Via MSNBC:

A recently discovered flaw in Internet Explorer could allow criminals to collect passwords and banking information. Microsoft is warning Windows users to be aware of the problem, with a manual work-around available, but there is no downloadable software fix available yet. So far, Microsoft says it “has not seen any indications of active exploitation of the vulnerability.”

Read the article: http://technolog.msnbc.msn.com/_news/2011/02/01/5967710-ie-flaw-could-mean-access-to-passwords

The Need

Where do I begin? Even before (maybe especially before) storage devices were portable, they were still vulnerable to theft, due more to their high resale value than the questionable value of their contents. Today, the market value of even a brand-new desktop computer may not be worth the potential consequences of being caught. But, the lucrative identity theft trade has given rise to an entirely different motive for computer, tablet, and cellphone theft. In this case, the device is simply a means to an end.

But theft and the obvious concern over losing such easily and commonly misplaced devices as thumb drives are far from the only reason to encrypt hard drive data. Today, for instance, international travelers may be subject to the copy and search of their hard drives, as authorized by the Department of Homeland Security's U.S. Customs and Border Enforcement's "Policy Regarding Border Search of Information" (July 16, 2008), which, among other things, allows Customs Agents broad discretion to detain "electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search." Regardless of your motivation, encrypting mobile data storage should be high on your list of priorities. Like my AmericanExpress card, I never leave home with out it.

Note to attorneys, medical professionals, or anyone with a fiduciary responsibility: Unlike most professionals, you may have a legal, if not ethical, responsibility to protect your clients' data. Even if a standard for "reasonableness" has previously been applied to "locks" and other 20th century security practices, it may not apply to devices removed from a secure space. Check with your respective associations and/or licensing boards for more information.

Hardware vs. Software Encryption

There are two primary means of data encryption on the market today: hardware and software. The primary advantage of the latter is price and wide-scale availability. While software encryption can be used to protect a part or the whole of a storage device, it can also be applied to nearly any storage device attached to almost any operating system--but not necessarily interchangeably. That is to say that the mechanism for encrypting a device attached to one operating system may not be able to be decrypted on another, and vice-versa. That is not universally true, but your mileage may vary, depending on the software utilized. One more significant disadvantage to consider is the possibility of what's commonly referred to as a "man-in-the-middle" attack. Software encryption and decryption are performed on the host-system. That means that a compromised system can be used to intercept your password, disable your encryption, or worse. While the data within a hardware-encrypted drive is still vulnerable to a compromised system, the encryption method should be isolated. The exception being that a hardware-encrypted device that relies on password entry from a computer keyboard may still fall prey to a malicious keylogger, screen capture, or some form of remote access. In either case, two-factor authentication, utilizing a hardware "key" may largely mitigate this concern.

One more recent concern over software encryption involves a practice referred to as a "Cold Boot Attack", which exploits access to the computer's RAM in search for encryption keys, rather than attempting to physically crack the encryption algorithm.

Hardware-encrypted devices, on the other hand, tend to sell at a premium.  They are also not yet widely available. As discussed below, these devices have yet to gain a firm market foothold. This means that your options are severely limited. But, when implemented just right, they can have a clear advantage over software encryption, with a heavy nod toward external authentication mechanisms, such as keypads and biometrics. Many also have the advantage of performing the entire encryption and decryption process internally, without utilizing any host-CPU. Theoretically, this should have a decided speed advantage, compared to software encryption, which is dependent entirely on the computer's processor to continuously encrypt and decrypt data. A disadvantage, however, is that upgrades are usually out of the question, as most hardware encryption devices are uniquely mated to their internal storage. Conversely, software-encrypted drive partition or directory can often be mirrored, or even just copied to a new device. Which also has some clear advantages when it comes to backing up data.

One other interesting advantage to software encryption is plausible deniability. Or, at least, obsfucation. Some software encryption applications will hide encrypted data within, or along side, unencrypted data in a way that makes it look like unused space. Other features allow for hidden encrypted partitions, and even boot-loaders that make a drive appear to be unreadable or un-formatted.

Software

You know the saying, "You get what you paid for"? It doesn't apply to software encryption. Some of the best encryption software available isn't for sale. At the same time, you're welcome to pay decent money for some pretty questionable applications.

TrueCrypt

I'm just going to start right off with my favorite. TrueCrypt is a free open-source software encryption application for Windows, Mac and Linux. It can encrypt an entire device, just a partition, a directory, or a single file. Decryption can occur after the system has been booted, or you may take advantage of whole-drive pre-boot authentication. Volumes can be hidden with or amongst other data, or an entire operating system can be hidden in the shadow of another, leading a potential intruder to logically assume that the unencrypted operating system is the only operating system. Other features include various models of two-factor authentication, and encryption of removable devices. Encryption can, and in practice does, occur transparently and without user intervention.

Microsoft BitLocker

Similar in some aspects to TrueCrypt, BitLocker is included with all Ultimate and Enterprise editions of Microsoft Windows Vista and 7. It provides for full-volume encryption using 128 bit AES. This feature also offers two-factor schemes to decrease intrusions. Microsoft made an attempt to provide plausible deniability or obfuscation within this software.

Apple FileVault

FileVault encryption comes packaged with Macintosh computers beginning with OS X v10.3 (Panther"). Unlike the products above, FileVault does not encrypt entire volumes, but rather individual directories. Nor have any obfuscation or plausible deniability features been included.

Hardware

Unfortunately, when it comes to hardware encryption devices, sometimes you can't have the best money can buy, unless you're willing to buy a lot of them. Currently, the biggest drawback to these devices is the lack of selection -- especially when it comes to consumer or small business-oriented devices.

Ironkey

Ironkey

Ironkey is one of the best-known encrypted USB thumb drives on the market. At the time of writing, Ironkeys come in "Basic", "Personal", and "Enterprise" models. According to the manufacturer's web site, currently-sold models inlude a rugged metal tamper-resistant waterproof casing, always-on AES 256-bit hardware encryption, and strong authentication. They are also cross-platform compatible (Windows, 2000, XP, Vista, and 7, with or without administrative privileges, as well as Linux and MacOS). Personal and Enterprise models also include a pre-installed secure Firefox browser, password and identity manager, and encrypted backup application. Enterprise models also include a remote-disable and terminate feature for lost and stolen USB drives, as well as a number of administrative features.

Ennova

Ennova OLED Biometric Secure Drive

One of the most exciting looking devices is Ennova's fingerprint scanning encrypted USB thumb drive with a color OLED screen. At least from the visual aid, it appears as though the OLED screen serves double-duty as both a touchscreen for manipulating the device, and a biometric fingerprint scanner.

Unfortunately, the device was due out in 2010 and has yet to been seen for sale. Memory size and pricing specifications are unconfirmed as well. In the meantime, I have my biometrics crossed.

Sandisk Cruzer Enterprise

SanDisk Cruzer Enterprise

Another enterprise-bound device, SanDisk's Cruzer Enterprise includes 256-bit hardware-encryption and two-factor RSA SecurID authentication. What this means for the end-user is integration with the ubiquitous RSA token (pictured), providing a level of security already familiar to security-minded corporations, and already in the hands of their employees. This device, however, is not likely to be available on a one-to-one basis, but appears to be marketed in bulk to large organizations.

Lenovo ThinkPad Secure Drive

Thinkpad Secure Drive

About as utilitarian as they come, Lenovo's ThinkPad Secure Drive looks like it could be mounted to a vault. Encryption is 128-bit AES. With a 500-RPM spinning drive, this drive holds more data than most solid-state devices, and much more than a thumb drive. At 160GB, 320GB, and 500GB, you won't likely use it to encrypt your entire Bluray movie collection, but it might make a suitable backup drive for your desktop, compared with most thumb drives topping out at 64GB or less.

The hardware encryption is externally obvious by the keypad. Meaning that, once the correct code has been entered on the physical keypad, this becomes a standard external hard drive. This also means that this product is not subject to software exploits designed to capture keystrokes or disable encryption software. Nor does it require administrative privileges to operate, or any software drivers. This becomes particularly important when using it across platforms, which it should accomplish admirably.

Fujitsu Intelligent ("Self-Destructing") USB Drive

Fujitsu Intelligent USB Drive

Rather than building Fort Knox on a key chain, Fujitsu's Intelligent USB Drive has a built-in processor and battery that, after a pre-set intervention period, will automatically erase data when it’s plugged into an unauthorized computer. Additional enterprise-bound software interacts with the device to restrict which network devices can and cannot access the device, and can even "self-destruct" if an unauthorized attempt is made. Perhaps most intriguing, Fujitsu is reportedly developing something called "File Redirect" which will prevent data from being transferred from the device to any other device, requiring all manipulation to take place on the drive itself. This is a real departure from other devices, by placing an emphasis on securing authorized user-activity, rather than just unauthorized activity, and loss due to theft or carelessness.

Another innovative device, the Intelligent USB Drive has yet to see the light of day, outside Fujitsu's labs. The photo (left) looks real enough. One has to wonder if the self-destruct feature makes getting this product cleared by Fujitsu's legal department a "Mission:Impossible".

Bottom Line

With the exception of Ironkey, most companies appear to be dipping a toe in the water. I haven't seen a solid commitment to a product line, or even a single product, from most other manufacturers. Instead, they appear to be focusing on space-intensive consumer-oriented personal multimedia storage devices. It's unfortunate, because when it comes to purchasing this kind of product, name and reputation often take a backseat to performance and innovation. That means that this product segment could still be anyone's game. Thus far, it appears as though most challengers have already conceded to Ironkey.

In reality, however, the consumer has to shoulder some of the blame. The lack of interest from the consumer in personal data security makes an investment in a product line a questionable investment. Until consumers demonstrate a real interest and concern for data security, or the enterprises make it mandatory, it's likely to remain a niche market.

Other Locking Methods

There's no school like the old school. These devices eschew advanced algorithms, fancy biometrics, and all matters of cloak-and-dagger, for a combination lock. Though I struggle for a humorous take on what appears to be silly in the shadow of vastly superior technology, I really can't find it. So long as the locks hold, these are really no less secure than any other means, probably less complicated to utilize, not subject to any of the traditional attacks or intrusions, and more affordable.

It feels a bit like comparing a Schwinn to a Ferrari. But, there are many places a Schwinn will take you that a Ferrari can't, and you'll never find yourself stranded due to a dead battery.

oo7 USB Flash Drive

007 USB Flash Drive

I'm not a fan of the name, unless it's meant to convey the same thing as calling a bald guy "Curly" or a fat guy "Slim". And, I'd like to think that James Bond's flash drive might be more than, well, a flash drive. But the concept seems solid. A three digit user-"programmable" combination converts the 007 USB Flash Drive from a combo-lock to a thumb drive. Without the digits, it's useless as a storage medium, but sufficient to secure other forms of storage, like a gym locker. But, the added kicker is, even once the numbers are in order, you'll still have to enter another password once you plug it in. (Let's hope that's not the same as the first.)

This one's still a concept, but who knows?

Lock It Down: Combination Lock for USB Flash Drives

Lock It Down

OK, this physical thumb drive lock only serves one purpose. But, it comes in three colors, and it's available now! It also has the added advantage that it works with any thumb drive. But don't attach it to the end of a USB cable, because that would just be dumb.

This one's hard to find, but there are a number of very similar devices available for a few bucks on eBay (and they come in even more colors).

SecurityDr Data Guard USB Thumbdrive Lock

SecurityDr Thumb Drive Lock

The only obvious difference between the SecurityDr and the product above is that it's bigger and comes in no color options. But, it includes a free FTC ID Theft Protection Manual, and it's available at Amazon.com right now. (Note: For what it's worth, you can download the FTC's ID Theft Protection Manual HERE for free.)

The funny thing about world-domination is that even when you achieve it, you still have to finance it. Maybe that's why Facebook keeps coming up with crazy money-making schemes.

Last week it was disclosing users' addresses and phone numbers to third-parties. The latest puts you in the role of company spokesperson by turning your "likes" and "checkins" into sponsored ads on your friend's pages--without your consent. Currently there is no way for users to disable this "feature".

Read more at http://news.yahoo.com/s/ap/20110126/ap_on_hi_te/us_tec_facebook_ads

Via Epic.org: Facebook has retreated from its decision to allow third-party access to users home addresses and phone numbers. Facebook backed off after criticism of the new policy, but said it would go forward once it has made further changes. EPIC Executive Director Marc Rotenberg said "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.

Read full article at http://epic.org/2011/01/facebook-drops-plan-to-disclos.html

The federal government thinks identity and passwords need to be fixed to keep the internet healthy, but is declining, thankfully, to try to fix it themselves. Instead, they are pushing internet entrepreneurs to build something robust and open.

Read full article at http://feeds.wired.com/~r/wired/index/~3/3Uts2JG5xFc/

"Secret Service paid TJX Hacker $75,000 a Year"

According to Wired, a convicted hacker and credit card thief was paid to work undercover for the U.S. Secret Service. A convicted accomplice told Wired that Albert Gonzalez was paid $75,000 a year in cash as a confidential informant to the U.S. Government.

Though the Secret Service would not comment, a former federal prosecutor told Wired that the payment was not unusual. He compared it to "million-dollar payouts" to informants involved in organized crime investigations. According to Department of Justice guidelines, agents are required to advise confidential informants that payments "may be taxable income that must be reported to appropriate tax authorities".

Albert Gonzalez was arrested in 2008 and accused of running one of the largest identity theft crimes in U.S. history. After his arrest Gonzalez lead instigators to more than $1 million buried behind his parent's home.

Gonzalez will be sentenced on Thursday. The government is seeking a 25 year sentence.

Attn. MPAA: There are much worse ways to copy movies than with a computer.

In 2007 prosecutors in Anchorage Alaska accused 34 year old stripper Mechele Linehan of plotting a murder based on the 1994 movie "The Last Seduction". Life so closely imitated art, said prosecutors, that they even tried to have the movie played for the jury.

Rockstar Games Grand Theft Auto

In 2008 a teenager confessed that he was trying to imitate scenes from the video game "Grand Theft Auto" when he robbed a murdered a taxicab driver in Bangkok Thailand. Movies like "The Deer Hunter" (1978) are even believed to have inspired several "copycat" suicides in the late 1970's and early 80's.

All of this may seem like fodder for censorship advocates, but that debate has largely come and gone in favor preserving the First Amendment's right to free speech. Wise as the framers of the U.S. Constitution may have been, few would accuse them of being clairvoyant. After all, who could have predicted the impact the Internet would some day have on both the precept of free speech and the concept of privacy?

Though many speak of the "right to privacy", it is not, at least as far as the U.S. Constitution is concerned, a right at all. It is, nonetheless, an ethos that has long been coveted by Americans, and is implicit in the Fourth Amendment's:

...right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures...

Of course, mention the term "search" to most people today, and it's far more likely to conjure thoughts of friends lists", home pages and e-books, than actual people, houses and papers. And while, in just the past few years, popular culture has come to embrace the sharing of intimate, private and personal details with virtual strangers, the desire to remain "secure" seems to be very much alive in the 21st Century. In fact, more than any other, the Fourth Amendment has played a central, albeit contested, role in the litigation of hi-tech criminal evidence.

I know what you watched last summer...

So, what does all this have to do with your Netflix queue? Though Americans, and many other people around the world, may be willing to voluntarily divulge personal information, either in trade for modern conveniences and services, or increasingly, for a sense of online significance, we're not quite as enthusiastic when it's taken from us and shared without any tangible return. It's no longer a secret that the monetary value of data has been pre-calculated into the return on investment (ROI) of so many of today's business models, but consumers still tend to expect a certain level of security. In recent years the bar has been set pretty low. Still, it may surprise many to learn that "anonymous" usage data can be deciphered into personally-identifiable intelligence, as proven by a pair of researchers at the University of Texas using what was thought to be anonymous user data provided to contestants in the three-year $1 million "Netflix Prize" to improve the site's recommendation results.

The UT's results brought both unwanted attention from the Federal Trade Commission and a lawsuit from a private firm, resulting in Netflix's decision last week to cancel a planned sequel to the prize awarded last year.

It's not hard to imagine how this sort of data could be exploited to peddle shoes to people who have rented all six seasons of "Sex in the City", or BestBuy ads targeted at fans of NBC's "Chuck".

Dreamworks Minority Report (2002)

It's no longer extraordinary to see similar data exploited in the process of investigating crimes either. Certainly the viewing interests and habits of the individuals mentioned above have been considered relevant discovery by law enforcement. In these cases, there's little, if anything, to decipher.  Anything that Netflix knows about you, your account, and your viewing habits, is subject to a warrant, and, with or without much imagination, could be incriminating. How many of us haven't seen a good fictional car case, a well-written murder plot, a scripted street-fight, or a perfectly executed crime? The consumption of such fiction could be hazardous to your defense, if it proceeds similar accusations.

Now, imagine the same evidence available to anyone, without a warrant, subpoena, or probable cause. Perhaps someone at the FTC had the movie "Minority Report" in their queue.

What do you call the sacrifice of one person's privacy in an attempt to save the privacy of over 1300? If you're a bank, you call it collateral damage.

When I was a kid I earned my first paycheck passing out fliers for a neighbor who was starting a pool cleaning business. With my first $13 in hand, my grandfather took me to the a bank in walking distance to my home, got me a tour of the vault from the branch manager, a neat pouch to hold all my coin, a full explanation of the principals of savings and loans, and helped me open my very first savings account. Believe it or not, back then, all my account information was stored on a double-sided index card behind the teller.

Today, things are much more complicated. Gone are the index cards and passbooks, most of the employees, tellers and branches, a good deal of the service, interest-bearing accounts with only $13 in them, and a lot of the customers' money. Today, it's all computerized, and most banks even attach various penalties to discourage human contact.

I know an awful lot about electronic data systems, but I don't pretend to fully understand how the modern banking system works. Sometimes, I think I do--from a mechanical (as opposed to financial) perspective. But then something convinces me that I don't. For instance, you know how every so often your bank emails its customers' names, addresses, Social Security numbers, and loan information to Gmail?

To be completely honest, I didn't know they did that either, until I found out recently that The Rocky Mountain Bank in Wyoming had sent 1,325 such records to the wrong Gmail account. (Mind you, most would have trouble imagining who could possibly be the right recipient.) Once the error was noticed, the bank attempted to contact the recipient to request immediate destruction of the email and its attachment. When the bank received no response, a request was made to Google for the recipient's identity. Citing its privacy policy, Google refused to provide the information requested, and the bank filed suit.

According to court documents:

"On August 12, 2009, Plaintiff received a request from one of its customers for Plaintiff to send certain loan statements to a third-party representative of that customer. That same day, an employee of Plaintiff attempted to send the requested information to the customer’s representative via email. The next day, Plaintiff discovered that its employee had inadvertently sent the email to the wrong Gmail email address. In addition, Plaintiff discovered that attached to the email was a file containing confidential customer information for 1,325 individual and business customer accounts for customers other than just the customer who requested information. The confidential information includes names, addresses, tax identification numbers, and loan information for each of the 1,325 customer accounts.

After learning of its inadvertent disclosure of confidential customer information, Plaintiff tried to recall the email without success. It then sent another email to the Gmail address, instructing the recipient to immediately delete the prior email and the attached file in its entirety without opening or reviewing it. Plaintiff also requested that the recipient contact Plaintiff to discuss his or her actions. The recipient has not responded to Plaintiff’s email."

Ironically, in a case that pits the privacy interests of innocent parties against each other, the protagonists of this story had some privacy concerns of their own. The Bank's lawyers attempted to file their suit under seal -- which was denied by the U.S. District Court. Though not mentioned in the court's ruling on this issue, most states have security breach notification laws that require disclosure of any records that may have gotten into the hands of unauthorized individuals. Wyoming does, indeed, have such a law (40-12-502. "Computer security breach; notice to affected persons"). It states:

"(a) An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident."

While the bank was compounding errors by ignoring its obligations to its customers and state law, their case against Google was being reviewed by another judge who ordered Google to disable the account, and disclose the recipient's identity.

The Rocky Mountain Bank maintains that it contacted the recipient more than once and requested that the individual respond to requests to "discuss his or her actions". The implication is that, had the recipient responded, this whole matter could have been handled amicably and honorably -- among gentlemen, as it were. I wonder if, from the perspective of the bank, its customers, or even the email recipient, a "discussion" would have really sufficed. I know, as a bank customer, John Doe's word that he had deleted all my personal information from his Gmail account wouldn't satisfy me at all. If I were in charge of bank security, I don't think I'd be very satisfied either. In either case, I suppose I would be demanding proof that had been deleted, never copied, forwarded, or printed, and probably some kind of connotative memory-wipe.

Years ago, I was consulted by a judge after a District Attorney's office "accidentally" obtained access to a defense lawyer's hard drive (quotes inserted to cite the provided explanation, not my personal feelings about the explanation). The negotiated remedy and order was an extensive forensic search of the DA's hard drives, and a complete wipe of their contents -- even when the search turned up no conclusive evidence that the DA had ever examined any privileged materials. But I doubt any accidental recipient would agree to that -- especially a civilian. And why should they?

Of course, no one knows, at this point, if the recipient ever saw the message. Many reading this web site would likely have dismissed it, and any subsequent messages from the bank as a phishing scam. The Rocky Mountain Bank even has a link to an oddly nondescript PDF addressing the subject of phishing scams.

There's really no reason to believe that the bank ever considered litigation to be an entirely avoidable option, no matter how cooperative the recipient might have been. Nor am I convinced that the court's decision has provided any comfort to the individual's who's privacy has been sacrificed -- including the one who's email account has been disabled, and personal information shared with a bank that's already demonstrated that they can't be trusted with the information.

So, if suing Google won't assure its customers' privacy and financial security, what should the bank have done? That's an easy one. Ask any programmer. They'll tell you: The only way to fix a 1D10T error is to upgrade your wetware and reboot.

You've been punked!!!

How German filmmakers hijacked part of California, stole its identity, and used it to scam an entire country.

I think I've finally figured out the origin of the expression, "If you believe that, I've got a bridge to sell you": Bluewater, California.

The "bridge" to which I refer crosses the Colorado River, and connects Bluewater, California with its sister-city, Bluewater, Arizona. According to the city's web site, downtown Bluewater offers a range of bars and restaurants where you can dine on seafood fished from local waters, get locally-grown produce from the Farmer's Market every Wednesday and Saturday, and enjoy summer poetry in the park.

Imagine the shock when KVPK7, Bluewater's own local news channel reported that the tiny city had become the target of an attempted suicide bombing by a German rap group known as “Berlin Boys”? Who on earth could conceive of such an event hitting a small town in America?  Only Hollywood. Or, in this case, a group promoting the German film, "Short Cut to Hollywood."

The group, according to Wired, set up fake web sites for the "city" (actually, an unincorporated, and largely uninhabited, part of San Bernardino County, CA), the news station, and even a Wikipedia page further authenticating the fictitious news station. They simulated news footage, and even posted local Skype phone numbers on the fictitious web sites. After receiving a tip, journalists in Germany found the fake city web site, and used the phone numbers listed to confirm the tip and interview city officials. Those numbers, of course, went right back to the pranksters in Germany. From there, the story spread through the German press.

The hoax might have lasted longer had news agencies, hungry for additional information, not called the superseding county, San Bernardino, for comment.

Think it couldn't happen here? Well, it practically did. If a handful of German artists who know how to write web pages can fool the entire German press, it certainly doesn't bode well for the common folk who rely on them. And, if part of  California can have its identity stolen, that doesn't bode well for the rest of us either. Just imagine what could have happened if the state still had its credit rating.

By the way, anyone know the German translation for "Punk'd"?

You probably won't find much sympathy for Elane Cioni. A mistress scorned, she's been convicted of hacking into the email account of her former-boss, the man with whom she was having an affair, and then his wife, his other girlfriends, and even his kids. (I suppose, that doesn't engender much sympathy for her main-target either.) But, you might be surprised to find out Cioni's not a very good hacker.

You might also be surprised to learn that there's a market for professional hacking and, similar to many legitimate professions, the jobs are going offshore. When it comes to password hacking, those who can, do. Those who can't, outsource. When Cioni wanted back into her boyfriend's life she turned to one of an increasing number of web sites with offers like this:

"Need to monitor your Child? Your Spouse? Your Boyfriend/Girlfriend? We Hack Passwords for $100 USD. We Crack all major web based emails. This include Hotmail, Yahoo! AOL and Gmail. We Provide Proofs Before payment."

Passwords for $100

One particular web site even states: "This unique service is 100% legal".

The Washington Post conducted an interview with the FBI to find out why these services remain online. "The FBI is aware of these illegal services," spokesman Paul Bresson said, "and we have been successful in the past in identifying criminal activity and working with prosecutors to bring indictments. Users of these services should know that just because a product is marketed on the Internet doesn't mean it's legal."

While Cioni had an agenda, the same password could have granted her access to her victims' bank accounts, insurance policies--access to practically any service that allows individuals to "log in". Once access has been gained, she could have reassigned passwords, and even rerouted email communications, effectively allowing her to assume the individual's identities. Fortunately, that wasn't her agenda. But, it's unknown how many of the nation's tens-of-millions of identity theft victims had their passwords purchased.

Making a case against Cioni wasn't very difficult. Of course, it helped that she mentioned things to her boyfriend that only someone who would have read his email would have known.  And, she used her own PayPal account to pay for the password hacking service. In case that wasn't enough, IP address records were subpoenaed from her Internet Service Provider (ISP), and her computer was searched to find fragments of her targets' email cached to her hard drive.

Then again, Elane Cioni is not a very good hacker.

You can listen to below an NPR interview on this topic, and hear more about this story:

Washington Post (http://www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html)