What harm social engineering?

by BeauHoward on October 31, 2013

I received an interesting question via Twitter this morning:

Dr.Krypt3ia (@krypt3ia):

Question: You socially engineer an exec out of a password or access but you don’t use it. Instead you write about it. Legal troubles ensue?

My initial reaction was that the particular laws at issue are not specifically relevant to a more pressing, practical question.  What would it cost to be sued for this stunt?  Not just in legal fees and potential damages, mind you.  Being accused of lying to a businessman in order to hijack his password would almost certainly also cost a person reputation points and credibility in the InfoSec industry.  These days, the sad truth is that most people look at a judgment against them as nothing more than a starting point for a negotiation.  A hit to your reputation, on the other hand, affects your ability to sell your services, and it therefore affects your cash flow.  So there are practical concerns here that may outweigh the technical right-or-wrong question.

Having said that, I wanted to address the actual legalities briefly.  I am a lawyer, after all, and my “practical concerns” don’t really add anything unique to the discussion.

Just to frame the discussion, my initial response was:

Fletcher Howard (@BeauHoward):

@krypt3ia @theprez98 if you make him look dumb, and he can even say the words “computer fraud” with a straight face, you’ll have a bad time.

Which prompted a good follow-up question:

Dr.Krypt3ia (@krypt3ia):

@BeauHoward @theprez98 Interesting as no computer has been touched.

So what of the issue that the Computer Fraud and Abuse Act is a statute designed to prevent the hacking or cracking of password-protected computers, but “social engineering” doesn’t require a single computer to be involved?  For those out of the know, “social engineering” is a fancy new term for a confidence trick.  It is lying your way into information.  For example, if you called up the administrative assistant to the President of a company and pretended to be from the company’s third-party IT services provider, and you somehow used that little white lie to trick him or her into giving you the President’s username and password for his Citrix login, you might say you “socially engineered” the password from him or her… even though your grandma would just call you a “con man.”

Regardless of the semantics, the question remains.  Does a computer actually have to be hacked before the theoretical company can file a lawsuit under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030?  Arguably, no.  Here is the text of the law, from which I have quoted only the relevant parts:

(a) Whoever—

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if— (A) such trafficking affects interstate or foreign commerce; …

shall be punished as provided in subsection (c) of this section.

18 U.S.C. § 1030(a)(6) and (7).

So, under section 1030(a)(6), it is illegal to traffic in passwords.  The term “traffic” is defined in 18 U.S.C. § 1029(e)(5) to mean, “transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of” (emphasis added).  In other words, our hypothetical social engineer would not have to actually transfer a password to another person to be guilty of “trafficking” under the CFAA.  He would simply have to obtain the password with the intent to transfer it.

He might deny that he had this intent.  It might even be possible for him to make a factual case that he did not actually have this intent.  But this is going to be an uphill battle for obvious reasons.  As a matter of evidence, a defendant’s actual, subjective state of mind is unknowable and unprovable except by the direct testimony of the defendant himself, or by circumstantial evidence.  Because nobody trusts the defendant to tell the truth about his subjective state of mind, lawyers and judges judge people’s intent by their actions.  In most cases, where a defendant has done all of the acts necessary to have committed a crime, the jury will be allowed to determine what the defendant was thinking when he did those acts, and the jury will be allowed to disbelieve the defendant if they decide that he is not trustworthy.  In the case of our hypothetical social engineer, he would have lied his way into retrieving the password, and so the jury would most likely be justified in finding that he was also lying about his intent not to “traffic” the password once it was obtained.  They are not required to make this finding, but it would cost a lot of money to have a lawyer prove the social engineer’s case.

So, we’re back to practical considerations.  Regardless, just by social engineering a password and bragging about it online, our hypothetical social engineer could certainly expect to be slapped with a CFAA trafficking claim, and the judge would likely let the question go to the jury.

It is important to note that the embarrassed company would have a cause of action based on the trafficking charge under the following CFAA section:

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.  A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses  [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 1030(g).  Significantly, in order to bring this cause of action, the company has to be able to allege that it suffered “damage” or “loss.”  “Damage” is generally defined to mean “any impairment to the integrity or availability of data, a program, a system, or information,” and so it would require an actual computer to have been touched.   18 U.S.C. § 1030(e)(8).  However, “loss” means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. § 1030(e)(11) (emphasis added).  Even if our social engineer never touched the company’s computers, the company might nonetheless suffer “loss” if it decided to conduct an expensive damage assessment or, similarly, to hire an outside consulting firm to inspect the integrity of its networks and data and to look for evidence of an intrusion.  See, e.g., Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887, 895 (N.D. Cal. 2010) (“[c]osts associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute”); Frees, Inc. v. McMillian, CIV.A. 05-1979, 2007 WL 2264457, *3 (W.D. La. Aug. 6, 2007) (“[t]he cost of hiring an expert to investigate the computer damage is clearly a ‘reasonable cost’ sufficient to constitute ‘loss’ under the CFAA”).  This loss only needs to be $5,000 in value before the company can file a lawsuit, 18 U.S.C. § 1030(a)(4)(A)(i)(1) and (g), and it is not hard for the company to run up a $5,000 bill when it hires a law firm to hire an InfoSec consultant to conduct the investigation.  In other words, the company will be able to satisfy the “loss” component even if the hypothetical social engineer never touched its computer network.

To make a long story short, we live in a climate that is very skittish about computer “hacking,” and lots of the decision makers are either baby boomers or greatest generation-ers who lack the critical experience with computer systems necessary to make rational decisions in these kinds of cases.  Old people don’t like “hackers,” regardless of MIT’s effort to reclaim that word for creative types, and you can safely assume that an older judge is probably going to decide close questions in favor of the business and against the clever social engineer.  Thus, while we might privately acknowledge that the business’s most reasonable response to this scenario would be to change the password and move on without calling unnecessary public attention to its computer security holes, that doesn’t mean that the people in charge will understand this.  They may well decide to try to make an example of the social engineer, and the court system might just go along with it as outlined above.

If I were a white hat, I would steer clear of any “social engineering” unless I already had a consulting contract with the business to perform an information security assessment.

So, Anonymous Wants to Kill Facebook…

by BeauHoward on August 10, 2011

Listen to the press release on YouTube by clicking here.

Read it on the Village Voice by clicking here.

…This should be interesting.  In a fight like this, my money usually gets placed on the corporation generating $2 billion a year in revenue.  That said, Anon has been about this game long enough now to know that it won’t actually “kill” Facebook.  They could cost Facebook money through harassment, but the juggernaut social network will clearly weather the storm, whatever it is, because (1) it has a $50 billion market cap, (2) there is too much money to be made, and (3) people are addicted to it.

Take cigarettes as an example.  They give you cancer and kill you, and everyone on Earth knows it.  Even so, the tobacco industry is alive and well for basically the same three reasons that Facebook will be fine.  Countless public service announcements and anti-smoking ordinances may have dented big tobacco’s armor, but Altria Group, Inc. (formerly Philip Morris) still generated $3.9 billion in profits on more than $16 billion in revenue in 2010.

So this threat feels like a public service announcement and a publicity stunt from Anonymous.  It will not kill Facebook, but it will certainly be interesting to watch.


One caveat: Anon has planned its operation for November 5, which is Guy Fawkes day.  I presume they intend only a virtual detonation of Facebook with the usual denial of service attacks and associated grief, as opposed to actual detonation with kegs of gunpowder.  Anon does, after all, appear to have a new toy to replace the Low Orbit Ion Cannon.

Need to know where someone was? Subpoena their iOS “consolidated.db” file.

by BeauHoward on April 20, 2011

I had a recent case where someone skipped a court hearing despite being under subpoena to attend, and I suspected that the explanation for their absence was phony.  Fortunately, the issue was handled quietly, without court involvement, and my suspicion and persistence in asking questions was enough to force a resolution.  But what if suspicion and pointed questions had not been enough?  What if I needed proof?

Recent research from Pete Warden and Alasdair Allan suggests that a person’s whereabouts might be determined from the “consolidated.db” file stored on their iPad or iPhone.  Apparently, these devices use information broadcast from cell towers to regularly triangulate their location, and then they store this information in the consolidated.db file for whatever purpose.  Targeted advertising maybe?  That’s a mystery for another time.

Anyhow, cell tower triangulation isn’t GPS-level accurate, but it could certainly prove that someone’s iPhone was in Atlanta (for example) when the person claimed to have been in Dallas (again, for example).  From there, cell phone records, social media activity, and other evidence could be used to help prove whether the individual was actually with their phone at relevant times.  It’s a neat trick, if you can pull it off.

Here’s an article on point from the Washington Post and Bloomberg.

Here’s a link to an app that would help you examine the data contained in consolidated.db.

I wonder who will be the first to try to subpoena this file in a civil proceeding?

Update:

ArsTechnica has an interesting article suggesting that encrypting your iPad or iPhone data backups will make this information harder to obtain by someone looking for it surreptitiously on your home computer, but it would not encrypt the data stored on your phone or tablet itself:  click here.

There is also some indication that the location data contains glitches which will occasionally place you in a location a few miles off from your actual location.  This could be very significant or not, depending on why your location is being tracked.  See here.
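To make the two points above concrete (the device stores periodic cell-tower fixes in a SQLite file, and any single fix may be a glitch a few miles off), here is an added example of how an investigator might query such a file. This is not code from the post or from the Warden/Allan research: the CellLocation table layout, the column names and the use of a 2001-based timestamp are assumptions, and the rows are constructed for the demonstration. The check deliberately requires several consistent fixes inside a radius rather than trusting one record, so a lone glitchy fix does not, by itself, place the phone anywhere.

```python
import math
import sqlite3
from datetime import datetime, timedelta, timezone

# ASSUMED schema, loosely modelled on the table the researchers described.
# Real files may differ; treat the column names as a placeholder.
SCHEMA = """
CREATE TABLE CellLocation (
    MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
    Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL
)
"""
# Assumption: timestamps are seconds since 2001-01-01 UTC (Apple "absolute time").
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

ATLANTA = (33.749, -84.388)   # approximate city-centre coordinates
DALLAS = (32.777, -96.797)
HEARING = datetime(2011, 3, 28, 15, 0, tzinfo=timezone.utc)  # constructed hearing time


def to_mac_time(dt):
    return (dt - MAC_EPOCH).total_seconds()


def from_mac_time(seconds):
    return MAC_EPOCH + timedelta(seconds=seconds)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def build_sample_db():
    """Constructed in-memory consolidated.db stand-in with a handful of fixes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        # three fixes clustered in Atlanta around the hearing
        (310, 410, 1, 1001, to_mac_time(HEARING - timedelta(hours=3)), 33.76, -84.39, 500.0),
        (310, 410, 1, 1002, to_mac_time(HEARING - timedelta(hours=1)), 33.74, -84.40, 800.0),
        (310, 410, 1, 1003, to_mac_time(HEARING + timedelta(hours=2)), 33.78, -84.37, 600.0),
        # one "glitch" fix roughly 28 km away at the hearing time
        (310, 410, 1, 1004, to_mac_time(HEARING), 33.95, -84.20, 5000.0),
        # a single fix in Dallas the previous day
        (310, 410, 2, 2001, to_mac_time(HEARING - timedelta(days=1)), 32.78, -96.80, 700.0),
    ]
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def fixes_near(conn, center, radius_km, start, end):
    """Return (utc_time, distance_km) for fixes within radius_km of center
    whose timestamp lies in [start, end]."""
    cur = conn.execute(
        "SELECT Timestamp, Latitude, Longitude FROM CellLocation "
        "WHERE Timestamp BETWEEN ? AND ? ORDER BY Timestamp",
        (to_mac_time(start), to_mac_time(end)),
    )
    hits = []
    for ts, lat, lon in cur:
        dist = haversine_km(center[0], center[1], lat, lon)
        if dist <= radius_km:
            hits.append((from_mac_time(ts), round(dist, 1)))
    return hits


def corroborated_presence(conn, center, radius_km, start, end, min_fixes=2):
    """Because a single record can be a glitch miles off, only treat the phone
    as placed near `center` when several independent fixes agree."""
    return len(fixes_near(conn, center, radius_km, start, end)) >= min_fixes


if __name__ == "__main__":
    db = build_sample_db()
    window = (HEARING - timedelta(hours=6), HEARING + timedelta(hours=6))
    for t, d in fixes_near(db, ATLANTA, 15, *window):
        print(f"{t.isoformat()}  {d} km from Atlanta centre")
    print("Atlanta corroborated:", corroborated_presence(db, ATLANTA, 15, *window))
    print("Dallas corroborated: ", corroborated_presence(db, DALLAS, 15, *window))
```

The radius and the minimum number of agreeing fixes are the analyst's choices; a wider radius tolerates the triangulation error the post mentions, while the fix count guards against the isolated glitches noted in the update.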

Judge Sanctions Plaintiffs $29,000 for Discovery Fishing Expedition Against John Doe Defendants

by BeauHoward on April 12, 2011

The Court issued its Final Order and Judgment on April 6, 2011, in the case styled Ligatt Security International, Inc. v. John Does 1-25, et al., Civ. Act. File No. 10-A-6012-5, Superior Court, Gwinnett County, Georgia.  The Judgment awards the Defendant approximately $29,000 in attorney’s fees, stating:

The Court finds that Plaintiffs filed this case as a pretext for a discovery fishing expedition, which Plaintiffs conducted through the illegal means described in the Court’s prior Order Awarding Fees.  The Court bases this finding on the reasons stated on the record during the March 28, 2011 hearing (as reflected in the transcript thereof), and on (a) the testimony of Plaintiff Evans respecting his intentions for filing this case; (b) the fact that Plaintiffs never filed a written response to any motion filed by Defendants; (c) the fact that, after multiple hearings, Plaintiffs finally stated in open court that they did not oppose the relief requested in the Motion to Dismiss; and (d) the fact that, after the Court entered its Order Awarding Fees, which quashed Plaintiffs’ illegal subpoenas, Plaintiffs voluntarily dismissed this case to pursue litigation in other courts.  Based on the foregoing, the Court finds that, by improper conduct including, without limitation, the issuance of illegal subpoenas, Plaintiffs unnecessarily expanded this proceeding, which was itself initiated and conducted without substantial justification, for the purposes of harassment, and as part of an illegal discovery fishing expedition.

For the reasons stated in the Order Awarding Fees and further pursuant to O.C.G.A. § 9-15-14(b), Defendant Morris is entitled to an award of reasonable and necessary attorneys’ fees and expenses incurred in preparing and pursuing both his Motion to Dismiss and Motion to Quash.

(Footnote omitted.)

The full text of the Judgment can be read by clicking here.

The full text of the Court’s prior Order Quashing Subpoenas can be read by clicking here.

You can read The Register’s coverage of the subpoena issue here:  Judge Rebukes ‘World’s No. 1 Hacker’

No Defamation When University Blacklists “Unreliable” Websites

by BeauHoward on April 12, 2011

In another case that turns on the difference between statements of opinion and fact in the defamation context…

The Turkish Coalition of America (“TCA”) and Sinan Cingilli recently sued the University of Minnesota and two University officials, President Robert Bruininks and Professor Bruno Chaouat, for defamation (among other things) related to the parties’ conflicting viewpoints on whether the Ottoman government’s killing of Ottoman Armenians during World War I constituted genocide. The TCA maintains a website arguing that no case of genocide could be successfully brought against the Ottoman government.  The University of Minnesota, which operates a Center for Holocaust and Genocide Studies (“CHGS”), takes a contrary viewpoint, and from about 2006 forward, the University’s CHGS website stated the following about the TCA under the heading “Unreliable Websites”:

We do not recommend these sites. Warnings should be given to students writing papers that they should not use these sites because of denial, support by an unknown organization, or contents that are a strange mix of fact and opinion. We also do not advise using sites with excessive advertising.

On the issue of whether this statement could constitute an actionable defamation, the United States District Court in Minnesota stated:

[As to the defamation claim,] the Court concludes that the alleged statements constitute protected opinions of the CHGS and Professor Chaouat. Defendants have openly acknowledged that the CHGS and Professor Chaouat believe that the killing of Ottoman Armenians during World War I was genocide. Even if the allegedly defamatory statements indicate that the TCA’s contra-genocide viewpoint is unreliable, it is clear that this position is one of academic opinion. Accordingly, the Court dismisses Plaintiffs’ defamation claims against Defendants.

The Court notes that in order for Plaintiffs’ defamation claims to go forward, Plaintiffs would have to be able to establish that the allegedly defamatory statements made on the CHGS website were false. To conclude that Defendants’ statements were false, the Court would also have to determine that either the contra-genocide viewpoint is correct or that the issue is a genuine controversy. The problematic nature of such a request highlights why statements of opinion, and particularly academic opinion, are not actionable….

Although this ruling is pretty narrowly tailored to academic debates, I don’t see a reason it shouldn’t extend to public discussion of other complicated social, political or legal issues.  Universities aren’t the only “tastemakers” out there with sufficient pull to scuttle reliance upon a website.  (Note that I said “reliance upon” as opposed to “visits to,” because publicly denigrating someone’s website is a great way to drive traffic there).  Why should the well-respected be denied the freedom to express their legitimately held opinions in public debates?

You can read the full text of the Court’s Order here: Memorandum Opinion and Order

You can read professor Eugene Volokh’s commentary here:  The Volokh Conspiracy

Identifying Anonymous Internet Trolls

by BeauHoward on March 16, 2011

The problem of harassment from anonymous Internet trolls is hardly new. The topic has a rich enough history to merit New York Times (NYT), Wikipedia and How Stuff Works articles, of which the NYT story is far and away one of the most fascinating things you can read for free on the Internet.

A quick Google search reveals a wealth of content alternately rating the all-time-best trolls, explaining how to troll, and/or describing strategies for dealing with trolls.  XKCD once published this hilarious cartoon on the topic: Troll Slayer.

In truth, Internet trolling can often be amusing and harmless. This was the case with Mark V. Shaney, a program that generated nonsensical, but quasi-intelligent text and posted it to Usenet to trick people into conversing with a computer when they believed they were having a conversation with a real, albeit off-kilter person.

There are, however, circumstances where individuals cross the line, and a hoax becomes tortious, or worse, criminal. In one famous case, a prankster created a fake Bloomberg News website and successfully manipulated a stock price. The NYT reports:

Using a personal World Wide Web site intended to look like an Internet page of Bloomberg News, someone posted a fake report early yesterday that said an American technology company called Pairgain Technologies Inc. was being taken over by an Israeli rival for a hefty price. The report spread to a Yahoo message board and then to other sites frequented by stock traders, who quickly bid up Pairgain’s stock by more than 30 percent.

(NYT, Fake News Account On Web Site Sends Stock Price Soaring, April 8, 1999.)

In other cases, anonymous Internet harassment has arguably led to more dire consequences. Lori Drew, for example, was convicted in federal court of misdemeanor computer fraud “for her involvement in creating a phony account on MySpace to [play a trick on] a teenager, who later committed suicide.” (NYT, Verdict in MySpace Suicide Case, November 26, 2008.)

These examples are by no means exhaustive. Hundreds of instances of Internet harassment, defamation, stock manipulation, stalking and fraud are a mere Google search away.  Some of these schemes are perpetrated by trolls, in the classic sense. Others are perpetrated with criminal intent. Regardless, if you are unfortunate enough to become a victim, the trickiest part of making yourself whole can often be identifying the culprit.

If you are legally or technically savvy enough to do so, discovering the Internet Protocol (IP) address associated with a tortious communication should be one of your first steps. According to ICANN, the international organization assigned to manage and coordinate Internet addresses:

IP addresses are the numbers assigned to computer network interfaces. Although we use names to refer to the things we seek on the Internet, such as www.example.org, computers translate these names into numerical addresses so they can send data to the right location. So when you send an email, visit a web site, or participate in a video conference, your computer sends data packets to the IP address of the other end of the connection and receives packets destined for its own IP address.

(ICANN, Beginner’s Guide to Internet Protocol (IP) Addresses, accessed March 16, 2011.)

An IP address, however, merely points to a computer or a router, not a person. In the case of a stationary computer, the IP address cannot tell you who was at the keyboard. In the case of a router, the IP address only identifies the router itself, not the connected devices, and certainly not the individuals using those devices. If the IP address refers to a foreign proxy server or a Tor exit node, the problems are compounded. Depending on the circumstances, it could be difficult, cost prohibitive or impossible to positively identify the sender of the communication by an IP address alone.

That said, an IP address is often a nice piece of circumstantial evidence. It can help narrow your range of suspects, and, when used in conjunction with other identifying evidence, it can help support your case for identifying the culprit. So, what other forms of identifying evidence do you need? Thanks to recent research, a small number of writing samples is one possible answer.

In a new article by Farkhund Iqbal, Rachid Hadjidj, Benjamin C.M. Fung and Mourad Debbabi titled “A Novel Approach of Mining Write-Prints for Authorship Attribution in E-mail Forensics” (mirror here), the authors propose a fairly sophisticated method for analyzing suspects’ writing samples, identifying recurrent factors and patterns that make up each suspect’s “write-print” (style, word choice, common grammatical errors, et cetera), and then comparing the suspect’s write-print to the write-print of the problem communication.

In the words of the authors:

In forensic science, an individual can be uniquely identified by his/her fingerprint. Similarly, in cyber forensics, an investigator would like to identify the “write-print” of an individual from his/her e-mails and use it for authorship attribution.

The authors tested their proposal using data from the publicly-available Enron email database and achieved remarkably accurate results (in the 80% range) when using a modest sample of the test-suspects’ emails (about 16 emails each for 6 suspects). In a civil lawsuit, where the evidentiary standard is “more likely than not,” a methodology with an 80% average success rate may be sufficient to get your expert in front of a jury if the other identifying evidence is consistent.

In short, if you can use IP information to narrow your range of suspects, and your attorney can collect and authenticate a reasonable number of writing samples, an expert employing the Iqbal write-print analysis could remove some guesswork from identifying your culprit.  Although the write-print study was conducted with emails, there is no reason the same analysis would not work with message board, blog, or newspaper comment posts.
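To show the shape of the comparison described above, here is an added, deliberately simplified authorship-attribution example. It is not the Iqbal et al. method and not code from the paper or the post: it builds a crude "write-print" from character trigrams (which pick up spelling habits and punctuation) and word choice, measures cosine similarity between the unknown message and each suspect's profile, and refuses to attribute when the two best scores are too close. The suspects, their writing samples and their habits are constructed for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed samples for two hypothetical suspects. The habits (lowercase "i",
# "u", "alot", doubled "!!" versus "however,", semicolons and "Regards") are
# made up to give each suspect a recognisable style.
SAMPLES = {
    "suspect_a": [
        "i think u should know that alot of people disagree with u!! anyway i will be there.",
        "alot of the time i just ignore them. u know how it is!!",
        "honestly i dont care alot about what u think!! do whatever.",
    ],
    "suspect_b": [
        "However, I would suggest that we revisit the proposal; the figures do not support it. Regards.",
        "I have reviewed the document; however, several sections remain unclear. Regards.",
        "Thank you for the update; however, I believe the deadline is unrealistic. Regards.",
    ],
}


def features(text, n=3):
    """Character n-grams plus word unigrams over lower-cased text.
    n-grams capture spelling and punctuation habits; words capture vocabulary."""
    t = text.lower()
    feats = Counter("c:" + t[i:i + n] for i in range(max(len(t) - n + 1, 0)))
    for word in re.findall(r"[a-z']+", t):
        feats["w:" + word] += 1
    return feats


def profile(texts):
    """Aggregate feature counts over all of a suspect's known samples."""
    total = Counter()
    for text in texts:
        total.update(features(text))
    return total


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a if k in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def attribute(unknown, samples=SAMPLES, min_margin=0.05):
    """Return (best_suspect_or_None, scores). None means the top two scores
    were too close to call, which is the honest answer for weak evidence."""
    profiles = {who: profile(texts) for who, texts in samples.items()}
    target = features(unknown)
    scores = {who: round(cosine(target, p), 3) for who, p in profiles.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    margin = ranked[0][1] - runner_up
    return (ranked[0][0] if margin >= min_margin else None), scores


if __name__ == "__main__":
    for msg in [
        "i told u alot of times!! stop posting this stuff. i mean it.",
        "However, I must insist; the schedule is fixed. Regards.",
        "ok",
    ]:
        who, scores = attribute(msg)
        print(f"{who or 'inconclusive':<13} {scores}  <- {msg!r}")
```

In practice the feature set, the number of samples per suspect and the decision threshold all drive the error rate; the 80% figure the post quotes came from the authors' own, far richer method and their Enron test set, and a toy profile like this one is only meant to show what "comparing write-prints" means mechanically.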

In closing, please note that not every instance of harassment is actionable, and using a court to strip another person of their online anonymity generally raises First Amendment and a variety of other legal issues.  If you find yourself in the unfortunate position of needing to identify an offending John Doe, consult your attorney.

Anonymous Leaks Internal Bank of America Emails

by BeauHoward on March 14, 2011

From the New York Times: link to the article.

Anonymous picked up where Wikileaks left off by publishing a batch of Bank of America’s (BoA) internal emails, allegedly showing that BoA was complicit in foreclosure fraud. According to the NYT:

The documents indicate that Bank of America improperly foreclosed on several homes during the height of the financial crisis in 2008 that began one of the worst recessions since the great depression. The report came from a former employee with Balboa Insurance — a risk management and insurance firm. The employee reportedly corresponded with Bank of America employees and was told to falsify loan numbers on documents to force Bank of America to foreclose on homeowners.

Other publications, such as Business Insider, remain skeptical about whether the leaked emails contain any damaging information to BoA.

The BoA emails were provided to Wikileaks last year, which intended to release them in December 2010. Julian Assange’s arrest may have derailed those plans, although Reuters reported in February 2011 that even Mr. Assange’s desire to release the documents had waned because he was not sure whether they demonstrated anything newsworthy.

Anonymous is providing access to the leaked emails at http://bankofamericasuck[dot]com, but reports indicate that a flood of interest has shut down the site.

A discussion on the Reddit politics board lists a number of mirrors.

Georgia residents interested in the leaked emails may want to tread carefully, as it remains to be seen how BoA will react to the disclosure.

Others reporting on this story, some of which are republishing emails from within the leaked batch of documents:

Huffington Post: Bank Of America Anonymous Leak Alleges ‘Corruption And Fraud’ (Mirror)

The Register: Anonymous collective begins leaking Bank of America emails. Is that all you’ve got? (Mirror)

Forbes: Bank Of America E-Mail Leaks Are Here, How Much Will They Hurt? (Mirror)

The Atlantic: New Leakers Accuse Bank of America of ‘Corruption and Fraud’ (Mirror)

Business Insider: Bank Of America “Leaks” Are A Total Letdown And The Source Is A Whiny Former Employee (Mirror)

Gawker: Anonymous to Leak Bank of America Documents Monday (Mirror)

Twitter: #BlackMonday