Liar, Liar, and Pretexting
Mark Rasch, 2006-09-19

Story continued from Page 3


In order for the information to be considered “property,” not only must it be non-public, but it must have “value.” Sure, HP paid the lawyers, who paid the investigators, who expended some time and effort to obtain the information by fraud and deception. And sure, the phone company spent some time and effort to create these records, but does this mean that the information itself is “property” with value? Hard to say.

The fraud laws speak of obtaining a “thing of value,” and there is no doubt that the HP management thought the records were of value to their investigation. But if you falsely tell a woman you love her to induce her to spend the night, do you obtain a “thing of value”? Sure. Did you do it by fraud or deception? Let’s assume so. Is that a criminal offense? I am not going near that question with a ten-foot pole.

Virtual Pretexting

While we don’t know the exact manner in which the pretexting occurred, it is likely that the investigators did not just pick up the phone and call AT&T, claiming to be the HP Board member or journalist about whom they were seeking information. Rather, with access to the databases they already had, they likely learned the names, addresses, social security numbers, and other personal information about their targets (for the Board of Directors, this information was probably in HP's human resources or similar files).

As a convenience, my bank, insurance company, 401(k) manager, cable TV provider, and yes, telephone company, all allow me to access my documents electronically. Let’s face it, it’s cheaper and easier for all of us when I can get a copy of my bill and statements electronically. But this convenience comes at a price. Making this personal information web accessible dramatically increases the likelihood that the database can be hacked, or that the password and/or userid can be guessed or social engineered. Even if I pick hard-to-guess passwords, and the site has good security, there is still a major flaw. You see, the security helps me only if I know that an account has been set up. The HP investigators may have created online accounts for the HP Board members and journalists using the information they already knew from the databases. While the access to the databases would be clearly unauthorized, it’s not clear whether the userid and password are a key, making the resulting access a trespass, or an ID card, making the resulting access false personation. Courts and prosecutors have both gone both ways on this issue. What is clearly needed is much stronger authentication at the account formation stage, but alas, this might discourage use and cut into convenience.
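The weakness described above is that a knowledge-based enrollment step treats facts a third party can learn (last four of the SSN, address, date of birth) as proof of identity, so whoever enrolls first owns the account and the real customer is never told. The following model, written as an added example for this column and not taken from HP, any carrier or any vendor, contrasts that policy with enrollment gated by a single-use code delivered out of band to the address of record, with a notice sent on every request. The class and function names (`EnrollmentService`, `kba_enroll`, `oob_request`, `oob_confirm`, `simulate`) and the customer record are constructed assumptions for illustration.

```python
"""Two online-account enrollment policies side by side (constructed example).

Policy 1 (weak): knowledge-based; anyone holding the record data enrolls.
Policy 2 (hardened): possession-based; a single-use, expiring code goes to
the address of record, and the customer is notified of every request.
"""
import hmac
import secrets
import time

# Constructed customer-of-record data, as a carrier's database might hold it.
# These are exactly the facts a pretexter could also learn elsewhere.
CUSTOMER_OF_RECORD = {
    "account_no": "555-0100",
    "last4_ssn": "1234",
    "postal_address": "1 Example Way, Palo Alto, CA",
    "dob": "1950-01-01",
}


class EnrollmentService:
    def __init__(self, record, code_ttl_seconds=15 * 60):
        self.record = record
        self.enrolled_by = None   # who ends up holding the online credential
        self.pending = {}         # account_no -> (code, expiry timestamp)
        self.notices = []         # (address of record, code) messages sent
        self.code_ttl = code_ttl_seconds

    # Policy 1: the "ID card" problem. Matching record data is all it takes.
    def kba_enroll(self, claimant, last4_ssn, postal_address, dob):
        on_file = (self.record["last4_ssn"], self.record["postal_address"],
                   self.record["dob"])
        if (last4_ssn, postal_address, dob) == on_file:
            self.enrolled_by = claimant
            return True
        return False

    # Policy 2, step 1: issue a code only to the address already on file,
    # which also serves as the notice that someone asked to enroll.
    def oob_request(self, account_no):
        if account_no != self.record["account_no"]:
            return None
        code = secrets.token_hex(4)
        self.pending[account_no] = (code, time.time() + self.code_ttl)
        self.notices.append((self.record["postal_address"], code))
        return "code sent to address of record"

    # Policy 2, step 2: the code must be unexpired and is consumed on the
    # first attempt, right or wrong, so it cannot be guessed repeatedly.
    def oob_confirm(self, claimant, account_no, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(account_no, None)
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry or not hmac.compare_digest(expected, code):
            return False
        self.enrolled_by = claimant
        return True


def simulate():
    """Replay the column's scenario under each policy and report outcomes."""
    results = {}
    investigator, customer = "investigator", "customer"

    # Weak policy: the investigator already knows the record data.
    weak = EnrollmentService(CUSTOMER_OF_RECORD)
    results["weak_pretexter_enrolled"] = weak.kba_enroll(
        investigator, "1234", "1 Example Way, Palo Alto, CA", "1950-01-01")

    # Hardened policy: the code never reaches the investigator, who must guess.
    hard = EnrollmentService(CUSTOMER_OF_RECORD)
    hard.oob_request("555-0100")
    results["hardened_pretexter_enrolled"] = hard.oob_confirm(
        investigator, "555-0100", "00000000")

    # The real customer, who received the notices, enrolls with a fresh code.
    hard.oob_request("555-0100")
    _, real_code = hard.notices[-1]
    results["hardened_customer_enrolled"] = hard.oob_confirm(
        customer, "555-0100", real_code)
    results["customer_notice_count"] = len(hard.notices)

    # A code replayed after its window fails even when it is the right one.
    late = EnrollmentService(CUSTOMER_OF_RECORD, code_ttl_seconds=60)
    late.oob_request("555-0100")
    _, code = late.notices[-1]
    results["expired_code_enrolled"] = late.oob_confirm(
        customer, "555-0100", code, now=time.time() + 3600)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The point of the model is the column's own: under the weak policy the party who knows the most about you enrolls as you, while under the hardened policy the knowledge buys nothing without possession of the address of record, and every attempt leaves the real customer a notice that enrollment was requested.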

The Spyware Problem

In addition to pretexting, it appears that the lawyers and investigators also tried to find the source of the leaks by sending reporters documents embedded with spyware. Presumably, the document had some sort of executable in the file which, when the document was opened, would “ping” a particular IP address (probably that of the investigator) with the IP address from which it was opened. Presumably, the “spyware” also did nothing else. We can also assume that the reporter knew nothing about this, and did not consent to the executable.

In the 1980s, the Soviet Union used a technique where they would place chemicals like nitrophenylpentadienal (NPPD) and luminol on doorknobs or documents in order to trace who had accessed particular documents or locations. This “spydust” could then be tracked. One variant of what the HP investigators did would have been to send the “spyware-laden” documents to the Board members, with directions that it “ping” the investigators when it is opened from an IP address other than an internal HP address. So is this legal? Like everything else in the law, it depends.

State spyware laws tend to focus not only on the surreptitious installation of programs onto a computer but also on what that software does. Prohibited activities tend to include things like sending back personal information, like name, address, Internet activities, and similar things. Also prohibited are things like gumming up your computer, and making the software difficult or impossible to remove. In the HP/CNET case, the “spyware” did install itself surreptitiously, and was designed to send information back to the originator. But the information sent was not necessarily the kind of “personal” information protected under the law. Plus, there is the issue of which law applies. Presumably the California law, or at least some form of conspiracy to violate the California law, could apply.

This statute, like other spyware laws, protects only “personally identifiable information” with things like first name (or initial) and last name, or business or home address. The HP/CNET “spyware” might have revealed this, but it is doubtful. More likely, it just revealed the IP address of the CNET reporter as the reader of the document - the name of the individual reporter would be inferred. By “business address,” it is doubtful that the California legislature meant “IP address.” So the activity of installing this “spydust” might not violate the spyware laws. Of course, the investigator’s Trojan horse probably went much further than sending the reporter’s IP address - it may have scanned the entire hard drive, or more.

Go Directly to Jail

What about other laws, like computer crime statutes? Almost every state has a computer crime statute, one that generally prohibits making an “unauthorized access” to a computer, or “exceeding the scope of authorization” to access a computer. Several issues apply here. First, is simply sending mail (or worse, just embedding the executable in a document and leaving it around to be accessed) “accessing” a computer? In the ancient days of the Internet (that is, 1988), Robert Morris, a 22-year-old graduate student, released a computer worm through, among other mechanisms, a Sendmail vulnerability. The worm “damaged” the computers by essentially slowing them down, making and sending copies to others. In that case, exploiting the mail vulnerability by sending what might amount to a “mail bomb” was considered to be an “unauthorized access” or at least “exceeding the scope” of authorized access. But in the HP case, the executable probably did no “damage” and had no discernible effect on the infected computer. Whether it “accessed” a computer may turn on exactly what it did and how it worked.

As noted, it is unlikely that the HP executable merely pinged HP with the IP address of the recipient. You see, at least according to press reports, the investigator directed the tainted letter to a specific reporter (and probably more than one). Thus, the program, once surreptitiously installed, probably scanned the reporter’s hard drive for information about HP (or other information) and tried to send the results back to the investigator. This may have included the contents of the reporter’s inbox or outbox, or the files and documents. If only Nixon’s plumbers had this technology, Woodward and Bernstein would have been a footnote.

Alternatively, the executable could have opened a back door to the reporter’s computer, or acted as a key logger. Any of these activities would likely violate the federal computer crime statute, 18 USC 1030. Federal conspiracy law would allow civil or criminal charges to be filed not only against the persons who caused the program to be sent, but also those who approved or solicited the activity.

All of this is important for IT security professionals because it not only affects how you can conduct investigations and your use of deception and ruse, but also deals with sensitive issues like when is information property, and when is it protected by law? And after all, computer crimes are not crimes against computers, they are crimes against information. All I can say is, I wouldn’t like to be in HP management’s shoes right now.


Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus