Page 11 of 13
In Australia, criminals are posing as census takers and harvesting personal data for fraudulent purposes.
EDITED TO ADD (8/21): I didn’t notice that this link is from 2001. Sorry about missing that, but it actually makes the story more interesting. This is the sort of identity-theft tactic that I would have expected to see this year, as criminals have gotten more and more sophisticated. It surprises me that they were doing this five years ago as well.
Another in our series on the security problems of trusting people in uniform:
A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.
The thief showed up Tuesday morning at the Pitti Palace, a grandiose renaissance construction in central Florence and one of Italy’s best known museums, wearing the same uniform used by employees of the security firm which every day collects the institution’s takings.
After the cashier staff gave him three bags full of money, he signed a receipt and calmly walked out.
Really nice social engineering example. Note his repeated efforts to ensure that if he’s stopped again, he can rely on the cop to vouch for him.
Smooth-talking escapee evades police
Woe is Carl Bordelon, a police officer for the town of Ball, La. His dashboard camera captured (below) his questioning of Richard Lee McNair, 47, on Wednesday. Earlier that same day, McNair had escaped from a federal penitentiary at nearby Pollock, La., reportedly hiding in a prison warehouse and sneaking out in a mail van. Bordelon, on the lookout, stopped McNair when he saw him running along some railroad tracks. What follows is a chillingly fascinating performance from McNair, who manages to remain fairly smooth and matter-of-fact while tripping up Bordelon. The officer notices that the guy matches the description of McNair—who was serving a life sentence for killing a trucker at a grain elevator in Minot, N.D., in 1987—observes that he looked like he’d “been through a briar patch” and had to wonder why he would choose appalling heat (at least according to that temperature gauge in the police car) to go running, without any identification, on a dubious 12-mile run. But he doesn’t notice when McNair changes his story—he gives two different names (listen for it)—and eventually, Bordelon bids him farewell, saying: “Be careful, buddy.” McNair remains on the loose. (Note: Video is more than eight minutes long but worth it.)
On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win.
Enter “Victoria.”
Victoria was a hoax UCLA co-ed, created by Cal’s Rally Committee. For the previous week, “she” had been chatting with Gabe Pruitt, USC’s starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.
On Saturday, at the game, when Pruitt was introduced in the starting lineup, the chants began: “Victoria, Victoria.” One of the fans held up a sign with her phone number.
The look on Pruitt’s face when he turned to the bench after the first Victoria chant was priceless. The expression was unlike anything ever seen in collegiate or pro sports. Never did a chant by the opposing crowd have such an impact on a visiting player. Pruitt was in total shock. (This is the only picture I could find.)
The chant “Victoria” lasted all night. To add to his embarrassment, transcripts of their IM conversations were handed out to the bench before the game: “You look like you have a very fit body.” “Now I want to c u so bad.”
Pruitt ended up a miserable 3-for-13 from the field.
Security morals? First, this is the cleverest social engineering attack I’ve read about in a long time. Second, authentication is hard in little text windows—but it’s no less important. (Although even if this were a real co-ed recruited for the ruse, authentication wouldn’t have helped.) And third, you can hoodwink college basketball players if you get them thinking with their hormones.
It’s all social engineering:
If you want to crash the glitziest party of all, the Oscars, here’s a tip from a professional: Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned.
[…]
“The most important technique is confidence,” he said. “Part of it is being dressed the part, looking the part, and acting the part and then lying to get in the door.”
The biggest hole in the elaborate Oscars security plan, Mamlet said, is that while everyone from stagehands to reporters have to wear official credentials, the celebrities and movie executives attending the event do not.
“If you really act like a celebrity, the security guards will worry that they will get into trouble for not recognizing you,” Mamlet said.
This whole article is worth reading, but I found this tidbit particularly interesting:
He was alluding to databases maintained at an AT&T data center in Kansas, which now contain electronic records of 1.92 trillion telephone calls, going back decades. The Electronic Frontier Foundation, a digital-rights advocacy group, has asserted in a lawsuit that the AT&T Daytona system, a giant storehouse of calling records and Internet message routing information, was the foundation of the N.S.A.’s effort to mine telephone records without a warrant.
An AT&T spokeswoman said the company would not comment on the claim, or generally on matters of national security or customer privacy.
But the mining of the databases in other law enforcement investigations is well established, with documented results. One application of the database technology, called Security Call Analysis and Monitoring Platform, or Scamp, offers access to about nine weeks of calling information. It currently handles about 70,000 queries a month from fraud and law enforcement investigators, according to AT&T documents.
A former AT&T official who had detailed knowledge of the call-record database said the Daytona system takes great care to make certain that anyone using the database – whether AT&T employee or law enforcement official with a subpoena – sees only information he or she is authorized to see, and that an audit trail keeps track of all users. Such information is frequently used to build models of suspects’ social networks.
The official, speaking on condition of anonymity because he was discussing sensitive corporate matters, said every telephone call generated a record: number called, time of call, duration of call, billing category and other details. While the database does not contain such billing data as names, addresses and credit card numbers, those records are in a linked database that can be tapped by authorized users.
New calls are entered into the database immediately after they end, the official said, adding, “I would characterize it as near real time.”
According to a current AT&T employee, whose identity is being withheld to avoid jeopardizing his job, the mining of the AT&T databases had a notable success in helping investigators find the perpetrators of what was known as the Moldovan porn scam.
In 1997 a shadowy group in Moldova, a former Soviet republic, was tricking Internet users by enticing them to a pornography Web site that would download a piece of software that disconnected the computer user from his local telephone line and redialed a costly 900 number in Moldova.
While another long-distance carrier simply cut off the entire nation of Moldova from its network, AT&T and the Moldovan authorities were able to mine the database to track the culprits.
Identity thieves trick the unwary into revealing their personal details by telling them they’ve failed to report for jury duty and warrants for their arrest are being issued.
Read about it here, or in even more detail.
I find this phishing attack impressive for several reasons. One, it’s a very sophisticated attack and demonstrates how clever identity thieves are becoming. Two, it narrowly targets a particular credit union, and sneakily uses the fact that credit cards issued by an institution share the same initial digits. Three, it exploits an authentication problem with SSL certificates. And four, it is yet another proof point that “user education” isn’t how we’re going to solve this kind of risk.
Or maybe they’re fake real ID cards. This website sells ID cards. They’re not ID cards for anything in particular, but they look official. If you need to fool someone who really doesn’t know what an ID card is supposed to look like, these are likely to work.
There was an interesting security tidbit in this article on last week’s post office shooting:
The shooter’s pass to access the facility had been expired, officials said, but she apparently used her knowledge of how security at the facility worked to gain entrance, following another vehicle in through the outer gate and getting other employees to open security doors.
This is a failure of both technology and procedure. The gate was configured to allow multiple vehicles to enter on only one person’s authorization—that’s a technology failure. And people are programmed to be polite—to hold the door for others.
SIDE NOTE: There is a common myth that workplace homicides are prevalent in the United States Postal Service. (Note the phrase “going postal.”) But not counting this event, there has been less than one shooting fatality per year at Postal Service facilities over the last 20 years. As the USPS has more than 700,000 employees, this is a lower rate than the average workplace.
Sidebar photo of Bruce Schneier by Joe MacInnis.