Do-it-Yourself Phishing Kit
PC World has found a do-it-yourself phishing kit for sale on the Internet. Of course, because they’re a fine, upstanding magazine, they don’t include any information about how to buy it or how much it costs.
Entries Tagged "crime"
Page 27 of 39
1933 Article on Crooked Gambling Technology
Fun reading. In every generation, criminals are near the leading edge in applying new technology to steal things.
Surveillance Cameras Catch a Cold-Blooded Killer
I’m in the middle of writing a long essay on the psychology of security. One of the things I’m writing about is the “availability heuristic,” which basically says that the human brain tends to assess the frequency of a class of events based on how easy it is to bring an instance of that class to mind. It explains why people tend to be afraid of the risks that are discussed in the media, or why people are afraid to fly but not afraid to drive.
One of the effects of this heuristic is that people are more persuaded by a vivid example than they are by statistics. The latter might be more useful, but the former is easier to remember.
That’s the context in which I want you to think about this very gripping story about a cold-blooded killer caught by city-wide surveillance cameras.
Federal agents showed Peterman the recordings from that morning. One camera captured McDermott, 48, getting off the bus. A man wearing a light jacket and dark pants got off the same bus, and followed a few steps behind her.
Another camera caught them as they rounded the corner. McDermott didn’t seem to notice the man following her. Halfway down the block, the man suddenly raised his arm and shot her once in the back of the head.
“I’ve seen shootings incidents on video before,” Peterman said, “but the suddenness, and that he did it for no reason at all, was really scary.”
I can write essay after essay about the inefficacy of security cameras. I can talk about trade-offs, and the better ways to spend the money. I can cite statistics and experts and whatever I want. But—used correctly—stories like this one will do more to move public opinion than anything I can do.
The Problem with "Hiring Hackers"
The Communications Director for Montana’s Congressman Denny Rehberg solicited “hackers” to break into the computer system at Texas Christian University and change his grades (so they would look better when he eventually ran for office, I presume). The hackers posted the email exchange instead. Very funny:
First, let’s be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can’t trust anyone and everyone that mails such a request, you might be an FBI agent, right?
So, I need three things to make this happen:
1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus.
2. The information I mentioned so I can find the records once I get into the database.
3. Some idea of what I get for all my trouble.
Cybercrime Hype Alert
It seems to be the season for cybercrime hype. First, we have this article from CNN, which seems to have no actual news:
Computer hackers will open a new front in the multi-billion pound “cyberwar” in 2007, targeting mobile phones, instant messaging and community Web sites such as MySpace, security experts predict.
As people grow wise to email scams, criminal gangs will find new ways to commit online fraud, sell fake goods or steal corporate secrets.
And next, this article, which claims that criminal organizations are paying student members to get IT degrees:
The most successful cyber crime gangs were based on partnerships between those with the criminals skills and contacts and those with the technical ability, said Mr Day.
“Traditional criminals have the ability to move funds and use all of the background they have,” he said, “but they don’t have the technical expertise.”
As the number of criminal gangs looking to move into cyber crime expanded, it got harder to recruit skilled hackers, said Mr Day. This has led criminals to target university students all around the world.
“Some students are being sponsored through their IT degree,” said Mr Day. Once qualified, the graduates go to work for the criminal gangs.
[…]
The aura of rebellion the name conjured up helped criminals ensnare children as young as 14, suggested the study.
By trawling websites, bulletin boards and chat rooms that offer hacking tools, cracks or passwords for pirated software, criminal recruiters gather information about potential targets.
Once identified, young hackers are drawn in by being rewarded for carrying out low-level tasks such as using a network of hijacked home computers, a botnet, to send out spam.
The low risk of being caught and the relatively high-rewards on offer helped the criminal gangs to paint an attractive picture of a cyber criminal’s life, said Mr Day.
As youngsters are drawn in the stakes are raised and they are told to undertake increasingly risky jobs.
Criminals targeting children—that’s sure to peg anyone’s hype-meter.
To be sure, I don’t want to minimize the threat of cybercrime. Nor do I want to minimize the threat of organized cybercrime. There are more and more criminals prowling the net, and more and more cybercrime has gone up the food chain—to large organized crime syndicates. Cybercrime is big business, and it’s getting bigger.
But I’m not sure if stories like these help or hurt.
Gift Card Hack
This is a clever hack against gift cards:
Seems they take the cards off the racks in stores and copy down the serial numbers. Later on, they check to see if the card is activated, and if the answer is yes, they go on a shopping spree from the store’s website.
What’s the security problem? A serial number on the cards that’s visible even though the card is not activated. This could be mitigated by hiding the serial number behind a scratch-off coating, or opaque packaging.
Insider Identity Theft
Banks are spending millions preventing outsiders from stealing their customers’ identities, but there is a growing insider threat:
Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders.
“There are lots of weak links,” said Oveissi Field. “Back-up tapes are being sent to offsite storage sites or being mailed and getting into the wrong hands or are lost through carelessness.”
In what many regard as the biggest wake-up call in recent memory for financial institutions, thieves disguised as cleaning staff last year nearly stole the equivalent of more than $400 million from the London branch of Sumitomo Mitsui.
Remotely Eavesdropping on Cell Phone Microphones
I give a talk called “The Future of Privacy,” where I talk about current and future technological developments that erode our privacy. One of the things I talk about is auditory eavesdropping, and I hypothesize that a cell phone microphone could be turned on surreptitiously and remotely.
I never had any actual evidence one way or the other, but the technique has surfaced in an organized crime prosecution:
The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the “roving bug” was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect’s cell phone.
Kaplan’s opinion said that the eavesdropping technique “functioned whether the phone was powered on or off.” Some handsets can’t be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.
Seems that the technique is to download eavesdropping software into the phone:
The U.S. Commerce Department’s security office warns that “a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone.” An article in the Financial Times last year said mobile providers can “remotely install a piece of software on to any handset, without the owner’s knowledge, which will activate the microphone even when its owner is not making a call.”
Nextel and Samsung handsets and the Motorola Razr are especially vulnerable to software downloads that activate their microphones, said James Atkinson, a counter-surveillance consultant who has worked closely with government agencies. “They can be remotely accessed and made to transmit room audio all the time,” he said. “You can do that without having physical access to the phone.”
[…]
Details of how the Nextel bugs worked are sketchy. Court documents, including an affidavit (p1) and (p2) prepared by Assistant U.S. Attorney Jonathan Kolodner in September 2003, refer to them as a “listening device placed in the cellular telephone.” That phrase could refer to software or hardware.
One private investigator interviewed by CNET News.com, Skipp Porteous of Sherlock Investigations in New York, said he believed the FBI planted a physical bug somewhere in the Nextel handset and did not remotely activate the microphone.
“They had to have physical possession of the phone to do it,” Porteous said. “There are several ways that they could have gotten physical possession. Then they monitored the bug from fairly near by.”
But other experts thought microphone activation is the more likely scenario, mostly because the battery in a tiny bug would not have lasted a year and because court documents say the bug works anywhere “within the United States”—in other words, outside the range of a nearby FBI agent armed with a radio receiver.
In addition, a paranoid Mafioso likely would be suspicious of any ploy to get him to hand over a cell phone so a bug could be planted. And Kolodner’s affidavit seeking a court order lists Ardito’s phone number, his 15-digit International Mobile Subscriber Identifier, and lists Nextel Communications as the service provider, all of which would be unnecessary if a physical bug were being planted.
A BBC article from 2004 reported that intelligence agencies routinely employ the remote-activation method. “A mobile sitting on the desk of a politician or businessman can act as a powerful, undetectable bug,” the article said, “enabling them to be activated at a later date to pick up sounds even when the receiver is down.”
For its part, Nextel said through spokesman Travis Sowders: “We’re not aware of this investigation, and we weren’t asked to participate.”
EDITED TO ADD (12/12): Another article.
Forecasting Murderers
There’s new software that can predict who is likely to become a murderer.
Using probation department cases entered into the system between 2002 and 2004, Berk and his colleagues performed a two-year follow-up study—enough time, they theorized, for a person to reoffend if he was going to. They tracked each individual, with particular attention to the people who went on to kill. That created the model. What remains at this stage is to find a way to marry the software to the probation department’s information technology system.
When caseworkers begin applying the model next year they will input data about their individual cases – what Berk calls “dropping ‘Joe’ down the model”—to come up with scores that will allow the caseworkers to assign the most intense supervision to the riskiest cases.
Even a crime as serious as aggravated assault—pistol whipping, for example—”might not mean that much” if the first-time offender is 30, but it is an “alarming indicator” in a first-time offender who is 18, Berk said.
The model was built using adult probation data stripped of personal identifying information for confidentiality. Berk thinks it could be an even more powerful diagnostic tool if he could have access to similarly anonymous juvenile records.
The central public policy question in all of this is a resource allocation problem. With not enough resources to go around, overloaded case workers have to cull their cases to find the ones in most urgent need of attention—the so-called true positives, as epidemiologists say.
But before that can begin in earnest, the public has to decide how many false positives it can afford in order to head off future killers, and how many false negatives (seemingly nonviolent people who nevertheless go on to kill) it is willing to risk to narrow the false positive pool.
Pretty scary stuff, as it gets into the realm of thoughtcrime.
Fighting Fraudulent Transactions
Last March I wrote that two-factor authentication isn’t going to reduce financial fraud or identity theft, that all it will do is force the criminals to change their tactics:
Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.
Here are two new active attacks we’re starting to see:
- Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank’s real website. Done right, the user will never realize that he isn’t at the bank’s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time.
- Trojan attack. Attacker gets Trojan installed on user’s computer. When user logs into his bank’s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.
See how two-factor authentication doesn’t solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.
The solution is not to better authenticate the person, but to authenticate the transaction. (Think credit cards. No one checks your signature. They really don’t care if you’re you. They maintain security by authenticating the transactions.)
Of course, no one listens to me. U.S. regulators required banks to implement two-factor authentication by the end of this year. But customers are rebelling, and banks are scrambling to figure out something—anything—else. And, amazingly enough and purely by accident it seems, they’ve stumbled on security solutions that actually work:
Instead, to comply with new banking regulations and stem phishing losses, banks and the vendors who serve them are hurriedly putting together multipronged strategies that they say amount to “strong” authentication. The emerging approach generally consists of somehow recognizing a customer’s computer, asking additional challenge questions for risky behavior and putting in place back-end fraud detection.
[…]
Despite the FFIEC guidance about authentication, the emerging technologies that actually seem to hold the most promise for protecting the funds in consumer banking accounts aren’t authentication systems at all. They’re back-end systems that monitor for suspicious behavior.
Some of these tools are rule-based: If a customer from Nebraska signs on from, say, Romania, the bank can determine that the log-on always be considered suspect. Others are based on a risk score: That log-on from Romania would add points to a risk score, and when the score reaches a certain threshold, the bank takes action.
Flagged transactions can get bumped to second-factor authentication—usually, a call on the telephone, something the user has. This has long been done manually in the credit card world. Just think about the last phone call you got from your credit card company’s fraud department when you (or someone else) tried to make a large purchase with your credit card in Europe. Some banks, including Washington Mutual, are in the process of automating out-of-band phone calls for risky online transactions.
Exactly. That’s how you do it.
EDITED TO ADD (12/6): Another example.
Sidebar photo of Bruce Schneier by Joe MacInnis.