Archive for the ‘Blogroll’ Category

In Brief: CODIS DNA Database To Catch Horse Thieves

May 2, 2008

Horses are valuable and stealing horses is a big business. “EDNA Test” is now offering Equine CODIS, based upon the same process as the FBI’s own CODIS system, which is used for human DNA analysis. CODIS stands for Combined DNA Information Systems. The CODIS software enables State, local, and national law enforcement crime laboratories to compare DNA profiles electronically. Horses don’t have fingerprints, and therefore DNA is the most accurate available method for horse identification. Implanted microchips have potential health risks, and along with tattoos or brands can be altered or removed. Reference


Future Crime Reader Interests

September 22, 2006

Some readers may not be aware that the search terms you use to find Future Crime are reported and recorded. Interestingly, yesterday 28.5% of Future Crime’s views resulted from searches on the terms:

“how to use” “stolen credit card numbers

I don’t know who you are, but unless you were very careful I expect your IP address was recorded as well as your search terms. Not very smart for a supposed future criminal!
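The reason a blog can see a visitor's search terms is that the browser sends the search engine's result-page URL, query string included, in the Referer header, and the web server writes that header next to the client's IP address in its access log. The following is an added example, not code from the original post: it parses a few constructed Apache "combined" log lines (the IPs, timestamps and search engine hostname are made up) and pulls out exactly the pair of facts the post mentions, the client IP and the search query that led to the hit.

```python
"""Added example: what a web server's access log records when a visitor
arrives from a search engine. The log lines below are constructed; the
search engine URL and the addresses are not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real traffic). The Referer field carries the
# search engine URL, including the visitor's query string.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2006:14:02:11 -0700] "GET /2006/09/09/break-in-at-second-life/ HTTP/1.1" 200 8123 "http://search.example.com/search?q=%22how+to+use%22+%22stolen+credit+card+numbers" "Mozilla/5.0"
198.51.100.23 - - [21/Sep/2006:14:05:40 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Sep/2006:14:07:02 -0700] "GET /about/ HTTP/1.1" 200 2210 "http://search.example.com/search?q=future+crime+blog&hl=en" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string parameter names that search engines commonly use for the query.
QUERY_PARAMS = ("q", "p", "query")


def search_terms_from_referer(referer):
    """Return the search query embedded in a Referer URL, or None if there is none."""
    if not referer or referer == "-":
        return None
    qs = parse_qs(urlsplit(referer).query)  # parse_qs also decodes '+' and %XX escapes
    for name in QUERY_PARAMS:
        if name in qs:
            return qs[name][0]
    return None


def search_referrals(log_text):
    """Return (client_ip, timestamp, search_terms) for each hit that came from a search."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        terms = search_terms_from_referer(m.group("referer"))
        if terms is not None:
            hits.append((m.group("ip"), m.group("ts"), terms))
    return hits


def search_share(log_text):
    """Fraction of parsed requests that arrived via a search-engine referral."""
    total = sum(1 for line in log_text.splitlines() if LOG_RE.match(line))
    return len(search_referrals(log_text)) / total if total else 0.0


if __name__ == "__main__":
    for ip, ts, terms in search_referrals(SAMPLE_LOG):
        print(f"{ts}  {ip}  searched for: {terms!r}")
    print(f"share of views from searches: {search_share(SAMPLE_LOG):.1%}")
```

Only the search engine's own hostname and parameter name vary between engines; the rest is standard log parsing, which is why hosting statistics packages can report referring search terms without any cooperation from the visitor.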

Break In at Second Life

September 9, 2006


I have written elsewhere about the likelihood that Second Life would be targeted by criminals for identity theft purposes and sadly such an event has come to pass. The volume of money flowing through Second Life’s economy ($64 million annually according to Popular Science) makes it an obvious target for attack. And apparently Linden Labs’ security practices have been less than stellar.

Linden Labs posted a security bulletin yesterday on the Second Life site announcing that a “zero-day exploit” had been used to access customer account records including passwords and possibly payment information. While the original security bulletin itself was quite terse and made no mention of compromised payment information, a subsequent e-mail and included FAQ revealed:

We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.

“Zero-day exploit” is a general term for any attack that is launched the same day as a new product or patch is released. For example, Microsoft announced a zero-day exploit attack on Internet Explorer back in 2005. Linden Labs didn’t reveal exactly what software was compromised, stating only that it was “third party” software.

Personally I don’t find this answer very satisfying, nor should other SL users. Passing the buck to a “third party” won’t protect user data. It is clear from the brief description of the events that was released that the company has not been following industry best practices. There is simply no excuse for storing private information such as credit card numbers or users’ true names in the clear. According to the e-mailed FAQ, Linden Labs uses MD5 hash encryption for protecting payment information; however, cracks for MD5 hashes are available on-line from several sources. For example, here, here, and here. Also see this article for a more technical explanation of the state-of-the-art attacks on MD5. Wikipedia also has a good introduction to the issues surrounding MD5 here.
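The “cracks” referred to above are not a break of MD5 itself but lookup tables: MD5 is a fast, unsalted one-way hash, so anyone who precomputes the hashes of common passwords can reverse a leaked hash with a single table probe. The block below is an added example, not Linden Labs' code or anything from the original post, and uses a constructed five-entry guess list in place of the online tables. It shows the lookup succeeding against a bare MD5 and failing against the same password stored with a per-user random salt and an iterated key derivation (PBKDF2 from Python's standard library), which is the fix a practitioner would apply.

```python
"""Added example: why a bare MD5 hash of a password is recoverable by table
lookup, and what a salted, iterated hash changes. The password list and the
sample password are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed guess list standing in for the online MD5 lookup tables the post
# refers to; real tables hold billions of precomputed entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "secondlife", "qwerty"]


def md5_hex(value: str) -> str:
    """Unsalted MD5, as a site storing plain MD5 hashes would compute it."""
    return hashlib.md5(value.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute MD5 for each candidate once; a lookup then costs one dict probe."""
    return {md5_hex(c): c for c in candidates}


def reverse_unsalted_md5(stored_hash, table):
    """Return the plaintext if the hash appears in the precomputed table, else None."""
    return table.get(stored_hash)


# Hardened form: per-user random salt plus a deliberately slow, iterated KDF.
PBKDF2_ITERATIONS = 200_000


def store_password(password: str):
    """Return (salt, derived_key); both are stored, neither reveals the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, stored_dk)


def demo():
    """Run both schemes against the same constructed password and report what happens."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # An unsalted MD5 of a common password falls to a single table lookup.
    leaked = md5_hex("secondlife")
    recovered = reverse_unsalted_md5(leaked, table)
    # The salted, iterated form of the same password matches no table entry, and
    # two users with the same password get different stored values.
    salt1, dk1 = store_password("secondlife")
    salt2, dk2 = store_password("secondlife")
    return {
        "recovered_from_md5": recovered,
        "pbkdf2_in_table": dk1.hex() in table,
        "same_password_same_stored_value": dk1 == dk2,
        "verify_ok": verify_password("secondlife", salt1, dk1),
        "verify_wrong": verify_password("password", salt1, dk1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats precomputation because a table would have to be built per salt value, and the iteration count raises the cost of every guess from nanoseconds to a good fraction of a millisecond; neither protects a password that is itself guessable, which is why the lookup-table threat described in the post matters most for users of common passwords.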

While the objective of the attackers probably was to obtain personal information and credit card numbers for the purposes of identity theft and credit card fraud, the breach also revealed SL users’ true names, raising the spectre of more personal attacks and in-world impersonations. It is less than clear where this information might end up. Participants in Gorean slavery or other unusual on-line sexual practices within Second Life may not be too pleased to learn that their true identities might be revealed to spouses or employers. Second Life users may want to think twice before strapping on that genitalia next time.

HP Investigation into Boardroom Leaks Employed Impersonation and “Pretexting”

September 8, 2006

Over the past several days reports have come to light that indicate that Hewlett Packard’s investigation into boardroom leaks may have gone too far, including impersonation of HP board member Tom Perkins of the well-known venture firm Kleiner Perkins Caufield and Byers and now break-ins to the voice mail boxes of reporters covering the story.

The investigations were initiated after confidential information known only to HP’s board appeared in a CNET News article on January 23rd. According to WIRED News, Perkins and other board members were apparently not informed of the extent of HP’s investigation or the methods being used until May 18, when in a board meeting on that date, Patricia Dunn, chairman of the board of directors, announced that investigators had discovered the identity of the source for the CNET story. The investigation by HP has apparently determined that board member George Keyworth was the source of the leak of confidential information. Keyworth has refused to step down from his board seat, but apparently will be voted out at the next HP board meeting.

Perkins resigned in protest and apparently later requested information on how Dunn identified Keyworth as the leak. Perkins is apparently cruising the Mediterranean in his new $100 yacht the Maltese Falcon and isn’t talking to the press about the incident.

What is really interesting about this case is that investigators hired by HP appear to have broken the law in order to conduct their investigation by using a technique well known to criminals and private investigators called “pretexting”. Pretexting is the practice of getting personal information under false pretenses. According to WIRED News, “Dawn Kawamoto and Tom Krazit of CNET, and Pui-Wing Tam of The Wall Street Journal were contacted this week by the California attorney general’s office regarding allegations that investigators working for HP had impersonated them to obtain their private phone records”. WIRED also reports that as many as seven other reporters’ records may have been improperly accessed including those of a Business Week reporter.

Pretexting isn’t a recent development, but this is the first case of a corporation using pretexting to investigate board members or employees that I’ve heard about. Generally pretexting targets individual consumers and is used as part of identity theft scams. Pretexting works by using easily obtained personal information from which private information is subsequently obtained. For example, a pretexter might call a prospective victim pretending to be from a survey firm to obtain personal information about the victim. The pretexter then uses this information to obtain private information from a financial institution, communications or utility provider, etc. The pretexter pretends to be the victim or someone else with authorized access to the victim’s account. Pretexters are often able to obtain personal information such as Social Security numbers, checking and credit card account numbers, and credit reports. In some cases pretexters can determine the existence and size of savings accounts or investment holdings. It is also possible to directly attack a victim through pretexting, for example by cancelling insurance, terminating utility services, or running up large bills for extra services not required by the true account holder.

According to Information Week, HP claimed in a recent SEC filing that pretexting is “generally not unlawful”, but that’s false. The Gramm-Leach-Bliley Act specifically addresses pretexting and makes it an illegal act punishable under federal statutes. Plausible denial? Investigators hired by Dunn apparently subcontracted another firm to actually do the dirty work, so it’s not clear yet who, if anyone, will be charged in this case.

Movies and music are crimes in Somalia

September 7, 2006

An interesting article in Monsters and Critics today describes a Somali film, Leopards in the Snow, which aired at the Toronto film festival and in which Somalis tell their stories of the tragedies and difficulties they’ve been through during the devastating Somali civil war. According to the director of the film, Laura Forth, the film gives “a message of hope and also peace”, but “no one in Somalia is allowed to watch it. They’d be given 40 lashes or worse.”

In Somalia, it is now illegal to watch a movie, a video, or a television show. Popular music is also illegal. Over the last few weeks the international media has reported that armed gunmen representing the United Islamic Courts (UIC) known as the “Soldiers of Allah” entered movie houses making arrests and confiscating media and equipment. The raids also followed the imposition of new restrictions that forbid all forms of trade and public transport during prayer times.

Witnesses reported that at least 30 people were detained in the raids when armed Soldiers of Allah entered two movie theaters in southern Mogadishu’s Wardhiigley district. The soldiers dispersed audiences who were watching Indian Bollywood movies which are very popular in Somalia and other parts of Africa, but are deemed pornographic by the UIC. Witnesses reported that the soldiers also confiscated projection equipment and generators. “We managed to arrest 30, but most of them fled,” militia commander Nuur Hassan Raghe reported. “They were watching movies that are ethically unfit.”
(Middle East Times, Sept. 4, 2006)

Watching movies and listening to music is an everyday pleasure enjoyed commonly by men and women around the world. Turning this into a crime makes everyone into a criminal. Similarly, a convenient side effect for governments that want to control people by, for example, burning books is that book owners become criminals.

Media control is of course also one of the primary tools of both past and modern fascist and communist regimes. Controlling what media people can consume in effect allows you to control what they can think, feel, and know. And it doesn’t matter whether it’s the government, a group of armed militia, or corporations that are exercising control. Consider for example the MPAA’s and the RIAA’s efforts to control what media you can consume through the use of Digital Rights Management software and their campaign of intimidation through mass litigation.

Welcome future criminals and crime fighters…

September 5, 2006

This blog is devoted to understanding the future of crime, and specifically how technology and technological culture are changing the nature of crime and crime fighting. My name is Peter Rothman, and I am the chief scientist of a company developing crime fighting technologies employing biometrics, pattern recognition, and other advanced technologies.

The topics I’ll be covering here include:

  • How the Internet and networks more generally are impacting the nature of crime.
  • Art Crime: Art as crime, criminal artworks, and illegal art.
  • Data Crime: Criminal use of databases, data theft, and related items.
  • Thought Crime: Neuropsychology and crime, brain imaging, and criminal thoughts.
  • Virtual Crime: Crime inside online virtual worlds and multi-player games.
  • Identity Crime: Identity theft and impersonation.
  • Criminal Governments: Governments that commit crimes and criminals that take over or create de facto governments.
  • Corporate Criminals: Corporations that commit crimes, corporate criminals, and criminals who use corporations to hide illegal operations or launder money.
  • Future Crime Fighting: New technologies offer new capabilities to law enforcement, from body armor and sonic cannons to tools that allow investigators to predict criminal behavior.
  • Everyone is a Criminal: How technology is turning everyone into a criminal, from the war on drugs to P2P file sharing and machine traffic violation monitoring.