AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

On Data Encryption Software, Money Mules, and Monsters

Most don't see the point behind a conscious effort to use data encryption to protect "not-sensitive" information.  Today, I'm hoping to give that perception a little twist by commenting on the rise of the money-mule problem.  I'm going to take a detour and cross some byways to make my point.

  • A numbers game
  • A numbers game II
  • How money mules are recruited
  • Does it need protection?
  • FBI will go after money mules

A Numbers Game

One year ago, Monster.com, an on-line job site, had a data breach.  Unidentified hackers broke into their servers, and names, phone numbers, and passwords--in addition to e-mail addresses--were stolen.  It has happened to plenty of organizations: banks, brokers, competing job sites, etc.

Let's suppose only e-mail addresses had been stolen.  Is that such a bad thing?  One might argue "no."  The internet is full of e-mail addresses.  People pass them around and post them publicly.  How could one possibly argue that something is to be made private, to be protected, when it's been flung into the darkest reaches of cyberspace, and is useful only when it's shared, and shared widely*?

In past posts, I noted that the theft of seemingly not-sensitive data was cause for alarm when it involves massive amounts of data, especially when there is an unacknowledged variable**.  For example, stealing an e-mail address seems quite trivial.  One could argue that stealing hundreds of thousands of them might be trivial as well, on the presumption that people won't fall for random spam and phishing attacks (I know, studies and polls prove otherwise).

However, the theft of e-mail addresses from Monster.com poses problems because of an unacknowledged variable: it's from Monster.com**.  And, the hackers know this.

* We'll suspend arguments on "I never post my e-mail addresses on public forums" etc. since it isn't relevant in this case: the fact that you have an unlisted number doesn't change the fact that phone numbers, in general, are not considered to be sensitive information.  Likewise for e-mail addresses.

** I guess I should come up with, or look around for, better terminology.  I call it an "unacknowledged variable" because most people don't acknowledge the impact of a certain, obvious variable, parameter, element, etc.  Most don't differentiate between "a massive data set from [some company]" and "a massive data set" when that data set is breached, except to assign blame.  There are ramifications, though, when it comes to the quality of the data.  Why this is important will be clarified below.

A Numbers Game II

There was a scam that used to prey on investors in the stock market.  I like it so much that I've mentioned it before:

Described in John Allen Paulos’ Innumeracy, the stock market scam is a game of probability (some would say certainty).  You cull 10,000 names and addresses from the phone book.

For half of them, you send a letter claiming the stock market is going to go up next week; for the other half that it’s going to go down.  Next week, you target the 5000 names for whom your “prediction” was correct.  Half of them get a second letter saying the market is going to go up; the other half, down.  Rinse and repeat as needed.

At the end of this process, you will get a handful of believers that think you’re the best trader since Warren Buffett and George Soros combined.  You tell them they won’t get the final letter unless you get $10,000 from each one.  With the impressive track record, investors send you money. [April 2008]

The above scam is effective under one particular condition, though: you have to mail people who are interested in, and have the means to buy, stock.  That's the unacknowledged variable in this case. (The scammers usually got hold of a client list from a brokerage firm, if you must know.)

Let's turn back to our hypothetical Monster.com situation.

How Money Mules are Recruited and Become Profitable

A money mule is a person who transfers stolen money or merchandise from one country to another, either in person, through a courier service, or electronically. [Wikipedia entry on money mule]

Where unwitting mules are being recruited, the basic process is the same as in the stock market scam: scammers get in touch with the right people, make them an offer they won't refuse, and profit.

So, where can the "right people" be found?  Monster.com, where people sign up because they're specifically looking for a job.  But what about the scam?  Krebs has a great write up on it:

Money mules typically are first contacted by e-mail, usually with a greeting that claims the prospective employer found the recipient’s resume on Careerbuilder.com, Monster.com, or some other job search site. The fraudsters usually represent themselves as international finance or tax companies that are looking to hire “financial agents” to help customers move their money abroad speedily. Candidates often are told the position is a work-at-home job, that no experience is necessary, and that they need only have access to a computer with an Internet connection. [Krebs on Security]

Would the scam work if scammers had sent e-mails to random people?  Probably; there's always someone looking for a gig.

But, the driving force of successful scams lies in putting the odds on the scammer's side.  When it comes to money mules, the odds of signing up a mark who's posted his resume on Monster.com, vs. another whose e-mail address was obtained from "somewhere on-line," are very different.  For one, scammers know that the people at Monster.com are looking for a job, which translates to "I know they are looking to make money."  The odds of someone falling for a scam just increased dramatically.

Long story short: there is a qualitative difference between a list of e-mail addresses obtained by hacking Monster.com and another that was compiled by trawling through blogspot.com, even if in both cases the actual data in and of itself is generally regarded as "not-sensitive."

Does It Need Protection?

Should companies like Monster.com use encryption software, such as AlertBoot, to protect their data?  Of course.  But what about data that, at first glance, doesn't look like it needs protecting, such as e-mail addresses?

Such information is probably encrypted in Monster.com's case because e-mail addresses are also tied to passwords, names, etc.  However, if it were just a separate list of e-mail addresses?

The decision to encrypt something is not as straightforward as you'd think it is.  There are real concerns related to the expenditure of time, resources, energy, etc.  If one does end up encrypting the data, then additional resources must be dedicated to key management, password security, backups, and so on.

Some note that if you're even considering encrypting it, perhaps it's because it deserves encryption; you're just wondering whether you want to go through the hassle of it.

I must admit that I myself remain divided on the issue.  On the one hand, theory (e.g., numbers game) and reality (e.g., money mules) show that there is something to the idea of protecting even seemingly non-sensitive data.

On the other hand, my "other" brain keeps remarking how stupid it sounds.  Wouldn't it be tantamount to encrypting the white pages because the unacknowledged variable is "Boston Metropolitan Area?"  I mean, the theoretical danger of someone picking up the white pages and posing as a court officer is not far-fetched:

For example, another scam making the rounds is when a person from court calls you up, demanding to know why you haven't shown up for jury duty.  He offers you a fine and incarceration, or for jury duty to be deferred.  You're gonna defer?  Oh.  He'll need your full name and SSN to make sure he's talking to the right person and to complete the paperwork. [Feb 2009]

I guess the question is, how much of a risk are you willing to take?  Unfortunately for me, this can only be answered by you, reader.  If it were up to me, I'd say go ahead and encrypt: but I'm not the one that deals with the key management, backups, password security, etc.
 
(Granted, if you use AlertBoot managed encryption, a sizable portion of that would be off the table for you as well.)

The FBI is Coming After You: Willing Mules (and Unwitting Ones)

One final thing on the issue of money mules.  In the past, people who've been caught working as a money mule, knowingly or otherwise, faced the real possibility of being responsible for any monies they wired overseas: if they sent $60,000 to Icantspellittkstan, they were left holding the bag when the bank and the authorities came a-knockin'.

According to krebsonsecurity.com, the FBI is going after money mules--unwitting as well as willing ones.  Despite the fact that money mules are victims, at least the unwitting ones are, they are also the ones that are allowing hackers to profit from their illegal activities.

It's a controversial issue, as can be testified by the rather long comment section at krebsonsecurity.com.

If you'd like to learn more about money mules and the scams that take them in, visit krebsonsecurity.com.  He does an excellent job on covering these and other data security stories and issues.

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.