Tuesday, June 13, 2017

The EFF, Geek Squad and The U.S. Constitution

This week the Electronic Freedom Foundation #EFF announced that it was suing the Geek Squad of Best Buy computer service fame. The EFF is suing to obtain records that it believes detail how Geek Squad employees were used as paid informants of the FBI. I know what you are already thinking: the government is already spying on computer users. So what is the big deal about this?

Well, I’m glad you asked! The Fourth Amendment to the U.S. Constitution spells out that the government must obtain a warrant before conducting a search of your person or belongings. Of course, it also goes on to list the items needed before a warrant can be granted, things like probable cause, sworn statements and a neutral judge to oversee the whole thing.

Well, in this case the EFF claims that the FBI gave 8 or so Geek Squad employees training and software to search customer computers for child porn when the computer was brought in for service. The problem is that if your actions are being directed by law enforcement, you become an agent (in the legal sense, not with a gun or badge) and must obtain a search warrant before conducting a search for evidence of a crime.

According to the EFF, Geek Squad was helping FBI agents bypass warrant requirements to obtain evidence. There are plenty of cases where tech employees uncover evidence of a crime and forward it to law enforcement, even cases where hackers illegally obtained information and law enforcement officers were still able to use the data in prosecution.


I don’t always take the same side as the EFF, but in this case I think they have a point. It will be interesting to see where this goes.

Monday, June 5, 2017

What makes me #wannacry

By now most of you have heard of the #wannacry variant of ransomware, or at the very least you have heard of ransomware? Ransomware is a malicious computer program that encrypts a user’s computer and then offers to restore your files if you pay a ransom. Generally, the ransom is to an off-shore email account and payment is preferred in bitcoins. The solution to ransomware in general is to keep your anti-virus software up to date and be careful about downloading or opening random files that are emailed to you.

This post is not about ransomware, but about something that really makes a security professional “want to cry.” Those of us in the profession know that user education can stop most potential attacks, but user education is also one of the hardest items to make happen, even in a small organization.

Today’s topic is: DO NOT USE THE SAME PASSWORD FOR MULTIPLE SITES!

I have a current investigation on my desk with 47 victims and multiple stolen credit cards used to make online purchases of electronics. I will change the names and some of the data, because sharing information during an investigation is really, really frowned upon. Just ask James Comey.

The fraud was perpetrated by foreign nationals using all the regular hacker methods, but the one common item… victim after victim admitted to using the same password across multiple shopping sites and then compounding the problem by saving the credit card information online to make purchasing easier in the future.

The problem… it makes it much easier for bad guys to make fraudulent purchases with your information too. And the takeaway from this particular case?

Don’t reuse passwords across sites, and if you are feeling particularly security minded, don’t save card information either.

Saturday, May 27, 2017

Trump was Right..Almost..Sort of...

Not long after the election President Trump made the startling claim that he had been the victim of “illegal wiretapping” and he was right, almost, sorta. While most of the media discounted his claims as outright false, members of the Electronic Freedom Foundation and computer security professionals were a little more believing.

Not too long ago, Edward Snowden released documents detailing the NSA’s surveillance program named PRISM, among other intelligence programs. At the time, in an unprecedented trip, the head of the NSA went to speak at the BLACKHAT conference in Las Vegas. Among statements made at the conference was that the NSA did not have the ability to read the contents of an email.

Unlike a conference hearing in Congress, this was a room full of computer security experts. So, of course, there was a loud shout from the crowd of “Bullsh@t, if I can do it, you damn sure can!” Fast forward to this past week and the NSA reveals that they have discontinued the policy of reading the contents of emails sent by American citizens.

And so this brings me back to my original statement, maybe Trump is right, but in the language of “Politicians and Media” the surveillance wasn’t “ILLEGAL” and it was all electronic and not “TAPPING a PHONE LINE”, so the entire statement is obviously false. Only in Washington could such logic be followed much less believed.


The takeaway for the rest of us: IF you wouldn’t share that message, text or photo with your Grandma, you probably shouldn’t send it across the internet.

Saturday, May 20, 2017

Fraud and the Cost of Doing Business

This weekend is NOLA-Con, a great hacking, or to be more politically correct, computer security conference in the amazing city of New Orleans. Even though I missed this year, I still plan on checking out the videos of presentations and you should too!

In 2016, I got to give a talk at the conference on the challenges that law enforcement investigators face when investigating cyber crimes. I'm sure it's on YouTube somewhere if you care to look. One of the greatest challenges faced is the lack of cooperation by victims. I know what you are thinking, "How can that possibly be true?" If you have been a victim of identity theft, I feel your pain, but follow my logic for just a minute.

You log into your bank account one day only to find somebody used your account information to make several online purchases and now you are out several hundred or even thousand dollars. You quickly call your bank and after playing 20 questions with a fraud representative you are advised to contact local law enforcement and file a police report to complete your fraud claim.

Of course when you call your local police you want the bad guy caught and prosecuted to the "fullest extent of the law!" And you are willing to help in any way possible, at least for a couple of days. Thankfully, the bank refunds your missing money and you begin to lose interest. I know, we are all busy and downloading records or printing out information is a pain. Besides, you are busy with kids and work and school and church.....

Really, it's not your fault. The banks are almost as bad; some other person will send over that information at some other time. I no longer hold my breath waiting, and after a few weeks the case is marked "Inactive" and placed in a really, really big file cabinet never to be seen again. (Think of the last scene of the Indiana Jones Raiders of the Lost Ark movie.)

The problem is real money was stolen, either from the merchant (via chargeback) or the bank, or maybe an insurance company, and the current solution: "Just raise the price a little or charge another fee." That's just the cost of doing business.

Tuesday, May 16, 2017

Welcome to Cyber Case Files! My name is Chip Thornsburg and I am the CEO of Alamo Cyber Security. In all of my free time I am also a detective with the Helotes Police Department, or maybe it's the other way around. Anywho, I thought I might take some time to share stories of past cyber cases worked in a law enforcement capacity and in the private sector. I also intend to share some pointed tips on Cyber Security, how you can help protect yourself and maybe even some comments on the news of the day. Once again WELCOME and I hope you enjoy!