[SecurityRatty] tag: metropolitan

Wireless Security In-Depth

Sun, 14 Sep 2008 09:30:02 +0000

If we had told you eight years ago, when 802.11b was really taking off, that one day in the future you would be able to pick up at least ten different wireless networks on any given block of a major metropolitan city, you might have believed us.

The MTA Seeks Compliance on Their Antique Vending Machines

Mon, 21 Jul 2008 04:44:25 +0000

At the time I posted my recent blog about finding a New York City Transit MetroCard vending machine running Windows NT 4 Service Pack 3 I contacted the MTA (Metropolitan Transit Authority) to ask them about it. I received a response from Paul Fleuranges, vice president of Corporate Communications, MTA NYC Transit:

Assuring the security of the MetroCard system is a multi-layered effort encompassing technical solutions and procedures aimed at preventing unauthorized access and detecting unauthorized activities during the course of normal operations. The activity of the system is monitored for unusual behavior at many points in the operation. Procedures are in place to quickly respond to unusual occurrences in ways that not only limit risk, but can lead to immediate remedial action. NYC Transit is in the process of completing an extensive effort to become compliance [sic] with Payment Card Industry (PCI) rules relating to credit/debit transactions. While directly related to the business of accepting bank cards, these rules have also helped NYCT further harden its automated fare collection system against potential unauthorized access to sensitive transaction information by hackers and employees. In regards to your security related questions, which we will not address here in any detail, it is safe to say network environment is constructed in such a way that the serious security implications and vulnerabilities you reference do not exist.

So we'll have to take their word for it that it's impossible for anyone to hack into their machines. If the machines were actually on a network of some kind I would be worried, but it's likely they all just have a dial-up connection and some weird, old version of SLIP. The reference to PCI compliance is interesting. Seeing as how Requirement 6 of the PCI DSS states that you must "Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release" I would think they can't possibly be compliant running NT 4 SP3, and that they must have a goal of upgrading these systems. That's good news.

The MTA Seeks Compliance on Their Antique Vending Machines

Mon, 21 Jul 2008 04:44:25 +0000

Assuring the security of the MetroCard system is a multi-layered effort encompassing technical solutions and procedures aimed at preventing unauthorized access and detecting unauthorized activities during the course of normal operations. The activity of the system is monitored for unusual behavior at many points in the operation. Procedures are in place to quickly respond to unusual occurrences in ways that not only limit risk, but can lead to immediate remedial action. NYC Transit is in the process of completing an extensive effort to become compliance [sic] with Payment Card Industry (PCI) rules relating to credit/debit transactions. While directly related to the business of accepting bank cards, these rules have also helped NYCT further harden its automated fare collection system against potential unauthorized access to sensitive transaction information by hackers and employees. In regards to your security related questions, which we will not address here in any detail, it is safe to say network environment is constructed in such a way that the serious security implications and vulnerabilities you reference do not exist.

"Metro" employee information mistakenly posted to Web

Tue, 15 Jul 2008 06:39:14 +0000

Technorati Tag: Security Breach

Date Reported:
7/14/08

Organization:
Washington Metropolitan Area Transit Authority ("Metro")

Contractor/Consultant/Branch:
None

Victims:
"past and present employees"

Number Affected:
4,675

Types of Data:
Names and Social Security numbers

Breach Description:
"Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month."

Reference URL:
Metro Press Release
Associated Press via Forbes.com
NBC Channel 4 News
The Washington Post

Report Credit:
Washington Metropolitan Area Transit Authority

Response:
From the online sources cited above:

Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month.

The information was posted between June 9 and 25 as part of a solicitation from Metro to companies interested in providing worker’s compensation and risk management services.
[Evan] Rather than post this information to a public web site, why wasn't a more secure method of tranmission used such as VPN or secure FTP?

The document mistakenly included the social security numbers of 4,675 employees.
[Evan] According to Metro spokeswoman Candace Smith the sensitive information was supposed to be redacted. I wonder how well this mandate was communicated to the employee(s) responsible for compiling and posting the information.

A smaller group of employees had their names and social security numbers posted in the lengthy document. Metro officials continue to analyze the information for any other data breaches.

Three Metro employees have been disciplined

The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.
[Evan] This implies that the employees responsible for the mistake should have known better. We can probably assume that they were informed of the proper procedure, but did not follow it.

Letters warning of the breach were sent out to the affected employees.

The letter urges employees to watch their credit reports for signs of identity theft.

Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.

The agency is offering the 4,700 employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services.

"We deeply regret this incident, and believe the likelihood of misuse of the information is low," said Metro Chief Safety Officer Ronald Keele.

"However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."
[Evan] Checks and balances are typically lacking in these types of breaches, so I think it’s a good sign that Metro is addressing these.

Metro officials say they are not alone in this type of data breach.
[Evan] So what?

According to the Identity Theft Resource Center, data breaches at businesses, governments and universities were up 69 percent in the first half of 2008 compared with a similar period in 2007.

Commentary:
The end result of this oversight is three disciplined employees (with no pay for a month) and nearly 4,700 people with an increased risk of identity theft. Forethought is there for a reason, whether or not you use it is your choice.

Past Breaches:
Unknown

D.C. Police Detective Arressted for Propositioning a "Prostitute".

Sat, 12 Jul 2008 14:58:00 +0000

Some time clients call us up and ask if we can send them off-duty cops for Executive Protection assignments. My first inclination is to tell them why we are reluctant to use off-duty police.

Yesterday, WTOP radio reported that a Detective Wheeler from the Washington D.C. Metropolitan Police had been arrested for trying to hire a Prostitute. Unfortunately for Detective Wheeler, the "prostitute" was an undercover Police Detective herself.

The story gets better, however. It seems that Detective Wheeler is assigned to the Vice Unit. For those of you who don't know what a Vice Unit does, they set up "stings" and dress female Police officers to look like prostitutes in order to arrest those who try and do business with "prostitutes". One wonders if Detective Wheeler should be charged with the prostituion charge or one involving gross stupidity.

Just becaause a Police officer carries a gun, does not mean that this qualifies him or her to do everything security related. While most of them are decent, hard working indivduals, there are also some who break laws and circumvent the system for their own benefit. When you hire an "off-duty cop", you do not know what you are getting. Perhaps you will get a bad apple(s) who will do more harm than good. Afterall, what way is there to vet them?

A professional security company like ours, train their own people and enforce from day one a strong sense of Ethics. We have a zero policy for any behaviour that might be detrimental to us or the client. On the rare occassion when someone does something that we do not condone, they are terminated. There is no room for Union intervention or "three strikes, you're out" or any other delaying tactic.

Our reputation is too important. Then again, we do not have "jobs for life" but must instead earn buisness by constantly performing. The next time you need a security person, keep this in mind.

Personal Internet Security: follow-up report

Tue, 08 Jul 2008 09:05:04 +0000

The House of Lords Science and Technology Committee have just completed a follow-up inquiry into “Personal Internet Security”, and their report is published here. Once again I have acted as their specialist adviser, and once again I’m under no obligation to endorse the Committee’s conclusions — but they have once again produced a useful report with sound conclusions, so I’m very happy to promote it!

Their initial report last summer, which I blogged about at the time, was — almost entirely — rejected by the Government last autumn (blog article here).

The Committee decided that in the light of the Government’s antipathy they would hold a rapid follow-up inquiry to establish whether their conclusions were sound or whether the Government was right to turn them down, and indeed, given the speed of change on the Internet, whether their recommendations were still timely.

The written responses broadly endorsed the Committee’s recommendations, with the main areas of controversy being liability for software vendors, making the banks statutorily responsible for phishing/skimming fraud, and how such fraud should be reported.

There was one oral session where, to everyone’s surprise, two Government ministers turned up and were extremely conciliatory. Baroness Vadera (BERR) said that the report “was somewhat more interesting than our response” and Vernon Coaker (Home Office) apologised to the Committee “if they felt that our response was overdefensive” adding “the report that was produced by this Committee a few months ago now has actually helped drive the agenda forward and certainly the resubmission of evidence and the re-thinking that that has caused has also helped with respect to that. So may I apologise to all of you; it is no disrespect to the Committee or to any of the members.”

I got the impression that the ministers were more impressed with the Committee’s report than were the civil servants who had drafted the Government’s previous formal response. Just maybe, some of my comments made a difference?

Given this volte face, the Committee’s follow-up report is also conciliatory, whilst recognising that the new approach is very much in the “jam tomorrow” category — we will all have to wait to see if they deliver.

The report is still in favour of software vendor liability as a long term strategy to improving software security, and on a security breach notification law the report says “we hold to our view that data security breach notification legislation would have the twin impacts of increasing incentives on businesses to avoid data loss, and should a breach occur, giving individuals timely information so that they can reduce the risk to themselves“. The headlines have been about the data lost by the Government, but recent figures from the ICO show that private industry is doing pretty badly as well.

The report also revisits the recommendations relating to banking, reiterating the committee’s view that “the liability of banks for losses incurred by electronic fraud should be underpinned by legislation rather than by the Banking Code“. The reasoning is simple, the banks choose the security mechanisms and how much effort they put into detecting patterns of fraud, so they should stand the losses if these systems fail. Holding individuals liable for succumbing to ever more sophisticated attacks is neither fair, nor economically efficient. The Committee also remained concerned that where fraud does take place, reports are made to the banks, who then choose whether or not to forward them to the police. They describe this approach as “wholly unsatisfactory and that it risks undermining public trust in the police and the Internet“.

This is quite a short report, a mere 36 paragraphs, but comes bundled with the responses received, all of which from Ross Anderson and Nicholas Bohm, through to the Metropolitan Police and Symantec are well worth reading to understand more about a complex problem, yet one where we’re beginning to see the first glimmers of consensus as to how best to move forward.

Life Is A Technology Museum

Sat, 05 Jul 2008 16:13:08 +0000

I went this morning with my family to the Museum of Natural History on Manhattan's Upper West Side. In the subway I noticed one of the machines that sells MetroCards (the fare cards for the NYC transit) rebooting;. I wasn't able to get my cell phone camera going until it was in the boot-time banner. Turns out the machine was a bit of a museum piece itself. Before that I watched it in blue-screen mode and observed that it was running Windows NT 4.0 Workstation Service Pack 3. Wow, that's pretty old. There hasn't been any support at all for NT 4 since January 2005, and that was for Service Pack 6 I believe. To date the software, SP3 was released 8 years ago. Back to the MetroCard machine itself, there's some more detail on the screen: The banner is customized with "Metropolitan Transportation Authority" and it says, I think, "with CTS AVM". I did a little Googling and struck out on what that means. If any of you can help me out I'm curious. The moral of this story is an old one, how technology users can be incredibly conservative, or perhaps "thrifty" is the right word. I ought to follow up with the MTA to see if they plan to leave these systems as-is. Yeah, maybe "if it ain't broke don't fix it," but why did it reboot?

Life Is a Technology Museum

Sat, 05 Jul 2008 16:13:08 +0000

I went this morning with my family to the Museum of Natural History on Manhattan's Upper West Side. In the subway I noticed one of the machines that sells MetroCards (the fare cards for the NYC transit) rebooting. I wasn't able to get my cell phone camera going until it was in the boot-time banner. Turns out the machine was a bit of a museum piece itself. Before that I watched it in blue-screen mode and observed that it was running Windows NT 4.0 Workstation Service Pack 3. Wow, that's pretty old. There hasn't been any support at all for NT 4 since January 2005, and that was for Service Pack 6 I believe. To date the software, SP3 was released eight years ago. Back to the MetroCard machine itself, there's some more detail on the screen: The banner is customized with "Metropolitan Transportation Authority" and it says, I think, "with CTS AVM." I did a little Googling and struck out on what that means. If any of you can help me out, I'm curious. The moral of this story is an old one, how technology users can be incredibly conservative, or perhaps "thrifty" is the right word. I ought to follow up with the MTA to see if they plan to leave these systems as is. Yeah, maybe "if it ain't broke don't fix it," but why did it reboot?

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.

Latest 802.11 Standard Boosts Wi-Fi Power in New Band

Wed, 25 Jun 2008 10:01:44 +0000

The nearly finished IEEE 802.11y could make Wi-Fi more practical over longer distances: Wi-Fi is a compromise. In the unlicensed bands in which it operates, it has to deal with interference from noise sources and other networks, while using very low power, and trying not to make a pest of itself. It's done very well. In the 2.4 GHz band and parts of 5 GHz, the maximum power from the radio is 1 watt (W), and the effective power (EIRP) is 4 W on an omnidirectional antenna. (You can push far more power if you narrow the antenna's beam. And parts of the 5 GHz band restrict radio power below 1 W. I wrote a long rundown of 5 GHz issues back in Jan-2007.)

But there's this lovely new segment of lightly licensed spectrum in the U.S., the 3.65 GHz band. It's a non-exclusive licensed band available only in parts of the country that don't have pre-existing ground-to-satellite or radar uses that overlap. This omits most of the eastern seaboard and most major cities; Seattle is one exception.

The licensing mechanism allows any number of operators to obtain inexpensive licenses, and register the base stations they use by location. If interference arises among base stations, operators are required to work out the problems themselves. I wrote extensively about this band and its rules on 9-May-2008 in profiling Azulstar, formerly a metro-scale Wi-Fi firm, but now a big proponent of WiMax in 3.65 GHz. I also went over the rules for the band on 11-June-2007 when the FCC announced the arrangement.

Several firms offer base station and customer premises equipment for this band now, so close to the 3.5 GHz band more commonly exclusively licensed in Europe and elsewhere. WiMax equipment is available because the 3.65 GHz band can be used with WiMax without any modifications to that protocol, although limited to just 25 MHz of the 50 MHz that the FCC set aside.

Equipment that conforms to a more stringent set of rules about contention and other factors can use the whole 50 MHz, and that's where 802.11y comes in. It's an extension of Wi-Fi to cope with the specific needs--and to open Wi-Fi technology up to 20 W EIRP, a vastly higher power output. This could allow connections over 5 km, the group says.

The Wikipedia entry on 802.11y, clearly written by someone involved with the specification, notes that three specific additions are needed: a tweak to support the way in which the FCC wants contention among competing devices to work; a method for an access point to tell a station (a connecting radio) that it's about to switch its channel or its channel's bandwidth, and the station should do likewise; and a mechanism to handle a base station allowing or revoking permission to use the spectrum without uniquely identifying the user's system or broadcasting its precise GPS-based location.

The standard is near completion and initial approval. I don't have any knowledge about whether any mainstream Wi-Fi equipment makers or metro-scale equipment makers are looking into building 802.11y into their gear.

The fact is that this could be a great technology for the mostly sub-metropolitan markets that 3.65 GHz is available in, although it has the same pain as WiMax: all new gear on the towers and all new adapters for customers.