Archive for March, 2005

Giving new meaning to Player Killer

Wednesday, March 30th, 2005

It’s being suggested that this case of a murder over the unauthorized sale of virtual goods might create the need for new laws:

A Shanghai online game player has stabbed to death a competitor who sold his cyber-sword, the China Daily said.

The incident creates a dilemma in China where no law exists for the ownership of virtual weapons.

Qiu Chengwei, 41, stabbed competitor Zhu Caoyuan repeatedly in the chest after he was told Zhu had sold his “dragon sabre”, used in the popular online game Legend of Mir 3, the newspaper said a Shanghai court was told yesterday.

“The armour and swords in games should be deemed as private property as players have to spend money and time for them,” Wang Zongyu, an associate law professor at Beijing’s Renmin University of China, was quoted as saying.

I’m going to beg to differ here. The motive may be new, but the crime is definitely covered by existing statutes unless murder by individuals is suddenly legal in China.

Why is it that we keep hearing calls for new laws for “cybercrime” and “cyberspace” when existing statutes already provide adequate protections? I wish that a tenth of the effort that goes into “new” laws for computer crime was going toward resources to enforce existing laws in cases where the interaction simply happened to take place on-line.

The area where I see a need for truly new laws might come in the area of standardizing criminal codes across jurisdictions. Since Internet-enabled offenses tend to sit in any number of jurisdictions (victim, server, criminal, criminal’s anonymous proxy, etc), it’s often hard to find even one where they will take on the investigation, even when you “venue shop” for someone who will simply return your calls.

Make up your mind!

Wednesday, March 30th, 2005

Chris Walsh originally found and posted this image:

I can tell he’s my kind of security guy because he read the article on Employees being the biggest threat first.

Waterloo? Not exactly

Tuesday, March 29th, 2005

In the current Alarmed column at CSO Magazine, Scott Berinato accuses the Information Security profession of failing to protect Corporate Management from themselves, calling it our “Waterloo” and, “the overwhelming defeat of security.”

Companies not only have failed to secure personal data, they can’t secure personal data. The range of technologies available today is in fact incapable of producing an acceptable level of security. The IT infrastructure that business runs on is so flawed, technically and socially, that nothing, no number of security products, can be slapped on post facto to secure personal data.

I agree with him here. It was an “overwhelming defeat of security.” But if he wants to pick a battle, I am still hopeful that it will turn out to be Security’s Battle of Dunkirk.

The costs of keeping data

Saturday, March 26th, 2005

The academic computer break-ins continue apace, this time at Northwestern University’s Kellogg School of Management right here in Chicago.

Northwestern University said Friday that hackers attacked the computer systems of the Kellogg School of Management, one of the nation’s pre-eminent graduate business schools, and may have gained access to personal information of more than 21,000 students, faculty and alumni.

At Kellogg, there’s no indication that personal data–names, addresses and Social Security numbers–were stolen, but an internal investigation continues, Northwestern spokesman Charles Loebbaka said.

I have to give these attackers credit. If I wanted to get some top-notch identities, Kellogg would definitely be a good place to find them. If I were responsible for a database of Personally Identifiable Information (PII) these days, I’d be thinking long and hard about how much of that data I really needed.

Now, even though Kellogg doesn’t know whether the attackers got the Crown Jewels–SSNs, etc.–or not, they have to take the drubbing in the press as if the attackers got away with everything. Just having PII on servers is becoming increasingly risky. Maybe it’s time to reconsider the risks of keeping the stuff around.

This is one of the nasty facts about data–once people get it, they never seem to get rid of it. It doesn’t take up any space, really–a few hundred megabytes on a 250GB hard drive isn’t worth the effort to find and remove. Traditionally, document retention laws have largely mandated the minimum amount of time that information must be stored. People get in trouble for destroying data–look at Enron. The “cut off their air supply” email from the Microsoft Anti-Trust case is a notable exception and has driven a dramatic change in email (but not other data) retention policies in the past couple of years.

So how are the Risk Assessment variables in play at the moment? First, people’s estimation of the odds of an Incident occurring seems to be going way up. While major incidents like ChoicePoint have been getting lots of press here of late, major PII incidents leading to identity theft (fraud by impersonation) have been a problem for years.

Next, the expected Average Incident Response Cost is rising, starting with California SB1386 (the now-mainstream-famous incident disclosure law). If an Incident requires personal notification, that’s going to get expensive in a hurry. Incident Response costs are already high–servers have to be taken down and rebuilt, hitting the business with downtime. There may be Sarbanes-Oxley issues depending on the system involved (e.g. a payroll server) and the incident’s timing. Tack on some Crisis Communications (several thousand dollars if you want it done right) and the cost of stuffing and sending a few thousand first class letters and pretty soon you’re talking serious amounts of Green Money (as opposed to Cost Center/Monopoly Money).

These costs are already the law if the incident involves Californians. Now, it looks like Federal Legislation is right around the corner, too. I don’t know if customers are voting with their feet yet when they believe that a company is not handling their data responsibly, but I think that it will happen sooner rather than later, adding Reputational Damage to the cost of an incident.

Right now, people should be asking, “Do we have data we don’t need?” If PII can be purged entirely, then the smart move is to do so. If there is no data to lose, then the risk of an incident goes to zero.
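The cost side of that argument can be put into a simple annualised-loss calculation. The Python below is an added illustration, not code from the original post: it uses the classic ALE = ARO × SLE form (annual rate of occurrence times single-loss expectancy), and every probability and cost figure in it is a made-up planning assumption to be replaced with your own estimates; the 21,000 headcount is the only number taken from the post. It goes slightly beyond the text by also showing when a control such as encryption pays for itself.

```python
"""Annualised-loss comparison for holding personal data (added example).

Not from the original post. ALE = ARO * SLE. All cost and rate figures are
constructed planning assumptions, not reported numbers.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PiiStore:
    """One way of handling a store of personal records."""

    name: str
    records: int                 # people whose PII is held (0 == purged)
    annual_breach_rate: float    # ARO: expected breaches per year (assumed)
    notify_per_record: float     # cost of one notification letter (assumed)
    fixed_response_cost: float   # rebuild, forensics, crisis comms (assumed)
    notification_required: bool  # does a breach trigger per-person notice?


def single_loss_expectancy(store: PiiStore) -> float:
    """SLE: cost of one incident. With no records there is no PII incident."""
    if store.records == 0:
        return 0.0
    cost = store.fixed_response_cost
    if store.notification_required:
        # Notification cost scales with headcount, which is what makes a
        # large PII store expensive even when the technical cleanup is cheap.
        cost += store.records * store.notify_per_record
    return cost


def annual_loss_expectancy(store: PiiStore) -> float:
    return store.annual_breach_rate * single_loss_expectancy(store)


def compare(options: list[PiiStore]) -> dict[str, float]:
    """ALE per option, rounded to cents."""
    return {o.name: round(annual_loss_expectancy(o), 2) for o in options}


def control_worth_it(before: PiiStore, after: PiiStore,
                     annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its yearly cost."""
    saved = annual_loss_expectancy(before) - annual_loss_expectancy(after)
    return saved > annual_control_cost


# Constructed scenario: 21,000 records; 10% yearly breach chance; $5 per
# letter; $50,000 fixed response cost. Encrypted data is modelled as not
# triggering notification (SB1386 covers unencrypted personal information).
OPTIONS = [
    PiiStore("keep in clear", 21_000, 0.10, 5.00, 50_000.0, True),
    PiiStore("keep encrypted", 21_000, 0.10, 5.00, 50_000.0, False),
    PiiStore("purge", 0, 0.10, 5.00, 50_000.0, True),
]

if __name__ == "__main__":
    for name, ale in compare(OPTIONS).items():
        print(f"{name:15s} ALE = ${ale:,.2f}")
    print("encrypt at $8k/yr worth it:",
          control_worth_it(OPTIONS[0], OPTIONS[1], 8_000.0))
```

The point the numbers make is the one in the text: purging drives the PII term to zero outright, while encryption only shrinks the notification component and still has to be paid for every year.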

If the data can’t be purged, then it’s probably time to take a fresh look at options for protecting that data. Can the data be converted into a translucent database or otherwise encrypted? Is access to the information being adequately managed? The ChoicePoint Incident was a breakdown of the access management function, not the Network Security function.
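One concrete form of the “translucent database” option is to store a keyed one-way tag of the identifier instead of the identifier itself, so the application can still ask “is this the same person?” while a dump of the table yields no SSNs. The code below is an added example, not anything from Kellogg, ChoicePoint or the original post; the key, table layout and sample records are constructed for illustration. It also shows the caveat a practitioner needs: a nine-digit SSN has only a billion possible values, so an unkeyed hash is recoverable by enumeration, and the key must live outside the database.

```python
"""Translucent storage of a low-entropy identifier (added example).

Stores HMAC-SHA256(key, SSN) rather than the SSN. Equality lookups still
work; the table alone does not reveal SSNs. Key and records are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Iterable, Optional

# Assumed: in a real deployment this lives in a KMS/HSM/vault, never in the
# database that holds the tags. Constructed value for illustration only.
SERVER_KEY = b"example-key-do-not-use-in-production"


def normalize_ssn(ssn: str) -> str:
    """Strip dashes/spaces so '123-45-6789' and '123456789' get the same tag."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return digits


def ssn_tag(ssn: str, key: bytes = SERVER_KEY) -> str:
    """Keyed one-way tag: same SSN -> same tag, so lookups still work."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def unkeyed_digest(ssn: str) -> str:
    """The weak design: plain SHA-256 of the SSN, shown only for contrast."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


class TranslucentRoster:
    """Minimal stand-in for a table keyed by tag; holds no clear-text SSN."""

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def add(self, ssn: str, name: str) -> str:
        tag = ssn_tag(ssn)
        self._rows[tag] = {"name": name}
        return tag

    def find(self, ssn: str) -> Optional[dict]:
        return self._rows.get(ssn_tag(ssn))

    def dump(self) -> list[tuple[str, str]]:
        """What an attacker gets from the table: tags and names only."""
        return [(tag, row["name"]) for tag, row in self._rows.items()]


def brute_force(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker with a table dump but no key: try plain SHA-256 of each guess."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    roster = TranslucentRoster()
    tag = roster.add("123-45-6789", "A. Student")
    print("lookup:", roster.find("123 45 6789"))
    print("table:", roster.dump())
    guesses = (f"{n:09d}" for n in range(123_456_000, 123_457_000))
    print("unkeyed hash recovered:", brute_force(unkeyed_digest("123456789"), guesses))
    guesses = (f"{n:09d}" for n in range(123_456_000, 123_457_000))
    print("keyed tag recovered:", brute_force(tag, guesses))
```

The roster can still answer an equality query and still detect a duplicate enrolment, which is the translucent-database bargain; what it cannot do is hand back a list of SSNs, and a stolen table plus a guessing loop gets nowhere without the key. The brute-force demo deliberately narrows the search to a thousand candidates; with a plain hash the full billion is a matter of minutes on modest hardware, which is exactly why the key matters.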

Finally, if there isn’t an Incident Response Plan specifically addressing a PII Incident, then one needs to be created–and that’s not free either. One of the main reasons that ChoicePoint, a company that most people had never heard of two months ago, has become a household name is how badly they mis-managed their response to this incident. While the Incident Response Plan shouldn’t have to contain reminders like, “Don’t lie to the press, not even once,” it should spell out how specific legislative and crisis communications issues will be handled. Now that PII Incidents have become a Mainstream Media item they need to be dealt with appropriately lest the share price, customer base, or future deals take a pounding.

The costs relating to keeping Personal Data are rising fast. People have traditionally considered the cost of keeping data as limited to disks and servers. Keep that in mind when evaluating whether or not you really need to hold onto that Personal Identifying Information next time.

One for the Good Guys

Saturday, March 26th, 2005

A rare tale of victory in the fight against Theft By Impersonation (aka “Identity Theft”):

This morning, I found out that thousands of dollars of charges had been made on two of my credit cards in the past two days. Now, the identity thieves are sitting in jail. This is how it happened. It involves identity theft, a careless thief, one pissed-off Ovid and lots of luck.

I’ll bet he doesn’t get to keep the Discover Cashback Bonus for the fraudulent charges, tho ;-)

Identity has Value

Thursday, March 24th, 2005

Financial Cryptography pointed me to a Boston Globe article discussing some of what’s being done to combat the problem.

That’s not identity theft, according to computer security expert Bruce Schneier, author of “Secrets and Lies.” It’s just plain theft — “impersonation leading to fraud,” he said. “I think when we call it identity theft, we lose the battle.”

In Schneier’s view, it’s impossible to eliminate impersonation, especially when somebody is stealing money online. On the Net, nobody knows you’re a thug. Any conceivable authentication method can be faked — even biometric data like fingerprint scans.

“I think this whole problem is being solved wrong,” Schneier said. “People are focusing on authenticating the individual, and that’s hopeless.”

As IanG, summarizing Schneier, pointed out recently, “the reason we have Identity Theft is because Identity Has Value.”* I don’t think this is being disputed by anyone at this point. I think that there is a much more fundamental problem at play here.

A hundred years ago, identity was reputation–the concept of a “man being as good as his word.” Today, identity is the aggregate representation of a person’s past, present, and future income, expenditures, liabilities and a qualified opinion on where the person’s cashflow priorities lie. It is usually represented as the Credit Score.

As it is, financial identity cannot be “stolen” like a car or a wallet. Identity can, however, be devalued and damaged. If I commit fraud by impersonating your Identity, you still have your identity, I have merely damaged or devalued it. If the now-badly-devalued Identity could actually be “lost” like a wallet, then in this scenario, a Loss of Identity would be a Good Thing. This implies a mechanism whereby the victim could obtain a new, undamaged Identity unencumbered by the old.

This might sound like bankruptcy to some, but bankruptcy is the opposite of what I’m envisioning. Bankruptcy is (or was, anyway) the credit equivalent of ritual hara-kiri, setting the credit score to the lowest value possible in exchange for the discharge of past mistakes.

While this might not be as good as having the old Identity back (largely dependent on how valuable the old Identity was, of course), it would certainly be better than the current situation, which is that the victim must operate with a damaged identity. At best, they suffer significantly more friction in all future credit transactions. At worst, they suffer discrimination and are denied credit outright despite being the victims.

In the modern world, Financial Identity and Personal Identity are supposed to be separate. Look at the things that cannot be reported or considered as part of one’s Financial Identity under the Fair Credit Reporting Act such as race, gender, or sexual preference. Basically, all the things that comprise Personal Identity. So cut the cord once and for all. Split the two identities so the Financial Identity can finally be treated like what it really is–an aggregate risk summary of an entity.

The ability to determine the value of a new baseline Identity also implies that the value of one’s Identity could easily be compared to the baseline value, meaning that a Cost Per Incident could be computed and the risk of an incident calculated. Once you can do that, then Just Add Actuaries and suddenly, you can insure it.

There is another piece of this puzzle that I’m not going to get into today, and that’s Authentication. A large part of the current fraud-through-impersonation problem is the lack of a strong, effective form of Identity which can work on a national or global scale. Right now, however, the Authentication piece is essentially nonexistent–my webmail account is better secured than my Financial Identity.

* The “Identity Has Value” statement was a quote, but I can’t find the link–if someone can remind me, I’d like to attribute it. Thanks, Ian!

CallerID is not trustworthy. So what else is new?

Thursday, March 24th, 2005

eWeek has gone back to the future this week to make us aware that Caller ID can be spoofed.

For those of you who don’t get out much, this has been a known risk of using CallerID as a means of authentication for years now. Thus, the message that should be taken from this article is that CallerID is not a trustworthy form of authentication.

The Rate Of Occurrence for CallerID Spoofing may be increasing, changing the Annual Loss Expectancy calculation, but the Threat has been around for years, with or without VoIP. You can configure a traditional PBX to send fraudulent CallerID information, too, but I don’t hear an outcry to ban or otherwise restrict the use of CallerID for “traditional” PBXs on voice T-1s.

The solution here is Security Awareness training. The reason this attack works is probably not the CallerID itself, but that people consistently continue to fall for Social Engineering attacks. Teach people that CallerID is not authentication and the problem will go away on its own. (yeah, right!)

A good job of a bad thing

Tuesday, March 22nd, 2005

According to Edward Felten, Apple has released a “fix” to iTunes which breaks Jon Johansen’s (aka DVD Jon) and company’s PyMusique, an iTunes client which leaves off the iTMS Digital “Rights” Management system that Apple uses on iTunes files.

the security mechanisms of iTMS were, and are, well designed. A system that does what iTMS does will necessarily be unable to prevent unauthorized copying of music. That’s just a fact. Apple, to its credit, didn’t overinvest in fancy anti-copying technology that would be defeated anyway. Instead, Apple built a more modest and — here’s the key point — user-friendly system that gave users freedom to make legal use of music and provided speed bumps to steer consumer behavior, but didn’t pretend to stop determined infringers. There was no point in trying to stop determined infringers, because (a) there was nothing Apple could do to stop them from ripping iTMS content, and (b) all of the songs that might be ripped from iTMS were already available on the darknet anyway.

iTMS security is a bit like the lock on your screen door: it’s not very strong, but it doesn’t have to be, because the screen door around it is inherently vulnerable anyway. Putting an expensive lock on your screen door is a waste of money because it doesn’t make you any safer. Similarly with iTMS: spending more on copy protection would have been a waste, because it wouldn’t have reduced infringement.

Rather than owning up to its savvy engineering decision not to overinvest in fruitless copy protection, Apple apparently feels compelled to pretend publicly that iTMS is “secure” in the sense that heroic effort is required to illegally redistribute content bought from iTMS. That’s obviously untrue, but Apple is unwilling to admit that in public.

This is an interesting intersection of things I love (rational, effective risk management) and things I hate (evil technologies like DRM).

Apple is dancing with the devil here. On one hand, they had to throw a carrot to the Content Owners (aka the RIAA, legal scourge of the P2P universe) in order to get any inventory for their store. At the same time, however, I think they knew full well that DRM doesn’t actually prevent unauthorized (by the RIAA) copying of files.

They didn’t want to admit this to the RIAA, who would then pack up their content and go home. But they also had to at least suspect that anyone who believed DRM prevents unauthorized content distribution wouldn’t know the difference between DRM and a laptop box with a rock in it. Cory Doctorow, in his role as EFF representative, has covered this better than I ever will, so go read his explanation if you’ve never done so or haven’t done so recently.

Apple did the Smart Thing and provided an elegant-looking DRM solution which didn’t require a ton of resources to design and implement but still provided the appearance of security. I won’t go so far as to call it Security Theater like the first commenter in Felten’s blog, but I do think that it was designed more as a “reminder” that the correct course of action is to go buy your own copy than any real expectation it would stop a concerted effort to make unburdened/unrestricted copies.

So, applying the Three (Sometimes Four) Question Model…

1) Did they have a problem? Yes (Two problems, actually). First, they needed to provide limitations on the unrestricted copying of the content they wanted to sell or their supplier wouldn’t work with them. Second, they needed to ensure that their customers would encourage each other to each buy their own copy of the songs.

2) Did the solution actually solve the problem? Yes on both. The DRM as implemented prevented casual sharing of files, meaning that their suppliers were willing to license the music for use in iTunes and their average customer could only get their own “official” copy by buying it from the store.

3) Was it cost-effective? I’ll assume the answer here is “Yes” since the solution seems to be generally appropriate to the scope of the problem. Casual or accidental sharing is minimized and the suppliers are placated, but the measures are not so draconian that they become difficult to implement or maintain (witness the rapid response to PyMusique).

4) What was the opportunity cost of doing this? A tiny bit of negative publicity and ill will from the crypto and security community. But since we probably don’t buy enough of their music to constitute a rounding error, I think they were probably willing to accept that risk.

In summary, Apple did a good job of a bad thing. I’m so conflicted.

The NYT falls prey to the PR people

Monday, March 21st, 2005

I’ve got a bad Case of the Mondays today, so when Wendy Seltzer’s Blog had a link to a New York Times story on open wi-fi, what follows was inevitable…

From Wendy:

Without a hint of irony, however:

“Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.”

Yes, even law enforcement needs anonymity sometimes.

Personally, I think that the reason that most of the “sources” are anonymous is because they don’t exist.

The article itself is FUD written by, at best, an ignorant reporter or, more likely, SBC Communications’ Public Relations firm, and published as “news.” I suspect SBC because their spokesman Michael Coe is cited by name saying, “the company had provided about one million Wi-Fi routers to its customers with encryption turned on by default.” So the point of the article is that individuals deploy their wireless insecurely, whereas corporations like SBC are much better at it.

It’s just a happy coincidence that SBC’s Michael Coe also wrote the press release announcing that SBC is rolling out their own wi-fi subscription service right now. I guess that SBC is planning on logging 100% of the connections from their 3,300+ access points? That’s going to be expensive. Of course, if the perpetrator used a stolen credit card to sign up for SBC’s service, then Law Enforcement is in the same boat as if said perpetrator used an unsecured wireless connection, except that this way if they catch the person, they can throw on a credit card fraud charge for good measure.

From the article (which neglects to mention SBC’s Wi-Fi service):

Simson Garfinkel sums up authentication

Thursday, March 17th, 2005

Simson Garfinkel provides a wonderful description of the difficulties with authentication:

Authentication in computer systems is commonly described as being based on “something that you know” (e.g. a password), “something that you have” (a token or smart card), or “something that you are” (a biometric). Authentication systems frequently fail because they are actually based on something that you have forgotten, something that you have lost, or something that you no longer are. Performance-based biometrics (e.g. keystroke dynamics) fail when they are based on something that you could once do well but can no longer do, or something that other people can do consistently, but you simply can’t.

I just had to share.