The Ethical Investigator

In September 2011, Gauss, a new malware described by the tech-press “as a cyber-espionage tool kit” emerged from the Middle East.  Gauss steals highly sensitive data, including browser passwords, online bank accounts as well as cookies and system configurations.  Gauss closely resembles the malware Flame and Stuxnet, which according to Kaspersky Labs, were created in state-sponsored factories.  Consequently, analysts believe that it too might be state-sponsored.  Since its debut, Gauss appears to have infected 2,500 machines worldwide.  However, the total number of victims may actually be much higher, in the realm of tens of thousands. 

And that number could just keep growing.  Shortly after Gauss was discovered in June 2012, its command and control infrastructure was disabled.  This may sound like a victory, but it is actually far from the truth.  As tech journalist Larry Dignan explains on Cnet.com, the Gauss “malware is dormant waiting for servers to become active.” In other words, it may continue to wreck havoc.

Admittedly, this sort of thing—state-sponsored hackers breaking into bank accounts— could keep one up at night.  What is interesting from an investigative point of view, however, is the way that computer scientists have figured out how to root out the Gauss malware before it causes harm.  Apparently, computer scientists have determined that the font Palida Narrow is used during a Gauss cyber attack.  Therefore, programs designed to detect Gauss check for that particular font to help determine whether the malware is in fact present and needs to be rooted out. 

To be clear, the font does not cause the theft to occur.  Instead, its presence merely correlates with the malware that does.  It is an indirect and yet highly elegant and quick way to detect whether a problem may exist.

As investigators, we can’t always get exactly to the evidence we want to prove.  Sometimes it merely doesn’t exist.  Often, ethical and legal constraints keep us from being able to obtain the facts we definitively need to prove what we are investigating. 

It’s easy to get lost searching for the unsearchable, pining for that one nugget that will help everything fall into place.  But investigators don’t have that luxury. 

So, we sometimes have to do what the computer scientists have done by pinpointing a font as a sign of trouble: We have to take a step back and look for clues elsewhere.  This may mean getting off one path and onto another. For instance, we may not have direct evidence of wrongdoing, but we can scour the evidence in order to detect patterns that suggest wrongdoing.  Alternatively, we can review the facts to see if we can find any that correlate with what it is we’ve been asked to help prove or disprove.

This is not about making assumptions—we never say that because x exists, therefore y.  Instead, it is about being able to look for solutions that advance our clients’ knowledge, even if they fall short of the ideal solution.  

A sophisticated friend of our firm was in the market for a luxury car and found one for sale via the Internet. His concern was aroused when the seller said she was handling the sale through a company called Escrow Atlantic, an international payments company.

Our friend asked us to look at this company, and the results make for a nice case study in the detection of possible fraud.

We started with the Escrow Atlantic website. It looks professional enough, but we always like to know who has registered an internet domain since that can provide a good clue as to who is behind the operation. Sometimes this is hidden information, but in this case it isn’t. It turns out that by going to Network Solutions’ Who Is registry here, we found that Escrow Atlantic’s site is registered to a man in Florida who has an Italian telephone number. His email address is a hotmail account with the name of a different individual.

None of this is tantamount of a scam, of course, but it’s a little unusual. Why not a company email address? Why an Italian phone number when, according to the company website, the company has no office in Italy?

We pressed on and tried to call Escrow Atlantic, but the toll-free number went to the voicemail of “Escrow Atlantic” (and not a particular person). The numbers for the Florida and Missouri offices went instantly to voicemail, and we were unable to connect with the London number.

A search for a business registration record at the Secretaries of State in Florida and Missouri turned up no record of a company called Escrow Atlantic. Nor was it registered under that name at Companies House in the United Kingdom, where you can do a free search here.

Finally, we emailed the Missouri office of Escrow Atlantic, and here we got quick responses, up to a point. Where is the company registered? We were referred to the website’s contact page with the office addresses and phone numbers. We asked again and were told that Escrow Atlantic is “Registered in the United Kingdom with offices in America and Australia.”

Unfortunately, when we responded that we could find no registration in the UK, the company went quiet on us. Of course, Escrow Atlantic could be a “DBA,” or doing business as – a business name different from the official company name – but it would be easy enough for the company to tell us that.

While we can’t say that Escrow Atlantic is not a reputable company, if it is it could do two things to boost our confidence:

1. Get someone -  anyone - to answer the phone;
2. Provide that most basic of information: the place of incorporation and the name of the company that was incorporated.

The news is out and it’s not good. In fact, it’s downright troubling.  It seems that every day, usually several times a day, there is more and more information available about the dangers of the Internet.  It’s enough to make a Luddite out of even the most devoted technophile.  Here’s a sampling of some of the latest updates on the lack of privacy on the Internet, and threats to personal and financial information:

• Online Tracking is Worse Than We Thought: UC Berkeley Law School recently released its first ever Web Privacy Census, which was aimed at measuring how companies track visitors to their websites. The report confirmed that all the top 100 web sites use cookies to track users and visitors. If that’s not worrisome enough, the study also determined that the use of tracking software on users' computers has doubled in the past year. This is about more than tracking users anonymously to provide targeted advertising—like when you scroll a website for a grill and then you check your email and suddenly see ads for some of the same grills you clicked on from the sites you just visited.  Apparently, companies are just as likely to collect and use personal information in ways that may subject consumers to price discrimination, lowered credit scores and limits, and even identity theft.

• Social Networking Can Be Dangerous: The FBI recently issued a new warning on social networking.  The FBI pointed out that hackers are not only threatening governments—they are also targeting individual users via social networks, exposing the users and their workplaces, if they are online in the office, to great harm.  Hackers either exploit personal connections through social networks or write and manipulate computer code to gain access and/or install unwanted software on personal or company computers or phones. 

• Tweets and Facebook Posts May be Used Against You: The courts continue to weigh in on whether social networking may be used against users who post information on their personal sites.  While the judiciary’s responses vary on a case-by-case basis, so far the trend seems to be that posts on Facebook or tweets may be used as grounds for dismissals from jobs, or even against defendants in criminal or civil cases.

Politicians are paying attention.  Senators and Representatives have introduced a plethora of competing bills and held or plan to hold a number of hearings to discuss how best to protect Internet users.  A good summary of the most recent efforts can be found on the Data Privacy Monitor blog run by the law firm Baker Hostetler.  Issues being addressed include protections to safeguard users’ privacy, requiring greater transparency from companies about how they troll for information from users and what they use that data for, and clearer terms of use that allow consumers to easily opt out of having their time online tracked.  In addition, the National Telecommunications & Information Administration (NTIA) has announced its first meeting to develop a code of conduct in order to uncover how companies that provide apps for mobile devices deal with personal information.

Keeping up with all the changes is daunting, but as we’ve said before, in our entries "The Myth of Online Privacy" and "Fight Hackers With Encryption," there are simple steps you can take to protect yourself.  This article, “How to Keep Your Facebook Profile Private Yet Usable,” written by Dave Copeland details the best ways to protect yourself on Facebook, short of not signing up in the first place. Numerous software programs exist to block tracking data from being stored on your computers.  Creating a clear Internet use policy for your company and making sure your employees understand what is expected of them is also a good plan.

And, as always, doing the bare minimum is crucial: encrypting emails, only using secure Wi-Fi connections and avoiding some of the most common tricks used to activate malware that can log keystrokes or record phone calls.

None of these measures will provide complete protection, but they are good places to start to ensure that you and your company are being proactive about guarding against some of the dangers that lurk online. 

With all the focus on tech IPOs that reward gaming and chatting, it’s nice to see a company dedicated to privacy getting a little of bit of venture cash behind it. With just $1.5 million raised so far, CertiVox is still a tech minnow, but its idea is a solid one: people need to be able to trust that some privacy online is still a possibility.

Remember all that spam e-mail for male enhancement and mysterious lottery winnings? Most people have become wise to the classic spam or phishing schemes, and hackers have stepped up their game. The new tactics are spear-phishing (researching and targeting specific users) and whale-phishing (targeting executives who have access to the most information).

One way this works is for hackers to research their target in the social network, pick one of the target’s “friends” and set up an e-mail account that looks like it belongs to the friend. The target won’t think twice about clicking on the malicious link that comes in from their friend. With this tactic, some hackers seek to simply create mischief, others are targeting corporations.

Recently we wrote about a particularly worrying study on corporate security breaches – think Sony, Lockheed Martin and Citigroup. The data shows that the problem lies largely with employees’ mobile devices and the completely unencrypted transfer of information. People are using Facebook, sending e-mails and clicking on links, all of which results in a public transfer of information that can be intercepted. Hackers bet on our complacency and “that’s just how the internet works” attitude and win every day.

Now comes CertiVox, whose goal is to provide government-grade encryption to corporations and your web browser. Their new (and free) PrivateSky plug-in allows you to encrypt what you do online and show it only to those for whom it’s intended. Your e-mail is no longer an open postcard and your Facebook rants stay private. For corporations, there are more robust solutions for the entire network.

A concern here is that a good encryption product, one that does not allow the product’s creator to see the message, could fall into the hands of criminals. Governments can crack highly sophisticated encryption programs, but at what cost in time and money? If CertiVox gets big enough, will it have to cough up its code to government authorities in order to keep going, as Research in Motion did in India?

While we don’t vouch for CertiVox’s reliability or competitiveness, it’s certainly a step in the right direction that such a company is able to raise cash to keep itself going.

(Photo Credit: Sasha Wolff) 

A chilling story in the Wall Street Journal’s Digits Blog yesterday told us that LinkedIn, Netflix and Foursquare “stored various forms of users’ personal data in plain text on a mobile device, putting sensitive information at risk to computer criminals.”

As if to confirm worst-case scenarios, Citibank then revealed that hackers have accessed the accounts of some 200,000 credit card customers in North America.

Even with a rash of data breaches, encryption is the part of computer security we tend to forget about. We know increasingly that social networking can let too many strangers into our lives and that we should think twice before entrusting anyone with sensitive financial information.

But how many of us encrypt data on our computers? It’s so easy to do, and I would argue that it should become best practice for professionals everywhere. Our firm does so it, so that if our computers were ever stolen thieves would find nothing but encrypted garbage where case files should be. We like the free, open-source Truecrypt program, available here. Other alternatives are available but at a cost.

But what about email? There is plenty of evidence that a deleted email can stick around in many forms on your computer or server even after you hit “delete,” but few think about the dozen servers between your office and the server of the person receiving your email. Both you and the recipient can do whatever you want, but your unencrypted email may be stuck (for years or decades) on multiple servers in multiple countries, all ready to be hacked.

While it’s true that hackers with enough patience and computing power can break many encryption codes, the idea is to raise the cost for criminals even to try.  If you encrypt just the tiny portion of your emails carrying sensitive financial information, you direct a hacker right to your most vulnerable material. If you encrypt thousands of emails, a hacker will give up after working for hours to unveil messages that say “Happy Birthday!” or “Tks, will do.”

Yesterday the U.S. Commerce Department issued its green paper on cybersecurity, but stopped short of recommending encryption of emails. It strikes us that for certain highly sensitive matters encryption of email is worth the trouble. There can be problems with forwarding, and in many cases it makes sense for both sides to have an encryption program. Otherwise, you need to keep the same string of messages going for a non-licensee to benefit from the encryption-licensee’s program.

At the very least, we should all make sure our email accounts have their own passwords. That way if someone looks at your desktop computer at work, your Microsoft Outlook can at least stay locked. Password protection for Outlook can be arranged by setting a password for your Personal Folders File (.pst) within Outlook. You can do this on the File menu under Data File Management.  

We now know that Apple will use next week's Worldwide Developer’s Conference to unveil iCloud, its new cloud storage product. Apple’s first attempt at cloud storage, MobileMe, was such a failure that Steve Jobs publicly tore into the Apple team for tarnishing the company’s reputation. 

It looks like the 2.0 version will probably be getting it right and customers will now be able to share their documents, movies, music and photos from the Apple "cloud" (and by cloud, we mean Apple-owned servers on the ground in fire-proof rooms). Most of Apple's customers will use the company's products without thinking twice about the sensitivity of the information they are handing over. 

That’s a lot of trust that could be misplaced. The risk for any form of cloud computing is that you no longer have exclusive access to your files. Cloud storage by Apple and others sounds economical in terms of hard-drive space saved at your office and used more efficiently by Apple, but cloud computing creates vast opportunities for theft of private information and, as we’ve written before here, there’s no proof that Apple will be able to protect yours. 

For now, speculation has it that iCloud will be used mostly for sharing movies, music and photos. But the plan is also to integrate it into the upcoming iPad and iPhone software iOS 5, creating an operating system that will be able to communicate with the Apple cloud with or without your approval. A further concern is that the very popular apps that define Apple’s devices could be able to transmit information over the new cloud-based system. 

Simply put, your files and information, including location and other personal data, are going to be somewhere in cyberspace, where they stand a chance of being intercepted. Or Apple could just have unlimited access to them. 

This type of information interception has the U.S. Senate taking first steps in formally drafting laws that aim to further protect personal data. In mid-April, Senators John Kerry and John McCain offered a privacy bill that would “strike a balance between consumer advocacy groups and the [tech] industry.” Now that Apple is introducing iCloud to their enormous following, the Senate’s discussion on adequate regulation could not be coming at a better time. 

Although the Kerry/McCain bill is a step in the right direction, a solution from lawmakers will probably take more time than is required for companies, such as Apple, to roll out new products and gather large quantities of sensitive information. 

Two weeks ago, Apple and Google were called to answer growing concerns over privacy practices before Senate lawmakers. Today, executives from both companies responded to questions in a Senate hearing, but did little to alleviate our fears of user tracking.

The tracking of smartphones and their users’ activities is a scary thought.  We know that certain websites use invasive tracking cookies to store user behavior. With smartphones it’s worse. They can do the same thing, but you can’t hide behind an ambiguous IP address – your phone identifies exactly who you are, every time. For example, an iPhone app that uses the device’s GPS feature stores (and probably transmits without your knowledge) any locations you visit – your home, the office, restaurants, your child’s school.

On April 25^th, Minnesota Democrat Al Franken, chairman of a new Senate Judiciary subcommittee focused on technology and privacy issues, wrote to Apple’s Steve Jobs. He asked, “why Apple is collecting the data, how it is generated, why it's not encrypted, and why Apple customers were never affirmatively informed of the collection and retention of their location data.”

At today’s hearing, Apple responded with this: “Apple is deeply committed to protecting the privacy of all our customers,” and said that the company plans to decrease how much personal location information is stored. Later in the day, Apple stated that the collection resulted from a "bug" that was fixed last week and that it has never recorded users' location data. Whether or not Apple is changing its story remains unclear, but the potential for such tracking is already in place. Perhaps Apple does not track users, but it has been found that plenty of popular apps in its store do.  

Aside from promises to stop recording user data, nothing has been done to conclusively address the future of tracking practices, despite Apple's fixing of a mysterious "bug" and continued monitoring of apps in its App Store, according to the Wall Street Journal. Apple does not currently require apps to display privacy policies and developers of third-party software are free to do what they like with our data. This is a serious privacy issue, one that may be news to most users, and, as Franken further states, “our federal laws do far too little to protect this information.” 

Protecting Yourself from the Internet.

It’s time to face it: the internet is watching you. Have you ever noticed that if you search for a product online or if your e-mail inbox has a purchase confirmation that the advertising on certain pages reflects your preferences? For example, don’t be surprised to see advertising for Cabela’s or Sports Authority if you’ve recently bought sporting goods online.

Internet marketing and search engine optimization companies have capitalized on unique user input online and have worked diligently to produce user-specific, targeted advertising. While these forms of advertising may at first appear harmless, the real truth is that these acts and practices reach far further than behavior-based advertising and are monitoring your online activity every day.

Search engines and their affiliates are fully within their rights to monitor and evaluate the queries processed by their service. What marketer wouldn’t want to see the 10 most popular searches in the U.S. every year?

But it starts to become creepy when websites upload tracking cookies onto your computer. This usually happens without your knowledge and is disguised by the cookies that are actually beneficial, the ones that help websites load faster. Quite simply, these tracking cookies take your browsing history and navigation preferences and send them home to the third-party. Tracking cookies are not the well-known Trojan viruses and do not transmit keystrokes, but imagine this: the tracking cookie reports your search history and your IP address while you happen to be logged into Facebook. The third-party now knows exactly who you are and what you searched for. It’s up to the users to decide whether this practice is simply a nuisance or one that infringes on their online privacy.

Google is planning a new feature in their searches – the ability for users to “+1” a search result, indicating approval. It’s comparable to the “Like” button. Google isn’t even bothering to hide the fact that this “+1” feature will probably allow them to construct an even more accurate profile of who you are.

The good news is that the fight against tracking like this is gaining momentum.

You may have seen the most recent upgrades rolled out by popular internet browser developers. Yahoo, Mozilla and Microsoft have all implemented a “stop tracking me” feature in their latest browser versions.

To really free yourself from tracking requires doing more, according to Jonathan Mayer, principal researcher of Stanford’s Do Not Track.Us Project. While various blocking methods can disable or inconvenience your browsing of favorite pages, Stanford’s project adds a line of code to any piece of data transmitted from your computer in a tracking attempt, indicating that the user does not wish to be tracked. Mozilla and Microsoft have adopted the technology in their latest browsers, and Stanford’s goal is to have the FTC formally enforce this.

Telemarketers annoyed the U.S. public to a breaking point and the Do Not Call Registry was created. The issue of online tracking is boiling and it’s a matter of time before the people start to demand government regulation. Until then, here are some tips:

• Research the issue to familiarize yourself with how you are being tracked. Start with The Electronic Frontier Foundation’s section on Online Behavioral Tracking.
• Download the latest version of popular browsers and use their built-in Do Not Track feature. Mozilla Firefox 4.0 and Internet Explorer 9.
• Always clear your search history and wipe your browser cookies. This can be done in your browser, but best if paired with more effective software. We suggest the proven, reliable and free Piriform CCleaner. 

“Google has become a jungle” says The Wall Street Journal. After coming under widespread attack regarding the relevancy of its search results, it’s now common knowledge that Google searches often bring up not what are necessarily the best sources for a particular search but sites ranked highly for commercial reasons.

The truth is that Google generates its hefty revenues through advertising programs. The more you pay, the higher you go on the list of results. As Google’s inner workings become better known to the public, it’s easier to see that Googling is not the “end-all” of searching online.

Says the Wall Street Journal,

Almost every search takes you to websites that want you to click on links that make them [spammers and marketers] money, or to sponsored sites that make Google money. There’s no way to do a meaningful chronological search. 

For most of us who are online but not shopping, relevant or useful information is available on more than just commercially successful sites. What if a user wants to find some information about an emerging company that Google happened to place on page eight of the search results? It can sometimes make sense to skip to page eight of a Google search if you don’t see what you want on pages one or two.

Google constantly updates its complex (and secret) search algorithm. Minor tweaks result in barely noticeable differences, but larger changes are dramatically affecting rankings of sites that rely on Google for their traffic. On such change happened recently when Google targeted two online retailers – Overstock and JCPenney, attempting to game the algorithm and boost their rankings. Google banished them to later pages in search results. Changes that target “cheaters” sometimes end up hurting honest, quality sites, too. But, as Google’s head of anti-spam says – “No algorithm is 100% accurate.”

Despite the overwhelming market share Google holds, it’s now evident that better information could be out there and getting to it could require changing search strings or sifting through 10 pages of results.  

A start-up search engine that’s currently in the beta-stage of shaking things up is called “Blekko.” The concept behind their search is similar to the “like” button on Facebook. If users find the page valuable, they click a “like” button and Blekko ranks it higher. With so much ruthless spamming present online, it’s not likely that Blekko will turn the idea into a foolproof system. But if there was a way, our internet could be delivered pre-approved by an overwhelming majority. Online content delivery could turn into more of a democracy, instead of Google calling the shots.

Tips for smart Google searching:

• Change your search string. Word order matters on Google
• Search again a few hours later. Search results change all the time
• Pay attention to time frame. Google can limit search results to a specified period.
• Limit your search to particular document formats. You can call up only pdf’s, Excel spreadsheets, or documents on a server with a .edu suffix.
• Use advanced search to remove unwanted words
• Search within particular domain. John smith site:harvard.edu searches for John Smith only within the Harvard University domains.