Home
Company information
 Workingarts Products
Customers & Testimonials
Partners
 Contact Workingarts
Security Alerts Archives





©workingarts.com
2002

July 2, 2002

CYBER CRIME OR COINCIDENCE?
by Frédéric Martin

Instead of writing about a specific information security technology, this month, I decided to tell you about a real world experience related to computer security. A few weeks ago, I was attending a network security conference at the Embarcadero Hyatt in San Francisco. After a long day of conferences, I sat at the bar and had a conversation with a few security luminaries, whom I will not name, because of the story I am about to tell you.

We discussed a recent legal case which involved a cyber chase after a man (who turned out to be a boy), who had sent ransom emails to two prominent US personalities -- one of whom shall remain nameless, but I can give you a hint: for a few years, that person has been holding the top spot in Forbes annual publication of the richest people on earth. I digress... The two unpleasant messages had been sent via email from the network of a well-known internet service provider's (ISP) email system. When the recipients received their message, they were asked to pay a large amount of money if they wanted to avoid losing their home or place of business to the destructive powers of explosives. A certain three-letter agency was immediately put on the case and, with the help of very well kept ISP and telephone company records, were able to zero in on a likely culprit. Soon after the information bits were correlated, the agency, reinforced with swat teams and all, stormed his apartment, seized his computers and detained the suspect. They confronted him with a mountain of circumstantial evidence, until he cracked and admitted to the cyber blackmail. The kid is now in jail. One should note that the case was decided without a jury trial. But more on that later...

So far, so good? Well, let's discuss the evidence: sure, he was online when the emails were sent out, sure he was the owner of the two separate accounts that were used to send out the threatening notes, sure the messages were written in similar language… but who's to say that he was the person at the keyboard when the emails were sent out?
You may remember that in last month's column, we discussed information security's most obvious initial concern: the identity of the person at the keyboard, passwords, and so-called stronger user authentication methods (biometrics, one time password calculators, Kerberos, etc.). Currently, most user ids and passwords, sent our during an ISP connection request, travel in clear text over the wire when a user logs into an ISP. At least that is the case with most ISPs, as it is with the specific one used to send the threatening electronic missives. It's also a good thing that the whole thing didn't make it to a courthouse, where the inherent vulnerability of our internet communications user authentication infrastructure would have been put on trial and where the defense would have easily made a clear case for its inherent lack of accountability. Were the guilty boy aware of the weakness of the prosecution's case, he could have dismissed the whole thing with a simple request: ask the prosecutor to prove, without the shadow of a doubt, that he was the person sitting at the keyboard, that he sent the messages and that no one else could have stolen his user credentials, either as they were transmitted in clear text over the internet or as they were easily viewed by the ISP's technical staff when the user logged in. To put it simply, there is no way anyone could have proved it. Period. Next case!...

Makes you think that more reliable user authentication just might become more of an issue in the coming years, does it not? The good that comes out of this story is that the courts, government and private industries are looking into solutions. It's an infrastructure issue that technology can already solve, today, with public and private key encryption algorithms. The technical work has been done and is already being used in the banking world. Now, it's up to the Internet infrastructure players to purchase it, as a necessary cost of business, and deploy it (and pass on the cost to the users). But then again, it may be up to regulatory agencies to make that happen.

Frédéric Martin can be reached at www.workingarts.com.

Sales tools|Marketing tools|Public relations|Partner development | Home

Contact information
workingarts
Telephone 559-662-1119
Fax 559-662-0865
Email getitdone@workingarts.com 
P.O. Box 1050
Madera, CA 93638-1050