Saturday, June 30, 2007

Japanese cop exposes confidential information on 6,000 people using P2P (file-sharing) software

Japanese police car picture courtesy of Flickr

We spend a lot of MONEY protecting computer systems and the information in them. Despite this, information is stolen or compromised from computers pretty frequently.

One reason for this is that it only takes one person with access to compromise a system and its security.

Recently, Japan Today disclosed that a policeman did just this by using P2P file-sharing software:

Personal information on some 12,000 people related to criminal investigations has leaked onto the Internet from a computer of a Tokyo police officer via Winny file-sharing software, the Metropolitan Police Department said Friday. This is believed to be the largest volume of data leaked from the police on record, the department said.

In case you've never been exposed to P2P (file sharing) software, it's normally used to share porn, movie, or music files.

Wikipedia lists the dangers of using this type of software, of which there are many:
  • poisoning attacks (e.g. providing files whose contents are different from the description)
  • polluting attacks (e.g. inserting "bad" chunks/packets into an otherwise valid file on the network)
  • defection attacks (users or software that make use of the network without contributing resources to it)
  • insertion of viruses to carried data (e.g. downloaded or carried files may be infected with viruses or other malware)
  • malware in the peer-to-peer network software itself (e.g. distributed software may contain spyware)
  • denial of service attacks (attacks that may make the network run very slowly or break completely)
  • filtering (network operators may attempt to prevent peer-to-peer network data from being carried)
  • identity attacks (e.g. tracking down the users of the network and harassing or legally attacking them)
  • spamming (e.g. sending unsolicited information across the network, not necessarily as a denial of service attack)

Using any of these services normally slows a computer down to a crawl. It can even destroy your computer.


Besides that, it's illegal to share copyrighted material (I think it's considered stealing). Not a very good situation for a policeman to get caught up in. What was he thinking?


Japan Today story, here.


Here is another post I wrote about the murky world of P2P last year:


How P2P Software like Limewire Compromises Personal and Financial Information

Attrition.org tracks how often information is compromised, and the reasons why, here.

Friday, June 29, 2007

Scambusters predicts a lot of scammers will use the iPhone as a lure to steal money

iPhone picture, already up on eBay at the time I posted this. It comes from an offer to become an iPhone distributor.

Scambusters.org did a thoughtful article on the iPhone and how scammers will probably take advantage of the situation.

After reading Audrey and Jim's well thought-out predictions, I'm going to opt to share their sage advice.


In Audrey and Jim's own words:

Apple's iPhone is one of the most anticipated -- and hyped -- products ever. And with any huge product launch, the scammers come out in droves. So, if you want to make sure you don't get ripped off, you've come to the right place.

For Scambusters.org's sage predictions, link here.


I've written a lot about auction fraud, which is where we will probably see a lot of these scams surface, here.


A good place to look at iPhones is the Apple store. You can go to their site, here.


From what I hear, discount iPhones will not be available for a while!

A too-good-to-be-true deal on an iPhone probably IS NOT a real deal!

Thursday, June 28, 2007

eBay sends high-tech care package to Romanian cops

Romanian fraudsters are known as Vlads. Vlad Tepes, a Romanian prince, was the inspiration for the original Dracula story. Interestingly enough, some Romanians consider him a folk hero who drove away invading armies. Photo courtesy of Flickr.

We hear a lot about Romanian organized crime being involved in fraud on auction sites. They are also well known in the world of payment (credit/debit) card skimming.

One of the more infamous Romanian fraudsters goes by the name of Vladuz. Vladuz openly mocked eBay for a while, publicly hacking the site and creating an uproar, but he seems to be lying low recently.

Apparently, eBay is now providing Romanian law enforcement with technical resources. Ed Sutherland (AHN News) reports:

EBay is assisting Romanian law enforcement to detect and stop fraud targeting losing auction bidders. For months, the auction giant said a large portion of online fraud was coming from the Eastern European nation.

First noticed in 2005, criminals in Romania are taking advantage of a gap in the tech knowledge of local police to prey on eBay users that are outbid in auctions.

"The fraudster can see that a user that didn't win was prepared to spend $145 on a particular item," Matt Henley, part of eBay's Fraud Investigations Team, told News.com. The fraudsters knew most people used their email account name for their eBay username. The criminals would contact the losing bidder by email away from eBay, offering a second chance to obtain the item.

Since uncovering the fraud, eBay began hiding user names when bids exceed $80.


AHN story, here.

Here is a post I did on a group that fights Romanian fraud on a volunteer level (although I hear they also provide a lot of useful intelligence to law enforcement):

Auction Fraud and the Romanian Connection

Firemeg.com is also a good place to keep up on eBay fraud happenings, or other rants about eBay. Their site can be viewed, here.

For a lot of information on auction fraud, click here.

AOL has a collection of videos showing some of the hacking/fraud activity on auction sites, here.

Tuesday, June 26, 2007

RFID sniffing could be used by spies and criminals to commit all kinds of dastardly deeds!

Dark Reading wrote about a pretty scary flaw in RFID technology this week. Apparently, it's now possible for corporate spies and even organized retail criminal types to "sniff" RFID chips in a cargo container and use the information to commit a dastardly deed.

Apparently, truckers will be particularly vulnerable to being "sniffed" (compromised). Of course, if you use a little imagination, sniffing RFID might put more than "truckers" at risk, also.

From the story in Dark Reading:

That means your competitor could use this information for intelligence purposes. "He could get an idea of what you are shipping and how much, and how often," Perrymon says, adding that an attacker could also write to those tags, either disabling or changing them if you don't apply the proper authorization and passwords to your EPC system. That's PacketFocus's next step in its research.

And sniffing the truck's payload could also provide criminals with intelligence they wouldn’t otherwise be able to get very easily, thus helping them target their holdups or other heists, he says. "Unless they had a lot of inside information, they don't have enough information to rob that truck. Now they can scan it if it's not secure -- they don't want to rob that toilet paper truck, but if it's got plasma TVs with surround sound, [that's their] target."

RFID has been pushed by retailers, such as Walmart, and the military (not mentioned in the Dark Reading article). The Department of Defense now uses RFID to monitor its supply management system.

Stealing shipments of plasma TVs is one thing, but on a personal level, I'm a little more worried about how some of this technology might be used by those with more sinister intentions than stealing high-tech merchandise.

As for the passwords mentioned in the article, which were easily compromised by the PacketFocus folks: they can be made more secure, but passwords are hacked by software and by more social methods fairly frequently.

All it takes to compromise an entire system is one dishonest person with access to a password, or even an honest person who is tricked into giving one up.

Hacking for Dummies has an interesting write-up on how passwords are hacked, here.

Besides that, the bad guys are always coming up with new exploits to defeat security fixes.

Interestingly enough, according to Wikipedia, RFID's predecessor was invented by a Soviet inventor as a tool to commit espionage. It was also used in the World War II era for a lot of military applications.

Perhaps, in this case, history (or the original intent) should give us a little perspective on RFID?

In the recent past, government experts have seen China show an interest in stealing (hacking) logistics (supply) information. Here is a post I wrote about that:

How Dangerous is China

Dark Reading's interesting article, here.

I've written a few posts about RFID and its potential abuses, which can be seen here.

Dark Reading got its information for the article from PacketFocus Security Solutions, which is a company that performs what is known as "ethical hacking" for the public at large. Ethical hacking is where good guys test vulnerabilities in technology to stay ahead of the bad guys.

There might very well be some useful applications for RFID, but we need to slow down, and consider the safety implications before continuing to have this technology take over our daily lives.

It's not worth the money a very few people are making off it!

Sunday, June 24, 2007

ID Theft Victim puts her Evil Twin back on probation in San Francisco

San Francisco's Hall of Justice

Identity theft victims often get pretty frustrated after being accused of being deadbeats by collection agencies, or even being charged with a crime they didn't commit.

Trying to seek justice seems to do little good, either. Law enforcement rarely has the resources to investigate individual cases, unless an identity thief is caught "red handed."

Mike Weiss (San Francisco Chronicle) did an interesting article about a victim (Karen Lodrick), who caught her evil twin, Maria Nelson.

From the Chronicle story:


The only other time Lodrick, a 41-year-old creative consultant, had seen that particular coat was on a security camera photo that her bank, Wells Fargo, showed her of the woman who had stolen her identity. The photo was taken as the thief was looting Lodrick's checking account.

Now, here was the coat again. This woman -- a big woman, about 5 feet 10, maybe 150 pounds -- had to be the person who had put her through six months of hell and cost her $30,000 in lost business as she tried to untangle the never-ending mess with banks and credit agencies.



During the pursuit, Karen confronted Nelson, who had noticed she was being followed, and asked her to wait until the police arrived. Nelson informed her she couldn't wait for the police because she was on probation. This might be one of the more honest statements Nelson has made in the recent past.

In fact, Nelson has eight previous convictions for fraud, and is on probation for one of them! She also had a warrant for her arrest in Yolo County, which is about two hours north of San Francisco.

Shortly after this confrontation, Nelson dumped a wallet in a trash can. Here is what it had inside:


In front of West Coast Growers, she dropped a wallet into an abandoned shopping cart. Lodrick, still after her, picked up the wallet -- also Prada -- and found an entire set of identification, including credit cards, a Social Security card and a debit card all in the name of Karen Lodrick.

Later, when she returned to the bank that had been her original destination that morning and took possession of the lost driver's license, it was a perfect forgery -- with a hologram and a California seal -- and it had Lodrick's name but Nelson's photo and physical characteristics.

Because of Karen's individual efforts, the San Francisco Police responded, and Nelson was apprehended.

Eventually, she was convicted, but this probably did little to give Karen satisfaction for everything she went through.

At her sentencing, Nelson showed little remorse, smirking and waving at Karen. And why not? Despite her long criminal record, Nelson received 44 days (time already served) and yet another three-year probation.

Karen was able to make a statement at Nelson's sentencing, where she said:


I can't believe it. I went through six months of hell, and she's going to get probation? She was on probation when she victimized me. Obviously, probation's not helping.


Chronicle story with more detail, here.

It's pretty obvious why Nelson was smirking: committing identity theft is relatively easy, the consequences are pretty lacking, and it pays well.

As for the ease with which common criminals can obtain all sorts of counterfeit identification documents, I have a lot of information on how bad a problem this is, here.

The abuse and lack of controls on certain technologies have made counterfeiting pretty easy to accomplish. Likewise, the ease with which credit is issued makes committing identity theft a pretty lucrative venture.

I did a post about how easy it is for criminals to use someone else's credit, here.

Where do you think the millions of illegal immigrants get the necessary documentation to obtain employment?

Of course, illegal immigrants aren't the only people using these documents.

Counterfeit documents are distributed by organized crime gangs, who sell them to ANYONE with the money to buy them.

As long as the consequences for identity theft remain minimal, we are going to see a lot of good people like Karen go through hell.

When are laws going to start protecting the people paying all the taxes to enforce them?

Collection agency and security company try to scam African government by stealing a corporate identity

Collection agencies don't make money by being nice people. Here is a story about how one of them wasn't very honest, either.

I found this interesting story from a press release, courtesy of the FBI website:

Late last month, we helped wrap up a case that took identity theft to a whole new level: one company trying to steal $23 million by pretending to be another company.

It was made possible by a remarkable coincidence: two private security companies with nearly identical names. One of the firms, based in Michigan, was named Executive Outcome Inc. The other, based in South Africa, was called Executive Outcomes Inc.

The criminal maneuvering began in late 2001, when a British debt collector called the Michigan-based Executive Outcome, run by Pasquale John DiPofi. The collection agency asked if DiPofi wanted help collecting $23 million owed by the government of Sierra Leone for military equipment, security, and training.

One slight problem. The millions of dollars weren't owed to DiPofi's company. It was owed to the other firm, Executive Outcomes, a half a world away.

At this point, the greed element took over, and they attempted to deceive the government of Sierra Leone into paying the wrong company.

FBI press release, here.