Saturday, November 12, 2005

RFID, How Effective for the Long Term and What is the Cost?

Back in the nineties, EAS (Electronic article surveillance ) tags were upgraded to explode with ink to prevent shoplifting. At first, they did have an impact in reducing pilferage, but eventually the criminal element and even teenagers started freezing the tags before breaking them off. This made the technology a lot less effective and didn't take a tremendous amount of skill.

If you are like me, someone has left one of those tags on an article that you've purchased. When you left the store, the alarm didn't go off (they often don't, or are set off by something other than the tag) and when you got home it was a major inconvenience. Likewise, the alarm sounding as you are walking out the door (because of a malfunction, or a clerk forgetting to remove a tag) can be quite embarrassing (annoying), also.

Historically EAS, in all it's forms, seems to have a lot of similarities to RFID (Radio Frequency ID). RFID seems to be the replacement for EAS in retail environments and libraries, but as technology progresses there are differences.

Although, extremely inconvenient and sometimes embarrassing, one can recover from this (EAS problems) rather quickly. With RFID (Radio Frequency ID), the potential inconvenience and embarrassment can be long term, especially if one's identity is stolen, or it is used to spy on their personal life. Additionally, where EAS tags are supposed to be removed, RFID stays with whatever it was implanted in and with wireless technology, it can be read from afar.

Like EAS, RFID was initially pushed by security firms to be sold to the retail industry. There are people making a lot of money off this technology, especially now as governments are becoming customers.

There has been a recurring theme of technology being used for the wrong purpose in the name of security, or marketing. Furthermore, it seems that legislation (which is normally mired down in red tape by special interests) has had a hard time keeping up in the internet age. Examples would be all the Spyware, Adware and Keyloggers, all of which were developed for business purposes (questionable) and now are routinely used by criminals to commit fraud. Another example would be with the information industry, which (for years) has gathered all our personal details and then made them available for sale. The problem being that sometimes our information is being sold to, or easily accessed by criminals, who then victimize us for their personal profit.

To make matters more bizarre, this creates more opportunity for (probably some of the same people) to develop products to counter the products that are being abused. This translates into the poor "Joe" on the street paying for the products to counter the products they profited from (and Joe paid for) in the first place. Few of these counter-products are given away free and someone is making a pretty profit from them. In the not too distant future will be paying for products to counter the abuses of RFID?

A glaring example of this would be our three major credit bureaus and some others (financial institutions), who indexed, sold and bought our personal information for years, (they made billions from this). They are now marketing a new product "identity theft protection/insurance," which is a growing business.

If one were to follow recent data intrusions (where untold amounts of personal and financial information were stolen) to the company concerned, you would find many of them selling this product (identity theft/protection insurance). In many instances, it was alleged that the data theft(s) were accomplished due to a lack of , or substandard security practices. Their solution is to continue selling your information and add value to their bottom lines by making you pay for the security (protection).

Now we are headed down the RFID road. There are many legitimate uses for RFID, but can it be defeated and what are potential abuses, when it is routinely for sale over the internet?

Here is an interesting article from Forbes, Forbes.com: A Hacker's Guide To RFID . Although it primarily expresses how easy it might be to defeat RFID in a retail environment, government applications are relatively new.

Stop RFID - RFID privacy issues and news. This site is an excellent resource on the implications, (loss of privacy) that RFID will create.

What concerns me even more is that when I ran some simple searches on Google, such as RFID "Phreak, Hack and Crack," I came up with some pretty astonishing results. The bottom line is there seems to be (even though RFID is a new technology) people developing ways to defeat it and if the "search" results on Google are remotely accurate, we are in trouble.

Even without the hackers working fastidiously, there are other ways defeat RFID besides technology. This is especially in the identification arena, which is one of the most controversial. For years, people have obtained identification with other fake identification/documents. Unless all identification/documents are RFID protected, criminals and even illegal immigrants will be using this method to defeat RFID technology.

We are all paying for RFID, both in the cost of increased prices and in taxes. In addition to this, there are other hidden costs, such as our rights to privacy to consider, as well as, future costs we might be asked to bear. Hopefully, those who are proponents of this technology are being diligent and protecting the interests of their customers and citizenry.

Should they fail to do this, I recommend the citizenry and the customers speak loudly with their vote and their shopping preferences.

Here are some previous posts, I've done on RFID; RFID, Abuse in the Private Sector? and RFID, A Necessary Evil; or an Invasion of Privacy?

Friday, November 11, 2005

Google, Yahoo, now Microsoft..under Attack

In the past three days, the "big three" internet services have come under attack. First Google, then Yahoo and now Microsoft.

Here is the latest alert from our friends at Websense:

"Websense® Security Labs™ has received reports of a email scam disguised as a Microsoft Security Update for Explorer.exe. Users receive a spoofed email message instructing them to click on a link to immediately download and install a bugfix from Microsoft.

The link in the email takes the user to a fraudulent website, designed to appear as the legitimate Microsoft Windows update site. The security update hosted on this page is actually a backdoor Trojan horse . Upon execution, the backdoor sends an HTTP request with the IP address of the infected computer and then waits for a connection from the malware author.

The site hosting the malicious file is in the United States, the site where the IP address is reported is hosted in Germany. Both were online at the time of this alert."

Although not specific, my guess is that the intent in this attack is to capture a computer for use in a botnet. Criminals use botnets to send SPAM and further their various criminal activities, including identity and financial information theft.

Here are few posts, I've done on botnet activity, Zotob Hackers Caught, Attack of the Worms and More Arrests in Zotob Case .

It appears that the criminal element is gearing up for their traditional activities during the holiday season, which is to steal as much as they can using the sales volume (created by the holiday season) as a smoke screen.

For the full alert from Websense, along with screen shots, click on the title of this post.

Vigilantes on the Internet

Recently in the mainstream press, there has been a lot of news and commentary regarding Vigilantes on the southern borders of the United States. Vigilantism against cybercriminals is also becoming an organized effort on the internet via websites, who play along with the scams in order to waste the time of the fraudsters. This post is dedicated to those involved in fighting 419 (Advance fee fraud) activity.

These groups are organized by websites, such as 419Eater.com. Here in their own words is how they play the game, "So what is scambaiting? Well, put simply, you enter into a dialogue with scammers, simply to waste their precious time and resources. Whilst you are doing this, you will be helping to keep the scammers away from real potential victims and screwing around with the minds of gutless thieves."

There are a lot of these sites out there, here are some of them;

Scamorama.com, great collection of information and scambaits
419 Eater, one of the most famous scambaiting sites
419 Eater's scam baiting community - Forum
The Nigerian Letters
Ebola Monkey Man: Pissing Off Nigerian Scammers
(This one is very amusing)
Frank Rizzo and the 419 Zeros - Scamming the Scammers Without Mercy!
P-P-P-Powerbook, scammer ripped off with really fake Apple laptop
thescambaiter.com, many famous freight-baits originated here
Artists Against 419 - Home of the fake bank database and the FlashMob
scammers-exposed.com - notorious 419 scammers revealed by scam baiters
Conversations with a Nigerian Bank Scammer

One that I visited recently, (which is a Yahoo Group) is "Romance Scam 419 Yahoo Group (US)." When I signed up for this group, I started getting more than 200 e-mails daily from them forcing me to "unsubscribe" due to other commitments. They (as many of the sites do) post pictures of their scammers for everyone to see. I did see evidence that they report activity to the authorities and they claim that law enforcement does monitor the site for intelligence purposes.

Many of these sites do expose fake financial and credit services and I would imagine they have the potential to be a intelligence conduit for law enforcement.

Before engaging in any of this, there are dangers to consider. Here is a warning from 419.Eater.com:

"Please remember that these people are CRIMINALS and should be treated as such.

Under no circumstances must you enter into any communications with these people unless you feel you are adequately prepared to deal with them.

Under NO CIRCUMSTANCES give them ANY real private information about yourself. These guys may appear dumb and clueless, but I suspect it wouldn't be so funny if you were to come face-to-face with one of them, although I'll be the first to admit the chances of this happening are astronomical - unless of course you are dumb enough to fly over to meet them in person, in which case you need to be sectioned ASAP!

The tips below are for INFORMATION ONLY. I cannot be held responsible for what you decide to do with the information.

If you are unsure of what you are doing please LEAVE WELL ALONE!"

I would like to add that as technology increases, anyone involved in this activity should become well-versed on the dangers of malware, which is used fraudulent internet activity. Malware can be executed against one's computer system via e-mail and even IM's (instant messaging).

In theory (if not protected properly) this could lead to the scammer turning the tables on the scam baiter and stealing information from their personal computer and even worse, identifying the scambaiter.

There is also the potential in this for sites, or people to be damaged, if wrongfully identified. This has happened in the case of similar sites, which go after sexual predators.

These sites do serve a purpose in fighting fraud and their efforts in most instances are admirable. They can also be used to provide valuable intelligence to law enforcement, who have the resources and expertise to verify the criminal activity and deal with it. If they are simply used for cybersport, then it will confuse and frustrate the scammer, but only temporarily. Nonetheless, these sites serve to raise awareness, which is key in the fight with 419. Besides that sometimes a little revenge is "Chicken Soup for the Soul."

Here is a link, courtesy of my friends at Quatloos, where you can find a lot of resources to report any activity to Law Enforcement.

For the last word from the Ebola Monkey Man, click on the title of this post.

Thursday, November 10, 2005

Yesterday Google, Today Yahoo Users Targeted in Phishing Attack

Yesterday, the good name of Google was being used by the fraudsters to "phish" financial information. Today, Google's main competition "Yahoo" is under attack. Yahoo users are getting instant messages (IM's) telling them their account will be blocked unless they respond to a terms of service (TOS) violation.

The uninformed (unfortunate) person (who responds to this) will be tricked into clicking on a URL that takes them to a malicious (fraudulent) website, where they are asked to provide their login and password information.

This latest scam was discovered by the IMlogic Threat Center, who named it "IM.Marphish.Yahoo."

It's not clear what information will be stolen once this occurs, but that probably depends on what can be accessed on an individual (Yahoo) account. Normally, the goal in these scams is to steal personal and or financial information.

In my humble opinion, the best resource to learn more about phishing and how to protect yourself is the Anti-Phishing Working Group (APWG).

On their website, they have a link that is well worth reading for anyone who wants to learn how to protect themselves; How to Avoid Phishing Scams.

For anyone interested in reading the specific report from the IMlogic Threat Center, feel free to click on the title of this post.

Wednesday, November 09, 2005

Phishing Scam Promises $400 from Google

When something is popular, such as Google, the scammers pick it to perform their misdeeds. Here is a current (site allegedly still active) warning regarding a phishing scam spoofing Google from our friends at "Websense."

"Websense® Security Labs™ has received reports of a new phishing attack that targets users of Google's search engine. Users are redirected to a spoofed copy of Google's front page with a large message claiming "You WON $400.00 !!!". Users are presented with instructions for collecting their prize money. These instructions direct users to enter their credit card number and shipping address. Once the information has been collected, users are directed to Google's legitimate website."

If anyone is interested in protection against rogue websites and phishing, here is a pretty good resource, I mentioned in an earlier post; TrustWatch Search Engine .

For screen shots of what this scam looks like, click on the title of this post.

Sunday, November 06, 2005

Deb Radcliff, Cybercrime Educator/Author

Recently, I have had the honor of corresponding with Deb Radcliff (pictured on right), who has an impressive background as an educator/author. What I like about her style is that she has a "no holds barred" approach and doesn't worry about being "politically correct." Deb also seems to hit a key point in her writing, which is the solution to this type of crime cannot only be technical, but that the social issues must be addressed also.

Some of her accomplishments include:

"Winner of several awards, including two Jesse H. Neal Awards, one for best individual feature, Class B sized magazine for cover story, "Hackers, Terrorists and Spies" (Software Magazine, 1998) and for group reporting, best news story, Computerworld, "Wireless LANs: Trouble in the Air," 2003, by the American Business Press.

Annual speaker at West Point Military Academy, Dept. of Computer Science and Engineering.

Launched a "Hack of the Month" column for Computerworld in 1999.

The FBI requested reprint rights to "Barbarians at the Firewall," Byte, 1996, to train its new cyber crime unit investigators.

Her stories are now posted on more than 500 news, business, hacker, government and consumer sites (many on CNN and The Register) and are also used in training materials, guidebooks and college textbooks, including McGraw-Hill's Violence and Terrorism, 2003/2004."

Although Deb writes for a lot of different publications, she recently accepted an assignment with Network Life, which is owned by Network World. She also does several blogs, Security Chief, Security Awareness and Online Crime Bytes.

Deb is a must read for anyone interested in the constantly changing world of computer/internet crime. With these types of crimes constantly mutating, she is also probably one of the best resources for a person to be educated against the perils that face us from this menace today.

To view Deb's personal website, you can click on the title of this post.