Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, revealed that it had been hacked. As a consequence, the attackers were able to obtain the names and e-mail addresses of millions of customers of companies like Citigroup, Walgreens, JP Morgan and many, many others.

Like me, you likely received a notice from a company you do business with informing you of the hack. I got mine from McKinsey Quarterly:

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Three quick observations about What It Means:

First, this is embarrassing for Epsilon. It suggests that they have some work to do on their defenses. We don’t know how the attackers got in — it could have been by exploiting a weakness in their web applications (likely), or from a social engineering attack of the type that hosed RSA (less likely).

Second, the attack will be of no consequence to most people. Yes, as many commentators have written, there is an “elevated risk of spear phishing attacks,” which in plain English means this: because the bad guys have your name and e-mail address, they might try to trick you by sending you an e-mail with a funny link. But to be honest, I don’t get much, if any, spam — thanks to Perimeter’s multi-stage e-mail filtering service. And if you use a premium spam filtering service, you probably don’t either. And even if the attackers manage to put together an e-mail that does get through your spam filters, how would you be able to tell that this particular break-in was the cause of it? Right.

Third, nice work McKinsey! The e-mail above is a great example of how to write an unambiguous and clear disclosure e-mail. You’ll note that they spell out exactly what Epsilon says has been disclosed (name and e-mail address, not enough to trigger a PCI or HIPAA violation). They also provide appropriate guidance on what to watch out for, and reinforce that McKinsey employees will never request sensitive information from their customers (which they shouldn’t). This is exactly what you should say in an e-mail like this.

The bottom line is this: spam happens. Just make sure that your employees and colleagues don’t blindly click on attachments they shouldn’t, or blindly click on links embedded in e-mail. Take this incident as an opportunity to reinforce your security policies. But don’t worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.

Defining an enterprise mobile device passcode policy can be surprisingly difficult. Security managers must attempt to reconcile two opposing goals. They must:

• Create a passcode policy that is strong enough to protect the device if it is lost or stolen, while:
• Not annoying users with needless length or complexity

These goals are hard to reconcile because mobile devices like smartphones and tablets are personal, portable and convenient. Employees use their devices in places they wouldn’t use a PC: in the car, during their kids’ football game, and during (shall we say) otherwise unproductive periods of the day. It’s tempting to simply duplicate existing network security policies. The rationale goes something like this: smartphones and tables are nothing more than small PCs with antennas, so the password policies should be the same as for PCs. It’s easy to think that, but it’s the wrong attitude.

This whitepaper will describe the passcode policy Andrew recommends for mobile devices that comply with NIST’s e-authentication Level 1 guidelines as described in Special Publication 800-63, “Electronic Authentication Guidelines”. The policy is reasonable, employee-friendly and highly usable, but strong enough to protect your company’s data. To cut to the chase, here’s what it is:

• 8-digit numeric PIN
• Simple PINs disallowed
• Automatic lock after 15 minutes
• Grace period of 2 minutes
• Automatic wipe/permanent lock after eight wrong tries
• No expiration

Click here to read the whitepaper.

I’ve spent the week at the RSA Conference. It is a great place to meet colleagues, customers and friends. I had been a Conference Chair for the last 5 years, helping pick speakers and build panels. That was lots of fun, but this year I chose to sit out and let some other lucky soul have a chance. I did participate in the program, however. My friend Caroline Wong put on a panel on security metrics, and asked me to be one of the four panelist. The panel was a blast, and is worth a blog post in its own right.

But the subject of today’s post isn’t my panel, or metrics, but about a key part of the show. It’s about a time-honored ritual at RSA: the industry keynote delivered by Microsoft’s Corporate Vice President of Trustworthy Computing, Scott Charney. In a speech that was covered by multiple media outlets, including IDG News Service, CIO, and Computer Reseller News, Charney made three significant announcements. He:

• Admitted that last year’s suggestion, to require ISPs to cut off serially infected machines, was not realistic because it imposed undue costs on ISPs. Charney argued instead that end-users must take more responsibility for the safety and security of their own machines. To that end, he…
• Proposed a system of “public health certificates” that customer client machines would present to relying parties like banks and on-line websites that needed extra assurance that their customers’ machines were clean. Charney calls this “Collective Defense.” In addition, Charney…
• Argued that the Internet must attribute activities to people wherever we can. Charney argues that with threats, there is always a Who, a What and a Why. Figuring out who the Who is would go a long way to helping national governments fight the various cyber-wars, cyber-skirmishes and cyber-hair-pulling matches that have been documented so well in the press over the last few years.

It seems to me that Scott, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft’s preeminent position as the world’s leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. Moreover, the RSA Conference, as the preeminent industry conference devoted to information security, gives Microsoft (and Charney) the perfect platform for presenting their big, fast and provocative thinking. But let’s be honest, there’s a fine line between provocative and pollyanna. This year, Charney donned blue-tinged gossamer winds and fluttered off into the magical land of wishful thinking.

Let’s start with Microsoft’s ideas about Collective Defense and “public health certificates.” If I understand the idea correctly, relying parties (such as banks) would elect to trust — or selectively trust, or not trust — devices that presented digitally-signed attestations about their health. Rather than call this Collective Defense, let’s call it NAC’s Nephew. Practically, here is what that would mean: if McAfee or Symantec AV tells your bank that you have a clean bill of health, then your bank ought to let you transfer your money to Liberia. But if you don’t, they might think twice or ask for secondary authentication.

If you are technologist, especially one who drinks the Better Living Through Cryptography Kool-Aid or believes that “non-repudiation” actually refers to a real legal concept, digitally-signed health certificates sure sounds like a great idea. But upon closer scrutiny, nagging questions about practicality, implementation complexity and the so-what factor make it less attractive. Dan Geer has noted that technologists need to beware whenever they catch themselves saying “…and then a miracle happened.” That’s what we have here. I could raise a dozen objections, including (1) the decreasing efficacy of endpoint anti-malware software, (2) the high likelihood of certificate forgery, (3) the lack of likely implementations for platforms that aren’t Windows, and (4) the serious doubt that banks are asking for this stuff anyway (Trusteer isn’t exactly setting the world on fire, is it?).

But these are just the obvious objections. Slightly more worrying is Charney’s admission that ISPs aren’t part of the solution for keeping PCs safe. By that I assume he meant: Comcast, Time Warner, Charter, Cox had a few objections to cutting off infected customers. I can imagine a conversation between the two Steve Bs (Ballmer and Burke) that went something like this:

Burke (Comcast): So, Steve, I understand that you’d like to have me start cutting off Internet subscribers when we figure out that that their machines are infected.

Ballmer (Microsoft): You better believe it. We’re all-in on making our customers safer. ALL-IN!

Burke: I’ve got 80 million high-speed customers. My customer support team tells me I’ll lose 5m of them within the first year of running this program. That’s 7 billion dollars of lost revenue in the first year.

(pause)

Burke: Are you trying to get me to throw a chair at you?

(pause)

Burke: Excuse me Steve, but you’ll understand if I pass. I’ve got to run anyway. It’s time for me to start working on my 2011 Christmas cards.

That conversation never happened, and the numbers I presented are fictitious. But you can understand why putting the onus on ISPs to “keep their pipes clean” isn’t good for business. That Microsoft realizes this now is merely an admission of reality, and most welcome.

But while Microsoft’s new position reflects a more realistic appreciation of the limits of securing customer computers, Charney doesn’t push his thinking as far as he could. For example, consider his analogy comparing infected PCs to infected people. These are both health risks, and in both cases it behooves authorities to be aware of infections as early as possible. To the extent you can compare people to PCs, It also makes sense to educate customers about basic practices they can take to reduce the risk of infection (although I suspect Symantec might object to the implied comparison of installing their software to hand-washing.)

That said, computers aren’t like people at all. Computing can be improved in ways that the most audacious recombinant DNA theorist can only dream of. Because unlike humans, machines’ “DNA” — the operating systems and software that they are made of — can be replaced wholesale. From the security perspective, operating systems like SELinux, Qubes OS, BlackBerry OS, Apple’s iOS, Google’s Android or even Microsoft’s own Singularity or Windows Phone 7 OSes are fundamentally superior to Windows, because they have built-in protections like code-signing, verified roots-of-trust — often burned into hardware — and mandatory access control. From the security perspective, replacing Windows PCs with trusted Post-PC OSes such as Singularity or iOS isn’t merely a minor improvement like washing your hands. It’s more like replacing humans with a carbon-based life-form that’s immune to influenza.

Now, these other Post-PC OSes and their associated App Stores have other problems that I will be writing about in future posts, such as chatty, privacy-invading apps. But infections that compromise machine integrity isn’t one of their most pressing problems. And yes, I know I’m going to catch a lot of flak from the app security absolutists for saying this (“NOTHING is 100% secure…”). Please. Captain Obvious already paid me a visit today. Given enough time and money, anything is breakable. But acting as if mandatory code-signing, sandboxing and hardware-based trust anchors don’t decrease risk significantly is tantamount to dismissing 30 years of research by people much smarter than you and I. And that, in turn, means that we are ignoring lessons about how software should be built. In other words: we should not let loose talk about “ecosystems” distract from the critical need to re-examine the core software we run on the systems we use in our daily work.

Charney gets close — so very close — to this key point. When he calls for public health certificates that rely on hardware roots-of-trust to vouch for the integrity of devices, he should, instead, ask himself why they are needed in the first place. When he admits that ISPs can’t filter out infected PCs because of the expense, he should be asking whether he ought to, instead, design an operating system that fundamentally resists infection.

And finally, when he suggests that customers should share responsibility for educating themselves about keeping their PCs clean, he should ask himself why they should care, and whether the hassle of “education” and “taking responsibility” is worth it from the customer’s standpoint.

Now that’s a visionary speech I wish he’d made.

Greetings! Every morning, I do a quick scan of the articles in my Google Reader queue. I have ‘Reader configured to pull about 100 different RSS feeds on different topics ranging from security to high-tech news, plus a variety of “professional hobbies” such as application development. I usually pick out a few articles to actually read. In what I hope will will become a regular feature here at Perimeter Blog Central, here are four that caught my attention today:

1. Malware: Microsoft Disables Autorun for USB

In an innocuously-named post called “Deeper insight into the Security Advisory 967940 update,” my friend and metrics crony Adam Shostack describes why Microsoft is disabling the default Autorun feature in Windows XP and Windows Server 2003 and 2008, and Windows Vista for USB media. As the accompanying MSRC post describes, it means that customers will run a reduced risk of being infected by malware when they insert USB sticks of unknown origin into their computers. I am glad to see Microsoft taking this step to protect customers, but to be fair, USB Autorun/Autoplay was one of the dopiest and riskiest features Microsoft ever introduced. It had FAIL written all over it. Good to see them uninstall it.

2. Metrics: GQM+Strategies For Defining Security Metrics

In his post on security metrics, Brad Bemis describes the Goal-Question-Metrics+Strategies (GQM+Strategies) method for constructing metrics. It’s a good post, and describes a simple methodology that should be useful for customers who want to know how think about the process. An important part of the post (and the method) is the focus on using (1) business objectives to drive the goals, which (2) prompt the questions and (3) lead to the creation of metrics. However, Brad’s “business objectives” discussion is a bit abstract. Fortunately, there are lots of very structured ways that corporations often use frame their objectives. I am a big fan of the Balanced Scorecard, which advocates measuring organizational performance according to the Financial, Customer, Internal Operations, and Learning & Growth perspectives. I describe the “Balanced Security Scorecard” in my book, Security Metrics: Replacing Fear, Uncertainty and Doubt. (In better booksellers everywhere — and did I mention? — it makes a great gift.)

3. Mobile: Veracode Announces Mobile App Security Scanning Service

Today, my friends at Veracode announced a new service for scanning mobile applications for security flaws. Veracode already scans apps for Windows Mobile (meh) and BlackBerry (ok, sure). Now, it is expanding to cover Android (in Q1) and iOS apps (in Q2). Targeting the hottest two smartphone platforms is smart, and I applaud them for their leadership in this area. Full disclosure: I used to work with many of the principals of Veracode at @stake. I count Chris Wysopal (Veracode’s CTO, formerly the artist known as Weld Pond), Christian Rioux (Chief Scientist, fka Dildog) and Chris Eng (Senior Director) as friends, and I wish them all the best with this exciting new service.

4. Mobile: Smartphones More Popular Than PCs

Today’s Financial Times reports that according to IDC, vendors shipped 101 million smartphones in the fourth quarter of 2010. Vendors shipped just 92 million PCs. What it means: Post-PC devices are now more popular than the venerable PCs they are running next to (or in some cases, replacing). Of course, my former employer Forrester Research predicted that this would happen nearly nine months ago, as I pointed out in a blog post from August of last year. Note that IDC’s numbers do not count the iPad in either category. If you count them in the “smartphone” bucket (as I do), the total is closer to 108 million Post-PC devices. What it means for customers: your security posture is going to change faster than you might think. As I pointed out in my previous post, securing the mobile devices on your network cannot be an afterthought — it needs to be your front-and-center priority for 2011. You should focus on applying sensible controls to protect your data.

That’s it for today. I hope you are enjoying your week. See you at RSA next week!

On the heels of the news that Apple CEO Steve Jobs was taking a medical leave of absence, the company announced its earnings after the close of the bell Tuesday. And even though Apple always sandbags its estimates, and even though it seems like we are used to seeing “Apple blows out its numbers” headlines every quarter, the announcement really was a blowout. The company announced record revenues, record profits ($6 billion), record shipments of Macs (4.1 million), record shipments of iPhones (16 million) and a gangbusters quarter for iPads (7.3 million). That might all seem abstract until you reflect that what this says about the changing mix of computing devices used by companies and by individuals:

• The iPad is replacing laptops for some customers. With shipments of over 7m in the last quarter, iPad sales are now a statistically relevant 7% of worldwide PC sales. Combine that with the observation that netbook sales are down by 30% year over year. The conclusion: the iPad is becoming not just an accessory device, but a replacement device for a lot of mobile computing tasks. Our CEO and Chairman of the Board both carry an iPad; in the Chairman’s case, it has replaced his laptop entirely. Apple’s quarter means this won’t be an unusual phenomenon for long.

• iOS is emerging as a major enterprise platform to be secured. Since the introduction of the iPhone, Apple has sold 160 million iPhones, iPads or iPod Touch devices. Put another way, Apple sold 160 million devices that are capable of accessing corporate e-mail. If you assume that 25% of these devices are used for work purposes, that means 40 million iOS devices that need to be properly secured. That is probably a conservative number: Apple told the Street that 88% of the Fortune 100 are deploying the iPhone in some way, and that 80% are piloting or supporting the iPad. The canonical example of this might be JP Morgan Chase, which announced in December 2010 that every employee in its investment banking division will receive an iPad.

There are a lot of pundits and security vendors that see the emergence of Apple as a non-traditional enterprise supplier as a sign of impending doom. McAfee believes that we’ll finally see an influx of Mac and iOS malware (despite the dearth of it in the past). Cisco says something similar. And so does Sophos (although that’s a drum they have been beating so long I’m surprised their arms haven’t fallen off).

Our view here at Perimeter is that all this talk about Apple malware is just a bright-and-shiny argument not dissimilar to the bright-and-shiny qualities of Apple products themselves. It’s hot air meant to scare customers and promote vendor products and ahem, “demonstrate thought leadership.” That’s fine, but customers should not be misled. The security issues with Apple devices are far less dramatic, and far more prosaic, than whether a sly programmer can slip malware past the App Store screeners. As an analyst at Forrester, I wrote extensively about why anti-malware software won’t be needed on Apple iPhone and iPad devices, due to core security features in iOS like code signing, mandatory access control (“sandboxing”) and trusted boot processes. Moreover, despite all of the screeching about potentially overly privileged applications that might or might not be beaming your contact list to Outer Mongolia, chatty apps aren’t a major issue either (at least not yet).

The real security issue that the increasingly omnipresent Apple devices force us to confront is much more basic. And it is related to what the devices are used for — getting email. Companies I speak with about mobile security issues want to make sure that their employees access e-mail and other company resources safely, and in accordance with standard security policies. That means:

• Automatically provisioning your e-mail accounts and global address books
• Encrypting traffic to and from e-mail servers
• Locking the device with a PIN or passcode, 6 digits at a minimum
• Setting a policy so that devices automatically lock themselves after 15 or 30 minutes of inactivity, and automatically erase themselves after excessive timeouts
• Activating the “remote wipe” feature that allows administrators to brick a device if it has been lost or stolen

In other words, the major security issue with Apple products is how to implement security controls, and not about repelling the wily hacker. The good news is that policy controls are not very hard or expensive to do — just configure your Microsoft Exchange server or Lotus Notes Traveler server to enforce the relevant security policies via ActiveSync. PerimeterUSA customers, for example, can implement iOS security features as a standard feature of our hosted Exchange service. Apple also provides the iPhone Configuration Utility that allows customers to generate policy files that can be distributed to air to iPhones and iPads.

So to sum up: what Apple’s blowout quarter means for security is three things, in the short term is this:

• It means that you will soon see a lot more Apple devices on your corporate networks
• It means you will need to configure these devices with sensible security policies, but that…
• …most of the things you need to do are straightforward, and can be done inexpensively

Over the longer term, the iPad in particular has interesting implications for security in addition to the e-mail, connectivity and configuration topics I’ve mentioned in this post. With the iPad, it’s all about the apps. I will write about that in a future post. In the meantime, good luck finding a fashionable case for your new device.

What are the greatest challenges now?

• Attacks are becoming so sophisticated that hackers have developed methods to bypass or subvert traditional IDS/IPS systems.
• Additionally, more and more hackers are using Malware to do their dirty work for them rather than traditional inbound attacks where IDS/IPS systems are most effective.  If the hacker can get malware on the internal system, it renders IDS/IPS systems useless.  This is why methods to install and spread malware have absolutely exploded; especially malware websites (although this is just one of several methods).  Once malware in installed in the local system, the bad guys can create encrypted tunnels back to their command and control networks.  IDS/IPS systems cannot read encrypted packets so essentially this all happens “under the radar” from traditional security solutions.

Which industries are most/least vulnerable?

• Any industry that houses valuable data is always a greater target.  These include anything that can assist in identity theft or fraud for the hackers.  Usually this means companies that house financial data or personally-identifying data.  So, banks and healthcare providers are at the top of the list.

What are myths and realities about some of the current strategies and solutions?

• Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out.  A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.

What are the key points you want to make in this interview?

• See the answer above to myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems are through the next generation HOST-BASED intrusion prevention system.  Rather than network-based systems that can be bypassed or subverted, HIPS can be installed directly on the system you are trying to protect.  It can protect it at a much higher level than traditional network-based solutions.  It combines signature matching capabilities to behavioral techniques.  When combined with 24×7 management and monitoring, it offers the greatest protection for these targeted industries.  And, don’t feel like you have to install HIPS everywhere…you only need it on those “mission-critical” systems that if they were compromised by a hacker or were unavailable for a period of time, it would be problematic for your organization.

MarkMonitor put out a new report that shows that phishing attacks are at an all time high, up 62 percent from 2008. It was also interesting to see that only 33 percent of victims of phishing attacks had never been phished before. So it would seem that the phishers are going after the tried and true targets.

One of the biggest increases noted in the report is the use of social networking for phishing attacks which rose 376 percent from 2008 to 2009. Keep in mind that this still only constitutes about 2 percent of all phishing attacks. However, those that get phishing attacks from a social networking site are about 10 times more likely to fall prey to it.

Attackers are still primarily going after financial institutions and financial services companies.

Dave Nelson is a FDIC examiner that reported on March 5 that malware on customer computers cost banks more than $40 million each month during the last full quarter (July – September 2009). In these cases the hackers trick people into opening “weaponized” emails or tricking them into visiting malicious or compromised websites where their systems can be infected.

I thought this was interesting because this is the first time I have heard the regulators say that business accounts do not receive the reimbursement protection that consumer accounts have. That means the business is left holding the bag…which in these cases they should. The bank shouldn’t be held liable for a business customer allowing malware to get installed on one of their systems, hackers capturing login credentials from a business customer employee, and then using it to steal money. The incident had nothing to do with the bank or their security policies or processes. But there is still this prevailing notion that the bank should be responsible for everything.

I think that financial institutions should invest heavily of a marketing campaign to their business customers letting them know this is the policy and that they should take appropriate precautions to protect their systems.

Mariposa is said to have as many as 12.7 million compromised computers (Zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, which is a coalition of security experts, academics and law enforcement, were the ones who got it shut down.

Yesterday I posted a blog about a potential tipping point in consumer liability for fraud where RBS was holding consumers liable for some cases of fraud. Well, there appears to be more evidence that this is a growing movement. PlainsCapital Bank in Texas is suing one of its corporate customers Hilary Machinery Inc., after cyber thieves tried to steal $800,000 from Hilary Machinery’s account. The bank was able to recover $600,000 of the stolen funds. Hillary Machinery was suing the bank for lack of adequate security measure for the remaining $200,000. The bank is suing the company as well as getting audit verification that proper security measures were in place.

In my opinion, this is where companies are getting greedy. They expect the bank to hold all the liability, but that simply isn’t realistic. If someone breaks into your company based on your lack of security, captures account credentials, and then uses those valid account credentials to steal your money, then you should be held liable. Mark my words, it will be cases like this that begin swinging liability back to the customer/consumer and it will ruin them.

“Verified by Visa” and “MasterCard SecureCode” is a process that is designed to have fewer chargebacks for merchants due to greater security when individuals make purchases online. What I found interesting is that some banks, such as the Royal Bank of Scotland, are now holding consumers to a higher level of liability as a result. The liability for fraud and consumer credit issues have been moving further and further away from consumers until this. Security will take a dramatically different approach when individuals are held responsible.

Read more here and here.

Read More:

• http://www.networkworld.com/news/2009/110309-fbi-warns-of-100m-cyber-threat.html
• http://news.cnet.com/8301-27080_3-10390118-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
• http://www.securityfocus.com/brief/1032
• http://www.scmagazineus.com/FBI-Money-mule-scams-top-100-million/article/157066/

The reason I think this is interesting is because this bank realizes just how big of a deal a data breach can be. A single email, even with a single customer’s account information, would constitute a data breach. In an effort to keep from having to disclose it, they went directly after Google. They were smart. Because they were able to get Google to delete it, they don’t have to go through the pains and often times class action lawsuits that often accompany data breaches. Financial institutions are starting to take this data breach stuff very seriously…especially now that laws require the disclosure in nearly every state.

It sure seems like financial institutions are losing the game of “who is left holding the check.” Regulators are coming down on them harder and more often than ever. Consumers are rightfully expecting their personal information to be protected, but usually unwilling to pay any more for these measures. Criminals are getting better and better about effectively compromising systems in more diverse, complex, and innovative ways. FI’s vendors and partners are often the source of issues and breaches and yet the FI still has to pay the bill and do the clean-up…not to mention the reputational impact. It is tough to be a FI these days.

Remember, try to avoid any suspicious looking ATMs. If an ATM in a bank looks suspicious, alert an employee of the bank. If you must use it, push and pull on various areas of the ATM, like the card scanner or any items that appear like the don’t belong. Thieves are getting better and better at making it difficult to distinguish the real from the fake.