Encryption Blog
Doug McLean | 04 Oct 2008 | 0 comments

As a lifelong resident of California I’d be the first to admit that state politics on the left coast can sometimes be a little peculiar.

Last month, with the Governor and the Legislature at their traditional impasse over the state budget, the Governor was threatening to veto the budget AND more than 900 other bills if the Legislature voted to override his budget veto. Finally, on September 18 the governor and the legislature agreed on a budget (80 days late). With this piece of business out of the way, Governor Schwarzenegger turned his attention to processing the 896 bills passed by the legislature in the wake of the budget deal.

Unfortunately, this didn’t leave the governor enough time to do the standard due diligence on which bills to sign or veto. In California the governor must do one or the other, as we have a sort of “reverse pocket veto” law that...

Doug McLean | 23 Sep 2008 | 0 comments

Congress Passes Cybercrime Bill

While the executive branch of the U.S. government was consumed last week with helping the credit markets find a way out of the desert, the legislative branch focused just long enough on cybercrime to pass an important bill.

The House finally passed the Identity Theft Enforcement and Restitution Act and sent it to the president for signature. The bill passed the Senate unanimously in July of last year, but had been stalled in the House behind other "legislative priorities". Though as the 110th Congress has passed fewer bills than any Congress in the years they've kept records, you kind of have to wonder just what those other priorities were.

Still, we should be thankful Congress is finally taking its responsibility to upgrade the...

Doug McLean | 18 Sep 2008 | 0 comments

The U.S. Department of Justice yesterday released the results of a cybercrime survey in which they polled nearly 8,000 businesses about their experience with cybercrime. Not surprisingly, they found that 67% of their respondents had detected at least one cyberattack in 2005 (the period studied). In addition, more than 90% of respondents that had detected an attack acknowledged financial loss as a result. When it came to the specific threats posed by outright cybertheft, only about 10% of respondents claim to have been victimized. What's truly disturbing, however, is that only half of those victimized reported the theft to law enforcement.

Three Thoughts That Struck Me

-If enterprises aren't going to adopt the same reporting standards for cybertheft that they'd have if a thief broke in and raided the...

Doug McLean | 15 Sep 2008 | 0 comments

Damon Patrick Toey pleaded guilty Friday to his role in the TJX breach. The legal strategy being pursued by the prosecution here is pretty clear: get one or more of the minor players to roll over by promising leniency if they testify against the "bigger fish". In this case the big fish is the purported ring leader, Albert Gonzalez.

We'll be able to tell just how much confidence the government has in its case based on the number of guilty pleas they'll extract from the co-conspirators before they take Gonzalez to trial. If they're highly confident that the body of evidence can get them a conviction, they'll probably only offer deals to one or two others and they'll take Gonzalez to trial rather quickly. If there are holes in the evidence, they'll negotiate with the other perpetrators to see who they can...

Doug McLean | 03 Sep 2008 | 0 comments

A report out of the Identity Theft Resource Center claims that the number of data breaches in 2008 has already surpassed 2007's total of 446. While it's intuitively obvious that the number of data breaches is increasing, I have a hard time putting much credence in the actual numbers reported by the ITRC or the reasons they cite for the increase.

The first problem with counting data breaches is that we all need to admit that the only statistics we see at all are reported data breaches. Until 2003, when California passed the watershed legislation in this field, SB 1386, very few breaches had to be reported and predictably almost none were. Initially, many global enterprises ignored SB 1386, assuming that if they didn't have a presence in California they weren't subject to its requirements. It took a while before most enterprises, particularly those outside of...

Doug McLean | 24 Aug 2008 | 0 comments

Jesper Johansson posted a really terrific piece entitled "Anatomy of a Malware Scam" on The Register Friday. Johansson is an All-Pro security expert and researcher and does a marvelous job of breaking down an extremely complicated scam into terms even most civilians can understand.

He not only explains the computer and social engineering gambits involved in this particular fake malware detection scheme, but analyzes the nature of the team that executed it. There is a LOT of sophisticated software engineering involved in this attack, and if you had any doubts that the malware business has been taken over by professionals, this should put them to rest. This fake anti-malware utility is in some ways better designed from a usability standpoint than some of the legitimate tools out there. The problem, of course, is that its real purpose (or at least one of them) is to...

Doug McLean | 15 Aug 2008 | 0 comments

OK, it may not be as big a news story as Lindsay Lohan announcing she's converting to Judaism, but I thought the story coming out of embattled Georgia that they have been seeing massive Distributed Denial of Service attacks originating in Russia is interesting. No, not the fact that the Russians clearly view cyberwar as an integral part of modern warfare. They proved that LAST year when the Russians brought the 'net infrastructure of Estonia to its knees in a dispute over a Russian war memorial.

No, what I found interesting is that it's not at all clear who in Russia is orchestrating the attacks. Early reports focused on the Russian military and some shadowy botnet service providers. Now there's speculation that it may simply be a group of patriotic Russian hackers doing their best to defend the motherland. Gary Warner at University of Alabama Birmingham has done some really...

Doug McLean | 14 Aug 2008 | 0 comments

It's been said that you shouldn't ever overestimate the intelligence of your basic criminal. One of my favorite cybercrime stories, however, deals with a perpetrator who was clearly smart enough, but was just unlucky...very unlucky.

In June 2004 Sharon Durbin was a small-time crook living in Harris County in South Texas. She’d been struggling to find a way to support her lifestyle and thought she’d hit on the perfect solution. Using a stolen bank account number and a fake ID, she started writing checks against the bank account of one Chuck Rosenthal. For a while her scam worked, until one day she got a little greedy and wrote a check for $1,071. When the check cleared, Mr. Rosenthal noted the amount and the payee and determined something was amiss. Mr. Rosenthal, who had some familiarity with the potential loss from identity theft, immediately closed the account and notified the Harris County prosecutor’s office. This last step wasn’t difficult...

Doug McLean | 12 Aug 2008 | 0 comments

It's been an extraordinarily active week on the cybercrime front and it feels like a good time to initiate a new blog I've been thinking about for some time. For those of us that track cybercrime, identity theft and the other activities of Internet miscreants, it's clear that the nature of the game has changed in the last year. Cybercrime, historically an activity driven by testosterone-impaired geeks, has become the latest growth industry for organized crime. I'll look at some of the facts and statistics that demonstrate this in the coming weeks, but for now I want to look at some of the more interesting evolving stories.

First, there was the arrest of eleven suspects in the TJX case. For those of you that don't follow internet crime closely, this was the data breach that caused the release of 41 million records (mostly credit card numbers) into the wild. Estimates of losses to date run in the hundreds of millions of dollars. The FBI has been working...

Doug McLean | 12 Aug 2008 | 0 comments

Decryption Without Key Present

The PGPsdk has a feature that allows the Encrypted Session Key (ESK) from a message to be extracted and decrypted separately. The decrypted ESK can then be used later to decrypt the original message. It works as follows:

1) Assume the client has a PGP encrypted message. The PGPDecode() function is called with an event handler that extracts the ESK(s), which are presented to the handler during a kPGPEvent_PassphraseEvent.

typedef struct
{
   PGPByte   *sessionKey;
   PGPSize   sessionKeySize;
} SessionKeyInfo;
static PGPError sExtractESKHandler( PGPContextRef context,
                                    PGPEvent *event,...