CIA employee identities discoverable via web searches

The Chicago Tribune has reported that it was able to identify 2,653 employees of the CIA, including covert agents, from online data providers who charge for access to public records. The Tribune reports that it identified agents through telephone listings, real estate transactions, voting records, property tax records, and other documents, and that they were able to identify internal CIA phone numbers, covert mailing addresses, and two dozen CIA facilities. One facility, “The Farm” at Camp Peary, VA, was looked up via ordinary Internet searches, which yielded the names of 26 people who work there. (John Young’s cryptome site features this May 31, 2005 New York Times story on Camp Peary.) ...

March 13, 2006 · 1 min

ATM PIN security breach--Citibank, Bank of America, etc.

Back on March 4, the story broke from an American traveling in Canada that something had gone wrong at Citibank, causing it to shut off access from the ATM networks of Canada, Russia, and the UK. Bruce Schneier picked it up on March 6, and now it’s hit the mainstream media with more details, with some attributing the problem to OfficeMax. The symptoms from a bank customer’s perspective are debit cards being replaced by the banks (which Citibank, Bank of America, and Washington Mutual have been doing since at least last month) and an inability to make withdrawals with current cards from ATMs in Canada, Russia, or the UK. At least some of the banks have now admitted to ATM fraud occurring, with Citibank admitting to “several hundred transactions” in three countries, while some western Massachusetts institutions have seen fraud in Spain, Pakistan, and Romania. The attribution to OfficeMax comes from investigations in Massachusetts. Tech Web News’ report is the most detailed to date:

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.” Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K. ...

March 10, 2006 · 2 min

AT&T's 1.9-trillion-call database

John Markoff has a story in the New York Times about AT&T’s “Daytona” database, which has a record of 1.9 trillion calls from the last several decades. The Electronic Frontier Foundation, which has filed a lawsuit against AT&T for cooperating with the NSA’s warrantless interception program, asserts that this database has been used by the NSA for data mining. “Checking every phone call ever made is an example of old think,” he said. ...

March 4, 2006 · 2 min

Illicit wiretapping of Greek politicians was done through legitimate code

Bruce Schneier reports on the technical details of how about 100 Greek politicians and offices, including the U.S. Embassy in Athens and the Greek prime minister, were illicitly tapped. What was originally referred to as “malicious code” turned out to be eavesdropping code in Vodafone’s mobile phone software that was present for law enforcement interception. The same kind of code is present in U.S. phone switches as required by CALEA. As Schneier points out, “when you build surveillance mechanisms into communication systems, you invite the bad guys to use those mechanisms for their own purposes.”

March 1, 2006 · 1 min

Malkin on the ports and CFIUS

Michelle Malkin argues that the CFIUS process is a “rubber stamp” and complains about the fact that financing for the Dubai Ports World acquisition of P&O was underwritten by Barclay’s and Dubai Islamic Bank, which were “both cited as probable conduits for bin Laden money." This latter point, at least with regard to Barclay’s, is about as meaningful as claiming that Verizon Wireless is linked to terrorism because a terrorist used a Verizon Wireless phone, and arguing on that basis that Verizon should not be allowed to conduct business in the United States. Barclay’s is a global banking and investment company headquartered in London’s Docklands, operating the fourth largest bank in the UK. On the former point, the CFIUS investigation I am most familiar with involved a fairly extensive review, the rejection of one potential acquirer (the application was withdrawn and resubmitted without that acquirer, so doesn’t count as a CFIUS rejection), and the implementation of significant and ongoing security restrictions and review prior to approval. It wasn’t a rubber stamp, though it did seem clear that most of the government agencies involved were pretty clueless about the technical details (with the exception of the representatives from the NSA and some from the DOD, who were very sharp), and the government ended up outsourcing most of the ongoing oversight of the deal to a D.C.-area private contractor after the acquisition was completed.

February 24, 2006 · 2 min

CISSP and CISM code of ethics and "Dr." Bill Hancock

The International Information Systems Security Certification Consortium (“(ISC)2”)’s CISSP (Certified Information Systems Security Professional) certification is the best known information security certification. According to “(ISC)2”’s website, all CISSPs “are required to commit to fully support” the “(ISC)2” Code of Ethics. This code of ethics includes four mandatory canons:

Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

The second of these canons is spelled out in more detail with a set of bullet points, the first of which is:

Tell the truth; make all stakeholders aware of your actions on a timely basis.

Clearly, honesty is a key requirement of this code of ethics.

An up-and-coming certificate for information security managers is the Certified Information Security Manager (CISM) certification from the Information Systems Audit and Compliance Association (ISACA). ISACA also has a Code of Professional Ethics, which states that all ISACA certificate holders will comply with seven statements, the third of which is:

3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

Again, honesty is clearly a key requirement.

I recently learned that these requirements are not met by a prominent information security professional who frequently speaks at high-profile security conferences, has held the Chief Security Officer position at Exodus, Cable & Wireless, and Savvis, has been Chairman of the Internet Security Alliance, and is Chairman of the FCC’s NRIC Homeland Security focus group on cyber security. “Dr.” Bill Hancock has degrees from a diploma mill, has repeatedly told false stories about being a Vietnam war veteran, a Navy SEAL, and a prisoner of war, and has lied about his martial arts expertise.

February 23, 2006 · 2 min

Controversial hacker publishes cover story in Skeptical Inquirer

The latest issue of the Skeptical Inquirer (March/April 2006) features an article titled “Hoaxers, Hackers, and Policymakers: How Junk Science Persuaded the FBI to Divert Terrorism Funding to Fight Hackers” by Carolyn Meinel. The descriptive text on the first page (between the article title, subtitle, and author’s name) says “Hoaxers warned of an imminent and deadly electronic Pearl Harbor. Consequently, the FBI diverted resources and attention away from terrorism and toward fighting hackers. This may have contributed to the September 11, 2001, attacks. Use of critical inquiry and the scientific method could have avoided this misdirection.” While most of the article appears to me to be accurate and its conclusion about treating claims from self-proclaimed computer security experts with scrutiny is sound, the article itself contains unsubstantiated arguments (in particular the arguments of the title and subheading) and comes from a self-proclaimed hacking expert of questionable credibility.

Meinel’s article is in three sections–an introductory section about the title, a section about specific claims made by two hackers, and a section on “critical analysis of e-terrorism.” I find little to criticize in the latter two sections, except for its implication that Peter Neumann’s testimony before Congress was unfounded (Neumann is a highly respected expert on computer risks, the editor of the RISKS Digest, and author of the book Computer-Related Risks, 1995, The ACM Press).

Meinel begins by describing Fred J. Villella bringing hackers “Dr. Mudge” (Pieter Zatko, though Meinel never mentions his name) and “Se7en” (“Christian Valor”, who was indeed exposed as a chronic fabricator as Meinel claims in the second part of her article) to meetings of federal policymakers where they warned of “a looming electronic Pearl Harbor.” The most notable such meeting was testimony before the Senate Governmental Affairs Committee on May 19, 1998, where the above-mentioned Neumann testimony took place, and where Mudge testified that he could make the Internet unusable with less than thirty minutes of effort. Meinel argues that this testimony “may have contributed to an entrapment scheme” by the FBI against hacker “Chameleon” (Marc Maiffret, now “Chief Hacking Officer” of eEye Digital Security) as a way to show that “hackers were actually collaborating with enemies of the U.S.” But she provides no evidence of a connection between the testimony and the action.

She falsely states that “books (Penenberg 2000; Mitnick 2005) hyped the raid [on Maiffret] to say that hackers were in league with al Qaeda.” Neither of these two books says that. Adam Penenberg, in his book Spooked: Espionage in Corporate America (with Marc Barry, 2001, Perseus Books), writes that “Hackers are always on red alert for the FBI. In fact, when Maiffret was contacted over the Internet by the alleged terrorist Khalid Ibrahim, a member of Harkat-ul-Ansar, a militant Indian separatist group on the State Department’s list of the thirty most dangerous terrorist organizations in the world, he assumed Ibrahim worked for the feds.” Kevin Mitnick, in his book The Art of Intrusion (2005, Wiley, pp. 32-34), raises the possibility that Khalid Ibrahim was part of an FBI operation, but questions it on the ground that only Maiffret received any money from him. On the other hand, he points out that Maiffret told Wired News “he had not provided any government network maps” and wonders why, despite his confession to accepting money from a terrorist-connected individual (Mitnick writes “foreign terrorist”), no charges were ever filed. Then, he writes “Perhaps the check wasn’t from Khalid after all, but from the FBI.” (As an aside, Mitnick’s book states that few know the true identity of “Chameleon,” but Penenberg’s book had already published his identity in 2000.) Perhaps Maiffret avoided prosecution by agreeing to work with the FBI, as other hackers have done (such as Justin Tanner Petersen, “Agent Steal,” whose story is partly told in Jonathan Littman’s The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen, 1997, Little, Brown).

The specific argument of the title and subheading–that the testimony of these hackers led to a diversion of funding that may have contributed to the success of the 9/11 terrorist attacks–is stated in a single paragraph in the second column of the first page of the article (p. 32). In that paragraph, Meinel states that cyberspace czar Richard Clarke’s formation of the National Infrastructure Protection Center (NIPC) diverted funding increases “earmarked against terrorism to hire FBI agents for the hacker beat.” This diversion of funds led to only $4.9 million spent by NIPC on counterterrorism, and it therefore lacked the resources to follow up on Phoenix FBI agent Ken Williams’ warning about al Qaeda members training at U.S. flight schools. This argument assumes that NIPC, rather than the FBI’s counterterrorism unit, is the organization which should have followed up on Williams’ memo.

It also overlooks the role of the FBI’s incredibly antiquated computer systems, which technophobe FBI Director Louis Freeh had refused to take steps to upgrade (with Congress withholding $60 million in funding for FBI’s IT infrastructure between 1998 and 2000 because of its failure to produce a credible upgrade plan). Not until July 2000, when Freeh appointed Bob Dies to begin work on an overhaul, did Freeh address the issue. The result was that the FBI had 42 separate database systems that could not be searched simultaneously and many agents had computers that did not work or could not display images or connect to the Internet. Many agents used home computers in order to receive email photo images of suspects from local police departments. (See the “Missing Documents” chapter of Ronald Kessler’s The Bureau: The Secret History of the FBI, 2002, St. Martin’s Press. Similar observations are made in the “9/11” chapter of James Bovard’s The Bush Betrayal, 2004, Palgrave Macmillan. Bovard cites (p. 27) a Los Angeles Times story that reports the FBI diverting $60 million in funds earmarked for IT upgrades in the year 2000 to be used for staffing and international offices. The fact that the dollar figure is the same in Bovard and Kessler may indicate that Bovard is misdescribing the same $60 million Kessler mentions.) By contrast, NIPC’s entire budget (PDF) was under $20 million per year through 2000, and Bush requested a budget of $20.4 million for NIPC in 2001. (This is not to say that NIPC was effectively using what funds it had–it wasn’t. But Meinel’s complaint that only $4.9 million of NIPC’s budget was spent on counterterrorism should be put in context–that was a quarter or more of its annual budget.)

These IT failings and the other failures reported in the 9/11 Commission Report and elsewhere strike me as more plausible reasons for the U.S. government’s failure to avert the 9/11 attacks than trying to pin it on the hackers who testified before Congress in 1998 about the dangers of cyber attacks. Ironically, in October 2001 an article arguing that the Code Red worm demonstrates that there really are significant risks of Internet-based attacks on U.S. infrastructure (“They would be far worse than not being able to make bids on eBay–potentially affecting product manufacturing and deliveries, bank transactions, telephony and more. Should it occur five years from now, the results could be a lot more severe.”) appeared in Scientific American. The author of this article, “Code Red for the Web,” was Carolyn Meinel.

It’s more surprising to me that Skeptical Inquirer published an article by Carolyn Meinel at all. Meinel’s author description printed in SI states: ...

February 20, 2006 · 12 min

The Security Catalyst podcast

I recommend Michael Santarcangelo’s “Security Catalyst” podcasts, which can be subscribed to at no charge via iTunes or Yahoo Podcasts. He’s got additional information and links related to the shows at the Security Catalyst website. Michael, who I met a few years back through a consulting engagement that was a “death-march project,” is a sharp, witty, and well-spoken advocate of and educator for good computer security.

February 18, 2006 · 1 min

Database error causes unbalanced budget

Bruce Schneier reports on how a house in Valparaiso, Indiana was incorrectly valued at $400 million due to a single-keystroke error by an “outside user” of Porter County’s appraisal records. This incorrect valuation led to an expectation of $8 million in property taxes due from that homeowner, which led to an erroneous increase of budgets and even the distribution of funds. Now the Porter County Treasurer has had to ask 18 governmental units to return funds–the city of Valparaiso and Valparaiso Community School Corp. have been asked to return $2.7 million, which will leave the school system with a $200,000 budget shortfall. The number of errors here is huge–first of all, an external user shouldn’t have access to change budget data at all, let alone by a typo which caused the user to invoke “an assessment program written in 1995” which “is no longer in use, and technology officials did not know it could be accessed.” Second, there should have been checks on the data to identify anomalies like a house suddenly jumping in value to $400 million. Third, there should have been checks on the accuracy of budget numbers before the disbursement of funds. And I’m sure I’m only scratching the surface–it sounds like they’ve got some serious IT infrastructure issues.
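The three controls the post says were missing (limiting who can write assessment records, flagging implausible valuations, and reconciling the projected levy before any money goes out) as an added Python illustration. This is not code from Porter County, from Schneier, or from the post; the roles, the thresholds, the 2% tax rate, and the sample parcel records are all constructed assumptions chosen so that the post’s $400 million / $8 million figures fall out of the arithmetic.

```python
"""Sanity checks an appraisal/levy pipeline could apply (added illustration).

Roles, thresholds, tax rate and parcel values below are constructed
assumptions, not Porter County's real data or software.
"""
from dataclasses import dataclass, field

TAX_RATE = 0.02                      # assumption: 2% effective rate, so
                                     # $400,000,000 -> $8,000,000 in tax
PRIOR_ASSESSMENT = 121_900           # constructed prior value for the parcel
MISTYPED_ASSESSMENT = 400_000_000    # the $400 million figure from the post

# Check 1: only designated internal roles may write assessment records.
WRITE_ROLES = {"county_assessor", "assessment_admin"}


class WriteDenied(PermissionError):
    """Raised when a caller without an assessor role tries to write."""


def apply_assessment_update(role: str, records: dict, parcel: str, value: int) -> None:
    """Write a new assessed value only if the caller's role permits it.

    An "outside user" never reaches the write path, regardless of what
    legacy program their keystrokes happened to invoke.
    """
    if role not in WRITE_ROLES:
        raise WriteDenied(f"role {role!r} may not modify assessments")
    records[parcel] = value


# Check 2: flag anomalous values before they propagate into the levy.
def assessment_anomalies(prior: int, new: int, max_ratio: float = 5.0,
                         hard_cap: int = 100_000_000) -> list[str]:
    """Return human-readable reasons a new assessment looks wrong (empty if fine).

    Two independent tests: an absolute cap on any single parcel, and a
    bound on the change relative to the prior assessment. Thresholds are
    constructed; a real jurisdiction would tune them to its own data.
    """
    reasons = []
    if new <= 0:
        reasons.append("non-positive value")
    if new > hard_cap:
        reasons.append(f"exceeds hard cap {hard_cap:,}")
    if prior > 0 and new > 0 and (new / prior > max_ratio or prior / new > max_ratio):
        reasons.append(f"changed by more than {max_ratio}x from prior {prior:,}")
    return reasons


# Check 3: reconcile the projected levy before funds are distributed.
@dataclass
class LevyReport:
    total_tax: float                      # tax expected from unflagged parcels
    flagged: dict = field(default_factory=dict)  # parcel -> reasons held back


def project_levy(assessments: dict, priors: dict, rate: float = TAX_RATE) -> LevyReport:
    """Sum expected tax, holding back every parcel that fails the anomaly check.

    The budget process then only sees revenue from parcels that passed,
    so a single mistyped record cannot inflate the amounts handed out.
    """
    report = LevyReport(total_tax=0.0)
    for parcel, value in assessments.items():
        reasons = assessment_anomalies(priors.get(parcel, 0), value)
        if reasons:
            report.flagged[parcel] = reasons
            continue
        report.total_tax += value * rate
    return report


if __name__ == "__main__":
    # Constructed two-parcel county: one sane update, one mistyped value.
    records = {}
    apply_assessment_update("county_assessor", records, "parcel-001", 130_000)
    apply_assessment_update("county_assessor", records, "parcel-002", MISTYPED_ASSESSMENT)
    priors = {"parcel-001": PRIOR_ASSESSMENT, "parcel-002": PRIOR_ASSESSMENT}
    report = project_levy(records, priors)
    print(f"projected levy: ${report.total_tax:,.2f}")
    for parcel, reasons in report.flagged.items():
        print(f"held back {parcel}: {'; '.join(reasons)}")
    try:
        apply_assessment_update("outside_user", records, "parcel-001", 1)
    except WriteDenied as exc:
        print(f"write denied: {exc}")
```

The point of the three layers is that each one would have stopped the incident on its own: the role check keeps the outside user off the write path, the anomaly check holds the $400 million record back from the levy, and the reconciliation step means the budget only ever sees revenue from records that passed. None of them is clever; all of them were absent.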

February 17, 2006 · 1 min

The Secret FISA Court

Via Steve’s No Direction Home Page: Apparently presidential wiretapping is frowned upon–when it’s done by Clinton. Some of the reader comments are hilarious, viz.:

“Any chance of Bush rolling some of this back?”

“As quietly as possible (although it sometimes breaks out into the open, usually with the sound of gunfire and the death of innocents), a “shadow government” has been set up all around us my friend. Its foundation is not the constitution, but Executive Orders, Presidential Proclamations, Secret Acts, and Emergency Powers.”

“This is wherein the danger lies in the precedent set by the Clinton criminal administration. God only knows who will be in power next, but there are no checks and balances anymore. This is exactly the SORT of thing I’ve been protesting all along. Libs just don’t see this!” ...

February 14, 2006 · 1 min