October 2006 Archives

Noted blogger John Battelle reports in his blog based on a couple of pieces...about who Google (NASDAQ:GOOG) is working with these days.

One example from HomeLandStupidity.us he references:

IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.

The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.

John goes on to note:

This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.

The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex CIA agent Robert Steele, who may or may not be a trustworthy source.

I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....

This is ironic for two reasons:

1) Chris Boyd (Microsoft Security MVP) and head of our Malware Research Labs (currently on hiatus preparing for our talk at the RSA show and something he want talk about called The Fourth Wall) and yours truly- Wayne Porter, also Microsoft Security MVP, Director of Special Research, currently working on e-commerce analysis....were recently, along with the Facetime Communication's team and our Security Labs team, noted publicly on Google's Security thank you page:

Google Thanks You People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

* Alex Shipp, Messagelabs
* Bryan Jeffries
* Castlecops
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand

I add as an odd aside that after commenting on an article at ThoughtShapers on Google's move into podcasting/adsense and how they are tearing up top down media all kinds of people pinged me on whether I was one of the 'trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear in my personal blog notably here (The Google Rumor Mill Redux- Getting Details Straight) and an aside here Leaked Papers and Google Adsense.

Going back to John's observations though I have no idea how Google or to what capacity they are working with Homeland Security- I am just a cog. With their processing and information gathering power I would be hard pressed to say that it wouldn't make sense for DHS and / or the CIA not to want to do so.

Remember that GUID I talked about at Revenews? (Note: GUID is a Globally Unique Identifier. A GUID is often a pseudo-random number used in software applications. Each generated GUID is "statistically guaranteed" to be unique.)

For example, the concept of a GUID or the longer they use a service (even anonymously and in aggregate) makes it easier to determine who they are. Granted Google may not have any nefarious purposes for this, but what happens when other agencies do? You might be ?anonymous? to Google, but when another agency plays connect the dots after obtaining access to your machine and subpoenas activity around a GUID- you aren?t so anonymous anymore. In reality, you become an online novel- I can perhaps establish your character by your queries. Of course, this risk exists with any tracking mechanisms, but a service as ubiquitous as Google, especially one that looks at queries, is all the more potent.

2) I do know that Homeland Security does pay attention to cyberthreats- as they should. I was surprised to find some of our research in their daily briefing reports, specifically around some notable worms. These reports a.k.a. The DHS Daily Open Source Infrastructure Report (Daily Report) is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. They divide it up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

An Example- this was over the KMeth Worm, which I find interesting.

  • Kmeth Worm noted by DHS [PDF Document]
  • Most of these Daily Briefings- which are free and unclassified appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...

    Tin Foil Hats? I don't know. Safety and privacy and security are all different but related and require a delicate balance. Then you have to think back to the NSA wiretaping scandal. Did people really notice? Did they really care?

    Take a look at Google Trends (given the questions is this a good place to validate this question?). Google trends is a fairly good indicator of search activity. It is an indirect reflection of what is going on online.

    Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping

    Click to See Chart

    Interesting...there is some movement there.

    Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping

    Click to See Chart

    Nada, zilch. Not even if you analyze U.S. queries only- despite major press coverage. Try your own strings and see what turns up.

    Of course per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."

    Mark Foley Scandal Rages On Over Instant Messages (IM)

    Excepts and citations from the Wikipedia on the Foley Scandal. To learn more about what this means in terms of government and business and how IM documents should be treated as any other watch this Fox news segment from Kailash Ambwani, CEO of Facetime Communications...as he covers why words like "guarantee", "rumor" or incidents like the Mark Foley Scandal and not logging Instant Messenging can put a big business at a big risk.

    Foley's e-mails to the former Congressional page in Louisiana, who was 16 at the time, said in part:

    "I am in North Carolina...and it was 100 in New Orleans...wow that's really hot...well do you miss DC...it's raining here but 68 degrees so who can argue...did you have fun at your conference...what do you want for your birthday coming up....what stuff do you like to do,"


    "I just emailed will...hes such a nice guy...acts much older than his age...and hes in really great shape...i am just finished riding my bike on a 25 mile journey..."

    "how are you weathering the hurricane....are you safe?send me an email pic of you as well...."

    The instant messages from 2003 that ABC obtained after its initial story were much more explicit than the e-mails from 2005 sent to the Louisiana page, and reportedly with a former page now employed in Oklahoma. According to several former congressional pages, the congressman used the screen name Maf54 on these messages. One exchange included:[

    Maf54: do you really do it face down
    Teen: ya
    Maf54: kneeling
    Teen: well i dont use my hand...i use the bed itself
    Maf54: where do you unload it
    Teen: towel
    Maf54: really
    Maf54: completely naked?
    Teen: well ya
    Maf54: very nice
    Teen: lol
    Maf54: cute butt bouncing in the air

    In another exchange, Foley proposed to meet with a former page:

    Maf54: I want to see you
    Teen: Like I said not til feb?then we will go to dinner
    Maf54: and then what happens
    Teen: we eat...we drink...who knows...hang out...late into the night
    Maf54: and
    Teen: I dunno
    Maf54: dunno what
    Teen: hmmm I have the feeling that you are fishing here...
    im not sure what I would be comfortable with...well see

    An exchange that took place in April 2003 apparently reveals Foley engaging in cybersex with an eighteen-year-old former page as the House voted on an emergency supplemental appropriations bill to fund the Iraq War; the released portion does not contain the purported cybersex exchange:

    Maf54: ok..i better go vote..did you know you would have this effect on me
    Teen: lol I guessed
    Teen: ya go vote?I don't want to keep you from doing our job
    Maf54: can I have a good kiss goodnight
    Teen: :-*

    In another exchange, Foley appeared to invite the same page to his apartment with a friend to consume alcoholic beverages:

    Maf54: we will be adjourned ny then
    Teen: oh good
    Maf54: by
    Maf54: then we can have a few drinks
    Maf54: lol
    Teen: yes yes ;-)
    Maf54: your not old enough to drink
    Teen: shhh?
    Maf54: ok
    Teen: that's not what my ID says
    Teen: lol
    Maf54: ok
    Teen: I probably shouldn't be telling you that huh
    Maf54: we may need to drink at my house so we don't get busted

    - For another transcript visit ABC News (warning explicit language)

    - Kailash Ambwani Video on Foley Incident and Instant Messenger auditing and control.

    There has been quite a bit of controversy over the "Mark Foley Scandal".

    From the Wikipedia:

    Mark Adam Foley (born September 8, 1954 in Newton, Massachusetts) was an American Republican politician and a member of the United States House of Representatives from 1995 until 2006, representing the 16th District of Florida.

    Foley resigned from the U.S. Congress on September 29, 2006 after it surfaced that he had sent sexually explicit instant messages[1] to former Congressional pages who were both under and over the age of 18.[2] [3][4]. He had previously been warned about "overly friendly" emails to former Congressional pages. As a result of the disclosures, the Federal Bureau of Investigation (FBI) and the Florida Department of Law Enforcement (FDLE) opened an investigation of the messages to find possible criminal charges

    Given the government has put into effect all kinds of laws about digital messenging to protect people:

    - Gramm-Leach-Bliley Financial Modernization Act (GLBA)

    - Sarbanes-Oxley Act of 2002 (SOX)

    - Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    One has to wonder who watches the government for oversight in the digital realm? That is beyond my scope of knowledge, but companies might think about what a scandal like this might mean to them.

    So where do you start? First figure out how much instant messenging traffic is going on in your network. Facetime has a free tool called the RTMonitor that can help with this.

    Also get educated. Establish some IM policies- don't let incidents establish you. Facetime sponsored this whitepaper from the ReymannGroup.

    A little snippet:

    "...With the increased privacy and security awareness among businesses, customers, and our elected officials, traditional best practices are being incorporated into new laws and regulations that define a higher security standard that all affected organizations must achieve. Information security is no longer only a prudent business decision, it is mandated!..."

    It's free and has a handy checklist too.

    Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup)
    [Direct Download PDF]

    Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

    Remember the modular Pipeline Worm the Facetime Security Labs Team uncovered recently? The W32.Pipeline Worm, which hit right before the really strange MSN HeartWorm.a...Thanks to the guys Twisted Pair at Network for the mention of the menace.

    They also covered some nasty work via another Russian pron attack from our research friends at Sunbelt Software get.

    The Pair note the Pipeline Worm, the rootkit element and the botnet menace and give a nice mention of our RTGuardian 500 device which won the Network World Choice Award also see here. We clocked in with a latency of zero milliseconds on executable and nonexecutable and an efficacy of 98.5%! Great job research and great job from engineering.

    From the pre show blurb:

    Jason and Keith talk about the winners in the Motorola-Symbol deal; more battery recalls involving Sony; a new AOL IM worm that has obvious red-flag warnings; Russian porn site security risks; Life is (Not) Good; iTunes million dollar movie week; and, the continuing HP spy saga. Plus Pigskin Pick'em! (32:39)

    Streaming Podcast Page: Located Here

    Are on the goal- grab the MP3 and pop it into your player of choice...or whatever you do with your MP3's!

    About this Archive

    This page is an archive of entries from October 2006 listed from newest to oldest.

    September 2006 is the previous archive.

    November 2006 is the next archive.

    Find recent content on the main index or look in the archives to find all content.