Category Archives: Crime

APWG Atlanta Buckhead

Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the size of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with the miscreants.

CCTV Security Fad Fails

London probably has more security cameras per square inch than any other city, and:
The billions of pounds spent covering Britain with CCTV cameras has been an “utter fiasco” and failed to slash crime, Scotland Yard’s surveillance chief has said.

Detective Chief Inspector Mick Neville said a Metropolitan Police pilot project found just three per cent of street robberies in London were solved using CCTV images.

He claimed the vast swathes of money spent on cameras had been wasted because criminals don’t fear the cameras.

Billions spent on CCTV have failed to cut crime and led to an ‘utter fiasco’, says Scotland Yard surveillance chief, Just 3% of street robberies in London solved, By DANIEL BATES, Daily Mail, Last updated at 13:48pm on 6th May 2008

Needless to say, there are numerous efforts planned to make the cameras pay anyway.

The basic problem is:

But Mr Neville also castigated the police and claimed officers can’t be bothered to seek out CCTV images because it’s “hard work”.
CCTV is not the only security fad that hasn’t panned out:
For every 800 DNA samples being added by the police – including those taken from innocent people – only one crime is being solved.
We’ll see if either of these white elephant programs get terminated. I’m not holding my breath.

-jsq

Tokyo in May: CeCOS II

26-27 May 2008 in Tokyo:
The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year’s meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.

Counter-eCrime Operations Summit II, APWG Japan, 2008

The Anti-Phishing Working Group continues to expand via national associates, and to put on good workshops.

-jsq

Class Action Coming for Identity Theft?

It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point: Continue reading

Phishing Verified

Or is it really phishing when the victim first broadcasts his bank account details?
Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a “storm in a teacup” after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:
“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” he said. “I was wrong and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for going after the perpetrators.

-jsq

PS: Seen on BoingBoing.

Hammers to be Outlawed in UK

What can you expect when public, press, and government think “hacker” means criminal?
The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

A revamp of the UK’s outdated computer crime laws is long overdue. However, provisions to ban the development, ownership and distribution of so-called “hacker tools” draw sharp criticism from industry. Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

UK gov sets rules for hacker tool ban, Consultants in frame? Definitely Maybe By John Leyden, The Guardian, Published Wednesday 2nd January 2008 15:54 GMT

How long will it be before a simple traceroute gets you not only disconnected from your ISP but also clapped in jail for “hacking”?

It gets better: Continue reading

Sony Rootkitting: How It Happened

Here’s a paper about Sony and the Rootkit:

While Sony BMG’s customers first became aware of the dangers posed by the rootkit through media reports following Russinovich’s October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier. Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit. Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

THE MAGNIFICENCE OF THE DISASTER: RECONSTRUCTING THE SONY BMG ROOTKIT INCIDENT, By Deirdre K. Mulligan & Aaron K. Perzanowski

Yet Sony apparently thought that they could still sneak a rootkit onto CDs its customers paid for. The customers knew better, because Amazon reviews told them, and CD sales plummeted as soon as rootkit-infested versions were issued.

This maybe illustrates three points:

Continue reading

Bot Roast II: FBI Cracks Down on Bot Herders

FBI indicts, and in some cases gets guilty pleas or sentences, eight people they say were involved in botnet-related activities:
Secure Computing’s principal research scientist Dmitri Alperovitch was quite happy about the news.

“We welcome this news and applaud the FBI’s efforts and law enforcement worldwide in attempting to cleanup the cesspool of malware and criminality that the botmasters have promoted,” Alperovitch said in a press release. “Since botnets are at the root of nearly all cybercrime activities that we see on the Internet today, the significant deterrence value that arrests and prosecutions such as these provide cannot be underestimated.”

FBI Cracks Down (Again) on Zombie Computer Armies, By Ryan Singel, Threat Level, November 29, 2007 | 4:54:32 PM

Indeed, good news.

Now where are the metrics to show how much effect this actually had on number of botnets, number of bots, criminal activities mounted from bots, etc.? Baseline, ongoing changes, dashboard, drilldown?

-jsq

PS: Interestingly, every blog or press writeup I’ve seen about this misuses the word “hacker” to apply to these crackers, yet the actual FBI announcement never makes that mistake: it says cyber crime.

Bot Buyin

Bruce, seeing that the Storm Worm has sprouted stock tout popups on its own bots:
(((I’m guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. After all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized-crime outfit ever.)))

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?

-jsq

Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated:
Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by installing Tor, which people use to hide their IP addresses, and looking to see what passed over it. What he saw, he thinks, was people who had already broken into embassy accounts and were using them illicitly. He tried to inform governments, who (except for Iran) were uninterested. Then he posted his information online, thus probably stopping the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity”, walks around free.

-jsq