Security Watch
Click Fraud Rate Rises to 14.1%, Report Says
FBI consultant gets busted, Microsoft Private Folder pulled and the U.S. OMB issues security incident reporting rules.
A quarterly report published by Click Forensics suggests that, despite additional
efforts by large sites such as Google and Yahoo, bogus clicks on Web advertisements
continue to rise. As long as advertising rates are based on visits rather than sales,
this problem will continue to plague the marketing industry. The report points out
that fraudulent clicks may be generated by Web site owners to increase their own revenue,
or by competitors hoping to drain others' budgets. With such compelling
motivation, criminals are likely to keep finding ways to make money from this scheme.
Click Forensics does have a vested interest, although they go to great lengths
to describe themselves as being at arm's length. They produce software that allows
advertisers to analyze their clicks to determine which are fraudulent. They
say they are attempting to define an industry standard to identify fraud that
sites such as Google and Yahoo might accept.
Hacker at FBI Gets Home Detention, $20,000 Fine
Joseph Colon, contracted by the FBI to perform some form of computer consulting
in their Springfield, Ill. offices, was convicted of intentionally exceeding
his authorized computer access after pleading guilty to cracking the passwords
of the FBI director and others. He has been sentenced to six months of home
detention and $20,000 in restitution.
It never ceases to amaze me what some individuals consider to be benign or
legal. Just because the contractor has authorized access to the SAM files doesn't
mean he can feed them into tools designed to crack them! It's believed
that the reason this individual didn't get jail time is because the judge
felt he had "noble motives" behind his actions. Bah!
Microsoft Pulls Private Folder 1.0 in Wake of Data Recovery Concerns
Microsoft offered a free file-security tool to customers who had passed its
Genuine Advantage validation, which verifies that they are running a legitimately
licensed copy of Windows XP. The tool let each user on a system create a
"Private Folder," encrypted and protected with a password known only to that
user, so an individual could shield files of their choice from other users of
the same machine. Corporate administrators, however, complained that the tool
would create a quagmire for them, allowing employees to prevent administrators
from seeing all of the files stored on a corporate laptop, for example.
While it's certainly true that such a tool could pose problems for admins,
the tool is hardly unique in its abilities. Just because Microsoft has pulled
the tool doesn't mean that admins no longer face the challenge of privately
encrypted data on corporate PCs. Microsoft could easily have made the tool
installable only by administrators, and on domain-joined machines only by Domain
Administrators. Further, they could easily have provided Group Policy scripts
that detected the presence of the tool, or administratively prevented
its installation.
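One way an administrator could do the detection half of that, as an added example that is not from the column or from Microsoft: a PowerShell script, suitable for deployment as a Group Policy computer startup script, that scans the local uninstall registry keys for a product whose display name matches a pattern and writes a warning to the Application event log when it finds one. The display-name pattern "Private Folder" and the event source name "SecurityWatch" are assumptions; adjust the pattern to match how the product actually registers itself.

```powershell
# Added example, not code from the original column or from Microsoft.
# Detects an installed application by its entry under the Uninstall registry
# keys, the check a Group Policy startup script could run on every domain PC.
param(
    # Assumption: the product registers a DisplayName containing this text.
    [string]$NamePattern = 'Private Folder',
    # Assumption: an event source name for a central collector to key on.
    [string]$EventSource = 'SecurityWatch'
)

# Machine-wide installs register here (the second key covers 32-bit apps on
# 64-bit Windows). A startup script runs as SYSTEM, so HKCU is not the user's
# hive; per-user installs would need a logon script instead.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$found = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like "*$NamePattern*") {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    InstallDate = $p.InstallDate
                    Uninstall   = $p.UninstallString
                }
            }
        }
    }
}

if ($found) {
    # Registering the source needs administrative rights; a startup script has them.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $msg = "Unapproved software detected:`r`n" + ($found | Format-List | Out-String)
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 `
        -EntryType Warning -Message $msg
    $found
} else {
    Write-Output "No application matching '$NamePattern' registered on $env:COMPUTERNAME"
}
```

Assigning this as a computer startup script via Group Policy runs it with SYSTEM rights before any user logs on, and the event-log entry can be forwarded to a central collector. Detection only tells you the tool is there; preventing installation outright is the complementary control, and on XP that means a Software Restriction Policy rule against the installer rather than a script.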
The knee-jerk reaction by Microsoft to pull the tool makes one wonder what
their real concerns were.
OMB Directive Requires Reports of Suspected as Well as Confirmed Security Incidents
The U.S. Office of Management and Budget (OMB) issued a memorandum
[PDF] on July 12 revising the rules governing security
incident reporting. Specifically, it mandates that any incident,
suspected or confirmed, involving "personally identifiable information"
must be reported within one hour of discovery. Here is the OMB's definition
of "personally identifiable information":
"For purposes of this policy, the term Personally Identifiable Information
means any information about an individual maintained by an agency, including,
but not limited to, education, financial transactions, medical history, and
criminal or employment history and information which can be used to distinguish
or trace an individual's identity, such as their name, social security number,
date and place of birth, mother's maiden name, biometric records, etc., including
any other personal information which is linked or linkable to an individual."
This column was originally published in our weekly Security Watch newsletter.
It would seem obvious that the U.S. government doesn't want to get caught in
another media furor over the loss of personally identifiable information. But
it's hard to understand just what value will come of such a mandate other than
to ensure that they know prior to the media. Further, the mandate instructs
institutions that they "should not distinguish between suspected and confirmed
breaches." Such an instruction only has value to the receiving entity,
in this case the United States Computer Emergency Readiness Team (US-CERT). Presumably
they do not want US-CERT to act differently for suspected breaches than
it would for confirmed ones. Why this must be mandated to the institutions, rather
than to US-CERT, however, is unclear.
One of Bill Murray's Laws of Computer Security is: "Be careful what you
ask for, you may just get it!" In this case, the signal to noise ratio
as a result of this mandate will be extremely low, and possibly overwhelm the
US-CERT reporting mechanisms in the process.
More Employers Firing Workers for Misusing E-mail
Results of a survey released by the American Management Association and the
ePolicy Institute indicate that more employers are firing employees for inappropriate
e-mail, IM or blogging activities.
The results also show that more employers are being subpoenaed for their
employees' e-mail records, which suggests that such court actions
are making employers pay closer attention to what their employees are doing.
At the same time, it's unfortunate that a lot of management believes that the
only disciplinary mechanism available to them in this sort of case is termination.
They forget other options like changes of assignment, changes in pay, leave
without pay and others that may be cheaper than terminating somebody and just
as effective. Another option is to simply take the tool away from an offender.
Suspend e-mail or Internet access for those who abuse their privileges, rather
than fire them.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.