The SANS Technology Institute

Security Laboratory

Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

Subpoenas for Electronic Records - September 15th, 2007
Dispel Criminal Intent with Open Communication - August 27th, 2007
Subterfuge as a Security Tactic - August 22nd, 2007
Mock Trial as Security Education Exercise - Updated July 23rd, 2007

Subterfuge as a Security Tactic

August 22nd, 2007
By Benjamin Wright, JD

Subterfuge as Security Tactic

By Benjamin Wright, JD

Identity theft thrives because in modern society it’s hard to authenticate someone. The Internet compounds the problem, enabling (as the Wall Street Journal reports) a 24-year-old in Russia, Igor Klopov, to lead a gang impersonating rich Americans, including Charles Wyly, founder of Michaels Stores, Inc.[1] After surveilling Mr. Wyly from afar, Mr. Klopov persuaded Chase bank to send a new checkbook for Mr. Wyly to the home of a gang member.

Yet the authentication problem is a two-way street. Just as banks and merchants struggle to verify the identity of their customers, criminals struggle to verify the identity of co-conspirators. To execute his daring scheme, Mr. Klopov needed accomplices. That need led to his apprehension, for one of his trusted, online acquaintances was in fact an undercover police officer.

The story sheds light on a larger principle of information security. The good guys can bamboozle the bad guys by confusing them about what is real and what is not. That’s why honeypots are a valuable tool of IT security.

I anticipate that subterfuge will come to play an even larger role in all aspects of security. Rich folks like Mr. Wyly will hire online “bodyguards” who, as part of their stock in trade, track and deceive suspicious characters snooping around their clients. Corporations will plant moles within the ranks of groups who seek to subvert or abuse corporate products.

Legally speaking, the use of deception by private parties to promote security can be tricky. But well-conceived stratagems can withstand legal scrutiny. And if properly portrayed, they can win society’s approval, if not praise.

As an author and instructor at SANS Institute, I discuss issues like these in my courses on IT law.[2]

==

Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses on IT security law, promoted by the SANS Institute.[3] He is the author of numerous books on technology law. http://www.hack-igations.com

==

[1] Cassell Bryan-Low, “U.S. Says ID-Theft Gang Pursued Wealthy Victims,” Wall Street Journal, August 17, 2007.
[2] http://www.sans.org/training/description.php?tid=862
[3] http://www.sans.org