Secure Flash Drives Which Are

Several weeks ago I blogged about several brands of USB flash drives which were all breached in the same way. The rumor mill has it that all of these drives were OEM’d from SanDisk, whose drives have been subject to other hacks in the past.

SanDisk and Verbatim maintain that a software update is sufficient to render their devices secure once again, but Kingston announced in December that it would replace the affected units: “the best way to address this problem is to offer our customers replacement units that incorporate newer and stronger security architecture,” said John Holland, vice president, U.S. sales.

On January 27, Kingston announced the replacement drive. “The DataTraveler 5000 delivers unsurpassed levels of security and encryption to government and enterprise customers,” said Mark Akoubian, business manager, Secure USB Products, Kingston. “This portable data solution represents state-of-the-art data protection while providing end users with the simplicity of plug and play.”

The DataTraveler 5000 utilizes patented Secured by SPYRUS™ technology. According to SPYRUS, their Hydra PC was the first and is still the only USB flash device both to pass NSA verification for classified use and to be FIPS 140-2 Level 3 validated. It’s just a guess, but if the NSA verifies a device for classified use, it’s probably done a bit o’ homework and the device is pretty darn secure.

Secured By SPYRUS

In fact, I worked with SPYRUS while I was at a previous company and was pretty impressed with what they were doing. So impressed that when I was offered the opportunity to join them on the same day that the RSA 2010 security conference opens, I accepted.

At RSA we will be demonstrating the HYDRA PC™ Secure Pocket Drive, which runs Microsoft Windows Embedded. This Windows-on-a-stick reboots and takes control of your PC and uses the mouse, keyboard, display, and RAM to create a hack-proof computing environment. Come by the Kingston or OATH booths (351 and 2023 respectively) to see it in action.

Seacliff Partners International, LLC is not going away by any means, but if I can convince SPYRUS to start a blog, I’ll be doing a lot more over there. Until then, see you back here soon.

I Got Burned And So Can You!

On Saturday, February 20th at approximately 2:20 p.m. Mountain Time, the shared server that my Internet domain is on experienced a hardware failure as a result of an annual fire system inspection at WestHost’s Data Center (DC). An inadvertent release of Inergen (a fire suppression product) was triggered by an actuator that was not removed by the vendor as required in the fire suppression pre-test checklist. Not all servers were affected but mine was.

My website was disappearing a few pages at a time before it disappeared completely as the RAID disk systems were powered down followed by the server. I figured that this was not a big deal as I keep backups of my entire site including my email and WordPress blogging system. What I didn’t count on was that:

  • email sent to me while my server was down was being bounced
  • they weren’t answering trouble tickets nor picking up the phone
  • I had no idea what server my account was on so the status board was useless to me
  • when I finally talked to them they would not allow me to restore my account to another server

While bouncing email is not a good thing, at least I only had my website there and wasn’t running my actual business in the cloud. I also have a backup email account at a different ISP (thank you Apple MobileMe!). Now imagine this event happened at Salesforce, Amazon, Google Docs, or Azure where I was running my business applications and not just a website. Do you have a contingency plan for an outage of your cloud-based business applications?

I’m an all Macintosh shop and I would rather take my chances in-house where I can pop down the street to buy a new Xserve, MacPro, or iMac and restore my backups myself. If your business is in the cloud, you may want to be thinking about having a backup at another provider or in house, even if you need to recover selectively.

Secure Flash Drives Which Aren’t

A number of USB Flash Drive (USB Key) vendors sell drives which encrypt your information so that if the drive falls into the wrong hands, the information on them cannot be read. Some drives use software encryption (where the data is encrypted on the PC before being written to the drive), while others implement hardware encryption where the data is sent to the drive to be encrypted. Hardware encryption is considered to be more secure because the encryption key never leaves the drive; with software encryption the key has to be present in the PC’s memory while the drive is in use, where malware on that PC can reach it. The figure shows a secure drive which has a crypto processor and a secure storage area which holds information which only the processor can access.

[Figure: Secure Flash Drive]

No matter the encryption method, when the drive is inserted into a PC, an application asks the user to enter their password to unlock the drive. Some drives, such as the SanDisk U3 series, have an embedded CD-ROM image which is mounted when the drive is inserted, and Microsoft Windows runs the unlock program from it automatically via AutoRun. Other drives use software which must be pre-installed or is present on an unlocked portion of the drive so that it can be run manually.

On January 4, 2010, it was widely reported that certain hardware-encrypted USB flash drives had been hacked. This is not exactly true since it was really the unlocking software which was hacked. Simply put, these drives had unlocking software which would accept your password, validate it within the PC, then send an unlock signal to the drive. The problem is that the unlock signal had nothing to do with the password. Let me explain.

As Easy As Opening an Electric Garage Door

Think of a residential electric garage door opener. You have a button inside your house to open it which looks something like a doorbell. In fact, it works the same way: when you press the button, it completes a circuit which opens the door. Now put a numeric keypad on the outside of the house so that you can open the door when you come back from a walk. You enter a code and if the code is correct, the door opens. Just like the switch inside, the keypad completes a circuit. If you pry the keypad off of the wall, you will see the wires that complete the circuit when the correct code is entered. To open the door you just need to connect the wires. So much for selecting a good code!

In essence, this is what the experts at security firm SySS did to unlock the Kingston DataTraveler BlackBox, SanDisk Cruzer Enterprise FIPS Edition and Verbatim Corporate Secure FIPS Edition drives. All of these drives support AES 256-bit hardware encryption. Since AES 256-bit hardware encryption is pretty much uncrackable, they decided to attack the password entry mechanism instead.

When analyzing the Windows drive unlock program, the SySS security experts found a rather blatant flaw that slipped through testers’ nets. During a successful authorization procedure the program always sends the same character string to the drive after entry of a valid password. Going back to the garage door analogy, the Windows program ‘connects the wires’ to unlock the drive. The SySS experts wrote a small program which would ensure that the appropriate string was sent to the drive, irrespective of the password entered. As a result, they gained immediate access to the data on the drive.

The Vendors Respond

When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued fuzzy security bulletins about a ‘potential vulnerability in the access control application’ and provided a software update. When asked about the risk to European companies by heise Security, Verbatim Europe said that none of the affected drives have been sold in Europe – and that none will be shipped before the hole has been closed.

On the other hand, IronKey responded that their security analysts have analyzed the vulnerabilities that have been reported and that their products do not suffer from this vulnerability. This is because IronKey devices verify the correctness of a user’s password in hardware on the device. The security of IronKey devices does not depend on software on the host PC which, as this attack illustrates, can easily be tampered with.
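To make the two designs concrete, here is an added example (my own simulation, not code from SySS, Kingston, SanDisk, Verbatim or IronKey). It puts the flawed pattern, in which the host program checks the password and then sends the drive one fixed unlock string, beside a design in which the drive itself derives a key from the password and demands a fresh challenge response before it opens. The fixed string, the class names, the KDF parameters and the ten-strike wipe are all assumptions made for illustration; a real drive would wrap its AES data key under the password-derived key rather than hold a bare verifier.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# ---- Design 1: the flawed pattern SySS found ------------------------------
# The host program checks the password on the PC and, on success, sends one
# fixed string to the drive. The drive never sees the password at all.
FIXED_UNLOCK_MESSAGE = b"\x01UNLOCK"  # constructed placeholder, not the real string


class FlawedDrive:
    """Firmware that trusts the host: 'connect the wires' and it opens."""

    def __init__(self, secret_data: bytes) -> None:
        self._data = secret_data
        self.unlocked = False

    def unlock(self, message: bytes) -> bool:
        # Compares against a constant; no key is derived from any password.
        if hmac.compare_digest(message, FIXED_UNLOCK_MESSAGE):
            self.unlocked = True
        return self.unlocked

    def read(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        return self._data


class FlawedHostApp:
    """The Windows unlock program: the only password check lives on the PC."""

    def __init__(self, password: bytes) -> None:
        self._pw_hash = hashlib.sha256(password).digest()

    def unlock(self, drive: FlawedDrive, password: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash):
            return drive.unlock(FIXED_UNLOCK_MESSAGE)
        return False


def bypass_flawed_drive(drive: FlawedDrive) -> bytes:
    """The SySS 'small program': skip the host check and just send the string."""
    drive.unlock(FIXED_UNLOCK_MESSAGE)
    return drive.read()


# ---- Design 2: the password is verified inside the device -----------------
class HardenedDrive:
    """Derives a key from the password and checks a fresh challenge response,
    so no host-sent constant can open it. Real hardware would wrap the AES data
    key under this derived key; the comparison stands in for that unwrap."""

    KDF_ITERATIONS = 50_000  # assumption; tune to the device's crypto processor
    MAX_FAILURES = 10        # assumption; wipe rather than allow guessing over USB

    def __init__(self, secret_data: bytes, password: bytes) -> None:
        self._data: Optional[bytes] = secret_data
        self._salt = os.urandom(16)
        self._key = hashlib.pbkdf2_hmac("sha256", password, self._salt, self.KDF_ITERATIONS)
        self._nonce: Optional[bytes] = None
        self._failures = 0
        self.unlocked = False

    def challenge(self) -> Tuple[bytes, bytes]:
        """Hand the host the salt and a single-use nonce."""
        self._nonce = os.urandom(16)
        return self._salt, self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None or self._data is None:
            return False  # no outstanding challenge, or already wiped
        expected = hmac.new(self._key, self._nonce, "sha256").digest()
        self._nonce = None  # each attempt needs a new challenge, so replay fails
        if hmac.compare_digest(response, expected):
            self._failures = 0
            self.unlocked = True
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._data = None  # self-destruct: the data is gone for good
        return False

    def read(self) -> bytes:
        if not self.unlocked or self._data is None:
            raise PermissionError("drive is locked")
        return self._data


def host_response(drive: HardenedDrive, password: bytes) -> bytes:
    """Host side of the exchange: it can only answer by knowing the password."""
    salt, nonce = drive.challenge()
    key = hashlib.pbkdf2_hmac("sha256", password, salt, HardenedDrive.KDF_ITERATIONS)
    return hmac.new(key, nonce, "sha256").digest()


def hardened_host_unlock(drive: HardenedDrive, password: bytes) -> bool:
    return drive.unlock(host_response(drive, password))
```

`bypass_flawed_drive` is the whole of the SySS attack: no password is needed because the drive never asked for one. Against the hardened drive the same fixed string is ignored, a captured response cannot be replayed because each nonce is single use, and guessing over USB is capped by the failure counter, so tampering with the host software gains the attacker nothing.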

FIPS 140-2

Journalists are asking how USB Flash drives that exhibit such a serious security hole were given FIPS 140-2 certification (formally, validation), a standard which was authored by the National Institute of Standards and Technology (NIST) and accepted by the Communications Security Establishment (CSE) of the Government of Canada.

Even though cryptographic products which have not received this certification are ineligible for government use in the USA and Canada, it is a minimum standard, and does not guarantee that a product is secure. The validation covers only the cryptographic module within its declared boundary; host-side software such as a Windows unlock application can sit entirely outside that boundary and never be examined at all. Neither is it a substitute for having deep technical expertise in the design, implementation, and use of a security product.

Many business executives think that data security means data encryption. The reality is that encryption is a small part of securing data, especially that which is on portable storage devices. Deep architectural knowledge is required in the areas of password management, authentication, encryption key management, roles and services, design assurance and physical security. It is vitally important that security vendors apply proper security architecture and review to their designs, and not just rely on the FIPS review process.

What Did We Learn From This?

In summary, a secure flash drive implementation was felled by an insecure unlocking mechanism. SySS asked the questions that others somehow missed. Security is not a point solution nor can it be implemented in a vacuum. Your company’s security must be dealt with holistically and if you don’t have experts on your staff, then find the experts you need before you need them. Don’t be afraid to ask embarrassing questions of your vendors and write damages recovery into your contract. The data you save may be your own.

Comments? I’d love to hear them.

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Founder and Principal
Seacliff Partners International, LLC

Why Is a Terrorist Like SPAM?

President Obama said that there were “systemic and human failures” that prevented the government from stopping Umar Farouk Abdulmutallab’s attempted terror attack. A lot of the talk has been about watch lists and information not being shared amongst agencies.

But why is a terrorist like SPAM?

  • There seem to be more of them every day
  • You miss some which are bad
  • You flag some which are good

While politicians are posturing, a lot of US citizens are wondering what’s so hard about catching terrorists. I mean, it’s obvious when you see one, right? But while SPAM isn’t as deadly as a terrorist, SPAM filtering provides a good comparison for why we cannot keep out 100% of the bad guys while not bothering the good guys. Most likely your Internet Service Provider (ISP) runs a SPAM filter to prevent messages from getting to your PC. And your PC email program probably has a local SPAM filter which moves SPAM email from your Inbox to a SPAM folder.

I am guessing that you scan your SPAM folder a couple times a day looking for legitimate emails which somehow got filtered and you also get ticked off when you see a SPAM email in your Inbox. If someone has ever called you to find out why you didn’t answer their email and you said that you never received it, chances are that your ISP deleted the email as SPAM and it never reached you. If a legitimate email is stopped at the ISP or winds up in your SPAM folder, this is called a false positive and means that a good email was treated as if it were SPAM. This would be like the TSA doing an extra security check on a person who is not a threat.

On the other hand, if a SPAM email winds up in your Inbox, this is called a false negative because it was treated as if it were legitimate, just like Umar Farouk Abdulmutallab being allowed on an airplane.

It’s A Trade Off

Security, like your SPAM filter, is a trade off. It is near impossible to get it just right. You are either too tight (lots of false positives) or too loose (lots of false negatives). The only way to prevent every single SPAM email from showing up in your Inbox, or prevent any terrorist from getting on an airplane is to prevent any email from showing up in your Inbox or not allowing anyone to get on an airplane. While you will never hear a politician say it, there is no such thing as 100% security. Even the strictest police states on the face of the earth, Nazi Germany and later on East Germany, couldn’t achieve 100% security. Witness the French Underground and the number of people who managed to escape to the West.

According to a March 2009 article in USA Today, the government’s terrorist watch list has hit 1 million entries, up 32% since 2007. Federal data show the rise comes despite the removal of 33,000 entries last year by the FBI’s Terrorist Screening Center in an effort to purge the list of outdated information and remove people cleared in investigations. Each entry on this list is similar to an entry in a SPAM filter. Every time an email comes in for you, the sender is checked to see if it is on the black list and if it is, the email is deleted. The problem is that innocent senders and innocent people can wind up on the list either because their name is similar to someone else’s or by mistake (how did Senator Ted Kennedy ever get on the list? We’ll never know).

Do The Best You Can

I have worked with a lot of FBI agents and found them to be dedicated, hard working individuals. Each of them believes that they are on the front lines protecting US Citizens and take their job seriously. But you still need to remember that security is a trade off. Unless you want to lose any semblance of liberty, privacy, and civil rights, you cannot have 100% security. Even the Israelis know this. When a bomb goes off they tend to the dead and injured, clean up the mess, and are back in business in a few hours.

Bad stuff happens, and all of it cannot be stopped. While the system let Umar Farouk Abdulmutallab get on the plane, the system also worked through the quick action of a single person who was aware of his surroundings. What were Abdulmutallab’s seat mates doing, that someone had to jump over a row of people to get to him?

In 1698, Algernon Sydney stated that, “God helps those who help themselves.” Even John F. Kennedy told us, “ask not what your country can do for you – ask what you can do for your country.” So ask not how your country can protect you 100% of the time, but ask what you need to do to help protect yourself and your country. And don’t just pray to God for help, take action to help yourself. Be like Jasper Schuringa - aware of your surroundings and ready to take action. Only you can protect yourself and those around you.

Security Means Nothing In Our Laps – HUH?

It is a basic tenet of defense that it is impossible to guard everything from every attacker. That is, the guards cannot be everywhere all of the time. If 100 people are trying to get in, and 10 people are trying to keep them out, the chances are high that one or more will get in. That’s just the way it goes.

No matter what we do as a government or as a people, there are some who will hate us and try to attack us. That cannot be changed either. The world has always been dangerous to humans – whether from animals or other clans. There never was and never will be 100% security. We just have to do the best that we can, and without a lot of chest puffing from our members of Congress who are not on the front lines. It is political suicide to admit that there is no such thing as 100% security.

If everyone is on the watch list, then no one is on the watch list. Again, you cannot watch everyone but need to be judicious in the application of resources. Without knowing who else is on the watch list, how can we know whether or not Umar Farouk Abdulmutallab is more or less of a threat?

The Safest Airline

The safest airline in the world, it is widely agreed, is El Al, Israel’s national carrier. The safest airport is Ben Gurion International, in Tel Aviv. No El Al plane has been attacked by terrorists in more than three decades, and no flight leaving Ben Gurion has ever been hijacked. What are the Israelis doing that we aren’t?

Airports in the United States and many other countries are built around convenience while in Israel it’s all about security. We get our boarding passes online and check our baggage at the curb. At TSA checkpoints, twenty-something employees stare at screens, doing the best they can to not talk to us.

Contrast this with an Israeli airport where you stay with your bags until your security check is complete and airline and highly-trained security personnel talk to you and watch you constantly. You’re not allowed to approach the ticket counter until you are cleared by the security system, while in the United States, security is an apparent afterthought.

Israeli airport security, much of it invisible to the untrained eye, begins before passengers even enter the terminal. Officials are constantly monitoring passengers’ behavior, alert to clues that may hint at danger. Profilers make a point of interviewing travelers, sometimes at length, and oftentimes asking questions that don’t seem to make any sense at all – and that’s the idea. The point of the long questioning is to find inconsistencies in a terrorist’s cover story, or to agitate him into a panic. If you are lying or distracted by something, the profilers will soon figure that out and you will be marked as a possible threat and action will be taken.

It’s The People

While the TSA is busy confiscating cosmetics, small pocket knives, and water bottles, the Israelis understand that it is the people who are threats, not the objects that they are carrying. To a much greater degree than in the United States, security at El Al depends on intelligence and intuition rather than performing rote actions and ignoring the passengers.

Meanwhile, the TSA seems to be having a knee-jerk reaction to the recent incident. Anecdotal reports from arriving passengers indicate that all pillows and blankets are being collected an hour before arrival, and that passengers are told they must remain in their seats for that last hour, with nothing on their laps – not even reading material. So if you need to detonate that improvised explosive device you smuggled on board, you’ll now have to do it at least an hour and fifteen minutes before landing. Or, as Bruce Schneier points out, do we really think the terrorist won’t blow up their improvised explosive devices during the first hour of flight?

Other passengers are reporting that the in-flight entertainment systems on international flights are being shut down so that passengers can’t see the flight progress map to determine the plane’s location, so if you don’t have an iPhone you’ll just have to make a guess. And if you have a weak bladder or are suffering from intestinal distress, don’t be surprised if a flight attendant or an air marshal starts banging on the lavatory door.

Is there a 100% guarantee of safety? No there is not. But in three decades, not one El Al plane has been attacked from within, and those are pretty good odds. In my opinion, it’s time for us to learn from the Israelis and get serious about how we protect ourselves when flying rather than closing the door after the terrorist has left the plane.

What do you think? I look forward to your thoughtful comments.

Who Owns Your Information? (Volume III)

A laptop crammed with secret data was stolen from inside the United Kingdom’s Ministry of Defense (MoD) nerve center. Ordinarily that wouldn’t be a big deal since they have finally learned their lesson and the data on this particular laptop was fully encrypted.

However, the USB device used to decrypt the highly sensitive data was stolen along with the laptop.

The loss was said to have occurred toward the end of November but news of the event did not leak out until late last week and was not confirmed until earlier this week. A spokesman for the MoD said that “an investigation by MoD police is ongoing and it would be inappropriate to comment further.” Well, no kidding!

While at SanDisk, I proposed a system which would use GPS and access to wireless networks to determine where a device was, and if it was not where it was supposed to be, it would either lock up or erase itself. The system was never built, but I am guessing we would have had at least one customer.

What Did We Learn From This?

Just like you would normally keep the key or combination away from the lock which it opens, you should keep the electronic key away from the information which it is protecting. You also shouldn’t write your password on a sticky note and put it under your keyboard.

And as an aside, if you have guns at home, keep them and the ammunition locked up separately so the kids don’t try to play cops and robbers with a loaded weapon. The UK MoD just shot themselves in the foot and we don’t need any more of that.

In Other Exciting News

3D versions of Avatar have a complex Digital Rights Management (DRM) system which involves several certificates and server-delivered time-sensitive keys. Several theaters in Germany received these protected versions of Avatar for preview screenings. However, something went wrong with the DRM system and after trying for several hours to get the film decrypted so they could play it, at least one theater gave up and went 2D. Now why the heck would you DRM something that takes a few hundred thousand dollars of specialized equipment to show? I mean, it’s not like I can play it on my home theatre system even if I did steal it – and apparently the 2D version isn’t protected, which would play on my home system. I don’t even pretend to understand this reasoning and I guess that’s why I’m not in show business.

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Founder and Principal
Seacliff Partners International, LLC

Who Owns Your Information? (Unfortunately, Part of a Series)

A hacker was able to break into the database of RockYou, which provides applications and services for social networking sites like Facebook and MySpace, and obtain 32 million clear-text passwords through an SQL injection vulnerability. He was able to steal the information because users’ email addresses and passwords were stored in clear text, meaning they were not rendered unreadable through hashing, encryption or any other method. If you happen to use the same email address and password on any other sites, consider them hacked as well.

This might be a good time to review not only which websites you currently use, but web sites where you still have logins but don’t use any more. Most web sites don’t have any way to unregister or delete your account so even though you aren’t using them you still need to ensure that they are secure, or at least do not use UserIDs and passwords which you use on any other site.

Now that the horse has left the barn, RockYou has found religion and is encrypting all passwords and reviewing their current data security features to ensure that they meet industry standards and best practices. Whoopee.

Meanwhile, your password may be toast if you use any of these applications:

  • Facebook: superwall, pieces of hair, speedracing, likeness, hugme, birthdaycards
  • Myspace: slideshow, uploadphoto, photofx, glittertext, funnotes, countdown, superhug, myspace layouts, stickers
  • HI5, Friendster, Orkut, and Bebo users are also at risk

What Did We Learn From This?

Use different user names and/or passwords for every web site on which you have an account. If you have problems remembering user names and passwords, there are dozens of password tracking programs available. Personally I use SplashID which runs on Mac, PC, and iPhone as well as other smart phones. Your information is encrypted and safe as long as your master password doesn’t get out. And one way to guarantee that is to use a password that you can remember, that has nothing to do with your personal life (mom’s maiden name, your wife’s birthday, or your dog’s nickname are all no-no’s), and is not used anywhere else.

SplashID will generate random passwords for you which you can copy and paste into the web site. Since you use a different password on every site, the theft of your user name or password from one site will not compromise any other sites.
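Here is an added example (my own, not RockYou’s code) that shows what a stolen table yields under each storage choice: the clear-text table described above beside one that holds only a per-user salt and a slow password hash. The accounts and the attacker’s wordlist are constructed; the record format and iteration count are assumptions. Note that the right fix is one-way hashing with a per-user salt, not reversible encryption, since a site that can decrypt its own password table has only moved the problem to wherever the decryption key lives. The hashed table still gives up weak passwords to a wordlist, which is why the advice above about unique, randomly generated passwords stands on its own.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample accounts (not real data); two users chose the same password.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "Summer2009!"),
    ("bob@example.com", "Summer2009!"),
    ("carol@example.com", "correct horse battery staple"),
]
# Constructed attacker wordlist: the weak shared password is in it, the long one is not.
WORDLIST = ["password", "Summer2009!", "letmein"]

KDF_ITERATIONS = 50_000  # assumption; raise until one check costs tens of milliseconds
RECORD_PREFIX = "pbkdf2_sha256$"


class ClearTextStore:
    """The table as the post describes RockYou's: email -> password, as typed."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self.rows[email] = password

    def verify(self, email: str, password: str) -> bool:
        return self.rows.get(email) == password

    def dump(self) -> Dict[str, str]:
        return dict(self.rows)  # what SQL injection hands the attacker


class SaltedHashStore:
    """Per-user random salt plus a slow KDF; the table holds only verifiers."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        digest = self._derive(password, salt)
        self.rows[email] = f"{RECORD_PREFIX}{KDF_ITERATIONS}${salt.hex()}${digest.hex()}"

    def verify(self, email: str, password: str) -> bool:
        record = self.rows.get(email)
        if record is None:
            self._derive(password, os.urandom(16))  # same cost for unknown accounts
            return False
        _, iters, salt_hex, digest_hex = record.split("$")
        candidate = self._derive(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def dump(self) -> Dict[str, str]:
        return dict(self.rows)


def offline_attack(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """What an attacker recovers from a stolen table with a wordlist, and how
    many KDF computations it cost. Clear-text rows cost nothing; hashed rows
    must be guessed one user at a time because every salt is different."""
    recovered: Dict[str, str] = {}
    kdf_calls = 0
    for email, record in dump.items():
        if not record.startswith(RECORD_PREFIX):
            recovered[email] = record  # already a usable password
            continue
        _, iters, salt_hex, digest_hex = record.split("$")
        for guess in wordlist:
            kdf_calls += 1
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), bytes.fromhex(salt_hex), int(iters))
            if hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
                recovered[email] = guess
                break
    return recovered, kdf_calls


def build_stores() -> Tuple[ClearTextStore, SaltedHashStore]:
    clear, hashed = ClearTextStore(), SaltedHashStore()
    for email, password in SAMPLE_ACCOUNTS:
        clear.register(email, password)
        hashed.register(email, password)
    return clear, hashed
```

`offline_attack` is the breach seen from the attacker’s side. Against clear text it costs nothing and recovers everything, including the fact that alice and bob share a password; against the salted store every guess has to be recomputed per user, the shared password shows up as two different records, and the long passphrase is never recovered at all.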

The Final Word

If you are a business with data ‘in the cloud’ you should have asked your provider about their security practices, what information is encrypted and how it is encrypted, and finally how often they change encryption keys. Meanwhile, if you have accounts on any of the sites listed above, you should spend your weekend changing passwords on any account which is using the same one. And don’t make them the same again or you are still vulnerable to the next hack.

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Founder and Principal
Seacliff Partners International, LLC

Who Owns Your Information?

Silly question, no? Users of Microsoft Office 2003 documents protected by Active Directory Rights Management Service (AD RMS) or Rights Management Services (RMS) found out that it wasn’t themselves. Starting on December 11, 2009, customers could neither open nor save documents protected with these systems. You see, the expiry date for the license information within the definition file used by Office 2003 was set to December 10, 2009. Microsoft delivered a hotfix on December 11, but until it is installed, users will see this message: “Unexpected error occurred. Please try again later or contact your system administrator.” The patch only works with Office 2003 SP3, so if you have macros or applications which don’t work with SP3, you’re out of luck.

Owners of music purchased from WalMart lost access to it when protected songs from its online store could no longer be played after they shut down their digital rights management (DRM) servers in February 2008. Both Microsoft and Yahoo were forced to alter their own plans to discontinue support for their own DRM servers, with Microsoft pledging to continue support through 2011, and Yahoo offering to refund the song purchases. So you have personal or business information which relies on DRM? What does your contract say about termination of the service and access to your information?

Chase customers who use Quicken or Microsoft Money bill pay also found out who really owns their data. In the middle of November, Chase upgraded their IT systems and broke the ability for users to pay their bills from their desktops. Chase is aware that this problem has been occurring for well over two weeks, but instead of notifying users of this by phone or e-mail (or even snail mail), they have been waiting for customers to call in, navigate the phone tree, and wait on hold to talk to an agent. As of this writing there is no estimate for when the problem will be solved.

This actually might not be a big deal since, according to Mint founder and CEO Aaron Patzer, “Over the next 6 to 9 months, we will end-of-life Quicken Online and their customers’ data will be migrated over to Mint.” I guess that’s what happens when companies merge.

Oh yeah, Microsoft Money is discontinued as of January 2011 too. After that point, people can continue to use the product, but they will no longer be able to get automated data feeds from their banks, credit card companies and other financial service providers. Guess you better figure out how to transfer your information to a new application before then.

What happens if you want to change providers, or worse, what if your service or application provider goes bust? How do you access your information or get it out of its grasp so that you can move it somewhere else? Let’s say that for whatever reason you want to move from Salesforce.com to another provider or to an internal system.

In summary, do you have an exit strategy for whatever application or service you are using to hold your information? If not, then developing one should be high on your new year’s resolution list.

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Founder and Principal
Seacliff Partners International, LLC

We’re From The FBI And We’re Taking Over

You may remember a scene in the movie Passenger 57 where Federal Bureau of Investigation agents come into the airport and pretty much attack the town’s stereotypically incompetent police chief who is holding Wesley Snipes’ character as a prisoner while the terrorist is getting away. After Snipes is released, he starts barking orders to the FBI agents which they follow blindly.

How many other movies have you seen where the FBI rushes in and takes over? In reality, this doesn’t happen. In fact, at the request of local law enforcement agencies, the FBI quietly provides investigative support and many times their involvement isn’t even mentioned.

Where did I learn this? During the month of October 2009, I spent three hours one evening a week in a classroom at the FBI’s Silicon Valley Regional Computer Forensics Laboratory (RCFL), followed by a Saturday at the Alameda County Firearms Training Facility, to take part in the FBI Citizen’s Academy.

FBI Citizen’s Academy and InfraGard

Who attends? Business, civic, and religious leaders, each nominated by a Bureau employee or a previous Academy graduate. You must be at least 21 years old (with no prior felony convictions) and must live and work in the area covered by the field office sponsoring the academy. Because classified techniques used in criminal and national security cases are discussed, nominees must undergo a background check and get an interim security clearance.

Who teaches? Stephanie Douglas, the Special Agent in Charge (SAC) of the San Francisco field office, her Assistant Special Agents in Charge (ASAC), Supervisory Special Agents (SSA), and Special Agent (SA) experts came in to talk to the thirty of us about their job duties and to draw back the curtain that some people think masks the real FBI.

Even if you have no interest in the Citizen’s Academy, employees of companies involved in food production, high tech, infrastructure services, or other key products and services should seriously consider joining their local chapter of InfraGard. This is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. I joined InfraGard while working for a company which was having problems with product counterfeiting overseas.

Special Agents and Everyone Else

The FBI is made up of two populations: Special Agents and everyone else. The Special Agent title is used to describe a criminal investigator or detective. Competition for an SA position is extraordinarily fierce, with often less than 5% of qualified applicants eventually working for the FBI.

SAs are required to have at least an undergraduate degree and three years work experience, and must be hired on or before their 37th birthday. Once hired, they receive a minimum of five months of basic training at the FBI Academy in Quantico, Virginia followed by more specialized training. The FBI follows a practice of lifelong learning ensuring that agents are always up on the latest tools and techniques. SAs are armed and have the power to arrest and conduct investigations into the violation of federal laws.

Everyone else refers to a wide range of professionals. Because of the breadth and scope of the FBI’s mission, they employ professionals in fields as varied as intelligence analysis, laboratory sciences, linguistics, security, information technology, human resources, general management, and so on.

While some agents work undercover out of necessity, the FBI is much more open than other government agencies such as the Central Intelligence Agency (CIA) and National Security Agency (NSA). Some people seem to think that the FBI hides their real work, but this curtain is not put in place by the FBI. It’s just that we tend to believe what we see in movies rather than taking a trip to the FBI’s web site to learn for ourselves what FBI staffers do for a living.

The Mission

The FBI’s mission has ten priorities, and they are in place to protect us not only from terrorists, but also from white collar criminals, such as Bernie Madoff, unscrupulous mortgage brokers, and sleazy politicians.

This is what the FBI’s priorities look like in 2009:

  1. Protect the United States from terrorist attack
  2. Protect the United States against foreign intelligence operations and espionage
  3. Protect the United States against cyber-based attacks and high technology crimes
  4. Combat public corruption at all levels
  5. Protect civil rights
  6. Combat transnational and national criminal organizations and enterprises
  7. Combat major white-collar crime
  8. Combat significant violent crime
  9. Support federal, state, local and international partners
  10. Upgrade technology to successfully perform the FBI’s mission

Sick Puppies

Some of the hardest cases to work include human trafficking and crimes which target children. Human trafficking falls under the FBI’s civil rights program, while crimes against children can fall under multiple categories. SAs in this section are working with some of the most heinous crimes against the innocent and the persons who perpetrate them.

There is a difference between human smuggling and human trafficking, although the former sometimes becomes the latter. Smuggling is bringing someone into the USA at their behest, while trafficking is kidnapping on steroids.

It’s sad but true: in almost every country around the world, people are being bought and sold. They are trapped in lives of misery—often beaten, starved, and forced to work as prostitutes or to take grueling jobs as migrant, domestic, restaurant, or factory workers with little or no pay. It’s even worse when the person being trafficked is a child and worse still when the child is being used for sexual gratification.

It takes a very special agent to work in The Innocent Images National Initiative (IINI), a component of the FBI’s Cyber Crimes Program. The mission of the IINI is to reduce the vulnerability of children to acts of sexual exploitation and abuse which are facilitated through the use of computers; to identify and rescue child victims; to investigate and prosecute sexual predators who use the Internet and other online services to sexually exploit children for personal or financial gain; and to strengthen the capabilities of federal, state, local, and international law enforcement through training programs and investigative assistance.

My blood runs cold when I think of children being tortured, raped, or killed to fulfill someone’s sick fantasies – and imagine if your job was to look at hundreds of these images a week so that you can track down the perpetrators. SSA Jack Bennett is one of the very special people who do this dirty job because it saves lives.

Mortgage Fraud

SA Brian Webber and SSA Fran Gross came to class to talk to us about mortgage fraud. From foreclosure fraud to subprime shenanigans, mortgage fraud is a growing crime threat that is hurting homeowners, businesses, and the national economy. You know, the thing that almost totally destroyed the US economy over the last year?

The Prieston Group estimates that annual losses are from $4-6 billion. And it isn’t just the big boys who are screwing us over. There are over 2,400 pending FBI mortgage fraud investigations (through 4/30/09). We learned about one method which first calls upon an unscrupulous appraiser to overvalue a home, then follows up with a dumb or desperate, but usually innocent, person (called the straw man) to take out a loan to buy the house.

It goes something like this: A worthless home is bought by the suspect and an appraiser in on the deal overvalues the home. A straw man (who needs a good credit score) uses the bogus appraisal to get a loan to buy the house from the suspect. The suspect and the appraiser take the bulk of the money and may or may not give some to the straw man, who defaults on the loan. When the bank repossesses the house, they discover that it is worth substantially less than the loan and the straw man probably will be left with a ruined credit rating. The suspect and the appraiser repeat the process.

Note to self: If someone comes to you with a real estate deal that offers you the chance to make money by signing your name to loan documents for a piece of property you have no interest in buying, be suspicious. As with all things, if it sounds too good to be true, it probably is – and you could be left on the hook for the money or charged with a crime.

Too Good To Be True

Between 2005 and 2007, victims were persuaded into investing at least $50,000 with Metro Dream Homes, either by refinancing their existing homes or buying new homes at inflated prices.

Investors were told not to worry about high mortgages because Metro Dream Homes would pay their future monthly payments and pay off their mortgages within five to seven years using returns on the homeowner’s original investment. Then the homeowner and Metro Dream Homes would own an equal interest in the home.

Victims were told that their $50,000—not including an administrative fee of up to $5,000—would be used to fund investments in automated teller machines, flat-screen TV displays that carried commercial advertisements, and Touch-N-Buy electronic kiosks that sold telephone calling cards and other items.

To make the scam seem more legitimate, the company marketed its program through live presentations at posh hotels in Washington, D.C.; Baltimore; and even Beverly Hills, California.

In the end, it was a classic Ponzi scheme: the proceeds from later investors went to pay the mortgages of earlier investors. The ATMs, flat-screen TVs, and electronic kiosks never generated any meaningful revenue, federal prosecutors contend.

And the bulk of the money? It lined the defendants’ pockets—with $200,000-a-year salaries, luxury cars, and travel to major sporting events like the 2007 Super Bowl.

By the time law enforcement shut down the company, homeowners had already invested about $70 million. When Metro Dream Homes stopped making the mortgage payments, the homeowners were left holding the bag. The defendants, meanwhile, are facing long prison terms for multiple counts of fraud, conspiracy to commit money laundering, and other charges.

Back To The Future

I originally started this article with a statement about how FBI agents don’t come barging in to take over an investigation from local law enforcement. In fact, the FBI uses its own budget to train local law enforcement so that they can help themselves. It turns out that the largest of the Bureau’s training efforts for non-FBI personnel is for local and state police, who are trained at the field level under the Field Police Training program.

One of the FBI’s oldest and most prestigious law enforcement training programs is the National Academy at Quantico for foreign, state, and local officers. Since 1935, nearly 35,000 police executives have completed the National Academy’s ten-week management course. Through this program, the FBI has developed excellent contacts with domestic and foreign officers and fostered relationships which have greatly increased cooperative investigations across the country and around the world.

These are the relationships that make it easier for a local police force to reach out to the FBI for help when their own resources are tapped out.

Citizen’s Academy Alumni Association

Graduates of the FBI Citizens’ Academy are invited to join its Alumni Association. This organization is a community-based and supported organization, distinct and separate from the FBI. Its purpose is to promote a safer community through community service projects and a process of educating business, labor, media, medical, minority, religious, government, senior citizens, and other community leaders about law enforcement, with particular emphasis on the mission, resources, and limitations of the FBI.

Just like InfraGard, members of the Citizen’s Academy Alumni Association are not Junior G-Men and there is nothing nefarious going on. We have no law enforcement authority nor other special powers, and no, we don’t carry guns. We do share a common spirit to uphold the rights of all citizens and we meet once a quarter for a briefing from our local FBI office on what’s up in our community and what we can do to help both the FBI and our fellow citizens.

It’s All About Sharing

The FBI commonly works in task force environments where representatives from a multitude of jurisdictions are engaged together to target a specific crime problem (e.g. gangs). And while it can investigate cases start to finish on its own, the FBI also supports local law enforcement, whether it be for crimes involving civil rights, kidnappings, child pornography, crimes against children, gangs, or other instances where there is overlapping jurisdiction. In some cases, it will pursue federal prosecutions alongside state cases. If the local cases do not go anywhere, but there is still a valid federal case, the FBI will take on sole responsibility.

Most importantly though, the FBI shares much of the information which it gathers. Anyone is welcome to visit their web site, citizens involved in supporting our nation’s infrastructure are welcomed into the InfraGard public/private partnership, and community leaders are invited to attend the Citizen’s Academy. So the next time you see a movie or TV show where the FBI rushes in, kicks out the locals, and tells them to get lost, you know it’s only because it’s a movie.

An Untested Plan Is Worse Than No Plan At All

I can only assume that someone at TATA’s London Data Center knew this at one time. However, when the rubber met the road, all they got were skid marks. As you can see from this marketing brochure, the state-of-the-art facility was designed with an uninterruptible power supply (UPS), redundant generators, and a redundant utility feed.

But when the power went out and the UPS failed, firms including C4L, ServerCity and Coreix were taken out with it. C4L’s report to its customers said: “We found it very difficult to get a hold of our supplier as it appears they base their entire operations out of this data center. Phones were down and emails simply bounced back.”

Even more interesting is that TATA appears to have been completely unaware of the power outage until a customer contacted them at 4:45 PM to report that their monitors were showing the data center’s temperature rising. At 6:55 PM a power engineer arrived to find that the UPS batteries were depleted and the three generators failed to start.

In other words, the data center was dead and stayed that way until systems started coming back online at 7:30 PM. TATA finally called its customers at 9:50 PM to let them know that the utility power was back but was at risk for another 8 hours until the UPS batteries were fully charged.

What Did We Learn From This?

I am playing armchair business continuity planner here, and I could be wrong in my assumptions, but here they are so that you can check your own BC plan for similar issues.

  • It appears that TATA was not monitoring the temperatures (or power for that matter!) in its data center which could have provided an indication that something was wrong. Do you monitor your data center’s vital signs at multiple locations?
  • When the power went out, there was no way to reach TATA because they apparently base all of their operations out of one data center instead of distributing them. If you run mission critical operations, do you have a backup site? At a minimum, do you have a backup site for your organization’s command and control functions?
  • TATA’s phones apparently don’t work when the power goes out. If you rely on Voice over Internet Protocol (VoIP) phones, they will stop working when the power fails. You should have at least one Plain Old Telephone Service (POTS) line in every critical location so that you can make and receive calls when the rubber meets the road.
  • Why didn’t the generators come online? Were they regularly tested? Did they have fuel?

Some Other Thoughts

  • Do you know how much time you have between a power failure and battery depletion?
  • Do you have an emergency shutdown plan for your servers in case the power fails and the generators don’t come online? A controlled shutdown is better than a crash which could corrupt disk volumes and databases.
  • Do you have a process to follow when the power comes back online? Do you know which systems need to come up before other systems?
  • Do you have a systems priority list to follow if you don’t have enough power to bring the whole data center back online?
  • If the entire data center cannot be powered back up immediately, which systems need to come up first and which can wait?
  • If you have generators, do you ensure that they are maintained, fueled, and regularly tested with the full data center running off of them?
  • Does your change control process include reevaluating your UPS capacity when new equipment is installed in protected areas?
  • If you host your servers or rely on cloud computing, do you know with absolute certainty how they are being protected?
  • If you are hosting mission critical operations, have you thought about using multiple service providers?
  • Do you have alternate power supplies for life safety and security systems?
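Several of the questions above (battery runtime, a controlled shutdown plan, which systems come up first, and a priority list for a partially powered room) can be checked before the lights go out. The following is an added example, not code from the post or from TATA: it takes a constructed map of services and what each depends on, a constructed UPS capacity and per-service power draw, and produces a dependency-ordered shutdown plan that fits the battery time, plus a restart plan that honours both priority and dependencies when only part of the load can be restored. All service names and numbers are made up for illustration.

```python
"""Power-loss runbook check (added example; services and figures are constructed)."""


def startup_order(deps):
    """Kahn's topological sort: each service appears after everything it depends on.
    Ties are broken alphabetically so the plan is reproducible; a cycle raises."""
    indegree = {s: len(d) for s, d in deps.items()}
    dependents = {s: [] for s in deps}
    for s, d in deps.items():
        for dep in d:
            dependents[dep].append(s)
    ready = sorted(s for s, n in indegree.items() if n == 0)
    order = []
    while ready:
        s = ready.pop(0)
        order.append(s)
        for t in dependents[s]:
            indegree[t] -= 1
            if indegree[t] == 0:
                ready.append(t)
        ready.sort()
    if len(order) != len(deps):
        raise ValueError("dependency cycle: no valid startup order")
    return order


def shutdown_order(deps):
    """Dependents go down before the services they rely on."""
    return list(reversed(startup_order(deps)))


def ups_runtime_minutes(capacity_wh, load_w, usable_fraction=0.8):
    """Rough battery runtime. usable_fraction stands in for aged cells and
    inverter losses; the real number comes from a load test, not a data sheet."""
    return capacity_wh * usable_fraction / load_w * 60


def plan_shutdown(deps, shutdown_minutes, runtime_minutes, margin_minutes=5):
    """Walk the shutdown order and stop at the first service whose clean shutdown
    would not finish before the batteries are exhausted (less a safety margin).
    Everything from that point on loses power uncontrolled. Deliberately
    conservative: load drops as services go down, buying time this ignores."""
    budget = runtime_minutes - margin_minutes
    clean, uncontrolled, elapsed = [], [], 0
    for s in shutdown_order(deps):
        if not uncontrolled and elapsed + shutdown_minutes[s] <= budget:
            clean.append(s)
            elapsed += shutdown_minutes[s]
        else:
            uncontrolled.append(s)
    return {"clean": clean, "uncontrolled": uncontrolled, "minutes_used": elapsed}


def restart_plan(deps, priority, power_w, available_w):
    """Choose services by priority (1 = most critical), always pulling in their
    full dependency closure, and stop adding once the power budget is spent.
    Returns the chosen services in startup order and the watts committed."""
    order = startup_order(deps)
    closure = {}
    for s in order:  # dependencies precede s in order, so their closures exist
        closure[s] = set()
        for d in deps[s]:
            closure[s] |= closure[d] | {d}
    chosen, used = set(), 0
    for s in sorted(deps, key=lambda x: (priority[x], order.index(x))):
        need = (closure[s] | {s}) - chosen
        cost = sum(power_w[x] for x in need)
        if used + cost <= available_w:
            chosen |= need
            used += cost
    return [s for s in order if s in chosen], used


# Constructed example site: each service lists what must be up before it.
DEPENDENCIES = {"core-switch": [], "san": ["core-switch"], "dns": ["core-switch"],
                "database": ["san", "dns"], "web": ["database", "dns"],
                "batch-reports": ["database"]}
# Constructed: minutes for a clean shutdown, steady-state draw in watts, restart priority.
SHUTDOWN_MINUTES = {"core-switch": 1, "san": 6, "dns": 1, "database": 10, "web": 2, "batch-reports": 3}
POWER_W = {"core-switch": 300, "san": 900, "dns": 150, "database": 1200, "web": 600, "batch-reports": 800}
PRIORITY = {"core-switch": 1, "san": 1, "dns": 1, "database": 2, "web": 2, "batch-reports": 5}

if __name__ == "__main__":
    runtime = ups_runtime_minutes(2000, sum(POWER_W.values()))  # 2 kWh UPS, full load
    print(f"UPS runtime at full load: {runtime:.1f} min")
    print("shutdown plan:", plan_shutdown(DEPENDENCIES, SHUTDOWN_MINUTES, runtime))
    print("restart on 2.7 kW:", restart_plan(DEPENDENCIES, PRIORITY, POWER_W, 2700))
```

With these constructed figures the batteries give about 24 minutes at full load, which is enough to take the web tier, the batch jobs and the database down cleanly but not the storage and network underneath them; that gap is exactly what the armchair planner wants to discover in a drill rather than, as at TATA, with depleted batteries and three generators that never started. The restart half of the check also shows why a bare priority list is not enough: the database outranks the SAN on paper, but it cannot be brought up without it, so the plan drags the dependency along.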

Any other thoughts on this topic?