PacSafe Security enhanced computer backpack

By Matt | January 30, 2010

My next backpack:

Schweet.

Topics: Uncategorized | No Comments »

Card Skimmers

By Matt | January 30, 2010

Photos from Mikko Hypponen, originally linked from Krebs on Security:

Note how close the arrows are to the slot; that’s because a skimmer has been inserted:

Battery pack, a pinhole camera to watch which PIN is typed in, and a cell phone that sends the data from the card swipe plus the PIN to the thieves by text message in real time:

Eastern Europeans pulled off an attack like this in the Boston area in December, 2009:

Two more arrested in alleged ATM scheme
Pair is accused of stealing PIN, credit card data

Two more suspects, including one who was in possession of nearly $100,000 when he was arrested, are facing charges in an alleged scheme to steal ATM card data from unwitting customers in Eastern Massachusetts, authorities said yesterday.
One of the two, Anton Venkov, 40, of Toronto, was arrested Thursday by the US Secret Service in Boston and charged with using counterfeit bank account access codes and aiding and abetting the plot. He has not yet entered a plea and has a detention hearing scheduled for Tuesday in federal court. Authorities say he had $99,100 in $20 bills in his car when he was arrested at Best Western Roundhouse Suites on Massachusetts Avenue.

Another alleged member of the plot, Vladislav Vladev, 36, of Quincy, was also arrested Thursday while sitting on a plane that was headed for Germany, at Logan International Airport, Norfolk County prosecutors said. He was arraigned in Quincy District Court yesterday on larceny and identity fraud charges relating to a theft from a Milton ATM on Granite Avenue. He pleaded not guilty and was ordered held on $1 million cash bail. He has a hearing scheduled for Monday.

State Police said Vladev is from Bulgaria.

Prosecutors say Venkov and Vladev teamed up with Ivaylo Hristov, 28, of Ontario, who was arrested Wednesday, and stole debit and credit card data and PIN numbers by placing scanner devices and hidden cameras in ATM machines at several locations. Authorities believe they have stolen at least $100,000 from customers at Citizens Bank and other institutions.

Hristov was also charged yesterday in the Milton ATM theft and ordered held on $500,000 cash bail. He was charged Thursday for an alleged similar scheme in Quincy and was ordered held on $1 million cash bail. He is due back in Quincy District Court on Monday.

The Secret Service learned in December that a Bank of America ATM in Saugus had been rigged with the scanner device, called a skimmer, and a pinhole camera, according to a court affidavit from a Secret Service agent. A surveillance photo showed Vladev attaching the skimmer, the affidavit said. Another photo allegedly showed Hristov removing the camera.

Authorities were informed on Jan. 22 of ATM tampering at Citizens Bank locations in Quincy, Milton, Braintree, and Somerville, the affidavit said. Surveillance photos showed the same men at the Citizens locations, according to the affidavit.

Three days later, photos showed the men rigging Bank of America ATM machines in Saugus, Milton, Weymouth, Cambridge, Dorchester, and Roslindale, the affidavit said.

Hristov was arrested on Wednesday near a Citizens ATM in Quincy, with local police acting on a tip from the bank’s security team. He had $1,380 in $20 bills at the time of his arrest, according to the affidavit, as well as Dunkin’ Donuts gift cards and American Express cards with post-it notes that had “PIN’’ and various numbers written on them.

Quincy police said Hristov told them that he received 10 percent from the thieves’ withdrawals and gave the rest to Vladislav to deposit into an account in Chicago. He also had a card for a storage unit in Weymouth that he said contained equipment used in the scam, police said. They are seeking a search warrant for the unit.

The Secret Service learned yesterday that Venkov had checked into the Best Western and rented a black Infiniti, the affidavit said. He was arrested soon afterward and allegedly told investigators that Vladev urged him to come to the United States to make some easy money. Hristov and Venkov told authorities that they were born in Bulgaria but had Canadian citizenship.

David Traub, a spokesman for Norfolk District Attorney William R. Keating, said authorities believe this group of suspects is responsible for most of the ATM thefts in Eastern Massachusetts. He declined to say whether investigators believed there were others working in other parts of the state or region.

Keating told reporters yesterday that bank customers should check their balances and contact their banks and local police if they notice any suspicious withdrawals.

Topics: General Security | No Comments »

Legal liability of compromised wifi

By Matt | December 15, 2009

This comes from a post on the NAISG mailing list:

Does anyone know if there is any civil or criminal precedent for unauthorized use behind a firewall? Specifically, I am at home and have a wireless network that gets compromised and someone does something “bad” from the IP address that is traced back to me. Is there anything saying I am or am not liable for those actions?

I had a series of three email replies that I think added to the conversation:

First:

> Is there anything saying I am or am not liable for those actions.
I’m not one to use “IANAL” too often, but the post screams that I make clear I am not a lawyer.

On the most generic level the U.S. does not have clear laws or legal precedent in this situation. So the correct answer is “yes, you could be liable.” There is no statutory law or case law that clearly says as a general rule you would be held liable; at the same time you are not protected by an explicit safe harbor provision.

The DMCA defines a “service provider” as “offering” digital access and grants them safe harbor in exchange for cooperating with certain requests.  In your scenario you said “compromised,” which to me says you weren’t offering and thus couldn’t be considered a service provider.  It doesn’t seem fair that Panera Bread is protected from illegal use of their offered free service, while a home wifi that has been compromised isn’t explicitly protected.

While oriented towards software, here’s an interesting paper proposing the creation of “The Tort of Negligent Enabling of Cybercrime.”  http://www.law.suffolk.edu/faculty/addinfo/rustad/rustad.koenig.final.pdf 

Issues like those two above are things the courts and legislatures will be grappling with over the next couple decades. 

While you may not be liable, having an open access point can open you up to unpleasantness.

In U.S. v. Javier Perez, the Fifth Circuit Court of Appeals upheld a search warrant that was issued against Mr. Perez despite the fact he had an open wireless access point and two roommates who had wired network connections. The account the IP was associated with was in his name so, “there was still a fair probability that Perez was the party responsible for the illegal transmissions.” http://cases.justia.com/us-court-of-appeals/F3/484/735/580310/ . I do not know if Perez applies to other circuits beyond the Fifth, but I think the reasoning is sound.

Maine saw a jump in IP addresses associated with child pornography from 15,000 in 2007 to 43,500 in 2008. Rather than a whole bunch of new perverts, it is likely a lot more war driving to find open access points. http://www.bangordailynews.com/detail/104152.html . It’s chilling to think of what the statistics for a bigger, more urbanized state would be like.

My guesstimate is that means several thousand, perhaps closing in on ten thousand, Maine residents and businesses could be at risk of having a search warrant served because of the activity of someone using their open wifi.  Fortunately for most folks the police have to prioritize their limited resources and don’t have the time to search each potential location they could develop probable cause on.

If you don’t want to deal with a search warrant because your neighbor was surfing kiddie porn on your wifi and you have a fine collection of marijuana plants growing in your living room, it would be good to enable WPA.  For a business that doesn’t need to provide easy guest access, a modest investment in WPA2 + Radius avoids the potential for a much greater expense dealing with an investigation of someone abusing your wifi.

Bruce Schneier also has a nice essay with quite a bit of discussion following it at: http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html

Second, the next morning:

>For example, someone stealing your station
>wagon to use as a getaway car, probably no liability on your part.
I suspect it’s more nuanced than that.

If your car is stolen from a locked garage, and the thief needs to break a car window and hot-wire it, you’re probably in a bit better position than if your car is stolen while running in your yard defrosting in the morning, and that’s better than if it is stolen because you left it unlocked, running, outside of a bar at 2am on a Saturday.

I don’t have time before leaving for work to try and find the citation, but there’s a case that’s somewhat illustrative to the original question:

– Painter is informed by the homeowner to lock the door when leaving.
– Painter does not.
– House is robbed.
– Thief is criminally responsible for the theft.
– Painter is held civilly responsible for his negligence in allowing the theft to occur by not locking the door.

If someone uses your wireless to access an uninvolved party, there may or may not be any liability (like my other post said, that’s still legally uncertain).

Now if I’m hired to audit a business, I have a wifi that I use to connect my audit team’s laptops together, one of those laptops is also connected to the client’s LAN so we can print documents, and someone uses that wifi via the LAN-connected laptop to bypass the client’s corporate perimeter defenses and access the network, I think there would be liability very similar to the painter’s in the case above.

Third, when I had a little more time to follow up:

The case of the painter in my earlier post was Stansbie v. Troman http://www.a-level-law.com/caselibrary/STANSBIE%20v%20TROMAN%20%5B1948%5D%202%20KB%2048%20-%20CA.doc , which is a case from the U.K. decided not on a contractual requirement, but by a common law decision that what the painter did in leaving the premises unprotected was unreasonable.
 
In googling for that, I found what I think will be helpful to Mike’s original request:
 
“In a similar case, the defendant put a scaffold in place next to the plaintiff’s apartment building. Armed robbers used the scaffold to gain entry to the plaintiff’s apartment and stole his goods. The New York Supreme Court denied the defendant’s petition for summary judgment. The defendant had encouraged free radicals by making a scarce and tempting opportunity available to them. In an analogous case, involving information security, the bookseller Barnes and Noble allegedly permitted cyber rogues to gain unauthorized access to confidential client information through security vulnerabilities in its web site. Barnes and Noble entered into a settlement agreement with the New York Attorney General in April 2004.”
 
http://www.law.northwestern.edu/journals/njtip/v4/n1/2/
 
I think either my earlier scenario of auditors bypassing a client security perimeter with wifi, or Joe Peter’s example of an open wifi connection exposing a PC which is running a VPN back to a client asset, could fit under this doctrine, in that we owe someone we have a relationship a duty to “not leave the front door unlocked.”

The Barnes & Noble case’s press release from the New York AG reads,

The agreement follows an investigation into the company’s privacy and information security practices, in which the Attorney General found that a design vulnerability in Barnes & Noble.com’s web site permitted unauthorized access to consumers’ accounts and personal information and enabled users to make purchases on the site from consumers’ accounts.

The vulnerability arose from Barnes & Noble.com’s use of “cookie-less” shopping, whereby, in order to avoid the use of “cookies” – textual identifiers or markers placed on users’ hard drives – Barnes & Noble.com stored certain user information in the web page URL. In certain situations (such as a consumer forwarding or posting a web page link), the consumer information in the URL was inadvertently posted or forwarded to third parties.

“Consumers are concerned about how their personal information is secured and protected by online merchants,” Spitzer said. “Our effort here should help assure that the terms of Barnes and Noble’s internet privacy policy are met.”

Under the terms of the agreement, Barnes & Noble.com will establish an information security program to protect personal information; establish management oversight and employee training programs; hire an external auditor to monitor compliance with the security program; and pay $60,000 in costs and penalties. Spitzer commended Barnes & Noble.com for its cooperation with the investigation and its implementation of appropriate security safeguards.

Topics: Uncategorized | No Comments »

Random Links…

By Matt | December 10, 2009

That I need to integrate into the sidebars…

http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf

http://www.ossec.net/main/getting-started-with-ossec/

GNS3 on Ubuntu :)   (sudo apt-get install gns3)

Topics: Uncategorized | No Comments »

Disk Recovery Software

By Matt | December 7, 2009

http://www.grc.com/sr/spinrite.htm

Topics: Uncategorized | No Comments »

My first production C program…

By Matt | October 30, 2009

Took the class like six years ago but, as best I can remember, never had a need to actually put any code in production.

Shell was taking, at best I could optimize it, 13 hours to create the files I needed; with C I can do it in about 5 minutes. Wow. It’s a really simple program designed to make many (millions, if necessary) entries in a file that http_load then uses to randomly pick URLs from.

sequential.c:

#include <stdio.h>
#include <stdlib.h>

/* Usage: sequential PREFIX START STEP END
 * Prints PREFIX followed by START, START+STEP, START+2*STEP, ...
 * for every value that is <= END, one URL per line. */
int
main (int argc, char *argv[])
{
	long q, step, end;

	if (argc != 5) {
		fprintf (stderr, "usage: %s prefix start step end\n", argv[0]);
		return 1;
	}
	q    = atol (argv[2]);   /* first number appended to the prefix */
	step = atol (argv[3]);   /* increment between consecutive entries */
	end  = atol (argv[4]);   /* highest number that may be emitted */
	if (step <= 0) {
		fprintf (stderr, "step must be a positive number\n");
		return 1;
	}
	while (q <= end)
	{
		printf ("%s%ld\n", argv[1], q);
		q += step;
	}
	return 0;
}

Usage example:

./sequential http://192.168.7.148:9101/raid_1/75K_File_ 1 64 214748364 > sequential_test_urls

Which writes a file whose first lines are:

http://192.168.7.148:9101/raid_1/75K_File_1
http://192.168.7.148:9101/raid_1/75K_File_65
...

and whose last lines are:

http://192.168.7.148:9101/raid_1/75K_File_214748289
http://192.168.7.148:9101/raid_1/75K_File_214748353

Multiple instances of sequential can be used, with different starting numbers, to divide the workload among multiple http_loads, each calling a different URL load file.

Topics: Uncategorized | No Comments »

Random ranging…

By Matt | October 30, 2009

This was an attempt to provide random URLs to http_load, which didn’t work since http_load just reads the file once. Looks like I may have to delve into C and implement the randomness in http_load itself.

But I like the code. It takes the square root of the highest possible number in the file name to set a limit for $RANDOM, so that the product of two such values never exceeds that highest number.

# Set earlier in the script: $file_choices (highest file number),
# $tests (number of http_load instances) and $file_size (e.g. 75K).
square=$(echo "sqrt($file_choices)" | bc)
load_pid_wait_list=""
for (( q=1; q<=tests; q++ ))
do
	(while true
	do
		# two values below sqrt(N), so their product stays below N
		let R=$RANDOM%$square
		let P=$RANDOM%$square
		filenum=$(echo "$P * $R" | bc)
		# rewrite this instance's two-line URL file on every pass
		echo "http://192.168.7.148:9101/raid1/${file_size}_File_${filenum}" > "./http_load_urls_$q"
		echo "http://192.168.8.148:9101/raid2/${file_size}_File_${filenum}" >> "./http_load_urls_$q"
	done
	)&
	load_pid_wait_list="$load_pid_wait_list $!"
done
Later on in the script, these processes are killed:
for pid in $load_pid_wait_list
do
	kill -9 $pid
done
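As an added example (not code from the original posts), here is the same job in Python: the sequence sequential.c writes, plus, for the random list the second post wanted, a comparison of the $RANDOM-times-$RANDOM trick against a uniform draw. The sampler and URL-list helpers assume a seeded generator so runs are repeatable.

```python
import math
import random


def sequential_urls(prefix, start, step, end):
    """What sequential.c emits: prefix+start, prefix+(start+step), ... up to end."""
    if step <= 0:
        raise ValueError("step must be positive")
    return [f"{prefix}{n}" for n in range(start, end + 1, step)]


def sequential_count_and_last(start, step, end):
    """Number of lines sequential.c writes and the last number it appends."""
    count = (end - start) // step + 1
    return count, start + (count - 1) * step


def product_filenum(file_choices, rng):
    """The shell post's method: two $RANDOM values below sqrt(N), multiplied."""
    square = math.isqrt(file_choices)  # bc's sqrt of an integer truncates too
    return rng.randrange(square) * rng.randrange(square)


def uniform_filenum(file_choices, rng):
    """Every file number 1..N equally likely."""
    return rng.randint(1, file_choices)


def coverage(sampler, file_choices, draws, seed=0):
    """Fraction of the N file numbers that `draws` samples actually reach.

    The product method can only yield numbers with a factor below sqrt(N),
    so it never names most files (no prime above sqrt(N), for instance)."""
    rng = random.Random(seed)
    seen = {sampler(file_choices, rng) for _ in range(draws)}
    seen.discard(0)  # the product method can yield 0, which names no file
    return len(seen) / file_choices


def random_url_lines(prefix, file_choices, lines, seed=None):
    """A pre-built URL list for http_load in which every file is equally likely."""
    rng = random.Random(seed)
    return [f"{prefix}{uniform_filenum(file_choices, rng)}" for _ in range(lines)]
```

Because http_load reads the list once, the random choice has to be baked into the file; `random_url_lines` does that with a uniform draw instead of the skewed product.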

Topics: Uncategorized | No Comments »

Finding total number of lines in multiple files

By Matt | October 29, 2009

find ./ -name "http_load_urls_*" -print0 | xargs -0 wc -l

(With a very large number of files, xargs splits them across several wc invocations, each of which prints its own total.)

Topics: Uncategorized | No Comments »

Yet another one line shell script :)

By Matt | October 26, 2009

grep -R '>1254511748.80104' * | awk -F: '{print $1}' > filename; filename=$(head -1 filename); grep -n '%idle' $filename | awk -F: '{print $1 + 13}' > linenum; sed -i 's/^/head -/g' linenum; sedfilename=$(head -1 filename | sed 's/\//\\\//g'); sed -i "s/$/ $sedfilename | tail -1 /g" linenum; chmod 755 linenum; ./linenum | sed 's/^.*">//g' | sed 's/<.*$//g' | awk '{print 100 - $1}'

Topics: Uncategorized | No Comments »

Now that’s a one liner…

By Matt | October 21, 2009

grep -R -n 'pgpgin/s' * | grep ':16' | awk -F: '{printf "file="$1"\n pagein=$(head -"$2 + 12" "$1" |\
 tail -1 | sed \"s/^.*Number\\\"\>//g\" | sed \"s/\<.*$//g\") \n echo \$file \t \$pagein \n"}' \
> pagein.bash; ./pagein.bash > page_in.txt; sed -i 's/.xml//g' page_in.txt; sed -i 's/K_.*_/K /g' \
page_in.txt; sed -i 's/M_.*_/M /g' page_in.txt; sed -i 's/^.*x//g' page_in.txt; sed "s/^.*_//g" \
page_in.txt > page_in.txt.2 ; sort page_in.txt.2 > page_in.txt

Now let’s see if I remember what this all does when I come back to document this :)

Topics: Uncategorized | No Comments »
