Banks Fighting Back Against Retailers In Breaches

The WSJ is reporting that the bankers who were impacted by the Target and Home Depot breaches are fighting back.

Usually, Mastercard and Visa negotiate a deal with the retailer who was breached and then dole out the money to the banks.  The money seems to go to the big banks with the small banks being left out.

Earlier this month Target agreed to a deal with Mastercard to pay $19 million to cover the banks' costs from the breach.  Visa, it is assumed, will negotiate its own deal.  Usually, part of such a deal is that the banks agree to give up their right to go after the merchant themselves.  The banks have gone to the judge and said that they are not willing to do that.

To help understand why: the small banks are mad as hell and not going to take it anymore, to borrow an old quote.  A survey of 535 banks with assets below $1 billion revealed that nearly 75% of them did not receive a dime in reimbursements for breaches between 2009 and 2014.  NOT. ONE. DIME.  At the same time, all banks with assets above $50 billion were reimbursed.

Breaches are a bigger problem for small banks because they don’t have the economies of scale.  A big bank can issue a new card for 3 bucks.  It costs the small banks 10 bucks, for example.

The Chicago Patrolman’s Federal Credit Union has only 16,000 Visa cards in circulation.  Last year, they suffered $80k in fraud losses.  In the first quarter of this year, they had $55k in losses. That is hard for a small bank to swallow.  In a previous breach they suffered $150,000 in losses and received $1,000 in reimbursement.

This fight is likely to get ugly before it gets done.  One option for the small banks would be to decline to participate in the $19 million settlement, which I think they legally can do.  If history is any indicator, that might mean that they forgo getting that $1,000 check.

What it also means is that it is likely to get uglier for Target and Home Depot.  It could mean “death by a thousand cuts” where they are defending themselves against a whole bunch of lawsuits.

This is all speculative, but Target was likely thrilled to settle for $19 million when the banks said that they spent over a half billion.  If this winds up going to trial, which I doubt Target or Home Depot would ever allow – even if they had to give the banks a lot more money – it would reveal details that these retailers would rather keep quiet.

It also means that the breach stays in the public’s mind longer.

What this also means is that the days of breached businesses settling with the banks for pennies on the dollar or less may be over.

All very interesting – stay tuned as this plays out.

Then Target has to deal with Visa.  There isn’t even an offer on the table and given what is going on in court right now, I doubt there will be one until this is settled.

For any organization that collects NPI, this means the stakes are being raised.  Be smart.  You cannot guarantee that you won’t be breached, but, at least make it a challenge.

There Is Reason Vendors Want You To Use Their Apps – But It Is Not What You Think

A European security research group tested a group of 2,000 apps from the Play Store and found they connected to 250,000 different URLs from 2,000 different domains.

They found that one app in the sample, Music Volume Eq, an app designed to control volume, connects to almost 2,000 distinct URLs.

The study said that about 10 percent of the sample connects to more than 500 sites.

There is a difference between apps connecting to user tracking web sites and ad serving sites.  The research says that more than 70 percent of the apps do not connect to a user tracking site, but on the other hand, a few connect to over 800 tracking sites.

Remember that this is a sample and that while 2,000 apps, if well chosen, may be representative, they also may not be.

The team, from Eurecom in France, is working on an app that users can run to see where an app is connecting.  The app is called NSA in honor of a certain Northern Virginia Agency.

The article (see here) describing the study seems a little biased and hopefully the data is not.  For example it makes this huge revelation that “9 out of 10 of the most frequently contact (sic) ad-related domains are run by Google”.  Is that a surprise?

They also make the comparison below between Apple and Android, which, while it may be true, has nothing to do with the ad sites or tracking sites that an app visits.  The researchers do not talk about doing the same exercise with iPhones for some reason, even though it seems logical to do.

“There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more open because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious.”

What is important to understand is that most apps and web pages track you, to a greater or lesser extent.  The reasons are usually financial.  For the most part, the tracking is not nefarious, although with the ad networks, there are bad actors who use those networks to deploy malware.  This is all done behind the scenes transparently to the user.  And that data is sliced, diced, packaged, sold and resold.

Dirtboxes and Stingrays

I have written several items about cell site simulators or Stingrays.  Dirtboxes are stingray-like devices hung from an airplane that DoJ agencies use to capture tens of thousands of cell phones as they fly over hundreds of miles.

I said early on that it was going to be years before the crap hit the fan, but I later said I was wrong.  It is moving much faster.

Senators Grassley (R-IA) and Leahy (D-VT) have been spearheading the effort to get answers from the DoJ.  This post contains two items from Sen. Grassley’s web site about the questions the Senate is asking DoJ about its use of Dirtboxes and Stingrays.

Dec 31, 2014

WASHINGTON – Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Chuck Grassley (R-Iowa) pressed top Obama administration officials on the use of cell-site simulators, which can unknowingly sweep up the cell phone signals of innocent Americans.

Recent news reports have chronicled the use of such simulators by law enforcement, explaining that the simulators have the potential to capture data about the location of thousands of cell phones in their vicinity.  Leahy and Grassley previously pressed the FBI about the use of this technology.  In a joint letter sent last week to Attorney General Eric Holder and Secretary of Homeland Security Jeh Johnson, the Senators raised questions about exceptions to a new FBI policy to obtain a search warrant before using a cell-site simulator.  The Senators also asked about other agencies’ use of the technology.

“It remains unclear how other agencies within the Department of Justice and Department of Homeland Security make use of cell-site simulators and what policies are in place to govern their use of that technology,” Leahy and Grassley wrote.

Outlining privacy concerns for innocent individuals, the letter continues: “The Judiciary Committee needs a broader understanding of the full range of law enforcement agencies that use this technology, the policies in place to protect the privacy interests of those whose information might be collected using these devices, and the legal process that DOJ and DHS entities seek prior to using them.”

A signed copy of the December 23 letter to Attorney General Holder and Secretary Johnson is available Here.  Text of the letter can be found below.

December 23, 2014

The Honorable Eric H. Holder, Jr.
Attorney General
Department of Justice
950 Pennsylvania Avenue, N.W.
Washington, D.C. 20530

The Honorable Jeh Johnson
Secretary of Homeland Security
Department of Homeland Security
Washington, D.C. 20528

Dear Attorney General Holder and Secretary Johnson:

In recent months, media reports have detailed the use of cell-site simulators (often referred to as “IMSI Catchers” or “Stingrays”) by federal, state and local law enforcement agencies.  Most recently a November 14, 2014, Wall Street Journal article (“Americans’ Cellphones Targeted in Secret U.S. Spy Program”) reported that the United States Marshals Service regularly deploys airborne cell-site simulators (referred to as “DRT boxes” or “dirtboxes”) from five metropolitan-area airports across the United States.  Like the more common Stingray devices, these “dirtboxes” mimic standard cell towers, forcing affected cell phones to reveal their approximate location and registration information.  The Wall Street Journal article reports that “dirtboxes” are capable of gathering data from tens of thousands of cellphones in a single flight.

We wrote to FBI Director Comey in June seeking information about law enforcement use of cell-site simulators.  Since then, our staff members have participated in two briefings with FBI officials, and at the most recent session they learned that the FBI recently changed its policy with respect to the type of legal process that it typically seeks before employing this type of technology.  According to this new policy, the FBI now obtains a search warrant before deploying a cell-site simulator, although the policy contains a number of potentially broad exceptions and we continue to have questions about how it is being implemented in practice.  Furthermore, it remains unclear how other agencies within the Department of Justice and Department of Homeland Security make use of cell-site simulators and what policies are in place to govern their use of that technology.

The Judiciary Committee needs a broader understanding of the full range of law enforcement agencies that use this technology, the policies in place to protect the privacy interests of those whose information might be collected using these devices, and the legal process that DOJ and DHS entities seek prior to using them.

For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of an FBI investigation or operation, unless one of several exceptions applies, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

We have concerns about the scope of the exceptions.  Specifically, we are concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests of other individuals who are not the targets of the interception, but whose information is nevertheless being collected when these devices are being used.  We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected.  But there is a question as to whether this sufficiently safeguards privacy interests.

Accordingly, please provide written responses to these questions by January 30, 2015:

1.    Since the effective date of the FBI’s new policy:
a.    How many times has the FBI used a cell-site simulator?
b.    In how many of these instances was the use of the cell-site simulator authorized by a search warrant?
c.    In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process?  Please identify the legal process used.
d.    In how many of these instances was the cell-site simulator used without any legal process?
e.    How many times has each of the exceptions to the search warrant policy, including those listed above, been used by the FBI?

2.    From January 1, 2010, to the effective date of the FBI’s new policy:
a.    How many times did the FBI use a cell-site simulator?
b.    In how many of these instances was the use of a cell-site simulator authorized by a search warrant?
c.    In how many of these instances was the use of the cell-site simulator authorized by some other form of legal process?  Please identify the legal process used.
d.    In how many of these instances was the cell-site simulator used without any legal process?
e.    In how many of the instances referenced in Question 2(d) did the FBI use a cell-site simulator in a public place or other location in which the FBI deemed there is no reasonable expectation of privacy?

3.    What is the FBI’s current policy on the retention and destruction of the information collected by cell-site simulators in all cases?  How is that policy enforced?

4.    What other DOJ and DHS agencies use cell-site simulators?

5.    What is the policy of these agencies regarding the legal process needed for use of cell-site simulators?
a.    Are these agencies seeking search warrants specific to the use of cell-site simulators?
b.    If not, what legal authorities are they using?
c.    Do these agencies make use of public place or other exceptions?  If so, in what proportion of all instances in which the technology is used are exceptions relied upon?
d.    What are these agencies’ policies on the retention and destruction of the information that is collected by cell-site simulators?  How are those policies enforced?

6.    What is the Department of Justice’s guidance to United States Attorneys’ Offices regarding the legal process required for the use of cell-site simulators?

7.    Across all DOJ and DHS entities, what protections exist to safeguard the privacy interests of individuals who are not the targets of interception, but whose information is nevertheless being collected by cell-site simulators?

Please number your written responses according to their corresponding questions.  In addition, please arrange for knowledgeable DOJ and DHS officials to provide a briefing to Judiciary Committee staff about these issues following the provision of these written responses, but no later than February 6, 2015.

Mar 23, 2015

WASHINGTON – Senators Chuck Grassley of Iowa and Patrick Leahy of Vermont, Chairman and Ranking Member of the Senate Judiciary Committee, questioned the Justice Department about reports that federal law enforcement agencies have deployed cell phone tracking technology on behalf of federal intelligence agencies. In a letter to Attorney General Eric Holder and Acting Deputy Attorney General Sally Yates, the senators ask whether law enforcement’s use of technology capable of scanning data from thousands of cell phones is part of a domestic test operation on behalf of the intelligence community.  The letter follows a media report detailing cooperation between the Central Intelligence Agency and the U.S. Marshals Service to domestically test surveillance technology.

Grassley and Leahy raised concerns about the legal and privacy implications of this technology in a letter last year to Attorney General Eric Holder and Homeland Security Secretary Jeh Johnson.  The senators have not yet received a written response from the Justice Department, as requested in that letter.

The devices mimic cell phone towers to connect with and collect identifying information from cell phones in the area. While reports have indicated that the technology has been deployed for domestic law enforcement purposes, it remains unclear what legal authority and privacy protections are in place for their use.

A signed copy of the letter is available here.  Text of the letter is below.

March 18, 2015


The Honorable Eric H. Holder Jr.
Attorney General
U.S. Department of Justice

The Honorable Sally Quillian Yates
Acting Deputy Attorney General
U.S. Department of Justice

Dear Attorney General Holder and Acting Deputy Attorney General Yates:

In June and December, we wrote to the Department of Justice (DOJ) and other agencies raising questions about the use of cell-site simulators.  Often referred to as “IMSI Catchers,” “dirtboxes,” or “Stingrays,” these devices mimic standard cell towers and force affected cell phones to reveal their approximate location and identifying serial number.  Although we understand that some versions of these devices can intercept and collect the content of communications, the Federal Bureau of Investigation (“FBI”) and the United States Marshals Service (“USMS”) both maintain that they do not use the devices in this way.  These agencies have also reported that they purge any data collected from non-targeted telephones once an investigation is complete.

Last week, the Wall Street Journal reported that the USMS field-tested various versions of this technology in the United States from 2004 to 2008 on behalf of the Central Intelligence Agency (“CIA”).  If this report is true, such practices raise additional concerns.  In December, we asked about the full range of DOJ entities that use this technology, the policies in place to protect the privacy interests of third parties whose information might be collected by these devices, and the legal process that is sought prior to their deployment, including the information provided to courts that may authorize their use.  DOJ’s failure to answer these questions has heightened our concerns.

Accordingly, please provide written responses to each of the following by March 27, 2015:

1.    Does DOJ policy ever permit the use of cell-site simulators to capture the content of communications domestically?  If so, under what circumstances is this permitted?

2.    Has DOJ or any DOJ entity tested cell-site simulators or other surveillance technology on behalf of the intelligence community, by employing the devices in the course of domestic law enforcement operations?    If so, when, to what extent, and under what legal authority?

3.    What, if any, DOJ policy governs the testing and deployment of new surveillance technology?

4.    Please provide written responses to Questions 1 through 7 of our December 23, 2014 letter, as requested in that letter.

Should you have any questions, please contact Jay Lim at (202) 224-5225 or Lara Flint at (202) 224-7703.  Thank you for your cooperation in this important matter.



Charles E. Grassley
Chairman

Patrick Leahy
Ranking Member


The Insider Threat – Goldman Sachs Edition

In a somewhat bizarre case, a Goldman Sachs programmer has been convicted for the second time of stealing software that he developed for Goldman (see Wired article).  The first conviction was overturned and the second may be nullified by the judge.

Sergey Aleynikov was convicted in 2011 on espionage and theft of trade secret charges.  He was accused of stealing the source code for Goldman’s high speed trading platform he helped develop prior to leaving for another firm.

The following year the conviction was reversed because, according to the appeals court, the code is not physical property and so the theft statute he was charged under did not apply.

After the reversal, Sergey was released from prison after serving 1 year out of his original 8 year sentence.

Goldman, not being happy that the conviction was overturned, worked with the NY District Attorney, and he was charged under state law (the initial conviction was under Federal law) with “unlawful use of secret scientific material” and “unlawful duplication of computer related material”.  He was found guilty of the first charge and acquitted on the second.  I am not sure how that might work, but that was what the jury decided.

Sergey was earning $400,000 a year at Goldman when he decided to take a new job with Teza Technologies which would have paid him $1.2 million.

A few days before he left Goldman, he downloaded and encrypted code he had worked on and transferred it to a website hosted in Germany.  Then he erased the program he used to encrypt the files.  He also attempted to delete the log files showing his activity.  This does not seem to me like the activities of a person who thought what he was doing was legal.

His story was that he only intended to collect open source software.  According to his attorney, only 32 megabytes of the 1,224 megabytes of code he took was proprietary.  If true, that would tend to support his claim.

The appeals court said that because he did not assume physical control over anything when he took the source code, he did not deprive Goldman of its use, therefore he did not steal anything.

Apparently, the judge in the second case is skeptical of the conviction and may overturn it.  If that doesn’t happen, I assume Sergey will appeal it.

So what does all this mean?

To an employer concerned about insider threats, it means that the threat is not limited to low-compensation employees and it is not limited to physical objects.  It also means that it is very difficult to actually obtain a conviction (this happened in 2009).

To an employee, it means that your actions may be viewed very differently by an employer than by you and even if you think what you are doing is legal, your employer may not agree.  And, if your employer disagrees with your interpretation, your life will be hell for a long, long time.

With Sergey earning almost half a million dollars a year and Goldman being pretty profitable, a LOT of money has been spent on this over the last 6 years.  AND, it is not over yet.

Also, the police did not find any of Goldman’s code on Teza’s computers, so it was not a cut and dried case of someone stealing code to take to his new job.

The scary part is that this is an easy case – they have the proverbial smoking gun and six years later it is not settled.  What about the cases that the employer never even found out about?

What this says is that the entire problem of insider theft is a pretty messy problem and it is not going to become any easier in your lifetime or mine.

Banks Fight Back Against Third Party Information Providers

Below is an interesting ad from the J.P. Morgan Chase home page:


The ad says not to share your login password with third party sites that offer budgeting, money management and other services, and goes on to say that you could be responsible for any losses if you do.

In fact, the user agreement says this:

If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure. If you permit any other person(s) or entity, including any data aggregation service providers, to use the Online Service or to access or use your Card numbers, account numbers, PINs, User IDs, Passwords, or other means to access your accounts, you are responsible for any transactions and activities performed from your accounts and for any use of your personal and account information by such person(s) or entity.

There are two ways to look at their ad, both of which, I think, are valid.

First, if you give out your password to another site, say Mint (I’m not picking on them, it is just a popular aggregation service), that aggregates your financial data, you may well be responsible for any fraud that occurs.  If they are hacked, it is your bank account that is at risk.  At best, you will have to fight to prove that you didn’t do the transaction.  The bank could say that by giving them your password, you authorized them to do whatever they did, so it is your problem (which is exactly what it says in the user agreement).  Also, since it was done with your userid, it will be hard to prove that it wasn’t you.  The bank could say that someone logged in with your userid and password, that there is no evidence of hacking, so you must have done it.

The second way to look at it is that the bank wants to be your trusted financial advisor.  They want you to come to THEIR web site so that they are the center of your financial universe.  If you use a third party site, they become much less relevant to you, which will not make them very happy.  You might never log on to the bank’s web site yourself ever again.  That will make them sad.  It also means that their bank could be swapped out with a different bank and it wouldn’t make any difference to you.

I think both points of view are valid.

So what’s a person to do if they do want to use a third party web site to help them manage their financial life?  I make these recommendations.

First, of course, research the site as best as you can to make sure that they are reputable, have good security practices, their terms of service don’t make you liable for everything they do – stuff like that.

Second, and likely more important, most banks will allow you to create additional userids to access your account data.  Many of them will allow you to grant or revoke permissions for that ID.  This means a little more work for you, but we are talking about your money.

If a web site only does reporting for you, they do not need to be able to issue checks or wire transfers.  Create a userid just for that site and don’t give it those permissions.  If you have another site that does bill pay for you and only needs access to your checking account, only grant it access to your checking account.  DO NOT SHARE IDs ACROSS DIFFERENT SITES.

If you have already given out your password to some other site, change your password and then create a new ID for them with the right permissions.

This includes, by the way, if you give your accountant or bookkeeper access to your banking site – give each of them their own ID.

By giving each entity that has access to your money its own ID, IF there is a problem, you have a much better chance of figuring out where the problem came from.

Why Hackers Are Winning

Microsoft just patched a bug this month (see article) that potentially allows a hacker to take over your computer and for sure allows a hacker to crash it – repeatedly – all because they forgot to check for a carry overflow in an addition operation.  It potentially affects 70 million web sites and is being actively exploited as you read this.

I will try to make this as non-geeky as I can.

Windows runs in two modes – user mode, where MOST programs run, and kernel mode, where certain parts of Windows run.  In kernel mode, a program can do anything it wants – talk to the hardware, whatever.  The goal should be that as little as possible runs in kernel mode because if the programmers make a mistake, it can be, to say this kindly, catastrophic.

If a program needs to ask Windows to perform certain tasks for it, it makes system calls and each one of these calls has some overhead to it.  If you look at things from a certain perspective, if you move code from user mode to kernel mode, it will run faster since in kernel mode it just does stuff instead of asking Windows to “please do this for me”.  However, if there are any bugs, you run the risk of making the hackers VERY happy, since they now control the real hardware of the machine.

A few years ago (when Windows 7 was being written), Microsoft decided to move part of its web server into kernel mode to improve its performance.  That code runs in most versions of Windows 7, Windows Server 2008 and 2012 and Windows 8.

In this code, they needed to calculate the length of something (which is end-start+1).  If you do this in Excel or in a high level programming language, the language makes sure that all the i’s are dotted and t’s crossed, but operating systems are written in low level languages to improve performance and in that case you are on your own.

Without going into details, they forgot one part of the calculation (checking for a carry out) and the result is that under certain circumstances, the server will crash.  There are a lot more details, but that is not important for this post.

One missing check can cause the server to crash, potentially affecting 70 million web sites (note: it is only a problem if the site has kernel caching turned on, which is the default).

Of course, the hackers know, now that Microsoft has released a patch, what the problem is and have been crashing web sites right and left.  And, Microsoft thinks, a hacker might be able to execute any code she wants to as a result of this bug.

Even though Microsoft calls this a critical patch, tens of millions of web sites have not been patched and are at risk.

And while Microsoft got caught this time, it happens to Apple, Google, and anyone else that writes programs.  This stuff is very complicated and always has bugs – some more critical than others.

The programmer has to get it right every time.  The hacker only needs to get it right once.  This is ESPECIALLY true if the code is running in kernel mode.

And remember that testing can only show the presence of bugs, not their absence, so a test suite would be unlikely to try a range of exactly 0 – 18,446,744,073,709,551,615 (where end-start+1 carries out of the 64-bit register and comes back as 0), which is the ONLY length that will cause the server to crash.

Which is why the hackers are winning.
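To make the missing check concrete, here is a small C illustration I wrote for this post (it is not Microsoft’s code, and the function names and the “start-end” input format are my own assumptions): the unchecked end-start+1 next to a version that rejects an inverted range and a carry out of 64 bits, plus a parser that refuses numbers that do not fit in 64 bits at all.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Length of an inclusive byte range [start, end] computed the naive way.
   With start = 0 and end = UINT64_MAX the "+1" carries out of the 64-bit
   register and the result silently wraps to 0. (Hypothetical code written
   for this post, not the kernel-mode code the post describes.) */
uint64_t range_length_unchecked(uint64_t start, uint64_t end)
{
    return end - start + 1;
}

/* Same computation with the two checks the naive version lacks:
   the range must not be inverted, and the final "+1" must not carry.
   Returns false when the length cannot be represented in 64 bits. */
bool range_length_checked(uint64_t start, uint64_t end, uint64_t *len_out)
{
    if (end < start)
        return false;              /* inverted range: end - start would underflow */
    uint64_t span = end - start;   /* safe now, because end >= start */
    if (span == UINT64_MAX)
        return false;              /* span + 1 would need a 65th bit */
    *len_out = span + 1;
    return true;
}

/* Parse a decimal "start-end" pair such as "0-18446744073709551615".
   strtoull() reports values that do not fit in 64 bits via ERANGE, so
   "18446744073709551616" (2^64) is rejected rather than silently clipped.
   A leading digit is required so that "-5" is not read as a sign. */
bool parse_range_spec(const char *spec, uint64_t *start, uint64_t *end)
{
    if (spec[0] < '0' || spec[0] > '9')
        return false;
    char *dash = NULL;
    errno = 0;
    unsigned long long s = strtoull(spec, &dash, 10);
    if (errno == ERANGE || *dash != '-')
        return false;

    const char *end_str = dash + 1;
    if (end_str[0] < '0' || end_str[0] > '9')
        return false;
    char *tail = NULL;
    errno = 0;
    unsigned long long e = strtoull(end_str, &tail, 10);
    if (errno == ERANGE || *tail != '\0')
        return false;

    *start = (uint64_t)s;
    *end = (uint64_t)e;
    return true;
}

/* Validated length of "start-end", or 0 if the spec is malformed, inverted,
   or its length would overflow. An inclusive range always has length >= 1,
   so 0 is an unambiguous "rejected" value. */
uint64_t safe_range_length(const char *spec)
{
    uint64_t start, end, len;
    if (!parse_range_spec(spec, &start, &end))
        return 0;
    if (!range_length_checked(start, end, &len))
        return 0;
    return len;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *specs[] = {
        "0-99",                     /* ordinary range, length 100 */
        "0-18446744073709551615",   /* the full 64-bit span the post describes */
        "10-5",                     /* inverted */
        "0-18446744073709551616",   /* end does not fit in 64 bits */
    };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        uint64_t start, end;
        if (parse_range_spec(specs[i], &start, &end))
            printf("%-26s unchecked=%llu checked=%llu\n", specs[i],
                   (unsigned long long)range_length_unchecked(start, end),
                   (unsigned long long)safe_range_length(specs[i]));
        else
            printf("%-26s rejected by parser\n", specs[i]);
    }
    return 0;
}
```

The second line of output is the whole point: the unchecked length comes back as 0 while the checked version refuses the range, which is the decision the kernel-mode code needed to make before doing anything with that length.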