PSN012 – New Threats and Old Heists
Apr 12th, 2009 by admin
In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.
Show Links
- Cell phone phishing attempt – SecurityDreamer
- D.C. Restaurants – Credit Card Cloning
- Locksmith shot by homeowner
- Attorney General sues locksmith company
- ALOA – Battle Phony Locksmiths
- Conficker War Room!
- Conficker wakes up, drops payload
- Conficker Eye Chart – are you infected?
- New Worm Targets Home Routers
- IT Security Vendors on Twitter
- The World’s Biggest Diamond Heist
- Resort Lock
- Wireless Schlage LiNK at Lowes.com
- Schlage LiNK on iPhone App Store
- Lock with latch sensor – Google Patents
- Superior Magnetic Switch Technology
I am back after taking a short break to work on some big projects. Keep listening to this podcast and stay in touch with the Lockmasters Security Institute website for some interesting news in the next few months.
This podcast is brought to you by the Lockmasters Security Institute in Nicholasville Kentucky. LSI has been the nation’s leading educational organization for technical and security education for more than 50 years. Our students come from the federal government, US military, Fortune 500 companies, private industry and law enforcement.
Here are some security related stories that you might not have heard about in the news over the last few weeks.
Computer Security
We’ve all seen the various mutations of the Nigerian phishing scam but now there is a new one targeted at cell phone users. Unfortunately for the bad guys, they happened to contact Steve Hunt, a noted security exert and consultant. He reports on his blog, SecurityDreamer.com, that he got a text message from CHASE stating Chase annual maintenance, please call 877-257-1139. When you call the number you hear a recorded voice that asks for your debit card number and pin. If you google the number you’ll notice others have received calls from the same number, but using different bank names. I wonder how many naive people actually fell for that one?
The Wired Magazine Threat Level Blog is reporting that a number of servers working at upscale restaurants in the Washington DC area just a few blocks from the White House, were recently arrested for allegedly using skimming devices to clone customer card data. The year long counterfeiting operation has netted over $750,000.
The ringleader would use the counterfeit data to purchase American Express gifts cards at local retail stores and then use them to purchase goods at high end retail shops.
The skimming operation was first spotted by CitiBank who observed fraudulent transactions immediately after legitimate card use at Clyde’s, one of the restaurants. A similar pattern emerged at 701 restaurant, frequented by Hilary Clinton. Cash register logs tied these transaction to a particular server who was later arrested.
So what can we learn from this story? First, we are reminded that credit card companies have some pretty nice software designed to spot patterns like this. And we should keep in mind that this type of thing happens all to frequently. My wife’s credit card was cloned at a small restaurant and then ‘tested’ with a small purchase at a local gas station. Within a few hours the bank was calling to see if a recent charge in Indonesia was legitimate. Second, we are reminded that magnetic stripe data is not secure at all. It is very easy to duplicate a credit card, or a mage stripe security access card.
The business of locksmithing
As we all know the economic times have devastated the housing market and many homes are in foreclosure all over the country. However, as we have reported before, in spite of the tough times, many locksmiths are benefitting through the increased sales of security products, safes, and field service work such as rekeying foreclosed homes for the banks and mortgage companies.
These good times for locksmiths are not without peril however. The Phoenix news media recently reported that a local locksmith arrived at a foreclosed home to unlock and rekey it. He expected the home to be vacant, and when he started working on the front door lock, he was shot through the door by the occupant of the home. The occupant of the home claimed no knowledge of the foreclosure and defended his actions stating he thought someone was breaking into his home.
So from this story we can learn to be a little more careful. Not withstanding the occupancy issue, foreclosures can be a very emotional time for the occupant which can lead to extreme unpredictability. Every attempt should be made to determine that the home is vacant before starting work and that the property is the legal possession of the bank . How do you handle foreclosures in your locksmith business? Do you have a written policy to follow? Drop us a note and let us know.
Locksmith Scams
While we are talking about how good the locksmith business is right now, we should also point that the scam artists are also trying to take advantage which gives the rest of us a bad name. If you google locksmith scam, you will get about 65,000 hits. It wont take much reading for you to find out that the problem is with phony locksmith companies who operate in dozens of different cities with generic names.
The Better Business Bureau blames most of the problem on two companies: Dependable Locksmith based in New York and Basad Inc. based in Englewood, Colorado. The BBB says unhappy customers complain that Dependable and Basad significantly overcharge, charge for unnecessary services, and use intimidation tactics. In some cases, the final bill is four times as much as the quoted price.
According to the Associated Locksmiths of America, These “phony locksmith” companies purposely manipulate phone book and internet listings with multiple false addresses and phone numbers to make it seem like a neighborhood business. In actuality, consumers are calling out-of-state operations that are not locksmith companies. The consumer is quoted a reasonable price over the phone, but when a person posing as a locksmith finishes the job, the consumer is charged a considerable amount more for unnecessary and/or sub-standard work.
The complaint heard most often by consumers is for car openings. The price quoted over the phone to stranded motorist is around $45. When the individual arrives and unlocks the car, he hands the motorist a bill for $135 – $150. This unscrupulous individual tells the frustrated consumer that the $45 was just the service call and that it was another $90 – $100 for servicing the lock. ALOA has record of a number of incidents of elderly consumers locked out of their homes and being charged $900 to $1700 to replace a $12 lock. These out-of-state operations are set up solely to make money by purposely defrauding the public.
Just this week the Missouri state Attorney General took action today to stop a Florida locksmith company from deceiving and overcharging customers in Kansas City. According to the report, Dependable Locks, Inc., violated Missouri law by fraudulently advertising itself by at least 16 different names that all led consumers to one company. In addition, company workers charged consumers 2-3 times more than the price quoted them to unlock their cars.
Investigators found that addresses listed for the different business names led to vacant lots and even homes of individuals not associated with the company. In addition, this locksmith company operated under business names that were not registered with the state. For more information on what you can do about phony locksmiths, visit ALOA.ORG. The link is in the show notes.
Computer Worms
The other big news in the lats few weeks was about the conficker worm. First detected in October 2008, this worm has infected an estimated 9 to 15 million windows based computers. It was expected to hatch its evil plans on April Fools day, but that day passed with no incident, and was the source of a lot of humor on some of the blogs. For example, former hacker and current wired editor Kevin Poulsen blogs “Dashboard oil light illuminated on drive to War Room. Conficker in car computer? Investigating.”, and later he blogs, “False alarm (apparently). Dipstick analysis suggests I was just low on oil.”
However, on April 8, Infosec reports that The Conficker worm is finally doing something. It is updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers. Researchers are analyzing the code of the software that is being
dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine.
In the war against conficker, the conficker working group dot org has set up a simple web site you can visit to see if your PC is infected. It is called the conficker eye chart, and if you are infected your PC will not load certain images on the website because the worm is known to block access to over 100 anti virus web sites. Give it a shot, it only takes a few seconds. The link is in the show notes. Of course if you use a MAC or Linux, don’t bother, you cannot catch this virus.
While we are on the subject of nasty computer viruses we should warn you about one that can infect your home or office router or cable modem. Known as “psyb0t” or Bluepill, this is the first worm known to be able to infect residential routers and modems. As of this date over 55 different home-based routers and DSL/cable modems are affected including common brands like Linksys and Netgear. See the article in the show notes for more details.
And finally, at the risk of boring you with computer security topics, some of the computer anti-virus vendors have twitter accounts so they can send out instant message alerts as they become aware of new threats. The list includes Cisco, Verisign, McAfee, Kapersky, Sophos, F-Secure, Websense, Trend Micro, and Panda Labs. See the show notes for links and twitter names.
The Great Diamond Caper
The April issue of Wired Magazine and Wired.com contains a great story of the worlds biggest diamond heist. The 100 million dollar theft occurred February 15, 2003 in Antwerp Belgium. The target was the Antwerp Diamond Center vault, protected with 10 layers of security. I won’t detail the entire story here as you can read it online. The link is in the show notes. I will tell you enough details you amaze you and tempt you to read the article. As security professionals it is very instructional for us to study successful crimes as it gives us insight into how the bad guys think, not to mention the mistakes we may have made in our defensive systems.
This operation was well funded by its sponsor, even to the point of a replica vault built inside an abandoned warehouse outside Antwerp. Briefly, some of the technical aspects were as follows. Months before the heist a small camera located over the vault recorded the combination as it was dialed and it was sent wirelessly to a watertight compartment inside a nearby fire extinguisher that contained electronics to record the video signal. The video camera also captured an image of the vault key.
Two days before the heist the armored card delivered the diamonds. One day before the heist, one of the perpetrators, who was a frequent visitor to the vault, was buzzed in again. The guard was used to seeing him by now and not pay close attention to him. He used a can of hair spray to cover the heat and motion sensor with a thin film. On the day of the heist the team entered through a balcony where they defeated the alarm sensors. Once at the vault they unscrewed the fasteners that held the magnetic sensor to the vault door and removed it while keeping it aligned with the magnet with a home made aluminum bracket. Next, even though they had carefully made a vault key from the photograph, they looked around the security office and found the original key hanging on a hook. Using the combination obtained with the camera, and the original key , and some final work on the alarm system and they were inside the vault.
They got away cleanly but like any good mystery, there is a surprise ending. Remember my mention of a sponsor? Did he have an ulterior motive? Were the bad guys actually set up? Read the story to find out. It is very entertaining.
ResortLock – for your vacation home or cabin in the woods.
In lock news, or as my boss would say, stories about brass, the folks at RESORT LOCK have recently launched an interesting product for vacation homes. It is not a new idea, Ilco launched a similar product several years ago. The lock works on a future code concept that allows you to control access to your property remotely, but without wires. How does it work? Inside the ResortLock is a computer chip that runs a complex algorithm. This algorithm is able to to compute what the code should be during any given time period. One way to think of it is that the lock is pre-loaded with codes. If you wanted to give someone access to your property from Friday at 2:00pm to Sunday at 12:00pm, your lock would already know that the code should be, for example, 12345678.
A computer program on your computer knows what the lock is thinking. It contains the exact same algorithm that the lock’s computer chip has. So essentially. your computer will know what your lock is thinking because they were both “pre-configured” to make the same computations and, as a result, come up with the same codes. The software & lock are synchronized with each other via the unique serial number of each lock. .
In the software you enter the start date and time along with the ending date and time which is the duration of allowed access. The software generates a code that will work only for the duration you specified.
Schlage Link iPhone App
This Resort Lock is a good idea and well executed, however their timing has conflicted with the release of other similar products released at the same time, but with more features. The Resort Lock retails for between $299 and $549. The price range reflects various additional features such as audit trail, scheduled access time zones, and weather resistance.
For a similar price you can look at the Schlage Wireless Link product. We have reported on this product before, but there are two new developments.
First, the Schalge Link is now available at Lowes and is priced at $299.00 The second development is a new free iPhone app to access the online features of the lock.
By way of review, the Schlage LiNK, is unlocked with either a 4-digit code, or with an iPhone or BlackBerry or other web-enabled phone. Further, the lock can be remotely interrogated as to its status and you can integrate other Z-Wave devices like thermostats and security cameras. It can even send you emails or texts when specific codes are entered on the locks—like when your child gets home from school. And you can make temporary codes for visitor access such as guests or contractors or just unlock the door with your phone.
Finally, unlike the Resort Lock, the Schlage lock is a deadbolt, not just a latch. The ResortLock does not carry a monthly fee and the Schlage Link costs 12.99 per month for access to the internet portal that is the bridge to connect all the other devices to the system.
Patent Application
Our last story is about a patent application filed by Security Door Controls for a Lock With Latch Sensor. The patent shows a cylindrical lock equipped with magnetic sensors to detect the “position of a latch mechanism within the housing of a lock”.
Ordinarily this would not be very interesting since magnetic sensor have been used in this way before. However the unique part of this approach is the use of a sensor made by Magnasphere as the detection switch. This magnetic switch can use an external magnet but it does not require one. The small ball inside the switch is a magnet and it moves according to an external magnetic field, or if a ferrous material is brought in range. Since locks a re loaded with ‘ferrous materials’ such a sensor greatly simplifies detecting movement of internal parts.
According to the Magnasphere web site, this device is the only high security sensor in the world that is resistant to external and internal magnetic defeat tampering and meets the NEW UL 634 Level 2 high security standard for magnetic contacts and sensors.
Closing thoughts
And in closing, I’d like to talk to the 65% of you that listen online sitting at your desk versus the 35% that listen via iTunes, and presumably transfer the show to their ipod or iphone.
That 35% of our audience is enjoying this program in a true “time shifted” manner by listening to it whenever they want, but with the added advantage of it being portable and listening anywhere they want. With an MP3 player you can listen during your commute to work, while you are working out at the gym, walking in the park, grocery shopping, or wherever you want. So if you are not downloading it automatically to your ipod, iphone, zune, or any mp3 player, I encourage you to do so. And along with our excellent podcast, you will find hundreds of others that will appeal to your personal and professional interests.
————————-
If you have any questions about any of the topics discussed today, or if you have a technical question you need an answer for, send me an email at info at prosecurity news dot com. I will answer both via email, and on the show so others can learn.
This podcast has been brought to you by the Lockmasters Security Institute in Nicholasville Kentucky. For more than 50 years LSI has been the nation’s leading educational organization for technical and security education. Our students come from the federal government, US military, Fortune 500 companies, private industry and law enforcement.
LSI offers 27 differentclasses covering security management practices, lock & safe technical skills, and law enforcement covert technical operations skills. Check the website at lsieducation.com for the 2009 schedule of classes.
//Jon
.gif "Subscriptions for generic MP3 players")
![[Valid RSS]](http://lsieducation.com/blog/images/valid-rss.png "Validate my RSS feed")
