[SecurityRatty] tag: thieves

10 steps to loading dock security

Sun, 05 Oct 2008 20:00:00 +0000

It's the stuff of CSO nightmares. Early on the morning of Sept. 2, while most folks were home sleeping off the hot dogs, thieves used bolt cutters to break into an Alltel Communications warehouse and four of its loading docks in Fort Smith, Ark. Sources say they escaped with an estimated US$10 million worth of cell phones, not a bad haul for their Labor Day efforts.

The asymmetry of data loss - data thief has an upper hand

Wed, 01 Oct 2008 02:33:22 +0000

I read this awesome book by Dan Geer, Economics and Strategies of Data Security. This gave me structure for my thoughts about a complex topic such as data security.

When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind.

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables - Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

Notorious Crime Forum DarkMarket Goes Dark

Wed, 17 Sep 2008 20:07:20 +0000

The top hangout for credit card thieves and phishers announces it's closing its doors, following the arrest of a Turkish hacker -- and alleged kidnapper -- prominent on the site.

Employee Fraud Spiralling Out of Control in the UK

Tue, 09 Sep 2008 06:08:00 +0000

You have read it before on TheBulletProofBlog - the tougher times get, the more likelihood that people will resort to criminal measures.

We reported it regarding the theft of copper from Churches, Hospitals, Schools - even from new homes still under construction. We brought to your attention the fact that thieves have become bolder, evidenced by the theft of manhole covers in public streets and drilling into fuel tanks on vehicles as petrol and diesel prices rise.

In "Personneltoday", it is reported that employers have been put on "red alert" as the downturn in the economy is prompting employees to make ends meet by dishonest means. One figure that employers every where are bound to find shocking is the fact that employee fraud has cost UK companies more than 77 Million Pounds Sterling (approx. $150,000,000.00),just in the first half of this year alone.

The most disturbing aspect of this figure is the fact that it is up from 10 Million Pounds Sterling (approx. $18,000,000.00)in the same period last year. This represents more than an 8 fold increase in employee fraud in a 12 month period.

The report was conducted by the accountancy firm BDO Stoy Hayward. Mr. Simon Bevan, the head of fraud services there attributes the escalation in criminal activity amongst employees to; "spiralling personal debt as a result of mortgage,food and fuel price hike". Sound familiar?

The population of the UK is one sixth that of the United States. It is frightening to imagine what the figures will look like from U.S. businesses at the end of this year and beyond. In 2002, employee fraud and abuse cost U.S. businesses $6 Billion Dollars (independently reported by the "Association of Certified Fraud Examiners" of which SEXTON is a member).

What would be the outcome to U.S, businesses if fraud costs escalated 8 fold to $48 Billion Dollars by year's end? How many would go under? How much further damage would that inflict on the already struggling economy? The economic circumstances in the U.S. are certainly similar to those of the UK.

U.S. businesses beware. Be proactive and fight fraud and abuse before it is too late. Your very survival just may depend upon it.

Thieves Target Homeowners and Builders

Fri, 29 Aug 2008 15:51:00 +0000

We have written about thefts of copper wire and even street manhole covers in the past. It appears that new homes and those being foreclosed upon are ripe targets for unscrupulous thieves.

Thankfully, there are many more solutions than in days past. Global Positioning Systems can now be hidden in materials and the thieves can be tracked in real time and the Police notified by the security consultant who has been hired to monitor their movements.

The highlighted link from "The New York Times", tells the sad story of a young couple and their 7 month old child who had to live onsite at their new house for many months in order to deter thieves.

We have spoken with home builders in the past regarding supplying security officers to monitor unfinished homes. One of the hurdles has been the cost of security. The escalating cost of these thefts may now make Home Builders think twice though.

The National Association of Home Builders claims that $5 BILLION a year is being stolen nationally by theives from homes under construction. That would purchase a lot of security services. Not to mention the cost of labor to replace that missing copper wire, plumbing fittings, doors & windows, etc.

Like we always say, thieves are opportunists. If you give them an opportunity such as leaving valuable building supplies unprotected, they will take them. On the other hand, if you put an obstacle in their path such as a site that is monitored by security cameras (with somebody on the other end of the camera - you'd be surprised how many businesses put in cameras but have nobody to monitor them)or a roving security vehicle, they will move along and ply their trade elsewhere.

That is called "target hardening". Quite literally, you make yourself (or your property) a harder, more difficult target. They then move along to some other target. Bad for someone else, but good for you.

Wells Fargo Codes Used To Access Personal Information

Mon, 18 Aug 2008 03:30:34 +0000

Personal data on some 7,000 consumers was illegally accessed over the Web by thieves using access codes belonging to Wells Fargo Bank.

Sorry CharlieCard, Your Security Model Is Broken

Sat, 09 Aug 2008 10:57:40 +0000

It sure seems like the CharlieCard, which is used by the Boston subway system, has a serious security weakness. The MBTA has sued 3 MIT students to stop them from giving a planned talk at DEFCON.

Doesn’t this seem backwards to you? Shouldn’t the MBTA be suing the vendor who sold them the flawed system? Security problems go away by mandating independant security testing before a product is accepted, not by trying to get security researchers to be quiet. This is a good example of how the reactive approach doesn’t work. The flaws are still in the system and suing researchers has just shined a bright light on them.

Update 08/09/2008 6:00pm EST:

The EFF is appealing the injunction which is blocking the students from speaking about the results of their testing.

A telling quote from Kurt Opsahl, staff attorney at the EFF gets to the heart of the issue:

“Courts have found that the First Amendment covers these things. We believe that this is a protected speech activity. When you discuss security issues, if you are telling the truth, that is something that should be protected.”

Apparently the MBTA has known about this problem since at least March, 2008 when a graduate student from the University of Virginia announced he was able to break the encryption system.

The U of VA researcher gave an interview where he described why security by obscurity is not a valid security approach for a cryptosystem:

Q: What are your thoughts on security by obscurity? Is NXP using this method of protection?

A: Security-through-obscurity hardly ever works. The lack of proper peer-review often even hurts the security of the system. Our Mifare work discovered several vulnerabilities that could be fixed without increasing the cost of the cards. NXP did for a long time rely on obscurity for the security of some of their products, but now decided against this outdated design approach and instead bases the security of newer RFID cards on publicly scrutinized cryptography and independent evaluations.

Q: Can you explain “Kerckhoffs Principle” and why it applies to your work?

A: Kerchoff, who lived in the 19th century, observed that keeping anything secret is really hard. So instead of relying on the secrecy of your whole system, it would a lot easier to only rely on the secrecy of a small secret key. Security systems should hence be publicly known and analyzed, and only the key should be secret. When properly realised for RFID cards, Kerchoff’s principle means that by analyzing their own cards, thieves cannot compromise your cards. This is contrary to our Mifare work, where we only analyzed a few copies of the the secret algorithm that is found in all cards and were consequently able affect the security of all the other billion cards out there.

The MBTA not only accepted a security system which relied on security by obscurity but once accepting this flawed model must try to maintain this obscurity with the court system.

The documents detailing the presentation are here.

ID theft ring attacked retailers on multiple levels

Tue, 05 Aug 2008 20:00:00 +0000

A ring of identity thieves that targeted U.S. retailers used sophisticated and multifaceted attacks to steal more than 40 million credit and debit card numbers from TJX, OfficeMax, Barnes & Noble and other companies, according to court documents.

Busch alerts N.H. residents: Stolen laptop had personal data

Fri, 01 Aug 2008 20:00:00 +0000

About 2,250 New Hampshire residents have been notified that their personal information was stored on a laptop computer taken by thieves that burgled an Anheuser-Busch Co. office in Missouri in June.

Washington DC Metro Farecard Hack

Tue, 22 Jul 2008 08:29:04 +0000

Clever:

Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.

My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold farecards on the street for half face value.