Schneier on Security: Tagged theft

Entries Tagged "theft"

Page 20 of 21

Stride-Based Security

Can a cell phone detect if it is stolen by measuring the gait of the person carrying it?

Researchers at the VTT Technical Research Centre of Finland have developed a prototype of a cell phone that uses motion sensors to record a user’s walking pattern of movement, or gait. The device then periodically checks to see that it is still in the possession of its legitimate owner, by measuring the current stride and comparing it against that stored in its memory.

Clever, as long as you realize that there are going to be a lot of false alarms. This seems okay:

If the phone suspects it has fallen into the wrong hands, it will prompt the user for a password if they attempt to make calls or access its memory.

Posted on November 16, 2005 at 6:26 AM • View Comments

Automobile Identity Theft

This scam was uncovered in Israel:

Thief rents a car.
An identical car, legitimately owned, is found and its “identity” stolen.
The stolen identity is applied to the rented car and is then offered for sale in a newspaper ad.
Innocent buyer purchases the car from the thief as a regular private party sale.
After a few days the thief steals the car back from the buyer and returns it to the rental shop.

What ended up happening is that the “new” owners claimed compensation for the theft and most of the damage was absorbed by the insurers.

Clever.

Posted on September 21, 2005 at 7:45 AM • View Comments

Locking Gas Caps

People in this country freak out at the slightest little thing.

Posted on September 20, 2005 at 1:25 PM • View Comments

Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.

This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them.

Unfortunately, this isn’t a thief who got lucky. It happened twice, and it’s possible that the keys were the target:

The keys, each of which could start every train, were taken in separate robberies within hours of each other from the North Shore Line although police believed the thefts were unrelated, a RailCorp spokeswoman said.

The first incident occurred at Gordon station when the driver of an empty train was robbed of the keys by two balaclava-clad men shortly after midnight on Sunday morning.

The second theft took place at Waverton Station on Sunday night when a driver was robbed of a bag, which contained the keys, she said.

So, what can someone do with the master key to the Sydney subway? It’s more likely a criminal than a terrorist, but even so it’s definitely a serious issue:

A spokesman for RailCorp told the paper it was taking the matter “very seriously,” but would not change the locks on its trains.

Instead, as of Sunday night, it had increased security around its sidings, with more patrols by private security guards and transit officers.

The spokesman said a “range of security measures” meant a train could not be stolen, even with the keys.

I don’t know if RailCorp should change the locks. I don’t know the risk: whether that “range of security measures” only protects against train theft—an unlikely scenario, if you ask me—or other potential scenarios as well. And I don’t know how expensive it would be to change the locks.

Another problem with global secrets is that it’s expensive to recover from a security failure.

And this certainly isn’t the first time a master key fell into the wrong hands:

Mr Graham said there was no point changing any of the metropolitan railway key locks.

“We could change locks once a week but I don’t think it reduces in any way the security threat as such because there are 2000 of these particular keys on issue to operational staff across the network and that is always going to be, I think, an issue.”

A final problem with global secrets is that it’s simply too easy to lose control of them.

Moral: Don’t rely on global secrets.

Posted on September 1, 2005 at 8:06 AM • View Comments

Bluetooth As a Laptop Sensor

Thieves are using Bluetooth phones to find Bluetooth-enabled laptops in parked cars, which they then steal.

Nice example of unintended security consequences of a new technology. And more evidence that new features need to be turned off by default.

Posted on August 22, 2005 at 1:20 PM • View Comments

Stealing Imaginary Things

There’s a new Trojan that tries to steal World of Warcraft passwords.

That reminded me about this article, about people paying programmers to find exploits to make virtual money in multiplayer online games, and then selling the proceeds for real money.

And here’s a page about ways people steal fake money in the online game Neopets, including cookie grabbers, fake login pages, fake contests, social engineering, and pyramid schemes.

I regularly say that every form of theft and fraud in the real world will eventually be duplicated in cyberspace. Perhaps every method of stealing real money will eventually be used to steal imaginary money, too.

Posted on August 10, 2005 at 7:36 AM • View Comments

Evaluating the Effectiveness of Security Countermeasures

Amidst all the emotional rhetoric about security, it’s nice to see something well-reasoned. This New York Times op-ed by Nicholas Kristof looks at security as a trade-off, and makes a distinction between security countermeasures that reduce the threat and those that simply shift it.

The op ed starts with countermeasures against car theft.

Sold for $695, the LoJack is a radio transmitter that is hidden on a vehicle and then activated if the car is stolen. The transmitter then silently summons the police – and it is ruining the economics of auto theft….

The thief’s challenge is that it’s impossible to determine which vehicle has a LoJack (there’s no decal). So stealing any car becomes significantly more risky, and one academic study found that the introduction of LoJack in Boston reduced car theft there by 50 percent.

Two Yale professors, Barry Nalebuff and Ian Ayres, note that this means that the LoJack benefits everyone, not only those who install the system. Professor Ayres and another scholar, Steven Levitt, found that every $1 invested in LoJack saves other car owners $10.

Professors Nalebuff and Ayres note that other antitheft devices, such as the Club, a polelike device that locks the steering wheel, help protect that car, but only at the expense of the next vehicle.

“The Club doesn’t reduce crime,” Mr. Nalebuff says. “It just shifts it to the next person.”

This model could be applied to home burglar alarms:

Conventional home alarms are accompanied by warning signs and don’t reduce crime but simply shift the risk to the next house. What if we encouraged hidden silent alarms to change the economics of burglary?

Granted, most people don’t want hidden alarms that entice a burglar to stay until the police show up. But suppose communities adjusted the fees they charge for alarm systems – say, $2,000 a year for an audible alarm, but no charge for a hidden LoJack-style silent alarm.

Then many people would choose the silent alarms, more burglars would get caught, and many of the criminally inclined would choose a new line of work….

I wrote about this in Beyond Fear:

A burglar who sees evidence of an alarm system is more likely to go rob the house next door. As far as the local police station is concerned, this doesn’t mitigate the risk at all. But for the homeowner, it mitigates the risk just fine.

The difference is the perspective of the defender.

Problems with perspectives show up in counterterrorism defenses all the time. Also from Beyond Fear:

It’s important not to lose sight of the forest for the trees. Countermeasures often focus on preventing particular terrorist acts against specific targets, but the scope of the assets that need to be protected encompasses all potential targets, and they all must be considered together. A terrorist’s real target is morale, and he really doesn’t care about one physical target versus another. We want to prevent terrorist acts everywhere, so countermeasures that simply move the threat around are of limited value. If, for example, we spend a lot of money defending our shopping malls, and bombings subsequently occur in crowded sports stadiums or movie theaters, we haven’t really received any value from our countermeasures.

I like seeing thinking like this in the media, and wish there were more of it.

Posted on July 1, 2005 at 12:19 PM • View Comments

Organized Retail Theft

There are two distinct shoplifting threats: petty shoplifting and Organized Retail Theft.

Organized retail theft (ORT) is a growing problem throughout the United States, affecting a wide-range of retail establishments, including supermarkets, chain drug stores, independent pharmacies, mass merchandisers, convenience stores, and discount operations. It has become the most pressing security problem confronting retailers. ORT losses are estimated to run as high as $15 billion annually in the supermarket industry alone and $34 billion across all retail. ORT crime is separate and distinct from petty shoplifting in that it involves professional theft rings that move quickly from community to community and across state lines to steal large amounts of merchandise that is then repackaged and sold back into the marketplace. Petty shoplifting, as defined, is limited to items stolen for personal use or consumption.

Their list of 50 most shoplifted items consists of small, expensive things with long shelf life: over-the-counter drugs, mostly.

#1 Advil tablet 50 ct

#2 Advil tablet 100 ct

#3 Aleve caplet 100 ct

#4 EPT Pregnancy Test single

#5 Gillette Sensor 10 ct

#6 Kodak 200 24 exp

#7 Similac w/iron powder – case

#8 Similac w/iron powder – single can

#9 Preparation H 12 ct

#10 Primatene tablet 24 ct

Found on BoingBoing.

Posted on June 22, 2005 at 1:06 PM • View Comments

DNA Identification

Here’s an interesting application of DNA identification. Instead of searching for your DNA at the crime scene, they search for the crime-scene DNA on you.

The system, called Sentry, works by fitting a box containing a powder spray above a doorway which, once primed, goes into alert mode if the door is opened.

It then sprays the powder when there is movement in the doorway again.

The aim is to catch a burglar in the act as stolen items are being removed.

The intruder is covered in the bright red powder, which glows under ultraviolet (UV) light and can only be removed with heavy scrubbing.

However, the harmless synthetic DNA contained in the powder sinks into the skin and takes several days, depending on the person’s metabolism, to work its way out.

Posted on June 22, 2005 at 8:39 AM • View Comments

←Previous 1 … 18 19 20 21 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.