Stealing packages from unattended porches is a rapidly rising crime, as more of us order more things by mail. One person hid a glitter bomb and a video recorder in a package, posting the results when thieves opened the box. At least, that’s what might have happened. At least some of the video was faked, which puts the whole thing into question.
That’s okay, though. Santa is faked, too. Happy whatever you’re celebrating.
Posted on December 25, 2018 at 6:13 AM
Kaspersky is reporting on a series of bank hacks—called DarkVishnya—perpetrated through malicious hardware being surreptitiously installed into the target network:
In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.
Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.
The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:
- netbook or inexpensive laptop
- Raspberry Pi computer
- Bash Bunny, a special tool for carrying out USB attacks
Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.
Posted on December 7, 2018 at 10:50 AM
Modern cars have alarm systems that automatically connect to a remote call center. This makes cars harder to steal, since tripping the alarm causes a quick response. This article describes a theft attempt that tried to neutralize that security system. In the first attack, the thieves just disabled the alarm system and then left. If the owner had not immediately repaired the car, the thieves would have returned the next night and—no longer working under time pressure—stolen the car.
Posted on August 21, 2018 at 5:58 AM
This is weird:
Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart the hackers.
The theft, reported by Fox 2 Detroit, took place at around 1pm local time on June 23 at a Marathon gas station located about 15 minutes from downtown Detroit. At least 10 cars are believed to have benefitted from the free-flowing gas pump, which still has police befuddled.
Here’s what is known about the supposed hack: Per Fox 2 Detroit, the thieves used some sort of remote device that allowed them to hijack the pump and take control away from the gas station employee. Police confirmed to the local publication that the device prevented the clerk from using the gas station’s system to shut off the individual pump.
Hard to know what’s true, but it seems like a good example of a hack against a cyber-physical system.
Posted on July 13, 2018 at 6:18 AM
Ross Anderson has a really interesting paper on tracing stolen bitcoin. From a blog post:
Previous attempts to track tainted coins had used either the “poison” or the “haircut” method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then under poison, the output is ten stolen bitcoin, while under haircut it’s ten bitcoin that are marked 30% stolen. After thousands of blocks, poison tainting will blacklist millions of addresses, while with haircut the taint gets diffused, so neither is very effective at tracking stolen property. Bitcoin due-diligence services supplant haircut taint tracking with AI/ML, but the results are still not satisfactory.
We discovered that, back in 1816, the High Court had to tackle this problem in Clayton’s case, which involved the assets and liabilities of a bank that had gone bust. The court ruled that money must be tracked through accounts on the basis of first-in, first-out (FIFO); the first penny into an account goes to satisfy the first withdrawal, and so on.
Ilia Shumailov has written software that applies FIFO tainting to the blockchain and the results are impressive, with a massive improvement in precision. What’s more, FIFO taint tracking is lossless, unlike haircut; so in addition to tracking a stolen coin forward to find where it’s gone, you can start with any UTXO and trace it backwards to see its entire ancestry. It’s not just good law; it’s good computer science too.
Posted on March 28, 2018 at 6:30 AM
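The three tainting rules from the bitcoin-tracing post above, worked through on its own example (three stolen coins paid in, then seven clean ones). This is an added illustration, not Ilia Shumailov's software or code from the paper; it assumes a simplified single-address model with whole-coin amounts, and it goes beyond the post's single ten-coin output by splitting the balance across three constructed withdrawals so the rules visibly diverge.

```python
from collections import deque
from fractions import Fraction

# Constructed sample matching the post: 3 stolen coins paid in, then 7 clean ones.
DEPOSITS = [(3, True), (7, False)]   # (amount, stolen?) in arrival order
WITHDRAWALS = [2, 4, 4]              # constructed spend amounts, in order

def poison(deposits, withdrawals):
    """Any stolen input marks every output as wholly stolen."""
    dirty = any(stolen for _, stolen in deposits)
    return [amt if dirty else 0 for amt in withdrawals]

def haircut(deposits, withdrawals):
    """Every output carries the pooled balance's stolen fraction."""
    total = sum(amt for amt, _ in deposits)
    ratio = Fraction(sum(amt for amt, stolen in deposits if stolen), total)
    return [amt * ratio for amt in withdrawals]

def fifo_segments(deposits, withdrawals):
    """Clayton's rule: the first coin in satisfies the first withdrawal.

    Returns, per withdrawal, the (deposit_index, amount) slices that fund it,
    so each output can be traced back to the exact inputs it came from.
    """
    queue = deque([i, amt] for i, (amt, _) in enumerate(deposits))
    result = []
    for want in withdrawals:
        slices = []
        while want > 0:
            if not queue:
                raise ValueError("withdrawal exceeds balance")
            head = queue[0]
            take = min(want, head[1])
            slices.append((head[0], take))
            head[1] -= take
            want -= take
            if head[1] == 0:
                queue.popleft()
        result.append(slices)
    return result

def fifo(deposits, withdrawals):
    """Stolen amount carried by each output under FIFO."""
    return [sum(amt for i, amt in slices if deposits[i][1])
            for slices in fifo_segments(deposits, withdrawals)]

if __name__ == "__main__":
    print("poison :", poison(DEPOSITS, WITHDRAWALS))
    print("haircut:", haircut(DEPOSITS, WITHDRAWALS))
    print("fifo   :", fifo(DEPOSITS, WITHDRAWALS))
```

Poison flags all ten coins, haircut smears 30% across every output, and FIFO keeps exactly three stolen coins in identifiable outputs; the slices returned by `fifo_segments` are what make the backward trace possible.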
Brian Krebs is reporting sophisticated jackpotting attacks against US ATMs. The attacker gains physical access to the ATM, plants malware using specialized electronics, and then later returns and forces the machine to dispense all the cash it has inside.
The Secret Service alert explains that the attackers typically use an endoscope—a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body—to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.
“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.
At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.
“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.
Lots of details in the article.
Posted on February 1, 2018 at 6:23 AM
This is an interesting tactic, and there’s a video of it being used:
The theft took just one minute and the Mercedes car, stolen from the Elmdon area of Solihull on 24 September, has not been recovered.
In the footage, one of the men can be seen waving a box in front of the victim’s house.
The device receives a signal from the key inside and transmits it to the second box next to the car.
The car’s systems are then tricked into thinking the key is present and it unlocks, before the ignition can be started.
Posted on November 28, 2017 at 6:03 AM
The press is reporting a $32M theft of the cryptocurrency Ethereum. Like all such thefts, it’s not the result of a cryptographic failure in the currency, but of a vulnerability in the software surrounding the currency—in this case, digital wallets.
This is the second Ethereum hack this week. The first tricked people into sending their Ethereum to another address.
This is my concern about digital cash. The cryptography can be bulletproof, but the computer security will always be an issue.
Posted on July 20, 2017 at 9:12 AM
The website key.me will make a duplicate key from a digital photo.
If a friend or coworker leaves their keys unattended for a few seconds, you know what to do.
EDITED TO ADD (7/20): Another article.
Posted on July 6, 2017 at 6:27 AM