Tag Archives: Ethics

Former Soviet Bloc, Allies, Under Lurid Attack

Trend Micro researchers David Sancho and Nart Villeneuve have written up an interesting attack they’ve dubbed LURID on diplomatic missions, government ministries, space-related government agencies and other companies and research institutions in the former Soviet bloc and its allies. (Only China was not a Soviet bloc member or ally in the list, and it was the least affected by the attack.)

Although they don’t say, or speculate about, who the attacker is, it’s not hard to conclude who might be particularly interested in what the attacks are able to dig up:

Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.

Russia had 1,063 IP addresses hit in the attacks; Kazakhstan, 325; Ukraine, 102; Vietnam, 93; Uzbekistan, 88; Belarus, 67; India, 66; Kyrgyzstan, 49; Mongolia, 42; and China, 39.

The campaign has been going for at least a year, and has infected some 1,465 computers in 61 countries with more than 300 targeted attacks.

Dark Reading quotes Jamz Yaneza, a research director at Trend Micro, as saying it’s probably a case of industrial espionage. But who by? “This seems to be a notable attack in that respect: It doesn’t target Western countries or states. It seems to be the reverse this time,” Yaneza says.

Other tidbits from the Dark Reading report: definitely not out of Russia, according to Yaneza. David Perry, global director of education at Trend Micro, says it could be out of China or the U.S., but there is no evidence of either. So it could be either hacktivists or industrial espionage. Yaneza says attackers stole Word files and spreadsheets, not financial information. “A lot of the targets seemed to be government-based,” he says.

My tuppennies’ worth? Seems unlikely to be hacktivists, at least the type we think of. This was a concerted campaign, specifically aimed to get certain documents. Much more likely to be either industrial espionage or pure espionage. Which means we might have reached the stage where groups of hackers are conducting these attacks because a market exists for the product retrieved. Or had we already gotten there, and just not known it?

Either way, Russia and its former allies are now in the crosshairs.

More reading:

Massive malware attacks uncovered in former USSR | thinq_

Cyberspy attacks targeting Russians traced back to UK and US • The Register

Malware Inside the Credit Card Machine

(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the five largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof. Certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection. One caveat worth keeping in mind: PCI DSS validation is a point-in-time assessment of controls, so a certificate issued in April says nothing about the state of the network on the day the malware was planted, or on any day since.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Cardholder data moving across a processor’s internal network does not need to be encrypted under PCI DSS (the standard mandates encryption only for transmission over open, public networks, and requires stored card numbers to be rendered unreadable)—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.
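The check a processor, or any merchant, can run to find out whether card data is crossing its network in the clear is essentially what the Heartland malware did for the attackers: pull digit runs out of captured traffic and keep only the ones that pass the Luhn check, which every real card number does. Below is an added example written for this page, not code from Heartland, Krebs or the PCI Council. The record layout, field names and the capture itself are constructed for the example, and the card numbers are the brands’ publicly documented test numbers, not real cards.

```python
import re

# Constructed sample of what cleartext authorization traffic between
# merchant terminals and a processor's switch might look like. The record
# layout is invented for this example; the PANs are public brand test
# numbers. The 16-digit ORDER value is a deliberate false positive.
SAMPLE_CAPTURE = (
    b"0200|PAN=4111111111111111|EXP=1012|NAME=J DOE|AMT=004599\n"
    b"0200|PAN=5500 0000 0000 0004|EXP=0311|NAME=A SMITH|AMT=001250\n"
    b"0200|ORDER=1234567890123456|PAN=378282246310005|EXP=0909|AMT=010000\n"
    b"0210|RESP=00|AUTH=123456|STAN=000042\n"
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# preceded or followed by another digit. Runs of 20+ digits are left
# unmatched on purpose: they are far more likely to be identifiers.
CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(digits: str) -> str:
    """Coarse issuer lookup from the leading digits (simplified IIN ranges)."""
    if digits[0] == "4":
        return "Visa"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    if "51" <= digits[:2] <= "55":
        return "Mastercard"
    return "Unknown"


def mask(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(buf: bytes) -> list:
    """Return Luhn-valid card numbers found in cleartext, masked, with location."""
    findings = []
    for m in CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if not luhn_valid(digits):
            continue            # e.g. the ORDER number above fails Luhn
        findings.append({
            "line": buf.count(b"\n", 0, m.start()) + 1,
            "offset": m.start(),
            "brand": brand(digits),
            "masked": mask(digits),
        })
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_CAPTURE):
        print(f"line {f['line']} offset {f['offset']}: {f['brand']} {f['masked']}")
```

Run against a real capture or memory dump the same scanner will produce noise from phone numbers and long identifiers; the Luhn filter removes most of it, and anything that survives with a recognisable issuer prefix deserves a look at which process or link put it there in the clear.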

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Social Engineering, Part XIV

Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to be. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s ministry of education, for example, has published the names, addresses, ages, dates of birth, schools and education numbers of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam, it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

The Predictable Human (and a Privacy Issue)

A study of mobile phone data shows that we are extraordinarily consistent about our movements. Mobile phone data, unsurprisingly, provides rich pickings for researchers since we carry one around with us all the time, and, unlike dollar bills, it’s more likely to stick with one person. But some have questioned the ethics of such a study.

The BBC reports that the study, by Albert-László Barabási and two others, shows we are much more predictable in our movements than we might think:

The whereabouts of more than 100,000 mobile phone users have been tracked in an attempt to build a comprehensive picture of human movements.

The study concludes that humans are creatures of habit, mostly visiting the same few spots time and time again.

Most people also move less than 10km on a regular basis, according to the study published in the journal Nature.

This is fascinating stuff, and perhaps not unexpected. But appended to the Nature news article on the study are two signed comments by readers alleging that the authors of the study didn’t follow correct ethical procedure. Someone calling themselves John McHaffie says

What is particularly disturbing about this study is something that the Nature news article failed to reveal: that Barabasi himself said he did not check with any ethics panel. And this for an action that is, in fact, illegal in the United States. Disgusting lack of ethics, I’d say. And the statement from his co-author Hidalgo isn’t much better: “We’re not trying to do evil things. We’re trying to make the world a little better”. The old “trust me, I know better” argument. Maybe these two should take a basic graduate-level ethics course.

I’ve not yet confirmed it, but it’s likely to be John G. McHaffie of the University of Wake Forest. Another commenter, Dan Williams, calls for a federal investigation of the school involved in the study.

I don’t have access to the original Nature article, so I can’t explore this further right now. But the Nature news item itself says that “Barabási and his colleagues teamed up with a mobile-phone company (unidentified to protect customers’ privacy), who provided them with anonymized data on which transmitter towers had handled the calls and texts for 100,000 individuals over the course of 6 months.”

This is clearly gold. The article suggests that others have long sought to get their hands on mobile phone data. It quotes Dirk Brockmann of Northwestern University in Illinois, as saying that he had not been able to expand a study he did using dollar bills because of privacy issues:

Strict data-protection laws prevented Brockmann from carrying out his own version of the mobile-phone study in Germany, where he was based until recently. Mobile-phone data have the potential to reveal information about where individuals live and work. “I’ve been trying to get my hands on mobile-phone data but it isn’t possible,” he says.

Privacy issues aside, the study is fascinating, and could be useful in monitoring disease outbreaks or traffic forecasting. (I wrote about one using Bluetooth a couple of days ago.) And how about riots? Unrest? Shoppers?
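To make concrete why “anonymised” tower data still reveals where people live and work, the point the Nature item and Brockmann both raise, here is an added example that is not part of the original post or of the study. It generates constructed pseudonymised records of the kind described (an opaque pseudonym, a timestamp and the tower that handled the event) for a few hypothetical subscribers, then infers each one’s home tower from night-time events and work tower from weekday office-hour events, and measures how concentrated their movements are: the share of events at their two most-visited towers, and the radius of gyration in kilometres. The tower coordinates, pseudonyms and daily schedules are all made up, and the hour cut-offs for “night” and “office hours” are assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical tower catalogue: tower id -> (lat, lon). The coordinates are
# invented for this example and sit within a few kilometres of each other.
TOWERS = {
    "T1": (1.300, 103.800),
    "T2": (1.320, 103.850),
    "T3": (1.350, 103.880),
    "T4": (1.280, 103.830),
    "T5": (1.310, 103.870),
}

# Hypothetical subscribers keyed by an opaque pseudonym: (home, work) tower.
# The pseudonym is all the "anonymised" records carry about identity.
PROFILES = {"a1f3": ("T1", "T2"), "9c0e": ("T3", "T4"), "d7b2": ("T4", "T1")}


def is_night(hour: int) -> bool:            # assumed cut-off: 22:00 to 07:00
    return hour >= 22 or hour < 7


def is_office_hours(hour: int, weekday: int) -> bool:   # assumed: Mon-Fri 09-18
    return 9 <= hour < 18 and weekday < 5


def make_records(days: int = 14, seed: int = 7) -> list:
    """Constructed pseudonymised records (pseudonym, timestamp, tower).

    Each subscriber generates events at twelve fixed hours a day: at night
    from the home tower, in weekday office hours from the work tower, and
    otherwise from a tower chosen at random (shopping, transit, weekends).
    """
    rng = random.Random(seed)
    start = datetime(2008, 3, 3)            # a Monday
    records = []
    for pseud, (home, work) in PROFILES.items():
        for day in range(days):
            date = start + timedelta(days=day)
            for hour in (0, 3, 6, 8, 10, 12, 14, 16, 18, 20, 22, 23):
                if is_night(hour):
                    tower = home
                elif is_office_hours(hour, date.weekday()):
                    tower = work
                else:
                    tower = rng.choice(list(TOWERS))
                records.append((pseud, date.replace(hour=hour), tower))
    return records


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def radius_of_gyration_km(points) -> float:
    """RMS distance from the centre of mass. The mean lat/lon is an adequate
    centre for points only a few kilometres apart."""
    centre = (sum(p[0] for p in points) / len(points),
              sum(p[1] for p in points) / len(points))
    return math.sqrt(sum(haversine_km(p, centre) ** 2 for p in points) / len(points))


def profile(records) -> dict:
    """Infer home and work towers and habit metrics for each pseudonym."""
    by_user = defaultdict(list)
    for pseud, ts, tower in records:
        by_user[pseud].append((ts, tower))
    out = {}
    for pseud, events in by_user.items():
        night = Counter(t for ts, t in events if is_night(ts.hour))
        office = Counter(t for ts, t in events
                         if is_office_hours(ts.hour, ts.weekday()))
        overall = Counter(t for _, t in events)
        top2 = sum(n for _, n in overall.most_common(2))
        out[pseud] = {
            "home": night.most_common(1)[0][0] if night else None,
            "work": office.most_common(1)[0][0] if office else None,
            "top2_share": top2 / len(events),
            "radius_km": radius_of_gyration_km([TOWERS[t] for _, t in events]),
        }
    return out


if __name__ == "__main__":
    for pseud, p in profile(make_records()).items():
        print(pseud, p)
```

Nothing here needs a name or a phone number: once a home tower and a work tower are attached to a pseudonym, a reverse lookup against any address list is all that stands between the “anonymised” row and a person, which is the gap the privacy comments on the study are pointing at.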

BBC NEWS | Science/Nature | Mobile phones expose human habits

The Puppy Love Scam

The scam emails offer a Yorkshire Terrier dog for adoption

A few weeks back I wrote about love scams (“You Give Love a Bad Name,” WSJ.com) — how scammers are trawling online dating sites looking for suckers. What interested me about the scam is that in some cases the scammers play a very patient game — luring the mark in over a period of months before any sting is attempted. 

Sophos, the antivirus people, say they have found a new twist on the same scam, where scammers are apparently luring folk by offering a puppy up for adoption:

The emails, which come from a husband and wife who claim to be on a Christian Mission in Africa, say that their Yorkshire Terrier dog is not coping well in the hot weather.

Says Graham Cluley, senior technology consultant for Sophos:

“The criminals are offering the pet puppy in an attempt to gather information from kind-hearted people who jump in to help. If you respond the scammers will try and steal confidential information about you, or sting you for cash. If you fall for a trick like this you’ll be the one ending up in the doghouse.”

Actually this is not quite new and not completely accurate. The LA Times wrote back in May about how the scam works:

People who responded to the ads eventually were asked to send hundreds of dollars to cover expenses such as shipping, customs, taxes and inoculations on an ever-escalating scale.

Some reported paying fees totaling more than $1,500.

A piece in the Pittsburgh Post-Gazette last week said the scam had been going across America for a year and points out that a Google search for “Nigerian Puppy Scam” turns up more than 200,000 “hits.” (I must confess I found only 16,000.) Bulldogs and Yorkshire Terriers are favorites. The paper was apparently alerted to the scam when ads were found to be running in its own classified pages. A month earlier the Toronto Star reported that a local woman had parted with $500 for an 11-week-old terrier, after responding to an ad on a free local classified site and complying with requests for three payments to ship the dog from Nigeria. A reporter called up the scammer, who uttered the immortal scammer’s words:

“Are you trying to call me a scam? I’m a family man,” he said. “I am a man of God. I am a missionary.”

For more detail on scams and how to spot them, check out this page on the IPATA website.

Dogs work because we love them, and are suckers for the sob story. What’s interesting here — and why these scams are in some ways more dangerous — is that the scam does not play upon people’s greed at all, but instead upon their charity and sense of decency.

Two conclusions from this:

  • These scams are aimed at throwing a wider, and slightly different, net than the old scams. The victims are going to be people who are moral, not greedy.
  • Chances are the scammers are aiming at making less money from these scams, but perhaps make up for it in volume. Perhaps the days are over when scammers aimed to make five-figure sums.

Puppy offered for adoption by Nigerian email scammers


Movies vs Games. They’re Not the Same

A remark by Will Wright picked up by Jason Kottke captures why movies and computer games are different, and why we should not think one is going to edge out the other. I would add something else: Computer games allow us to experience emotion, while movies allow us to feel those emotions vicariously. We have no control over those emotions on film, since they’re being manipulated by the director of the movie — sometimes crassly, sometimes brilliantly. But we are passengers. With computer games we are in the driving seat.

clipped from www.kottke.org

Notes from Will Wright’s keynote at SXSW 2007. “Movies have these wonderful things called actors, which are like emotional avatars, and you kinda feel what they’re feeling, it’s very effective. Films have a rich emotional palette because they have actors. Games often appeal to the reptilian brain – fear, action – but they have a different emotional palette. There are things you feel in games – like pride, accomplishment, guilt even! – that you’ll never feel in a movie.”

The Privacy Myth

If there’s one myth that endures in this age of online participation, blogs, shared photo albums and Web 2.0, it’s that we’ve overcome our concerns about privacy. It sounds, on the surface, logical: We must have gotten over this weird paranoia, or else why would we share so much online? Why would we bother about privacy issues when there’s no real evidence that people, companies, governments and the NSA are out to get us? This, for example, from Web 2.0 blog TechCrunch guest contributor Steve Poland:

I’m sure there’s data to back me up on this, but today compared to 10 years ago — people are way more comfortable with the Internet and have less privacy concerns. Or at least the younger generations that have grown up with the Internet aren’t as concerned with privacy — and spew what’s on their mind to the entire world via the web.

I can’t speak for the younger generation, having been kicked out of it some years ago. But if we’re talking more generally about folk who have embraced the Net in the past 10 years, I’d have to say I don’t think it’s that we don’t care about privacy. We just don’t understand it. In that sense nothing has changed. I think what is happening is the same as before: People don’t really understand the privacy issues of what they’re doing, because the technology, and its liberating sensuality, are moving faster than we can assimilate them into our culture. This is not new: Technology has always outpaced our intellectual grasp. If you don’t believe me, think radio, TV, cars and cellphones. We were lousy at predicting the impact of any of these technologies on our environment. Lousy.

Usually, it’s because we just don’t stop to think about the privacy implications, or we don’t stop to ask deeper questions about the sacrifices we may be making when we buy something, give information to a stranger, register for something, accept something, invite someone in to our digital lives, install software, sign up for a service, or simply accept an email or click on a link. The speed of communication – click here! register here! — makes all this easier. But I don’t really blame the reader. Often it’s us journalists who are to blame for not digging enough.

Take, for example, a new service called reQall from QTech Inc in India. On the surface, it sounds like a great service: phone in a message to yourself and it will appear in your email inbox transcribed with 100% accuracy. Great if you’re on the road, on the john or at a party and don’t want to start jabbing away or scrawling the note on the back of your spouse’s neck.

Rafe Needleman of Webware initially enthuses about it on his blog. But then he later finds out that

Update: I’m told that ReQall’s speech-to-text engine isn’t wholly automated. “We use a combination of automated speech recognition technology and human transcription,” a company co-founder told me. Which means there may be someone listening to your notes and to-do items. Yikes!

Yikes indeed. Who would record a message knowing that a stranger is going to be transcribing it, and a company storing it on their servers? To be fair to Rafe he’s not the only one not to initially notice this privacy angle. And at least he bothers to write it up. Dean Takahashi didn’t mention it in his (admittedly) brief Mercury News piece, for example. The company’s press release makes no mention of it either, saying only that

reQall is patent-pending software technology that uses a combination of voice interface and speech-recognition technology to record, log and retrieve your tasks, meetings and voice notes.

(The same press release appears on Forbes’ own website, which I always think looks a bit odd, as if there’s no real difference between a story and a press release. But that’s another rant for another day.) That, frankly, would leave me thinking there was no human interaction either.

But then again, there are clues here and if we (by which I mean us hacks) were doing our job we should probably follow them. Any Google search for reqall and privacy throws up an interesting trail. A CNN report on memory quoted Sunil Vemuri talking about reQall but says issues about privacy and keeping such records free from subpoena have yet to be worked out. When a blogger called Nikhil Pahwa quoted CNN on ContentSutra someone from QTech wrote in:

Please note that there is an inaccuracy in the post. QTech is not “currently working on sorting out issues related to privacy laws, and how to prevent these recordings from being subpoenaed.” Can you correct this?

The text was duly crossed out, so now it reads:

According to the report, they’re currently working on sorting out issues related to privacy laws, and how to prevent these recordings from being subpoenaed are still to be worked out.

So we’re none the wiser. Are there issues? Are QTech working on those issues? Or are there issues that other people are working on, not QTech? Their website sheds little light. There’s nothing about human transcription on any of the pages I could find, nor in the site search. Their privacy policy (like all privacy policies) doesn’t really reassure us, but neither does it explicitly scare our pants off. A brief jaunt through it (I’m not a lawyer, although I sometimes wish I was, and I think John Travolta in “A Civil Action” makes a good one) raises these yellow flags:

  • QTech can use your location, contact details etc to “send you information related to your account or other QTech Service offerings and other promotional offerings.” I.e. the company knows where you are, your phone number and home address and could spam you.
  • QTech may “include relevant advertising and related links based on Your location, Your call history and other information related to Your use of the Services.” I.e. The company could send you stuff based on what information you’ve given in your messages, and any other information you carelessly handed over during the course of using the service.
  • QTech can use the content of your audio messages (and your contact information) for, among other things, “providing our products and services to other users, including the display of customized content and advertising, auditing, research and analysis in order to maintain, protect and improve our services … [and] developing new services.” I.e. the company can mine the contents of your messages and other stuff and spam other customers. Somehow this seems more scary than actually spamming you.
  • QTech will hold onto those messages “for as long as it is necessary to perform the Services, carry out marketing activities or comply with applicable legislation.” I.e. don’t think your messages are going to be deleted just because you don’t need them anymore.

Privacy documents are written by lawyers, so they’re about as weaselly as they can be. And QTech’s is no different. But there is some cause for concern here, and we journalists should at least try to explore some of these issues. I looked for any acknowledgement that there’s a human involved in the transcription, and some reassurance that the content of those messages is not going to be mined for advertising purposes, and that it would be possible for customers to insist their messages are deleted. I couldn’t find anything, although to their credit QTech do say they won’t “sell, rent or otherwise share Your Contact Information or Audio Communications with any third parties except in the limited circumstance of when we are compelled to do so by a valid, binding court order or subpoena”. But if QTech are doing their own advertising then does that really make any difference?

I’m seeking comment from QTech on this and will update the post when I hear it. And this isn’t really about QTech; it’s about us — citizens, readers, bloggers, journalists — thinking a little harder about our privacy before we throw it away for a great sounding service. Do you want, for example, your personal memos (“Calling from the pub. God I really need a holiday. I think I’m cracking up”) mined for advertising (“Hi! Can I interest you in Caribbean cruise? I hear you’re cracking up!” “Hi, need psychological counselling? I’m told you do” “Hi! Need Viagra? I hear from that last message you left you probably do”)?

Keep a Blog, Get Fired

Here’s an interesting statistic, in the light of Scoble’s departure from Microsoft (no direct connection, I promise, but it does raise issues about whether corporates really like blogging): 7.1% of companies have fired an employee for violating blog or message board policies.

According to email security company Proofpoint, whose survey you can download from here, decision-makers at large U.S. companies show growing concern over sensitive information leaving the enterprise through electronic channels such as email, blog pages and message boards: “In fact, 55.4% of these large companies (with 20,000 or more employees) have expressed their uneasiness that regulations guarding the firm’s privacy will be violated by members of the “e-communication” community.  In an effort to reduce risk of exposure, 44% of larger companies employ staff to monitor outbound email, and nearly 1 in 5 companies (17.3%) has disciplined an employee for disobeying blog or message board policies.”

Proofpoint’s survey suggests they may be right: “more than a third (34.7%) of companies report their business was affected by the disclosure of sensitive material in the past year. Furthermore, more than 1 in 3 investigated a suspected email leak of confidential or proprietary information and 36.4% investigated a suspected violation of privacy or data protection regulations in the past year.” While a lot of this is email, “companies fear that financial data, healthcare information, or other private materials may be posted in blogs, sent through instant messaging, or transmitted by other means.”

Some other titbits:

  • Nearly 1 in 3 companies (31.6%) has terminated an employee for violating email policies in the past 12 months. More than half (52.4%) of companies have disciplined an employee for violating email policies in the past year.
  • More than 1 in 5 (21.1%) companies were hit by improper exposure or theft of customer information (whatever that means), while 15% were impacted by improper exposure or theft of intellectual property. (I think this means customer information or other sensitive data were stolen.)
  • Companies estimate that more than 1 in 5 outgoing emails (22.8%) contains content that poses a legal, financial or regulatory risk. The most common form of non-compliant content is messages that contain confidential or proprietary business information.
  • Here’s a funky one: 38% of companies with 1,000 or more employees hire staff to read or analyze outbound email. 44% of larger companies (those with more than 20,000 employees) employ staff for this purpose. I bet you didn’t know your company was hiring people to read your outgoing email.
  • Nearly 1 in 5 companies (17.3%) has disciplined an employee for violating blog or message board policies in the last year. 7.1% of companies fired an employee for such infractions. Ouch. 10% of public companies investigated the exposure of material financial information via a blog or message board posting in the past year.

Of course, Proofpoint have a point to prove (thank you) here, but probably this information is sound. There’s definitely a sense out there that blogging is something that needs to be controlled, for better or for worse. Of course, the bigger point is that information is no longer something that can be kept within organisations. Once it became digital, and once employees could move that digital data out of the company easily (remember when company email was not Internet-based, and there was no gateway out of the company email system? I do) then the walls were already tumbling down. The question now for companies is: do we try to ring-fence as much as we can, or do we put more trust and faith in the hands of employees so they don’t feel the urge to vent outside the company gates?