Users of personal digital devices face real threats. Companies need protection against employees misusing the technology, and individuals need to worry about identity thieves reaching the personal data stored on the devices. Here are the latest handheld security measures that fraud examiners need to know.
In April 2005 an embarrassed chancellor apologized in writing to 98,000 University of California-Berkeley students and applicants whose records had been stolen. The intensely personal information contained in the records and school applications had resided on one laptop that disappeared from a school office. Investigators believed that the thief was after the hardware but ended up with so much more. The school instituted strict security policies after the breach but the confidential data was gone forever.
Even an executive of a handheld security software firm needs special tools and procedures in dealing with his personal digital device. That's what Mark Komisky, CEO of Baltimore's BlueFire Security Technologies Inc., discovered on a recent trip through O'Hare International Airport in Chicago.
His iPaq 6315 Pocket PC went missing. In the cab or somewhere in the airport was his small pocket phone with a miniature keyboard, containing his e-mails, details of his company's strategy, Social Security numbers of his wife and son, and phone numbers for high-level executives at client companies. "Those little things are awfully easy to lose," says Komisky. "It's terrifying."
Mobile devices that hold multiple gigabytes of data and can also reach computer networks are springing up faster than dandelions in spring. Cell phones, personal digital assistants, music players, and thumb drives hang from teenage ears as well as expensive briefcases. Individuals own the devices and companies issue them to employees. There's an accelerating trend to integrate all media into one device. And although the objects are getting smaller, their storage capacity and ability to connect to other devices are expanding.
Both the small size and giant functionality of mobile devices offer an opportunity for fraud. Employees pose an entire spectrum of possible challenges to company security by misusing the devices.
Komisky, whose company makes mobile device security products (an integrated suite with authentication, encryption, integrity monitoring, firewall, VPN, logging and central management), sets out three main areas of concern. First, the data stored on the device can be at risk. Second, the device might hold the credentials needed to get into secured company networks. Finally, the device might access the network directly. "One employee's device doesn't have to be physically stolen to lose data," says Komisky. "If the devices are on the same network the entire theft can occur electronically."
Solutions for security
The functionality of newer devices makes theft fast and easy. Thumb drives or iPods, for instance, show up as just another drive when connected to a computer. The syncing function can copy notes, calendars, and contact information almost instantaneously. A Mac can be booted from an iPod, which lets an intruder read the internal drive while leaving the installed Mac software pristine, with no trace of having been accessed. Users can also install Linux on an iPod, and can create an encrypted, password-protected partition on the device that a casual inspection will not see.
Derrick Donnelly spent five years as head of IT security at Apple Computer. As chief technology officer of Santa Clara, Calif.-based BlackBag Technologies Inc., Donnelly is now charged with developing security products for iPods and their Apple cousins. "Right now the biggest task in front of us is raising awareness from CEOs to law enforcement of the potential for security breaches," says Donnelly.
Solutions to the security challenges come from companies that sell security products and services to users, and from research institutes such as Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), which are taking up the call to provide solutions as well as raise awareness. "Any technology that connects two computing devices together or where we share information is an area of concern," says Marcus Rogers, Ph.D., on the research faculty of CERIAS, based in West Lafayette, Ind. "We have some researchers scouring the daily news looking for accounts of new ways that these devices are used in crimes," Rogers points out.
Rogers is the co-author of "iPod Forensics" published under the auspices of CERIAS. "We're trying very hard as a discipline to predict what's next but we're still stuck solving the problems that were created by technology introduced two years before," says Rogers.
Rogers and his colleagues are working to help fraud professionals and law enforcement deal with the devices used in crimes. The steps for handling mobile electronic devices found in the sidebar accompanying this article came from Rogers' report. The report calls for more work on iPod forensics, similar to what the National Institute of Standards and Technology (NIST) has done on other sorts of PDAs. "For instance, moving away from magnetic storage to flash drives found on many of the new devices complicates the forensics," says Rogers. "With a traditional hard drive even on the small devices there's something left over even if the data is erased."
Forensic products
Companies are also providing products to help with forensics as well as prevention. For instance, BlackBag Technologies' products work with Apple devices to allow investigators to recover deleted data, do a complete hard-drive analysis, employ key word searches, and detect hidden partitions. "Law enforcement needs to know how to seize these devices," says Donnelly. "Once acquired, they can make a copy of everything at a physical level just like any other electronic media."
Solving electronic crimes demands a heightened awareness of users' habits and of the specifics of the technology. While an initial search warrant may cover a home computer, investigators should be on the lookout for signs of an iPod even if the device itself isn't visible. A stand, connecting cables, or other iPod accessories should tip off investigators that a second search warrant may be needed. iPod users can set up a hidden partition, so investigators should make sure they're looking at the full scope of storage on a device: if the owner kept data on a hidden partition, that portion of the storage wouldn't be visible without further investigation. Users can encrypt data as well. "An initial review showing total gibberish would indicate that some of the data is encrypted," says Donnelly.
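To make the last two points concrete, here is an added example of the kind of offline review an examiner can run against an image of a seized device; it is not code from the article, from BlackBag Technologies or from CERIAS. It parses the Windows-style (MBR) partition table, lists the sectors no partition claims (where a hidden partition or stashed data would sit), and scores each region's byte entropy, so that Donnelly's "total gibberish" becomes a number. It also tells a Mac-formatted device (Apple Partition Map) from a Windows-formatted one, the check the sidebar's last step asks for, but it only parses the MBR case. The 1 MiB image, its partition layout, the sample text and the ciphertext-like filler are all constructed for the example, and the 7.5 bits-per-byte cutoff is an assumed threshold.

```python
"""Offline review of a small-device disk image (MBR layout).

Added example with a constructed image; not the article's or any vendor's code.
"""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
HIGH_ENTROPY = 7.5  # bits per byte; assumed cutoff for "looks encrypted or compressed"


def partition_scheme(image: bytes) -> str:
    """Mac-formatted devices carry an Apple Partition Map ('ER' at offset 0);
    Windows-formatted ones carry an MBR (0x55AA at offset 510)."""
    if image[0:2] == b"ER":
        return "apple-partition-map"
    if image[510:512] == b"\x55\xaa":
        return "mbr"
    return "unknown"


def parse_mbr(image: bytes):
    """Return (type, first_lba, sector_count) for each used MBR entry."""
    if partition_scheme(image) != "mbr":
        raise ValueError("not an MBR-formatted image")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        first_lba, count = struct.unpack("<II", entry[8:16])
        if ptype and count:
            parts.append((ptype, first_lba, count))
    return parts


def unallocated(image: bytes, parts):
    """Sector ranges [start, end) that no partition claims."""
    total = len(image) // SECTOR
    cursor = 1  # sector 0 holds the MBR itself
    gaps = []
    for _, first, count in sorted(parts, key=lambda p: p[1]):
        if first > cursor:
            gaps.append((cursor, first))
        cursor = max(cursor, first + count)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, 0.0 is a single repeated value."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verdict(entropy: float) -> str:
    if entropy == 0.0:
        return "empty"
    if entropy > HIGH_ENTROPY:
        return "high-entropy: possibly encrypted or compressed"
    return "low-entropy: plaintext or structured data"


def review(image: bytes):
    """Label every partition and every unallocated gap with its entropy verdict."""
    parts = parse_mbr(image)
    regions = [(f"partition type 0x{t:02x}", s, s + c) for t, s, c in parts]
    regions += [("unallocated", s, e) for s, e in unallocated(image, parts)]
    rows = []
    for label, start, end in sorted(regions, key=lambda r: r[1]):
        h = shannon_entropy(image[start * SECTOR:end * SECTOR])
        rows.append((label, start, end, round(h, 2), verdict(h)))
    return rows


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: an MBR, one FAT32 partition holding plain text,
    and about 490 KB of unallocated space filled with ciphertext-like bytes."""
    total = 2048
    img = bytearray(total * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x0B, 0, 0, 0]) + struct.pack("<II", 63, 1000)
    img[510:512] = b"\x55\xaa"
    text = b"client list: acme corp, initech, globex; quarterly targets\n"  # constructed
    body = (text * (1000 * SECTOR // len(text) + 1))[:1000 * SECTOR]
    img[63 * SECTOR:1063 * SECTOR] = body
    img[1063 * SECTOR:] = _pseudo_random((total - 1063) * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("scheme:", partition_scheme(sample))
    for row in review(sample):
        print(row)
```

Two caveats when running this against a real device. High entropy alone is not proof of encryption: the music on an iPod is compressed and scores just as high, so the useful signal is high-entropy data in space no partition claims, or a partition whose type says FAT but whose contents score near 8.0. And a Mac-formatted iPod uses the Apple Partition Map, which this script recognises but does not parse; an analysis tool that understands that layout (the article mentions BlackBag's) is needed for the full picture.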
Watch, too, for other tools already installed on the device that can help the investigator. Some mobile devices carry resident anti-spyware software or other tools that keep an audit trail; such a log can show which registry keys were tampered with and which IP addresses the device has used.
Increasingly, preventive security is being built into the devices. When Komisky lost his Pocket PC, it was set up with a remote data wipe tied to the device's password. The moment he knew the device was lost somewhere in Chicago, he called a technician at BlueFire, who erased the information on it from the home office in Baltimore. Other BlueFire products provide password protection that wipes the data after 10 consecutive failed password attempts.
Wireless carriers are undertaking extensive research into baseline security built into the hardware of their devices. BlueFire is working with a client on software that would disable all USB storage devices on networked computers. "Hardware manufacturers are conducting sophisticated R&D into ways to integrate core security into the device," says Komisky. "But if someone is out to do damage with the use of technology, it's hard to limit their actions with other technology."
All users of mobile electronic devices should be reviewing, and where necessary changing, their policies for how the devices are used. Individuals need password protection for sensitive data and should consider encrypting it. Companies need to start thinking about policies for approved use of the devices as well as procedures for auditing or reviewing the devices their employees use. "Companies may need to introduce the concept that these devices are subject to review and analysis," says Donnelly. "Just like laptops, employees may need to be subject to search and their devices verified and audited once in awhile."
New internal policies
New policies for internal actions may need to be established as well. Methods of assigning and changing passwords should be prescribed for mobile devices just as they are for traditional computers and networks. Users of mobile devices should have access only to data they need for their jobs. "More technical people like system administrators might more easily see the opportunities with these devices," says Donnelly. "Companies may want to take extra steps to establish controls for these employees."
Anti-fraud professionals will be dealing with mobile electronic crime for some time to come. CFEs need upgraded knowledge of the workings of the technology as well as skills to help companies establish policies and forensic techniques. In addition to the resources mentioned in this article, CFEs might benefit from the information that comes out of the Black Hat briefings, well-known conferences on online security trends. The upcoming Black Hat Federal 2006 Briefings and Training Jan. 23-26 in Washington, D.C., is billed as a "digital self-defense get-together."
|
iPod Evidence Collection Primer
- Document where the device is in the scene.
- Leave the device in its current state because it might be booby-trapped.
- If a device is found connected to a computer, check to see if it's mounted.
- Store device in a static-free bag apart from other evidence (especially magnets).
- Report the type of computer or computers that were found on the scene.
- Determine if an iPod is formatted for Macintosh or Windows before disconnecting.
Source: CERIAS Tech Report 2005-13, IPOD FORENSICS, Marsico & Rogers
|
Cynthia Harrington, CFE, CFA, is a contributing writer for Fraud Magazine.
Read Part One of Trends in Tech Fraud Schemes: Let's (Not) Do the Twist
The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com