August 2008 Archives

Authorities in Delaware recently reported that a woman from North Carolina tried to kidnap her former virtual boyfriend, who lives in Delaware. Although their relationship was born in Second Life, the most famous virtual world, the attempted kidnapping happened in the real world.

The story, which was reported by CBS 3 in Claymont, Delaware, was receiving major coverage in cyberspace over the weekend. The referenced story includes video reporting from the scene. Here's an excerpt:

"The pair apparently met online in "Second Life." A virtual relationship began between the victim, whose character was a Lion, and Jernigan, whose online persona was said to be a virtual woman. When the two met in reality several months ago, police said the victim ended the relationship, sending Jernigan into a downward spiral.

In the beginning of August, Jernigan allegedly drove to the victim's Pennsylvania workplace and attempted to kidnap him at gunpoint. While she was unsuccessful, she returned two weeks later to track down the victim's Delaware address."

Why do I mention this story? There is a growing debate online regarding the real-life relevance of actions that occur in cyberspace. On one side are those who view virtual worlds as fun playgrounds where actions don't count in the real world, at least in terms of the law. In many circumstances this makes common sense, such as when people play games like Grand Theft Auto. Take for example this article entitled "Do Real World Laws Apply in Virtual Worlds?" from earlier this year, which quotes many legal scholars:

"... the law, in most cases, pertains only to physical acts, not virtual ones. Thus, virtual theft, virtual murder and virtual rape are quite different under the law than real theft, murder and rape -- no matter how upset it makes the "victim." In most cases, Kerr concludes, the real world law would not be applicable." 

On the other side are those who say "not so fast." Consider the Business Week article "Virtual Exchanges Get Real," in which "Linden Dollars" were stolen from Second Life stock exchanges. So what's the problem? Linden Dollars can be exchanged for real dollars, just like British pounds or euros, and in this case the equivalent of $10,000 was missing.

Meanwhile states like Missouri have set up offices in Second Life where avatars represent real workers recruiting real people for real jobs in the real world. Companies like IBM have set up virtual headquarters online and meet with real-world customers in a variety of ways. This is clearly more than just a big game. There are huge advantages and big wins for governments who enter into virtual worlds, but who makes the rules? More importantly, how are they enforced?

These are just a few of the tough questions that will need to be answered in the coming years as virtual worlds and the real world merge in new ways. One thing is clear to me: just as this woman tried to kidnap her ex-virtual boyfriend, more and more activities happening in virtual worlds will spill over into real life, and vice versa. Recent reactions of shock to this incident will seem strange to people five or more years from now.

In my view, virtual world actions do count in the real world - whether all of the laws count or not. Our character, reputations and relationships can be helped or put at risk by online actions - just like your "Google rep."

No doubt, much of what is going on in cyberspace is just for fun and games, but increasingly we're discussing serious virtual business issues with real consequences. Virtual integrity is linked to real-world integrity in more ways than most currently realize.

What's your opinion?     


Hacking the Boston Subway

Three college students from the Massachusetts Institute of Technology (MIT) were ordered on Thursday to keep quiet on how they developed the ability to hack into the Boston subway system's payment system and add hundreds of dollars to their payment cards. A federal judge issued a gag order to prevent the students from revealing the security holes they found.

The Associated Press described the situation in detail in weekend newspapers, but this story was overshadowed by the Olympics. Here's an excerpt:

The basic details of the vulnerabilities in the Massachusetts Bay Transportation Authority's two primary payment cards -- CharlieCard and CharlieTicket -- are already floating around the Internet.

Those details were released prior to the students' planned talk last weekend at the DefCon hacker conference in Las Vegas. Electronic copies of the students' 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the transit agency filed its lawsuit. The MBTA sued the students and won a restraining order after the agency said it needed time to fix the problems. The students and conference organizers then canceled the talk. 

Another hearing is scheduled for Tuesday to decide if the students can release parts of their findings.

Meanwhile, Internet blogs are full of commentary (both pro and con) regarding freedom of speech and whether the students should have revealed their hacking techniques. PC World started blogging on this topic last Wednesday.

Here's part of what they are writing: The complication comes down to one basic question: Should the students have given their full presentation to the MBTA in advance? The MBTA, for its part, now tells CNET News that the group agreed to do just that -- but never did.

The students tell a different story. Responding via the Electronic Frontier Foundation, the students say they had met with the MBTA and "understood that concerns were resolved." 

More details surfaced Friday from ZDNet's Richard Koman, who states:

The essence is that MBTA itself included the MIT students' confidential report (PDF) to MBTA on their security weaknesses as an exhibit in their complaint and it is now a public document.

The students identify the problems:

  • Value is stored on card not in a central database
  • Anyone with a card can read and write to it
  • No crypto signature algorithm
  • No centralized card verification   
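The four weaknesses above map directly onto a small stored-value simulation. The block below is an added example, not the students' code and not anything from the MBTA: a "card" is modelled as a bytearray that any reader can read or write, the naive layout keeps the balance in plaintext so an attacker with a writer simply sets it, and the hardened layout adds an HMAC-SHA256 tag over (card id, balance, counter) under a hypothetical issuer key plus a central ledger of the highest counter seen per card. The ledger is what catches the attack a signature alone cannot: restoring a dump of an older, still validly signed card image. The key, byte layout, ledger and card id are all assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed model: a contactless card is a small block of rewritable memory
# that any reader can read or write (weakness 2). The issuer key, layout and
# ledger below are assumptions for illustration, not the MBTA's design.

def encode_naive(card_id, cents):
    """Naive layout [card_id:4][balance:4]: value lives on the card (weakness 1),
    with no signature (weakness 3) and nothing checked centrally (weakness 4)."""
    return bytearray(struct.pack(">II", card_id, cents))

def read_naive(card):
    return struct.unpack(">II", bytes(card[:8]))

def attacker_rewrite(card, new_cents):
    """With read/write access, an attacker just overwrites the balance field."""
    card[4:8] = struct.pack(">I", new_cents)

def turnstile_naive(card, fare):
    card_id, cents = read_naive(card)
    if cents < fare:
        return False
    card[4:8] = struct.pack(">I", cents - fare)
    return True

# Hardened layout: [card_id:4][balance:4][counter:8][hmac-sha256:32].
ISSUER_KEY = b"hypothetical issuer key, never stored on the card"

def _tag(card_id, cents, counter):
    body = struct.pack(">IIQ", card_id, cents, counter)
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()

def encode_signed(card_id, cents, counter=0):
    body = struct.pack(">IIQ", card_id, cents, counter)
    return bytearray(body + _tag(card_id, cents, counter))

def verify_signed(card):
    """Return (card_id, cents, counter) if the tag is valid, else None."""
    if len(card) != 48:
        return None
    card_id, cents, counter = struct.unpack(">IIQ", bytes(card[:16]))
    if not hmac.compare_digest(bytes(card[16:]), _tag(card_id, cents, counter)):
        return None
    return card_id, cents, counter

class CentralLedger:
    """Back end that remembers the highest counter seen per card. A valid tag
    only proves the issuer wrote that image at some point; the ledger is what
    rejects an older image being replayed (weakness 4)."""
    def __init__(self):
        self.last_counter = {}

    def accept(self, card_id, counter):
        return counter >= self.last_counter.get(card_id, 0)

    def record(self, card_id, counter):
        self.last_counter[card_id] = counter

def turnstile_signed(card, fare, ledger):
    parsed = verify_signed(card)
    if parsed is None:
        return False                      # tampered, or not issued by us
    card_id, cents, counter = parsed
    if not ledger.accept(card_id, counter):
        return False                      # rolled-back or cloned image
    if cents < fare:
        return False
    card[:] = encode_signed(card_id, cents - fare, counter + 1)
    ledger.record(card_id, counter + 1)
    return True

def demo():
    """Walk the attacks against both layouts; returns the observable outcomes."""
    out = {}
    naive = encode_naive(0x1234, 500)
    attacker_rewrite(naive, 100_000)                  # $1,000.00 for free
    out["naive_forged_balance"] = read_naive(naive)[1]
    out["naive_accepts_forgery"] = turnstile_naive(naive, 200)

    ledger = CentralLedger()
    signed = encode_signed(0x1234, 500)
    forged = bytearray(signed)
    attacker_rewrite(forged, 100_000)                 # same write now breaks the tag
    out["signed_rejects_forgery"] = not turnstile_signed(forged, 200, ledger)

    backup = bytearray(signed)                        # attacker dumps a valid image first
    out["signed_first_fare"] = turnstile_signed(signed, 200, ledger)
    out["signed_balance_after"] = verify_signed(signed)[1]
    out["backup_tag_still_valid"] = verify_signed(backup) is not None
    out["signed_rejects_rollback"] = not turnstile_signed(backup, 200, ledger)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats matter in practice. The MAC key has to live somewhere the reader can use it, so an offline turnstile needs a secure access module and per-card derived keys rather than one global secret, or extracting a single reader gives away the whole fleet. And the ledger only stops rollback and cloning as fast as readers synchronize with it; until they do, a signed-but-stale image will be accepted, which is why the fourth bullet (central verification) is a requirement rather than an optimisation.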

There will be plenty more blogs and opinions on this topic floating around cyberspace in the coming days and weeks. I find the debate raging over "free speech" to be somewhat off track. Rather, what about a discussion on the ethics and morality of these students revealing ways to steal from or hack into critical infrastructure? Whether or not we have the constitutional right to say (or write) something is only part of the question. We have the legal right to do many things that aren't wise. In this case, their actions may or may not be against the law (if they didn't actually steal). But revealing this information at a public conference, over the objections of Boston transit officials, seems wrong to me.

We've entered a dangerous new time as a technology industry - where it's cool to hack and find ways to break into digital systems. The new way to make a name for yourself, get noticed and have five minutes of fame is to hack into critical infrastructure.

I know the counter arguments. No doubt, many research projects can help uncover holes and help us improve security. But the actions taken by the students in this situation raise many ethical and moral questions.

This information is now all over the Internet. Many "copy-cat" young hackers are developing new ideas and similar game plans. Despite obvious security flaws in the Boston subway system, I have a hard time seeing how this trend is helping America. I do see how it helps the three students from MIT.     

What are your thoughts?           


Hackers Invade Social Networks

Several recent security reports warn of dangers found on social networking sites like MySpace and Facebook. As the popularity of these sites has grown, the risks have grown as well. Yesterday,  USA Today proclaimed, "Hackers want to be your (malicious) friend." 

Here's an excerpt from that article: "Last week, computer security firm Sophos detailed an attack in which messages posted on the walls of users' Facebook pages urged them to view a video that claimed to be hosted on a Google website. But when the link was clicked, the victim was diverted to a website containing malware."


Earlier this month, Jennifer Leggio, who blogs for ZDNet, described "Facebook's (futile) malware exorcism - can social networks fight back?"  She doubts the claim, made by Max Kelly who is Facebook's head of security, that they have identified and blocked the ability to link to malicious websites from within Facebook. Jennifer says:

  • "Making a social network secure is darn near impossible. As fast as Facebook (or any other social network) blocks those known malicious sites, hackers will come up with new ones. There's no "patch" or "fix" for these issues.
  • Why? The major flaw with social networks comes down to user awareness and user responsibility. Kelly correctly states that many people use the Internet without any knowledge of security threats posed by hackers. Which makes these users... (susceptible).
  • ... If users are unaware as to the threats presented by clicking on outside links, they are easily going to be spoofed. Facebook cannot keep its users from clicking off the site and downloading files."

Jennifer also references a DefCon 16 session with a great name: Satan is on My Friends list: Attacking Social Networks. The session description for that breakout says this:

"Social Networking is shaping up to be the perfect storm... An implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML (Hello? MySpace? 1998 called. It wants its markup vulns back). Yikes.

But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks...."

Lest you think this topic is brand new - think again. While the hacker tricks change with the times, PC World proclaimed "Hackers Crash the Social Networking Party" almost two years ago.

There are also plenty of other online publications writing about these problems: a Google search for "social network malware" returns over 1.3 million results. What's to be done? There are plenty of suggestions for MySpace and Facebook roaming around in cyberspace. Nevertheless, most experts continue to point back to end user awareness and more training.

Perhaps the best advice comes from an age-old Biblical Proverb: "A man of many companions may come to ruin, but there is a friend who sticks closer than a brother." In other words, know your online friends.

Any comments on social networking at work?


The State of Michigan was hit with a new phishing attack yesterday, and thanks to some very quick response and excellent work by several internal teams within our Michigan Department of Information Technology (MDIT), we dodged a major bullet. The majority of the email attacks came with variations on the headline "CNN.com: The Daily Top 10." The Sunbelt Blog describes this fake CNN email phishing scam in detail.

Although we block over 90% of incoming email into Michigan state government with our spam-blocking processes, these emails got through to most state employees yesterday. Some employees clicked, and a few machines got infected and needed to be rebuilt. We were able to block malware downloads for hundreds of others who fell for the tempting headlines and clicked on the video link feeds.

We also deleted the emails from thousands of inboxes and ensured that these incoming fake emails were blocked going forward. As of late yesterday, we had blocked hundreds of thousands of these fake emails that were trying to enter state government email boxes.

Thankfully, no sensitive data was lost, and we avoided any network or systems outages. Our teams have come a long way in the past few years regarding incident response, resiliency and recovery, and this type of attack would have devastated us a few years back.

Other states are telling me that they were seeing the same attacks, and a Multi-State Information Sharing and Analysis Center (MS-ISAC) call was planned for Thursday afternoon (8/7) to discuss the situation further between state and local governments. In Michigan, we are also tracking several phishing attempts with various "Beijing Olympics" email subject headings.

As experts predicted last week, this is a very dangerous time for government networks, and enterprise administrators need to be on full alert for various new attacks during August.

All of these big events create new opportunities for the "bad guys" to distract users and gain unauthorized access. I'll cover this later, but expect similar techniques to be used for the upcoming political conventions.


Apple released security patches this week to address a number of serious vulnerabilities. The computer industry has been critical of Apple's slow response to the domain name system (DNS) vulnerability that has caused a major stir throughout the industry.

Hundreds of different blogs, online magazines and newspapers ran stories on this topic over the past few days. Brian Krebs, who blogs for Washingtonpost.com, described the patches that Apple released in detail. He describes the situation this way:

"Security Update 2008-005 patches a serious flaw in the DNS that could allow hackers to hijack users' Internet connections or silently redirect them to counterfeit Web sites. Cisco, Microsoft, Sun Microsystems and a host of Linux projects pushed out a coordinated fix for the flaw on July 8, when it was first disclosed, and Apple immediately took heat for not releasing its patch then as well."

However, the story gets more interesting. Computerworld and other online technical publications quickly declared that the DNS patch doesn't work. According to Andrew Storms, director of security operations at nCircle Network Security Inc., "The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything."

The article went further: "Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw."
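Why incrementing ports matter: the coordinated July fix works by making an attacker guess both the 16-bit transaction ID and a random 16-bit source port for a forged answer to be accepted, and a resolver that walks its ports sequentially hands back the second half of that search space. Storms' observation is something any administrator can check with a packet capture of their own resolver. The block below is an added example, not nCircle's test or anything from Apple or Computerworld: it parses constructed tcpdump-style lines (not a real capture), pulls the UDP source port of each outbound query to port 53, and classifies the sequence as incrementing or randomized from the step between consecutive ports and the spread of the values. The line format, the two sample port lists and the thresholds are assumptions.

```python
import re
from collections import Counter

# Matches the outbound half of a "tcpdump -n" line for a UDP query to port 53,
# e.g. "IP 192.0.2.10.49152 > 198.51.100.53.53: 4660+ A? example.com. (29)".
# Answers (source port 53) do not match because their destination port is not 53.
QUERY_LINE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: ")

def source_ports(lines):
    """Return the UDP source port of every outbound DNS query in the capture."""
    return [int(m.group("sport")) for m in map(QUERY_LINE.search, lines) if m]

def classify_ports(ports, min_samples=8, min_spread=4096):
    """Decide whether a resolver's source ports look incrementing or randomized."""
    if len(ports) < min_samples:
        return {"verdict": "insufficient", "samples": len(ports)}
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    step_share = count / len(deltas)
    spread = max(ports) - min(ports)
    if 1 <= step <= 4 and step_share >= 0.8:
        verdict = "incrementing"      # what the Computerworld test saw on the client patch
    elif spread < min_spread:
        verdict = "narrow-range"      # random, but in too small a window to add much entropy
    else:
        verdict = "randomized"
    return {"verdict": verdict, "samples": len(ports), "distinct": len(set(ports)),
            "dominant_step": step, "step_share": round(step_share, 2), "spread": spread}

# Constructed port sequences (not real traffic): 16 lookups as seen from a
# resolver that increments its port and from one that picks ports at random.
SEQUENTIAL_PORTS = list(range(49152, 49152 + 16))
RANDOM_PORTS = [53781, 12044, 61290, 3377, 44915, 27106, 58423, 9950,
                36872, 50209, 1987, 63140, 21566, 40033, 15712, 57698]

def sample_capture(ports):
    """Build tcpdump-style query/answer pairs for the given source ports."""
    lines = []
    for i, port in enumerate(ports):
        txid = 0x1000 + i
        lines.append(f"12:00:{i:02d}.000000 IP 192.0.2.10.{port} > 198.51.100.53.53: "
                     f"{txid}+ A? host{i}.example.com. (31)")
        # the matching answer, which the parser must ignore
        lines.append(f"12:00:{i:02d}.020000 IP 198.51.100.53.53 > 192.0.2.10.{port}: "
                     f"{txid} 1/0/0 A 203.0.113.{i} (47)")
    return lines

if __name__ == "__main__":
    for name, ports in (("incrementing resolver", SEQUENTIAL_PORTS),
                        ("randomizing resolver", RANDOM_PORTS)):
        print(name, classify_ports(source_ports(sample_capture(ports))))
```

To use it on a real host, run `tcpdump -n udp and dst port 53` while issuing a dozen lookups for names that are not already cached, feed the output lines in, and expect "randomized" with a spread in the tens of thousands. "incrementing" means the source port contributes nothing and the transaction ID is the only thing an attacker has to guess, which is the state the article describes.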

For those who missed it, I first started blogging on this DNS issue a few weeks ago. Since that time, thousands of articles have popped up on many aspects of this problem. A Google search on "DNS flaw" now yields over a million results.

Tod Newcombe, Editor of Public CIO Magazine, sent me a great story from CNET News.com which describes Dan Kaminsky as "The man who changed Internet security." The story is pretty amazing and gives a behind-the-scenes look at how vulnerabilities, once found, can be difficult to address. Of course, this was a special case.

The article proclaims, "There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties."

Again, I urge all government enterprises to ensure that they have addressed this very serious problem. Active exploits are now available online.