I had mentioned Security & Privacy Day @ Stony Brook University in an earlier post and I attended the conference. The slides from most of the presentations are now online on the event's speaker schedule.


A chart from the paper "Spot me if you can: recovering spoken phrases in encrypted VoIP conversations" linked from Prof. Monrose's home page. The chart shows the overlap of Hungarian with some other languages.
One of the more interesting (to me) sessions was "Information Leakage in Encrypted Network Traffic" by Fabian Monrose of Johns Hopkins University. The presentation showed how variable bit rate (VBR) compression in VoIP carries over some hints of the audio waveforms before compression. The packet sizes vary in some resemblance to the waveforms and, from the packet sizes, it is possible to get clues about the encoded communications. It is possible to have a good go at identifying the language spoken in the VoIP communications and, in some cases, spot certain phrases. Interestingly, spoken Hungarian (Magyar) can look like Arabic, Czech, Turkish, and several other languages in the VBR analysis. Monrose said that some linguists are looking into why.

Unfortunately, the slides from this talk are not on the Security & Privacy Day 2008 site. But you can learn about the VoIP VBR analysis from Prof. Monrose's home page. Look under the papers for Encrypted Traffic.
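The packet-size leak described above, and what constant-size padding does to it, as an added example that is not from the talk or the paper. The frame sizes are constructed, the XOR keystream is a stand-in for any length-preserving stream cipher, and all function names are hypothetical.

```python
import os
from collections import Counter
from math import log2

# Constructed VBR frame sizes in bytes (assumed for illustration): a VBR codec
# emits larger frames for more complex audio, so each phrase has its own "shape".
PHRASE_A = [38, 38, 46, 62, 62, 50, 42, 28, 20, 20, 28, 42]
PHRASE_B = [20, 28, 28, 20, 42, 62, 62, 62, 46, 38, 20, 20]

def encrypt(frame: bytes) -> bytes:
    """Stand-in for a length-preserving stream cipher: XOR with a random keystream."""
    keystream = os.urandom(len(frame))
    return bytes(a ^ b for a, b in zip(frame, keystream))

def wire_lengths(frame_sizes, pad_to=None):
    """Packet lengths an on-path observer sees, with optional constant-size padding."""
    lengths = []
    for size in frame_sizes:
        frame = os.urandom(size)  # stand-in for the codec's output bytes
        if pad_to is not None:
            if size > pad_to:
                raise ValueError("pad_to must be >= the largest frame")
            # A real protocol would also carry the true length inside the ciphertext.
            frame += bytes(pad_to - size)
        lengths.append(len(encrypt(frame)))
    return lengths

def length_entropy(lengths):
    """Shannon entropy, in bits per packet, of the observed length distribution."""
    counts = Counter(lengths)
    total = len(lengths)
    return -sum(c / total * log2(c / total) for c in counts.values())

def padding_overhead(frame_sizes, pad_to):
    """Extra bandwidth, as a fraction, spent when every frame is padded to pad_to."""
    return pad_to * len(frame_sizes) / sum(frame_sizes) - 1

if __name__ == "__main__":
    for name, phrase in (("A", PHRASE_A), ("B", PHRASE_B)):
        plain = wire_lengths(phrase)
        padded = wire_lengths(phrase, pad_to=max(phrase))
        print(name, "unpadded:", plain, f"{length_entropy(plain):.2f} bits/packet")
        print(name, "padded:  ", padded, f"{length_entropy(padded):.2f} bits/packet",
              f"overhead {padding_overhead(phrase, max(phrase)):.0%}")
```

Encryption leaves the length sequence of each phrase intact; padding every frame to the largest size makes the two phrases look identical on the wire, at a bandwidth cost that gives back the savings VBR was chosen for.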

Speaking of professors' home pages and their papers, I was checking out the home page for Prof. Rebecca Wright of Rutgers University. She was scheduled to speak on "Incentives for honestly announcing paths in BGP" but, instead, spoke on network privacy and some ways to maintain some privacy in the course of data mining. Prof. Wright's home page has links useful for people learning about the mathematics of cryptography and application of cryptography. (The emphasis is heavy on the maths; not the place if you are merely looking to learn day-to-day practical applications, such as how to use GnuPG.) Besides her papers, check out the syllabi for her courses if you are trying to get an idea of how to study the underlying workings of modern cryptography.

J.D. Abolins

A couple of years ago, I had posted on my former blog about ID Analytics' survey of data breaches. They had studied four data breaches involving over half a million consumer identities and examined the scope of exploitation of the stolen data.

ID Analytics found that relatively few of the people whose identity data was stolen in a data breach had the data exploited for financial fraud. The report is no longer online but copies can be found at archive.org. Although four data breaches is a rather small sample size, I found the ID Analytics report to be a good hint that stolen identity data might not be actually exploited extensively.

Matthew Elvey commented on my posting and raised an interesting point:

Umm... when TD Ameritrade's customer database was breached, it appears that approximately all of the customers had their data abused. Exception to the rule? If so, it's a pretty big one - about 6.2 million exceptions big.

This 2007 incident, indeed, raises the question if the 2006 ID Analytics report's claims still hold. I was wondering about the scope of the data exploitation.

I checked the Privacy Rights Clearinghouse's useful chronology of US data breaches. The big TD Ameritrade breach is listed under 15 September 2006. (They had a couple of smaller earlier data breaches also listed.) Yes, 6.3 million customers did have their contact information --- names, e-mail addresses, phone numbers & home addresses --- stolen. The PRC chronology entry notes that company customers afterwards received spam, a likely exploitation of the stolen email addresses.

TD Ameritrade's site carries a "Special Client Announcement" about the incident and the spam. TD Ameritrade claims, "At no time were clients' financial assets held at TD AMERITRADE touched as a result of this issue. UserIDs and passwords were not stored in this particular database." The announcement also mentioned that TD Ameritrade hired ID Analytics to monitor the affected customers' credit following the breach.

Looking further, I am seeing that the spam was "pump & dump" scam spam. According to an 18 September 2007 Security Focus article, the exposure of TD Ameritrade customers' email addresses to spammers may have been going on for a while before the big data breach. The article also mentions Mr. Elvey's experiences with the "pump & dump" spams. Now, I understand his comments a bit better.

So far, it doesn't look like financial exploitation of the stolen data in the form of stealing money from the customers' accounts or establishing fraudulent accounts in their names. Yes, the scam spams are abusive but they were not the form of exploitation ID Analytics was considering in its report.

Significant financial exploitation of stolen customer data may have occurred in a 2006 data breach involving TD Ameritrade Holding Corp. and E-Trade Financial Corp.

So far, I believe the ID Analytics report's claim of low risks for actual financial exploitation (which takes more time and effort than spamming) still holds. But I am glad Mr. Elvey made his comment questioning the report. Things can change and current security notions need to be periodically re-examined.

Finally, an excellent blog concerning fraud is the "Fraud, Phishing, and Financial Misdeeds" blog.

Still looking to fully exploit my own identity,
J.D. Abolins
