Posts categorized "Current Affairs"

July 18, 2007

Ninth U.S. Circuit Court of Appeals Rules Warrants Not Needed By Government to Monitor E-Mail Addresses

A drug case that recently went before the Ninth U.S. Circuit Court of Appeals in San Francisco has resulted in a ruling (for the full text of the ruling: click here, PDF document) that is going to have a profound legal impact on anyone using the Internet, including e-mail and web browsing.

In its ruling the court drew an analogy with physical mail: the government can, for example, note the sender's and receiver's mailing addresses on the outside of an envelope and thereby monitor patterns of mail traffic without a search warrant, but it must get one to open the envelope and read the contents.  The court said the government can, in the same way, monitor the e-mail address traffic (to and from) of a person's e-mail account without a search warrant.

I'm a law-abiding citizen and have nothing to hide from the U.S. Government.  If asked, I would gladly share my e-mail with the government.  There is a proverb my grandparents and parents always mentioned that said: "He who has done nothing wrong, has nothing to fear from."  However, I do like to maintain a bit of privacy in my e-mail communications, considering that e-mail is an insecure method for receiving and sending information.  As personal information security risks grow, I'd rather have my personal e-mails encrypted from the prying eyes of potential data thieves.

Regardless of whether the government can read my email without a search warrant, as a consumer and information security professional, I try to do my part to protect my personal email.   That's why I try to use encryption technologies to secure my e-mail communications.   My personal encryption tool is PGP Desktop 9.6.2.    Please forgive me as I'm not here to share a product endorsement.  What I'm trying to share is that anyone can do something to protect the confidentiality of their online communications.  I took action to try and protect my personal email communications.  What have you done today to protect your e-mail communications? 
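The court's envelope analogy carries straight over to encrypted e-mail, and it is worth seeing exactly where the line falls. The example below is added here and is not code from the original post or from any PGP product: it assembles a message in the PGP/MIME layout (a multipart/encrypted container with an application/pgp-encrypted control part and an application/octet-stream ciphertext part), then reports what a mail relay can read without the recipient's key. The ciphertext is a labelled placeholder, since no PGP implementation ships with the Python standard library, and the addresses and subject are constructed sample values.

```python
"""Constructed PGP/MIME message: what a relay sees vs. what is sealed.

Added example, not from the original post or any PGP product. The
ciphertext below is a labelled placeholder, not real PGP output; only
the message layout follows the PGP/MIME convention.
"""
from email import message_from_string

# Constructed placeholder standing in for real ASCII-armored ciphertext.
PLACEHOLDER_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "placeholder ciphertext (constructed, not real PGP output)\n"
    "-----END PGP MESSAGE-----\n"
)


def build_plain_message(sender: str, recipient: str, subject: str, body: str) -> str:
    """An ordinary unencrypted text/plain message (LF line endings for brevity)."""
    return (
        f"From: {sender}\nTo: {recipient}\nSubject: {subject}\n"
        "MIME-Version: 1.0\nContent-Type: text/plain; charset=us-ascii\n\n" + body
    )


def build_pgp_mime_message(sender: str, recipient: str, subject: str,
                           armored_ciphertext: str, boundary: str = "pgp-boundary") -> str:
    """Wrap an already-encrypted body in the PGP/MIME container.

    From, To and Subject stay in the clear because the transport needs
    them; only the second MIME part carries the sealed content.
    """
    return (
        f"From: {sender}\nTo: {recipient}\nSubject: {subject}\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; '
        f'boundary="{boundary}"\n\n'
        f"--{boundary}\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        f"--{boundary}\nContent-Type: application/octet-stream\n\n"
        f"{armored_ciphertext}"
        f"--{boundary}--\n"
    )


def relay_view(raw_message: str) -> dict:
    """What a mail relay (or anyone logging traffic at it) can read."""
    msg = message_from_string(raw_message)
    parts = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "body_parts": parts,
        # Sealed means the body is a PGP/MIME container whose payload is opaque.
        "body_is_sealed": (msg.get_content_type() == "multipart/encrypted"
                           and "application/octet-stream" in parts),
    }


def cleartext_exposures(raw_message: str, secret: str) -> list:
    """Where a given string is readable without the recipient's key.

    Checks every top-level header and every body part except the opaque
    octet-stream ciphertext part of a PGP/MIME message.
    """
    msg = message_from_string(raw_message)
    needle = secret.lower()
    found = [name for name, value in msg.items() if needle in value.lower()]
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() == "application/octet-stream":
            continue
        if needle in part.get_payload().lower():
            found.append("body:" + part.get_content_type())
    return found


if __name__ == "__main__":
    sender, recipient = "alice@example.com", "bob@example.com"  # constructed
    subject = "Re: tax return 2006"
    plain = build_plain_message(sender, recipient, subject, "Attached is my tax return 2006.")
    sealed = build_pgp_mime_message(sender, recipient, subject, PLACEHOLDER_CIPHERTEXT)
    print("plain :", relay_view(plain), cleartext_exposures(plain, "tax return"))
    print("sealed:", relay_view(sealed), cleartext_exposures(sealed, "tax return"))
```

Running it shows the twist in the analogy: the PGP/MIME message seals the body, but the Subject line, like the sender and recipient, is written on the outside of the envelope and stays readable at every relay.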

Here are some solutions to encrypt your e-mail communications you may wish to explore:

[Disclaimer:  As of July 17, 2007, neither I nor my firm, The CSO Board LLC, has any conflict of interest (financial or other) with any of the above mentioned companies.  We have no financial or other incentive to mention these companies or organizations.]

This court ruling changes the game a bit, and society must adapt to the technological changes and challenges in turn.  I challenge you to do something today to protect the confidentiality and security of your online and e-mail communications.

For further reading:

Keep it Classified: E-mail Encryption for Small Business

Lifehacker: How to encrypt your email

Washington Post: E-mail at Risk? Cover It With Encryption

July 17, 2007

How Stolen Credit Cards Are Used to Fund Terrorist Operatives

Sometimes, I'll read a news story that makes me feel both angry and very concerned for our future.  The Washington Post published a story (http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501945_pf.html) on July 6th, 2007 that has shaken my beliefs.

A group of three British residents sympathetic to the global jihadist terrorist movement used a set of tools, including computer viruses and phishing web sites they created (fake sites emulating legitimate web sites such as Ebay.com), to steal credit card numbers from unsuspecting victims.  (For more information on phishing attacks read: http://en.wikipedia.org/wiki/Phishing)

They also used Internet bulletin board forums and underground chat rooms where they shared information including stolen credit card numbers, computer hacking, bomb making, and videos of beheadings and suicide bombings in the current conflict in Iraq.

In an attempt to hide their actions, the men also attempted to launder the money from the stolen credit cards through online gambling operations.   The stolen credit cards were also used to fund online purchases of supplies and equipment that the men intended to provide to terrorists in theaters of conflict.

The statistics of their crime are alarming.  One of the computers seized as part of the investigation into the activities of these men has been found to contain 37,000 stolen credit card numbers and detailed information on the legitimate credit card holders, including names, dates of birth, credit balances and limits.

The information technology (IT) and security industries have many technical countermeasures for combating the risks of e-mail spam and phishing web sites and for protecting credit card information.  As technology professionals we know how to combat those issues, but are we missing the bigger picture?

We constantly read news stories of companies that have fallen victim to their own actions and have lost credit card information.  Yet it seems that when companies do suffer electronic data breaches of credit card information, the issue is relegated to a technical problem and not treated as one with potentially broader implications.  Some organizations see those security breaches as a financial problem.  But that view is myopic too.

Over the past 10 years, as I have seen the information security profession and industry mature, I've always felt that both the IT and security fields will increasingly play a large role in the safety and security of our communities and countries.  In the news story I've shared with you, three men were able to steal the credit card numbers and identities of countless people, many of whom will never truly know how their information could have been used to fund the activities of terrorists and terrorist sympathizers.

But where does the responsibility lie?  Is it only up to banks, financial institutions, and companies to protect our personal information?  I would challenge anyone who says that 100% of the responsibility for protecting your and my personal information lies with banks, financial institutions or businesses.

Consumers must step up to the plate and be proactive.  How many of you as consumers know what spam e-mail, phishing attacks, and computer viruses are?  How many of you as consumers know what to do to protect yourself from those risks?  Education about these risks will help you protect your personal and financial information.

Don't think for a moment that you as an individual consumer cannot have an impact on preventing groups like terrorists and other criminal elements of society from continuing their actions.  Yes, you and I can help make it harder for the criminal elements of society to harm us all.  I challenge each and every one of you to go ahead and protect your personal information, and make a valuable contribution to the world in the process.

One final thought for businesses.  You too have a responsibility to prevent misuse of the personal and financial information we as consumers, clients, and employees have entrusted to you.   Please look beyond the technical and financial impact of ignoring the risks when failing to protect our personal and financial information.   Please stop making information security an afterthought.

As consumers and businesses we may never be able to change the mentality of criminal elements of society like terrorists.  But we can make a difference.

June 13, 2007

1 Million Computers Affected by Botnet; FBI Announces

The U.S. Federal Bureau of Investigation (FBI) has announced via a press release (http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm) that 1 million IP addresses (computers/systems) have been identified as being compromised by botnet software.

The FBI news release states:

"A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy."

The FBI is providing information (http://www.fbi.gov/page2/june07/botnet061307.htm) for anyone who may suspect their system is affected.  The U.S. Federal Trade Commission (FTC) is also providing information (http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt132.shtm) for consumers on the dangers, impact, and suggestions for consumers regarding botnets.

This news story is one more example that information security is everyone's responsibility. 

Take these basic steps to secure your home computer today:

  1. Scan your computer with updated anti-virus/anti-spyware software.
  2. Install software vendor patches such as Windows Update.
  3. Ensure your computer has a software or hardware firewall protecting it.

In protecting your home computer you will also be reducing the possibility that hackers will steal your identity and personal information from files stored on your home computer.  These three basic steps won't guarantee 100% protection, but they will significantly reduce the possibility that your home computer will be compromised by botnets and other malicious attacks.

ABC News - FBI Takes Down Cyber Hijackers
http://abcnews.go.com/TheLaw/story?id=3274261&page=1

Wikipedia - Botnet
http://en.wikipedia.org/wiki/Botnet

June 12, 2007

Connecticut AG Investigating Pfizer (NYSE: PFE) Data Security Breach Affecting 17,000 Employees

The Connecticut Attorney General's (AG) Office is investigating a data security breach at Pfizer Inc.  (Press Release: http://www.ct.gov/ag/cwp/view.asp?Q=383962&A=2788).  The information of 17,000 current and former employees, including names, social security numbers, and some payroll information such as bonuses, was exposed.  The information was compromised on a laptop that had peer-to-peer file sharing software installed, which exposed the confidential information to third parties.  In a letter (http://www.ct.gov/ag/lib/ag/consumers/pfizerdatabreachletter.pdf) dated June 6, 2007, Connecticut AG Richard Blumenthal asked Pfizer to explain in detail the policies and actions Pfizer takes to protect sensitive information.

As a security professional, I applaud AG Blumenthal's quick action to open an investigation into any incident that demonstrates irresponsible behavior towards the protection of personal information by any organization.

In today's era of security breaches, organizations must be more careful about storing sensitive personal information on laptops and making sure that their employees understand their responsibility for protecting that sensitive information.   We have the technology today and the lessons of the past to be able to effectively protect sensitive information.  It is time to end the excuses and get serious about the protection of personal information.

June 08, 2007

Data Security Breach at University of Virginia, Hackers Access Social Security Numbers of 5,735 Faculty Members

The University of Virginia has issued a press release (http://www.virginia.edu/uvatoday/newsRelease.php?id=2217) confirming a data security breach that occurred between May 20, 2005 and April 19, 2007.  The University's ongoing investigation has uncovered that during this period hackers were able to access the names, social security numbers, and dates of birth of 5,735 faculty members.

Currently the University of Virginia Police are coordinating with the U.S. Federal Bureau of Investigation (FBI) on the ongoing criminal investigation.  Initial findings suggest that the hackers were able to retrieve the information from a database through sophisticated web application attacks.  In simple terms, the hackers manipulated an Internet-facing web application into retrieving the personal information from an internal database server.

This is not surprising considering the rise in application-layer attacks in recent years.  Most organizations fail to adequately secure web applications or to test them for exploitable vulnerabilities.  Organizations, including universities, should do more to test web applications for vulnerabilities that could allow attackers to escalate their privileges and gain unauthorized access to sensitive databases.  Application security testing is not the final answer in the "arms race" between security professionals and attackers, but it is a step in the correct direction.

June 06, 2007

U.S. Secret Service Informant Also Identity Thief Who Stole $2 Million

It sounds like an action movie plot, but the real-life story of Brett Shannon Johnson, as reported by Wired.com (http://www.wired.com/politics/law/news/2007/06/secret_service), is hard to believe.

For 10 months, Johnson was working undercover with the U.S. Secret Service (USSS) office in Columbia, South Carolina to help the Secret Service catch identity thieves.  While working with the Secret Service, Johnson let his greed get in the way and continued his illegal identity theft activities.  During this time Johnson committed identity theft fraud totaling around $2 million, most of it done under the radar of the Secret Service, who were using him as a paid informant!  Once the Secret Service became aware of his crimes, Johnson decided to run away and disappear.  Not the smartest move he could make.

Last week a federal judge fined Johnson $300,000 and sentenced him to six (6) years in jail for his crimes.

Go ahead and read the story on Wired.com (http://www.wired.com/politics/law/news/2007/06/secret_service) for more twists on this story!

May 30, 2007

Office of Management and Budget (OMB) sets 120-day deadline for Federal Agencies to Develop Security Breach Notification Policy

The White House Office of Management and Budget (OMB) has given federal agencies a 120-day deadline for developing a security breach notification policy.  This mandate (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf) also requires federal agencies to rethink their requirements for personally identifiable information (PII), including the unnecessary use of information such as social security numbers.

With recent security breaches highlighting the need for better protection of PII, the White House OMB is taking information security and privacy for electronic data seriously.

May 16, 2007

State of California Secretary of State Leading Charge to Test Electronic Voting (E-Voting) Systems

In a surprising move, the State of California Secretary of State has ordered a comprehensive review of the security mechanisms of the electronic voting machines certified for use in California.  While politicians in Washington D.C. have largely ignored the issue or paid only lip service to the security and integrity risks inherent in electronic voting (e-voting) systems, California's Secretary of State Debra Bowen has taken a commendable step in the correct direction.

The "Top-To-Bottom Review" requested by the California Secretary of State's Office is being done through a contract with the University of California (UC), experts from both private and public universities, and private sector companies throughout the United States.   

The list of technology and security experts who are initially named to conduct this research is quite impressive.  Some of those experts are:

  • Matthew Bishop, Professor in the Department of Computer Science and Co-Director of the Computer Security Laboratory at UC Davis
  • David Wagner, Associate Professor in the Computer Science Division at UC Berkeley
  • Matt Blaze, Associate Professor of Computer Science, University of Pennsylvania
  • Ed Felten, Professor of Computer Science and Public Affairs, Princeton University; Director of Center for Information Technology Policy, Princeton University
  • Eric Rescorla, Chief Scientist of Network Resonance, Inc.
  • Mark McLarnon, RABA Technologies
  • Harri Hursti, Independent Computer Security Consultant
  • Giovanni Vigna, Associate Professor, Computer Security Group, Department of Computer Science, UC Santa Barbara
  • Deirdre K. Mulligan, Director of the Samuelson Law, Technology & Public Policy Clinic, a Clinical Professor of Law at the UC Berkeley School of Law (Boalt Hall)
  • Candice Hoke, Associate Professor of Law and Director, Center for Election Integrity, Cleveland State University
  • Joseph Lorenzo Hall, MA, MIMS, Ph.D. candidate in the Department of Information Management and Systems, UC Berkeley
  • Noel Runyan, electrical engineer and computer scientist with over 33 years experience

This initial list of experts is commendable.  I wish all of these researchers, and those yet to be added to their ranks, success in their endeavors to help find and fix the vulnerabilities in the electronic voting systems used in California's elections.  To the researchers, thank you for lending your experience and talents to safeguarding our democracy.

With the public's concern in our democracy for fair, accessible, and accurate political elections, I have to wonder why the federal government has not taken the lead in doing the kind of research California's Secretary of State has requested.  Maybe it is time that those in positions of public trust in Washington D.C. at the federal level follow California's lead in ensuring that every citizen's vote is secure, accurate, reliable, and accessible.

One last closing thought: California is embarking on this ambitious research well ahead of the 2008 U.S. Presidential Election.  Will anyone in the United States Congress review California's research ahead of the U.S. Presidential Election and pass national legislation to safeguard every citizen's vote that is cast on electronic voting machines?

For more information on the State of California's Secretary of State's Top-To-Bottom Review please visit: 
http://www.ss.ca.gov/elections/elections_vsr.htm

May 11, 2007

North Texas Crime Commission: Scam Jam 2007 Conference

Recently I had the opportunity to hear a presentation on the efforts of the North Texas Crime Commission (NTCC - http://www.ntcrimecomm.org).  The NTCC's mission is to bring together the law enforcement community at all levels (local, state, and federal), media, and citizens in the fight against crime in communities throughout the Dallas/Ft. Worth (DFW), Texas metropolitan area.

I'm grateful the DFW area has a dynamic organization like NTCC and local, state, and federal law enforcement agencies willing to share information and cooperate openly with private industry and the general public.  In the post-September 11 world we live in, it is imperative that the general public, private industry, and the law enforcement community work together to provide safer communities and contribute to our national security efforts.

The NTCC is sponsoring a community event called Scam Jam 2007, which is open to the general public (free admission) on June 2, 2007 from 9:00 a.m. to 1:00 p.m.  This event is focused on how everyone can protect themselves from fraud and identity theft.  With permission of the NTCC, I'm posting a copy of the brochure for this event, Scam Jam 2007.  Click this link to Download ScamJam2007.pdf  to view the brochure announcing the event. The keynote speaker will be U.S. Congressman Pete Sessions.

It is good to see private industry, concerned community outreach organizations such as NTCC, and the law enforcement community work together for the good of every citizen.

May 09, 2007

22,000 Social Security Numbers Compromised at University of Missouri

Officials at the University of Missouri have acknowledged a second electronic attack this year that has compromised 22,000 social security numbers of students and alumni.  Currently the FBI is investigating this incident.

News reports (http://www.msnbc.msn.com/id/18561756/) indicate the information was accessed by manipulating a web page that allowed users to query an internal software application to compile reports for help desk issues.  The attack originated from IP addresses in China and Australia.

Educational institutions should be more proactive in protecting personal information.  Due to their open academic culture, educational institutions are prime targets for social engineering and technical attacks by persons with intent on stealing personal information such as social security numbers.  Perhaps educational institutions would do well to reconsider their business practices, operational procedures, and technical measures around the use and protection of personal information.
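Both this post and the University of Virginia post above describe the same pattern: an Internet-facing web page that takes user input and turns it into a query against an internal database, manipulated into returning records it was never meant to show. Neither post says which specific flaw was used, so the example below is a generic illustration added here, not a reconstruction of either incident and not code from either university. It uses Python's standard sqlite3 module with a constructed help-desk style table (the SSNs are obviously fake), and places a query built by string concatenation beside the parameterized form that application security testing would look for, plus an allow-list check as defense in depth.

```python
"""Constructed department lookup: concatenated SQL beside its parameterized form.

Added example, not from the original posts and not a reconstruction of
either university's incident. Table contents are constructed sample data.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the internal database behind a web page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faculty (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, dept TEXT)")
    conn.executemany(
        "INSERT INTO faculty (name, ssn, dept) VALUES (?, ?, ?)",
        [
            ("A. Adams", "000-00-0001", "History"),  # constructed, not real SSNs
            ("B. Baker", "000-00-0002", "Physics"),
            ("C. Clark", "000-00-0003", "Physics"),
        ],
    )
    return conn


def names_in_department_vulnerable(conn: sqlite3.Connection, dept: str) -> list:
    """Unsafe: the request parameter is spliced into SQL text.

    Whatever the user typed is parsed as part of the statement, so the
    query's shape is under the user's control, not the application's.
    """
    sql = f"SELECT name FROM faculty WHERE dept = '{dept}'"
    return conn.execute(sql).fetchall()


def names_in_department_safe(conn: sqlite3.Connection, dept: str) -> list:
    """Safe: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT name FROM faculty WHERE dept = ?", (dept,)).fetchall()


DEPT_PATTERN = re.compile(r"^[A-Za-z][A-Za-z ]{0,63}$")


def validate_department(dept: str) -> bool:
    """Allow-list check on the input's shape; defense in depth, not the fix itself."""
    return bool(DEPT_PATTERN.match(dept))


def run_demo() -> dict:
    """Run both query styles against a benign value and a crafted one."""
    conn = make_db()
    # Classic crafted value: closes the quoted literal, appends a second SELECT
    # over another column, and comments out the rest of the original statement.
    crafted = "Physics' UNION SELECT ssn FROM faculty --"
    return {
        "benign_vulnerable": names_in_department_vulnerable(conn, "Physics"),
        "benign_safe": names_in_department_safe(conn, "Physics"),
        "crafted_vulnerable": names_in_department_vulnerable(conn, crafted),
        "crafted_safe": names_in_department_safe(conn, crafted),
        "crafted_passes_validation": validate_department(crafted),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the benign value both functions return the two Physics names. With the crafted value the concatenated query returns every SSN in the table alongside the names, while the parameterized query simply finds no department with that literal name and returns nothing; the allow-list rejects the crafted value before it reaches the database at all. The parameterized query is the fix; the validation and the server's query log (the unexpected UNION is visible there) are what testing and monitoring would catch.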

Official Statement from University of Missouri
http://www.umsystem.edu/ums/news/releases/news07050801.shtml

University of Missouri - Division of Information Technology / Computer Security
http://doit.missouri.edu/computersecurity/