Entries Tagged "Russia"


Hacking the U.S. Post Office

This is clever:

Many USA ecommerce shops don’t send their goods to Russia or to the countries of the Ex-USSR.

Some shops send but delivery costs differ greatly from the homeland ones, they are usually much bigger.

So what did some Russians invent? They got a way to fool the delivery.

It’s no secret that many bigger shops use electronic systems processing orders. So in order to see if this address is in USA or Canada it uses ZIP code, state or province name and words “USA” or “CANADA”.

So what was possible to do is to put a totally Russian address in the order delivery form, like: Moscow, Lenin St. 20, Russia in the address fields (usually there is plenty of space to enter long things like this), and in the country field they put Canada, and in the ZIP code field, a Canadian ZIP code.

What happens next? The parcel travels to Canada, to the area to which the specified ZIP code belongs and there postal workers just see it’s not a Canadian address but Russian. They consider it to be some sort of mistake and forward it further, to Russia.

Posted on April 23, 2007 at 1:00 PM

Huge Online Bank Heist

Wow:

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona—up to £580,000—in what security company McAfee is describing as the “biggest ever” online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailormade Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

This is my favorite line:

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

Um…hello? Are you an idiot, or what?

Posted on January 23, 2007 at 12:54 PM

Class Break of Citibank ATM Cards

There seems to be some massive class break against Citibank ATM cards in Canada, the UK, and Russia. I don’t know any details, but the story is interesting. More info here.

EDITED TO ADD (3/6): More info here, here, here, and here.

EDITED TO ADD (3/7): Another news article.

From Jake Appelbaum: “The one unanswered question in all of this seems to be: Why is the new card going to have any issues in any of the affected countries? No one from Citibank was able to provide me with a promise my new card wouldn’t be locked yet again. Pretty amazing. I guess when I get my new card, I’ll find out.”

EDITED TO ADD (3/8): Some more news.

Posted on March 6, 2006 at 2:44 PM

Wireless Dead Drop

Dead drops have gone high tech:

Russia’s Federal Security Service (FSB) has opened an investigation into a spying device discovered in Moscow, the service said Monday.

The FSB said it had confiscated a fake rock containing electronic equipment used for espionage on January 23, and had uncovered a ring of four British spies who worked under diplomatic cover, funding human rights organizations operating in Russia.

BBC had this to say:

The old idea of the dead-drop (‘letterboxes’ the British tend to call them) – by the oak tree next to the lamppost in such-and-such a park etc – has given way to hand-held computers and short-range transmitters.

Just transmit your info at the rock and your ‘friends’ will download it next day. No need for codes and wireless sets at midnight anymore.

Transferring information to and from spies has always been risky. It’s interesting to see modern technology help with this problem.

Phil Karn wrote to me in e-mail:

My first reaction: what a clever idea! It’s about time spycraft went hi-tech. I’d like to know if special hardware was used, or if it was good old 802.11. Special forms of spread-spectrum modulation and oddball frequencies could make the RF hard to detect, but then your spies run the risk of being caught with highly specialized hardware. 802.11 is almost universal, so it’s inherently less suspicious. Randomize your MAC address, change the SSID frequently and encrypt at multiple layers. Store sensitive files encrypted, without headers, in the free area of a laptop’s hard drive so they’re not likely to be found in forensic analysis. Keep all keys physically separate from encrypted data.

Even better, hide your wireless dead drop in plain sight by making it an open, public access point with an Internet connection so the sight of random people loitering with open laptops won’t be at all unusual.

To keep the counterespionage people from wiretapping the hotspot’s ISP and performing traffic analysis, hang a PC off the access point and use it as a local drop box so the communications in question never go to the ISP.

I am reminded of a dead drop technique used by, I think, the 9/11 terrorists. They used Hotmail (or some other anonymous e-mail service) accounts, but instead of e-mailing messages to each other, one would save a message as “draft” and the recipient would retrieve it from the same account later. I thought that was pretty clever, actually.

Posted on January 31, 2006 at 7:17 AM

Automatic Lie Detector

Coming soon to airports:

Tested in Russia, the two-stage GK-1 voice analyser requires that passengers don headphones at a console and answer “yes” or “no” into a microphone to questions about whether they are planning something illicit.

The software will almost always pick up uncontrollable tremors in the voice that give away liars or those with something to hide, say its designers at Israeli firm Nemesysco.

Fascinating.

In general, I prefer security systems that are invasive yet anonymous to ones that are based on massive databases. And automatic systems that divide people into “probably fine” and “investigate a bit more” categories seem like a good use of technology. I have no idea whether this system works (there is a lot of evidence that it does not), what the false positive and false negative rates are (this article states a completely useless 12% false positive rate), or how easy it would be to learn how to fool the system, though. And in all of these trade-off discussions, the devil is in the details.

Posted on November 21, 2005 at 8:07 AM

Cold War Software Bugs

Here’s a report that the CIA slipped software bugs to the Soviets in the 1980s:

In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline, according to a new memoir by a Reagan White House official.

A CIA article from 1996 also describes this.

EDITED TO ADD (11/14): Marcus Ranum wrote about this.

Posted on November 14, 2005 at 8:04 AM

Caches of Explosives Hidden in Moscow

Here’s a post-Cold War risk that I hadn’t considered before:

Construction workers involved in building a new hotel just across from the Kremlin were surprised to find 250 kg of TNT buried deep beneath the old Moskva Hotel that had just been demolished to make way for a new one. Police astonished Muscovites further when they said that the 12 boxes of explosives lodged in the basement could have been there for half a century.

And now, new evidence points to the possibility that Moscow could be dotted with such explosive caches—planted by the secret police in the early days of World War II.

Posted on August 4, 2005 at 7:58 AM

Russia's Black-Market Data Trade

Interesting story on the market for data in Moscow:

This Gorbushka vendor offers a hard drive with cash transfer records from Russia’s central bank for $1,500 (Canadian).

And:

At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company’s list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?

The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.

I don’t know whether you can buy data about people in other countries, but it is certainly plausible.

Posted on July 6, 2005 at 6:10 AM

Lighters Banned on Airplanes

Lighters are now banned on U.S. commercial flights, but not matches.

The Senators who proposed the bill point to Richard Reid, who unsuccessfully tried to light explosives on an airplane with matches. They were worried that a lighter might have worked.

That, of course, is silly. The reason Reid failed is because he tried to light the explosives in his seat, so he could watch the faces of those around him. If he’d gone into the lavatory and lit them in private, he would have been successful.

Hence, the ban is silly.

But there’s a serious problem here. Airport security screeners are much better at detecting explosives when the detonation mechanism is attached. Explosives without any detonation mechanism—like Richard Reid’s—are much harder to detect. As are explosives carried by one person and a detonation device carried by another. I’ve heard that this was the technique the Chechnyan women used to blow up a Russian airplane.

Posted on April 20, 2005 at 4:21 PM
