Entries Tagged "theft"

Page 13 of 22

Protecting Against the Snatched Laptop Data Theft

Almost two years ago, I wrote about my strategy for encrypting my laptop. One of the things I said was:

There are still two scenarios you aren’t secure against, though. You’re not secure against someone snatching your laptop out of your hands as you’re typing away at the local coffee shop. And you’re not secure against the authorities telling you to decrypt your data for them.

Here’s a free program that defends against that first threat: it locks the computer unless a key is pressed every n seconds.

Honestly, this would be too annoying for me to use, but you’re welcome to try it.

Posted on June 29, 2009 at 6:51 AMView Comments

Did a Public Twitter Post Lead to a Burglary?

No evidence one way or the other:

Like a lot of people who use social media, Israel Hyman and his wife Noell went on Twitter to share real-time details of a recent trip. Their posts said they were “preparing to head out of town,” that they had “another 10 hours of driving ahead,” and that they “made it to Kansas City.”

While they were on the road, their home in Mesa, Ariz., was burglarized. Hyman has an online video business called IzzyVideo.com, with 2,000 followers on Twitter. He thinks his Twitter updates tipped the burglars off.

“My wife thinks it could be a random thing, but I just have my suspicions,” he said. “They didn’t take any of our normal consumer electronics.” They took his video editing equipment.

I’m not saying that there isn’t a connection, but people have a propensity for seeing these sorts of connections.

Posted on June 15, 2009 at 2:26 PMView Comments

Malware Steals ATM Data

One of the risks of using a commercial OS for embedded systems like ATMs: it’s easier to write malware against it:

The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system.

The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:WINDOWS directory.

Once the malicious lsass.exe program is installed, it collects users account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.

After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.

EDITED TO ADD (6/14): Seems like the story I quoted was jumping to conclusions. The actual report says “the malware is installed and activated through a dropper file (a file that an attacker can use to deploy tools onto a compromised system) by the name of isadmin.exe,” which doesn’t really sound like it’s referring to a buffer overflow attack carried out through a card emulator. Also, The Register says “[the] malicious programs can be installed only by people with physical access to the machines, making some level of insider cooperation necessary.”

Posted on June 10, 2009 at 1:51 PMView Comments

Using Surveillance Cameras to Detect Cashier Cheating

It’s called “sweethearting”: when cashiers pass free merchandise to friends. And some stores are using security cameras to detect it:

Mathematical algorithms embedded in the stores’ new security system pick out sweethearting on their own. There’s no need for a security guard watching banks of video monitors or reviewing hours of grainy footage. When the system thinks it’s spotted evidence, it alerts management on a computer screen and offers up the footage.

[…]

Big Y’s security system comes from a Cambridge, Mass.-based company called StopLift Inc. The technology works by scouring video pixels for various gestures and deciding whether they add up to a normal transaction at the register or not.

How good is it? My guess is that it’s not very good, but this is an instance where that may be good enough. As long as there aren’t a lot of false positives—as long as a person can quickly review the suspect footage and dismiss it as a false positive—the cost savings might be worth the expense.

Posted on May 13, 2009 at 7:55 AMView Comments

Stealing Commodities

Before his arrest, Tom Berge stole lead roof tiles from several buildings in south-east England, including the Honeywood Museum in Carshalton, the Croydon parish church, and the Sutton high school for girls. He then sold those tiles to scrap metal dealers.

As a security expert, I find this story interesting for two reasons. First, amongst increasingly ridiculous attempts to ban, or at least censor, Google Earth, lest it help the terrorists, here is an actual crime that relied on the service: Berge needed Google Earth for reconnaissance.

But more interesting is the discrepancy between the value of the lead tiles to the original owner and to the thief. The Sutton school had to spend £10,000 to buy new lead tiles; the Croydon Church had to repair extensive water damage after the theft. But Berge only received £700 a ton from London scrap metal dealers.

This isn’t an isolated story; the same dynamic is in play with other commodities as well.

There is an epidemic of copper wiring thefts worldwide; copper is being stolen out of telephone and power stations—and off poles in the streets—and thieves have killed themselves because they didn’t understand the dangers of high voltage. Homeowners are returning from holiday to find the copper pipes stolen from their houses. In 2001, scrap copper was worth 70 cents per pound. In April 2008, it was worth $4.

Gasoline siphoning became more common as pump prices rose. And used restaurant grease, formerly either given away or sold for pennies to farmers, is being stolen from restaurant parking lots and turned into biofuels. Newspapers and other recyclables are stolen from curbs, and trees are stolen and resold as Christmas trees.

Iron fences have been stolen from buildings and houses, manhole covers have been stolen from the middle of streets, and aluminum guard rails have been stolen from roadways. Steel is being stolen for scrap, too. In 2004 in Ukraine, thieves stole an entire steel bridge.

These crimes are particularly expensive to society because the replacement cost is much higher than the thief’s profit. A manhole cover is worth $5–$10 as scrap, but it costs $500 to replace, including labor. A thief may take $20 worth of copper from a construction site, but do $10,000 in damage in the process. And even if the thieves don’t get to the copper or steel, the increased threat means more money being spent on security to protect those commodities in the first place.

Security can be viewed as a tax on the honest, and these thefts demonstrate that our taxes are going up. And unlike many taxes, we don’t benefit from their collection. The cost to society of retrofitting manhole covers with locks, or replacing them with less resalable alternatives, is high; but there is no benefit other than reducing theft.

These crimes are a harbinger of the future: evolutionary pressure on our society, if you will. Criminals are often referred to as social parasites; they leech off society but provide no useful benefit. But they are an early warning system of societal changes. Unfettered by laws or moral restrictions, they can be the first to respond to changes that the rest of society will be slower to pick up on. In fact, currently there’s a reprieve. Scrap metal prices are all down from last year’s—copper is currently $1.62 per pound, and lead is half what Berge got—and thefts are down along with them.

We’ve designed much of our infrastructure around the assumptions that commodities are cheap and theft is rare. We don’t protect transmission lines, manhole covers, iron fences, or lead flashing on roofs. But if commodity prices really are headed for new higher stable points, society will eventually react and find alternatives for these items—or find ways to protect them. Criminals were the first to point this out, and will continue to exploit the system until it restabilizes.

A version of this essay originally appeared in The Guardian.

Posted on April 3, 2009 at 5:25 AMView Comments

Thefts at the Museum of Bad Art

I’m not making this up:

The loss of two MOBA works to theft has drawn media attention, and enhanced the museum’s stature. In 1996, the painting Eileen, by R. Angelo Le, vanished from MOBA. Eileen was acquired from the trash by Wilson, and features a rip in the canvas where someone slashed it with a knife even before the museum acquired it, “adding an additional element of drama to an already powerful work,” according to MOBA.

The museum offered a reward of $6.50 for the return of Eileen, and although MOBA donors later increased that reward to $36.73, the work remained unrecovered for many years. The Boston Police listed the crime as “larceny, other,” and Sacco was reported saying she was unable to establish a link between the disappearance of Eileen and a notorious heist at Boston’s famed Isabella Stewart Gardner Museum that occurred in 1990. In 2006—10 years after Eileen was stolen—MOBA was contacted by the purported thief demanding a $5,000 ransom for the painting; no ransom was paid, but it was returned anyway.

Prompted by the theft of Eileen, MOBA staff installed a fake video camera over a sign at their Dedham branch reading: “Warning. This gallery is protected by fake video cameras.” Despite this deterrent, in 2004 Rebecca Harris’ Self Portrait as a Drainpipe was removed from the wall and replaced with a ransom note demanding $10, although the thief neglected to include any contact information. Soon after its disappearance the painting was returned, with a $10 donation. Curator Michael Frank speculates that the thief had difficulty fencing the portrait because “reputable institutions refuse to negotiate with criminals.”

Be sure and notice the camera.

Posted on April 1, 2009 at 12:55 PMView Comments

Why People Steal Rare Books

Interesting analysis:

“Book theft is very hard to quantify because very often pages are cut and it’s not noticed for years,” says Rapley. “Often we come across pages from books [in hauls of recovered property] and we work back from there.” The Museum Security Network, a Dutch-based, not-for-profit organisation devoted to co-ordinating efforts to combat this type of theft, estimates that only 2 to 5 per cent of stolen books are recovered, compared with about half of stolen paintings.

“Books are extremely difficult to identify,” Rapley continues. “That means they can be sold commercially at near to market value rather than black-market value.” Thieves know that single pages cut from books to be sold as prints are easier to steal and even harder to trace, so they are often even more desirable than books themselves.

Most thieves simply cut out pages with razor blades and then hide them about their person. High bookshelves, quiet stacks or storage areas, or any lavatories located within reading rooms, are obvious places for such nefarious activities.

Regular users will have noticed that libraries have tightened up security in recent years. Among the strategies employed are CCTV cameras, improved sightlines for librarians, ID and bag checks at entrances and exits, and more floorwalking by security, uniformed or otherwise.

Posted on March 20, 2009 at 6:24 AMView Comments

The Story of the World's Largest Diamond Heist

Read the whole thing:

He took the elevator, descending two floors underground to a small, claustrophobic room—the vault antechamber. A 3-ton steel vault door dominated the far wall. It alone had six layers of security. There was a combination wheel with numbers from 0 to 99. To enter, four numbers had to be dialed, and the digits could be seen only through a small lens on the top of the wheel. There were 100 million possible combinations.

Power tools wouldn’t do the trick. The door was rated to withstand 12 hours of nonstop drilling. Of course, the first vibrations of a drill bit would set off the embedded seismic alarm anyway.

The door was monitored by a pair of abutting metal plates, one on the door itself and one on the wall just to the right. When armed, the plates formed a magnetic field. If the door were opened, the field would break, triggering an alarm. To disarm the field, a code had to be typed into a nearby keypad. Finally, the lock required an almost-impossible-to-duplicate foot-long key.

During business hours, the door was actually left open, leaving only a steel grate to prevent access. But Notarbartolo had no intention of muscling his way in when people were around and then shooting his way out. Any break-in would have to be done at night, after the guards had locked down the vault, emptied the building, and shuttered the entrances with steel roll-gates. During those quiet midnight hours, nobody patrolled the interior—the guards trusted their technological defenses.

Notarbartolo pressed a buzzer on the steel grate. A guard upstairs glanced at the videofeed, recognized Notarbartolo, and remotely unlocked the steel grate. Notarbartolo stepped inside the vault.

It was silent—he was surrounded by thick concrete walls. The place was outfitted with motion, heat, and light detectors. A security camera transmitted his movements to the guard station, and the feed was recorded on videotape. The safe-deposit boxes themselves were made of steel and copper and required a key and combination to open. Each box had 17,576 possible combinations.

Notarbartolo went through the motions of opening and closing his box and then walked out. The vault was one of the hardest targets he’d ever seen.

Definitely a movie plot.

Posted on March 12, 2009 at 6:36 AMView Comments

Perverse Security Incentives

An employee of Whole Foods in Ann Arbor, Michigan, was fired in 2007 for apprehending a shoplifter. More specifically, he was fired for touching a customer, even though that customer had a backpack filled with stolen groceries and was running away with them.

I regularly see security decisions that, like the Whole Foods incident, seem to make absolutely no sense. However, in every case, the decisions actually make perfect sense once you understand the underlying incentives driving the decision. All security decisions are trade-offs, but the motivations behind them are not always obvious: They’re often subjective, and driven by external incentives. And often security trade-offs are made for nonsecurity reasons.

Almost certainly, Whole Foods has a no-touching-the-customer policy because its attorneys recommended it. “No touching” is a security measure as well, but it’s security against customer lawsuits. The cost of these lawsuits would be much, much greater than the $346 worth of groceries stolen in this instance. Even applied to suspected shoplifters, the policy makes sense: The cost of a lawsuit resulting from tackling an innocent shopper by mistake would be far greater than the cost of letting actual shoplifters get away. As perverse it may seem, the result is completely reasonable given the corporate incentives—Whole Foods wrote a corporate policy that benefited itself.

At least, it works as long as the police and other factors keep society’s shoplifter population down to a reasonable level.

Incentives explain much that is perplexing about security trade-offs. Why does King County, Washington, require one form of ID to get a concealed-carry permit, but two forms of ID to pay for the permit by check? Making a mistake on a gun permit is an abstract problem, but a bad check actually costs some department money.

In the decades before 9/11, why did the airlines fight every security measure except the photo-ID check? Increased security annoys their customers, but the photo-ID check solved a security problem of a different kind: the resale of nonrefundable tickets. So the airlines were on board for that one.

And why does the TSA confiscate liquids at airport security, on the off chance that a terrorist will try to make a liquid explosive instead of using the more common solid ones? Because the officials in charge of the decision used CYA security measures to prevent specific, known tactics rather than broad, general ones.

The same misplaced incentives explain the ongoing problem of innocent prisoners spending years in places like Guantanamo and Abu Ghraib. The solution might seem obvious: Release the innocent ones, keep the guilty ones, and figure out whether the ones we aren’t sure about are innocent or guilty. But the incentives are more perverse than that. Who is going to sign the order releasing one of those prisoners? Which military officer is going to accept the risk, no matter how small, of being wrong?

I read almost five years ago that prisoners were being held by the United States far longer than they should, because ”no one wanted to be responsible for releasing the next Osama bin Laden.” That incentive to do nothing hasn’t changed. It might have even gotten stronger, as these innocents languish in prison.

In all these cases, the best way to change the trade-off is to change the incentives. Look at why the Whole Foods case works. Store employees don’t have to apprehend shoplifters, because society created a special organization specifically authorized to lay hands on people the grocery store points to as shoplifters: the police. If we want more rationality out of the TSA, there needs to be someone with a broader perspective willing to deal with general threats rather than specific targets or tactics.

For prisoners, society has created a special organization specifically entrusted with the role of judging the evidence against them and releasing them if appropriate: the judiciary. It’s only because the George W. Bush administration decided to remove the Guantanamo prisoners from the legal system that we are now stuck with these perverse incentives. Our country would be smart to move as many of these people through the court system as we can.

This essay originally appeared on Wired.com.

Posted on March 2, 2009 at 7:10 AMView Comments

1 11 12 13 14 15 22

Sidebar photo of Bruce Schneier by Joe MacInnis.