Wednesday, September 30, 2009

New Malware Re-Writes Online Bank Statements to Cover Fraud

From Wired's Threat Level

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters HTML coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

More Details from the story ...

The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer’s login credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn’t exceed the victim’s balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

“They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there,” says Ben-Itzhak. “If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

This is an example of the dangers of 'insecurity.' We'll discuss these types of attacks in more detail later in the semester.

Monday, September 28, 2009

Survey: Half of businesses don't secure personal data

From C|Net News
The personal information you give to businesses may not be as secure as you hope, according to a new survey. Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.
Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.
This is hardly comforting. As we've discussed, businesses will collect data first and then figure out what to do with it later. In the interim it appears that many businesses do not bother to secure this data because it's "too expensive."

Sunday, September 27, 2009

Leaky Social Networks

From Ars Technica
According to a recent study by Worcester Polytechnic Institute researcher Craig E. Wills and AT&T Labs' Balachander Krishnamurthy. A "leakage," by the study's definition, is the opportunity for a third party to link the information they get from the social networks (either in the form of logs or browser cookies) to someone's PII—your name, phone number, and dog's favorite treat aren't passed on directly, but can easily be pieced together.
How is that possible? Not through your name, but through your profile's unique identifier, which is apparently included in the data given advertisers from most social networks. "We found that when social networking sites pass information to tracking sites about your activities, they often include this unique identifier. So now a tracking site not only has a profile of your Web browsing activities, it can link that profile to the personal information you post on the social networking site," Wills said. "Now your browsing profile is not just of somebody, it is of you."
As we've discussed in a previous class, personally identifiable information is a very broad term. Previous studies have shown that "anonymous" data elements can be combined to identify unique individuals. For example, MIT's Latanya Sweeney found that 87% of US citizens can be uniquely identified by the combination of their birth date, gender, and zip code.

In this case though, the data leaked is not as abstract and leads an interested party directly to your profile.

FBI Targets Online Extremists

The recent spate of arrests of terror suspects is based in part on excellent investigative work done by the Federal Bureau of Investigation. According to media reports, the FBI is doing an excellent job of monitoring online extremist message boards and chat rooms for signs of pending terrorist attacks.

One example is the arrest of Hosam Maher Husein Smadi, a 19-year-old Jordanian citizen who planned on bombing the 60-story Fountain Place building in Dallas, Texas. According to reports,
Smadi stood out to federal authorities in an online group for extremists because of his repeated remarks that he wanted to commit a violent jihad, or a holy war, against the United States.
Federal officials began speaking with Smadi in March after finding him on an online group for extremists.

Posing as al-Qaida members and speaking Arabic, undercover agents began to probe Smadi for more details of his plans. Slowly, he began to provide them details and ideas to carry out his plan.
We will discuss this case and others later in the semester as we analyze how terrorist groups are using the Internet to communicate and coordinate their activities with like-minded extremists. We will also discuss how to conduct online investigations of terrorist suspects.

Friday, September 25, 2009


I just picked up a new book entitled Total Recall: How the e-Memory Revolution Will Change Everything! The book chronicles Gordon Bell and Jim Gemmell's work on the MyLifeBits project at Microsoft Research. The premise of this project is to develop technology that will allow people to digitally record every event in their lives, including video streams, audio streams, texts, images, etc.

As we've discussed in class, a series of technological developments, including Moore's Law, dictates that computing devices will shrink in size, speed up in processing time, decrease in price, and increase in function. This trend will allow people to carry "sensors" that will record their conversations and grab video of their daily interactions.

The MyLifeBits project is the logical extension of these technological trends. It seems inevitable that people will embrace "life logging." Even those who opt-out will be forced to contend with this type of technology as their conversations and interactions can easily be captured by other life loggers.

What types of privacy harms would occur if this type of life logging technology became widely available?

Wednesday, September 23, 2009

Newly Declassified Files Detail Massive FBI Data-Mining Project

From Wired Magazine ...

A fast-growing FBI data-mining system billed as a tool for hunting terrorists is being used in hacker and domestic criminal investigations, and now contains tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store, declassified documents obtained by show.

Headquartered in Crystal City, Virginia, just outside Washington, the FBI’s National Security Branch Analysis Center (NSAC) maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the “Total Information Awareness” system first dreamed up by the Pentagon in the days following the Sept. 11 attacks.
Does this type of data mining harm privacy? If so, how? If not, why not?

Wednesday, September 16, 2009

Digital Safe Havens

Georgetown Professor Paul Pillar writes in today's Washington Post

How important to terrorist groups is any physical haven? More to the point: How much does a haven affect the danger of terrorist attacks against U.S. interests, especially the U.S. homeland? The answer to the second question is: not nearly as much as unstated assumptions underlying the current debate seem to suppose. When a group has a haven, it will use it for such purposes as basic training of recruits. But the operations most important to future terrorist attacks do not need such a home, and few recruits are required for even very deadly terrorism. Consider: The preparations most important to the Sept. 11, 2001, attacks took place not in training camps in Afghanistan but, rather, in apartments in Germany, hotel rooms in Spain and flight schools in the United States.

In the past couple of decades, international terrorist groups have thrived by exploiting globalization and information technology, which has lessened their dependence on physical havens.

The central question asked by Professor Pillar is whether the Obama administration's assumption that abandoning Afghanistan will create a needed safe haven for al-Qaeda is correct. Many policy makers believe that should we pull out of Afghanistan the Karzai government will fall and the Taliban will take over, or the country will disintegrate into a failed state. According to this argument, either condition will provide al-Qaeda with a safe haven to re-group and plan additional attacks against US interests at home and abroad.

Professor Pillar questions this assumption by pointing out that al-Qaeda and other al-Qaeda-inspired groups have used the Internet to communicate, coordinate, recruit, and train, and therefore do not rely on a physical safe haven for success.

What are your thoughts? Can a terrorist cell rely solely on the Internet to plan, coordinate and successfully execute an attack? We will discuss this question in more detail later in the semester.

Monday, September 14, 2009

How to short-circuit the US power grid

On September 11, 2009, Paul Marks from New Scientist published an article entitled How to short-circuit the US power grid. The article discusses work conducted by researchers from China's Dalian University of Technology. These researchers studied vulnerabilities in the US West Coast power grid. The researchers found that the best way to attack the power grid was to attack the least loaded nodes on the grid; attacking these lightly loaded nodes was the best way to cause cascading failures throughout the grid.

According to the research, "an attack on the nodes with the lowest loads can be a more effective way to destroy the electrical power grid of the western US due to cascading failures."

Although cyber vulnerabilities in the power grid have been found via other research, it should be noted that this article does not point to any specific "cyber" vulnerabilities in the power grid. Instead, the vulnerabilities discussed in this article lie within the structural design of the power grid, and the vulnerabilities found in the grid's design could presumably be exploited more easily through a physical attack - e.g. blowing up a generator.

We'll discuss this article later in the semester when we focus on information warfare and cyber attacks but I wanted to pass it along sooner rather than later.

Sunday, September 13, 2009

Google Knows All

The Washington Post's Cecilia Kang wrote a very interesting article on Saturday, September 12. The article, entitled Google Economist Sees Good Signs in Searches, details Google's Chief Economist Hal Varian's belief that the recession is waning and the US economy is in recovery. Varian comes to this conclusion through his analysis of what people are searching for on Google. The article states,
In March, the number of Google users searching for information about unemployment benefits or employment centers began to drop, Varian said. Overall unemployment has continued to climb, of course, but new jobless claims have declined since peaking earlier this year.
Varian's analysis of search history to measure economic trends is similar to how Google mined search histories to monitor flu outbreaks. Google launched Google Flu Trends in November 2008 after its researchers noticed a relationship between how many people searched for flu-related terms and how many people had flu symptoms. More importantly, Google noticed that its search history data could predict flu outbreaks up to two weeks earlier than the Centers for Disease Control, because people are likely to search the Internet about health concerns before they visit a doctor.

The Database of Intentions

On the surface our search histories do not appear to be particularly sensitive information, and they are unlikely to reveal our identity. However, recent history demonstrates the flaws in this logic and shows that our search histories can easily reveal our identity. In August 2006 AOL released 20 million "anonymized" search queries from approximately 650,000 users to the research community.

AOL anonymized these search histories by obfuscating or removing 'personally identifiable information' such as usernames and IP addresses. AOL replaced usernames with randomized unique identifiers.

Reporters from the New York Times analyzed these search histories and were able to identify user #4417749. The reporters noted that user #4417749 searched for
  • landscapers in Lilburn, Ga
  • 60 single men
  • homes sold in shadow lake subdivision gwinnett county georgia
  • several people with the last name Arnold
A quick check of other outside sources led the Times reporters to Thelma Arnold, a now 65-year-old widow living in Lilburn, Georgia.

This example reveals the false promise of anonymization. In particular, it is difficult for a database administrator to anonymize one data source when the administrator does not know what other data sources an investigator is able to access. In this case, the Times reporters were able to use the phone book or perhaps property records from Lilburn, Georgia. The combination of these data sources allowed the reporters to identify Thelma Arnold.

Saturday, September 12, 2009

Privacy and Anonymization

Professor Paul Ohm of the University of Colorado Law School recently published an important article entitled Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. The article discusses the perils of relying on anonymization as a means to protect privacy. In today's data-rich environment, in which individuals are constantly emitting data trails and leaving their digital fingerprints throughout cyberspace, Professor Ohm argues that it is virtually impossible to anonymize data.

Professor Ohm points to recent research which found that 87% of the US population could be uniquely identified through the combination of zip code, birth date, and sex. Said another way, 87% of US citizens do not share the same zip code, birth date, and sex with anyone else.

The take away from this article is that policy makers can no longer simply rely on labeling certain data as 'personally identifiable.' In today's digital age, all data must be treated as personally identifiable. As a result, we can no longer rely on anonymizing certain data elements to protect privacy. A new privacy protection regime must be developed because banning information sharing is not realistic.

I highly recommend this article for those students interested in learning more about anonymization and privacy.
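The linkage attack behind both the AOL user #4417749 story and the 87% finding Ohm cites can be made concrete in a few lines. The following is example code added for this post, not from Ohm's article or the Times; every record and name in it is constructed, and the two data sets stand in for a "de-identified" release and an outside source such as a phone book or voter roll.

```python
"""Re-identification by linking quasi-identifiers (constructed example)."""
from collections import Counter

QIDS = ("zip", "dob", "sex")  # Sweeney's quasi-identifiers

# Constructed "anonymized" release: names replaced by random ids, as AOL did,
# but ZIP code, birth date and sex left intact.
RELEASE = [
    {"id": 7310045, "zip": "30047", "dob": "1944-03-02", "sex": "F", "query": "landscapers lilburn"},
    {"id": 2209817, "zip": "30047", "dob": "1944-09-15", "sex": "F", "query": "knee surgery recovery"},
    {"id": 5184422, "zip": "30047", "dob": "1985-07-19", "sex": "M", "query": "divorce lawyer"},
    {"id": 9075331, "zip": "30093", "dob": "1985-01-05", "sex": "M", "query": "bankruptcy forms"},
]

# Constructed public record set with names attached (fictional people).
PUBLIC = [
    {"name": "Alice Rowe", "zip": "30047", "dob": "1944-03-02", "sex": "F"},
    {"name": "Bea Lind",   "zip": "30047", "dob": "1944-09-15", "sex": "F"},
    {"name": "Carl Voss",  "zip": "30047", "dob": "1985-07-19", "sex": "M"},
    {"name": "Dan Pike",   "zip": "30093", "dob": "1985-01-05", "sex": "M"},
    {"name": "Eve Moss",   "zip": "30047", "dob": "1985-07-19", "sex": "M"},
]


def identity(rec):
    return rec


def generalize(rec):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**rec, "zip": rec["zip"][:3], "dob": rec["dob"][:4]}


def qid_key(rec):
    return tuple(rec[q] for q in QIDS)


def k_anonymity(records, transform=identity):
    """Size of the smallest equivalence class (the k of k-anonymity); k == 1 means some row is unique."""
    counts = Counter(qid_key(transform(r)) for r in records)
    return min(counts.values())


def link(release, public, transform=identity):
    """Map each released id to every name in the public set sharing its quasi-identifiers."""
    by_key = {}
    for p in public:
        by_key.setdefault(qid_key(transform(p)), []).append(p["name"])
    return {r["id"]: by_key.get(qid_key(transform(r)), []) for r in release}


def reidentified(release, public, transform=identity):
    """Ids whose quasi-identifiers match exactly one named person: the re-identified rows."""
    return {rid: names[0] for rid, names in link(release, public, transform).items() if len(names) == 1}


if __name__ == "__main__":
    print("k of raw release:", k_anonymity(RELEASE))
    for rid, name in reidentified(RELEASE, PUBLIC).items():
        query = next(r["query"] for r in RELEASE if r["id"] == rid)
        print(f"id {rid} -> {name}: {query!r}")
    print("k after generalizing ZIP and birth date:", k_anonymity(RELEASE, generalize))
    print("re-identified after generalization:", reidentified(RELEASE, PUBLIC, generalize))
```

Removing names leaves k = 1 and three of the four "anonymous" searchers are named outright; only coarsening the quasi-identifiers themselves raises k and defeats the linkage, which is the point Ohm makes about labeling data elements as identifying or not.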

Tuesday, September 8, 2009

Privacy Fail

This weekend while perusing books at Barnes and Noble in Georgetown I noticed the book The Road to Big Brother. The book is advertised as an
entertaining and highly revealing account of his attempt to dodge Britain's 4.2 million CCTV cameras and other forms of surveillance, Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.
While scanning through the book I noticed an insert from the publisher, Encounter Books. The insert was an offer to join their mailing list and a request for the reader's personal information.

Clearly no one at Encounter Books understands privacy or irony!

Monday, September 7, 2009

Unreasonable Search?

School administrators have long declared an interest and intent to search students for drugs, weapons, and other contraband in the name of security. Some administrators have even gone so far as 'strip searching' students.

As more students carry cell phones and other PDAs on school grounds, administrators have increasingly targeted these devices for search or seizure. The ACLU recently filed a lawsuit on behalf of a Mississippi middle-school student.

Jacqui Cheng from Ars Technica provides good coverage of the story. According to Ms. Cheng,
Southaven Middle School in Southaven, Mississippi has a policy against cell phone use during school hours, as many schools do nowadays. In August of 2008, 12-year-old Richard Wade was discovered to be in violation of that policy after he received a text message from his father (who was traveling out of state) during "football class." That's when his cell phone was confiscated by his football coaches and then searched by the principal, as well as the Southaven Police Department. At that time, authorities found what they considered to be extremely scandalous, "gang-related activity"—that is, photos of Wade and a friend dancing in the bathroom at Wade's home. The friend held a BB gun across his chest while he danced.

Wade was suspended and then eventually expelled for having "gang signs" stored on his phone. That's when the ACLU got involved—the organization says that the football coaches, principal, and police violated Wade's constitutional rights and even acted outside of the school's policy of merely confiscating phones during school hours.
On the surface this case appears to be not only a violation of the school's own policy but an assault on the student's privacy. However, one must also consider the school's interest in this case. Does the school have a legitimate interest in protecting the general student population from potential threats? If so, how should school administrators balance their interest in providing a secure environment for students against the students' right to privacy?

Sunday, September 6, 2009

Insights via The Onion

With two posts from the Onion within the last week I can only conclude that 1) I still believe it's summer vacation and 2) humor is an effective tool to discuss complex policy questions.

Facebook, Twitter Revolutionizing How Parents Stalk Their College-Aged Kids

Text, Text, Text: Parental Nagging Evolves Electronically

The Washington Post checks in with an interesting story on how parents are increasingly using technology to communicate with their children as well as monitor their behavior. From the article,
Parents know more about flubbed tests and skipped homework because of online grading systems. They know more about social lives because of Facebook and MySpace pages.
The Post brings up some interesting issues that are relevant to our examination of privacy. Does our increasing willingness to share details about ourselves negate our right to privacy? If we share information on Facebook, even if we only share it with our network of friends, can we reasonably expect that information to remain private? We will discuss many of these issues in class.

Check out the full article here.

Wednesday, September 2, 2009

Opting Out

Here is a little humor to get you through the first day of class.

hat tip: The Onion

Tuesday, September 1, 2009

Video Surveillance - Enhanced Security or Privacy Invasion?

According to a London Metropolitan Police Department internal report only "one crime was solved by each 1,000 CCTV cameras in London last year."

David Davis MP, the former shadow home secretary, said: "It should provoke a long overdue rethink on where the crime prevention budget is being spent. CCTV leads to massive expense and minimum effectiveness. It creates a huge intrusion on privacy, yet provides little or no improvement in security."

Detective Michael McNally, who commissioned the report, agreed that more work needed to be done to realize the potential of video surveillance cameras.

McNally said, "CCTV, we recognise, is a really important part of investigation and prevention of crime, so how we retrieve that from the individual CCTV pods is really quite important. There are some concerns, and that's why we have a number of projects on-going at the moment."

A Metropolitan police department spokesman added, "We estimate more than 70% of murder investigations have been solved with the help of CCTV retrievals and most serious crime investigations have a CCTV investigation strategy."

Do you think video cameras deter crime and enhance security? If they do not deter crime do they enable police to more quickly catch the criminals responsible? Do they deter terrorists?

Finally, could the dollars required to install and monitor video surveillance cameras be reallocated to other technologies or investigative techniques that are more effective and less invasive?

source: BBC