According to WCBS, a woman in Westchester NY was not only able to locate her stolen laptop on the Internet but also was able to remotely photograph the thieves using the laptop’s internal web camera. The perpetrators were caught as a result. Apparently a friend of the laptop’s owner noticed that the stolen machine was online, and notified the true owner who was able to use Back to My Mac to take control of her Mac over the Internet to obtain the pictures. Future criminals and crime fighters take note.
Bruce Schneier reports today on a great future crime story in which the culprit uses an unchanged administrative password to reprogram an ATM to think it holds $5 bills instead of $20 bills. There are a couple of interesting aspects to this story. First, the attack exploits a well-known security flaw that remains unbelievably common in a variety of settings: failing to change default passwords. Second, the attack doesn’t require the system to be altered, but rather uses the correct operation of the system (the Tranax Mini-Bank 1500 series) as part of the attack.
Another interesting aspect of this story is that it illustrates the tension between competitive business practices and security. Tranax has been trying to use innovative business practices to become more competitive in the ATM business, and these very practices may have enabled or aided this attack. This article from ATM Marketplace describes how Tranax is trying to make it as easy to order an ATM as it is to get a laptop from Dell. In fact, a quick visit to the Tranax support pages tells you that the default passwords can be found in the printed manual, which you can also order directly from their site. I note that although it’s probably a little harder today to get your hands on a Tranax manual, any legitimate owner of a machine has one. And therefore any legitimate owner or employee with access to a manual could easily try this exploit on any Tranax 1500 machine regardless of who owned that machine.
Finally, the role surveillance played in discovering the exploit is interesting. While the culprit might have disguised himself and used a nearly untraceable prepaid ATM card to access the machine, the exploit might have gone undiscovered for a long time without the surveillance video showing how it was accomplished.
Crime.net is a term I use to describe the impact of network technologies such as the Internet and mobile phones on crime and criminal enterprises. Applications of Crime.net include the following:
- Commission of crimes – this is the one part of Crime.net that’s gotten mainstream press coverage so far. Phishing, hacking into computers for credit card numbers, and so on. Data thefts at major retailers such as BJ’s Wholesale Club and Lowe’s indicate that there is probably more of this going on than has been reported in the media. And smart criminals may target smaller retailers that can’t afford the security resources of large corporations. Although not strictly a network-based attack, computers have also been used to steal cars and other items as reported here and here.
- Scouting targets – identifying people or places that are likely targets for crimes, and developing intelligence about targets. One blogger recently revealed how to use Google Calendar to scout potential victims for burglary or worse. Sound far-fetched? Criminals in South Africa have been observed using cell phones to photograph potential victims. Google Maps provides detailed maps for locating possible escape routes, planning lookout locations and so on. Satellite imagery can be used to examine rooftops for covert access points to buildings.
- Sharing criminal expertise – Criminals have used websites, blogs, etc. to share methods of operation, criminal techniques and strategies, and even information about specific targets. The notorious Shadowcrew site included instructions on how to commit identity theft and fraud. Some worry that these marketplaces will become a “bazaar of violence” facilitating murder and terrorism.
- Online markets for stolen goods – The Shadowcrew created an online market for stolen credit card numbers and eBay is used to “fence” stolen goods. More of these sorts of sites likely exist today.
- Avoiding capture – criminals can use surveillance technologies, cell phones, etc. to warn each other of the approach of law enforcement personnel. Usually we think of surveillance technologies being used to fight crime, but criminals can also use them to avoid capture. Picture phones and wireless IP-based cameras can be used to warn of the approach of law enforcement. Drug dealers, for example, use cellphones and multiple operatives to avoid capture with large quantities of cash and drugs. Analysis of publicly reported crime statistics can be used to predict areas with less law enforcement coverage. Imagine a future web site where criminals could determine the locations of police cars in real time, accessible over a cellphone or by using a stolen or otherwise obtained police data terminal.
The latest report from the Anti-Phishing Working Group shows that phishers are targeting more institutions than ever before and targeting more small financial institutions. The report also documents a rise in the use of the Russian Web Attacker spyware, including the phony World Cup soccer site that employed it.