The Short Path to Deniability
Posted by Gunter Ollmann on August 30, 2007 at 12:26 PM EDT.

“When is identity theft advantageous to the victim?” That was a question that came up in a recent hallway conversation, and it got me thinking…

Over the years I’ve seen and heard plenty of excuses for various hack attempts and fraudulent claims – all of which were geared towards elevating the perceived level of deniability for the ‘victim’. With increasing regularity the “Trojan Defense” has been played out, more often than not failing unless it can be corroborated with other physical and logistical information (e.g. here’s some videotape of the victim speaking at a conference at exactly the same time they were said to have been hacking into the SCADA systems of the Hoover Dam).

That said, given the regularity of news stories now alerting us to the latest data leakage and the subsequent disclosure of millions of stolen identities, how long will it be before the already sizable fraction of the population who have been unwitting victims finally becomes the majority? Will this up the ante for plausible deniability?

I can’t see why it wouldn’t.

Spreading your Seed

In the past I’ve had discussions with industry peers who advocated getting as much of their own personal information out onto the Web as possible – seeding the Internet by firing off anonymous emails to lists and bulletin boards with their credit card details, National Insurance or Social Security numbers, driver’s license number, etc. – so they could maintain a certain level of deniability should it ever prove necessary.

While I’m certainly not going to advocate this kind of approach, it is pretty clear that the probability of successfully refuting a strange charge to your credit card (should it ever go to court) is going to be higher than average. But, then again, the probability of having to refute a charge is going to be higher as well.

As a side note, an interesting thing you can try if you think someone may be using your identity is to Google for it. If you’ve had the same credit card for several years and regularly use it to purchase goods online (or on the high street), try typing the last 8-10 digits of it into a Google search – you may be surprised.

The Trojan Defense

However, I think the “Trojan Defense” is well on the path to becoming more successful. Like a twisted parody of a Sotheby’s auction for an irreplaceable artwork, multiple security vendors appear to be engaged in a bidding war over how big the botnet problem is. Figures in the tens of millions, or tens of percent of the Internet, are regularly bandied about – the bigger the number, the more media attention you get, and hopefully more sales for the company? (Call me a skeptic, then...)

I’ve looked closely at these numbers, and I have great difficulty believing a lot of the higher figures being quoted. There are a lot of reasons for the skepticism, but the fact that genuinely infected hosts are regularly infected with multiple botnet agents leads me to believe that the same infected hosts are probably being counted multiple times (for example, have you ever run a spyware removal tool and found it listing dozens of installations on the same host? If you’re vulnerable and don’t know or care, you’re going to be infected repeatedly).

Regardless of the specifics and the absolute number genuinely out there, it is still pretty clear that the problem is growing. The prevalence of botnet and Trojan agents, and the easy access to them, means their employment as a tool to aid deniability is trivial – and, when combined with the fact that most of these agents allow for password-protected and encrypted connectivity, it is quite possible that you could install a half-dozen botnet agents onto your host and not have to worry about anyone actually taking control of them (unless your goal is to be really plausible). The “bidding war” numbers help further by obscuring their “fraudulent” use.

Prove it!

Add to that all the press about the latest inventory of companies publicly declaring that hackers have stolen the details of millions of their customers, and how plausible is it to simply say “I shopped at XXXX company a couple of years ago, that’s how the fraudster must have got my details – now give me back my money”?

I’m unsure, but I doubt that Visa/Mastercard/AMEX/etc. are given a comprehensive list of every customer detail stolen from each compromised organization around the world. And I doubt very much that most victim companies could categorically say that “it was only the first 3 million records with customers’ surnames starting with S” – so any customer could have been a victim of the breach.

In fact, with public threat perception the way it is at the moment, you could probably name any large retail vendor and claim that they must have leaked your details.

Which brings me to my last thought on this topic: as an organization that holds many customer details and personal information, how would you refute a claim that you inadvertently leaked, or had stolen, the details of a specific customer? Given that many of the largest data thefts on public record occurred over multiple months and through multiple vectors (and probably involved multiple attackers), how could you categorically say it isn’t happening right now, let alone prove that you weren’t the culprit?

Copyright 2001-2007 © Gunter Ollmann