<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Law Enforcement</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx</link><description>Tags: Law Enforcement</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>COFEE now distributed via a NW3C as well</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/16/cofee-now-distributed-via-a-nw3c-as-well.aspx</link><pubDate>Fri, 16 Oct 2009 09:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287248</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287248.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287248</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287248</wfw:comment><description>&lt;P&gt;COFEE is a tool available to Law Enforcement only to capture online evidence with as little training as possible. The idea behind the tool is that there is little need for highly trained staff to be available during e.g. house searches and that a normal, much less trained officer can capture all the data. Until today, Interpol was the only channel for distribution. Now, &lt;A href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx" target=_blank&gt;the US National White Collar Crime Center is the second organization able to distribute it&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;If you are a Law Enforcement Agency/Officer and want access to the tool, you may contact Interpol or NW3C.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3287248" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Download Pirated Copies – and you will be banned from the Internet</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/13/download-pirated-copies-and-you-will-be-banned-from-the-internet.aspx</link><pubDate>Wed, 13 May 2009 02:31:10 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3240007</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3240007.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3240007</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3240007</wfw:comment><description>&lt;p&gt;This is a very tough legislation: France just agreed on a new Internet Piracy Bill. 
If you violate piracy laws three times, you will be banned from the Internet for up to a year: &lt;a title="http://www.webpronews.com/topnews/2009/05/12/france-approves-internet-piracy-bill" href="http://www.webpronews.com/topnews/2009/05/12/france-approves-internet-piracy-bill"&gt;http://www.webpronews.com/topnews/2009/05/12/france-approves-internet-piracy-bill&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Interesting approach&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3240007" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Piracy/default.aspx">Piracy</category></item><item><title>Europol High Tech Crime Experts Meeting 2008</title><link>http://blogs.technet.com/rhalbheer/archive/2008/12/11/europol-high-tech-crime-experts-meeting-2008.aspx</link><pubDate>Thu, 11 Dec 2008 15:22:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3166831</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3166831.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3166831</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3166831</wfw:comment><description>&lt;P&gt;I recently had the great opportunity to join the Europol High Tech Crime Experts Meeting 2008 in Den Haag. This is mainly a get-together of the High Tech Crime leads of the EU Law Enforcement agencies and of countries with which they have a close relationship (e.g. Switzerland, Norway, Canada etc). Additionally there are a few private sector companies invited.&lt;/P&gt;
&lt;P&gt;This shows to me the commitment of Law Enforcement to work closely together with the private sector to fight cyber crime – and this is what you really feel if you are there.&lt;/P&gt;
&lt;P&gt;Here you see the corresponding press release: &lt;A href="http://www.europol.europa.eu/index.asp?page=news&amp;amp;news=pr081208.htm"&gt;High Tech Crime Experts Meeting 2008&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3166831" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category></item><item><title>Lottery Scams – One of the Biggest Threat to End Users</title><link>http://blogs.technet.com/rhalbheer/archive/2008/11/05/lottery-scams-one-of-the-biggest-threat-to-end-users.aspx</link><pubDate>Wed, 05 Nov 2008 20:41:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3148022</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3148022.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3148022</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3148022</wfw:comment><description>&lt;p&gt;&lt;a target="_blank" href="http://www.microsoft.com/protect/yourself/phishing/lottery.mspx"&gt;&lt;img style="margin: 0px 15px 0px 0px; display: inline" align="left" src="http://blogs.technet.com/photos/rhalbheer_gallery/images/3147867/original.aspx" /&gt;&lt;/a&gt; I just want to tell you that I will retire. Yes, sure! I just won twice in a lottery. I just have to make sure that all the taxes and insurance policies are paid…&lt;/p&gt;  &lt;p&gt;You know them as well, don’t you? The mails you get to tell you that you won in a lottery (maybe from Microsoft). 
From what we know, this is one of the biggest growing types of Internet fraud today and guess what – I am expecting this to grow even more with the economic downturn, as people tend to want to believe in such things as soon as money becomes a little bit tighter.&lt;/p&gt;  &lt;p&gt;When I talk about that I often hear statements like “you have to be very naive to get tricked into this”. Honestly, today we know that this is not true! We just did a survey and asked approx. 5’000 people in UK, Germany, France, Italy, Spain, The Netherlands and Denmark and this led to some pretty interesting results:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;113 or one in 44 said they had lost money to an Internet scam. Let’s repeat that: one out of 44! If you are a marketer and are running a direct mailing campaign, you will probably be the marketing person of the year if you have this number of people coming back to you. This is highly “successful”. &lt;/li&gt;    &lt;li&gt;The losses range from €100 to €7’000 &lt;/li&gt;    &lt;li&gt;16% (800) of people who receive lottery scams open some of them and 14% of them send replies &lt;/li&gt;    &lt;li&gt;There is a big difference in attitudes and awareness level between the countries – for example this ranges from 32% thinking at least some are genuine (Denmark) to 7% (United Kingdom); however, across the countries represented 56% of the respondents claim that the scams look professional &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, do not tell me that 32% of Danish people are naive or stupid. It is often just the professional way these scams look.&lt;/p&gt;  &lt;p&gt;That’s the reason why we announced a coalition with Yahoo!, Western Union and African Development Bank to fight lottery scams. This coalition has two goals:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Drive awareness amongst our customers so that they understand that a lottery you never participated in will be a scam and the goal is to make you lose money! 
&lt;/li&gt;    &lt;li&gt;Collect enough intelligence to help Law Enforcement to go after the criminals. We know that in most of the cases the loss is too low to go after the criminals. So, we encourage all the victims to report to Law Enforcement. In order to prepare Law Enforcement to cope with the information, Interpol prepares them and informs them about this campaign. Interpol will help national Law Enforcement as well to collect all the needed information. In addition we encourage victims to send the case to the respective “organizer” of the lottery. We then individually compile the information to intelligence which will then help Law Enforcement to go after the criminals. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, if you want to know more about this type of scam, either click on the picture above or &lt;a target="_blank" href="http://www.microsoft.com/protect/yourself/phishing/lottery.mspx"&gt;this link here&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;If you are a victim of a “Microsoft Lottery” and filed your case with Law Enforcement, please report it to us:&lt;/p&gt;  &lt;p align="center"&gt;&lt;a target="_blank" href="http://www.microsoft.com/security/lottery/default.mspx"&gt;&lt;img src="http://blogs.technet.com/photos/rhalbheer_gallery/images/3147869/original.aspx" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Thank you    &lt;br /&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3148022" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Hacker arrested for Video Giving Tips for ATM 
Skimmers</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/31/hacker-arrested-for-video-giving-tips-for-atm-skimmers.aspx</link><pubDate>Fri, 31 Oct 2008 16:11:28 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3145226</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3145226.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3145226</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3145226</wfw:comment><description>&lt;p&gt;It will be interesting how you see it. When I blogged on &lt;a href="http://blogs.technet.com/rhalbheer/archive/2008/09/22/suspended-jail-for-hacking-tutorial-in-france.aspx"&gt;Suspended Jail for Hacking Tutorial in France&lt;/a&gt;, I got quite some negative feedback like “do you have nothing better to do than to go after these guys”, “why should it be illegal to publish such a tutorial” etc. So, where do you draw the line? I think I was clear about that in my last post and here again: If you have a clear tutorial to commit a criminal activity, this should be punished.&lt;/p&gt;  &lt;p&gt;Now, a Turkish hacker was arrested because he published a video with a lot of tips how to skim ATMs: &lt;a href="http://www.scmagazineus.com/Turkish-hacker-arrested-by-FBI-made-video-giving-tips-for-installing-ATM-skimmers/article/120035/"&gt;Turkish hacker arrested by FBI made video giving tips for installing ATM skimmers&lt;/a&gt; – is this now going too far as well for you? 
What about your bank account :-) ?&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3145226" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category></item><item><title>Why I do not like e-voting (part 3)</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/05/why-i-do-not-like-e-voting-part-3.aspx</link><pubDate>Sun, 05 Oct 2008 14:24:30 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3132480</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3132480.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3132480</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3132480</wfw:comment><description>&lt;p&gt;It goes on and on and on: Read this one &lt;a href="http://www.freedom-to-tinker.com/blog/appel/judge-suppresses-report-voting-machine-security"&gt;Judge Suppresses Report on Voting Machine Security&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3132480" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Armored truck robber uses Craigslist to make getaway</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/05/armored-truck-robber-uses-craigslist-to-make-getaway.aspx</link><pubDate>Sun, 05 Oct 2008 14:17:07 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3132479</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3132479.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3132479</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3132479</wfw:comment><description>&lt;p&gt;This is really clever (sounds like Hollywood but it seems to be real):
&lt;/p&gt;&lt;p&gt;In a move that could be right out of a Hollywood movie, a brazen crook apparently used a Craigslist ad to hire a dozen unsuspecting decoys to help him make his getaway following a robbery outside a bank on Tuesday. He then made his escape in an inner tube on the Skykomish River.
&lt;/p&gt;&lt;p&gt;Read for yourself &lt;a href="http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating_escape_TP.ce3930c1.html"&gt;here&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;:-)
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3132479" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Suspended Jail for Hacking Tutorial in France</title><link>http://blogs.technet.com/rhalbheer/archive/2008/09/22/suspended-jail-for-hacking-tutorial-in-france.aspx</link><pubDate>Mon, 22 Sep 2008 22:20:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3126936</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3126936.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3126936</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3126936</wfw:comment><description>&lt;p&gt;This is pretty remarkable from my point of view: In 2005 our Forensic team together with our Investigators obtained the identification and arrest of M. Jean-Charles S. for the illegal distribution of a hacking tutorial against MSN Hotmail and MSN Messenger users. On June 12, 2008 the Tribunal Correctionnel (criminal court in France) sentenced this person with the following sanction (we announced that on September 17&lt;sup&gt;th&lt;/sup&gt;):
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;6 months of suspended jail;
&lt;/li&gt;&lt;li&gt;300 Euros in fine
&lt;/li&gt;&lt;li&gt;5 000 Euros in damages 
&lt;/li&gt;&lt;li&gt;750 Euros in procedural costs 
&lt;/li&gt;&lt;li&gt;Confiscation of the computer
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Initially, in the first hearing the defendant was not present and he got the same sanctions with a fine of 8000 Euros. As he realized that this was becoming serious, he asked to be heard again and finally obtained a smaller fine which reflects his financial capabilities.
&lt;/p&gt;&lt;p&gt;This is actually the first time I heard about something like that but it is a very good step towards a safer internet on the enforcement side as well.
&lt;/p&gt;&lt;p&gt;An article was initially published at PCinpact (in French – if you are in IE 8 Beta, right click and translate :-)):
&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.pcinpact.com/actu/news/46109-avocat-tutorial-MSN-piratage-messenger.htm"&gt;http://www.pcinpact.com/actu/news/46109-avocat-tutorial-MSN-piratage-messenger.htm&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.pcinpact.com/actu/news/46070-pirateg-hacking-MSN-hotmail-diffusion.htm"&gt;http://www.pcinpact.com/actu/news/46070-pirateg-hacking-MSN-hotmail-diffusion.htm&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger &lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3126936" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category></item><item><title>How to circumvent Privacy Laws</title><link>http://blogs.technet.com/rhalbheer/archive/2008/08/20/how-to-circumvent-privacy-laws.aspx</link><pubDate>Wed, 20 Aug 2008 10:10:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3108868</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3108868.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3108868</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3108868</wfw:comment><description>&lt;p&gt;As you all know, most jurisdictions allow individuals to ask for data collected by an organization (be it a company or a governmental organization). A lot of countries have Data Protection Commissioners that look into what companies and more often governments do with regards to PII (Personal Identifiable Information). After 9/11 the United States forced airlines to violate the local Privacy Legislation as the airlines had to – if they wanted to fly to the US – deliver PII to the US (mainly information in the Passenger Name Record), which then had to be accepted by the Data Protection Commissioners as they would kill the airline business if the airlines were not allowed to do so. So, the US seems to have the power to make companies violate the laws – the background is the fight against terrorism.
&lt;/p&gt;&lt;p&gt;Now they even go a step further by circumventing their own legislation: According to Federal Computer Week (&lt;a href="http://www.fcw.com/online/news/153543-1.html"&gt;Analysis tool exempt from some privacy laws&lt;/a&gt;) the DHS developed a system to collect and analyze data collected by immigration and customs. Even worse, they seem to correlate data from different sources: DHS-internal sources as well as commercial databases. The key point is that they decided to exclude this system from several Privacy Acts. Therefore you will not be able to look into the data they collect and make sure it is accurate. If the article mentioned above is correct, it really scares me. Look at that:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;The information contained by ICEPIC can include names, dates of birth, phone numbers, addresses, nationalities, fingerprints, photographs, a person's immigration history and alien registration information, according to DHS. Agents and analysts can also use commercial databases to verify or resolve any gaps in ICEPIC data.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;So, they start to analyze and if some data points are inaccurate there is no way for you to know and most probably no way for you to make them correct it – scary, isn't it?
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3108868" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Terrorism/default.aspx">Terrorism</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Privacy/default.aspx">Privacy</category></item><item><title>Analysis of the Estonian Attacks</title><link>http://blogs.technet.com/rhalbheer/archive/2008/05/21/analysis-of-the-estonian-attacks.aspx</link><pubDate>Wed, 21 May 2008 19:25:01 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3058679</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3058679.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3058679</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3058679</wfw:comment><description>&lt;p&gt;I just read a paper on the political analysis of the Estonian Attack. If you are interested in reading my post on my other blog (as the analysis is not really technical but interesting) there you go: &lt;a href="http://www.halbheer.info/security/Lists/Posts/Post.aspx?ID=46"&gt;Analysis of the Estonian Attacks&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3058679" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Terrorism/default.aspx">Terrorism</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category></item><item><title>Support for Law Enforcement and COFEE</title><link>http://blogs.technet.com/rhalbheer/archive/2008/05/14/support-for-law-enforcement-and-cofee.aspx</link><pubDate>Wed, 14 May 2008 17:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3055083</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3055083.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3055083</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3055083</wfw:comment><description>&lt;P&gt;Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor. &lt;/P&gt;
&lt;P&gt;Let me give you some information on COFEE and put it into the proper context. &lt;/P&gt;
&lt;P&gt;I am personally convinced that every company has its obligation to work towards making the Internet a safer place. Amongst other things, this means a close collaboration with Law Enforcement. &lt;/P&gt;
&lt;P&gt;Let's face it: &lt;STRONG&gt;Most of security is about crime prevention!&lt;/STRONG&gt; &lt;/P&gt;
&lt;P&gt;Now, Microsoft has a team internally working with Law Enforcement running &lt;A href="http://www.microsoft.com/mscorp/safety/legislation/default.mspx"&gt;different programs&lt;/A&gt;: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Anti-Phishing Efforts: You know of the Internet Explorer 7 Phishing Filter. Additionally we are a founding member of the &lt;A href="http://www.digitalphishnet.org/"&gt;Digital Phishnet&lt;/A&gt;. &lt;/LI&gt;
&lt;LI&gt;Anti-Spam Efforts: Again, besides technology we have been a leader in promoting &lt;A href="https://www.signal-spam.fr/english/index.php/frontend"&gt;Signal Spam&lt;/A&gt;, a unique public/private partnership in Europe and probably in the world. &lt;/LI&gt;
&lt;LI&gt;Legislative Efforts: One of the key challenges in fighting cybercrime is that most of the cases are international but the law internationally is not harmonized. Therefore we joined, together with other industry partners, the &lt;A href="http://www.coe.int/"&gt;Council of Europe&lt;/A&gt; to support their efforts on harmonization of legislation. &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/industry/publicsector/government/programs/CETsabout.mspx"&gt;CETS (Child Exploitation Tracking System)&lt;/A&gt;: CETS is actually a tool we developed jointly with the Canadian police to help to track child exploitation cases across a country. From our perspective, we give the software itself away for free and the police only has to pay for the basic implementation cost. &lt;/LI&gt;
&lt;LI&gt;Training: All across the globe we are training Law Enforcement Officers in different technological themes. We do this either in a partnership with the local or national Law Enforcement agency or Interpol and Europol. We do this for free. Similar trainings we do for judges and prosecutors. &lt;/LI&gt;
&lt;LI&gt;LE Tech: Approximately once every other year we hold a conference in Redmond called LE Tech. This is a technical conference completely shaped to the needs of Law Enforcement Officers. &lt;/LI&gt;
&lt;LI&gt;And a lot more. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Let's come back to COFEE: During LE Tech, a conference in Redmond we organized for Law Enforcement organizations from around the world, we invited a few journalists to some of the sessions. As a result a story appeared in The Seattle Times called &lt;A href="http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html"&gt;Microsoft device helps police pluck evidence from cyberscene of crime&lt;/A&gt;. In my opinion, there was a very good quote, attributed to Brad Smith &lt;EM&gt;(Microsoft Senior Vice President and General Counsel)&lt;/EM&gt;, on the programs above: &lt;EM&gt;"These are things that we invest substantial resources in, but not from the perspective of selling to make money," Smith said in an interview. "We're doing this to help ensure that the Internet stays safe."&lt;/EM&gt; &lt;/P&gt;
&lt;P&gt;The target audience for COFEE is a forensic investigator with very limited knowledge of IT forensics. There are many standard forensic tools that law enforcement officers routinely use to capture information from a computer for analysis. In most investigation scenarios these tools have to be used to extract information at the scene of an investigation as powering down the computer could lead to loss of data and potential evidence. &lt;/P&gt;
&lt;P&gt;The COFEE tool automates many of these existing tools and delivers them via a thumb drive, making it quick and easy to use in an investigation scenario – as stated above – for the investigator with very limited knowledge of IT forensics. &lt;/P&gt;
&lt;P&gt;I have seen and heard a lot of inaccurate information about what COFEE is and does, so wanted to spend some time addressing these misconceptions: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;COFEE is in Beta stage today &lt;/LI&gt;
&lt;LI&gt;Use of COFEE is strictly restricted to law enforcement organisations who can only use it within the parameters of national legal frameworks, such as a search warrant or any other valid judicial order. &lt;/LI&gt;
&lt;LI&gt;COFEE can only be used with physical access to a machine! No, absolutely no, remote capabilities. &lt;/LI&gt;
&lt;LI&gt;
&lt;DIV&gt;COFEE does not do anything that cannot already be done by using a range of tools already available to law enforcement. The only difference is that it automates those tools, making them quicker and easier to use in an investigation scenario. There is no magic. COFEE does not access a "secret backdoor into Windows" (because such a thing does not exist), and it does not circumvent Bitlocker. It automates standard forensic tools via a USB storage device to enable law enforcement to access information on a live Windows system. &lt;/DIV&gt;
&lt;P&gt;The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab. &lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So I hope I have been able to show that Microsoft is committed to helping address cybercrime and that our collaboration with law enforcement organisations is an important element of that. &lt;/P&gt;
&lt;P&gt;Roger &lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3055083" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item><item><title>What is more important: Security or Privacy?</title><link>http://blogs.technet.com/rhalbheer/archive/2008/01/17/what-is-more-important-security-or-privacy.aspx</link><pubDate>Thu, 17 Jan 2008 10:40:50 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2753904</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2753904.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2753904</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2753904</wfw:comment><description>&lt;p&gt;This is basically a very interesting and pretty fundamental question for the society. After 9/11 the US changed the way they work significantly. Just as an example: Airlines had to give the US government information about passengers flying to the US that actually violate the privacy laws in Europe. So, the decision had to be made: Either you violate the laws or you do not fly to the US anymore… What do you do now? Well, the Data Protection Officers actually had to give in.
&lt;/p&gt;&lt;p&gt;So, if you look at it from a broader perspective: It is pretty natural that National Intelligence as well as Law Enforcement is looking for as much information as possible to fight crime. And I guess that successful Law Enforcement and Intelligence Services are something we all would like to have – we want them to protect us. But what are we willing to pay? How far are we letting them invade our privacy? This is the key question and something there is no one answer for.
&lt;/p&gt;&lt;p&gt;If you look at this article &lt;a href="http://www.itnews.com.au/News/NewsStory.aspx?story=68206"&gt;US spy chief puts security over privacy&lt;/a&gt; compared to the comment I made in &lt;a href="http://blogs.technet.com/rhalbheer/archive/2008/01/16/2-year-old-terrorist.aspx"&gt;2-year old terrorist&lt;/a&gt;, it really scares me. I see the dilemma we are in – no doubt. And to be completely honest: I am not sure how far I want to let my privacy go for the sake of my security. I am living in a very safe and secure country – in Switzerland. However, I know that the National Police has to work hard to keep it that way. So probably it is as always: As long as nothing happens to me personally, I fight for Privacy. As soon as something happens, I want as much Security as possible.
&lt;/p&gt;&lt;p&gt;A problem we all know, don't we: Nobody wants to pay for security but as soon as something happens…
&lt;/p&gt;&lt;p&gt;Your view?
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2753904" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Terrorism/default.aspx">Terrorism</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category></item><item><title>Nigeria: I told you they are serious</title><link>http://blogs.technet.com/rhalbheer/archive/2007/12/13/nigeria-i-told-you-they-are-serious.aspx</link><pubDate>Thu, 13 Dec 2007 13:52:23 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2642599</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2642599.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2642599</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2642599</wfw:comment><description>&lt;p&gt;Remember my blog post where I told you not to forget countries like Nigeria (&lt;a href="http://blogs.technet.com/rhalbheer/archive/2007/11/23/i-was-visiting-nigeria-watch-out.aspx"&gt;I was visiting Nigeria – watch out!&lt;/a&gt;)? They really seem to be serious. In the last few weeks we had some troubles getting hold of the head of EFCC (I will tell you more in a week) and now, we have at least some suspicion why: &lt;a href="http://news.bbc.co.uk/2/low/africa/7141047.stm"&gt;Nigerian ex-oil governor arrested&lt;/a&gt;
&lt;/p&gt;&lt;p&gt;Corruption is probably one of the biggest problems most of the developing countries have, and therefore I congratulate any efforts to fight corruption in these systems. BTW, we have a hard and clear policy that we do not bribe – never ever. If you lose a deal because you did not bribe, too bad. If you are bribing – you are fired. We do not support any illegal activities.
&lt;/p&gt;&lt;p&gt;Roger &lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2642599" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category></item><item><title>Pricelist for Cybercriminals</title><link>http://blogs.technet.com/rhalbheer/archive/2007/11/02/pricelist-for-a-cybercriminals.aspx</link><pubDate>Fri, 02 Nov 2007 19:05:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2313311</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2313311.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2313311</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2313311</wfw:comment><description>&lt;P&gt;Remember &lt;A href="http://blogs.technet.com/rhalbheer/archive/2007/08/23/the-economy-of-cyber-crime.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2007/08/23/the-economy-of-cyber-crime.aspx"&gt;Economy of Cybercrime&lt;/A&gt;? I hope so! There I made the statement that Cybercrime has to pay off. &lt;/P&gt;
&lt;P&gt;On Zone-h today they summarized research from G DATA with the title &lt;A href="http://www.zone-h.org/content/view/14890/30/" mce_href="http://www.zone-h.org/content/view/14890/30/"&gt;How much can cyberterrorist get&lt;/A&gt;? In there you see how much you have to pay for which "service". This is a pretty good income: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Doing simple math - working for just 20 hours per month, on 20 orders, a spammer can send over 400 million messages and without much effort he could earn around 7000 euro. If that wasn't enough, you can get 10 million e-mail addresses for just 100 euro. The same goes for PayPal accounts, credit card numbers and internet game accounts. &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2313311" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category></item><item><title>Fighting Spam Internationally</title><link>http://blogs.technet.com/rhalbheer/archive/2007/10/10/fighting-spam-internationally.aspx</link><pubDate>Wed, 10 Oct 2007 12:29:57 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2146457</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2146457.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2146457</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2146457</wfw:comment><description>&lt;p&gt;There are different ways how to deal with Spam. 
&lt;/p&gt;&lt;p&gt;One is to eat it (yes, I know it is an old joke but I still like it…) – see the "&lt;a href="http://www.spam.com/"&gt;official SPAM website&lt;/a&gt;" :-)
&lt;/p&gt;&lt;p&gt;When it comes to e-mail SPAM, the problem is different: Most of the ISPs today are using technical means (say: SPAM Filter), the users do the same and finally, if the SPAM nevertheless reaches the mailbox, the user gets angry and simply deletes the SPAM-mail. This is a pretty expensive process on all sides.
&lt;/p&gt;&lt;p&gt;Do you remember the blog I wrote about the "&lt;a href="http://blogs.technet.com/rhalbheer/archive/2007/08/23/the-economy-of-cyber-crime.aspx"&gt;Economy of Cybercrime&lt;/a&gt;"? It comes down to the question of what the economic view on SPAM looks like: There still seem to be a lot of people who are tricked by these mails and actually do the business the Spammer promotes. So, the monetary value of spamming looks pretty good – otherwise they would have stopped anyway, wouldn't they? Let's have a look at the cost-side for the spammer: technically there is more cost involved in sending Spam than there was a few years ago. A few years ago you could send mail through a lot of open mail relays – today you have to use botnets, which you often have to pay for. Additionally the Spam filters are getting better and better as well. Nevertheless, the cost on the industry and user side to get rid of it is significant.
&lt;/p&gt;&lt;p&gt;What about the risk of being caught and convicted? Well, it is pretty low due to two facts: In certain countries, spamming is not illegal at all. In other countries, the ISP cannot open a case against a spammer – we need the user to actually send the spam in and complain.
&lt;/p&gt;&lt;p&gt;This is the reason why we support two initiatives in this respect:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Spotspam&lt;/strong&gt; is an initiative which facilitates &lt;em&gt;legal action against spammers at the international level&lt;/em&gt;. This is more than needed as there are close to no spam cases that remain within one single country. If you want to know more about Spotspam, you should visit their website &lt;a href="http://www.spotspam.net/index.html"&gt;http://www.spotspam.net/index.html&lt;/a&gt;.
		&lt;/li&gt;&lt;li&gt;Another initiative is coming from France. In France we need the end-user to complain about the Spam – but who does this? It is easier to just delete the mail – isn't it? Signal Spam is a platform that allows the user to easily send received spam back to the ISP who can then start to take legal action. This is a very interesting project in my opinion which could (or even should) be replicated in other countries as well. See their website: &lt;a href="http://www.signal-spam.fr/en/index.php/frontend"&gt;http://www.signal-spam.fr/en/index.php/frontend&lt;/a&gt;. I just found an &lt;a href="http://www.pcworld.com/article/id,138120-pg,1/article.html"&gt;article today on PCWorld written by Jeremy Kirk, IDG&lt;/a&gt; and I like the comments that were put to the article at the end.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Finally, it comes down to the same conclusion as with Cybercrime in general: We have to work together to make them pay – and by "pay" I do not necessarily mean money, I mean legal actions. We have to work closely with Law Enforcement in order to catch them and make sure the spammers get what they deserve.
&lt;/p&gt;&lt;p&gt;Roger
&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2146457" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category></item></channel></rss>