Security & Insecurity
419 Scammers Get "Scammed" by ScamBaiters
Topics: Security & Insecurity, Networked World

Interesting article from the 12 Nov 2007 Newark (NJ) Star Ledger... Web scam artists get taken in, too:

---
Just who is Babatope and why is he eating a loaf of bread while holding a dead fish on his head? To prove, of course, that despite his plea for money and despite his location in the Internet swindle epicenter of Nigeria, he is one honest and God-fearing man. Babatope is an Internet scammer, the kind responsible for those ubiquitous e-mails offering untold wealth to anyone willing to help move their funds to the U.S. It might be a $20-million estate entangled in government regulation, or a $30-million charity fund that needs an American handler. The scammers' stories are limitless and ever-changing. But in this particular case, it was Babatope who was the target of a scam that cost him months of effort and the humiliation of posing for a goofy picture to prove his devotion to the fictitious Church of Fish and Bread. Babatope is one of the countless victims of so-called scambaiters, a decentralized group of savvy netsters who spend their time turning the tables on Internet scam-artists by luring them into believing they are a bunch of wealthy patsies.
---

Some of the scambaiter sites are 419eater.com, scamorama.com, thescambaiter.com, and scambusters.org. The "trophy room" gallery on the 419eater site is a humorous exhibit of how far scammers will go to play a potential victim.

Many scambaiting sites will warn that scambaiting can have some risks. After all, the baiter is dealing with criminals and not everybody will play nice.

More on 419-type scams:

Although one hears much about Nigerians in these scams, it should be remembered that fraud is not confined to one nationality. Scammers come from many nations and peoples. Meanwhile, the scammers who are Nigerians have created a reputation problem for their countrymen. They've made it more difficult for legitimate Nigerian businesspeople to do business, especially internationally. This is a cost of crime that isn't often mentioned.

J.D. Abolins

Frank Abagnale, Jr. on Technology, Crime and Ethics
Topics: Security & Insecurity, Insights, Networked World, Cybercrime, Ethics

Back in mid-October, ComputerWorld published excerpts from an interview it had with Frank Abagnale, Jr., a former con artist and a consultant for the FBI. Abagnale's exploits were depicted in the movie "Catch Me If You Can".

One of the questions asked of Mr. Abagnale was, "Suppose you'd been born in 1990. How much of what you got away with 40 years ago do you think you'd be able to get away with as a 17-year-old today?" Abagnale answered, "It would be 4,000 times easier to do today, what I did 40 years ago, and I probably wouldn't go to prison for it. Technology breeds crime -- it always has, it always will."

He explained how expensive and time consuming it was to pull off some of his scams in the 1960s and how current technologies make the same action cheaper and easier. Also, the online information resources make it far easier to scout out information useful for scams.

When asked about ways to make computer crime less attractive to young people, Abagnale commented upon ethical shortcomings in present day society.

---
There are about four reasons why we have crime to begin with. One of them is, of course, that we live in an extremely unethical society. We live in a society that doesn't teach ethics at home, a society that doesn't teach ethics in school because the teacher would be accused of teaching morality. We live in a society where you can't find a four-year college course on ethics. I have three sons who went through graduate school; only the one who went to law school had a course even offered on ethics. So today you have a lot of young people who have no character, no ethics and they find no problem in defrauding somebody or stealing from somebody or cheating somebody. Until we change that, crime is just going to get easier, faster, more global, harder to detect. [....] I really think the more technology there is in the world, the more you have to instill character and ethics. You can build all the security systems in the world; you can build the most sophisticated technology, and all it takes is one weak link -- someone who operates that technology -- to bring it all down. People don't like to talk about that issue, because they think it's over-simplified. But the fact is, in all my experience, that's where the problem lies. Until that changes, crime is always going to be with us.
---

It may seem ironic that a former scam artist lectures on the need for teaching ethics, but he is right. Many of the current technology problems such as privacy and cybercrime are much more human problems than technology problems. The technology extends human capabilities to do the good, the bad, and the ugly.

In my experience back in the 1990s with kids getting into trouble with certain approaches to hacking, I saw a gap in mentoring. All the people in their lives who could talk about ethics did not know about technology, and the techies the kids knew did not talk about ethics. The kids were mentoring each other and, well, they are kids. The online world can look so much like a video game where physical world considerations don't work the same way.

Today, I believe it is getting better, but we are a long way off from effectively teaching ethics & technology. Some of the current efforts seem to be hobbled by "Thou shalt not pirate music" and similar themes, not really helping to develop the ability to think further about what one's actions do to others. (E.g., the anti-piracy themes and such fail to look further at the ethics of "intellectual property", of fair use allowances for the public, and such.)

The interview went on to examine international aspects of cybercrime and how organisations can protect themselves. Some good insights. I do question one of Abagnale's comments concerning background checks of people running systems:

---
So I think most companies fail to take into consideration that they've developed this great system, but then they've failed to look at the person who's operating the system, the person who has information about the system -- his background and how much that person can be trusted. Companies hire people today with very little background checking; they're put into positions or they earn their way up to positions where they can do something to harm or cheat that company. So we have to pay a lot more attention to that weak link -- the human part of the system.
---

I do agree with the importance of knowing who's working for you. But he makes it sound like there were more background checks years ago than today. This strikes me as quite odd, given things such as post-9-11 emphases on background checks and the expansion of positions for which a background check is required.

Perhaps it is the phrase "very little background checking" that is misleading. The problem is not the amount of checks but how good they are. Abagnale may be thinking of earlier, less mobile eras, when it was likely people would know a job applicant personally or, at least, know people who knew the applicant.

Many background checks today rely primarily upon databases and this is a mingled deal. There is more accessible data, but what does the available data really tell about the person? No hits on criminal records checks may seem good, but the full data might not be available for the search. The searches tell little about the person's character. How does the person deal with conflict? How mature is the person? How does the person deal with alluring temptations? (In some instances, people with clean records become crooks on the job because they face temptations they never had before in their lives. Before the particular work position, they had nothing valuable to steal and sell.) Perhaps the person is a scoundrel who knows how not to get caught committing a recordable offence.

Then there is the problem that the data might not really be connected with the person. Mismatched data or impersonation can make things difficult both for employers hiring a false negative and for innocent people hit with false positives.

J.D. Abolins

UK law now can compel disclosure of decryption keys in certain cases
Topics: Security & Insecurity, Privacy & Liberties, Cryptography, Law, Investigations, UK, RIPA

As of 1 October 2007, a change in UK laws has made it illegal to refuse to decrypt and/or hand over cryptography keys requested by the authorities in criminal or terrorism cases. A person believed to have the keys necessary for decryption who refuses to comply in a criminal case can face a maximum of two years in prison. In a terrorism case, the prison sentence can be five years.

This requirement and the penalties for non-compliance are specified by Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA). Here is an excerpt from RIPA specifying situations where the authorities must be given the decrypted information and/or the decryption keys:

---
Part III Investigation of electronic data protected by encryption etc.
49 Notices requiring disclosure
[...]
(3) A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary—
(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime; or
(c) in the interests of the economic well-being of the United Kingdom.
---

Yes, encrypted data can pose significant challenges for investigators. But the RIPA section on investigation of encrypted data presents several difficulties. Among them is the broadness of this section and who may be subject to it. For example, financial institutions may be required to decrypt or hand over keys in, say, a terrorism case involving funds transfers. The possibility may discourage financial firms from basing their operations in the UK. (The interests of UK's economic well-being reference in the above RIPA snippet may raise concerns for foreign firms.)

Richard Clayton, a Cambridge University security expert, had commented in 2006:

---
The notion that international bankers would be wary of bringing master keys into (the United Kingdom) if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction. With the appropriate paperwork, keys can be seized. If you're an international banker, you'll plunk your headquarters in Zurich.
---

(See also Richard Clayton's recent posting on the Light Blue Touch Paper site. He goes into more details about some of the problems with the RIPA crypto provisions.)

One of the difficulties that could arise is where a person believed to possess the ability to decrypt the data sought in the investigation doesn't really have that ability. Perhaps the person really has forgotten the passphrase and/or deleted the cryptographic keys. Would "I simply cannot remember" be an adequate defence? Probably not and the person goes to prison.

In some cases, there would be an incentive to pretend to have forgotten or otherwise hamper the access to the encrypted data. If the encrypted data could net a significantly longer sentence, a two or five year prison sentence may be a good deal. But what would be a reasonable penalty to discourage such an option? Give the maximum sentence for whatever crime the police suspected had been committed? That would strain concepts of justice.

Many issues to be considered and resolved.

See also...

There's a posting & an interesting discussion on this matter at Schneier on Security blog.

Elsewhere on the Web, J.D. "Illiad" Frazer has done a couple of comic strips on the new law on Oct 5th and this one on Oct 6th:

Comic strip posted per Web use conditions specified in the UF FAQ.

Actually, the comment in the above comic strip that a decryption key isn't a physical object but something in one's head may be confusing if one is thinking of, say, public and private keys as electronic files. The character's reference fits things such as passphrases that can be required to practically decrypt encrypted data. Still, the comic strip makes a good point.

Cryptically yours,
J.D. Abolins

A good article on social engineering
Topics: Security & Insecurity, Insights, Hacking, Penetration Analysis, Human Factors

The InfoWorld article, "How to think like an online con man", gives a better than average overview of social engineering and how it is done. Many tech magazine articles depict social engineering too simplistically, making readers even more vulnerable to real life social engineering.

A common example of the simplistic depiction is that of the human factors hacker calling a corporate employee and posing as a tech support person. "We're having trouble with our network and we need to test your connection.... what's your user ID?.... Good, and what's your password?..." The trouble is that the reader is expecting to be approached that obviously and, thus, fails to realise more subtle ways one can be manipulated.

This InfoWorld article does a better job without giving away complete SE scripts.

InfoWorld also has a related story on "stupid hacker tricks", telling how some "hackers" have gotten tripped up by their own human factors foibles.

Have had encounters with unsociable engineers,
J.D. Abolins

Pointer: Philadelphia Inquirer series on Shannen Rossmiller
Topics: Security & Insecurity, Networked World

Interesting article about an online investigator and some of her techniques:

---
AN UNEXPECTED PATRIOT
Shannen Rossmiller is a former Montana judge who hunts terrorists online. After witnessing the 9/11 attacks, she became "radicalized," deciding to learn Arabic and pretending to be an extremist to lure jihadists on the Web into revealing their plans to destroy America.
---

Ms. Rossmiller's Web site is at http://www.shannenrossmiller.com/.

J.D. Abolins

Another article on public video surveillance
Topics: Security & Insecurity, Insights, Privacy & Liberties, Surveillance, Panopticon, Public Safety

Related to my recent posting on public video surveillance, I came across an interesting article on the San Francisco Chronicle Web site. The article "S.F. public housing cameras no help in homicide arrests" shows that cameras by themselves will not help if they are not monitored or maintained.

Perhaps, there is an economic factor in the support or lack of support for installed video surveillance systems. London's "Ring of Steel" is well supported because it is protecting a major political and financial centre. San Francisco's public housing developments (roughly equivalent to UK's council housing) aren't protecting "high value" sites and funding falls lower in priorities.

Maybe, in some cases, the municipal government spends most of the funds on the actual equipment but doesn't allocate funding for supporting the surveillance systems fully. Do the vendors always give the full and accurate picture of the costs? Many of those ongoing support costs, such as the people to monitor the video and responders to deal with detected crimes, do not bring in profits for the camera equipment vendors. The municipal government customers may also have the impression that the cameras mean fewer officers are needed on the streets.

Just my ponderings.

Oh, by the way, video surveillance for private businesses is often encouraged by insurance considerations. If the cameras shift the crime elsewhere, that's not the business's concern.

J.D. Abolins

A Good Analysis of Mpack
Topics: Security & Insecurity, Malware, PHP, Fraud, Cybercrime

Panda Labs recently published an analysis "Mpack uncovered" [pdf]. It gives an interesting technical overview. See also the Panda Labs blog entry More Mpack information from Panda Labs.

F-Secure's blog has a brief explanation of what Mpack does:

---
MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment. The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors.
---

News.com has an overview of Mpack with a graphic of how it can be used to exploit systems. Meanwhile, Security Focus has an interview with Mpack's developers.

There was another Web reference for Mpack that gave some interesting details, but I can't find it now. If I do, I'll post it.

J.D. Abolins

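A site owner's check for the inserted IFrame that the F-Secure excerpt above describes, as an added example that is not part of the original post or of any of the analyses it links to: it lists every iframe in a served page whose source is a host the owner has not approved. The host names, the address, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; every host name and address here is made up.
SAMPLE_PAGE = """<html>
<body>
<h1>Store hours</h1>
<iframe src="/widgets/map.html"></iframe>
<iframe src="https://maps.partner.example/embed?id=7"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://203.0.113.7/landing/index.php"></iframe>
</body>
</html>"""


class IframeCollector(HTMLParser):
    """Record (line number, src) for every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src") or ""
            self.frames.append((self.getpos()[0], src.strip()))


def unexpected_iframes(html, site_host, allowed_hosts=()):
    """Return (line, src, host) for iframes loaded from an unapproved host."""
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, src in collector.frames:
        # Relative URLs have no host part and stay on the site itself.
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in allowed:
            findings.append((line, src, host))
    return findings


if __name__ == "__main__":
    hits = unexpected_iframes(SAMPLE_PAGE, "www.shop.example",
                              allowed_hosts=["maps.partner.example"])
    for line, src, host in hits:
        print(f"line {line}: iframe loads from unapproved host {host}: {src}")
```

Run against pages as the server actually delivers them, since the excerpt describes the IFrame being inserted on the web server after a password compromise.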