We first talked about ATM skimmers in 2006. They are back in the news in 2010 as a wave of skimmers is being installed by what the FBI describes as organized crime from Eastern Europe. The latest reports show that these skimmers are taking in about $350,000 per day. And unlike the prior exploits, these criminals often wait weeks or even months before using the stolen information, making it much more difficult to connect the monetary loss to the crime.

A quick refresher: An ATM skimmer is a device glued on the front of an ATM or gas station card reader that records the magnetic information off your card as you pass the card through to the real reader. Some of these devices are quite thin and can look just like the original equipment. Many are also rigged with hidden cameras which record your fingers as you key in your PIN. Snopes has a good set of pictures, as does CSOonline.

Look carefully at the machine before swiping your debit card. If you see any signs of tampering, loose components, mismatched colors or anything else that makes you suspicious, go to a different machine.

And as always, leave your debit card at home whenever possible. Credit cards carry better legal protections if/when they get exploited.

Well, another Cyber-Monday has come and gone. According to initial reports, it was a good day for retailers and for customers with lots of deals available. I hope that you were successful with your holiday shopping and more importantly, that you were safe with your online shopping.

For those of you who are still shopping, a few quick security reminders.

  • Be very suspicious of any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
  • Look for the prefix https in the address line.
  • If the deal sounds too good to be true, it probably is. If you’re suspicious, take your business somewhere else.
  • Make sure your own computer protections (anti-virus, firewall, patches) are up-to-date.
  • Always use a credit card, never a debit card. And check your statement carefully for charges you don’t recognize.

The more interesting question, though, may be whether your online shopping was “legal”. It’s called Cyber-Monday because so many people wait until they’re back at work and can use their company’s high-speed connections for their shopping. Are you allowed to do that under your company’s Acceptable Use policy? If you are in charge of setting the policy, should it be allowed?

Dan Lohrmann (of GovSpace fame) wrote an article for CSOonline titled Cyber Monday & Redefining Acceptable Use – Again in which he recaps the history – and confusion – of acceptable use policies. In these days of social networking (Facebook, Twitter, LinkedIn, wikis, etc), it seems so much more complicated. Should we allow it? Should we block it? Is it all-or-nothing or should we try to decide by categories? If we treat all employees the same, how do we accommodate the departments (say, Marketing) with special needs? What are we paying employees for anyway?

Lohrmann rightly says that this is a management problem that goes “back to the basic boss/employee accountability questions” and offers some hope that once Management decides on the right policies, the latest generation of tools can help to enforce them.

I’ll go further and say that despite all the hype, this is not a new problem. Because it’s not a new problem, using tools to cover it over is a placebo. The problem is employee (and supervisor) behavior. You need to know whether your people are getting the work done that you expect and pay them to do. And if not, you need to know that your supervisors are finding it and taking corrective action. If the work is getting done even on Cyber-Monday, why do you care if they spend their spare time at Amazon?

Note: I categorically reject the definitions of “expected work” that are based on hours. In my experience, employees have an intuitive levelset for how much work they should be doing given the pay, perks and culture (and offset by the animosity created by bad managers). Attempts to increase productivity by ‘taking away distractions’ just cause employees to find other distractions. They always have and they always will. The joke about the two-hour rule long pre-dates the Internet.

More than that, I believe that they understand and levelset productivity in terms of business results. No matter how you pay me, if I’m only making one widget an hour, I’m not meeting expectations. On the other hand, if I’m cranking out 150, you have no right to care that I can do it while spending half my day at the water cooler because if you try to push me for 300 I’m going to slack back to the 20 or so that my co-workers average.

To be blunt, if you lock down the computer, you are not going to get that productivity back.

The next question then is why your supervisors aren’t fixing the poor performers. It could be that they don’t understand the expectations. Specifically, you haven’t made them ready to be good supervisors. Or maybe they’re just lazy or, worse, too conflict-averse. Anyone can be a supervisor but not everyone can be a good supervisor. The point, though (and my apologies for the long-winded way around to it), is that technology is not a replacement for good supervision. You need to know what your people are doing. You need to know that work is getting done and done properly. Acceptable use policies intended to affect “productivity” are the lazy way out and using them will get you the lazy-man’s result.

That’s not to say that Acceptable Use policies don’t have a place. Acceptable Use policies should put clear boundaries around how the employee’s behavior can affect the company’s reputation (which is why restrictions on gambling and hate sites are defensible) or how they can affect other employees (the hostile workplace implications of sexually explicit sites) or even how they affect corporate resources like bandwidth (which is why we blocked internet video for the longest time – not because Howard Stern needed censoring but because we’re at the end of the pipe and streaming media usage led to a measurable degradation of business traffic). But Acceptable Use policies must be based on a direct adverse impact to the company. And it must be a clear enough connection that good employees self-censor rather than try to get around the blocks.

Acceptable Use, especially the “productivity” aspect of Acceptable Use, is more than just a management tactics question – it’s a management philosophy question. It’s a question about trust. The answer affects the whole tone and culture of your company.

Go to your Facebook page and take a screen-shot. Paste that into a Word document or Paint program. Now cover up the names and pictures and project the result up on the wall. What does it say about you? Would your friends recognize you? Your parents? Yourself?

Howard Rheingold, a social-media professor at Stanford University, runs this experiment with his class. It’s surprising – and a bit frightening – what you see about yourself in this way. As one of his students put it, Facebook tacitly encourages you to describe yourself in headlines. Snippets, soundbites and stereotypes. You list a specific interest but since readers only see the subset of things you list, they make assumptions based on that first impression. Many people who take a neutral look at their profile discover that it presents a very shallow image.

Worse, they find that it rarely presents an image of responsibility and trustworthiness. When so many employers include Facebook in their background checks, it’s an image that can really limit your options later on.

Facebook does have some privacy settings that can minimize the damage, but only if you take the time to set them right, and even then only if you’re lucky enough to set them now in a way that still fits the privacy you’ll need in 5 or 10 years. The better answer is to control what you post and what you allow others to post about you. If there’s something embarrassing, take it down.

The other thing to remember is that Facebook will probably not be the last word in social media. New programs will come out and hopefully they’ll take a stronger approach to privacy and foresight. In the meantime, be cautious about what you post in any social media. Be a little paranoid. Watch out for yourself.

Pennsylvania just enacted the Consumer Protection Against Computer Spyware Act. I appreciate that legislators are finally starting to take computer security seriously though this law may be more bark than bite.

Briefly, the law makes it a state crime for any “unauthorized user” to deceptively add software to your computer without your consent, to prevent you from removing their software, to change your computer settings, or to hide their own software. It’s a pretty good list of all the bad things that people were doing to our computers in 2008.

Unfortunately, the hackers have moved on and are using different tactics now. But I guess it never hurts to outlaw the old bad stuff. You might at least catch the stupid criminals who haven’t stayed with the times. The real problem, though, is that cybercrime is rarely investigated, much less prosecuted. If this law gets legitimately used a dozen times in the next five years, I’ll be surprised.

Which brings me to my real cause for concern – what are the ways this law could be twisted beyond its intended scope?

This law makes it illegal to change settings, modify bookmarks, impose a homepage, disable software, prevent your own software from being disabled and use techniques like keylogging. All those are bad things when done by an outsider but potentially legitimate tactics for law enforcement, your own company’s IT Security investigations or for your responsibilities as a parent.

On the plus side, PA did include wording that the person adding the software and making the modifications must be an unauthorized person. That’s a good thing. Other states have left that qualification out, making it ambiguous whether the company’s IT department could impose software restrictions on a company-owned computer. PA’s law provides a safe-harbor for the IT Security department as long as they are also authorized users on the user’s computer.

Here’s the rub, though. Several courts have passed down decisions (such as Stengart v LovingCare, US v Ziegler, US v Simons) that make it unclear when a computer counts as the user’s and when it counts as the company’s. Similar decisions have made it ambiguous whether a computer is owned by the parent or the child. (And it gets really complicated when you have two spouses going at it as in White v White.)

If the ownership and privacy right is at the company (or family) level, I don’t see a problem here. The IT department (or parent) is an authorized user by definition. One authorized user can still change settings or programs on the computer without the consent of the other authorized user(s). Whether it’s ethical or effective is another question but it would pretty clearly be legal under this law. On the other hand, if the employee (or child) has a “reasonable expectation of privacy” to the computer, then the IT department (or parent) might not be considered authorized under this law.

The fix is easy. PA did a pretty good job with this law – we don’t need to tamper with the law. You just need to make it crystal clear to every other user of the computer that you are the primary owner of the computer and that no other user can have any expectation of privacy that excludes you and your right to monitor. At the company level, you should have that in your written policy manual and probably on the login splash screen. At the family level, you need to insist on having a copy of all your children’s passwords (my one exception to the never share your password rule) and use parental controls. Exert your rights regularly, both to reinforce everyone’s understanding of the rules and so that you can show that your actions were a part of your routine security practice, not, for example, retaliation.

That sounds pretty simple but I predict at least one lawsuit testing the expectation of privacy and complaining about actions that in the non-computer world would be considered nothing more than good parenting. Make sure that everyone knows that you are an authorized user, then you can monitor whenever you find it necessary and you can impose changes on your corporate computers whether or not the individual user likes them.

Disclaimer: I am not a lawyer. I don’t even play one on TV. This is a layman’s interpretation of the law. I like to think it’s an informed opinion but only that – an opinion. If you need specific legal advice, contact a qualified lawyer in your area.

[W]e’re in favor of strong encryption, robust encryption. The country needs it, industry needs it. We just want to make sure we have a trap door and key under some judge’s authority where we can get there if somebody is planning a crime.
- FBI Director Louis Freeh, May 11, 1995

They can promise strong encryption. They just need to figure out how they can provide us plain text.
- FBI General Counsel Valerie Caproni, September 27, 2010

Encryption backdoors were declared dead in 2001. Unfortunately, the proposal has raised its ugly head again. EFF published a reminder about why it was a bad idea then and is still a bad idea now. It’s important enough to quote in its entirety. With elections coming, please vote to protect your privacy rights.


For those who weren’t following digital civil liberties issues in 1995, or for those who have forgotten, here’s a refresher list of why forcing companies to break their own privacy and security measures by installing a back door was a bad idea 15 years ago. We’ll be posting more analysis when more details on the “new” proposal emerge, but this list is a start:

  1. It will create security risks. Don’t take our word for it. Computer security expert Steven Bellovin has explained some of the problems. First, it’s hard to secure communications properly even between two parties. Cryptography with a back door adds a third party, requiring a more complex protocol, and as Bellovin puts it: “Many previous attempts to add such features have resulted in new, easily exploited security flaws rather than better law enforcement access.”

    It doesn’t end there. Bellovin notes:

    Complexity in the protocols isn’t the only problem; protocols require computer programs to implement them, and more complex code generally creates more exploitable bugs. In the most notorious incident of this type, a cell phone switch in Greece was hacked by an unknown party. The so-called ‘lawful intercept’ mechanisms in the switch — that is, the features designed to permit the police to wiretap calls easily — were abused by the attacker to monitor at least a hundred cell phones, up to and including the prime minister’s. This attack would not have been possible if the vendor hadn’t written the lawful intercept code.

    More recently, as security researcher Susan Landau explains, “an IBM researcher found that a Cisco wiretapping architecture designed to accommodate law-enforcement requirements — a system already in use by major carriers — had numerous security holes in its design. This would have made it easy to break into the communications network and surreptitiously wiretap private communications.”

    The same is true for Google, which had its “compliance” technologies hacked by China.

    This isn’t just a problem for you and me and millions of companies that need secure communications. What will the government itself use for secure communications? The FBI and other government agencies currently use many commercial products — the same ones they want to force to have a back door. How will the FBI stop people from un-backdooring their deployments? Or does the government plan to stop using commercial communications technologies altogether?

  2. It won’t stop the bad guys. Users who want strong encryption will be able to get it — from Germany, Finland, Israel, and many other places in the world where it’s offered for sale and for free. In 1996, the National Research Council did a study called “Cryptography’s Role in Securing the Information Society,” nicknamed CRISIS. Here’s what they said:

    Products using unescrowed encryption are in use today by millions of users, and such products are available from many difficult-to-censor Internet sites abroad. Users could pre-encrypt their data, using whatever means were available, before their data were accepted by an escrowed encryption device or system. Users could store their data on remote computers, accessible through the click of a mouse but otherwise unknown to anyone but the data owner; such practices could occur quite legally even with a ban on the use of unescrowed encryption. Knowledge of strong encryption techniques is available from official U.S. government publications and other sources worldwide, and experts understanding how to use such knowledge might well be in high demand from criminal elements. — CRISIS Report at 303

    None of that has changed. And of course, more encryption technology is more readily available today than it was in 1996.

  3. It will harm innovation. In order to ensure that no “untappable” technology exists, we’ll likely see a technology mandate and a draconian regulatory framework. The implications of this for America’s leadership in innovation are dire. Could Mark Zuckerberg have built Facebook in his dorm room if he’d had to build in surveillance capabilities before launch in order to avoid government fines? Would Skype have ever happened if it had been forced to include an artificial bottleneck to allow government easy access to all of your peer-to-peer communications?

    This has especially serious implications for the open source community and small innovators. Some open source developers have already taken a stand against building back doors into software.

  4. It will harm US business. If, thanks to this proposal, US businesses cannot innovate and cannot offer truly secure products, we’re just handing business over to foreign companies who don’t have such limitations. Nokia, Siemens, and Ericsson would all be happy to take a heaping share of the communications technology business from US companies. And it’s not just telecom carriers and VOIP providers at risk. Many game consoles that people can use to play over the Internet, such as the Xbox, allow gamers to chat with each other while they play. They’d have to be tappable, too.

  5. It will cost consumers. Any additional mandates on service providers will require them to spend millions of dollars making their technologies compliant with the new rules. And there’s no real question about who will foot the bill: the providers will pass those costs onto their customers. (And of course, if the government were to pay for it, they would be using taxpayer dollars.)

  6. It will be unconstitutional. Of course, we wouldn’t be EFF if we didn’t point out the myriad constitutional problems. The details of how a cryptography regulation or mandate will be unconstitutional may vary, but there are serious problems with nearly every iteration of a “no encryption allowed” proposal that we’ve seen so far. Some likely problems:
    • The First Amendment would likely be violated by a ban on all fully encrypted speech.
    • The First Amendment would likely not allow a ban of any software that can allow untappable secrecy. Software is speech, after all, and this is one of the key ways we defeated this bad idea last time.
    • The Fourth Amendment would not allow requiring disclosure of a key to the backdoor into our houses so the government can read our “papers” in advance of a showing of probable cause, and our digital communications shouldn’t be treated any differently.
    • The Fifth Amendment would be implicated by required disclosure of private papers and the forced utterance of incriminating testimony.
    • Right to privacy. Both the right to be left alone and informational privacy rights would be implicated.

  7. It will be a huge outlay of tax dollars. As noted below, wiretapping is still a relatively rare tool of government. Yet the tax dollars needed to create a huge regulatory infrastructure staffed with government bureaucrats who can enforce the mandates will be very high. So, the taxpayers would end up paying for more expensive technology, higher taxes, and lost privacy, all for the relatively rare chance that motivated criminals will act “in the clear” by not using encryption readily available from a German or Israeli company or for free online.

  8. The government hasn’t shown that encryption is a problem. How many investigations have been thwarted or significantly harmed by encryption that could not be broken? In 2009, the government reported only one instance of encryption that they needed to break out of 2,376 court-approved wiretaps, and it ultimately didn’t prevent investigators from obtaining the communications they were after.

    The New York Times reports that the government officials pushing for this have only come up with a few examples (and it’s not clear that all of the examples actually involve encryption) and no real facts that would allow independent investigation or confirmation. More examples will undoubtedly surface in the FBI’s PR campaign, but we’ll be watching closely to see if underneath all the scary hype there’s actually a real problem demanding this expensive, intrusive solution.

The real issue with encryption may simply be that the FBI has to use more resources when they encounter it than when they don’t. Indeed, Bellovin argues: “Time has also shown that the government has almost always managed to go around encryption.” (One circumvention that’s worked before: keyloggers.) But if the FBI’s burden is the real issue here, then the words of the CRISIS Report are even truer today than they were in 1996:

It is true that the spread of encryption technologies will add to the burden of those in government who are charged with carrying out certain law enforcement and intelligence activities. But the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages.