<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>ProSecurityNews &#187; admin</title>
	<atom:link href="http://lsieducation.com/blog/author/admin/feed/" rel="self" type="application/rss+xml" />
	<link>http://lsieducation.com/blog</link>
	<description>Security News and Commentary for Industry Professionals</description>
	<lastBuildDate>Sat, 09 May 2009 14:23:50 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<!-- podcast_generator="podPress/8.8" -->
		<copyright>&#xA9;Jon Payne, Sr., CML </copyright>
		<managingEditor>prosecuritynews@gmail.com (Jon Payne, Sr., CML)</managingEditor>
		<webMaster>prosecuritynews@gmail.com (Jon Payne, Sr., CML)</webMaster>
		<category></category>
		<ttl>1440</ttl>
		<itunes:keywords>locksmith, lockmasters, training, vault, security, homeland, law enforcement, military</itunes:keywords>
		<itunes:subtitle></itunes:subtitle>
		<itunes:summary>Security News and Commentary for Industry Professionals - Locksmiths, Security Technicians, Military, and Federal and Local Law Enforcement.</itunes:summary>
		<itunes:author>Jon Payne, Sr., CML</itunes:author>
		<itunes:category text="Technology">
  <itunes:category text="Tech News"/>
</itunes:category>
<itunes:category text="Education">
  <itunes:category text="Training"/>
</itunes:category>
<itunes:category text="Business">
  <itunes:category text="Business News"/>
</itunes:category>
		<itunes:owner>
			<itunes:name>Jon Payne, Sr., CML</itunes:name>
			<itunes:email>prosecuritynews@gmail.com</itunes:email>
		</itunes:owner>
		<itunes:block>Yes</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://lsieducation.com/blog/images/psn_600x600.jpg" />
		<image>
			<url>http://lsieducation.com/blog/images/psn_144x144.jpg</url>
			<title>ProSecurityNews</title>
			<link>http://lsieducation.com/blog</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>PSN012 &#8211; New Threats and Old Heists</title>
		<link>http://lsieducation.com/blog/2009/04/psn012-new-threats-and-old-heists/</link>
		<comments>http://lsieducation.com/blog/2009/04/psn012-new-threats-and-old-heists/#comments</comments>
		<pubDate>Sun, 12 Apr 2009 23:30:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://lsieducation.com/blog/?p=205</guid>
		<description><![CDATA[In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.
Show Links

Cell phone phishing attempt &#8211; SecurityDreamer 
D.C. Restaurants &#8211; Credit Card Cloning 
Locksmith shot by homeowner 
Attorney General [...]]]></description>
			<content:encoded><![CDATA[<p>In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.</p>
<h3>Show Links</h3>
<dl>
<dt><a href="http://www.securitydreamer.com/2009/03/new-spearphishing-attack-i-hadnt-heard-of-before.html">Cell phone phishing attempt &#8211; </a><a href="http://www.securitydreamer.com/2009/03/new-spearphishing-attack-i-hadnt-heard-of-before.html">SecurityDreamer</a> </dt>
<dt><a href="http://blog.wired.com/27bstroke6/2009/03/washington.html">D.C. Restaurants &#8211; Credit Card Cloning</a> </dt>
<dt><a href="http://www.azcentral.com/community/phoenix/articles/2009/03/16/20090316abrk-locksmith.html">Locksmith shot by homeowner</a> </dt>
<dt><a href="http://ago.mo.gov/newsreleases/2009/AG_Koster_warns_consumers_of_Dependable_Locks/">Attorney General sues locksmith company</a> </dt>
<dt><a href="http://www.aloa.org/AGMap/AG.htm">ALOA &#8211; Battle Phony Locksmiths</a> </dt>
<dt><a href="http://blog.wired.com/27bstroke6/2009/04/conficker-war-r.html">Conficker War Room! </a> </dt>
<dt><a href="http://www.infosecnews.org/pipermail/isn/2009-April/017662.html">Conficker wakes up, drops payload</a> </dt>
<dt><a href="http://www.confickerworkinggroup.org/infection_test/cfeyechart.html">Conficker Eye Chart &#8211; are you infected?</a> </dt>
<dt><a href="http://www.cio.com/article/486664/Nasty_New_Worm_Targets_Home_Routers_Cable_Modems">New Worm Targets Home Routers</a> </dt>
<dt><a href="http://www.cio.com/article/488285/IT_Security_Vendors_Worth_Following_on_Twitter">IT Security Vendors  on Twitter</a> </dt>
<dt><a href="http://www.wired.com/politics/law/magazine/17-04/ff_diamonds?currentPage=all">The World&#8217;s Biggest Diamond Heist</a> </dt>
<dt><a href="http://www.resortlock.com/resortlock/index.php">Resort Lock </a> </dt>
<dt><a href="http://www.electronichouse.com/article/wireless_schlage_link_security_now_at_lowescom/C157">Wireless Schlage LiNK at Lowes.com</a> </dt>
<dt><a href="http://www.prweb.com/releases/Schlage_LiNK/iPhone_App/prweb2280934.htm">Schlage LiNK on iPhone App Store</a> </dt>
<dt><a href="http://www.google.com/patents?id=yEyZAAAAEBAJ&amp;dq=Schlage&amp;as_psra=1&amp;as_psra=1&amp;ie=ISO-8859-1">Lock with latch sensor &#8211; Google Patents</a> </dt>
<dt><a href="http://www.magnasphere.com/index.html">Superior Magnetic Switch Technology</a></dt>
</dl>
<p style="margin-bottom: 0in;text-align:justify"><span id="more-205"></span></p>
<p style="margin-bottom: 0in;text-align:justify">I am back after taking a short break to work on some big projects. Keep listening to this podcast and stay in touch with the Lockmasters Security Institute website for some interesting news in the next few months.</p>
<p style="margin-bottom: 0in;text-align:justify">This podcast is brought to you by the Lockmasters Security Institute in Nicholasville Kentucky. LSI has been the nation&#8217;s leading educational organization for technical and security education for more than 50 years. Our students come from the federal government, US military, Fortune 500 companies, private industry and law enforcement.</p>
<p style="margin-bottom: 0in;text-align:justify">Here are some security related stories that you might not have heard about in the news over the last few weeks.</p>
<h3 style="margin-bottom: 0in;text-align:justify">Computer Security</h3>
<p style="margin-bottom: 0in;text-align:justify">We&#8217;ve all seen the various mutations of the Nigerian phishing scam but now there is a new one targeted at cell phone users. Unfortunately for the bad guys, they happened to contact Steve Hunt, a noted security exert and consultant. He reports on his blog, SecurityDreamer.com, that he got a text message from CHASE stating Chase annual maintenance, please call 877-257-1139. When you call the number you hear a recorded voice that asks for your debit card number and pin. If you google the number you&#8217;ll notice others have received calls from the same number, but using different bank names. I wonder how many naive people actually fell for that one?</p>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft size-full wp-image-212" style="margin: 10px;" title="skimmer" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/skimmer.jpg" alt="skimmer" width="80" height="90" />The Wired Magazine Threat Level Blog is reporting that a number of servers working at upscale restaurants in the Washington DC area just a few blocks from the White House, were recently arrested for allegedly using skimming devices to clone customer card data. The year long counterfeiting operation has netted over $750,000.</p>
<p style="margin-bottom: 0in;text-align:justify">The ringleader would use the counterfeit data to purchase American Express gift cards at local retail stores and then use them to purchase goods at high end retail shops.</p>
<p style="margin-bottom: 0in;text-align:justify">The skimming operation was first spotted by CitiBank who observed fraudulent transactions immediately after legitimate card use at Clyde&#8217;s, one of the restaurants. A similar pattern emerged at 701 restaurant, frequented by Hillary Clinton. Cash register logs tied these transactions to a particular server who was later arrested.</p>
<p style="margin-bottom: 0in;text-align:justify">So what can we learn from this story? First, we are reminded that credit card companies have some pretty nice software designed to spot patterns like this. And we should keep in mind that this type of thing happens all too frequently. My wife&#8217;s credit card was cloned at a small restaurant and then &#8216;tested&#8217; with a small purchase at a local gas station. Within a few hours the bank was calling to see if a recent charge in Indonesia was legitimate. Second, we are reminded that magnetic stripe data is not secure at all. It is very easy to duplicate a credit card, or a mag stripe security access card.</p>
<h3 style="margin-bottom: 0in;text-align:justify">The business of locksmithing</h3>
<p style="margin-bottom: 0in;text-align:justify">As we all know the economic times have devastated the housing market and many homes are in foreclosure all over the country. However, as we have reported before, in spite of the tough times, many locksmiths are benefitting through the increased sales of security products, safes, and field service work such as rekeying foreclosed homes for the banks and mortgage companies.</p>
<p style="margin-bottom: 0in;text-align:justify">These good times for locksmiths are not without peril however. The Phoenix news media recently reported that a local locksmith arrived at a foreclosed home to unlock and rekey it. He expected the home to be vacant, and when he started working on the front door lock, he was shot through the door by the occupant of the home. The occupant of the home claimed no knowledge of the foreclosure and defended his actions stating he thought someone was breaking into his home.</p>
<p style="margin-bottom: 0in;text-align:justify">So from this story we can learn to be a little more careful. Notwithstanding the occupancy issue, foreclosures can be a very emotional time for the occupant which can lead to extreme unpredictability. Every attempt should be made to determine that the home is vacant before starting work and that the property is the legal possession of the bank. How do you handle foreclosures in your locksmith business? Do you have a written policy to follow? Drop us a note and let us know.</p>
<h3 style="margin-bottom: 0in;text-align:justify">Locksmith Scams</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft size-full wp-image-208" style="margin-left: 10px; margin-right: 10px;" title="keys" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/keys.jpg" alt="keys" width="67" height="104" />While we are talking about how good the locksmith business is right now, we should also point out that the scam artists are also trying to take advantage, which gives the rest of us a bad name. If you google locksmith scam, you will get about 65,000 hits. It won&#8217;t take much reading for you to find out that the problem is with phony locksmith companies who operate in dozens of different cities with generic names.</p>
<p style="margin-bottom: 0in;text-align:justify">The Better Business Bureau blames most of the problem on two companies: Dependable Locksmith based in New York and Basad Inc. based in Englewood, Colorado. The BBB says unhappy customers complain that Dependable and Basad significantly overcharge, charge for unnecessary services, and use intimidation tactics. In some cases, the final bill is four times as much as the quoted price.</p>
<p style="margin-bottom: 0in;text-align:justify">According to the <a href="http://www.aloa.org">Associated Locksmiths of America,</a> these &#8220;phony locksmith&#8221; companies purposely manipulate phone book and internet listings with multiple false addresses and phone numbers to make it seem like a neighborhood business. In actuality, consumers are calling out-of-state operations that are not locksmith companies. The consumer is quoted a reasonable price over the phone, but when a person posing as a locksmith finishes the job, the consumer is charged a considerable amount more for unnecessary and/or sub-standard work.</p>
<p style="margin-bottom: 0in;text-align:justify">The complaint heard most often by consumers is for car openings. The price quoted over the phone to a stranded motorist is around $45. When the individual arrives and unlocks the car, he hands the motorist a bill for $135 &#8211; $150. This unscrupulous individual tells the frustrated consumer that the $45 was just the service call and that it was another $90 &#8211; $100 for servicing the lock. ALOA has a record of a number of incidents of elderly consumers locked out of their homes and being charged $900 to $1700 to replace a $12 lock. These out-of-state operations are set up solely to make money by purposely defrauding the public.</p>
<p style="margin-bottom: 0in;text-align:justify">Just this week the Missouri state Attorney General took action to stop a Florida locksmith company from deceiving and overcharging customers in Kansas City. According to the report, Dependable Locks, Inc., violated Missouri law by fraudulently advertising itself by at least 16 different names that all led consumers to one company. In addition, company workers charged consumers 2-3 times more than the price quoted them to unlock their cars.</p>
<p style="margin-bottom: 0in;text-align:justify">Investigators found that addresses listed for the different business names led to vacant lots and even homes of individuals not associated with the company. In addition, this locksmith company operated under business names that were not registered with the state. For more information on what you can do about phony locksmiths, visit <a href="http://www.aloa.org">ALOA.ORG</a>. The link is in the show notes.</p>
<h3 style="margin-bottom: 0in;text-align:justify">Computer Worms</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft" style="border: 0pt none; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/sbres-1239332574-3.jpg" border="0" alt="" width="111" height="118" />The other big news in the last few weeks was about the Conficker worm. First detected in October 2008, this worm has infected an estimated 9 to 15 million Windows-based computers. It was expected to hatch its evil plans on April Fools&#8217; Day, but that day passed with no incident, and was the source of a lot of humor on some of the blogs. For example, former hacker and current Wired editor Kevin Poulsen blogs “Dashboard oil light illuminated on drive to War Room. Conficker in car computer? Investigating.”, and later he blogs, “False alarm (apparently). Dipstick analysis suggests I was just low on oil.”</p>
<p style="margin-bottom: 0in;text-align:justify">However, on April 8, Infosec reports that the Conficker worm is finally doing something. It is updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers. Researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine.</p>
<p style="margin-bottom: 0in;text-align:justify">In the war against Conficker, the Conficker Working Group dot org has set up a simple web site you can visit to see if your PC is infected. It is called the <a href="http://www.confickerworkinggroup.org/infection_test/cfeyechart.html">Conficker Eye Chart</a>, and if you are infected your PC will not load certain images on the website because the worm is known to block access to over 100 antivirus web sites. Give it a shot, it only takes a few seconds. The link is in the show notes. Of course if you use a Mac or Linux, don&#8217;t bother, you cannot catch this virus.</p>
<p style="margin-bottom: 0in;text-align:justify">While we are on the subject of nasty computer viruses we should warn you about one that can infect your home or office router or cable modem. Known as &#8220;psyb0t&#8221; or Bluepill, this is the first worm known to be able to infect residential routers and modems. As of this date over 55 different home-based routers and DSL/cable modems are affected including common brands like Linksys and Netgear. See the article in the show notes for more details.</p>
<p style="margin-bottom: 0in;text-align:justify">And finally, at the risk of boring you with computer security topics, some of the computer anti-virus vendors have Twitter accounts so they can send out instant message alerts as they become aware of new threats. The list includes Cisco, Verisign, McAfee, Kaspersky, Sophos, F-Secure, Websense, Trend Micro, and Panda Labs. See the show notes for links and Twitter names.</p>
<h3 style="margin-bottom: 0in;text-align:justify">The Great Diamond Caper</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft" style="border: 0pt none; margin: 5px; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/sbres-1239332574-4.jpg" border="0" alt="" hspace="5" vspace="5" width="94" height="100" /></p>
<p style="margin-bottom: 0in;text-align:justify">The April issue of Wired Magazine and Wired.com contains a great story of the world&#8217;s biggest diamond heist. The 100 million dollar theft occurred February 15, 2003 in Antwerp, Belgium. The target was the Antwerp Diamond Center vault, protected with 10 layers of security. I won&#8217;t detail the entire story here as you can read it online. The link is in the show notes. I will tell you enough details to amaze you and tempt you to read the article. As security professionals it is very instructional for us to study successful crimes as it gives us insight into how the bad guys think, not to mention the mistakes we may have made in our defensive systems.</p>
<p style="margin-bottom: 0in;text-align:justify">This operation was well funded by its sponsor, even to the point of a replica vault built inside an abandoned warehouse outside Antwerp. Briefly, some of the technical aspects were as follows. Months before the heist a small camera located over the vault recorded the combination as it was dialed and it was sent wirelessly to a watertight compartment inside a nearby fire extinguisher that contained electronics to record the video signal. The video camera also captured an image of the vault key.</p>
<p style="margin-bottom: 0in;text-align:justify">Two days before the heist the armored car delivered the diamonds. One day before the heist, one of the perpetrators, who was a frequent visitor to the vault, was buzzed in again. The guard was used to seeing him by now and did not pay close attention to him. He used a can of hair spray to cover the heat and motion sensor with a thin film. On the day of the heist the team entered through a balcony where they defeated the alarm sensors. Once at the vault they unscrewed the fasteners that held the magnetic sensor to the vault door and removed it while keeping it aligned with the magnet with a homemade aluminum bracket. Next, even though they had carefully made a vault key from the photograph, they looked around the security office and found the original key hanging on a hook. Using the combination obtained with the camera, the original key, and some final work on the alarm system, they were inside the vault.</p>
<p style="margin-bottom: 0in;text-align:justify">They got away cleanly but like any good mystery, there is a surprise ending. Remember my mention of a sponsor? Did he have an ulterior motive? Were the bad guys actually set up? Read the story to find out. It is very entertaining.</p>
<h3 style="margin-bottom: 0in;text-align:justify">ResortLock &#8211; for your vacation home or cabin in the woods.</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft" style="border: 0pt none; margin: 5px; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/sbres-1239332574-5.jpg" border="0" alt="" hspace="5" vspace="5" width="87" height="90" />In lock news, or as my boss would say, stories about brass, the folks at RESORT LOCK have recently launched an interesting product for vacation homes. It is not a new idea; Ilco launched a similar product several years ago. The lock works on a future code concept that allows you to control access to your property remotely, but without wires. How does it work? Inside the ResortLock is a computer chip that runs a complex algorithm. This algorithm is able to compute what the code should be during any given time period. One way to think of it is that the lock is pre-loaded with codes. If you wanted to give someone access to your property from Friday at 2:00pm to Sunday at 12:00pm, your lock would already know that the code should be, for example, 12345678.</p>
<p style="margin-bottom: 0in;text-align:justify">A computer program on your computer knows what the lock is thinking. It contains the exact same algorithm that the lock&#8217;s computer chip has. So essentially, your computer will know what your lock is thinking because they were both &#8220;pre-configured&#8221; to make the same computations and, as a result, come up with the same codes. The software &amp; lock are synchronized with each other via the unique serial number of each lock.</p>
<p style="margin-bottom: 0in;text-align:justify">In the software you enter the start date and time along with the ending date and time which is the duration of allowed access. The software generates a code that will work only for the duration you specified.</p>
<h3 style="margin-bottom: 0in;text-align:justify">Schlage Link iPhone App</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft size-full wp-image-211" style="margin: 10px;" title="schlage" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/schlage.png" alt="schlage" width="115" height="169" />This Resort Lock is a good idea and well executed, however their timing has conflicted with the release of other similar products released at the same time, but with more features. The Resort Lock retails for between $299 and $549. The price range reflects various additional features such as audit trail, scheduled access time zones, and weather resistance.</p>
<p style="margin-bottom: 0in;text-align:justify">For a similar price you can look at the Schlage Wireless Link product. We have reported on this product before, but there are two new developments.</p>
<p style="margin-bottom: 0in;text-align:justify">First, the Schlage Link is now available at Lowes and is priced at $299.00. The second development is a new free iPhone app to access the online features of the lock.</p>
<p style="margin-bottom: 0in;text-align:justify">By way of review, the Schlage LiNK, is unlocked with either a 4-digit code, or with an iPhone or BlackBerry or other web-enabled phone. Further, the lock can be remotely interrogated as to its status and you can integrate other Z-Wave devices like thermostats and security cameras. It can even send you emails or texts when specific codes are entered on the locks—like when your child gets home from school. And you can make temporary codes for visitor access such as guests or contractors or just unlock the door with your phone.</p>
<p style="margin-bottom: 0in;text-align:justify">Finally, unlike the Resort Lock, the Schlage lock is a deadbolt, not just a latch. The ResortLock does not carry a monthly fee and the Schlage Link costs 12.99 per month for access to the internet portal that is the bridge to connect all the other devices to the system.</p>
<h3 style="margin-bottom: 0in;text-align:justify">Patent Application</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft size-full wp-image-214" style="margin: 10px;" title="patent" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/patent.png" alt="patent" width="181" height="165" />Our last story is about a patent application filed by Security Door Controls for a Lock With Latch Sensor. The patent shows a cylindrical lock equipped with magnetic sensors to detect the “position of a latch mechanism within the housing of a lock”.</p>
<p style="margin-bottom: 0in;text-align:justify">Ordinarily this would not be very interesting since magnetic sensors have been used in this way before. However the unique part of this approach is the use of a sensor made by Magnasphere as the detection switch. This magnetic switch can use an external magnet but it does not require one. The small ball inside the switch is a magnet and it moves according to an external magnetic field, or if a ferrous material is brought in range. Since locks are loaded with &#8216;ferrous materials&#8217; such a sensor greatly simplifies detecting movement of internal parts.</p>
<p style="margin-bottom: 0in;text-align:justify">According to the Magnasphere web site, this device is the only high security sensor in the world that is resistant to external and internal magnetic defeat tampering and meets the NEW UL 634 Level 2 high security standard for magnetic contacts and sensors.</p>
<h3 style="margin-bottom: 0in;text-align:justify">Closing thoughts</h3>
<p style="margin-bottom: 0in;text-align:justify"><img class="alignleft size-full wp-image-215" style="margin: 10px;" title="podcast" src="http://lsieducation.com/blog/wp-content/uploads/2009/04/podcast.png" alt="podcast" width="125" height="100" />And in closing, I&#8217;d like to talk to the 65% of you that listen online sitting at your desk versus the 35% that listen via iTunes, and presumably transfer the show to their ipod or iphone.</p>
<p style="margin-bottom: 0in;text-align:justify">That 35% of our audience is enjoying this program in a true “time shifted” manner by listening to it whenever they want, but with the added advantage of it being portable and listening <span style="text-decoration: underline;"><em><strong>anywhere</strong></em></span> they want. With an MP3 player you can listen during your commute to work, while you are working out at the gym, walking in the park, grocery shopping, or wherever you want. So if you are not downloading it automatically to your ipod, iphone, zune, or any mp3 player, I encourage you to do so. And along with our excellent podcast, you will find hundreds of others that will appeal to your personal and professional interests.</p>
<p style="margin-bottom: 0in">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p style="margin-bottom: 0in">If you have any questions about any of the topics discussed today, or if you have a technical question you need an answer for, send me an email at <a href="mailto:info@prosecuritynews.com">info at prosecurity news dot com</a>. I will answer both via email, and on the show so others can learn.</p>
<p style="margin-bottom: 0in">This podcast has been brought to you by the Lockmasters Security Institute in Nicholasville Kentucky. For more than 50 years LSI has been the nation&#8217;s leading educational organization for technical and security education. Our students come from the federal government, US military, Fortune 500 companies, private industry and law enforcement.</p>
<p style="margin-bottom: 0in">LSI offers 27 different classes covering security management practices, lock &amp; safe technical skills, and law enforcement covert technical operations skills. Check the website at <a href="http://www.lsieducation.com">lsieducation.com</a> for the 2009 schedule of classes.</p>
<p style="margin-bottom: 0in;text-align:justify">//Jon</p>
]]></content:encoded>
			<wfw:commentRss>http://lsieducation.com/blog/2009/04/psn012-new-threats-and-old-heists/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
			<enclosure url="http://media.libsyn.com/media/psnlsi/PSN012.mp3" length="18658451" type="audio/mpeg"/>
<itunes:duration>19:25</itunes:duration>
		<itunes:subtitle>In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing ...</itunes:subtitle>
		<itunes:summary>In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.</itunes:summary>
		<itunes:keywords>locksmith, lockmasters, training, vault, security, homeland, law enforcement, military</itunes:keywords>
		<itunes:author>Jon Payne, Sr., CML</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>PSN012E &#8211; (Enhanced) New Threats and Old Heists.</title>
		<link>http://lsieducation.com/blog/2009/04/psn012e-enhanced-new-threats-and-old-heists/</link>
		<comments>http://lsieducation.com/blog/2009/04/psn012e-enhanced-new-threats-and-old-heists/#comments</comments>
		<pubDate>Sun, 12 Apr 2009 23:00:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lsieducation.com/blog/?p=217</guid>
		<description><![CDATA[
(Enhanced Podcast) In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.
This is the enhanced version of the podcast with embedded images and chapter markers much like a [...]]]></description>
			<content:encoded><![CDATA[<div>
<p style="margin-bottom: 0in;text-align:justify">(Enhanced Podcast) In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.</p>
<p style="margin-bottom: 0in;text-align:justify">This is the <a href="http://support.apple.com/kb/HT1597">enhanced version</a> of the podcast with embedded images and chapter markers much like a DVD. See PSN012 for the show links and the full text of the podcast.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://lsieducation.com/blog/2009/04/psn012e-enhanced-new-threats-and-old-heists/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
			<enclosure url="http://media.libsyn.com/media/psnlsi/PSN012E.m4a" length="17291558" type="audio/x-m4a"/>
<itunes:duration>19:25</itunes:duration>
		<itunes:subtitle>(Enhanced Podcast) In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, ...</itunes:subtitle>
		<itunes:summary>(Enhanced Podcast) In this show we will cover credit card skimming, the rewards and some hazards of being a locksmith today, some computer security threats, an amazing diamond heist, some new electronic locks, and finally an interesting patent application.
This is the enhanced version of the podcast with embedded images and chapter markers much like a DVD. See PSN012 for the show links and the full text of the podcast.


</itunes:summary>
		<itunes:keywords>locksmith, lockmasters, training, vault, security, homeland, law enforcement, military</itunes:keywords>
		<itunes:author>Jon Payne, Sr., CML</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>Yes</itunes:block>
	</item>
		<item>
		<title>PSN011 &#8211; Hacks, Threats, Dumpster Diving and a new schedule</title>
		<link>http://lsieducation.com/blog/2009/02/psn011-hacks-threats-dumpster-diving-and-a-new-schedule/</link>
		<comments>http://lsieducation.com/blog/2009/02/psn011-hacks-threats-dumpster-diving-and-a-new-schedule/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 11:11:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Electronics]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://lsieducation.com/blog/?p=185</guid>
		<description><![CDATA[In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.
Show Links

Smartphone Threats Intensify &#8211; DarkReading 
Security researchers crack laptop facial biometrics 
Black Hat ® DC 2009 Briefings Archives 
How Attackers Use Your [...]]]></description>
			<content:encoded><![CDATA[<p>In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.</p>
<h3>Show Links</h3>
<dl>
<dt><a href="http://www.darkreading.com/personal_tech/smartphones/showArticle.jhtml?articleID=214303555&amp;cid=RSSfeed">Smartphone Threats Intensify &#8211; DarkReading</a> </dt>
<dt><a href="http://www.computerweekly.com/Articles/2009/02/19/234913/security-researchers-crack-laptop-facial-biometrics.htm">Security researchers crack laptop facial biometrics</a> </dt>
<dt><a href="http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html">Black Hat ® DC 2009 Briefings Archives</a> </dt>
<dt><a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=214200389&amp;cid=RSSfeed">How Attackers Use Your Metadata Against You</a> </dt>
<dt><a href="http://hackaday.com/2009/02/16/shmoocon-2009-chris-pagets-rfid-cloning-talk/">ShmooCon 2009: Chris Paget’s RFID cloning talk &#8211; Hack a Day</a> </dt>
<dt><a href="http://www.securitydreamer.com/2009/02/scoring-big-in-corporate-dumpster-diving.html">SecurityDreamer Dumpster Diving</a></dt>
</dl>
<p><a href="http://media.libsyn.com/media/psnlsi/BlackHat-DC-09-Nguyen-Face-not-your-password.pdf" target="_blank">Your Face is NOT Your Password -  how they did it (PDF File)</a></p>
<p>//Jon</p>
<p>Click the link to read the entire show transcript.</p>
<p><span id="more-185"></span></p>
<h2 style="margin-bottom: 0in">Smartphone Threats Increase</h2>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft" style="border: 0pt none; margin: 10px 5px; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/sbres-1235173236-0.jpg" border="0" alt="" hspace="5" vspace="10" width="89" height="120" />We have commented several times about the security threats posed by smartphones, and a study was just released that adds more fuel to the fire.</p>
<p style="margin-bottom: 0in; text-align: justify;">In previous articles we have mentioned the hazards of cell phones in the workplace. Besides hindering productivity, they may be equipped with data gathering technologies that early James Bonds would have only dreamed of. They can record conversations both on and off the phone. They can take both still and motion pictures of your company secrets. They have access to your corporate VPN. And many can act as portable storage devices connected like a thumb drive to a USB port on a network computer. Armed with email and web access, your stolen data can be sent out of the building in record time.</p>
<p style="margin-bottom: 0in; text-align: justify;">According to a new report released by McAfee, the famous antivirus company, more than half of mobile device-makers said their products experienced malware, voice-, or text spam attacks last year. McAfee&#8217;s report, which is based on a survey of 30-plus mobile device manufacturers from around the world, found these vendors are getting hit with more malware attacks than ever before.</p>
<p style="margin-bottom: 0in; text-align: justify;">Experts have long warned that smartphones, such as Windows Mobile and iPhone handsets, could become the new weakest link in the enterprise, with more users relying on them for accessing corporate email, surfing the Web, and other applications.</p>
<p style="margin-bottom: 0in; text-align: justify;">Enterprise smartphones are starting to get hit with the types of security problems wireless LANs have been facing, industry experts say. Viruses &#8212; especially via Windows &#8212; can be carried from smartphones to the network, they say, which puts the entire infrastructure at risk.</p>
<p style="margin-bottom: 0in; text-align: justify;">So now we not only have to worry about what a smart phone can remove from your business, but also what it might inject in the form of malware or a virus.</p>
<h2 style="margin-bottom: 0in">Laptop Facial Recognition Cracked</h2>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft size-full wp-image-186" style="margin: 1px 7px;" title="fr1" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/fr1.jpg" alt="fr1" width="192" height="144" />You may be aware that many laptop computers have a small built-in webcam just above the screen. They have been put to several interesting uses. One such use is sending you an email photograph of the guy who just stole your computer. Another recent use available on a few laptops is facial recognition. The first time I saw someone use this I thought it was kind of bizarre. I observed Lloyd pick up his laptop and bring it near his face to log in instead of using a password.</p>
<p style="margin-bottom: 0in; text-align: justify;">Anyway, researchers in Vietnam have cracked the facial recognition on many of these laptops and they demonstrated the technique at the Black Hat security convention in Washington DC this week. They cracked the systems built into Lenovo, Toshiba and Asus laptops.</p>
<p style="margin-bottom: 0in; text-align: justify;">Essentially the researchers were able to bypass the security systems by showing the camera a picture of the registered user. They were also able to gain entry by showing the camera pictures of other people&#8217;s faces, after manipulating light and shade settings.</p>
<p style="margin-bottom: 0in; text-align: justify;"><a href="http://media.libsyn.com/media/psnlsi/BlackHat-DC-09-Nguyen-Face-not-your-password.pdf" target="_blank">The link to the technical paper explaining the technique is on our website in the show notes.</a></p>
<p style="margin-bottom: 0in; text-align: justify;">So what can we learn from this? Probably that it is best to let new technology be tested by others before you adopt it.</p>
<h2 style="margin-bottom: 0in">META Data Used Against You</h2>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft size-full wp-image-187" style="margin-left: 8px; margin-right: 8px;" title="picture-21" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/picture-21.png" alt="picture-21" width="324" height="157" />While we are talking about computer related threats, did you know that the mere act of attaching a Word Document or PowerPoint presentation to an email could reveal confidential data to the recipient?</p>
<p style="margin-bottom: 0in; text-align: justify;">The Dark Reading Blog explains how. Metadata is a powerful feature of many document and file types, including Microsoft Office documents, PDFs, JPGs, ZIP files, and multimedia formats. Depending on the application and the file, metadata might contain information such as author names, user names, version of the software used to create the file, the user&#8217;s operating system, and sometimes even the computer&#8217;s MAC address. Armed with this data, an attacker can develop exploits that might work not only on a specific file, but on all similar file types in an enterprise.</p>
<p style="margin-bottom: 0in; text-align: justify;">The report goes on to explain that metadata is also helpful in social engineering attacks. Knowing the five different authors of a document, an attacker can &#8220;drop names&#8221; via the phone to make his scheme seem more credible. Similarly, location information contained in photos could be mentioned, making the calls seem more legit.</p>
<p style="margin-bottom: 0in; text-align: justify;">Metadata can also help with physical theft. For example, users may post images to Flickr or Twitter from a phone that enables geo-tagging. This information can give attackers the location of a target&#8217;s home or business, and where he might be on a daily basis. Similarly, the MAC address of the system can indicate the type of hardware used, making it easier to identify mobile workers who are likely to have laptops that are kept in places where they might be easy to steal.</p>
<p style="margin-bottom: 0in; text-align: justify;">If you want to know more, see the link to this article in the show notes. The original article has a link to a white paper titled Document MetaData, The silent killer. The article also has a few real life examples of how metadata tripped up a pharmaceutical company that deleted damaging data from a research report, how former president Bush was taken to task about the original author of a speech about Iraq, and about how redacted information in a released Pentagon document was easily revealed.</p>
<h2 style="margin-bottom: 0in">Electronic Combination Locks</h2>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft" style="border: 0pt none; margin: 5px; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/sbres-1235173236-2.jpg" border="0" alt="" hspace="5" vspace="5" width="147" height="159" />Listener Dave in Virginia wrote in recently to remind us about the many benefits of electronic safe locks. Obvious benefits, but benefits that we need to remind ourselves of from time to time. Dave was primarily concerned that today's economic climate was causing businesses to be a little foolish with cost cutting.</p>
<p style="margin-bottom: 0in; text-align: justify;">For example, if a manager's salary is tied to the profitability of his organization, then it is only natural to cut costs wherever possible to increase profit and increase his bonus. The problem comes in when this cost cutting involves security procedures.</p>
<p style="margin-bottom: 0in; text-align: justify;">By way of example, let's consider the case of a fast-food chain that found that managers were reluctant to change safe combinations. Despite a specific security policy about safe combination changes when user turnover occurred, some managers ignored the policy and did not make timely combination changes to save money and increase their bonus.</p>
<p style="margin-bottom: 0in; text-align: justify;">The solution to this problem was electronic safe combination locks that the manager could change. So instead of calling a locksmith and paying for a service call, the manager could, and would, change the combination upon employee turnover thus maintaining security.</p>
<p style="margin-bottom: 0in; text-align: justify;">The electronic locks also have other benefits over mechanical combination locks, which are roughly Civil War era technology. Mechanical combination locks must be dialed in a precise sequence and dialed accurately to open them. This can be time consuming and frustrating for the user. So much so that it is common that the safe will not be locked properly during the day. The dial might be turned just enough to lock the safe boltworks, but requiring only a quarter turn to open it again, without dialing the combination.</p>
<p style="margin-bottom: 0in; text-align: justify;">Electronic locks can help because a PIN is much easier and faster to enter to unlock the safe, and policies require that a manager be in and out of a cash management safe many times per day. Combine the rapid ease of use with the ease of setting a new combination and you have a winner for the security department.</p>
<p style="margin-bottom: 0in; text-align: justify;">Electronic safe locks have 3 basic categories and price points.</p>
<ol style="text-align: justify;">
<li>
<p style="margin-bottom: 0in">At the low end, electronic safe locks provide basic PIN access and user-changeable PINs</p>
</li>
<li>
<p style="margin-bottom: 0in">The middle range locks offer multiple-user capabilities, programmable time delays and an electronic token combined with a PIN for extra security</p>
</li>
<li>
<p style="margin-bottom: 0in">At the high end, the locks include time windows to restrict lock opening to business hours, audit trail capabilities and even dual custody. Some even have a &#8216;door left open&#8217; alarm.</p>
</li>
</ol>
<p style="margin-bottom: 0in; text-align: justify;">So what can we learn from this? The most significant reason electronic safe locks have become so popular is the user-changeable access code feature. By allowing users to quickly and easily change individual access codes, store personnel can maintain security policies while not impacting store profitability. Often, the cost savings associated with user-changeable access codes can justify the capital investment of an electronic safe lock within the first year of operation. If you want to know more about electronic safe locks, consider signing up for the Safe Lock Servicing class at Lockmasters Security Institute. Visit the website at lsieducation.com to learn more.</p>
<h2 style="margin-bottom: 0in; text-align: justify;">RFID Passport Cloning</h2>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft" style="border: 0pt none; margin: 5px; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/sbres-1235173236-3.jpg" border="0" alt="" hspace="5" vspace="5" width="111" height="162" />In the last episode we spoke about researcher Chris Paget, who planned to release the details of his &#8216;drive by passport cloning system&#8217; during the Shmoocon hacker convention held in Washington DC. You may recall he used components purchased on eBay for less than $250 to do some drive-by discovery of RFID-enabled devices. In a manner similar to Wardriving, where a mobile laptop discovers insecure Wi-Fi network resources, the researcher equipped his vehicle to discover nearby RFID devices and capture the unique identifier code. During a 20 minute drive in downtown San Francisco he was able to copy the RFID tags of two passports without the knowledge of the passport holder.</p>
<p style="margin-bottom: 0in; text-align: justify;">Anyway, his talk is available as a video on the hackaday.com website if you are interested. There is a link in the show notes.</p>
<h2 style="margin-bottom: 0in; text-align: justify;">Dumpster Diving</h2>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft" style="border: 0pt none; margin: 5px 8px; text-align: left;" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/sbres-1235173236-4.jpg" border="0" alt="" hspace="5" vspace="5" width="135" height="144" />Steve Hunt of the Security Dreamer blog has an interesting video blog post of the results of his recent dumpster diving score. He wanted to prove the point that the IT guys in a facility don&#8217;t have exclusive domain over “data protection”. It is not only an IT issue: the data sits on hardware, or in the trash next to the copier, or in the recycling bins, or in this case, outside in the dumpster. In only 3 minutes he found wire transfer information, copies of checks complete with social security numbers, and even a discarded laptop from the Chicago Board of Trade with the hard drive still inside! The video is well worth watching.</p>
<p style="margin-bottom: 0in; text-align: justify;">What can we learn from this? Once again, valuable data can leak out of a facility in all sorts of ways, and sometimes it is even thrown away in the trash. How does your facility handle potentially sensitive information? Do you have a document destruction service to deal with all the paper that gets thrown away? How about old computers? What is your security policy regarding the data on the hard drives?</p>
<h2 style="margin-bottom: 0in; text-align: justify;">Closing</h2>
<p style="margin-bottom: 0in; text-align: justify;">In closing, I want to take this opportunity to announce a format change. We have decided to move to a biweekly podcast format so beginning in March we will produce Pro Security News every other week. Also, I will be away from the office for a while, so look for our next show on Monday, March 16. In the meantime, I will post interesting news items to the website at www.ProSecurityNews.com. You will get the same weekly automatic notification in your email letting you know about items I have posted.</p>
<p style="margin-bottom: 0in; text-align: justify;">If you have any questions about any of the topics discussed today, or if you have a technical question you need an answer for, send me an email at info at prosecurity news dot com. I will answer both via email, and on the show so others can learn.</p>
<p style="margin-bottom: 0in; text-align: justify;"><img class="alignleft size-full wp-image-191" style="margin: 1px 8px;" title="picture-11" src="http://lsieducation.com/blog/wp-content/uploads/2009/02/picture-11.png" alt="picture-11" width="104" height="103" />This podcast has been brought to you by the Lockmasters Security Institute in Nicholasville, Kentucky. For more than 50 years LSI has been the nation&#8217;s leading educational organization for technical and security education. Our students come from the federal government, US military, Fortune 500 companies, private industry and law enforcement. LSI offers 27 different classes covering security management practices, lock &amp; safe technical skills, and law enforcement covert technical operations skills. Check the website at lsieducation.com for the 2009 schedule of classes.</p>
]]></content:encoded>
			<wfw:commentRss>http://lsieducation.com/blog/2009/02/psn011-hacks-threats-dumpster-diving-and-a-new-schedule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
			<enclosure url="http://media.libsyn.com/media/psnlsi/PSN011.mp3" length="12556665" type="audio/mpeg"/>
<itunes:duration>13:05</itunes:duration>
		<itunes:subtitle>In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster ...</itunes:subtitle>
		<itunes:summary>In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.
Show Links
Smartphone Threats Intensify - DarkReading
Security researchers crack laptop facial biometrics
Black Hat ® DC 2009 Briefings Archives
How Attackers Use Your Metadata Against You
ShmooCon 2009: Chris Paget’s RFID cloning talk - Hack a Day
SecurityDreamer Dumpster Diving
Your Face is NOT Your Password - how they did it (PDF File)

//Jon

Click the link to read the entire show transcript.


Smartphone Threats Increase
We have commented several times about the security threats posed by smartphones, and a study was just released that adds more fuel to the fire.

In previous articles we have mentioned the hazards of cell phones in the workplace. Besides hindering productivity, they may be equipped with data gathering technologies that early James Bonds would have only dreamed of. They can record conversations both on and off the phone. They can take both still and motion pictures of your company secrets. They have access to your corporate VPN. And many can act as portable storage devices connected like a thumb drive to a USB port on a network computer. Armed with email and web access, your stolen data can be sent out of the building in record time.
According to a new report released by McAfee, the famous antivirus company, more than half of mobile device-makers said their products experienced malware, voice-, or text spam attacks last year. McAfee's report, which is based on a survey of 30-plus mobile device manufacturers from around the world, found these vendors are getting hit with more malware attacks than ever before.
Experts have long warned that smartphones, such as Windows Mobile and iPhone handsets, could become the new weakest link in the enterprise, with more users relying on them for accessing corporate email, surfing the Web, and other applications.
Enterprise smartphones are starting to get hit with the types of security problems wireless LANs have been facing, industry experts say. Viruses -- especially via Windows -- can be carried from smartphones to the network, they say, which puts the entire infrastructure at risk.
So now we not only have to worry about what a smart phone can remove from your business, but also what it might inject in the form of malware or a virus.

Laptop Facial Recognition Cracked
You may be aware that many laptop computers have a small built-in webcam just above the screen. They have been put to several interesting uses. One such use is sending you an email photograph of the guy who just stole your computer. Another recent use available on a few laptops is facial recognition. The first time I saw someone use this I thought it was kind of bizarre. I observed Lloyd pick up his laptop and bring it near his face to log in instead of using a password.
Anyway, researchers in Vietnam have cracked the facial recognition on many of these laptops and they demonstrated the technique at the Black Hat security convention in Washington DC this week. They cracked the systems built into Lenovo, Toshiba and Asus laptops.
Essentially the researchers were able to bypass the security systems by showing the camera a picture of the registered user. They were also able to gain entry by showing the camera pictures of other people's faces, after manipulating light and shade settings.
The link to the technical paper explaining the technique is on our website in the show notes.
So what can we learn from this? Probably that it is best to let new technology be tested by others before you adopt it.

META Data Used Against You
While we are talking about computer related threats, did you know that the mere act of attaching a Word Document or PowerPoint presentation to an email could reveal confidential data to the recipient?
The Dark Reading Blog explains...</itunes:summary>
		<itunes:keywords>locksmith, lockmasters, training, vault, security, homeland, law enforcement, military</itunes:keywords>
		<itunes:author>Jon Payne, Sr., CML</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>Yes</itunes:block>
	</item>
		<item>
		<title>PSN011E &#8211; Hacks, Threats, Dumpster Diving, New Schedule (enhanced)</title>
		<link>http://lsieducation.com/blog/2009/02/psn011e-hacks-threats-dumpster-diving-new-schedule-enhanced/</link>
		<comments>http://lsieducation.com/blog/2009/02/psn011e-hacks-threats-dumpster-diving-new-schedule-enhanced/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 11:07:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Electronics]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://lsieducation.com/blog/?p=194</guid>
		<description><![CDATA[(enhanced podcast) In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.
This is the enhanced version of the podcast with embedded images and chapter markers much like a DVD. See PSN011 for [...]]]></description>
			<content:encoded><![CDATA[<p>(enhanced podcast) In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.</p>
<p>This is the <a href="http://support.apple.com/kb/HT1597">enhanced version</a> of the podcast with embedded images and chapter markers much like a DVD. See PSN011 for the show links and the full text of the podcast.</p>
]]></content:encoded>
			<wfw:commentRss>http://lsieducation.com/blog/2009/02/psn011e-hacks-threats-dumpster-diving-new-schedule-enhanced/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
			<enclosure url="http://media.libsyn.com/media/psnlsi/PSN011E.m4a" length="11473638" type="audio/x-m4a"/>
<itunes:duration>13:05</itunes:duration>
		<itunes:subtitle>(enhanced podcast) In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your ...</itunes:subtitle>
		<itunes:summary>(enhanced podcast) In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.

This is the enhanced version of the podcast with embedded images and chapter markers much like a DVD. See PSN011 for the show links and the full text of the podcast.</itunes:summary>
		<itunes:keywords>locksmith, lockmasters, training, vault, security, homeland, law enforcement, military</itunes:keywords>
		<itunes:author>Jon Payne, Sr., CML</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>Yes</itunes:block>
	</item>
	</channel>
</rss>
