security

‘Thomas Crown Affair! Thomas Crown Affair!’

From Improv Everywhere’s “Missions: Best Buy” (23 April 2006):

Agent Slavinsky wrote in to suggest I get either a large group of people in blue polo shirts and khakis to enter a Best Buy or a group in red polo shirts and khakis to enter a Target. Wearing clothing almost identical to the store’s uniform, the agents would not claim to work at the store but would be friendly and helpful if anyone had a question. There aren’t any Targets in Manhattan, so I decided to go with the two-story Best Buy on 23rd Street. …

We met at Union Square North at 3:30 PM. Around 80 agents showed up, most of them looking like wonderful Best Buy employees. …

The reaction from the employees was pretty typical as far as our missions go. The lower level employees laughed and got a kick out of it while the managers and security guards freaked out. …

Security guards and managers started talking to each other frantically on their walkie-talkies and headsets. “Thomas Crown Affair! Thomas Crown Affair!,” one employee shouted. They were worried that we were using our fake uniforms to stage some type of elaborate heist. “I want every available employee out on the floor RIGHT NOW!”

Checking papers does no good if the papers are forged

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 April 2006):

Undercover investigators were able to smuggle radioactive materials into the U.S. It set off alarms at border checkpoints, but the smugglers had forged import licenses from the Nuclear Regulatory Commission, based on an image of the real document they found on the Internet. Unfortunately, the border agents had no way to confirm the validity of import licenses. I’ve written about this problem before, and it’s one I think will get worse in the future. Verification systems are often the weakest link of authentication. Improving authentication tokens won’t improve security unless the verification systems improve as well.
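The excerpt's point is that a better token changes nothing if the checkpoint can only look at the paper. The following added example (not from Schneier or Crypto-Gram) contrasts a format-only check, which accepts a document assembled from an image of a real license, with a check that goes back to the issuer: a keyed tag over the fields, a lookup in the issuer's own record of what it issued, and a binding of the license to whoever presents it. The license fields, the `LIC-` number format, the company names and the HMAC key are all constructed for the example; a real agency would use an asymmetric signature and an online registry rather than a shared secret.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, Optional

# Constructed issuer key: stands in for the issuing agency's signing key.
ISSUER_KEY = b"constructed-issuer-signing-key"

# The issuer's own record of what it has actually issued: license number -> fields.
ISSUED: Dict[str, Dict[str, str]] = {}


def canonical(fields: Dict[str, str]) -> bytes:
    """Stable encoding of the license fields so issuer and verifier tag the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_license(fields: Dict[str, str]) -> Dict[str, str]:
    """Issuer side: record the license and attach an authentication tag to the document."""
    ISSUED[fields["license_no"]] = dict(fields)
    tag = hmac.new(ISSUER_KEY, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


def check_format(doc: Dict[str, str]) -> bool:
    """Checkpoint with no channel to the issuer: does this look like a license?"""
    required = {"license_no", "licensee", "material", "expires", "tag"}
    if not required.issubset(doc):
        return False
    return re.fullmatch(r"LIC-\d{6}", doc["license_no"]) is not None


def verify_with_issuer(doc: Dict[str, str], presented_by: str) -> Optional[str]:
    """Checkpoint with a verification channel. Returns None if valid, else the reason."""
    if not check_format(doc):
        return "malformed"
    fields = {k: v for k, v in doc.items() if k != "tag"}
    expected = hmac.new(ISSUER_KEY, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return "tag mismatch"            # fields were altered after issue
    record = ISSUED.get(doc["license_no"])
    if record is None or record != fields:
        return "not on issuer registry"  # tag forged outright, or license withdrawn
    if record["licensee"] != presented_by:
        return "presented by someone other than the licensee"  # exact copy, wrong bearer
    return None


# Constructed scenario: one genuine license and two documents derived from an image of it.
genuine = issue_license({
    "license_no": "LIC-204117",
    "licensee": "Acme Isotopes Inc",
    "material": "Cs-137 sealed source",
    "expires": "2007-12-31",
})
altered = {**genuine, "licensee": "Constructed Shell Co"}  # copied, then edited
copied = dict(genuine)                                      # copied byte for byte


def demo() -> Dict[str, object]:
    """Show what each kind of checkpoint concludes about each document."""
    return {
        "format_only_accepts_altered": check_format(altered),
        "issuer_rejects_altered": verify_with_issuer(altered, "Constructed Shell Co"),
        "issuer_rejects_copy": verify_with_issuer(copied, "Constructed Shell Co"),
        "issuer_accepts_genuine": verify_with_issuer(genuine, "Acme Isotopes Inc"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The format check is the only one of the two that a border agent with no link to the issuer can perform, and it accepts both forgeries; the issuer-backed check rejects the edited copy on the tag and the exact copy on the bearer binding. Nothing about the document itself changed between the two checks, only the verifier.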

Spy on no-good boss and lose your job

From Melissa Meagher’s “State Worker Spies on Boss, Loses His Job“:

For 22 years, [Vernon] Blake was a System Administrator for the Alabama Department of Transportation. It was a job he loved, with the exception of his supervisor. …

The running joke around the office? The boss blew off meetings and projects to play games on his computer. Cartoons secretly circled The Right of Way Bureau, jabbing at George Dobbs’ Solitaire habit. Dobbs is a 24-year veteran with the DOT and rakes in $67,000 a year. …

Without proof, Blake felt his accusations would get him nowhere. That’s when he turned to Win-Spy, a free version of spyware, to tap his boss’s computer.

“My motive was to document well known behavior that already existed.”

For seven months, at random times of the day, the software captured pictures of Dobbs’ computer screen. …

Here’s what he found. Blake says less than 10% of his boss’s computer time, documented by Win-Spy, was spent working. Twenty percent was spent checking the stock market. And 70% of what the spyware recorded was the game of Solitaire. …

But DOT didn’t see it that way. When Blake showed them what he found, he was fired. His supervisor got a letter of reprimand, stating “It was brought to the Department’s attention you spent a significant amount of time playing video games… but your work ethic and production are above reproach.” …

It’s worth noting after Blake lost his job, DOT had all computer games, including Solitaire, removed from its system.

PATRIOT Act greatly expands what a ‘financial institution’ is

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 January 2004):

Last month Bush snuck into law one of the provisions of the failed PATRIOT ACT 2. The FBI can now obtain records from financial institutions without requiring permission from a judge. The institution can’t tell the target person that his records were taken by the FBI. And the term “financial institution” has been expanded to include insurance companies, travel agencies, real estate agents, stockbrokers, the U.S. Postal Service, jewelry stores, casinos, and car dealerships.

Camouflaged weapons

From Noah Shachtman’s “Chameleon Weapons Defy Detection” (Defense Tech: 27 March 2006):

Last week I talked to Anthony Taylor, managing partner of an outfit which makes weapons which can be hidden in plain sight. You can be looking right at one without realizing what it is.

One type is the exact size and shape of a credit card, except that two of the edges are lethally sharp. It’s made of G10 laminate, an ultra-hard material normally employed for circuit boards. You need a diamond file to get an edge on it.

Taylor suggests that the card could easily be camouflaged as an ID card or one of the many other bits of plastic that clutter up the average wallet. Each weapon is individually handmade so they can be tailored to the user’s requirements.

Another configuration is a stabbing weapon which is indistinguishable from a pen. This one is made from melamine fiber, and can sit snugly inside a Bic casing. You would only find out it was not the real thing if you tried to write with it. It’s sharpened with a blade edge at the tip which Defense Review describes as “scary sharp.” …

According to one gun magazine, the CIA has had a ceramic handgun firing caseless non-metallic ammo for years.

A new fraud: faking an entire company

From David Lague’s “Next step in pirating: Faking a company” (International Herald Tribune: 28 April 2006):

At first it seemed to be nothing more than a routine, if damaging, case of counterfeiting in a country where faking it has become an industry.

Reports filtering back to the Tokyo headquarters of the Japanese electronics giant NEC in mid-2004 alerted managers that pirated keyboards and recordable CD and DVD discs bearing the company’s brand were on sale in retail outlets in Beijing and Hong Kong.

Like hundreds, if not thousands, of manufacturers now locked in a war of attrition with intellectual property thieves in China, the company hired an investigator to track down the pirates.

After two years and thousands of hours of investigation in conjunction with law enforcement agencies in China, Taiwan and Japan, the company said it had uncovered something far more ambitious than clandestine workshops turning out inferior copies of NEC products. The pirates were faking the entire company.

Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan.

In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds.

The Japanese company even received complaints about products – which were of generally good quality – that they did not make or provide with warranties.

NEC said it was unable to estimate the total value of the pirated goods from these factories, but the company believed the organizers had “profited substantially” from the operation.

“These entities are part of a sophisticated ring, coordinated by two key entities based in Taiwan and Japan, which has attempted to completely assume the NEC brand,” said Fujio Okada, the NEC senior vice president and legal division general manager, in written answers to questions.

Some surprising data isn’t encrypted in ATM transfers

From “Triple DES Upgrades May Introduce New ATM Vulnerabilities” (Payment News: 13 April 2006):

In a press release today, Redspin, an independent auditing firm based in Carpinteria, CA, suggests that the recent mandated upgrades of ATMs to support triple DES encryption of PINs has introduced new vulnerabilities into the ATM network environment – because of other changes that were typically made concurrently with the triple DES upgrades.

<begin press release>Redspin, Inc. has released a white paper detailing the problem. Essentially, unencrypted ATM transaction data is floating around bank networks, and bank managers are completely unaware of it. The only data from an ATM transaction that is encrypted is the PIN number.

“We were in the middle of an audit, looking at network traffic, when there it was, plain as day. We were surprised. The bank manager was surprised. Pretty much everyone we talk to is surprised. The card number, the expiration date, the account balances and withdrawal amounts, they all go across the networks in cleartext, which is exactly what it sounds like — text that anyone can read,” explained Abraham.

Ironically, the problem came about because of a mandated security improvement in ATMs. The original standard for ATM data encryption (DES) was becoming too easy to crack, so the standard was upgraded to Triple DES. Like any home improvement project, many ATM upgrades have snowballed to include a variety of other enhancements, including the use of transmission control protocol/Internet protocol (TCP/IP) — moving ATMs off their own dedicated lines, and on to the banks’ networks. …

A hacker tapping into a bank’s network would have complete access to every single ATM transaction going through the bank’s ATMs.<end press release>
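What Redspin describes finding "plain as day" is something an auditor can check for systematically: scan captured payloads for digit runs that pass the Luhn check and for nearby expiry fields. The following added example (not from Redspin's white paper or the Payment News article) does that over a handful of constructed packets. The `PAN=...;EXP=...` record layout is invented for the example, as are the addresses; the two card numbers are well-known public test numbers, and the report masks them so the audit output does not itself become cleartext card data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample traffic: (source, destination, payload). The record layout
# is invented for this example; real ATM host protocols differ, but the detection
# only relies on digit runs and the Luhn check. 4111111111111111 and
# 5500000000000004 are well-known public test card numbers, not real accounts.
SAMPLE_PACKETS: List[Tuple[str, str, bytes]] = [
    ("10.1.5.21", "10.1.0.8",
     b"TXN=WDL;PAN=4111111111111111;EXP=0908;AMT=20000;BAL=153022;PINBLK=8A3F91C0"),
    ("10.1.5.22", "10.1.0.8",
     b"TXN=BAL;PAN=5500000000000004;EXP=1107;BAL=42011;PINBLK=C0DE77A1"),
    # Ordinary HTTP carrying a 16-digit request id that is not a card number.
    ("10.1.9.3", "10.1.0.50",
     b"GET /status HTTP/1.1\r\nHost: atm-monitor\r\nX-Req-Id: 1234567890123456\r\n\r\n"),
    # Start of a TLS ClientHello: binary, nothing readable in cleartext.
    ("10.1.5.23", "10.1.0.8",
     b"\x16\x03\x01\x00\x8e\x01\x00\x00\x8a\x03\x01"),
]

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")   # card numbers are 13 to 19 digits
EXPIRY_RE = re.compile(rb"EXP=\d{4}")            # matches the constructed layout only


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for every real card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_packets(packets: List[Tuple[str, str, bytes]]) -> List[Dict[str, object]]:
    """Return one finding per packet that carries at least one Luhn-valid PAN in cleartext."""
    findings: List[Dict[str, object]] = []
    for src, dst, payload in packets:
        pans = [m.decode() for m in PAN_RE.findall(payload) if luhn_ok(m.decode())]
        if pans:
            findings.append({
                "src": src,
                "dst": dst,
                "pans": [mask_pan(p) for p in pans],
                "has_expiry": EXPIRY_RE.search(payload) is not None,
            })
    return findings


if __name__ == "__main__":
    for f in scan_packets(SAMPLE_PACKETS):
        print(f"{f['src']} -> {f['dst']}: cleartext PAN(s) {f['pans']}, "
              f"expiry present: {f['has_expiry']}")
```

The Luhn filter is what keeps the HTTP request id out of the report: it has the right length but fails the check digit. Against a real capture the same logic would run over reassembled TCP payloads rather than a list of byte strings, and the TLS packet shows the negative case that a properly encrypted link produces.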

Another answer to “I have nothing to hide”

From John Twelve Hawks’s “How We Live Now” (2005):

“And so what if they know all about me?” asks the honest citizen. “I’m a good person. I’ve got nothing to hide.” This view assumes that the intimate personal information easily found in our computerized system is accurate, secure, and will only be used for your benefit. What if criminals access your information? What if corporations deny you insurance or employment because the wrong data has ended up in your file? What if you simply want to take control over who knows what about you?

Government-created viruses for surveillance

From John Twelve Hawks’s “How We Live Now” (2005):

The Traveler describes for the first time in any book the secret computational immunology programs being developed in Britain. These programs behave like the leucocytes floating through our bloodstream. The programs wander through the Internet, searching, evaluating, and hiding in a person’s home PC, until they detect a “dangerous” statement or unusual information. After gathering our personal information, they return to the central computer. There is no reason why they can’t easily be programmed to destroy a target computer … such as the one on which you’re reading this essay.

What RFID passports really mean

From John Twelve Hawks’s “How We Live Now” (2005):

The passports contain a radio frequency identification chip (RFID) so that all our personal information can be instantly read by a machine at the airport. However, the State Department has refused to encrypt the information embedded in the chip, because it requires more complicated technology that is difficult to coordinate with other countries. This means that our personal information could be read by a machine called a “skimmer” that can be placed in a doorway or a bus stop, perhaps as far as 30 feet away.

The U.S. government isn’t concerned by this, but the contents of Paris Hilton’s cell phone, which uses the same kind of RFID chip, were skimmed and made public last year. It may not seem like a problem when a semi-celebrity’s phone numbers and emails are stolen, but it is quite possible that an American tourist walking down a street in a foreign country will be “skimmed” by a machine that reads the passport in his or her pocket. A terrorist group will be able to decide if the name on the passport indicates a possible target before the tourist reaches the end of the street.

The new RFID passports are a clear indication that protection is not as important to the authorities as the need to acquire easily accessible personal information.

Surveillance cameras that notice aberrations

From John Twelve Hawks’s “How We Live Now” (2005):

And everywhere we go, there are surveillance cameras – thousands of them – to photograph and record our image. Some of them are “smart” cameras, linked to computer programs that watch our movements in case we act differently from the rest of the crowd: if we walk too slowly, if we linger outside certain buildings, if we stop to laugh or enjoy the view, our body is highlighted by a red line on a video monitor and a security guard has to decide whether he should call the police.

Japanese nuclear secrets revealed on P2P network

From Mike’s “That’s Not A New Hit Song You Just Downloaded — It’s Japan’s Nuclear Secrets” (techdirt: 23 June 2005):

While IT managers may not see the importance of security software for themselves, you would think they would be a little more careful with things like interns and contractors. Not so, apparently. Over in Japan, a lot of people are not happy after discovering that a lot of classified technical data on nuclear power plants was leaked onto the internet by a contractor using a computer with a file sharing app that was apparently left open to sharing everything on the machine. First off, what kind of nuclear plant contractor is putting a file sharing app on his work laptop? Also, the article notes that the laptop was infested with viruses, but later seems to blame the file sharing app rather than the viruses — so it’s not entirely clear what the viruses have to do with this story. Update: Another article on this story notes that it was the virus that made the material available via the file sharing app. It also notes that the guy was using his personal computer — and somehow this was allowed. It also details the information leaked, including inspection data, photographs and names of inspectors, as well as where they stayed when they did the inspections. No matter what, you have to wonder why the guy was allowed to use his personal computer or to use any computer for this data that hadn’t been checked first for viruses or other vulnerabilities.

From Mike’s “Security Through Begging” (techdirt: 16 March 2006):

Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It’s only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems — so that the next time this happens, there won’t be anyone on the network to download such documents.

5 reasons people exaggerate risks

From Bruce Schneier’s “Movie Plot Threat Contest: Status Report” (Crypto-Gram Newsletter: 15 May 2006):

In my book, Beyond Fear, I discussed five different tendencies people have to exaggerate risks: to believe that something is more risky than it actually is.

1. People exaggerate spectacular but rare risks and downplay common risks.

2. People have trouble estimating risks for anything not exactly like their normal situation.

3. Personified risks are perceived to be greater than anonymous risks.

4. People underestimate risks they willingly take and overestimate risks in situations they can’t control.

5. People overestimate risks that are being talked about and remain an object of public scrutiny.

Why no terrorist attacks since 9/11?

From Bruce Schneier’s “Movie Plot Threat Contest: Status Report” (Crypto-Gram Newsletter: 15 May 2006):

… you have to wonder why there have been no terrorist attacks in the U.S. since 9/11. I don’t believe the “flypaper theory” that the terrorists are all in Iraq instead of in the U.S. And despite all the ineffectual security we’ve put in place since 9/11, I’m sure we have had some successes in intelligence and investigation — and have made it harder for terrorists to operate both in the U.S. and abroad.

But mostly, I think terrorist attacks are much harder than most of us think. It’s harder to find willing recruits than we think. It’s harder to coordinate plans. It’s harder to execute those plans. Terrorism is rare, and for all we’ve heard about 9/11 changing the world, it’s still rare.

Why disclosure laws are good

From Bruce Schneier’s “Identity-Theft Disclosure Laws” (Crypto-Gram Newsletter: 15 May 2006):

Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place.

Why airport security fails constantly

From Bruce Schneier’s “Airport Passenger Screening” (Crypto-Gram Newsletter: 15 April 2006):

It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. …

The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it’s going to slip past the screeners pretty easily. The explosive material won’t show up on the metal detector, and the associated electronics can look benign when disassembled. This isn’t even a new problem. It’s widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces. …

Airport screeners have a difficult job, primarily because the human brain isn’t naturally adapted to the task. We’re wired for visual pattern matching, and are great at picking out something we know to look for — for example, a lion in a sea of tall grass.

But we’re much less adept at detecting random exceptions in uniform data. Faced with an endless stream of identical objects, the brain quickly concludes that everything is identical and there’s no point in paying attention. By the time the exception comes around, the brain simply doesn’t notice it. This psychological phenomenon isn’t just a problem in airport screening: It’s been identified in inspections of all kinds, and is why casinos move their dealers around so often. The tasks are simply mind-numbing.

L.A. police using drones to spy on citizens

From Zachary Slobig’s “Police launch eye-in-the-sky technology above Los Angeles” (AFP: 17 June 2006):

Police launched the future of law enforcement into the smoggy Los Angeles sky in the form of a drone aircraft, bringing technology most commonly associated with combat zones to urban policing.

The unmanned aerial vehicle, which looks like a child’s remote control toy and weighs about five pounds (2.3 kilograms), is a prototype being tested by the Los Angeles County Sheriff’s Department. …

“This technology could be used to find missing children, search for lost hikers, or survey a fire zone,” said Commander Sid Heal, head of the Technology Exploration Project of the Los Angeles County Sheriff’s Department. “The ideal outcome for us is when this technology becomes instrumental in saving lives.”

The SkySeer would also be a helpful tool to nab burglary suspects on rooftops and to chase down suspects fleeing on foot. The drone comes equipped with low-light and infrared capabilities and can fly at speeds up to 30 miles (48 kilometers) per hour for 70 minutes. …

A small camera capable of tilt and pan operations is fixed to the underside of the drone which sends the video directly to a laptop command station. Once launched, the craft is set to fly autonomously with global positioning system (GPS) coordinates and a fixed flight pattern.

As technology improves, the drone will be outfitted with zoom capabilities. For now, the craft simply flies lower to hone in on its target. …

“The plane is virtually silent and invisible,” said Heal. “It will give us a vertical perspective that we have never had.”

The Los Angeles Sheriff’s Department operates a fleet of 18 helicopters, priced between three and five million dollars each. The SkySeer will cost between 25,000 and 30,000 dollars.

4 ways to eavesdrop on telephone calls

From Bruce Schneier’s “VOIP Encryption” (Crypto-Gram Newsletter: 15 April 2006):

There are basically four ways to eavesdrop on a telephone call.

One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it’s the easiest. While it doesn’t work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.

Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line’s path — even outside the home. This used to be the way the police eavesdropped on your phone line. These days it’s probably most often used by criminals. This method doesn’t work for cell phones, either.

Three, you can eavesdrop at the telephone switch. Modern phone equipment includes the ability for someone to listen in this way. Currently, this is the preferred police method. It works for both land lines and cell phones. You need the right access, but if you can get it, this is probably the most comfortable way to eavesdrop on a particular person.

Four, you can tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc. It’s hard to eavesdrop on one particular person this way, but it’s easy to listen in on a large chunk of telephone calls. This is the sort of big-budget surveillance that organizations like the National Security Agency do best. They’ve even been known to use submarines to tap undersea phone cables.

Employees willingly installed CDs handed to them by strangers

From Will Sturgeon’s “Proof: Employees don’t care about security” (silicon.com: 16 February 2006):

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp and recipients were told the disks contained a special Valentine’s Day promotion.

However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies — but that didn’t deter many individuals who showed little regard for the security of their PC and their company.

A new way to steal from ATMs: blow ’em up

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 March 2006):

In the Netherlands, criminals are stealing money from ATM machines by blowing them up. First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas — from a safe distance — and clean up the money that flies all over the place after the ATM explodes. Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.