New Identity Theft Tool
This program mimics a human in a chat room, and attempts to extract personal information.
And I thought ELIZA was so 1960s.
Entries Tagged "crime"
Page 23 of 39
Police Helping Thieves
This is a weird article. Local police are putting yellow stickers on cars with visible packages, making it easier for thieves to identify which cars are worth breaking into.
How odd.
EDITED TO ADD 12/19): According to a comment, this was misreported in the news. The police didn’t just put signs on cars with visible packages, but on all cars. Cars with no visible packages got a note saying: “Nothing Observed (Good Job!).” So a thief would have to read the sign, which means he’s already close enough to look in the car. Much better.
Security in Ten Years
This is a conversation between myself and Marcus Ranum. It will appear in Information Security Magazine this month.
Bruce Schneier: Predictions are easy and difficult. Roy Amara of the Institute for the Future once said: “We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.”
Moore’s Law is easy: In 10 years, computers will be 100 times more powerful. My desktop will fit into my cell phone, we’ll have gigabit wireless connectivity everywhere, and personal networks will connect our computing devices and the remote services we subscribe to. Other aspects of the future are much more difficult to predict. I don’t think anyone can predict what the emergent properties of 100x computing power will bring: new uses for computing, new paradigms of communication. A 100x world will be different, in ways that will be surprising.
But throughout history and into the future, the one constant is human nature. There hasn’t been a new crime invented in millennia. Fraud, theft, impersonation and counterfeiting are perennial problems that have been around since the beginning of society. During the last 10 years, these crimes have migrated into cyberspace, and over the next 10, they will migrate into whatever computing, communications and commerce platforms we’re using.
The nature of the attacks will be different: the targets, tactics and results. Security is both a trade-off and an arms race, a balance between attacker and defender, and changes in technology upset that balance. Technology might make one particular tactic more effective, or one particular security technology cheaper and more ubiquitous. Or a new emergent application might become a favored target.
I don’t see anything by 2017 that will fundamentally alter this. Do you?
Marcus Ranum: I think you’re right; at a meta-level, the problems are going to stay the same. What’s shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren’t effective. It’s 2007 and we haven’t seemed to accept that:
- You can’t turn shovelware into reliable software by patching it a whole lot.
- You shouldn’t mix production systems with non-production systems.
- You actually have to know what’s going on in your networks.
- If you run your computers with an open execution runtime model you’ll always get viruses, spyware and Trojan horses.
- You can pass laws about locking barn doors after horses have left, but it won’t put the horses back in the barn.
- Security has to be designed in, as part of a system plan for reliability, rather than bolted on afterward.
The list could go on for several pages, but it would be too depressing. It would be “Marcus’ list of obvious stuff that everybody knows but nobody accepts.”
You missed one important aspect of the problem: By 2017, computers will be even more important to our lives, economies and infrastructure.
If you’re right that crime remains a constant, and I’m right that our responses to computer security remain ineffective, 2017 is going to be a lot less fun than 2007 was.
I’ve been pretty dismissive of the concepts of cyberwar and cyberterror. That dismissal was mostly motivated by my observation that the patchworked and kludgy nature of most computer systems acts as a form of defense in its own right, and that real-world attacks remain more cost-effective and practical for terror purposes.
I’d like to officially modify my position somewhat: I believe it’s increasingly likely that we’ll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won’t be terrorists that do it, though. More likely, we’ll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace—and that ancillary system gets a piece of malware. Or it’ll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some “merely curious” hacker pushes the wrong e-button. We’ve got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies?
You’re worried criminals will continue to penetrate into cyberspace, and I’m worried complexity, poor design and mismanagement will be there to meet them.
Bruce Schneier: I think we’ve already suffered that kind of critical systems failure. The August 2003 blackout that covered much of northeastern United States and Canada—50 million people—was caused by a software bug.
I don’t disagree that things will continue to get worse. Complexity is the worst enemy of security, and the Internet—and the computers and processes connected to it—is getting more complex all the time. So things are getting worse, even though security technology is improving. One could say those critical insecurities are another emergent property of the 100x world of 2017.
Yes, IT systems will continue to become more critical to our infrastructure—banking, communications, utilities, defense, everything.
By 2017, the interconnections will be so critical that it will probably be cost-effective—and low-risk—for a terrorist organization to attack over the Internet. I also deride talk of cyberterror today, but I don’t think I will in another 10 years.
While the trends of increased complexity and poor management don’t look good, there is another trend that points to more security—but neither you nor I is going to like it. That trend is IT as a service.
By 2017, people and organizations won’t be buying computers and connectivity the way they are today. The world will be dominated by telcos, large ISPs and systems integration companies, and computing will look a lot like a utility. Companies will be selling services, not products: email services, application services, entertainment services. We’re starting to see this trend today, and it’s going to take off in the next 10 years. Where this affects security is that by 2017, people and organizations won’t have a lot of control over their security. Everything will be handled at the ISPs and in the backbone. The free-wheeling days of general-use PCs will be largely over. Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won’t like it, but it’s the future. The Internet is all about commerce, and commerce won’t survive any other way.
Marcus Ranum: You’re right about the shift toward services—it’s the ultimate way to lock in customers.
If you can make it difficult for the customer to get his data back after you’ve held it for a while, you can effectively prevent the customer from ever leaving. And of course, customers will be told “trust us, your data is secure,” and they’ll take that for an answer. The back-end systems that will power the future of utility computing are going to be just as full of flaws as our current systems. Utility computing will also completely fail to address the problem of transitive trust unless people start shifting to a more reliable endpoint computing platform.
That’s the problem with where we’re heading: the endpoints are not going to get any better. People are attracted to appliances because they get around the headache of system administration (which, in today’s security environment, equates to “endless patching hell”), but underneath the slick surface of the appliance we’ll have the same insecure nonsense we’ve got with general-purpose desktops. In fact, the development of appliances running general-purpose operating systems really does raise the possibility of a software monoculture. By 2017, do you think system engineering will progress to the point where we won’t see a vendor release a new product and instantly create an installed base of 1 million-plus users with root privileges? I don’t, and that scares me.
So if you’re saying the trend is to continue putting all our eggs in one basket and blithely trusting that basket, I agree.
Another trend I see getting worse is government IT know-how. At the rate outsourcing has been brain-draining the federal workforce, by 2017 there won’t be a single government employee who knows how to do anything with a computer except run PowerPoint and Web surf. Joking aside, the result is that the government’s critical infrastructure will be almost entirely managed from the outside. The strategic implications of such a shift have scared me for a long time; it amounts to a loss of control over data, resources and communications.
Bruce Schneier: You’re right about the endpoints not getting any better. I’ve written again and again how measures like two-factor authentication aren’t going to make electronic banking any more secure. The problem is if someone has stuck a Trojan on your computer, it doesn’t matter how many ways you authenticate to the banking server; the Trojan is going to perform illicit transactions after you authenticate.
It’s the same with a lot of our secure protocols. SSL, SSH, PGP and so on all assume the endpoints are secure, and the threat is in the communications system. But we know the real risks are the endpoints.
And a misguided attempt to solve this is going to dominate computing by 2017. I mentioned software-as-a-service, which you point out is really a trick that allows businesses to lock up their customers for the long haul. I pointed to the iPhone, whose draconian rules about who can write software for that platform accomplishes much the same thing. We could also point to Microsoft’s Trusted Computing, which is being sold as a security measure but is really another lock-in mechanism designed to keep users from switching to “unauthorized” software or OSes.
I’m reminded of the post-9/11 anti-terrorist hysteria—we’ve confused security with control, and instead of building systems for real security, we’re building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government’s hands.
Computing is heading in the same direction, although this time it is industry that wants control over its users. They’re going to sell it to us as a security system—they may even have convinced themselves it will improve security—but it’s fundamentally a control system. And in the long run, it’s going to hurt security.
Imagine we’re living in a world of Trustworthy Computing, where no software can run on your Windows box unless Microsoft approves it. That brain drain you talk about won’t be a problem, because security won’t be in the hands of the user. Microsoft will tout this as the end of malware, until some hacker figures out how to get his software approved. That’s the problem with any system that relies on control: Once you figure out how to hack the control system, you’re pretty much golden. So instead of a zillion pesky worms, by 2017 we’re going to see fewer but worse super worms that sail past our defenses.
By then, though, we’ll be ready to start building real security. As you pointed out, networks will be so embedded into our critical infrastructure—and there’ll probably have been at least one real disaster by then—that we’ll have no choice. The question is how much we’ll have to dismantle and build over to get it right.
Marcus Ranum: I agree regarding your gloomy view of the future. It’s ironic the counterculture “hackers” have enabled (by providing an excuse) today’s run-patch-run-patch-reboot software environment and tomorrow’s software Stalinism.
I don’t think we’re going to start building real security. Because real security is not something you build—it’s something you get when you leave out all the other garbage as part of your design process. Purpose-designed and purpose-built software is more expensive to build, but cheaper to maintain. The prevailing wisdom about software return on investment doesn’t factor in patching and patch-related downtime, because if it did, the numbers would stink. Meanwhile, I’ve seen purpose-built Internet systems run for years without patching because they didn’t rely on bloated components. I doubt industry will catch on.
The future will be captive data running on purpose-built back-end systems—and it won’t be a secure future, because turning your data over always decreases your security. Few possess the understanding of complexity and good design principles necessary to build reliable or secure systems. So, effectively, outsourcing—or other forms of making security someone else’s problem—will continue to seem attractive.
That doesn’t look like a very rosy future to me. It’s a shame, too, because getting this stuff correct is important. You’re right that there are going to be disasters in our future.
I think they’re more likely to be accidents where the system crumbles under the weight of its own complexity, rather than hostile action. Will we even be able to figure out what happened, when it happens?
Folks, the captains have illuminated the “Fasten your seat belts” sign. We predict bumpy conditions ahead.
EDITED TO ADD (12/4): Commentary on the point/counterpoint.
Trucker Steals Guinness from Brewery
Someone drove a truck through the front gate of the Guinness brewery in Dublin, loaded the trailer with 450 kegs of beer, and drove out the gate. Security presumed it was just another legitimate contractor coming to pick up beer for distribution, and ignored him.
Moral: look like you belong.
EDITED TO ADD (12/5): Looks like they were caught before they drank all the beer.
Hacking a Soda Machine
The idea is simple: prevent the machine from completing an action and place it in an error state, and then exploit that state. In this instance, the hacker prevents the machine from dispensing the drink bottle. The machine refunds the money, but the bottle stays on the conveyor belt. Then the hacker purchases a second bottle, and receives them both.
The Sham of Criminal Profiling
Malcolm Gladwell makes a convincing case that criminal profiling is nothing more than a “cold reading” magic trick.
A few years ago, Alison went back to the case of the teacher who was murdered on the roof of her building in the Bronx. He wanted to know why, if the F.B.I.’s approach to criminal profiling was based on such simplistic psychology, it continues to have such a sterling reputation. The answer, he suspected, lay in the way the profiles were written, and, sure enough, when he broke down the rooftop-killer analysis, sentence by sentence, he found that it was so full of unverifiable and contradictory and ambiguous language that it could support virtually any interpretation.
Astrologers and psychics have known these tricks for years. The magician Ian Rowland, in his classic “The Full Facts Book of Cold Reading,” itemizes them one by one, in what could easily serve as a manual for the beginner profiler. First is the Rainbow Ruse—the “statement which credits the client with both a personality trait and its opposite.” (“I would say that on the whole you can be rather a quiet, self effacing type, but when the circumstances are right, you can be quite the life and soul of the party if the mood strikes you.”) The Jacques Statement, named for the character in “As You Like It” who gives the Seven Ages of Man speech, tailors the prediction to the age of the subject. To someone in his late thirties or early forties, for example, the psychic says, “If you are honest about it, you often get to wondering what happened to all those dreams you had when you were younger.” There is the Barnum Statement, the assertion so general that anyone would agree, and the Fuzzy Fact, the seemingly factual statement couched in a way that “leaves plenty of scope to be developed into something more specific.” (“I can see a connection with Europe, possibly Britain, or it could be the warmer, Mediterranean part?”) And that’s only the start: there is the Greener Grass technique, the Diverted Question, the Russian Doll, Sugar Lumps, not to mention Forking and the Good Chance Guess—all of which, when put together in skillful combination, can convince even the most skeptical observer that he or she is in the presence of real insight.
[…]
They had been at it for almost six hours. The best minds in the F.B.I. had given the Wichita detectives a blueprint for their investigation. Look for an American male with a possible connection to the military. His I.Q. will be above 105. He will like to masturbate, and will be aloof and selfish in bed. He will drive a decent car. He will be a “now” person. He won’t be comfortable with women. But he may have women friends. He will be a lone wolf. But he will be able to function in social settings. He won’t be unmemorable. But he will be unknowable. He will be either never married, divorced, or married, and if he was or is married his wife will be younger or older. He may or may not live in a rental, and might be lower class, upper lower class, lower middle class or middle class. And he will be crazy like a fox, as opposed to being mental. If you’re keeping score, that’s a Jacques Statement, two Barnum Statements, four Rainbow Ruses, a Good Chance Guess, two predictions that aren’t really predictions because they could never be verified—and nothing even close to the salient fact that BTK was a pillar of his community, the president of his church and the married father of two.
Identity Theft Study
Interesting study: “Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement,” October 2007. It’s long, but at least read the executive summary. Or, even shorter, this Associated Press story:
Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.
The study found that 42.5 percent of offenders were between the ages of 25 and 34. Another 18 percent were between the ages of 18 and 24. Two-thirds of the identity thieves were male.
Nearly a quarter of the offenders were born outside the United States.
Eighty percent of the cases involved an offender working solo or with a single partner, the report found.
While identity thieves used a wide combination of methods, fewer than 20 percent of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.
Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver’s licenses.
Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances, the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.
In about a fifth of the cases, the employee worked in the financial services industry.
Understanding the Black Market in Internet Crime
Here’s a interesting paper from Carnegie Mellon University: “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants.”
The paper focuses on the large illicit market that specializes in the commoditization of activities in support of Internet-based crime. The main goal of the paper was to understand and measure how these markets function, and discuss the incentives of the various market entities. Using a dataset collected over seven months and comprising over 13 million messages, they were able to categorize the market’s participants, the goods and services advertised, and the asking prices for selected interesting goods.
Really cool stuff.
Unfortunately, the data is extremely noisy and so far the authors have no way to cross-validate it, so it is difficult to make any strong conclusions.
The press focused on just one thing: a discussion of general ways to disrupt the market. Contrary to the claims of the article, the authors have not built any tools to disrupt the markets.
Partial Fingerprints Barred from Murder Trial
Brandon Mayfield, the Oregon man who was arrested because his fingerprint “matched” that of an Algerian who handled one of the Madrid bombs, now has a legacy: a judge has ruled partial prints cannot be used in a murder case.
“The repercussions are terrifically broad,” said David L. Faigman, a professor at the University of California’s Hastings College of the Law and an editor of Modern Scientific Evidence: The Law and Science of Expert Testimony.
“Fingerprints, before DNA, were always considered the gold standard of forensic science, and it’s turning out that there’s a lot more tin in that field than gold,” he said. “The public needs to understand that. This judge is declaring, not to mix my metaphors, that the emperor has no clothes.”
Detecting Restaurant Credit Card Fraud with Checksums
Clever technique to put a checksum into the bill total when you add a tip at a restaurant.
I don’t know how common tip fraud is. This thread implies that it’s pretty common, but I use my credit card in restaurants all the time all over the world and I’ve never been the victim of this sort of fraud. On the other hand, I’m not a lousy tipper. And maybe I don’t frequent the right sort of restaurants.
Sidebar photo of Bruce Schneier by Joe MacInnis.