Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Historical CD Universe evidence compromised

  • From: Paul Howell
  • Date: Fri Jun 09 08:10:42 2000

At http://www.msnbc.com/news/417406.asp?cp1=1

CD Universe evidence compromised
Failure to protect computer data renders it suspect in court
By Mike Brunker and Bob Sullivan
MSNBC

  June 7 - Six months after "Maxim" broke into the computers of
Internet retailer CD Universe and stole 300,000 credit cards,
U.S. authorities have been unable to find the thief. And even if they
do, they are unlikely to be able to successfully prosecute
the case because electronic evidence collected from the company's
computers was not adequately protected, MSNBC.com has learned.
  THOUGH THE FBI indicates the theft and subsequent
extortion attempt remain under investigation, a source
familiar with the case said the failure to preserve the
electronic evidence had virtually eliminated the possibility of
a prosecution. 
  "The chain of custody was not established properly,"
said the source, who spoke on condition of anonymity.
  A second source, also speaking on condition of anonymity,
confirmed the account.
   "This is a case that is not going to get solved," said the
second source. "It's like the O.J. Simpson case, the
evidence is tainted. Even if you find whomever, how do you
prosecute it?"
  
"CHAIN OF CUSTODY"
  "Chain of custody" refers to the process by which
computer forensics specialists preserve the crime scene,
i.e., the computer logs on the hard drive of the network server,
so that an intruder's actions can be traced. Each step in
the process must be carefully documented so that, if the
case gets to court, prosecutors can show that the electronic
records were not altered as the investigation progressed.
   Initial reports suggested Maxim orchestrated the crime
from Eastern Europe, but that has never been confirmed. If 
true, it would mean the odds against his arrest and prosecution
already were extremely long. 
   But the inability to use electronic evidence in court virtually 
guarantees that the thief, who claimed to be a 19-year-old Russian 
male in e-mail conversations with reporters after news of the theft 
became public in January, will never be brought to justice.
  It is not clear exactly how the CD Universe evidence
was compromised, but it apparently occurred in the initial
frenzy in the company's Wallingford, Conn., headquarters
as FBI agents and employees from three computer security
firms worked feverishly to determine how the thief got into
the company's network and to shore up network defenses,
the sources said.
  Representatives of the three companies (Network
Associates, Kroll O'Gara and Infowar.com) did not
return calls seeking comment.
  
FIRST ON THE SCENE
  A spokesman for Network Associates contacted
MSNBC.com days after the break-in saying the company
was conducting a review of security at CD Universe.
Sources said experts from Kroll O'Gara and Infowar.com
arrived on the scene later.
  Brad Greenspan, president of eUniverse, parent
company of CD Universe, said he had no knowledge that
the data culled from the music retailer's computers could
not be used in court.
  "We've complied with the federal authorities and
stepped back and let the FBI do their investigation," he
said. 
  Lisa Bull, a spokeswoman for the FBI's field office in
New Haven, Conn., declined to comment on the
investigation other than to confirm that it remains open.
Other FBI officials also declined to confirm or deny that
the electronic evidence had been improperly catalogued.
  Preserving computer data for use in court requires the
use of stringent checklists and procedures to prevent files
from being overwritten and thereby making it impossible to
prove that they were not altered after the fact, explained
Joan Feldman, president of Computer Forensics Inc. in Seattle.
  "On a PC running Windows or NT, for example, if you
go into Explorer and click on a file, you've automatically
changed the last-access date," she said, using the familiar
home computer to draw parallels to working in a server
environment. "If I'm working on the only copy and I've just
changed the last-access date, that's an important piece of
data if I'm trying to authenticate evidence."
  
COMMUNICATION BREAKDOWN POSSIBLE
  Without knowing the circumstances under which the
CD Universe data was allegedly compromised, Feldman
said a breakdown in communication would be the most
likely cause of such a loss of documentation.
   "Mistakes happen," she said. "Somebody doesn't tell
somebody that it's the only copy. That's the kind of area
where it would break down."
  She also speculated that CD Universe employees and
personnel from the security consulting firms may have been
more concerned about figuring out how Maxim gained entry
to the network rather than preserving the evidence. 
  Questions about the evidence in the CD Universe case
may well turn out to be moot, as there has been no
indication that investigators are making headway in their
attempts to track down Maxim.
  In fact, it remains a mystery how the computer criminal
was able to penetrate CD Universe's network and seize
what he claimed was data on 300,000 credit cards. He later
posted information on roughly 25,000 cards on a Web site
after failing to extort at least $100,000 from the music
retailer. 
  Maxim, in e-mail conversations with MSNBC.com and
other news organizations after his exploits became known,
stated that a security flaw in IC Verify credit-card
processing software allowed him to gain access to the data. 
  But Cybercash, the company that makes IC Verify,
denied the charge and neither public nor private
investigators have come forward to clarify the situation, a
move that would allow other retailers to plug the hole.
  
UNENCRYPTED LOGS
  A source familiar with the product told MSNBC.com,
however, that IC Verify does create clear text (that is,
unencrypted) logs of credit card data and stores the
information in two files on the server. 
  The merchant can change the location of this vulnerable
store of data, but many small business owners who
purchase the product aren't tech-savvy enough to realize the
danger, said the source, an information-systems consultant
with nearly 30 years' experience.
  "You could make it more secure; the problem is that
nobody ever tells you you need to," said the source, who
spoke on condition of anonymity.
  And despite the six months of investigation, it also
remains unclear how much fraud was perpetrated with the
stolen cards. MSNBC.com has anecdotal evidence that
some cardholders' accounts were fraudulently used, but
Visa and MasterCard said that they do not have any overall
breakdown of fraud statistics that would allow them to
determine a figure for losses attributable to the theft.
  "But certainly we've seen no uptick as a result of this
case or fraud in general,? said Sean Healy, a spokesman for
Visa USA, noting that fraud rates remain at historic lows
even though the level for Internet transactions is 9 cents per
$100 as compared to 6 cents per $100 for
brick-and-mortar transactions.
  He also cited the credit-card company's zero-liability
policy for customers whose credit cards are used for
financial fraud.
  
A VICTIM'S FRUSTRATION
  But Karen Jones of Sebastopol, Calif., said that while
she has suffered no monetary loss since her Visa card was
posted on the Web by Maxim, the theft has caused her a
considerable amount of grief. She figures she has spent
roughly 10 hours a week since Dec. 30 corresponding with
credit card companies and dozens of merchants and
vendors to get more than $4,000 in fraudulent charges
removed from her account. 
  And even after she canceled her credit card and
opened a new one, charges from the old card continued to
find their way onto her new account. 
  She finally was able to put a stop to the credit
cross-pollination by contacting the Visa International office
in Tokyo. A Visa International spokeswoman said the
forwarding of charges to the new account was "not a
normal operating practice," and indicated that it would be
the responsibility of the bank that issued the card to correct
the problem.
  Jones said that while her experience was extremely
educational, it also was frustrating. 
    "There's nobody out there, there's no
agency, that is willing to take on the individual
cardholders," she said. "... It's you and the bank that issues
you the card."
  And after spending countless hours trying to get the
fraudulent charges erased, she has a piece of advice for
anyone who finds themselves in a similar position.
  "I would say don't waste your time like I did," she
said. "Let the Visa issuer worry about it."
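The chain-of-custody point in the article (hash and record the original before anyone touches it, then work only on a copy, so that any later alteration is provable) can be shown with a small evidence-acquisition routine. This is an added example, not code from the article, Merit, or any of the firms named; the log lines are constructed sample data and the file names are arbitrary.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample: two web-server log lines standing in for the
# evidence an examiner would find on a compromised server (not real data).
SAMPLE_LOG = (b'10.0.0.5 - - [30/Dec/1999:02:14:07] "GET /cgi-bin/order.cgi HTTP/1.0" 200\n'
              b'10.0.0.5 - - [30/Dec/1999:02:14:09] "GET /data/ HTTP/1.0" 403\n')


def sha256_file(path):
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original, workdir):
    """Record hash, size and timestamps of the original FIRST, then copy it.

    All later analysis happens on the copy; the record is the custody entry."""
    st = os.stat(original)                  # stat before anything reads the file
    copy = os.path.join(workdir, "working_copy.log")
    shutil.copy2(original, copy)            # copy2 also carries over mtime/atime
    return {"original": original, "copy": copy, "size": st.st_size,
            "sha256": sha256_file(original),
            "mtime": st.st_mtime, "atime": st.st_atime,
            "acquired_utc": datetime.now(timezone.utc).isoformat()}


def verify(record, path):
    """Return (ok, reason): does the file still hash to what was recorded?"""
    if sha256_file(path) != record["sha256"]:
        return False, "content hash mismatch"
    return True, "matches acquisition record"


def demo():
    """Acquire a sample log, then show that a later 'cleanup' edit is detectable."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "access.log")
        with open(original, "wb") as f:
            f.write(SAMPLE_LOG)
        rec = acquire(original, d)
        before = verify(rec, rec["copy"])   # working copy is provably identical
        with open(original, "ab") as f:     # someone edits the only original
            f.write(b"# patched by admin\n")
        after = verify(rec, original)       # the record now proves tampering
        return before[0], after[0], after[1]
```

The record dictionary is what gets written into the custody log; without it, an altered original and an untouched one are indistinguishable in court.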