Entries Tagged "identity theft"

Bot Networks

What could you do if you controlled a network of thousands of computers—or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or break cryptographic problems.

All of these are legitimate applications. And you can visit distributed.net and download software that allows you to donate your spare computer cycles to some of these projects. (You can help search for Optimal Golomb Rulers—even if you have no idea what they are.) You’ve got a lot of cycles to spare. There’s no reason that your computer can’t help search for extraterrestrial life as it, for example, sits idly waiting for you to read this essay.

The reason these things work is that they are consensual; none of these projects download software onto your computer without your knowledge. None of these projects control your computer without your consent. But there are lots of software programs that do just that.

The term used for a computer remotely controlled by someone else is a “bot”. A group of computers—thousands or even millions—controlled by someone else is a bot network. Estimates are that millions of computers on the internet today are part of bot networks, and the largest bot networks have over 1.5 million machines.

Initially, bot networks were used for just one thing: denial-of-service attacks. Hackers would use them against each other, fighting hacker feuds in cyberspace by attacking each other’s computers. The first widely publicized use of a distributed intruder tool—technically not a botnet, but practically the same thing—was in February 2000, when Canadian hacker Mafiaboy directed an army of compromised computers to flood CNN.com, Amazon.com, eBay, Dell Computer and other sites with debilitating volumes of traffic. Every newspaper carried that story.

These days, bot networks are more likely to be controlled by criminals than by hackers. The important difference is the motive: profit. Networks are being used to send phishing e-mails and other spam. They’re being used for click fraud. They’re being used as an extortion tool: Pay up or we’ll DDoS you!

Mostly, they’re being used to collect personal data for fraud—commonly called “identity theft.” Modern bot software doesn’t just attack other computers; it attacks its hosts as well. The malware is packed with keystroke loggers to steal passwords and account numbers. In fact, many bots automatically hunt for financial information, and some botnets have been built solely for this purpose—to gather credit card numbers, online banking passwords, PayPal accounts, and so on, from compromised hosts.

Swindlers are also using bot networks for click fraud. Google’s anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer; it’s much harder to determine if a single click by each of thousands of computers is fraud, or just popularity.

And, of course, most bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.)

Modern bot networks are remotely upgradeable, so the operators can add new functionality to the bots at any time, or switch from one bot program to another. Bot authors regularly upgrade their botnets during development, or to evade detection by anti-virus and malware cleanup tools.

One application of bot networks that we haven’t seen all that much of is to launch a fast-spreading worm. (Some believe the Witty worm spread this way.) Much has been written about “flash worms” that can saturate the internet in 15 minutes or less. The situation gets even worse if 10 thousand bots synchronize their watches and release the worm at exactly the same time. Why haven’t we seen more of this? My guess is because there isn’t any profit in it.

There’s no real solution to the botnet problem, because there’s no single problem. There are many different bot networks, controlled in many different ways, consisting of computers infected through many different vulnerabilities. Really, a bot network is nothing more than an attacker taking advantage of 1) one or more software vulnerabilities, and 2) the economies of scale that computer networks bring. It’s the same thing as distributed.net or SETI@home, only the attacker doesn’t ask your permission first.

As long as networked computers have vulnerabilities—and that’ll be for the foreseeable future—there’ll be bot networks. It’s a natural side-effect of a computer network with bugs.

This essay originally appeared on Wired.com.

EDITED TO ADD (7/27): DDoS extortion is a bigger problem than you might think. Right now it’s primarily targeted against fringe industries—online gaming, online gambling, online porn—located offshore, but we’re seeing more and more of it against mainstream companies in the U.S. and Europe.

EDITED TO ADD (7/27): Seems that Witty was definitely not seeded from a bot network.

Posted on July 27, 2006 at 6:35 AM

Identity Theft and Methamphetamines

New trend or scary rumor?

When methamphetamine proliferated more recently, the police and prosecutors at first did not associate it with a rise in other crimes. There were break-ins at mailboxes and people stealing documents from garbage, Mr. Morales said, but those were handled by different parts of the Police Department.

But finally they connected the two. Meth users—awake for days at a time and able to fixate on small details—were looking for checks or credit card numbers, then converting the stolen identities to money, drugs or ingredients to make more methamphetamine. For these drug users, Mr. Morales said, identity theft was the perfect support system.

Supposedly meth users are ideally suited to be computer hackers:

For example, crack cocaine or heroin dealers usually set up in well-defined urban strips run by armed gangs, which stimulates gun traffic and crimes that are suited to densely populated neighborhoods, including mugging, prostitution, carjacking and robbery. Because cocaine creates a rapid craving for more, addicts commit crimes that pay off instantly, even at high risk.

Methamphetamine, by contrast, can be manufactured in small laboratories that move about suburban or rural areas, where addicts are more likely to steal mail from unlocked boxes. Small manufacturers, in turn, use stolen identities to buy ingredients or pay rent without arousing suspicion. And because the drug has a long high, addicts have patience and energy for crimes that take several steps to pay off.

[…]

“Crack users and heroin users are so disorganized and get in these frantic binges, they’re not going to sit still and do anything in an organized way for very long,” Dr. Rawson said. “Meth users, on the other hand, that’s all they have, is time. The drug stimulates the part of the brain that perseverates on things. So you get people perseverating on things, and if you sit down at a computer terminal you can go for hours and hours.”

And there’s the illegal alien tie-in:

“Look at the states that have the highest rates of identity theft—Arizona, Nevada, California, Texas and Colorado,’’ Mr. Morales said. “The two things they all have in common are illegal immigration and meth.”

I have no idea if any of this is actually true. But I do know if the drug user-identity thief connection story has legs, Congress is likely to start paying much closer attention.

Posted on July 12, 2006 at 1:32 PM

Identity-Theft Disclosure Laws

California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.

Except that it won’t do the same thing: The federal bill has become so watered down that it won’t be very effective. I would still be in favor of it—a poor federal law is better than none—if it didn’t also pre-empt more-effective state laws, which makes it a net loss.

Identity theft is the fastest-growing area of crime. It’s badly named—your identity is the one thing that cannot be stolen—and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit.

Many companies keep large databases of personal data that is useful to these fraudsters. But because the companies don’t shoulder the cost of the fraud, they’re not economically motivated to secure those databases very well. In fact, if your personal data is stolen from their databases, they would much rather not even tell you: Why deal with the bad publicity?

Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information—or to refrain from collecting it in the first place.

Think of it as public shaming. Companies will spend money to avoid the PR costs of this shaming, and security will improve. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.

This public shaming needs the cooperation of the press and, unfortunately, there’s an attenuation effect going on. The first major breach after California passed its disclosure law—SB1386—was in February 2005, when ChoicePoint sold personal data on 145,000 people to criminals. The event was all over the news, and ChoicePoint was shamed into improving its security.

Then LexisNexis exposed personal data on 300,000 individuals. And Citigroup lost data on 3.9 million individuals. SB1386 worked; the only reason we knew about these security breaches was because of the law. But the breaches came in increasing numbers, and in larger quantities. After a while, it was no longer news. And when the press stopped reporting, the “cost” of these breaches to the companies declined.

Today, the only real cost that remains is the cost of notifying customers and issuing replacement cards. It costs banks about $10 to issue a new card, and that’s money they would much rather not have to spend. This is the agenda they brought to the federal bill, cleverly titled the Data Accountability and Trust Act, or DATA.

Lobbyists attacked the legislation in two ways. First, they went after the definition of personal information. Only the exposure of very specific information requires disclosure. For example, the theft of a database that contained people’s first initial, middle name, last name, Social Security number, bank account number, address, phone number, date of birth, mother’s maiden name and password would not have to be disclosed, because “personal information” is defined as “an individual’s first and last name in combination with …” certain other personal data.

Second, lobbyists went after the definition of “breach of security.” The latest version of the bill reads: “The term ‘breach of security’ means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individuals to whom the personal information relates.”

Get that? If a company loses a backup tape containing millions of individuals’ personal information, it doesn’t have to disclose if it believes there is no “significant risk of identity theft.” If it leaves a database exposed, and has absolutely no audit logs of who accessed that database, it could claim it has no “reasonable basis” to conclude there is a significant risk. Actually, the company could point to a study that showed the probability of fraud to someone who has been the victim of this kind of data loss to be less than 1 in 1,000—which is not a “significant risk”—and then not disclose the data breach at all.

Even worse, this federal law pre-empts the 23 existing state laws—and others being considered—many of which contain stronger individual protections. So while DATA might look like a law protecting consumers nationwide, it is actually a law protecting companies with large databases from state laws protecting consumers.

So in its current form, this legislation would make things worse, not better.

Of course, things are in flux. They’re always in flux. The language of the bill has changed regularly over the past year, as various committees got their hands on it. There’s also another bill, HR3997, which is even worse. And even if something passes, it has to be reconciled with whatever the Senate passes, and then voted on again. So no one really knows what the final language will look like.

But the devil is in the details, and the only way to protect us from lobbyists tinkering with the details is to ensure that the federal bill does not pre-empt any state bills: that the federal law is a minimum, but that states can require more.

That said, disclosure is important, but it’s not going to solve identity theft. As I’ve written previously, the reason theft of personal information is so common is that the data is so valuable. The way to mitigate the risk of fraud due to impersonation is not to make personal information harder to steal, it’s to make it harder to use.

Disclosure laws only deal with the economic externality of data brokers protecting your personal information. What we really need are laws prohibiting credit card companies and other financial institutions from granting credit to someone using your name with only a minimum of authentication.

But until that happens, we can at least hope that Congress will refrain from passing bad bills that override good state laws—and helping criminals in the process.

This essay originally appeared on Wired.com.

EDITED TO ADD (4/20): Here’s a comparison of state disclosure laws.

Posted on April 20, 2006 at 8:11 AM

Military Secrets for Sale in Afghanistan

Stolen goods are being sold in the markets, including hard drives filled with classified data.

A reporter recently obtained several drives at the bazaar that contained documents marked “Secret.” The contents included documents that were potentially embarrassing to Pakistan, a U.S. ally, presentations that named suspected militants targeted for “kill or capture” and discussions of U.S. efforts to “remove” or “marginalize” Afghan government officials whom the military considered “problem makers.”

The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers’ names.

EDITED TO ADD (4/12): NPR story.

Posted on April 12, 2006 at 6:25 AM

The "I'm Not the Criminal You're Looking For" Card

This is a great idea:

Lawmakers in Iowa are proposing a special “passport” meant to protect victims of identity theft against false criminal action and credit charges.

The “Identity Theft Passport” will be a card or certificate that victims of identity fraud can show to police or creditors to help demonstrate their innocence, Tom Sands, a state representative of the Iowa House and supporter of the proposal, said in an e-mail interview Tuesday.

I wrote about something similar in Beyond Fear:

In Singapore, some names are so common that the police issue He’s-not-the-guy-we’re-looking-for documents exonerating innocent people with the same names as wanted criminals.

EDITED TO ADD (4/7): Of course it will be forged; all documents are forged. And yes, I’ve recently written that documents are hard to verify. This is still a good idea, even though it’s not perfect.

Posted on April 6, 2006 at 1:13 PM

Impressive Phishing Attack

Read about it here, or in even more detail.

I find this phishing attack impressive for several reasons. One, it’s a very sophisticated attack and demonstrates how clever identity thieves are becoming. Two, it narrowly targets a particular credit union, and sneakily uses the fact that credit cards issued by an institution share the same initial digits. Three, it exploits an authentication problem with SSL certificates. And four, it is yet another proof point that “user education” isn’t how we’re going to solve this kind of risk.

Posted on February 22, 2006 at 7:41 AM

Identity Theft in the UK

Recently there was some serious tax credit fraud in the UK. Basically, there is a tax-credit system that allows taxpayers to get a refund for some of their taxes if they meet certain criteria. Politically, this was a major objective of the Labour Party. So the Inland Revenue (the UK version of the IRS) made it as easy as possible to apply for this refund. One of the ways taxpayers could apply was via a Web portal.

Unfortunately, the only details necessary when applying were the applicant’s National Insurance number (the UK version of the Social Security number) and mother’s maiden name. The refund was then paid directly into any bank account specified on the application form. Anyone who knows anything about security can guess what happened. Estimates are that fifteen million pounds have been stolen by criminal syndicates.

The press has been treating this as an issue of identity theft, talking about how criminals went Dumpster diving to get National Insurance numbers and so forth. I have seen very little about how the authentication scheme failed. The system tried—using semi-secret information like NI number and mother’s maiden name—to authenticate the person. Instead, the system should have tried to authenticate the transaction. Even a simple verification step—does the name on the account match the name of the person who should receive the refund—would have gone a long way to preventing this type of fraud.
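The difference between authenticating the person and authenticating the transaction, as an added illustration that is not part of the original post. It assumes a refund portal that can look up the holder name of the payee account (a constructed bank lookup); all records, names and account numbers are constructed.

```python
"""Added example: authenticate the refund transaction, not just the applicant.
Everything here is constructed; the bank lookup is an assumed capability."""
from dataclasses import dataclass

# Constructed taxpayer records keyed by National Insurance number.
TAXPAYERS = {
    "QQ123456A": {"name": "Alice Example", "mothers_maiden_name": "Smith"},
    "QQ987654B": {"name": "Bob Sample", "mothers_maiden_name": "Jones"},
}

# Constructed stand-in for asking the bank whose name is on a given
# sort code / account number (assumption: the Revenue can query this).
ACCOUNT_HOLDERS = {
    ("12-34-56", "11111111"): "Alice Example",
    ("65-43-21", "22222222"): "Mallory Fraudster",
}


@dataclass
class RefundApplication:
    ni_number: str
    mothers_maiden_name: str
    sort_code: str
    account_number: str


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for names."""
    return " ".join(name.lower().split())


def authenticate_person(app: RefundApplication) -> bool:
    """What the portal did: only semi-secret knowledge about the applicant."""
    rec = TAXPAYERS.get(app.ni_number)
    if rec is None:
        return False
    return normalise(rec["mothers_maiden_name"]) == normalise(app.mothers_maiden_name)


def authenticate_transaction(app: RefundApplication) -> tuple:
    """What the essay suggests: also verify the payout destination belongs to
    the taxpayer. Returns (approved, reason) so mismatches can be queued for
    review instead of being paid out."""
    if not authenticate_person(app):
        return False, "knowledge check failed"
    holder = ACCOUNT_HOLDERS.get((app.sort_code, app.account_number))
    if holder is None:
        return False, "payee account not verifiable"
    expected = TAXPAYERS[app.ni_number]["name"]
    if normalise(holder) != normalise(expected):
        return False, "payee name does not match taxpayer"
    return True, "ok"
```

A stolen NI number and maiden name pass `authenticate_person`, but the same application is rejected by `authenticate_transaction` as soon as the payee account is in someone else's name.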

Posted on February 8, 2006 at 3:42 PM
