Sophos

Archive for the ‘Data leakage’ Category

Danger! UXB details lost on USB


Associated Press is reporting that a soldier has been convicted of negligence by a Swedish court, and fined 21,000 kronor (£1735) for losing a USB memory stick containing details of unexploded bombs in Afghanistan.

The 31-year-old soldier admitted leaving the USB flash drive, which contained classified information he had collected while serving as a peacekeeper in Afghanistan in 2006, in a Stockholm university computer. The data should have been handed back to authorities at the end of his mission, but the device was clearly still being used two years later.

The news comes at the same time as reports indicate that the US Army is cracking down on the use of USB storage devices. According to Wired, the commander of US Strategic Command has ordered the ban of all removable data storage devices, following defence networks being infected by the SillyFDC worm.

There are many variants of the SillyFDC worm, which typically infect Windows PCs by spreading via USB drives, hunting for any removable device connected to the computer. The malware then downloads further code from the internet, opening the potential for identity theft or launching distributed denial-of-service attacks or spam campaigns.

I would recommend that computer users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC.
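As an added example (not part of the original post), this is how an administrator would audit and apply that recommendation on Windows: the `NoDriveTypeAutoRun` policy value is a bit mask of drive types for which AutoRun is suppressed, and 0xFF covers every drive type. It assumes an elevated PowerShell session; run it with `-Fix` to remediate rather than only report.

```powershell
# Added example: audit (and optionally enforce) the Windows AutoRun policy.
# Assumes an elevated PowerShell session on the machine being checked.
param([switch]$Fix)

# 0xFF disables AutoRun for all drive types (removable, fixed, network, CD-ROM, RAM disk, unknown).
$Desired = 0xFF
$ValueName = 'NoDriveTypeAutoRun'
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current-user policy
)

function Get-AutoRunPolicy([string]$Key) {
    # Returns the configured mask, or $null when the value (or key) is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AutoRunPolicy([string]$Key, [int]$Mask) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $ValueName -PropertyType DWord -Value $Mask -Force | Out-Null
}

foreach ($key in $PolicyKeys) {
    $current = Get-AutoRunPolicy $key
    if ($null -eq $current) {
        $state = 'NOT SET (Windows default applies; AutoRun enabled for removable media)'
    } elseif (($current -band $Desired) -eq $Desired) {
        $state = ('OK (0x{0:X2}: AutoRun disabled for all drive types)' -f $current)
    } else {
        $state = ('WEAK (0x{0:X2}: AutoRun still enabled for some drive types)' -f $current)
    }
    Write-Output ("{0}`n  {1}" -f $key, $state)

    if ($Fix -and (($null -eq $current) -or (($current -band $Desired) -ne $Desired))) {
        Set-AutoRunPolicy $key $Desired
        Write-Output ('  -> set {0} to 0x{1:X2}' -f $ValueName, $Desired)
    }
}
```

Changes to the policy take effect for new Explorer sessions; for fleet-wide enforcement the same value is normally delivered through Group Policy rather than a script on each machine.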

Any storage device which is attached to a computer should be checked for viruses and other malware before use. Floppy disks, CD ROMs, USB keys, external hard drives and other devices are all capable of carrying malicious code which could infect the computers of innocent users.

Device control technology can help your company reduce the risk of data leakage and malware infection, by giving administrators control over removable storage devices.


BNP membership list posted onto internet


If you don’t live in the UK, chances are that you don’t know who the BNP (British National Party) are.

The group has been no stranger to the newspaper headlines in the past, and tomorrow it is likely to find itself gracing the pages of the popular press once more because its membership list has been posted on the internet.


According to The Daily Telegraph, publication of the list has caused panic amongst members - many of whom are concerned about reprisals from the general public.

The newspaper also reported that the name of a serving policeman is on the list, even though police officers are banned from joining.

BNP leader Nick Griffin, himself no stranger to controversy, promptly issued a statement on the BNP’s website confirming that the membership list was essentially genuine, and accusing former staff of “treachery” for stealing the information.


Although the BNP says it is taking legal action against internet service providers hosting the material, it’s all rather too late for that. The cat is out of the bag, and anti-BNP activists will surely repost the long list of names, addresses and phone numbers of BNP members to other websites and message boards.

Nick Griffin’s message to his members attempts to put on a brave face, saying “It’s water off a duck’s back to the stout hearts of the British National Party. Let’s enjoy the publicity bonus!” but party supporters are surely going to feel extremely uncomfortable about their personal details being publicised on the internet in this way.

All organisations need to take great care over the information they collect about their staff, partners, customers, and - in this case - members. If strict rules and policies controlling access to and distribution of that information are not in place, then it could be your company which is next brought into disrepute.


Court orders company to stop selling spyware

Florida-based software company CyberSpy Software has been ordered by a US district court to stop selling its RemoteSpy keylogging spyware program.

According to the Federal Trade Commission, CyberSpy gave customers detailed instructions on “how to disguise their spying program as an innocuous file, such as a photo, attached to an email.”

It is claimed that when innocent internet users clicked on the disguised file, the spyware would install itself silently onto the victims’ computers, monitoring every keystroke, email and instant message, and making a record of every website visited.

The RemoteSpy software secretly monitors computer activity

Data gathered by RemoteSpy was uploaded to a server run by the CyberSpy company, and made available to customers via a password-protected website.

The RemoteSpy and CyberSpy websites appear to be currently offline (presumably at the court’s request) but I managed to find an archived version for the screenshot above.

CyberSpy is far from the only company to work in this apparent “grey” area between legitimate and illegitimate software. Such products typically promote themselves as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft - but it’s clear that they can be used with a wide variety of motives.

The FTC will be trying to prove that, because the RemoteSpy software was installed onto computers without the informed consent of the PC’s owner and used to secretly steal personal data, it was in breach of the law. If the FTC is successful in its fight against CyberSpy it could send a warning shot to other vendors selling “legitimate” spyware.


Get Safe Online week 2008


Put your best dancing shoes on and deck the halls with bunting, because it’s that time of year again. Yes, it’s Get Safe Online week here in the UK.

International celebrities like Brad Pitt, Bill Gates and that little guy who used to be in Diff’rent Strokes are converging on London for a media blitz to help raise awareness amongst the British public of computer security issues. A 120 foot 3D hologram of Carol Vorderman will be beamed above Nelson’s Column to provide shoppers and tourists with tips on how to avoid having their online bank account raided, and how to upgrade their version of Internet Explorer. Meanwhile, episodes of top soap operas Eastenders and Coronation Street will feature storylines about identity theft and scareware.

Okay, so some of that last paragraph may not be entirely true.

But wouldn’t it be great if it was? You see, I think Get Safe Online is a terrific website with superb material on it, and there’s no doubting the very real determination of the people behind the organisation to spread the word about how to use the internet safely. But - and it’s a big but - no-one apart from security geeks seems to know about the website, and we’re hardly the most important people to train about computer security.

I hope the awareness week is successful in raising the profile of the site and safe computing practices amongst the general public, but the government needs to put much more effort into educating the masses in how to surf safely online.


Lost for words? Nah, on holiday..

Apologies for the silence from the Clu-blog over the last few days.

Of course, it’s typical that when you take a few days’ holiday, various stories (large and small) will break in your absence. My wife always reminds me that it was while we were on holiday in Mexico that the notorious female virus writer Gigabyte was arrested.

So, if you can’t wait until I return to my desk on Monday, here’s a quick catch-up on some of the stories that occurred while I was out of keyboard range..

Spam takes a dive

Maybe the biggest story of the last few days has been the dramatic 75% drop in global spam which we witnessed after McColo was disconnected from the internet.

McColo is alleged to have been the home for command-and-control centres for some of the world’s largest botnets - including those responsible for distributing attacks like Rustock and Pushdo.

Spamtrap connections to SophosLabs' spamtraps vs. time

Of course, the drop in spam levels is likely to be only temporary - but that shouldn’t stop us from congratulating members of the security industry like Brian Krebs who helped make this happen.

Great work!

Inconsistent treatment for NASA hackers?

Remember Gary McKinnon, the British hacker who is facing extradition after breaking into NASA and Pentagon computers shortly after 9/11?

Well, his case contrasts dramatically with that of another NASA hacker sentenced this week. According to media reports, Victor Faur, a Romanian computer programmer who hacked into NASA, US Navy and Department of Energy computers has escaped a jail term.

28-year-old Faur received a suspended sentence of 16 months on Monday, and was ordered to pay a total of $238,000, after being found guilty of hacking into the government departments between November 2005 and September 2006.

What’s curious is that, as far as anyone can tell, the US doesn’t seem to be making much attempt to extradite Faur to its own shores. And furthermore, years after the McKinnon incident the American military systems were still open to exploitation by hackers.

My guess is that McKinnon would be very happy to receive a fine (and even spend time behind bars) if it meant he could stay in his country of birth and be tried by a British court.

$1 million bounty offered for capture of identity thief

Earlier this month I applauded Express Scripts who had refused to pay a ransom demand after data on some of their customers was apparently stolen by an identity thief.

Now the US-based company, which handles 500 million medical prescriptions every year, is offering a million dollar reward for information which might lead to the arrest and conviction of the thief.

Express Scripts have asked the FBI to investigate the theft - so if you have any clues about who might be responsible and fancy $1 million give them a call on 1-800-CALL-FBI.

Dental records extracted from University of Florida

The records of some 330,000 current and former patients at the University of Florida’s College of Dentistry were potentially compromised by hackers, reports revealed on Wednesday.

It turns out that the University’s IT team discovered unauthorised software on the computer system when they were doing a routine upgrade to the server in early October. Apparently, information stored on the computer included the names, addresses, dates of birth and social security numbers of dental patients reaching back as far as 1990.

There’s a worry here that educational establishments may be something of a soft target when it comes to identity theft and data leakage compared to, say, financial organisations who are more used to always looking over their shoulder for the next hacker attack. As more universities realise the severity of attacks like this we’re likely to see them instilling the need for stronger security throughout their systems.


Reports: WPA Wi-Fi encryption cracked


Researchers are claiming that they have found a way to partially crack the encryption used on WPA wireless communications.

According to media reports, Erik Tews and Martin Beck claim that they have found a way to unlock the Temporal Key Integrity Protocol (TKIP) key, used by WPA, to read data sent from a wireless router to laptop computers. According to the researchers, the key can be cracked in 12-15 minutes.

Many companies and home users currently use the WPA (Wi-Fi Protected Access) encryption protocol to prevent criminals from sniffing confidential information out of the air which could be used for the purposes of identity theft.

It has long been known that WEP, an earlier encryption standard, was easily breached and many individuals and firms who use wireless have been encouraged to make the switch to a more secure system such as WPA or WPA2.

Indeed, just last month I reported on how the Payment Card Industry (PCI) Security Standards Council was telling retailers that they must use better encryption like WPA or WPA2 to protect credit card and other identity information following a spate of embarrassing data breaches.

Fortunately, so far the researchers say they have not been able to find a way to intercept communications sent from wireless laptops to the router - only data sent in the other direction. Nevertheless, there will be many eyes turned to next week’s PacSec conference in Tokyo where Tews says he will demonstrate the attack against WPA.

Depending on what is revealed, some companies may need to look again at their Wi-Fi security and adopt a higher level of encryption. WPA2 has not suffered from any cracks so far - maybe everyone should switch to that?


Extortion threat exposes “potential large data breach”

Express Scripts handles the medical prescriptions of millions of Americans every year through home delivery and at retail pharmacies. That’s a lot of important data for the Fortune 150 company to look after.

You can, therefore, understand why Express Scripts took a recent letter that threatened to expose millions of the company’s medical customers’ records seriously.

According to media reports and a press release by the firm, an unknown person or persons sent an extortion letter to the company in early October, including the names, dates of birth, social security numbers, and prescription information of 75 customers.

Express Scripts has published information on its website

Express Scripts has done the right thing.

Firstly, it hasn’t paid any money. That’s important because paying blackmailers only encourages them to ask for more money, or to steal from others.

Express Scripts has also called in the FBI, and begun its own investigation into how the security of their databases might have been breached.

Furthermore, it has gone public on the incident. A press release has been posted to the wires, and a section set up on their website explaining to customers that there has potentially been a large data security breach. Imagine what the implications might have been if they had tried to hush up the incident, paid off the blackmailer, and never told their customers about the possible slip-up.

What’s interesting to me is that having got his paws on the data (we don’t know presently whether he has only got 75 records or perhaps millions..) the criminal chose to try and extort money out of Express Scripts. He notably didn’t try and exploit the identity information himself, as far as we can tell, and he didn’t try and sell the data on via the computer underground.

That suggests to me that either he thinks he can make more money by blackmailing Express Scripts (sorry buster, it doesn’t seem that they want to play ball..) or that he simply isn’t circulating in the right underground circles to know how to fence the information on to other criminals.

Although we did hear a story recently about a chap accused of trying to get money out of Maserati after allegedly stealing customer information, it’s pretty rare to hear stories of data thieves trying to extort money from their victims rather than the more “conventional” stories of distributed denial-of-service (DDoS) and ransomware blackmail attempts.

Whether that’s because firms who are targeted by data thieves don’t make the incident public like Express Scripts have is hard to say.


Bank of Ireland loses customer data on memory stick

The personal information of almost 1000 bank customers has been lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick.

In the latest security blunder to befall a bank, details of 894 customers’ accounts, phone numbers and addresses were wrongfully copied onto a portable flash drive which was subsequently lost. In the wrong hands, the information could provide criminals with some of the essential stepping stones to committing identity theft.

Bank of Ireland says it has informed most of the people affected by the data breach, and will monitor their accounts for unusual activity.

That’s all very well - but this security lapse should never have happened in the first place. With proper checks and measures in place, it should have been possible to control access to the memory stick and ensure that any sensitive data copied to it remained encrypted.

Sadly it seems the message about the need for greater care over the transport of sensitive data just isn’t getting through to some businesses - or at least that workers cannot be trusted to follow security guidelines and policies.

If you cannot enforce a policy across your workforce then there is the risk that your employees are putting the reputation of your company directly into the firing line.


Passwords for UK government website found in pub carpark


British newspaper The Mail on Sunday has itself another scoop.

A member of the public found a 4GB USB thumb drive outside a pub in Cannock, Staffordshire. The memory stick, which was passed to the newspaper, is alleged to contain confidential passwords for the Government Gateway website, and its source code.

The British public register on the Gateway website to access hundreds of government services including self-assessment tax returns, VAT returns, pension entitlements and child benefits. This year, 1.8 million people are said to have submitted their tax returns via the system for instance.

The memory stick was lost by an employee of Cannock-based Atos Origin, who manage the Gateway system on behalf of the UK government.

A spokeswoman for the Department for Work and Pensions has stated that the memory stick contained data for “only a handful” of people, and all of their passwords were encrypted. She also confirmed that the website was temporarily suspended while the department investigated the security breach.

Even if the passwords were encrypted - was it appropriate that this information was on a USB memory stick allowed out of a secure area in the first place? With the long line of recent embarrassing security breaches hitting firms and government departments, doesn’t more need to be done to control the movement of sensitive data?

Clearly the private and public sector are putting the identities of the innocent at risk through their carelessness. A few days ago at the RSA Europe Conference in London, Information Commissioner Richard Thomas gave a speech revealing that there have been 277 data breaches reported to his department in the last year. Thirty serious incidents, in both the public and private sectors, are still under investigation.

As massive databases of personal information are increasingly gathered, the risks of embarrassing data leaks increase. This has been one of the concerns regarding the Home Office’s proposal of a national identity card scheme.

As blog reader Pete recently said to me, maybe we’ll start to see the capacities of USB memory sticks advertised like this in future: “8gb, enough for 8,000,000 books, 4,000 mp3s, 16,000 civil servants personal details, 38,000 prisoners inside leg measurement…”


Jaw jaw at RSA Europe and AMTSO


If you revolve in security circles then you may well know that this week is “RSA week”. The European version of the well-known stateside security conference is taking place over the next few days at the ExCeL Conference Centre in London’s rejuvenated docklands.

(By the way, am I the only one to get annoyed by the overuse of camel-case in the ExCeL Centre’s name? It’s like a convention of dromedaries..)

If you’re going to the conference, please feel free to drop in on a roundtable discussion I am participating in tomorrow morning at 10.15am. I, and luminous peers such as David Perry from Trend Micro, Larry Bridwell from AVG and Andreas Marx of independent testing labs AV-Test, will be discussing “The Need To Adopt Standards-Based Anti-Malware Testing Methodologies”.

And if you’re in the market for encryption (and let’s face it, with the barrage of stories of data leakage foul-ups, you probably should be) you could do a lot worse than have a chat with those lovely chaps from Utimaco on stand 46.

RSA Europe week serendipitously coincides with the next meeting of AMTSO (the Anti-Malware Testing Standards Organisation), a cross-industry group designed to improve the quality of anti-virus tests.

A motley crew of anti-virus researchers and other interested parties from companies such as Trend Micro, AV-Test, ICSA Labs, Eset, McAfee, Norman, Symantec, Virus Bulletin, AVG, MessageLabs (aren’t they now Symantec? Sounds like someone is after extra drinks..), F-Secure, Panda, Bit 9, Alwil, Kaspersky, Microsoft, and others I’ve probably forgotten.. are descending on Oxford, as Sophos HQ will be the venue on Thursday and Friday this week.

This horde is planning to have a night out amid the dreaming spires of Oxford on Thursday night. I imagine this will be an evening of high art, classical music and witty repartee. I’ll report back on who ends up spending the night in jail.