[SecurityRatty] tag: park

Ifoothills.org Registrants Personal data and credit card numbers possibly stolen in Foothills Park & Recreation facilities Breach

Thu, 02 Oct 2008 16:51:30 +0000

Foothills Park & Recreation District in South Jefferson County is working with the Jefferson County Sheriff’s Office in the investigation of a theft of personal information from the district’s computer network. The information have been accessed through an illegal hacking and could contain credit card information and other personal information that could be used to [...]

Sheraton Lounge with Free Wi-Fi in Central Park's Sheep Meadow

Tue, 16 Sep 2008 05:49:57 +0000

Sheraton builds lounge in Central Park with Wi-Fi: It's a publicity stunt, but the hotel chain wants to promote the fact that it's updated its hotel lounges or some nonsense, so they've taken over the famous Sheep Meadow, blanketing it in free Wi-Fi through September, and offering snacks and such next Monday. Central Park already has some Wi-Fi, including at Sheep Meadow.

Modelling Shoplifting

Sun, 07 Sep 2008 03:30:15 +0000

The other day I was thinking that I should write about specific situation models and by coincident Marc Adler pens CEP and Shoplifting. In Marc’s post, Marc begins to model shoplifting as if shoplifting is “market data,” with Level 1 to Level 4 shoplifting “quotes” - the natural approach for a brilliant guy from Citi. In reality, this model does not work very well, and I’ll touch on a few reasons why today.

Marc’s initial shoplifting model in his post is based on John Colapinto’s concepts of matching a pattern of customer movements in the store with their estimated patterns of shoplifting behavioral patterns. Marc’s asks how Coral8 might address this. We are not ready to seek a vendor solution. We do not yet have a workable detection model.

As indicated above, I don’t think the example situation cited by John and Marc is a viable model for automated processing. Tracking the behavior of customer’s movements, by machine, would require some very sophisticated image processing technology that would be too expensive compared to any possible loss at most retails stores. This type of behavioral pattern recognition. in retail stores, is performed by people (security personnel), not machines, observing people.

To develop a machine pattern recognition application to detect retail shoplifting we need to build detection models that are economically feasible. If we are going to use a model of shoplifting pattern recognition versus anomaly detection, we need to define the objects we must track.

In the most simple model, we have merchandise-objects. Stores normally (physically) track merchandise-objects only at the exit/entry points of the store using some electromagnetic proximity detection technology. In this model, the detection configuration is a combination of simple alerting with humans watching the store (”minding the store”). This is not complex event processing.

However, if we added another object to our model, the customer-object, then we start to get more “complex,” but we have not defined “complexity” yet because we have not defined the object properties, the possible states of the objects, and the relationships between the objects that are the basis for estimated situations.

Hence, model building is constrained by available resources, simple economics and risk (cost-benefit). If we are detecting shoplifting in Walmart the cost-benefit model for implementing an automated shoplifting detection system would be different than at a top diamond store on 5th Avenue in NYC. Protecting loss at a weapons-grade uranium respository follows a different model than protecting loss at a handicraft shop, naturally.

Like Marc, I find models to automatically detect shoplifting interesting, so permit me to close with a general discussion of shoplifting in the context of our CEP/EP reference model.

One approach would be do determine what objects will be represented in our model. For example, if we are going to track merchandise, we need to model the ”merchandise-object”. If we are going to track people, we need to define the properties of this “person object.” If we are going to represent the store layout, we need to define all these objects (store-object, table-object, shelf-object, entry-object and so forth). The model can get “complex” quite quickly.

Editorial Note: An object-oriented approach greatly assists complex model building because we can benefit from OO properties such as encapsulation and polymorphism. For example, we can define a basic “person object class” and then create superclasses of this object for “customer-object”, “manager-object”, “or criminal-object.”

Generally speaking, each object we define will require a state-model, for example, in Marc’s example of a customer moving around the store, we would need to model the possible states (customer at the entrance, at table 1, at table 2, at shelf 1, in the bathroom, at the cashier, etc.) Indeed Marc, this is complex event processing if we have modelled multiple objects and defined object-object relationships that indicate situations of interest. For example, customer-object at table2 where merchandise-object has the property of ”very expensive, high risk” and then customer-object changes state to “in bathroom”. Of course, we need more key indicators, but you get the idea.

Right now, I am typing from the Taste from Heaven Vegetarian Restaurant in Chiang Mai and my battery is running low. The owner of this excellent restaurant also runs the Elephant Nature Park, a non-profit organization advocating and acting on behalf of the rights of the mighty elephants in Thailand. Would be great if we could also automatically detect the situation of “elephant abuse” by poachers and other crimes against nature. Time to get back to my delicious mushroom salad, Northeastern Thai style.

As always, thanks for reading, time for me to get back to eating!

A Diverse Portfolio of Fake Security Software - Part Five

Tue, 02 Sep 2008 01:04:58 +0000

The "campaign managers" behind these fake security software propositions are not just starting to take park them at up to three different locations, localize the sites to different languages and introduce client-side exploits, just in case the end user gets suspicious and doesn't install it, but also, the natural evasive practices. For instance, once some of their domains get detected and blocked, they put them in a stand by mode and relaunch them online in a week or so, or ensure that only those coming to the domains from where they are supposed to come - yet another blackhat SEO or SQL injection attack - are the only ones getting to see the download screen.

Some of the new additions parked at the same IPs offered by the "known suspects" include :

main-scanner .com - (77.244.220.138; 78.159.97.247; 89.149.209.251; 212.95.37.154)
scanner-mainpro .com
scanner-online1 .com
alldiskscheck300 .com
myscanners101 .com
download-a1 .com
scanner-online1 .com
multilang1 .com
ratemyblog1 .com
multisearch1 .com
filescheck-list303 .com
woodst-sale .com
scanner-mainpro .com
main-scanner .com
directrevisions .com

supersolution-freeantivirus .com - (213.155.2.69)
antivirus-bestsolution .net
antivirus4protection .net
antivirusproxp .com
freebest-antivirus .net
goodantivirus-free .net
noadwareantivirus .com
pwrantivirus2009 .com
solution-freeantivirus .com
supersolution-antivirus .com
supersolution-freeantivirus .com
antivirusdwl .com
securesoftdl .com
viva-codec .com
win-antivirus-protect .com
avxp-2008 .net
antivirusq .net
antivirus2008b .net
antivirus2008m .net
antivirus2008n .net
antivirus2008v .net
antivirus777 .com
antivirusq .net
antivirusr .net
antivirust .net
antivirusw .net
antivirusu .net
expressantivirus2009 .com
spywarezscan .net
antispywareq .net
free-anti-spywaree .net
avcheckyourpc .net

software-for-me08 .com - (78.157.143.250)
software-for-me-08 .com
softwarefor-me2008 .com
softwarefor-me-2008 .com
software-forme08 .com

doctor2antivirus .com - (217.112.94.226; 87.248.163.56)
doctor5antivirus .com
doctor6antivirus .com
doctor7antivirus .com
doctor8antivirus .com
doctorantivirus2008a .com
doctor-antivirus .com
bcodecnow .net

mysoftwarefreezone .com - (91.203.92.97)
hotvid44 .com
totsec2009 .com
getdefender2009 .com
totalsecure2009 .com
myveryprivatevid .com
mustseethatvid .com
onlythebestvid .com
ie-antivirus-order .com
ie-anti-virus .com
secure-order-box .com

secureexpertcleaner .com - (89.149.227.50)
bestxpclean2008 .com
virusremover2008 .com
registrydoctor2008 .com
securefileshredder .com
hypersecurefileshredder .com
bestsecureexpertcleaner .com

getdefender2009 .com - (58.65.238.34)
malwarebell .com
free-viruscan .com
tmptmpservvv .com
cometoseemyshow .com

getneededsoftware .com - (91.203.93.25)
gettotalsec2008 .com
thedownloadvid .com
scan.pc-antispyware-scanner .com
totalsecure2009 .com

wista-antivirus2009 .com - (216.255.179.203)
usawindowsupdates .com - (85.17.143.213)
mswindowsupdates .com

The campaigns and the hosting providers are continuously monitored, especially taking into consideration the fact that the domains are already appearing in Alexa's web rankings with sudden peaks of traffic.

Related posts:
Fake Security Software Domains Serving Exploits
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Let's Play Two

Tue, 12 Aug 2008 08:47:51 +0000

Every year my Dad and I go to see a Red Sox series. Last weekend was this year's trip and we went to Chicago to see the World Champion Boston Red Sox (saying that never gets old) play the White Sox. Of course, while you are in Chicago you have to see Wrigley Field, and we really lucked out. This weekend was Red Sox versus the White Sox (the battle of the Soxes they used to call it on Channel 38) on the southside and northside featured Cubs versus Cardinals! The last four World Series winners in town on the same weekend (Red Sox 04, 07, White Sox 05, Cards 06).

We learned several things- first in heaven the Cubs play the Red Sox in the World Series. Those ballparks are true gems. (In hell its probably the Yankees versus Phillies). Also, the people on the southside and northside *really* have a rivalry going. Its basically Boston v NY but they live in the same town! Here is one example from the southside

One of the great things about Wrigley (and there are many despite what southsiders say), is that its in the middle of a real neighborhood

Epicenter of Cub universe

Lots of action before and after game time, lots of people wandering around with gloves catching batting practices homers outside the stadium...err Field. Key point - Wrigley is a field, not a Stadium. Also Fenway is a Park. The Greek root of the word "paradise", means "enclosed green space", not concreteopolis

Wrigley is baseball Mecca

The greatest Cub of all, Ernie Banks, was our touchstone for the day - "Let's Play Two." we started at Wrigley for the day game (Zambrano got shelled) and then got crosstown for the night game.

To pull this off the L is your friend. As several Chicagoans pointed out, they are the only city that can have a true subway series, because the Red Line services both the White Sox and Cubs, whereas Mets-Yankees involves numerous transfers and so on.

We got to US Cellular Field which is fine but a shadow of Wrigley and absolutely nothing good to eat. Luckily we had Daisuke Matsuzaka on the hill

Before every game, Big Papi holds court in center with some players from the other team, he is to be a very popular guy. Ozzie Guillen told him before the series that with Manny gone, he wouldn't see a pitch to hit all weekend (ps. he did and crushed a bases loaded double)

The question we got most was - what about the Manny trade? His replacement strikes out a lot, but is otherwise a promising player

The Red Sox and White Sox share a little history, most especially Pudge Fisk who hit the famous homer in the 75 world series for the Red Sox and then had a great career for the White Sox (actually played more games for Chicago than Boston, but went into Cooperstown with a B on his hat)

Red Sox won, hanging out in Wrigley was an even bigger highlight, and Chicago is a beautiful city to visit, by far the most accessible of the big US cities. Also, lots of good places to eat courtesy of Thomas Ptacek.

Meru Networks erects a "cone of silence"

Wed, 30 Jul 2008 04:05:48 +0000

Who doesn't remember the cone of silence from the original Get Smart TV series. Whenever Max and the Chief had something important to discuss they would lower the cone of silence so that no one else could hear them or eavesdrop. So it is only fitting with the recent release of the Get Smart movie, Meru Networks has released a wireless cone of silence.

Meru is one of few stand alone wireless companies still hanging on out there. So they need to be innovative to survive. Their latest product, RF Barrier puts antennas around a physical plant to dampen and make it impossible to to listen in on wireless data exchanges. They claim this is a first of its kind. Thinking about it though, I don't see a big barrier to other companies having similar technology. I don't think you have to be a genius to broadcast traffic that puts out "noise" to hide legit traffic. I think the real special sauce is that this works in conjunction with Meru's other security products like wireless firewalls and secure access points.

With Motorola's recent purchase of AirDefense is having wireless IPS soon going to be table stakes in the wireless provider game? I think it is and while Meru's RF barrier is a nice story, they are going to need to have some sort of IDS/IPS in their product line to keep up.

Meru Networks erects a "cone of silence"

Wed, 30 Jul 2008 03:05:48 +0000

Anti-Terrorism Stupidity at Yankee Stadium

Thu, 24 Jul 2008 02:50:24 +0000

They's at Yankee Stadium:

The team contends that sunscreen has long been on the list of stadium contraband, but there is no mention of it on the Yankee Web site.
Four weeks ago, Stadium officials decided that sunscreen of all sizes and varieties would not be permitted, a security supervisor told The Post before last night's game.

"There have been a lot of complaints," he said. "We tell them to apply once and then throw it out."

For fans who bring babies or young children to cheer on the home team, the guard had suggested they "beg" to take the sunblock in.

Seeing the giant bag full of confiscated sunscreen Saturday, one steaming Yankee fan asked whether he could take one of the tubes and apply it before heading into the park.

"Absolutely not," the guard told him. "What if you get a rash? You might sue the Yankees."

Next, I suppose, is confiscating liquids at pools.

We've collectively lost our minds.

This story has a happy ending, though. A day after The New York Post published this story, Yankee Stadium reversed its ban. Now, if only the Post had that same affect on airport security.

Lazy Summer Days at UkrTeleGroup Ltd

Tue, 22 Jul 2008 03:12:02 +0000

The result of building extra confidence into your malicious hosting provider's ability to remain online, is a scammy ecosystem that's constantly jumping from one netblock to another, whose very latest exploit URLs and rogue security software nexto to the codecs served, always represent a decent sample of malicious activities to analyze.

UkrTeleGroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business Network, and hosting provider for a countless of number of injected and malware embedded campaigns during the last two years, is still keeping it as lazy as possible, a laziness allowing you to easily expose a great deal of the malicious activities going on there, and establish the connections between the hosting provider, its current and historical customers.

Take microsoftcodecs.com (88.214.198.220) for instance, and avxp08.com where it redirects the user into yet another rogue security software. avxp08.com is responding to 194.110.162.114; 216.195.41.11; 216.195.41.11; 216.240.139.169, and to UkrTeleGroup Ltd's 85.255.117.163.

Each of these IPs are also being shared by other rogue software and fake codecs simultaneously :

(216.195.41.11)
antivirusxp2008 .com
malwareprotector2008 .com
antivirxp08 .com
antivirusxp08 .com
avxp08 .com
youpornztube .com
winifixer .com
advancedxpfixer .com
encountertracker .ws

It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) served at the avxp08.com gets sandboxed. The malware phones back home stat.avxp08 .com (85.255.118.172) announcing the successful infection winifixer .com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c&uid=06f80eaf-94d7-4b8b-9cf0-5c6f75d2c69f&tm=1211198022 (85.255.118.171), and the scammy ecosystem continues using the same hosting provider. The rest of the rogue tools are also using the same subdomain structure, and IP, stat.antivirusxp2008 .com (85.255.118.172), stat.antivirxp08 .com (85.255.118.172), stat.antivirusxp08 .com (85.255.118.172) in order to phone back home.

winifixer .com, a well known rogue software, is entirely relying on UkrTeleGroup's hosting services hosted at 85.255.117.163; 85.255.118.171; 85.255.120.115; 85.255.120.139; 216.195.41.11 pinpoing several other obvious and well known netblocks hosting anything starting from fake celebrity video sites serving fake Windows Media Player videos, to rogue security software and live exploit URLs. Take for instance their efficiency centered approach to park numerous malicious domains on a single IP, like 85.255.117.218 in this case :

bestfunnyvids .com
celebs69 .com
celebsnofake .com
celebstape .com
celebsvidsonline .com
codecservice1 .com
freevidshardcore .com
newfunnyvideo .com
sexlookupworld .com
starfeed1 .com
starfeed2 .com
topdirectdownload .com
topsearchresults1 .com
topsoftupdate .com
yourfavoritetube .com

Now that it's becoming clear who's providing the hosting infrastructure, it's perhaps also worth pointing out who's using the hosting infrastructure to serve rogue security software and fake codecs on the basis of participating in an affiliate program? A great number of domains used by the rogue security software are registered by krab@thekrab.com behind which is supposidely Mishakov Viktor Ivanovich support@tobesoftware.com, and ironically tobesoftware.com is again hosting within UkrTeleGroup (85.255.120.115). The personal efforts into the number of the typosquatted domains and the persistence applied when registered and spamming them across the web, is the result of the incentives provided to them by the affiliate program they participate in.

Mailing error at the University of Maryland exposes student information

Fri, 18 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown