojan is planted via email or by a corrupted website, authentication credentials are then compromised and used to move funds from the target to the perpetrator’s (offshore) account.
The only thing that’s a little bit different about this story is the recommendation being made by the American Bankers Association and the FBI to block the attack. Both are recommending that small businesses use a dedicated desktop or laptop machine for all of their online banking that is never used for email or web browsing. While this approach would certainly work given what we know of this threat, I wonder how many small businesses can or want to set aside a dedicated online banking PC. And even if they did, just how are they supposed to get the information needed to execute those online transactions on and off that machine?
It seems to me that this might be a valid (if complicated) tactical approach, but that the real solution involves upgrading the core security in the ACH and wire transfer infrastructure to use current authentication and encryption technologies to secure both the transactions and the data they generate.
Filed under: Cybercrime Grit & Grime
Tags: ACH, Avivah Litan, PGP Cybercrime Grit & Grime, Spear Phishing, USA Today, wire transfer
The decline in the newspaper business has already killed some major publications, but for some reason has not (yet) killed off the category of publications known simply as “Advertisers.” These are the free publications that typically carry three to four local stories each day, a few dozen syndicated features and lots and lots of ads for local businesses.
We have a couple of these publications in my neighborhood including one entitled the “Daily Post.” In a cover story today, they reported that local police stopped a car early Sunday morning and in it found:
“…receipts, unopened mail, doctor’s bills and checkbooks belonging to residents in Pleasanton, Menlo Park, Fremont, Atherton, Redwood City and Mountain View.”
“If that wasn’t enough, police came upon a couple of rocks that could be used to smash car windows…”.
PGP Corporation’s CEO, Phil Dunkelberger, has written previously about the need to use a locking mailbox and shred mail containing personally identifiable information (PII), etc. to prevent offline data theft. Now you can add one more place in which you shouldn’t leave bills, pay statements, tax forms or anything else that can be used to cause identity theft.
When the “smash and dash” class of criminal (not known for its sophistication) has come to understand the value of PII, you know it’s time to get serious about protecting your utility bills, investment statements and other mail. I’m not quite ready to install a shredder in my car, but you can be sure I won’t be leaving any mail in my vehicle any more and urge you to do the same.
Filed under: Cybercrime Grit & Grime
Tags: Identity Theft, PII
Most readers of this blog are aware of the unholy alliance between the world’s spammers and cybercriminals. This partnership is based upon the spammer’s ability to present scams to millions of innocent users on behalf of the crooks who would defraud them. The work of these two groups of miscreants most typically presents itself as phishing attacks on individuals and, more recently, spear phishing attacks on targeted corporations.
So it was with some interest that I noted two headlines in the data security trade press this week. The first was the verdict handed down to the self-proclaimed “King of Spam,” Sanford Wallace. A judge in California ordered Wallace to pay Facebook $712 million in damages for sending bogus emails to Facebook users. While it’s another positive sign that the judicial system is willing to use what little control it has to penalize spammers, there is little chance any money will actually change hands, as Wallace declared bankruptcy earlier this year.
The other, somewhat more depressing headline, claimed that 92% of global email traffic is now spam. Back when I worked for one of the pioneering anti-spam companies, we were surprised when the fraction of spam in all global email sailed through the 50% point and appeared to be on a vertical trajectory. Now that nearly all email is effectively spam, it’s little wonder that many Internet users are abandoning email and simply communicating via Facebook, Twitter, and other social media platforms.
So will verdicts like the one handed down in the Facebook case cause the amount of spam (and its cybercrime payloads) to finally start to decrease? It’s unlikely. Spammers continue to clog the Internet with junk mail because it’s profitable, and will continue to do so until it becomes less profitable than the next most profitable thing they can do with their time and resources.
Sam O’Rourke, senior counsel at Facebook, was quoted after the verdict as saying, “This is another important victory in our fight against spam.” I wish he were right, but as Facebook will likely collect nothing and the spam flow in our email is showing no signs of abating, I’m having a hard time seeing why it’s important. Is it a moral victory for Facebook? Sure. Does Judge Jeremy Fogel deserve praise for sending a signal that, at least in his court, spammers will receive no mercy? Absolutely. But will this outcome have any effect on the amount of spam in our email or the number of people defrauded by the bogus offers delivered? I think that’s very unlikely.
Until the governments (primarily in Asia and Eastern Europe) that are aiding and abetting the criminals perpetrating these crimes stop protecting them from the reach of global law enforcement, we’ll continue to see headlines like the two cited above. Unfortunately, we’re also likely to see ever more sophisticated scams and delivery mechanisms appear as the perpetrators learn how to best exploit the social media platforms and legacy communications tools we all use every day.
Filed under: Cybercrime Grit & Grime
Tags: Facebook, Sanford Wallace, spam
It’s been more than a month since my last posting and it’s been surprisingly quiet on the cybercrime front since the Albert Gonzalez plea deal was announced. There have been a few new stories like this one in Network World summarizing how organized crime, mostly Russian, is taking over the global cybercrime industry. Followers of this blog will find nothing new in these stories other than the fact that nearly all major news outlets now seem to view cybercrime as a ‘beat’ requiring regular reportage.
There were, however, two smaller developments of interest. The first was the discovery that a Russian syndicate had offered a forty-three-cent “bounty” for every infected Macintosh a user could deliver. It’s an interesting case on two fronts. First, it points out that even though Mac OS still represents less than 15% of computers in use on the ’net, they are becoming a more appealing target for cybercriminals. Second, it illuminates how the bad guys are using standard e-commerce traffic development techniques, an affiliate program in this case, to perpetrate their crimes or build bot-networks to enable large-scale attacks down the line. As the cyber-miscreants adopt more and more of the techniques of e-retailers, the ability to establish a trusted reputation in cyberspace will become ever more important. Look for more services coming online that vet retailers, service providers, and even individual messages to provide the level of trust required for the continued growth of e-commerce. I predict significant growth in the “reputation services” sector in the coming two years.
Finally, under the category of truly grit-and-grime, check out this story on a “money mule” in The Washington Post. The term “mule” in this case is appropriated from the desperately poor foot soldiers in the drug war that carry contraband from source to market. In the cybercrime sector, mules are individuals that the syndicates use to both transfer and launder money that’s been misappropriated, typically through fraudulent wire transfers. Being a cybermule clearly doesn’t carry nearly the physical risks of being a drug mule, but the story is still scary enough to make you suspicious of almost any work-at-home scheme…as you should be.
Filed under: Cybercrime Grit & Grime
Tags: macintosh bounty, mafia, money mule, PGP Cybercrime Grit & Grime, reputation services
Doug McLean – Blogmeister
Readers of this blog know that I’ve been following the case against Albert Gonzalez, the alleged mastermind behind the TJX breach. Last Monday came the shocking news that the Justice Department has concluded that Gonzalez also led the teams that breached both Heartland Payment Systems and Hannaford Bros. Supermarkets. Think about that for a minute: we’ve now traced three of the largest data breaches in history to the “vision” and leadership of a single man. Gonzalez is currently incarcerated in Brooklyn, NY, where he’s awaiting trial for allegedly perpetrating the comparatively modest breach of Dave & Buster’s Restaurants.
We’ve also learned that Gonzalez and his colleagues did not attack companies at random, but selected specific Fortune 500 corporations based on their business practices and assumptions about the nature and scale of data that could be stolen. Gonzalez obviously has a brilliant criminal mind and you’ve got to admire his abilities at some level even if you condemn his ethics.
The century is still young, but it seems pretty clear that Mr. Gonzalez can legitimately claim the title of Cybercriminal of the Century, at least for now. His exploits make those of Kevin Mitnick pale in comparison. He is, however, certainly not the last of his kind we’ll see, and it wouldn’t surprise me if the latest disclosures entice even more ethically challenged hackers to the dark side.
UPDATE
On Friday (August 28, 2009) it was announced that Gonzalez would plead guilty to all 19 counts filed against him in the TJX breach. As a part of the deal Gonzalez will serve 15 to 25 years in prison (with very limited Internet access I’m guessing). And just to prove that crime does pay, he will be forced to relinquish $3m in cash, his condo, and a late model BMW.
As I’ve observed earlier, the federal prosecutors in this case took a very deliberate approach to building an ironclad case against Gonzalez. It’s clear that their work paid off, and I think we all owe them a debt of gratitude for taking this case seriously and sending a clear message to those that might want to follow in Gonzalez’s footsteps.
Now that the entire story is out and we’re reaching the end of the legal actions, my only question is who is going to write the book about Gonzalez’s exploits? Are you listening, John Markoff?
Filed under: Cybercrime Grit & Grime
Tags: Albert Gonzalez, Cybercriminal, Heartland Payment Systems, John Markoff, TJX
Doug McLean – Blogmeister
The Washington Post broke an interesting story just before the Independence Day holiday about the issues the National Security Agency (NSA) has encountered in deploying their latest cyberdefense system. The Post requires a log-in to view the story, but the Wall Street Journal also covered the topic in more depth and it’s open to all to read, which I strongly recommend to anyone that cares about cybersecurity.
The basic story runs as follows. The Bush administration chartered the NSA with developing a comprehensive solution to both detect and block cyberattacks aimed at federal networks. The system, named Einstein, was originally deployed in 2002, though the functionality of the system was limited to intrusion detection; no countermeasure capability was included. Einstein III has been under development for a number of years and is nearly at the point where it’s ready to be tested.
So, here’s the problem. The architecture of Einstein III assumes that the content (not just the packet headers and metadata) of all incoming Internet traffic to government agencies will be inspected and evaluated to determine if it contains anything that might be a threat. In order to implement this approach, the government must rely upon the cooperation of the carriers from which it purchases Internet connectivity services.
Having been burned by their participation in the Bush administration’s warrantless surveillance program in 2005, the carriers, led by AT&T, are sensibly asking for advance approval from the Justice Department to avoid any potential legal liability. As the program will involve the inspection of both incoming public and private sector traffic, the carriers’ concern is understandable. The legal issue involved assumed even more importance last month when the Obama administration announced its intention to proceed with the deployment of Einstein III and that the NSA has now been given the cybersecurity charter for all military networks. As the NSA already had a portion of the charter to protect civilian agency networks, this means that Einstein III could become the backbone of the federal government’s cybersecurity strategy.
For those of you that are opposed to carriers being involved in this effort, I have one piece of advice: get over it. While the carriers’ participation in the warrantless wiretap program was regrettable, it does not mean the private sector doesn’t have a role to play in protecting public sector networks. In fact, the carriers’ participation in Einstein III is exactly the kind of public/private sector partnership the President highlighted when he released the Hathaway report.
Just because such partnerships carry the potential for abuse does not mean they are not a necessary part of the nation’s cybersecurity strategy. In this particular case, there’s no practical way to achieve the mission of protecting government networks without this kind of collaboration. To be clear, I’m not arguing for blanket immunity for the carriers and other private sector firms that will be involved in this mission. We’ll need to develop standards of behavior and protocols with which the private sector will need to comply to prevent the kind of abuse that would infringe on our legitimate privacy and civil rights concerns. In this case, it will likely be necessary to codify these standards and protocols into federal legislation to ensure they are implemented consistently by future administrations.
The key to successfully protecting federal Internet assets is not to make it solely a federal government mission, but to structure the required public/private sector partnership in a way that is consistent with the mission, the legal framework in which it operates, and the expectations of privacy and liberty Americans expect of their government. As Alfred Nobel learned when he invented dynamite in the 19th century, almost all tools can be used for good or evil. Exactly how they are used depends upon the intent and skills of the craftsmen in whose charge we place the tools.
Filed under: Cybercrime Grit & Grime
Tags: AT&T, cyberdefense, Einstein III, NSA, private/public partnership
Most of the news coming out of the Black Hat conference in Las Vegas focused on the new attack on AES and the bootkit attack on the TrueCrypt full disk encryption product. While these are certainly compelling pieces of research, I also found the reviews of the session on Russian organized crime to be quite interesting. The session was co-hosted by the FBI and McAfee and focused on the causes and consequences of the old line Russian criminal gangs entering the cybercrime business.
Make no mistake, these guys are not hackers that just happen to have turned to the dark side. There’s not really a Russian mob so much as there is a mob that happens to be Russian. Russia has a long history of organized criminal gangs that go back to the gulags in which Stalin imprisoned his enemies and perceived enemies. The gangs originally formed in these prisons as a matter of self preservation and branched out into traditional lines of criminal work if and when their members were released. Those of you not familiar with the “Thief in Law” phenomenon should spend a couple of minutes reading this overview piece. These are hardened criminals dedicated to stealing money in any way they can to the point of believing that any other line of work is “dishonorable”.
It’s little wonder, then, that cybercrime would flourish in this environment. The FBI estimates that Russian criminal syndicates extract more than $250m per year just from the U.S. using a combination of hacking financial institutions, identity theft, and other scams. Not only is cybercrime a very lucrative product line extension for the Russian gangs, the penalties if caught are ineffective in the extreme. Jail terms of less than a year are common, which barely causes their skills to get rusty. So, in the Russian criminal syndicates we have the perfect mix of resources, intent, and environment for cybercrime to grow very big, very fast, while getting very, very sophisticated.
As ComputerWorld reported, the Clampi botnet is now one of the world’s largest. Given its design and implementation, it is extremely difficult to trace, let alone defeat. Not only are Clampi’s perpetrators leveraging virtualization to stamp out hundreds of “unique” copies of the virus on which it depends for propagation, they are using quite sophisticated encryption techniques to secure the communication between infected machines and their command/control center.
If you’re not concerned about these developments, you should be. The technologies and approaches the bad guys are taking appear to be moving much more quickly than our ability to contain them as the recent lack of progress in just identifying a national cybersecurity advisor proves. As I’ve noted before, winning (or at least not losing) this battle is going to take more resources, more skill, and more focus than is currently being applied to it.
UPDATE 8/17/09: Government Computer News ran a story today on organized crime involvement in the cyberattacks against Georgia last year. I can’t say I’m surprised, but it does make me wonder just what role the Russian mob is playing in executing Russian foreign policy.
Filed under: Cybercrime Grit & Grime
Tags: Black Hat, botnet, Clampi, FBI, Russian organized crime
I’ve been reviewing some of the other blogs covering cybercrime and want to share with you five that I’ve found most interesting.
Kenyantykoon’s Blog on African Cybercrime: A very good country-by-country summary of one of the hot beds of cybercrime.
Cybercrime and Doing Time: One of the older blogs on cybercrime written by Gary Warner, Director of Research in Computer Forensics at the University of Alabama. He tends to focus on spam and phishing scams. He writes very cogently about cybercrime. This is a typical post on the current Bank of America phishing scam.
Schneier on Security: Not specifically focused on cybercrime, but deals with it frequently enough to make my list. Besides if you don’t enjoy Bruce’s writing, you’re not paying attention.
The Cybersleuth: Written by a criminal defense attorney in Miami. His piece on the security issues associated with cloud computing entitled A Chastity Belt for the Cloud, is quite insightful.
IdentityTheftInfo.org Blogs: Multiple authors and obviously focused on ID theft. Certainly not visually appealing, but provides comprehensive perspective on the myriad ways you can lose control of your identity.
I’ll update this list periodically as I find more blogs that are both useful and readable.
Filed under: Cybercrime Grit & Grime
Tags: Bruce Schneier, cybercrime blogs, Gary Warner, Howard Schmidt
This blog represents the personal opinions of certain employees of PGP Corporation, which do not necessarily reflect the positions or opinions of PGP Corporation. As such, these personal opinions are not endorsed by PGP Corporation and you should conduct independent assessments before basing any decision upon the statements made in this blog.
MANAGERS, HOSTS, PARTICIPANTS, MODERATORS AND OTHER THIRD PARTIES ARE NOT AUTHORIZED PGP CORPORATION SPOKESPERSONS, AND THEIR VIEWS DO NOT NECESSARILY REFLECT THOSE OF PGP CORPORATION, AND ARE NOT ENDORSED BY PGP CORPORATION. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP CORPORATION WILL HAVE NO LIABILITY RELATED TO USER CONTENT ARISING UNDER INTELLECTUAL PROPERTY RIGHTS, LIBEL, PRIVACY, PUBLICITY, OBSCENITY OR OTHER LAWS. PGP CORPORATION WILL ALSO NOT BE LIABLE FOR MISUSE, LOSS, MODIFICATION OR UNAVAILABILITY OF ANY USER CONTENT. PGP CORPORATION DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED WITH RESPECT TO THE BLOG OR BLOG CONTENT. YOUR USE OF THIS SITE AFFIRMS AGREEMENT TO THE FOREGOING.