[SecurityRatty] tag: thief

Set a Smartphone Password

Wed, 12 Nov 2008 21:00:00 +0000

I've never lost a smartphone, but I've felt dumb after temporarily misplacing a device. I don't care about the cost of replacing a BlackBerry or iPhone; the lost data is its value. It takes a special thief or opportunist to cash in on your cached data, but why take the chance? Lock down your smartphone with a password.

How IT Helped Catch the Jewelry Thief

Tue, 11 Nov 2008 21:00:00 +0000

It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the time the tape was reviewed, there would often be little the authorities could do about it.

Horrible Identity Theft Story

Thu, 30 Oct 2008 09:10:29 +0000

This is a story of how smart people can be neutralized through stupid procedures.

Here's the part of the story where some poor guy's account get's completely f-ed. This thief had been bounced to the out-sourced to security so often that he must have made a check list of any possible questions they would ask him. Through whatever means, he managed to get the answers to these questions. Now when he called, he could give us the information we were asking for, but by this point we knew his voice so well that we still tried to get him to security. It worked like this: We put him on hold and dial the extension for security. We get a security rep and start to explain the situation; we tell them he was able to give the right information, but that we know is the same guy that's been calling for weeks and we are certain he is not the account holder. They begrudgingly take the call. Minutes later another one of us gets a call from a security rep saying they are giving us a customer who has been cleared by them. And here the thief was back in our department. For those of us who had come to know him, the fight waged on night after night.

Mac security focus: Privacy

Tue, 07 Oct 2008 20:00:00 +0000

At the very least, losing your wallet to a thief is a major pain in the neck: you lose your cash and (possibly) some precious mementos, and you have to cancel your credit cards and replace your driver's license. More seriously, the thief could steal your identity, using your personal information to make purchases, get loans, or cause you all kinds of grief by pretending to be you.

The asymmetry of data loss - data thief has an upper hand

Wed, 01 Oct 2008 02:33:22 +0000

I read this awesome book by Dan Geer, Economics and Strategies of Data Security. This gave me structure for my thoughts about a complex topic such as data security.

When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind.

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables - Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

Software to Facilitate Retail Tax Fraud

Tue, 02 Sep 2008 08:24:22 +0000

Interesting:

Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials.
[...]

Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register's final cash total. To hide the removal of cash from the till, a crooked business owner has to erase the record of food orders equal to the amount of cash taken; otherwise, the imbalance is obvious to any auditor.

[...]

The more sophisticated zappers are easy to use, according to several experts. A dialogue box, which shows the day's tally, pops up on the register's screen.

In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till. The program then calculates which orders to erase to get close to the amount of cash the person wants to remove. Then it suggests how much cash to take, and it erases the entries from the books and a corresponding amount in orders, so the register balances.

Hacking Mifare Transport Cards

Thu, 07 Aug 2008 02:07:02 +0000

London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won't be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.

Here's the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the "Mifare Classic" chip, is used in hundreds of other transport systems as well — Boston, Los Angeles, Brisbane, Oslo, Amsterdam, Taipei, Shanghai, Rio de Janeiro — and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world.

The security of Mifare Classic is terrible. This is not an exaggeration; it's kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.

The group that broke Mifare Classic is from Radboud University Nijmegen in the Netherlands. They demonstrated the attack by riding the Underground for free, and by breaking into a building. Their two papers (one is already online) will be published at two conferences this autumn.

The second paper is the one that NXP sued over. They called disclosure of the attack "irresponsible," warned that it will cause "immense damages," and claimed that it "will jeopardize the security of assets protected with systems incorporating the Mifare IC." The Dutch court would have none of it: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

Exactly right. More generally, the notion that secrecy supports security is inherently flawed. Whenever you see an organization claiming that design secrecy is necessary for security — in ID cards, in voting machines, in airport security — it invariably means that its security is lousy and it has no choice but to hide it. Any competent cryptographer would have designed Mifare's security with an open and public design.

Secrecy is fragile. Mifare's security was based on the belief that no one would discover how it worked; that's why NXP had to muzzle the Dutch researchers. But that's just wrong. Reverse-engineering isn't hard. Other researchers had already exposed Mifare's lousy security. A Chinese company even sells a compatible chip. Is there any doubt that the bad guys already know about this, or will soon enough?

Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for. NXP's security was so bad because customers didn't know how to evaluate security: either they don't know what questions to ask, or didn't know enough to distrust the marketing answers they were given. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.

It's unclear how this break will affect Transport for London. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card. But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale. TfL promises to turn off any cloned cards within 24 hours, but that will hurt the innocent victim who had his card cloned more than the thief.

The vulnerability is far more serious to the companies that use Mifare Classic as an access pass. It would be very interesting to know how NXP presented the system's security to them.

And while these attacks only pertain to the Mifare Classic chip, it makes me suspicious of the entire product line. NXP sells a more secure chip and has another on the way, but given the number of basic cryptography mistakes NXP made with Mifare Classic, one has to wonder whether the "more secure" versions will be sufficiently so.

This essay originally appeared in the Guardian.

Are the Inmates Running the Jails in Maryland?

Sat, 26 Jul 2008 00:29:00 +0000

The front page of today's Washington Post tells us that the Prince George's Facility has come under scrutiny after the sudden death of Police murder suspect, Ronnie L. White.

The Post lists a number of correction officers who have been investigated, suspended and even jailed for wrong doings. One 13 year veteran was convicted on second degree assault after he beat a woman so badly that he broke her rib. That was not his first violent outburst however. In the late '90s his then wife had to get three protective orders issued against him.

In 2004, he pleaded guilty to breaking a woman's rib. The woman whose rib he broke was pregnant with his child. A judge put him on probation for that assault and ordered him to take anger management classes. The child that the woman was carrying was not so lucky. She miscarried days afer the beating.

The jail which incarcerates 1500 inmates, is said to be overcrowded by Government reports. The jail was built to hold 1330 inmates. One hundred and seventy extra inmates is hardly a serious "overcrowding" problem. The reported number of correction officers at 450, means that the ratio of imates to officers is not even 4:1. Compare that to a place like Riker's Island in New York City where the ratio of inmates to officers is probably closer to 25:1 and you will see that the officers in Maryland should not have many reasons to complain.

Of course, they should not have any reason to break the law either, but they do. Take the case of Renardo Humphrey, for instance. He was jailed this week after being convicted of armed robbery. Along with four others, he held up a couple of teenagers. Then there is Officer Kenneth Paul St. Clair, who joined the Department in 2004. This oxygen thief was convicted of second degree child abuse involving an 11 month old baby boy.

According to Police reports, the baby suffered multiple rib fractures, a skull fracture, internal bleeding, bruises on his face, chest, forehead and a bite mark on his shoulder. If I ever receive a call from a telemarketer tying to solicit money from me to support the fine upstanding members of the Prince George's Correction Department, I will make sure I tell him the story of the the little baby boy that was brutalized by one of his clients.

You may wonder why supervisors do not take more action and do not closely monitor the staff who apparently have a lot of anger management problems. Some Departments admitted that they only do background checks when officers are going for promotion. Therfore, if an officer is prone to beating up little babies and pregnant women, he just might go about his merry way without ever coming to notice - just so long as he does not seek promotion.

It would seem that all is not well with the Maryland Penal system. Perhaps a good overhaul is called for. It is not too much for society to expect that those who are entrusted with great authority do not abuse that authority. If they do and start behaving like those who have been removed from society, then they too should suffer the same fate.

Indiana State University professor's laptop is stolen

Thu, 17 Jul 2008 05:29:35 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Indiana State University

Contractor/Consultant/Branch:
None

Victims:
"students who took economics classes from 1997 through the spring semester 2008"

Number Affected:
"more than 2,500"

Types of Data:
"names, grades, e-mail addresses and student identification numbers"*

*Until 2003, student identification numbers were the equivalent of each student’s Social Security number.

Breach Description:
"A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday."

Reference URL:
Indiana State University
Associated Press via WTHI Channel 10 News
Associated Press via Chicago Tribune

Report Credit:
Indiana State University

Response:
From the online sources cited above:

A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.
[Evan] What do you suppose the purpose of the "password-protected" mention is? I hope it is not meant to reassure anyone that the information is safe. For those of you that do not know, password-protection is easily bypassed and in the opinion of many information security professionals (this one included), does NOT provide adequate protection for confidential information.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.
[Evan] If someone were to breach the "password security", what evidence would the school see? None. There would be no evidence (except locally on the laptop) if the local password store had been compromised. The school no longer has possession of the laptop, so the school would have no evidence.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals.

If you took an economics class during this time period, but did not receive a letter, please call the Registrar’s Office to verify that you were on the list, and to update your address so that we may send you a letter.
[Evan] Contact information for the Registrar's Office, click here.

The information includes names, grades, e-mail addresses and student identification numbers.

Beginning in 2003, use of social security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.
[Evan] A sound security decision by the university would have been to follow up with a project to identify and remove Social Security numbers already held as student IDs. Maybe it was, but the information on this laptop was missed.

The theft occurred Saturday while the professor was traveling in southern Indiana

the professor was traveling with his family and briefly left the computer unattended
[Evan] A laptop can grow legs in a flash. A person doesn't need to leave a laptop unattended for very long for it to disappear.

The incident occurred on July 12, 2008 and was reported to university officials on July 14, 2008.

The incident was reported immediately to the appropriate law enforcement agency and early Monday to university officials.

The extent of the information contained on the computer was not determined until Monday night.

Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers.
[Evan] Excellent policy provision. Policy does little if it is not communicated, enforced, audited against, and improved. Where was the failure in the breach? Was the policy not communicated to this professor, and thus he/she was not aware?

In addition, laptops provided to faculty are equipped with several security measures including encryption and a bio-metric fingerprint reader to prevent access by anyone other than the assigned user.
[Evan] An excellent standard (or procedure).

Approximately 500 ISU faculty members have laptop computers.

The university is reviewing its procedures to ensure compliance with existing policies, said Interim President C. Jack Maynard, the university’s provost and vice president for academic affairs

From the FAQs:

Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit.
[Evan] A SSN needs to be held in strict confidentiality in today's financial, employment, health, and other systems. It is often used for identification and authentication. Once an identity thief has a SSN, the owner of that SSN is now a prime target because the thief has the most confidential piece of information (ingredient) in the identity theft recipe. The rest of the information is typically easier to come by, i.e. name, address, employer, etc. It is true that an SSN alone is not enough information to commit identity theft, but it is an EXCELLENT start.

Commentary:
We can assume that the school knows the risks involved in storing confidential information on a poorly protected laptop. Otherwise, they probably wouldn't have policy and procedure against it. The school's statements that are meant to minimize the risk, seemingly without fact, are disappointing.

Past Breaches:
Unknown

Nice try, but I'm not buying it...

Thu, 17 Jul 2008 03:18:47 +0000

So a backup tape was stolen, no equipment was taken, nothing else appeared to be disturbed, and we're supposed to believe the thief wasn't after the data on the tape. In other words, the tape was taken without any idea how to retrieve the data. Maybe it was taken to serve as a paperweight.