The Problem With Memory Sticks


… is that you forget you have them in your pocket. According to Credant Technologies, a Texas-based security company, about 9,000 USB sticks have been left in people’s pockets in the UK when they take their clothes to the dry cleaners.

This is based on a survey (no link available; sorry) of 500 dry cleaners across the UK who, on average, had found 2 USB sticks during the course of a year. There are, according to the Textile Services Association, some 4,500 dry cleaners in the UK. A survey by the company of taxi drivers in London and New York last September showed that over 12,500 handheld devices such as laptops, iPods and memory sticks were left in the back of cabs every 6 months.

Taking these figures with the caution they deserve—two? Is that ‘We find on average two thumb drives each year’ or ‘yeah I suppose you could say a couple’?—it doesn’t sound surprising. Indeed, you’d think it would be higher, and, indeed, in the centre of London, it is: One dry cleaner in the heart of the City of London said he is getting an average of 1 USB stick every 2 weeks, another said he had found at least 80 in the past year.

Credant want to remind us that data on thumb drives is probably going to be valuable, and there could be a lot of it. With most drives now at least 2GB in capacity, that’s a lot of files that some bad guy could have access to. Encrypt, they say (using their software, presumably.)

They have a point. Though maybe encryption isn’t so much the answer as asking whether there’s perhaps a better way to carry sensitive data around with you? Like not?

Illustration from Computer Zeitung used with permission

Whatever Happened to Geo-encryption?

Ok, not the question on the tip of your tongue, but bear with me. Geoencryption, or geo-encryption, boils down to: How about if you could only access data when you’re at a certain spot? 

It’s not a new idea: the brains behind it, Dorothy Denning, a veteran of cryptology has been talking about it for at least a decade. When people were last getting excited about it, in the wake of 9/11,  it was all about movie studios being able to release films digitally confident that only movie theaters could decrypt them, or coded messages to embassies only be deciphered within the building itself. Now we probably know better: with more accurate GPS, and with GPS in phones, one could imagine much more portable uses, such as transmissions to the field that could only be deciphered once the recipient is in location, or automatically encrypting data if a device is moved without authorisation. 

But not much seems to have actually happened since then. The website for Geocodex, the company she helped set up, doesn’t seem to have an active web site — this one is blank, and has been since its inception (it was registered under the name Mark Seiler, a movie executive who set up the company in around 2000.) She does have a string of patents, though, the most recent of which was approved on November 28. Of course, the patent isn’t new: It was filed five years ago to the month. But it does seem to be the only one that mentions geo-encryption. So does this mean something will now happen? 

Some pieces: 

Geo-Encryption: Global Copyright Defense? from Slashdot, April 2002

How Geo-Encryption Makes Copyright Protection Global, CIO Insight, April 2002

Using GPS to Enhance Data Security at GPS World

and a profile of Dorothy Denning by Anne Saita, Information Security, Sept 2003, her homepage at the Center on Terrorism & Irregular Warfare and at Georgetown U.

update Dec 13 2006: after writing to Dorothy Denning I received this back from Mark Seiler:

It is still a bit premature for us to discuss GeoCodex publicly. Granted, after seven years, the word “premature” seems strange in any context. However, there are still other, related patent filings that we anticipate receiving shortly. This is not to say that we are not active while waiting on the patent office. This past year we began field trials for several different geo-encryption applications and additional test deployments will be on-going in 2007.

We to expect to start making announcements towards the middle of the year. If you’d like, we’ll make a note and give you a “heads up” at the appropriate time.

Although it’s taken much longer than we would have hoped, we still believe that geo-encryption – and GeoCodex in particular – offers a unique solution to the problem of protecting digital content.


The Strange, Short Life and Death of ‘My Private Folder’

Microsoft has introduced a new application for Windows XP users, and even more quickly, killed it off. The app was free, but what was the company thinking?

A piece by Mark Hachman and Natali T. Del Conte at PCMag on Friday says that “If you’ve heard of Microsoft Private Folder 1.0, forget it. As of 2:30 p.m. Pacific Time on Friday, it no longer exists. Microsoft quietly added the free encryption utility earlier this month, and then just as quietly deleted it. The utility allowed users to encrypt and store files inside a private folder.” Cute, and according to Microsoft designed as a benefit (read: inducement) to customers who allow their computers to be verified as running an unpirated copy of Windows.

The trouble is, the program doesn’t work. Or as a Microsoft spokesperson puts it: “we received feedback about concerns around manageability, data recovery and encryption, and based on that feedback we are removing the application.” The problem, according to Microsoft is that if you forget the password there’s no way back into the files you’ve encrypted (such services usually use a key management system called EFS that allows system administrators to retrieve files if necessary.)

But actually the problem was more serious than that. According to a note posted to the bottom of the story, the application runs a service in the background to allow encryption/decryption, which slowed the system to a crawl by apparently using more than 90% of the CPU. And while some network administrators have worried that they would be inundated with users’ pleas for help after forgetting their passwords actually the problem seems to lie more in the poor software itself — users reporting losing files, spontaneously rebooting and corrupting the encrypted files

Maybe the biggest blow, however, is that the files aren’t really hidden. For one, the folder installs itself onto the desktop, a big bright shining “My Private Folder” visible to everyone (this can be deleted). For another, Humphrey Cheung at TG Daily reports that by booting into Safe Mode a user is able to see all the files in My Private Folder. (This could also be done by simply uninstalling the application.) They remain encrypted but if someone really wanted to, they could examine the files with a hex editor to pluck out any interesting looking stuff. Even the file names might be revealing enough.

So the spokesperson was right in saying “around manageability, data recovery and encryption”. But why did Microsoft release something, however small and toylike, that was so fraught with problems, bugs and silliness?

Phishing Gets Smaller, Smarter

It’s intriguing how phishers are targeting smaller and smaller groups. Not only does it indicate that the bigger banks and institutions are becoming more secure (or their customers smarter) but it indicates that the phishers must be employing increasingly sophisticated methods of harvesting email addresses. Or is there something else afoot?

The Bakersfield Californian yesterday reported an attack on the Kern Schools Federal Credit Union which has, according to its website, 140,000 members and 10 branch offices. That’s actually not a lot of people to target, in spamming terms. Still, up to 25 members got the email and reported it to the union. One must assume many more received it and didn’t report it. The Bakersfield paper went on to say:

As large financial organizations become better at fighting off such phishing attacks, scammers seem to be targeting smaller regional banks and credit unions. Smart phishers are finding sources of e-mail addresses and using them to get in touch with bank customers. “They’re figuring out how to beat the probabilities of targeting people,” said Peter Cassidy, secretary general of The Anti-Phishing Working Group. “I guess this is the same discipline that marketers use.”

In many cases, that’s meant targeting people whose e-mail address is public. “In the past, phishers used to go after mainstream consumer Web sites with millions of users, but now the targets are becoming much smaller and more localized,” Dan Hubbard, senior director of security and technology research at online security firm Websense Inc., said in a statement.

An interesting feature of this chapter in the phishing saga. My guess is that these attacks are from quite different gangs than the original East European/ex Soviet groups that started all this. But I could be wrong. But here’s a thought: Could the customer data have been gathered from a data security breach? Clearly these breaches are a growing worry for financial institutions of any size, as high profile cases have illustrated. Indeed, last December Kern hired a company called Ingrian to secure its members’ data:

“As we looked at the NCUA legislation and the ongoing incidence of security breaches taking place, we decided that it made sense to augment our existing security capabilities by implementing encryption inside our enterprise,” explained David DuBose, vice president, information technology, Kern Schools Federal Credit Union. “After evaluating the alternatives available, we became convinced that Ingrian’s approach—providing a centralized appliance that intelligently manages encryption, keys, and policies—gave us the most secure and most cost-effective way to protect sensitive data.”

i think perhaps it’s time for banks to look proactively at how many of its customers are getting targeted and see whether there is a correlation with missing data (the Privacy Rights Clearing House counts nearly 10 million people — Americans, I assume — whose data has been stolen or otherwise compromised this year.) If there is any correlation between phishing attacks and stolen data, then perhaps banks and other institutions need to be more proactive in warning customers, rather than just posting tardy warnings or warning ‘brochures’ that are in a format (PDF) many customers won’t know how to open and way too big (3+MB) for anyone not on broadband to download.

A New Kind Of Klip

An alternative to RSS? Or an advance? Or can the two sit together?

Canada’s Serence will today announce a new version of KlipFolio, which describes itself as a a ‘uniquely powerful and globally-adopted information awareness and notification platform’ but could probably be better termed a variation of RSS that uses a proprietary software and a slightly more modular approach than most RSS fans are used to.

This new version of KlipFolio, 2.5, has advanced statistics for content providers, encryption for Klip data and some enhancements to the Klip software for end users, including audio alerts, scroll-bars and configurable fonts.

There are some advantages to some in using Klips over RSS or Atom feeds, and this seems to be the direction that Serence is taking: Corporate data, or any other material where the provider wants to ensure it doesn’t get into the wrong hands, and where the provider wants plenty of data back on who’s reading what, when and how much.

The small modular approach also lends itself to small chunks of deliverable data rather than the big grab-bag of news that RSS readers have become. This is something I’ve mentioned before.

Wiretapping Your Way Into Credit Card Fraud

If you think the Internet is a scary place for stealing your sensitive bank data, try your local gas station.

The Star Tribune in Malaysia reports that criminals there are increasingly intercepting the transmission of credit card data between the point of sale machines that swipe your card and the bank. This data, incredibly, is being sent in unencrypted text form so all a criminal has to do is ‘wiretap’ the phone line and capture the data — usually onto an MP3 player.  All they need to do is find the phone line, either in the outlet’s Main Distribution Frame room, or that of the bank itself and record the gurgling modem sound. A special decoder can then convert that noise into data. Your data.

The banks are finally getting onto this. Malaysia’s central bank has ordered all credit cards in the country to be EMV(Europay/MasterCard/Visa)-compliant by end-2005 (this means smart, and supposedly fraud-proof). But for now, The Star Tribune says, the banking industry is trying to encrypt data. Unfortunately, so far nothing has been agreed on.

At the risk of sounding appalled, I’m appalled. How can such data be transmitted without a modicum of encryption? This means that when we’re typing our credit card number into a web page it’s actually more secure than if we give it to the guy at the gas station or restaurant?

I was never that happy anyway doing the latter, given the prevalence of skimming — where a crooked employee would either double-swipe your card, or swipe it into a separate device that stored your details — but now, it seems, the data is up for grabs even when it’s being transmitted to your bank for verification. Yikes.

News: From Kazaa To Skype

 From Estonia comes news that the guys behind file-swapping legend Kazaa are launching an Internet phone service they claim could put traditional phone companies out of business. AP says the service, called Skype, purports to offer free, unlimited phone service between users with sound quality near to existing phone lines.
Skype users — and there are already more than half a million of them — can currently use the program only to talk to each other, but it could later be enhanced so someone could call other types of programs, or even regular landline and cell phones. The program directs peer-to-peer data through the quickest networks, ensuring that quality isn’t degraded. Privacy is ensured through encryption.