Archive for the ‘id theft’ Tag

RFID Theft proof of concept demonstrated in Europe

Friday, December 22nd, 2006

A wise man once said:

One might note that easiest way to “prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes” is to NOT PUT IT ON THE CARD.

This was in reference to the Federal Government’s decision to use RFID, as part of the Government Issue IDs that comply with the REAL ID act.

I hate to say I told you so but …

BBC NEWS | Programmes | Click | ePassports ‘at risk’ from cloning
It will, we are promised, keep the unwanted and dangerous outside our borders, while streamlining entry for those welcome to come and visit.

But as the implementation of the scheme gets underway it is becoming clear that there could be serious problems with it.

Dap: Wiki News

Identity Thief Finds Easy Money Hard to Resist - New York Times

Wednesday, July 5th, 2006

One of my favorite series of commercials is the Citibank one in which victims of ID theft talk in the voices of the people who stole from them.
The NY Times has an interesting piece about a real serial ID thief. The piece does a good job of chronicling the perpetrator's history as an ID thief and covering his motivations, or at least what he tells us his motivations were, but this being the NY Times and not a more technically oriented publication, it only glosses over the how. Basically he says he used phishing to get the data he needed, or bought it from online brokers of stolen data. I'm more interested in the social engineering, beyond phishing, that he would have needed to pull off some of his scams: how he could show up at a dealership with $27,000 in cash (actual currency) and walk out with a vehicle, no questions asked. For someone his age to live such an expensive lifestyle with no perceivable source of income, he has to be part con artist. I want to know about that. Knowledge of the con is the only way we can craft policies and procedures to defend against it.

Stolen VA laptop found

Thursday, June 29th, 2006

CNN is also reporting that the SSNs have not been accessed since the robbery. I'm not sure how that could be verified; I do recall that the file system keeps creation, modification and last-access timestamps for each file, but it's been a while since I did any real work with a PC, so I'm not certain. Even intact timestamps only show that nobody opened the files through that file system: a thief who images the drive or mounts it read-only never updates the access times, so an unchanged timestamp is weak evidence that the data was not copied. I think the more interesting stuff is at the end of the piece:

According to the documents provided to The Associated Press, the analyst, whose name was being withheld, had approval as early as September 5, 2002, to use special software at home that was designed to manipulate large amounts of data.

A separate agreement, dated February 5, 2002, from the office of the assistant Veterans Affairs secretary for policy and planning, allowed the worker to access Social Security numbers for millions of veterans.

A third document, also issued in 2002, gave the analyst permission to take a laptop computer and accessories for work outside of the VA building.

“These data are protected under the Privacy Act,” one document states. The analyst is the “lead programmer within the Policy Analysis Service and as such needs access to real Social Security numbers.”

The department said last month it was in the process of firing the analyst, who is now challenging the dismissal.

It is not the analyst's fault for being robbed. It is the VA's fault for having insufficient procedures for handling personal data; the analyst apparently followed the established procedures for taking and handling it. This is not just a problem with the VA but with corporate and government organizations all over.

All together now “Encryption”

Friday, June 2nd, 2006

PGP came out 15 years ago. Ever since, there have been cheap, effective security tools available to the masses. To make it easier, WINDOWS ALLOWS YOU TO ENCRYPT FILE SYSTEMS (EFS has shipped with Windows since Windows 2000). We should ALL be using some sort of encryption to lock down our sensitive data, yet we have the VA theft and now this …

BetaNews | Laptop Theft Exposes 243k Credit Cards
The theft of a laptop out of an Ernst & Young employee’s car has turned into a massive data breach affecting hundreds of thousands of users of the travel-booking site Hotels.com. Altogether, the names and credit card data of some 243,000 customers have been compromised.

If you are going to take work data home, encrypt it!!!

UPDATE: If you need an encrypted file system but are worried about MSFT's <sarcasm>stellar</sarcasm> record on security, you can check out TrueCrypt, a utility that provides "on the fly" encrypted file systems. Dap for this goes to Travis Taylor
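As an added illustration of what "encrypt it" involves (this is example code written for this page, not code from PGP, EFS or TrueCrypt): a passphrase-based file encryptor using only the Python standard library. The passphrase is stretched with PBKDF2 into separate encryption and MAC keys, the data is XORed with a keystream derived from HMAC-SHA256 in counter mode, and the whole blob is authenticated with HMAC-SHA256 (encrypt-then-MAC), so a wrong passphrase or a flipped byte is rejected before any plaintext comes back. The format tag and the sample records are constructed for the example; the keystream construction is there to show the moving parts, and on a real laptop you would use full-disk encryption or a vetted AEAD library rather than roll your own.

```python
"""Passphrase-based file encryption, standard library only (added example)."""
import hashlib
import hmac
import os
import struct
import tempfile

MAGIC = b"IDT1"          # hypothetical format tag chosen for this example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 200_000  # slows down passphrase guessing
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN

# Constructed sample export of the kind the post is worried about.
SAMPLE_RECORDS = b"name,ssn\nJane Doe,123-45-6789\nJohn Roe,987-65-4321\n"


def derive_keys(passphrase, salt):
    """Stretch the passphrase into independent 32-byte encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key, nonce, data):
    """XOR data with successive HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out.extend(d ^ k for d, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(passphrase, plaintext):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)  # fresh per file
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = MAGIC + salt + nonce + keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # covers header too
    return body + tag


def decrypt(passphrase, blob):
    """Verify the tag in constant time, then decrypt; raise ValueError on any failure."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted blob")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:HEADER_LEN]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered data")
    return keystream_xor(enc_key, nonce, body[HEADER_LEN:])


def decrypt_or_none(passphrase, blob):
    """Convenience wrapper: None instead of an exception on failure."""
    try:
        return decrypt(passphrase, blob)
    except ValueError:
        return None


def encrypt_file(passphrase, src, dst):
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(encrypt(passphrase, data))


def decrypt_file(passphrase, src, dst):
    with open(src, "rb") as f:
        blob = f.read()
    with open(dst, "wb") as f:
        f.write(decrypt(passphrase, blob))


def tamper_is_detected(passphrase, plaintext):
    """Flip one ciphertext byte and confirm decrypt refuses the blob."""
    blob = bytearray(encrypt(passphrase, plaintext))
    blob[HEADER_LEN] ^= 0x01
    return decrypt_or_none(passphrase, bytes(blob)) is None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        plain, enc, back = (os.path.join(d, n) for n in ("vets.csv", "vets.csv.enc", "vets.out"))
        with open(plain, "wb") as f:
            f.write(SAMPLE_RECORDS)
        encrypt_file("correct horse battery staple", plain, enc)
        decrypt_file("correct horse battery staple", enc, back)
        print("round trip ok:", open(back, "rb").read() == SAMPLE_RECORDS)
        print("tamper detected:", tamper_is_detected("pw", SAMPLE_RECORDS))
```

The salt and nonce are random per file, so encrypting the same export twice yields unrelated blobs, and the tag is checked with a constant-time compare before any decryption happens.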

Hackers of the World !! Unite !!!

Monday, June 6th, 2005

For the past couple of weeks Bob X has been talking about phishing; this week he poses a solution:

The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business!

Let’s change that. If you get phishing e-mail, go to the web sites and enter false data. Make up everything — name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?

This technique kills phishing two ways. It certainly increases the phishing labor requirement by about 10,000X. But even more importantly, if banks and e-commerce sites limit the number of failed sign-on attempts from a single IP address to, say, 10 per day, theft as an outcome of phishing becomes close to impossible.

No bounties are required, no cops, no parallel webmail systems that force us to log-in to e-commerce sites when they tell us to. Phishing just becomes a very unprofitable business, which it should be.

Are you in?

If you ask me, that's a bot waiting to be written.
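The proposal above rests on the site-side half of the idea: capping failed sign-ons per source IP so a phisher cannot sift the 100 real replies out of 100,000 fakes. As an added example (not code from the original post, Bob X, or any bank), here is that cap with a small constructed sign-on service and a replay of a constructed harvest against it. The limiter, the service, the user list and the harvest are all hypothetical stand-ins.

```python
"""Per-source-IP cap on failed sign-on attempts, replayed against a phishing harvest."""
import hashlib
import hmac
import os
from collections import defaultdict


class FailedLoginLimiter:
    """Counts failed sign-ons per IP inside a rolling window (default 10 per day)."""

    def __init__(self, max_failures=10, window_seconds=86_400):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures

    def _recent(self, ip, now):
        cutoff = now - self.window_seconds
        self._failures[ip] = [t for t in self._failures[ip] if t > cutoff]
        return self._failures[ip]

    def is_blocked(self, ip, now):
        return len(self._recent(ip, now)) >= self.max_failures

    def record_failure(self, ip, now):
        self._recent(ip, now).append(now)


class LoginService:
    """Constructed stand-in for a bank sign-on page; stores salted password hashes."""

    def __init__(self, users, limiter):
        self._users = {}
        for username, password in users.items():
            salt = os.urandom(16)
            self._users[username] = (salt, self._hash(salt, password))
        self._limiter = limiter

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

    def login(self, ip, username, password, now):
        if self._limiter.is_blocked(ip, now):
            return "blocked"  # refused before the credential is even examined
        record = self._users.get(username)
        if record is not None and hmac.compare_digest(record[1], self._hash(record[0], password)):
            return "ok"
        self._limiter.record_failure(ip, now)
        return "failed"


# Constructed data: ten real accounts, and a harvest of 1,000 replies in which
# only every 100th pair is genuine (the rest are the made-up answers the post suggests).
REAL_USERS = {f"user{i}": f"real-password-{i}" for i in range(10)}


def build_harvest(n=1000, real_every=100):
    harvest = []
    for i in range(n):
        if i % real_every == real_every - 1:
            user = f"user{i // real_every}"
            harvest.append((user, REAL_USERS[user]))
        else:
            harvest.append((f"user{i % 10}", f"made-up-{i}"))
    return harvest


def replay_harvest(harvest, attacker_ips, max_failures=10):
    """Phisher tries every harvested pair, rotating through attacker_ips.
    Returns (accounts_compromised, attempts_refused_by_the_cap)."""
    service = LoginService(REAL_USERS, FailedLoginLimiter(max_failures))
    compromised = blocked = 0
    for i, (user, password) in enumerate(harvest):
        result = service.login(attacker_ips[i % len(attacker_ips)], user, password, now=float(i))
        if result == "ok":
            compromised += 1
        elif result == "blocked":
            blocked += 1
    return compromised, blocked


def run_demo():
    harvest = build_harvest()
    single_ip = replay_harvest(harvest, ["203.0.113.5"])           # one source address
    botnet = replay_harvest(harvest, [f"198.51.100.{k}" for k in range(200)])  # 200 addresses
    return {"single_ip": single_ip, "botnet": botnet}


if __name__ == "__main__":
    print(run_demo())
```

From a single address the phisher is shut out after the first ten misses and never reaches a genuine pair; spread the same 1,000 attempts across 200 addresses and every real credential gets through, which is why a per-IP cap needs a companion per-account lockout or step-up check against anyone willing to rent proxies or bots.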