Thursday, December 02, 2010

Now this is interesting... No indication if they were able to do this remotely or if they visited each ATM. Either way, this is ambitious.

Russian gang used customized virus bought from hacker forum on ATMs

December 2, 2010 by admin

Members of an organized criminal group responsible for infecting ATMs with a computer virus have been arrested in Yakutsk, capital of the far eastern Russian Republic of Sakha (Yakutia) according to the Ministry of the Interior.

The leader of the gang sought the services of a hacker through an international Internet forum. Once recruited the hacker then customized a computer program specifically for the group, so they could use it to target bank accounts through ATMs. The virus cost the gang 100,000 rubles ($3200).

The criminals managed to infect and gain control of all the ATMs in the city of Yakutsk. However, officers from Department ‘K’ of the Ministry of the Interior in the Republic of Yakutia apprehended the members of the gang before the plan could be put into full operation.

Read more on Host Exploits.

Gary Alexander tipped me off to this. It is now mandatory reading for my Computer Security students.

Verizon 2010 Data Breach Report Is Eye Opening

The 2010 Verizon and U.S. Secret Service breach report is chock full of enlightening facts, figures and statistics. I highly recommend you read it cover to cover. It breaks down the breaches by demographic, threat agents, threat actions, attack difficulty and targeting, vertical, and time span. It also compares how PCI compliance affected the number and severity of breaches.

You can grab it here.

For my Ethical Hackers: Another way to “confirm” a user's ID. Also a Business Opportunity: Develop a “fingerprint eradicator”

Race Is On to ‘Fingerprint’ Phones, PCs

December 1, 2010 by Dissent

Julia Angwin and Jennifer Valentino-Devries report:

David Norris wants to collect the digital equivalent of fingerprints from every computer, cellphone and TV set-top box in the world.

He’s off to a good start. So far, Mr. Norris’s start-up company, BlueCava Inc., has identified 200 million devices. By the end of next year, BlueCava says it expects to have cataloged one billion of the world’s estimated 10 billion devices.

Read more in the Wall Street Journal.

[From the article:

… Advertisers no longer want to just buy ads. They want to buy access to specific people. So, Mr. Norris is building a "credit bureau for devices" in which every computer or cellphone will have a "reputation" based on its user's online behavior, shopping habits and demographics.

Tracking companies are now embracing fingerprinting partly because it is much tougher to block than other common tools used to monitor people online, such as browser "cookies," tiny text files on a computer that can be deleted.

There's not yet a way for people to delete fingerprints that have been collected. In short, fingerprinting is largely invisible, tough to fend off and semi-permanent.

Ori Eisen, founder of 41st Parameter, says using fingerprinting to track devices is "fair game" because websites automatically get the data anyway.

I don't know what they will do, but I hate it?
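To make the "credit bureau for devices" concrete, here is an added example of the kind of device fingerprint the article is talking about. It is illustration written for this page, not BlueCava's or 41st Parameter's code; the attribute set, the hash and the sample device values are all assumptions.

```javascript
// Added example, not code from the article or from any fingerprinting vendor.
// A device fingerprint is just a stable hash over attributes the browser hands
// out on request. None of them is a cookie, so deleting cookies does not
// change the result; that is the "tough to block" property the article notes.

// FNV-1a 32-bit hash: small and dependency-free, enough to turn a bundle of
// attributes into an identifier (real products use MurmurHash or similar).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonicalise in a fixed key order so the same device always yields the same
// string no matter what order the attributes were collected in.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs)
    .sort()
    .map((k) => k + "=" + String(attrs[k]))
    .join("|");
  return fnv1a32(canonical);
}

// Browser-side collection (assumed attribute set; each one is readable by any
// page without permission). Only runs where navigator/screen exist.
function collectBrowserAttributes() {
  const n = navigator;
  const s = screen;
  return {
    ua: n.userAgent,
    lang: n.language,
    platform: n.platform,
    screen: s.width + "x" + s.height + "x" + s.colorDepth,
    tz: new Date().getTimezoneOffset(),
    plugins: Array.from(n.plugins || [], (p) => p.name).join(","),
    cookies: n.cookieEnabled,
  };
}

// Constructed sample standing in for one device, used for the offline run.
const SAMPLE_DEVICE = {
  ua: "Mozilla/5.0 (Windows NT 6.1) Example/1.0",
  lang: "en-US",
  platform: "Win32",
  screen: "1920x1080x24",
  tz: 300,
  plugins: "Shockwave Flash,Java",
  cookies: true,
};

if (typeof navigator !== "undefined" && typeof screen !== "undefined") {
  console.log("this browser:", fingerprint(collectBrowserAttributes()));
} else {
  console.log("sample device:", fingerprint(SAMPLE_DEVICE));
}
```

The practitioner's caveat: the identifier is only as stable as its inputs. A plugin update or a changed time zone moves the device to a new "fingerprint", which is why vendors combine many attributes and do fuzzy matching rather than exact hash lookups; the user-side "eradicator" Bob asks about amounts to making those inputs noisy or generic.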

FCC To Vote On Net Neutrality On December 21

"The FCC just released its tentative agenda for the December 21st open meeting, where the Commission will vote on whether to adopt rules to preserve net neutrality. According to the agenda the FCC will consider "adopting basic rules of the road to preserve the open Internet as a platform for innovation, investment, competition, and free expression." House Republicans have already promised to oppose any solution [When did this become a “Liberal” issue? Bob] put forth by FCC chairman Julius Genachowski."

How the government sees Privacy?

December 01, 2010

FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers

News release: "The Federal Trade Commission, the nation’s chief privacy policy and enforcement agency for 40 years, issued a preliminary staff report today that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.... The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses."

[From the report:

Some consumers are troubled by the collection and sharing of their information. Others have no idea that any of this information collection and sharing is taking place. Still others may be aware of this collection and use of their personal information but view it as a worthwhile trade-off for innovative products and services, convenience, and personalization. And some consumers – some teens for example – may be aware of the sharing that takes place, but may not appreciate the risks it poses.

[Four simple categories? Bob]

If this is Okay for Google, why isn't it Okay for YouPorn?

History Sniffing: How YouPorn Checks What Other Porn Sites You’ve Visited and Ad Networks Test The Quality of Their Data

December 1, 2010 by Dissent

OK, so you don’t go to any porn sites and may think this technology doesn’t affect you. Guess again and read on.

Kashmir Hill writes:

YouPorn is one of the most popular sites on the Web, with an Alexa ranking of 61. Those who visit the homemade-porn featuring site — essentially, a YouTube for porn enthusiasts — are subject to scrutiny, though, of the Web tracking variety. When a visitor surfs into the YouPorn homepage, a script running on the website checks to see what other porn sites that person has been to.

How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak [Actually, the intent was to show the users links that had already been visited, to avoid wasting time revisiting sites. Bob] to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography.*

The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

Read more on Forbes.
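The :visited trick described above, as an added example written for this page (it is not YouPorn's script and not the UCSD researchers' code). The probe URLs are constructed, and the purple "visited" colour is taken from the article; everything else is an assumption for illustration.

```javascript
// Added example of CSS :visited history sniffing, not code from the article.
// Mechanics: insert hidden <a> elements for the sites you want to test, give
// visited links a distinctive colour, then ask getComputedStyle() which colour
// each link actually received. The "visited" colour means the URL is in the
// victim's browser history.

// Hypothetical probe list (constructed for the example).
const PROBE_URLS = [
  "https://example-site-a.test/",
  "https://example-site-b.test/",
  "https://example-site-c.test/",
];

const VISITED_COLOR = "rgb(128, 0, 128)"; // purple, as in the article
const UNVISITED_COLOR = "rgb(0, 0, 255)";

// Core check kept DOM-free so it can run outside a browser:
// probe(url) returns the computed link colour for that url.
function sniffHistory(urls, probe) {
  const visited = [];
  for (const url of urls) {
    if (probe(url) === VISITED_COLOR) visited.push(url);
  }
  return visited;
}

// Browser wiring: a hidden container, a stylesheet that colours visited
// links, and a probe that creates one link per URL and reads its colour.
function makeDomProbe() {
  const style = document.createElement("style");
  style.textContent =
    "#hs a { color: " + UNVISITED_COLOR + "; } " +
    "#hs a:visited { color: " + VISITED_COLOR + "; }";
  document.head.appendChild(style);
  const box = document.createElement("div");
  box.id = "hs";
  box.style.display = "none"; // the victim never sees the links
  document.body.appendChild(box);
  return (url) => {
    const a = document.createElement("a");
    a.href = url;
    box.appendChild(a);
    return getComputedStyle(a).color;
  };
}

if (typeof document !== "undefined") {
  console.log("visited:", sniffHistory(PROBE_URLS, makeDomProbe()));
}
```

Two things to note. First, there is no user-side fix beyond clearing history: the leak is in the browser, which is why the only real remedy was the browser change that followed (Firefox 4 and the other major engines started reporting the unvisited style to script, so this code returns an empty list on current browsers). Second, the same check can be run with an image or a layout probe instead of a colour read, so blocking getComputedStyle alone was never sufficient.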

Recommended: Evaluating Data Breach Disclosure Laws

December 2, 2010 by admin

Sasha Romanosky writes:

I imagine most of you have received one or more letters from companies informing you that they lost your personal information. If so, what, if anything, did you do about it? Did you check your credit history, close a financial account, do something else, or nothing at all? If you did act, you likely did it to reduce your risk of suffering identity theft. My research question is: did it work? This is something that I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at Carnegie Mellon University, we empirically examine the effect of data breach disclosure (security breach notification) laws on identity theft. For a policy researcher, this represents a fantastic opportunity: a clear policy intervention (adoption of laws across different states), a heated controversy regarding the benefits and consequences of the laws that is both practically and academically interesting, good field data, and a powerful empirical analysis methodology to leverage (criminology).

An initial version of the paper used consumer reported identity theft data collected from the FTC from 2002-2006. Using just these data, we found a negative but not statistically significant result. In fact, I was quoted as saying, “we find no evidence that the laws reduce identity theft.” And it was true, we didn’t.

However, we have since augmented that work to include data up to 2009, which allowed us to include more observations, allowed the law to exist for longer, and allowed companies to adapt to them, and perhaps empowered more consumers to take action. We find that the laws did, indeed, reduce identity theft by about 6%. Moreover, we can say that we have a fair amount of confidence in this estimate because the results hold up to many kinds of permutations and transformations — which is very nice to see.

Read more on Concurring Opinions.

Legal extortion? Which Law School course teaches them how to do this?

Torrent users sue US Copyright Group for fraud and extortion

Dmitriy Shirokov is suing a Washington law firm that sent threatening letters to thousands of alleged movie downloaders, accusing the firm of fraud and extortion. He filed the 96-page lawsuit, which argues that lawyers at Dunlap, Grubb & Weaver made a business of threatening people with expensive litigation and fines unless they pay "settlement offers" of $1,500 to $2,500, in the US District Court of Massachusetts.

The firm was apparently never interested in actually litigating these claims. Although the legal firm threatened victims with expensive court action if they didn't cough up the cash, it had neither the resources nor the inclination to do so, meaning the letters in question were simply intended to frighten P2P users and get cash out of them.

Shirokov wants to make the case a class action that represents him and 4,576 other people who received threatening letters for having allegedly downloaded copies of Far Cry. The film was released in the summer of 2007 (Canada) and in December 2008 (US), yet the lawsuit says attorney Thomas Dunlap obtained a US copyright on the work by falsely asserting a date of "first publication" of November 24, 2009, allowing the law firm to claim that downloaders would be liable for statutory damages of up to $150,000 per download. Actual damages under the limited protection for works shown long before the copyright date would be a fraction of the retail DVD price of $27.

In short, Shirokov's lawsuit is accusing Dunlap, Grubb & Weaver of knowingly breaching copyright law to make money. The big picture is that it's alleging that the US Copyright Group is guilty of extortion, fraudulent omissions, mail fraud, wire fraud, computer fraud and abuse, racketeering, fraud upon the court, abuse of process, fraud on the Copyright Office, copyright misuse, unjust enrichment, and consumer protection violations.

It's not good to have a Judge tell you you made a mistake – a half-hour dressing down has got to really make you sweat. (But it is amusing to us non-lawyers)

Judge Berates Prosecutors In Xbox Modding Trial

"Opening statements in the first-of-its-kind Xbox 360 criminal hacking trial were delayed here Wednesday after a federal judge unleashed a 30-minute tirade at prosecutors in open court, saying he had 'serious concerns about the government's case.' ... Gutierrez slammed the prosecution over everything from alleged unlawful behavior by government witnesses, to proposed jury instructions harmful to the defense. When the verbal assault finally subsided, federal prosecutors asked for a recess to determine whether they would offer the defendant a deal, dismiss or move forward with the case that was slated to become the first jury trial of its type. A jury was seated Tuesday."

For my Ethical Hacker toolkit - For The Tracking Of Email Senders

As its name implies, Trace Email offers a suite of tools for the tracking of email senders. These include a reverse email address lookup tool, a tracer of email headers, a tracer of email IPs and an email finder by name. The four of them can be used at no cost, and without needing to sign up or anything like that.

None of these four tools is difficult to use. You seldom have to do more than cut and paste the relevant information such as the email header or the IP address to be tracked.

When it comes to the email finder by name, you must specify the State the person resides in for the search to be carried out. If you are missing that information, you can simply do a countrywide search and see if your luck is in.

Ultimately, Trace Email is a great set of tools. It can lend itself both to personal and professional uses, and it brings a lot of transparency to something as pivotal as computerized communications.
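What a "tracer of email headers" actually does is walk the Received chain. Here is an added example of that, written for this page rather than taken from Trace Email; the sample message, the host names and the list of trusted relays are all constructed for illustration.

```javascript
// Added example: extracting the hop chain from raw e-mail headers.
// Not Trace Email's code; the message below is constructed.

const SAMPLE_HEADERS = [
  "Return-Path: <sender@example.org>",
  "Received: from mx.example.net (mx.example.net [198.51.100.7])",
  "\tby inbound.example.com with ESMTP id abc123;",
  "\tThu, 2 Dec 2010 08:15:02 -0700",
  "Received: from [203.0.113.45] (helo=home-pc)",
  "\tby mx.example.net with SMTP; Thu, 2 Dec 2010 08:14:58 -0700",
  // This hop was supplied by the sender's own machine and can say anything.
  "Received: from totally-trusted.bank.example (10.0.0.5)",
  "\tby home-pc; Thu, 2 Dec 2010 08:10:00 -0700",
  "From: sender@example.org",
  "Subject: test",
].join("\r\n");

// Unfold continuation lines (RFC 5322: a line starting with whitespace
// continues the previous header) and return [name, value] pairs.
function parseHeaders(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && out.length) {
      out[out.length - 1][1] += " " + line.trim();
    } else {
      const i = line.indexOf(":");
      if (i > 0) out.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
    }
  }
  return out;
}

const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

// Each Received header is prepended by the server that added it, so the first
// one in the message is the last hop. Reversing gives delivery order, origin
// first. "ip" is the first address in the header, i.e. the connecting peer as
// recorded by the "by" server.
function receivedChain(raw) {
  return parseHeaders(raw)
    .filter(([name]) => name.toLowerCase() === "received")
    .map(([, value]) => {
      const ips = value.match(IPV4) || [];
      const by = /\bby\s+(\S+)/i.exec(value);
      return { ip: ips[0] || null, by: by ? by[1].replace(/;$/, "") : null, raw: value };
    })
    .reverse();
}

// Only hops recorded by servers you control or trust are believable; anything
// earlier in the chain was written by the sender. Walk back from the
// destination while the recording server is trusted and return the peer IP
// seen by the last trusted server. trustedBy is an assumed list.
function originIp(raw, trustedBy) {
  const chain = receivedChain(raw);
  let ip = null;
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedBy.includes(chain[i].by)) break;
    ip = chain[i].ip;
  }
  return ip;
}

console.log(receivedChain(SAMPLE_HEADERS).map((h) => h.ip + " -> " + h.by));
console.log("origin:", originIp(SAMPLE_HEADERS, ["inbound.example.com", "mx.example.net"]));
```

The point a web tool will not make for you: the bottom Received line is the easiest to forge, because the sender's own software writes it. The 10.0.0.5 "bank" hop in the sample is exactly that kind of decoy; the best you can vouch for is 203.0.113.45, the address your own relay saw connect, and if you trust only your inbound server you can vouch for nothing past 198.51.100.7.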
