Are You Ready for Electronic Commerce Crime?
by Richard Power and Rik Farrow

Recently, a man walked into a smoking room at San Francisco Airport. He carried an encrypted CD-ROM disk with approximately 100,000 credit cards on it. The secret code to decrypt the CD-ROM was based on the first letters of the sentences in a specific paragraph on a specific page in Mario Puzo's The Last Don. He thought he was going to walk out with $260,000 in cash for the CD-ROM. Instead, FBI Special Agent Cal Dalrymple placed him under arrest and took him into custody.

Crime follows money. And many hundreds of millions of dollars have already flowed into cyberspace. For example, according to the Forrester Group (Cambridge, MA), the total value of goods and services traded between companies over the Internet will reach $8 billion this year and soar to $327 billion by 2002.

But like the bears descending on Yosemite valley camp sites, denizens of the electronic underground, lured by the scent of easy money, have begun to paw at poorly protected commerce servers. Consider the case of Carlos Salgado, Jr. (aka SMAK).

Salgado, a 37-year-old Daly City man, hacked several companies doing business on the World Wide Web (WWW), including an Internet Service Provider (ISP) and two other companies. Exploiting known operating system flaws and utilizing commonly available hacking tools, Salgado gained unauthorized access to the companies' systems and harvested tens of thousands of credit card records from them.

The details of Salgado's digital adventures and the FBI investigation that brought him to justice provide a fascinating and invaluable glimpse into the shadows of cyberspace and shed light on the dark side of the electronic commerce gold rush.

The companies involved weren't major financial institutions or other high-profile organizations. They were simply selling goods and services on the Web.
In other words, they were the kind of companies where already overburdened network professionals might say, "Who would want to hack us?" It should also be noted that two of the companies involved had no knowledge that they had been hacked until the FBI notified them. They were grateful for the heads-up and cooperated in the investigation.

Diary of a computer crime investigation

A technician performing routine maintenance at a San Diego-based ISP came across tell-tale signs of unauthorized access and discovered a packet sniffer used to collect logons. The technicians then discovered that the intruder was still logged onto the system. The relevant files were backed up. As the technicians were backing up the files, the intruder was deleting files to cover his tracks. The compromised computer was taken off-line.

The unauthorized access was traced to the University of California at San Francisco (UCSF). The FBI was called in.

A customer who was to become a cooperating witness in the case notified the ISP that he had talked to a hacker using the handle SMAK via Internet Relay Chat (IRC). SMAK boasted of the hack and of gaining the credit card information. He offered to sell the credit card information along with another database of 60,000 credit card numbers.

San Francisco FBI agents conducted interviews at UCSF and determined that the unauthorized access into the ISP's system originated from the compromised account of an innocent student.

The cooperating witness continued communications with SMAK. They discussed the possibility of purchasing small samples of the credit card information. It was hoped the ongoing communication would provide the time to track and identify SMAK and encourage a face-to-face meeting.

In one of these encrypted messages, Salgado provided some insight into how a hacker does his research. (See figure 1.)
Figure 1. Decrypted e-mail from Salgado to a potential buyer

There may be a delay in our business together of a day or so. It's not necessarily a bad thing. Let me explain. This morning i was reading a business magazine article about online transactions on the internet and a particular niche in services. A couple companies were mentioned that generated SEVERAL MILLION dollars in CC transactions a week! I decided to go exploring and got into their sites. The article was right! However, i need to explore the sites for a little while to establish firm control and locate machine extractable data. I think it is worth it. --Smak

The cooperating witness (under the direction of the FBI) asked, "How many of the credit card numbers are valid?" The cooperating witness bought 710 of them for $1 each. SMAK sent the database as an encrypted e-mail attachment. The numbers were determined to be valid credit card numbers with credit limits from $5,000 to $12,000. The cooperating witness paid SMAK the $710 via anonymous Western Union wire transfer.

The cooperating witness purchased 580 more credit card numbers for $5 each. SMAK received the $2900, again via anonymous Western Union wire transfer.

The meet was arranged for May 21 at 11:15 am, in the smoking room at gates 60-67 in the American Airlines Terminal at SFO. (See figure 2.) Salgado brought an encrypted CD-ROM containing approximately 100,000 credit card numbers and a paperback copy of Mario Puzo's The Last Don. The code to decrypt the CD-ROM was composed of the first letter of each sentence in the first paragraph on page 128. Salgado was arrested and advised of his constitutional rights. He waived his rights and spoke to the FBI.

Salgado was indicted on five counts: three counts of computer crime under 18 U.S.C. Section 1030, and two counts of trafficking in stolen credit cards under 18 U.S.C. 1029.
He pleaded guilty on four of the five counts and faces up to 30 years in prison and a $1 million fine.

Don't underestimate Internet-based credit card theft

VISA USA's Fraud Control team played a vital role in helping keep the investigation on track and moving swiftly, particularly by providing figures on the scope of financial losses. There were 86,326 valid credit card accounts compromised. These compromised cards affected 1,214 different financial institutions. Forty-five of them had more than 100 accounts at risk. Considering average credit card fraud losses (for example, $616 for mail order/telephone order fraud, $1,335 for credit card counterfeiting, and $1,836 for fraudulent credit applications), the potential impact could have been a staggering $1 billion. The average $125 cost for card reissue alone adds up to over $10 million ($125 x 86,326 = $10,790,750).

The next time you hear a high-tech industry sycophant on TV telling consumers that it is "perfectly safe" to send their credit card numbers over the Internet, remember these figures. The real security concern for information security practitioners and law enforcement agents has never been the risk to just one consumer doing a single credit card transaction over the WWW. The real security concern centers on the vulnerability of front-line commerce servers doing millions of dollars worth of transactions and the back-end database servers brimming with credit card information. The encryption of a single transaction doesn't guarantee the confidentiality of the networked computer on which it is stored, just as a properly administered firewall doesn't ensure that there are no other points of entry into the network it guards.

The crest of an electronic commerce crime wave?

The significance of the Salgado case should not be lost.
It shows that there is a market for databases of credit card information purloined from commercial Web sites. Salgado thought it was plausible that someone would offer him big money for the data. It also shows that such data is not very difficult to obtain. No one has suggested that Salgado was an 'elite hacker.' Indeed, one writer close to the underground described him to me as "a bottom feeder." But he was standing in SFO with an encrypted database containing over 80,000 credit card records stolen from the on-line sites of three commercial enterprises, wasn't he? There were firewalls in place and Secure Sockets Layer (SSL) was used, but Salgado got around them. He is brighter than some observers have characterized him, but it is also easier to accomplish such hacks than many have been led to believe.

The Salgado case also offers a glimpse into the modus operandi of electronic commerce criminals. He launched his attacks from the compromised account of an innocent individual. He conducted on-line negotiations using encrypted e-mail and received initial payments via anonymous Western Union wire transfer.

Information Age crime will be different in many ways from Industrial Age crime. In the 21st century, bank vaults, armored cars, closed circuit video cameras and silent alarms will still be used; but firewalls, intrusion detection, encryption, digital signatures and other sophisticated technologies will grow in importance. However, as the Salgado case shows, technologies like firewalls and encryption alone aren't enough. For the dream of the electronic commerce gold rush to come true, corporations are going to need adequately staffed and trained information security teams, and they will inevitably have to turn to competent law enforcement agencies to capture and convict those who attempt to rob them.

If your organization suffers a serious computer intrusion, CSI and the FBI recommend the following steps:
- Report the incident promptly to law enforcement.
- Preserve evidence of the incident.
- Designate a liaison person to interact with law enforcement.
- Track economic losses/costs of the incident and the related investigation.

Electronic commerce security checklist

Remember, the companies that were hacked in the Salgado case had firewalls in place and used SSL to encrypt their transactions. Security is not just technology.

[RICHARD: SSL only protects data while it is traveling across the Internet, not once it is on site. Also, there were firewalls, but where was the data in relation to the firewall? The Web server should have been external, and the database server on a carefully defended internal network. Just saying there is a firewall really doesn't help. Also, I heard recently that there is a page out there which talks about the hack of Checkpoint via their firewall last April that I told you about, but I do not know where it is yet. RIK]

Here are some essential items for your electronic commerce checklist.

Rein in rogue initiatives. Write a strong, enforceable policy that demands management approval for all Internet-based electronic commerce endeavors (even purely informational content) before they are deployed. It is fairly typical for Web site building to get out of hand throughout the enterprise while you're still deliberating on what standards to implement. Commend the zealots for their initiative, but pull the plug. Rogue Web commerce sites within a corporate environment are like a flowery meadow strewn with land mines. It may look pleasing to the eye, but it is probably bristling with serious liability and security problems.

Conduct a thorough risk assessment. There are numerous risks, threats and vulnerabilities that the flesh of your servers is heir to, but how are you going to prioritize them? Which are the most plausible? Which are the least likely? What's your worst case scenario for a full-scale security breach?
What kind of financial loss could your enterprise sustain? Could it absorb the hit? Sit everybody down to brainstorm. Conjure each nightmare scenario and think it through. What is the cost of the potential hit? What would be the price-tag to defend against it? What are the trade-offs? What can you afford? What do you stand to lose? What is the cost of down time? What proprietary information is at risk and how would you value it? What kind of incident would result in an irreparable loss of customer trust?

Evaluate the security of your trading partners. Enterprises wishing to conduct Electronic Data Interchange (EDI), Electronic Funds Transfers (EFT) and other forms of business-to-business EC must take steps to ensure that their trading partners have a level of security at least as good as their own. For example, ask if they have documentation from any third-party security audits that they can share with you.

Make certain that trading agreements address liability and other legal issues. What happens if there is a dispute? Who is responsible for damages? These contingencies must be agreed upon before initiating transactions. Existing EDI or commerce policies may or may not translate well into cyberspace.

Incorporate EC into your overall network security architecture. After all, they will impact each other. For example, if your EC security is strong and your network security is weak, you could well be the victim of an end run around the EC security. Remember, Salgado was successful in spite of firewalls and SSL. Which brings up another question: is there a comprehensive network security architecture at all? If not, the move into Internet-based EC might be an excellent opportunity to get one formulated.

Keep an eye on the Standard of Due Care. Be sure to activate and rigorously apply security controls supplied by vendors and Internet Service Providers. Use appropriate security tools as they become available (e.g., firewalls).
Implement accepted security protocols (e.g., SSL).

Utilize strong encryption for both confidentiality and integrity. Keys under 80-100 bits may not be good enough. Keys of 40-50 bits can be broken by determined attackers using brute force. But U.S. crypto export restrictions may complicate matters. You must weigh the risk versus the business needs. Stay tuned to the crypto policy debate to be ready to take advantage of breakthroughs or to prepare for set-backs.

[RICHARD: For most purposes, 80 bit keys are plenty for now. And perhaps the issue of even keeping a credit card number online past the date of a completed transaction should be dealt with in policy. The customer can be forced to provide the credit card for each purchase. Or the credit card number should be kept in a secure, encrypted environment, and require manual, operator-assisted operation to use the credit card. If use of credit card numbers is automatic, the attacker can use that automatic operation to steal the numbers and info... RIK]

Protect the crypto keys. The decrypted values and keys should be stored on a system that has NO connection to the outside network. Consider a "security module" or "tamperproof enclosure" that erases the keys if and when the device is tampered with. If you don't adequately protect your crypto keys, pounding your chest about the strength of the algorithm or the length of the key is meaningless. If someone can get access to the crypto keys, not even an immediate and complete removal of export restrictions will save you.

[RICHARD: Sorry, this point escapes me. We can get strong encryption today, even if we must import it. RIK]

Secure the commerce server. The host (i.e., the commerce server) should be behind a firewall. The host should not be used for development, general usage or other processing beyond data reception and WWW service.
For example, a stripped-down server on an Apple or other PC box might be much preferable to a general-purpose UNIX or NT box.

[RICHARD: The Apple Web server does not function well for EC (lack of flexibility to support CGI or scripts). UNIX can be stripped down to the bare essentials, and made as secure as a dumb Apple, but provide much better performance. NT cannot be stripped down, except perhaps by five people who all work at Microsoft. RIK]

Audit the commerce server. Regular, thorough audits as well as intrusion detection efforts should be conducted on host systems.

Protect the data. Transaction data (including credit card numbers, etc.) should not be stored on the commerce server box, but rather batched to another machine, off the net, to be decrypted and stored.

Implement strong authentication. One-time authentication (e.g., PCMCIA or smart cards) should be preferred to any fixed password scheme, as long as it is not cost-prohibitive.

Institute a "Warning" banner for network logons. You need a notice about the monitoring of on-line activity that appears whenever individuals (whether authorized or not) log on to the network. Unless you have this in place, law enforcement investigators may well be hamstrung and you may even end up on the wrong side of a civil suit.

Establish an Emergency Response capability. Don't wait until it's too late. Organize a team, delegate assignments and drill for the inevitable. Build liaison with local law enforcement, so that you have a relationship of trust already established.

Prepare to identify, collect and preserve cyber-crime evidence. You'll need a copy of the baseline system before it was tampered with, and you'll need copies of the system during and after the hacks (preferably a bit image copy of every sector or every block on an electronic storage device). Don't store the evidence on the network! Keep hard copy of the logs.
Get out your calculator and document financial losses due to the intrusion.

[RICHARD: For purposes of collecting evidence, you want the original hard drive. A copy can be made, repaired, and used back in the attacked system, but the original becomes the evidence. RIK]

Get your PR flak ready. Enterprises that take "Emergency Response" seriously have boiler-plate press releases ready to run in the event of a digital calamity.

[RICHARD: Actually, I think most people have a policy AGAINST press releases. You might prepare your PR in case the incident becomes public. RIK]

Devise disaster recovery and business continuity plans for both EC applications and data. For example, institute a hot-spare plan (perhaps including RAID disks). Also, backups should be stored in such a manner as to ensure that they are kept safe.

Familiarize yourself with the various types of fraud and prepare to deal with them. There should be clear policies and mechanisms for how to respond to complaints from customers of fraud by the merchant, and to complaints of fraud committed by customers. Security must be as transparent as possible to the end user.
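The investigation diary above began with a technician noticing a packet sniffer collecting logons. A sniffer on a shared network segment has to put the interface into promiscuous mode, and on Linux the kernel exposes that state as the IFF_PROMISC bit (0x100) in /sys/class/net/<interface>/flags. The following check is an added example written for this article, not code from the authors or from any tool the article names; the sysfs path is a parameter so the same function can be run against a constructed directory tree (the sample values below are constructed) or against a live host.

```python
"""Check Linux network interfaces for promiscuous mode (added example).

A sniffer that collects logons from a shared segment normally puts the
interface into promiscuous mode. The Linux kernel exposes interface flags
as a hex string in /sys/class/net/<iface>/flags; IFF_PROMISC is bit 0x100.
"""
import os
import tempfile

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface accepts every frame seen on the wire


def parse_flags(text: str) -> int:
    """Parse the contents of a sysfs 'flags' file, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def scan_interfaces(sysfs_root: str = "/sys/class/net") -> dict:
    """Return {iface: {"up": bool, "promisc": bool}} for every interface
    with a readable flags file under sysfs_root. Unreadable or malformed
    entries are skipped rather than treated as findings."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        flags_path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(flags_path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue
        result[iface] = {"up": bool(flags & IFF_UP),
                         "promisc": is_promiscuous(flags)}
    return result


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of interfaces currently in promiscuous mode, for alerting.
    Absence is not proof of absence: a sniffer on the gateway host itself,
    or one fed by a switch mirror port, need not set this bit."""
    return [name for name, st in scan_interfaces(sysfs_root).items()
            if st["promisc"]]


def build_sample_sysfs(root: str = None) -> str:
    """Construct a fake sysfs tree for offline use (constructed values):
    'lo' is a normal loopback, 'eth0' is up and promiscuous, 'eth1' is up
    and not promiscuous."""
    root = root or tempfile.mkdtemp()
    samples = (("lo", "0x9\n"), ("eth0", "0x1103\n"), ("eth1", "0x1003\n"))
    for iface, flags in samples:
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(flags)
    return root


if __name__ == "__main__":
    sample = build_sample_sysfs()
    print("sample tree:", promiscuous_interfaces(sample))   # ['eth0']
    print("this host:  ", promiscuous_interfaces())
```

Run it from cron or a host-monitoring agent and alert on any non-empty result; an interface that is legitimately promiscuous (a monitoring probe, a bridge port) should be on an explicit allow-list rather than silently ignored.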
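The evidence-preservation item in the checklist above calls for a bit image copy of every block on the storage device, and Rik's note adds that the original drive remains the evidence while a copy is what gets used and repaired. The script below is an added example, not code from the article or its authors, showing how such a copy is made and later proven to match: it reads the source in fixed-size blocks (a block device such as /dev/sdb, or, here, a constructed file standing in for a drive), writes an identical image, hashes source and image independently, and records both in a JSON manifest that a later examiner can re-verify. File names and the manifest layout are this example's own choices.

```python
"""Make and verify a bit-for-bit evidence image with a hash manifest
(added example, not from the article)."""
import hashlib
import json
import os
import socket
import tempfile
import time

BLOCK_SIZE = 1 << 20  # 1 MiB reads, the same pattern as dd bs=1M


def sha256_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image_path: str, manifest_path: str,
                 block_size: int = BLOCK_SIZE) -> dict:
    """Copy every block of `source` to `image_path`, hashing as it is read,
    then re-hash the finished image from disk and write a JSON manifest.
    The source is opened read-only; the original is never written to."""
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())           # make sure the image is on disk
    manifest = {
        "source": source,
        "image": image_path,
        "bytes": size,
        "source_sha256": h.hexdigest(),
        "image_sha256": sha256_file(image_path, block_size),
        "examiner_host": socket.gethostname(),
        "imaged_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    # Both hashes must agree, otherwise the copy cannot stand in for the original.
    manifest["verified"] = manifest["source_sha256"] == manifest["image_sha256"]
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path: str, manifest_path: str) -> bool:
    """Re-hash an image and compare it with the hash recorded at imaging time."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    return (os.path.getsize(image_path) == manifest["bytes"]
            and sha256_file(image_path) == manifest["image_sha256"])


def demo(workdir: str = None) -> dict:
    """Construct a small fake 'drive', image it, verify the image, then
    change one byte of the image and show that verification fails."""
    workdir = workdir or tempfile.mkdtemp()
    drive = os.path.join(workdir, "fake_drive.bin")       # constructed stand-in
    image = os.path.join(workdir, "evidence.img")
    manifest = os.path.join(workdir, "evidence.json")
    with open(drive, "wb") as fh:                          # constructed content
        fh.write(b"\x00\x01\x02\x03" * (3 * 1024 * 1024 // 4))
        fh.write(b"\nlast_login: user@example.com (constructed sample)\n")
    m = image_device(drive, image, manifest)
    intact = verify_image(image, manifest)
    with open(image, "r+b") as fh:                         # tamper with one byte
        fh.seek(1234)
        fh.write(b"\xff")
    return {"hashes_match": m["verified"],
            "verify_intact": intact,
            "verify_after_tamper": verify_image(image, manifest)}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is printed and signed by the examiner and kept with the sealed original, which is what the checklist means by keeping hard copy; the image file and manifest then travel together, and anyone handed the image can call verify_image before relying on it.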