More Silly ATM Tricks

July 20, 2007

WIRED reports on another ATM manufacturer that printed the default master passwords to their ATM machines directly in their user manuals.  Future Crime readers will recall that I previously reported on a similar issue with the Tranax ATM. 

Of course the ATM users could change these passwords, but since the machine does not require them to do so, many simply don’t. As is so often the case, good security starts with common sense, thinking about the problem from the user’s perspective, and a little bit of thoughtful design. It seems Triton could use some help in this area.


Using Google to Commit Crimes

July 18, 2007

This is a somewhat comical true story of some rather clueless criminals in Denver who used WD-40 to “obscure” surveillance cameras and couldn’t open a few safes even though they apparently had the combinations. Getting a bit creative, these obvious amateurs were able to use Google to search for “how to open a safe” and “how to crack a safe.” With this information, they were able to quickly figure out how to open the safes and got away with $12,000.

It is not difficult to find information that might be useful in the commission of crimes using Google. For example, one can learn to escape from handcuffs or pick a lock, although obviously these skills still do require some practice. I’ve previously written about the possibility of using Google Calendar to determine both a target and the timing of a crime. A similar story recently was reported by the Washington Post and made its way around the blogosphere as well.

FBI Spyware Capabilities

July 18, 2007

WIRED has a very detailed and interesting article today on the use of spyware by the FBI to catch a teen “prankster” who was behind bomb threats at a Washington High School.

In the sidebar, the article includes a somewhat terse description of the system’s capabilities:

The full capabilities of the FBI’s “computer and internet protocol address verifier” are closely guarded secrets, but here’s some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

• IP address
• MAC address of ethernet cards
• A list of open TCP and UDP ports
• A list of running programs
• The operating system type, version and serial number
• The default internet browser and version
• The registered user of the operating system, and registered company name, if any
• The current logged-in user name
• The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the computer’s internet use, logging every IP address to which the machine connects.

All that information is sent over the internet to an FBI computer in Virginia, likely located at the FBI’s technical laboratory in Quantico.

Will commercial security software detect police key loggers?

July 17, 2007

Following on the heels of his recent story that a judge approved the use of keylogging software in a DEA case in order to thwart a criminal using encryption, Declan McCullagh and CNET have released the results of his recent survey of PC security software companies, which claim they will detect police spyware. All the companies surveyed claim they can detect police spyware; however, only a few acknowledged that they might, at least under threat of a court order, fail to report these detections to the user. This is an interesting follow-up to the 2001 report that McAfee took measures to avoid detecting FBI spyware.

Ed Felten reported on audio keylogging a couple of years back, and of course screens and keystrokes can also be captured in some cases by using remote monitoring or screen capture software, by capturing radio emissions, or simply with hidden video cameras. The average person simply can’t be certain one or more of these techniques isn’t being employed against them.

And it isn’t just law enforcement that has access to these surveillance tools today. These tools are readily available to high-tech criminals and others who might want to know what you are doing on your computer. For example, keyloggers are sometimes posted to boards and game sites. Unfortunately, not only can’t you be sure that your security software will detect a particular piece of keylogging or screen capture software, some security software just plain doesn’t work in many cases. Caveat emptor. If you want to be sure, you’ll have to write your own software.

Interestingly, at the current time keylogging software is not readily available for most PDAs and mobile devices, while encryption software is.  Future criminals and crime fighters take note.

Future Crime Reader Interests

September 22, 2006

Some readers may not be aware that the search terms you use to find Future Crime are reported and recorded. Interestingly, yesterday 28.5% of Future Crime’s views resulted from searches on the terms:

“how to use” “stolen credit card numbers”

I don’t know who you are, but unless you were very careful I expect your IP address was recorded as well as your search terms. Not very smart for a supposed future criminal!

ATM Hacking

September 22, 2006

Bruce Schneier reports today on a great future crime story in which the culprit uses an unchanged administrative password to reprogram an ATM to think it holds $5 bills instead of $20 bills. There are a couple of interesting aspects to this story. First, the attack exploits a well-known security flaw which remains an unbelievably common practice in a variety of settings: failing to change default passwords. Second, the attack doesn’t require the system to be altered, but rather uses the correct operation of the system (the Tranax Mini-Bank 1500 series) as part of the attack.

Another interesting aspect of this story is that it illustrates the tension between competitive business practices and security. Tranax has been trying to use innovative business practices to become more competitive in the ATM business, and these very practices may have enabled or aided this attack. This article from ATM Marketplace describes how Tranax is trying to make it as easy to order an ATM as it is to get a laptop from Dell. In fact, a quick visit to the Tranax support pages tells you that the default passwords can be found in the printed manual, which you can also order directly from their site. I note that although it’s probably a little harder today to get your hands on a Tranax manual, any legitimate owner of a machine has one. Therefore any legitimate owner or employee with access to a manual could easily try this exploit on any Tranax 1500 machine, regardless of who owned that machine.

Finally, the role surveillance played in discovering the exploit is interesting. While the culprit might have disguised himself and used a nearly untraceable prepaid ATM card to access the machine, the exploit might have gone undiscovered for a long time without the surveillance video showing how it was accomplished.

What is Crime.net?

September 19, 2006

Crime.net is a term I use to describe the impact of network technologies such as the Internet and mobile phones on crime and criminal enterprises. Applications of Crime.net include the following:

  1. Commission of crimes – this is the one part of Crime.net that’s gotten mainstream press coverage so far. Phishing, hacking into computers for credit card numbers, and so on. Data thefts at major retailers such as BJ’s Wholesale Club and Lowe’s indicate that there is probably more of this going on than has been reported in the media. And smart criminals may target smaller retailers that can’t afford the security resources of large corporations. Although not strictly a network-based attack, computers have also been used to steal cars and other items as reported here and here.
  2. Scouting targets – identifying people or places that are likely targets for crimes, and developing intelligence about targets. One blogger recently revealed how to use Google Calendar to scout potential victims for burglary or worse. Sound far-fetched? Criminals in South Africa have been observed using cell phones to photograph potential victims. Google maps provides detailed maps for locating possible escape routes, planning look out locations and so on. Satellite imagery can be used to examine roof tops for covert access points to buildings.
  3. Sharing criminal expertise – Criminals have used websites, blogs, etc. to share methods of operation, criminal techniques and strategies, and even information about specific targets. The notorious Shadowcrew site included instructions on how to commit identity theft and fraud. Some worry that these marketplaces will become a “bazaar of violence” facilitating murder and terrorism.
  4. Online markets for stolen goods – The Shadowcrew created an online market for stolen credit card numbers and eBay is used to “fence” stolen goods. More of these sorts of sites likely exist today.
  5. Avoiding capture – criminals can use surveillance technologies, cell phones, etc. to warn each other of the approach of law enforcement personnel. Usually we think of surveillance technologies being used to fight crime, but criminals can also use them to avoid capture. Picture phones and wireless IP based cameras can be used to warn of the approach of law enforcement. Drug dealers use cellphones and multiple operatives to avoid capture with large quantities of cash and drugs for example. Analysis of publicly reported crime statistics can be used to predict areas with less law enforcement coverage. Imagine a future web site where criminals could determine the locations of police cars in real-time accessible over a cellphone or by using a stolen or otherwise obtained police data terminal.

Chinese Computer Court and the Death Penalty

September 14, 2006

This story from earlier this month describes the use of a computer system called “penalty calculator” to help courts decide on criminal sentencing. The system requires the court to enter relevant details, such as the type of crime and possible mitigating circumstances, and the system uses this information to recommend an appropriate sentence. The system’s advice does not have to be followed by the judges, at least for now.

“The system will avoid different penalties for the same crime. Its usage will help enhance the efficiency of criminal trials,” according to a document produced by professor Chen Xingliang from Peking University, together with six other scholars from the Supreme People’s Court, Tsinghua University, Renmin University of China and the China University of Political Science and Law.

Perhaps more ominously, this story today reports that the system is being used to decide death sentences. China executes more people every year than every other country in the world combined, killing them either by firing squad or lethal injection. In 2004, Amnesty International estimated that at least 3,400 people had been executed and at least 6,000 sentenced to death by the end of the year. Last year, of 2,148 documented executions worldwide, 1,770 were carried out in China according to the Death Penalty Information Center. The death penalty is given for a wide variety of crimes in China including evading gasoline taxes, drug smuggling, and computer hacking. Earlier this year China announced that it would be reforming its laws and procedures regarding the death penalty in order to reduce the number of mistaken executions. In addition to firing squads, China makes use of mobile execution chambers and lethal injections to execute convicted criminals.

The software was developed by a Chinese company, Boya-Yingjie Communication Science, and has been under development since 2003. The software bases its decisions on a database of Chinese law and precedents. According to software designer Qin Ye, “The software is aimed at ensuring standardised decisions on prison terms. Our programs set standard terms for any subtle distinctions in different cases of the same crime.” It remains to be seen whether use of the software will increase or decrease the number of executions.

Phishing Targeting More Small Institutions

September 12, 2006

The latest report from the Anti-Phishing Working Group shows that phishers are targeting more institutions than ever before and targeting more small financial institutions. The report also documents a rise in the use of the Russian Web Attacker spyware including the phony World Cup soccer site that employed it.

Art Criminal: Hasan M. Elahi

September 11, 2006

This story at We Make Money Not Art describes the artwork of Hasan M. Elahi, who isn’t actually a criminal, but was suspected of being a terrorist and was investigated and interrogated between June and November 2002 by the FBI. Elahi says the FBI wanted to know everything he had been doing while overseas, “What was I doing there? Who was I speaking with? What did I see? Where did I sleep? And even down to what I ate and drank. I was eventually cleared and to the relief of my friends, family and co-workers, I am officially no longer considered a terrorist – after a 3 hour long polygraph exam which was repeated 9 times.”

Mr. Elahi’s art is influenced by Orwell’s vision of a future state of total surveillance and control. In one piece he wears a device which uploads images tagged with exact GPS coordinates of where the image was taken to a server, which then sends the GPS tag to the United States Geological Survey, which returns an aerial surveillance image of his location. The server compiles the returned map with the uploaded images and small thumbnails of the previously used images into the web-based file, which can then be accessed online.

Artist’s Statement:

I like to think about the appearance of technology rather than technology itself. More importantly how the technology is packaged or should I say, marketed into an appearance of desire and need for the consumer. This need I feel is more based on a social understanding and [social] function of the technology. Just as any other product that has a pioneering stage, an acceptance stage and an obsolescence stage, I feel that the timing of how a certain technology is adopted by society is far more important than the technology itself. It is in these human borders and frontiers that I am interested in…and also the traces that they leave behind. I have been attempting to bridge these virtual conditions with physical geopolitical parallels and have been fascinated at the translations and the mis-translations of them. I find the most potential in these mutual misunderstandings. I find states of designed obsolescence in structures and systems of power as a global citizen. I prefer lo-fi to hi-fi–and in these absurd realities, I find my works attempting to balance and tumble simultaneously.