Entries Tagged "crime"

Page 15 of 39

The Problems with Unscientific Security

From the Open Access Journal of Forensic Psychology, by a whole list of authors: “A Call for Evidence-Based Security Tools“:

Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions offered today, however, lack scientific underpinning.

We recommend two important changes to improve the (cost) effectiveness of security policy. To begin with, the emphasis of deception research should shift from technological to behavioural sciences. Secondly, the burden of proof should lie with the manufacturers of the security tools. Governments should not rely on security tools that have not passed scientific scrutiny, and should only employ those methods that have been proven effective. After all, the use of tools that do not work will only get us further from the truth.

One excerpt:

In absence of systematic research, users will base their evaluation on data generated by field use. Because people tend to follow heuristics rather than the rules of probability theory, perceived effectiveness can substantially differ from true effectiveness (Tversky & Kahneman, 1973). For example, one well-known problem associated with field studies is that of selective feedback. Investigative authorities are unlikely to receive feedback from liars who are erroneously considered truthful. They will occasionally receive feedback when correctly detecting deception, for example through confessions (Patrick & Iacono, 1991; Vrij, 2008). The perceived effectiveness that follows from this can be further reinforced through confirmation bias: Evidence confirming one’s preconception is weighted more heavily than evidence contradicting it (Lord, Ross, & Lepper, 1979). As a result, even techniques that perform at chance level may be perceived as highly effective (Iacono, 1991). This unwarranted confidence can have profound effects on citizens’ safety and civil liberty: Criminals may escape detection while innocents may be falsely accused. The Innocence Project (Unvalidated or improper science, no date) demonstrates that unvalidated or improper forensic science can indeed lead to wrongful convictions (see also Saks & Koehler, 2005).

Article on the paper.

Posted on November 5, 2009 at 6:11 AMView Comments

Helpful Hint for Fugitives: Don't Update Your Location on Facebook

Fugitive caught after updating his status on Facebook.”

Investigators scoured social networking sites such as Facebook and MySpace but initially could find no trace of him and were unable to pin down his location in Mexico.

Several months later, a secret service agent, Seth Reeg, checked Facebook again and up popped MaxiSopo. His photo showed him partying in front of a backdrop featuring logos of BMW and Courvoisier cognac, sporting a black jacket adorned with a not-so-subtle white lion.

Although Sopo’s profile was set to private, his list of friends was not. Scoville started combing through it and was surprised to see that one friend listed an affiliation with the justice department. He sent a message requesting a phone call.

“We figured this was a person we could probably trust to keep our inquiry discreet,” Scoville said.

Proving the 2.0 adage that a friend on Facebook is rarely a friend indeed, the former official said he had met Sopo in Cancun’s nightclubs a few times, but did not really know him and had no idea he was a fugitive. The official learned where Sopo was living and passed that information back to Scoville, who provided it to Mexican authorities. They arrested Sopo last month.

It’s easy to say “so dumb,” and it would be true, but what’s interesting is how people just don’t think through the privacy implications of putting their information on the Internet. Facebook is how we interact with friends, and we think of it in the frame of interacting with friends. We don’t think that our employers might be looking—they’re not our friends!—that the information will be around forever, or that it might be abused. Privacy isn’t salient; chatting with friends is.

Posted on October 19, 2009 at 7:55 AMView Comments

David Dittrich on Criminal Malware

Good essay: “Malware to crimeware: How far have they gone, and how do we catch up?;login:, August 2009:

I have surveyed over a decade of advances in delivery of malware. Over this period, attackers have shifted to using complex, multi-phase attacks based on
subtle social engineering tactics, advanced cyptographic techniques to defeat takeover and analysis, and highly targeted attacks that are intended to fly below the radar of
current technical defenses. I will show how malicious technology combined with social manipulation is used against us and conclude that this understanding might even help us design our own combination of technical and social mechanisms to better protect us.

Posted on October 13, 2009 at 7:15 AMView Comments

Don't Let Hacker Inmates Reprogram Prison Computers

You’d think this would be obvious:

Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was left unguarded and hacked into the system’s hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.

And you shouldn’t give a prisoner who is a lockpicking expert access to the prison’s keys, either. No, wait:

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

Next week: inmate sharpshooters in charge of prison’s gun locker.

Posted on October 6, 2009 at 2:32 PMView Comments

Malware that Forges Bank Statements

This is brilliant:

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

Another article.

If there’s a moral here, it’s that banks can’t rely on the customer to detect fraud. But we already knew that.

Posted on October 6, 2009 at 6:40 AMView Comments

Nice Use of Diversion During a Robbery

During a daring bank robbery in Sweden that involved a helicopter, the criminals disabled a police helicopter by placing a package with the word “bomb” near the helicopter hangar, thus engaging the full caution/evacuation procedure while they escaped.

I wrote about this exact sort of thing in Beyond Fear.

EDITED TO ADD (10/13): The attack was successfully carried off even though the Swedish police had been warned.

Posted on October 1, 2009 at 7:01 AMView Comments

Eliminating Externalities in Financial Security

This is a good thing:

An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers’ user name and password.

[…]

In February 2007, someone with a different IP address than the couple gained access to Marsha Shames-Yeakel’s online banking account using her user name and password and initiated an electronic transfer of $26,500 from the couple’s home equity line of credit to her business account. The money was then transferred through a bank in Hawaii to a bank in Austria.

The Austrian bank refused to return the money, and Citizens Financial insisted that the couple be liable for the funds and began billing them for it. When they refused to pay, the bank reported them as delinquent to the national credit reporting agencies and threatened to foreclose on their home.

The couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, claiming, among other things, that the bank reported them as delinquent to credit reporting agencies without telling the agencies that the debt in question was under dispute and was the result of a third-party theft. The couple wrote 19 letters disputing the debt, but began making monthly payments to the bank for the stolen funds in late 2007 following the bank’s foreclosure threats.

In addition to these claims, the plaintiffs also accused the bank of negligence under state law.

According to the plaintiffs, the bank had a common law duty to protect their account information from identity theft and failed to maintain state-of-the-art security standards. Specifically, the plaintiffs argued, the bank used only single-factor authentication for customers logging into its server (a user name and password) instead of multi-factor authentication, such as combining the user name and password with a token the customer possesses that authenticates the customer’s computer to the bank’s server or dynamically generates a single-use password for logging in.

As I’ve previously written, this is the only way to mitigate this kind of fraud:

Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can’t involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

They can’t claim that the user must keep his password secure or his machine virus free. They can’t require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.

It’s an important security principle: ensure that the person who has the ability to mitigate the risk is responsible for the risk. In this case, the account holders had nothing to do with the security of their account. They could not audit it. They could not improve it. The bank, on the other hand, has the ability to improve security and mitigate the risk, but because they pass the cost on to their customers, they have no incentive to do so. Litigation like this has the potential to fix the externality and improve security.

Posted on September 23, 2009 at 7:13 AMView Comments

The Global Illicit Economy

Interesting video:

A new class of global actors is playing an increasingly important role in globalization: smugglers, warlords, guerrillas, terrorists, gangs, and bandits of all stripes. Since the end of the Cold War, the global illicit economy has consistently grown at twice the rate of the licit global economy. Increasingly, illicit actors will represent not just an economic but a political force. As globalization hollows out traditional nation-states, what will fill the power vacuum in slums and hinterlands will be informal non-state governance structures. These zones will be globally connected, effectively run by local gangs, religious leaders, or quasi-tribal organizations—organizations that will govern without aspiring to statehood.

Malware is one of Nils Gilman’s examples, at about the nine-minute mark.

The seven rules of the illicit global economy (he seems to use “illicit” and “deviant” interchangeably in the talk):

  1. Perfectly legitimate forms of demand can produce perfectly deviant forms of supply.
  2. Uneven global regulatory structures create arbitrage opportunities for deviant entrepreneurs.
  3. Pathways for legitimate globalization are always also pathways for deviant globalization.
  4. Once a deviant industry professionalizes, crackdowns merely promote innovation.
  5. States themselves undermine the distinction between legitimate and deviant economics.
  6. Unchecked, deviant entrepreneurs will overtake the legitimate economy.
  7. Deviant globalization presents an existential challenge to state legitimacy.

Posted on September 8, 2009 at 7:12 AMView Comments

On London's Surveillance Cameras

A recent report has concluded that the London’s surveillance cameras have solved one crime per thousand cameras per year.

David Davis MP, the former shadow home secretary, said: “It should provoke a long overdue rethink on where the crime prevention budget is being spent.”

He added: “CCTV leads to massive expense and minimum effectiveness.

“It creates a huge intrusion on privacy, yet provides little or no improvement in security.

Also:

Earlier this year separate research commissioned by the Home Office suggested that the cameras had done virtually nothing to cut crime, but were most effective in preventing vehicle crimes in car parks.

A report by a House of Lords committee also said that £500 million was spent on new cameras in the 10 years to 2006, money which could have been spent on street lighting or neighbourhood crime prevention initiatives.

A large proportion of the cash has been In London, where an estimated £200 million so far has been spent on the cameras. This suggests that each crime has cost £20,000 to detect.

I haven’t seen the report, but I know it’s hard to figure out when a crime has been “solved” by a surveillance camera. To me, the crime has to have been unsolvable without the cameras. Repeatedly I see pro-camera lobbyists pointing to the surveillance-camera images that identified the 7/7 London Transport bombers, but it is obvious that they would have been identified even without the cameras.

And it would really help my understanding of that £20,000 figure (I assume it is calculated from £200 million for the cameras times 1 in 1000 cameras used to solve a crime per year divided by ten years) if I knew what sorts of crimes the cameras “solved.” If the £200 million solved 10,000 murders, it might very well be a good security trade-off. But my guess is that most of the crimes were of a much lower level.

Cameras are largely security theater:

A Home Office spokeswoman said CCTVs “help communities feel safer”.

Posted on August 31, 2009 at 5:59 AMView Comments

Banning Beer Glasses in Pubs

Not beer, just the glasses:

The Home Office has commissioned a new design, in an attempt to stop glasses being used as weapons.

Official figures show 5,500 people are attacked with glasses and bottles every year in England and Wales.

The British Beer and Pub Association said it did not want the new plastic glasses to be made compulsory.

I don’t think this will go anywhere, but the sheer idiocy is impressive. Reminds me of the call to ban pointy knives. That recommendation also came out of the UK. What’s going on over there?

Posted on August 27, 2009 at 1:44 PMView Comments

1 13 14 15 16 17 39

Sidebar photo of Bruce Schneier by Joe MacInnis.