So, I went to Walmart with my fiancé, and while we were checking out, I showed my credit card and ID to the employee at the checkout, and the person said, “I don’t know why people do that, it’s not like we check ID for credit cards.” The checkout clerk didn’t even want to look at my card, or my ID, nor did he validate that my card was signed. (Which it’s NOT)
I tried to explain that when using a credit card, identification is also supposed to be checked, and this person replied, “What if someone gave their card to another person to buy things for them? It’s not like we [Walmart] have a policy against people using other people’s cards, it’s not like we can stop them or anything.” They followed with, “We allow people to use cards that aren’t theirs, we do it all the time.”
I took a moment to try to explain that this was fraud, but the person behind the register simply said, “Well how can it be illegal, we do it all the time?”
I finally finished with the statement, “Well, now I know how my credit card was used illegally in Lawrenceville Georgia last month at a Walmart.” It seems to be the place to purchase goods with stolen credit cards.
Needless to say, Walmart seems to be the lowest common denominator when it comes to Credit Card Fraud. Read some of the stories below to learn more…
Do you have a retailer that doesn’t check cards well? Please comment and let us know.
- Walmart Rejects Con Men’s First 12 Fake Credit Cards – Then Accepts 2 (dailyfinance.com)
- New Walmart Policy Requires Customers To Fork Over Their Credit Card’s 3-Digit Security Code (consumerist.com)
- Walmart Protects Cyberthief Privacy While Choosing To Not Prosecute (storefrontbacktalk.com)
- Suspect wanted for alleged credit card theft, fraud in Suffolk (wtkr.com)
- Police Seek Fraud Suspect (stlouis.cbslocal.com)
- 302 Counts of Fraud Offenses In Wallingford Arrest (connecticut.cbslocal.com)
- Woman admits gambling fraud, credit card theft (billingsgazette.com)
- How One Woman Stopped Card Fraud at Walmart (storefrontbacktalk.com)
Today while going through some of our logs, I was alerted to several instances of systems that are susceptible to a “reverse HeartBleed” attack. As the company I work for is very risk averse, I tried to contact the hosting company (SoftLayer) to discuss this with them. I reached out to them via their online chat application, and chatted with a nice fellow, presumably named “Jason S.” The transcript of the conversation appears below, with my name and my company’s information redacted.
Thank you for choosing SoftLayer. A representative will be with you shortly. <telephone#>
You are now chatting with ‘Jason S’
Jason S: Hello, thank you for contacting SoftLayer. How can I help you today?
dc0de: Jason, how can I get in contact with your Information Security Group? We are receiving attempts to break into our systems from one of your hosted IP Addresses
dc0de: Actually, from several.
Jason S: I’m sorry to hear this dc0de
Jason S: May i have your account number?
dc0de: We do not have an account number.
dc0de: I’m with , and I’m a Sr. Information Security Analyst, working for the VP of Information Security.
dc0de: dc0de Information Security Analyst
dc0de: ^^ My information
dc0de: If you could put me in contact with your information security team, I would greatly appreciate it.
Jason S: You will need to email email@example.com
Jason S: Put all the information you have in the email and our abuse team will take care of it
dc0de: I would like to speak to someone on the phone or we will have to block your IP ranges from coming to our data centers, thereby potentially impacting your customers.
dc0de: Could you have someone in your Information Security team contact me directly, or provide me with a phone number to call?
Jason S: You can try our support number
Jason S: SUPPORT: 866.403.7638
Jason S: But I’m afraid they are going to tell you the same thing.
dc0de: are you saying that you do not have an information security department?
Jason S: We do take these things seriously and will look in to it
Jason S: That would be our abuse team
dc0de: and they are only available via email? That’s not very approachable.
Jason S: Is there anything else I can assist you with dc0de?
Jason S: Thank you for choosing SoftLayer. We value your feedback. Please click the “Close” button at top right to answer a few questions about your experience with us today.
As you can see, there wasn’t a very simple method to get in touch with their “InfoSec” people, and as such, I’ve gone to Twitter and posted this, to show how poor hosting providers are these days, and how difficult they make doing our jobs in InfoSec.
The worst part? SoftLayer is hosting several systems for a company based out of Nigeria, in their Dallas Data Center that are at the heart of the problem. Whelp, if you’re a SoftLayer customer and have difficulty communicating with some businesses in North America, don’t blame us, we just blocked the SoftLayer network blocks at our border.
Note to SoftLayer – We tried to get in touch with you, and you made it very inconvenient, if not impossible to work together. Kthnxbye.
Today, many of us have at least one portable device (smart phone/tablet/mobile hotspot/etc) in our households. These devices provide us the ability to do more things when we are in and out of the office. This new era of technology is certainly changing the landscape of how we work, play, and communicate. We would like to explore a scenario that could happen to you, that has already happened to countless others, so that we can explore the risks and pitfalls that also come with this new technology.
What we’re talking about is having your device infected, lost, or stolen. Understanding the risks will help you recover more quickly from these events, and hopefully make you a smarter portable device user. So let’s start out with the basics, the risks of smartphones.
These top risks have one thing in common: data theft or loss. This is a huge area where criminals are eager to gain a larger foothold. Let’s take a minute to think about the data on your device.
First, you have your name, most likely your home address, some contact information for friends and family, and most of the time information about your employer, perhaps even email, remote access, and other sensitive data. Some people actually do their banking from their devices, send information via SMS/text messaging and social networks, and much more.
Most people store this on their phone and save passwords, so someone gaining access to the phone could potentially gain access to all of the accounts and data that the phone is enabled to connect to.
Thankfully, there are a few simple things that you can do, to make this much more difficult for these actors to get YOUR data and information.
- Notify your carrier immediately if your device is lost or stolen. This allows your carrier to try to locate and/or wipe your device remotely, reducing the risk of data loss or malicious use of your device.
- Password protect and encrypt your device. These steps decrease the risk of data loss in the event that your phone is lost or stolen. Install remote detection, remote wipe, and remote photo capturing applications. If your device can be remotely wiped, a lost phone does not have to turn into a data breach.
- Install only approved applications from approved application sources (Google Play, or the Apple App Store). Beware of “free” applications: many applications that appear to be “free” also collect data from your device, WITH YOUR consent.
- Do NOT automatically connect to wireless networks. Many devices are set to connect automatically to wireless networks; however, there are many public places with open wireless, which is not secure and is easily spoofed. How do you know that the wireless network you connected to really is the official “coffee shop” wireless access point? There could be someone sitting in the coffee shop with a fake wireless device in their backpack, broadcasting the same network name (SSID) as the “coffee shop”. It happens more frequently than many would like to admit, and is a great way to get people’s account information and personal data, and to install back doors on mobile devices. Use care when connecting, and only connect to wireless networks that you are certain aren’t under malicious control.
- Disable auto-discovery of Bluetooth on mobile devices and laptops. Many devices are left in the “broadcast” (discoverable) mode of Bluetooth, allowing other devices to find, and potentially connect to, your device. While some strides have been made to make this a more secure method of short-distance communication, many devices are still broadcasting their Bluetooth IDs blatantly, for the world to see.
- Five Steps to Mitigate the Risks of BYOD (shoretel.com)
- BYOD continues to revolutionize communications (shoretel.com)
- How to Find a Lost or Stolen Android Smartphone or Tablet (gottabemobile.com)
- Minnesota enacts 1st law on cellphone disabling (kansascity.com)
- The Beginners Guide to Bring Your Own Device (BYOD) (marblesecurity.com)
- Top Ways To Protect Gadgets (smartsign.com)
- Why You Should Do More to Secure Your Smartphone (dailyfinance.com)
- Mobile Operator Takes a Stand Against Stolen Devices (mylookout.com)
Today, more than ever, with the release of the recent NSA Spying scandal, the new version of CALEA going forward in Washington, and ever present movement by governments to read into the private messaging of individuals, we all need to get smarter, and use tools that we may have never touched before, to regain the privacy in interpersonal communications across the internet. There are many tools out there, and there are many different ways to achieve the same goals, however, today, I’m going to talk about a few p̶r̶o̶d̶u̶c̶t̶s tools that I use on a daily basis for Instant Messaging (IM) from my Windows 7 computer.
First and foremost, I use Pidgin for all my IM needs. Pidgin is available, for free, to anyone, simply by going to http://pidgin.im/. For those of you who are reading this with limited experience with Free Open Source Software (FOSS), this will be a revelation: yes, there are free tools out there that you can download, install, and use, with no charge, no catch, no penalties. Pidgin is my main tool for chatting inside and outside of work. It also allows me to have multiple connections to different IM services, as seen in the list on their website.
I’m only using AIM, Google Talk, IRC, MSN, and Yahoo!, and I also use SIPE, which allows connection to my internal Microsoft Communicator through the rich plugin architecture built into Pidgin. Pidgin allows developers to build plug-ins so that you can extend the functionality of the tool, and SIPE is one of those that works very well, allowing me to use one client to “rule them all”, so to speak, with regard to my Instant Messaging. While there isn’t a Pidgin for mobile devices yet (I’m ever so hopeful), this tool does allow me to have all of my IM contacts available in one tool on my computer, where I spend the majority of my day. This plugin architecture is critically important for the privacy aspect that I mentioned above, as an external plugin is needed in order to achieve secure Instant Messaging.
Once you have installed Pidgin and have gone through the setup of the client, you should easily find how to add your accounts into the tool. Once this is done, and you’ve tested the functionality with your Instant Messaging contacts, it’s time to go private… Now here is the difficult part. If you want to encrypt your communications end to end, the person you’re Instant Messaging with has to have the same type of encryption. In this write-up, we’re talking about the tool called OTR, or Off-The-Record Messaging. OTR supports several IM clients; from the https://otr.cypherpunks.ca/ page, I see that OTR can function with Pidgin, Adium, Miranda, and Kopete, and they also support an AIM proxy. You can read more and view video tutorials on their page.
Simply put, adding OTR to Pidgin is a trivial Windows install, requiring that you specify the location of the installed Pidgin program (if you changed it from the default when you installed Pidgin), and a restart of the Pidgin application. Once installed, you simply launch Pidgin, go to the Tools menu, select Plugins (or press CTRL-U), scroll down in the plugins list to Off-the-Record Messaging, put a check in the box to the left of the title, and select the “Configure Plugin” button at the bottom. Inside the plugin’s configuration dialog box, you’ll find two tabs, Config and Known fingerprints.
The Config tab holds your default OTR settings, as well as the ability to generate private and public key pairs for use when communicating securely with someone else. You will see your defined IM accounts in a drop-down list, and you can select each one and generate a key. You should only need to generate these keys once per computer, and there are methods to back these keys up and take them with you; however, I will not be covering that process here. There are many sources on the internet describing how to do this, and Google is your friend (giyf). If you’d like to know how to do this, bookmark this post and come back to it later, as I’ve added a Google search for the instructions here.
Once you have that setup done, it’s time to find your friends, get them using one of the OTR-supported IM clients, and set up some conversations. I’ve looked through the data that passes through the OTR plugin and saw that it was completely encrypted; it appears as total garbage to whoever is spying on your communications. Bear in mind that you are responsible for ensuring that your communications are encrypted; the OTR plugin adds informational messages into your IM window showing you the status of your communications.
receiving encrypted IM, when you’re not encrypted
setup of encrypted communications and confirmation of encryption
Note that even though I do not log my OTR conversations, that doesn’t mean whoever I’m communicating with isn’t logging theirs, so it’s no guarantee that your conversations won’t come back to haunt you; it does, however, encrypt the transport end-to-end to ensure that no one can snoop on the wire.
When you first set up your communications, you’ll receive a notice that your buddy is not “Authenticated”. This page shows how that authentication can be accomplished. Please use NON-IM methods of confirming identity if you are not sure who you are chatting with. A fuller step-by-step walkthrough of how to set up and use Pidgin and OTR can be found here. (https://securityinabox.org/en/pidgin_securechat – no affiliation)
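To show what the Known fingerprints tab and the “not Authenticated” notice are doing for you, here is a small added example (my own illustration, not code from this post, from Pidgin, or from the OTR project). It models a per-buddy fingerprint store: the first time a buddy’s key is seen it is recorded but marked unverified (trust on first use), a fingerprint read back over a non-IM channel (phone, in person) marks it verified, and a later session presenting a different key is flagged as a mismatch, which is exactly the case where someone on the wire could be sitting between you and your buddy. The “public keys” are constructed byte strings standing in for real DSA keys, and the SHA-1-with-spaces display format is an assumption chosen to resemble the 40-hex-digit fingerprints the plugin shows; the real plugin’s storage format is not reproduced here.

```python
"""Toy model of OTR-style fingerprint trust (added example, not OTR code).

Assumptions: the byte strings below stand in for real DSA public keys, and the
fingerprint display (SHA-1, 40 hex digits in groups of 8) is an illustration of
the plugin's display style, not its exact implementation.
"""
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Return a 40-hex-digit fingerprint, shown in five groups of eight."""
    digest = hashlib.sha1(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def _normalize(fp: str) -> str:
    """Ignore spacing and case so a fingerprint read aloud compares cleanly."""
    return fp.replace(" ", "").upper()


class KnownFingerprints:
    """Per-buddy fingerprint store with trust-on-first-use semantics."""

    def __init__(self):
        # buddy name -> {"fingerprint": str, "verified": bool}
        self._store = {}

    def observe(self, buddy: str, public_key: bytes) -> str:
        """Record/compare the key a buddy presented; return the session status."""
        fp = fingerprint(public_key)
        known = self._store.get(buddy)
        if known is None:
            # First contact: remember the key, but it is NOT authenticated yet.
            self._store[buddy] = {"fingerprint": fp, "verified": False}
            return "unverified"
        if known["fingerprint"] != fp:
            # Different key than last time: reinstalled client, or someone in
            # the middle. Treat the session as untrusted until checked out of band.
            return "mismatch"
        return "verified" if known["verified"] else "unverified"

    def verify_out_of_band(self, buddy: str, fingerprint_read_aloud: str) -> bool:
        """Mark a buddy verified only if the out-of-band fingerprint matches."""
        known = self._store.get(buddy)
        if known is None:
            return False
        if _normalize(fingerprint_read_aloud) != _normalize(known["fingerprint"]):
            return False
        known["verified"] = True
        return True


# Constructed stand-in keys; a real client would hold actual DSA public keys.
BOB_KEY = b"constructed-stand-in-public-key-for-bob"
INTERLOPER_KEY = b"constructed-stand-in-key-presented-by-someone-else"


def demo() -> tuple:
    """Walk through first contact, phone verification, a good session, a bad one."""
    store = KnownFingerprints()
    first = store.observe("bob", BOB_KEY)                    # "unverified"
    # Bob reads his fingerprint over the phone (spacing/case may differ).
    phoned = store.verify_out_of_band("bob", fingerprint(BOB_KEY).lower())
    second = store.observe("bob", BOB_KEY)                   # "verified"
    # A later session where a different key is presented under Bob's name.
    third = store.observe("bob", INTERLOPER_KEY)             # "mismatch"
    return first, phoned, second, third


if __name__ == "__main__":
    print(fingerprint(BOB_KEY))
    print(demo())
```

The point the code makes is the one the post makes in words: encryption alone tells you the channel is private, and only the out-of-band fingerprint check tells you it is private with the right person.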
Once you’ve got everything working, it’s wonderful to know that your communications cannot be intercepted by your employer, your government, your enemies, or anyone else out to remove your privacy from your communications.
If I have time, I’ll follow up on how to setup some other methods to increase your privacy on the internet. Please stay tuned.
- The FBI wants a backdoor into all communications software (vr-zone.com)
- 28 European Union countries warn US over spying scandal (huffingtonpost.com)
- Cartoon: NSA Spying Scandal (englishblog.com)
- Google’s Eric Schmidt: NSA spying ‘outrageous’ (rt.com)
- Encrypt your GTalk / Hangout / Facebook chat (phrozenblog.com)
- Enhance Your Online Security. 7 Encryption Tools to Protect Your Data (maketecheasier.com)
- Technology to Protect Against Mass Surveillance (Part 1) (eff.org)
- It’s 2013. We’re all being spied on. Why do security software websites not use HTTPS? (micahflee.com)
- Avoid PRISM: Change Your Instant Messenger (news.softpedia.com)
- Mike Tyson Cartoon Coming to Adult Swim (contactmusic.com)
- Adult Swim Acquires Off-Network Rights To ‘Bob’s Burgers’ (deadline.com)
- Things You Need To Know About The New Law Against Internet Piracy (womenlovetech.com)
- Piracy is Still More Convenient (zeropaid.com)
- 3 Common Misunderstandings About Anti-Piracy Enforcement (plagiarismtoday.com)
- BitTorrent Absurdly Sensitive About Being Linked to Piracy – Scolds Netflix For Conflating a Protocol With Piracy (dslreports.com)
- Piracy in cinemas (robertmclaughlin100.wordpress.com)
So, a geek friend of mine (we’ll call Joe) has a teenage girl (we’ll call Ana) who started sleeping in late, and skipping her first few classes of school. “Joe” has a rule for “Ana” about school. That rule is very simple, “Don’t make me have to talk to the school, ever.”
Well, “Ana’s” behavior was causing the school to contact “Joe” daily, and after discussing the problem with “Ana” for several days, with no real change in her behavior, “Joe” took the problem on as only a geek would do. He decided that he would wake her up at 0530, to ensure that she could get up, showered, dressed, eat breakfast, and walk to school on time.
At this point of the story, it is important to inform you that “Joe” is a night owl. He is a very grumpy morning person, if not as bad as me, perhaps a bit worse.
- He does NOT do mornings.
- At All.
So, “Joe” goes down to Harbor Freight, purchases a “100 dB Old Fashioned Sound ‘Ooga’ Air Horn”, couples it with an Arduino on his home network, places it under “Ana’s” dresser in her bedroom, and sets up a cron job to fire it off at 0530. This was all done while “Ana” was in school.
Fast forward to the next morning…
The cron job fires, 100 dB of OOoooga Goodness goes off for 5 seconds, and “Ana” bolts out of her room angry, showers, gets dressed, eats breakfast, and gets to school on time.
That afternoon, when she comes home, she and “Joe” sit down and talk again, and “Joe” asks, “So, you seem to be having a problem with getting up in the morning. We discussed this problem, and it’s impact on me, as I don’t want to get calls from the school. So, your problem, became MY problem. I’m a problem solver. Are we going to have a problem getting up tomorrow morning? I can set an alarm for you.”
“Ana” replied, “No, we’re not going to have a problem.”
“Joe” is a kindred spirit, we’re problem solvers. Don’t make YOUR problem MY problem, I WILL solve it.
FYI, “Ana” has been getting up in the morning on time ever since…
“Exactly two things have made sexism lower at DEFCON since DEFCON 8:
An increased number of women in technology attending, and attendees who now know that they may have to step in to help. Everything else … is security theater.”
Paying Homage to the Community…
As we begin to prepare to go to DEFCON 20 we need to be humbled that something that Dark Tangent (aka Jeff Moss) started twenty years ago, is not only still going on, but is THRIVING more than ever. When I went to DEFCON in 2000, (DEFCON #8), I never really expected that I would be able to support the community that makes this convention possible. Not only was I awestruck by the amount of knowledge and camaraderie that defines DEFCON, but also wanted to help continue to give something back to the community that makes DEFCON possible. As DEFCON grew, and moved from the venerable Alexis Park to the Riviera Hotel, I was asked by noid (Head of Security Goons) to become a Security Goon. Not only was I honored, but I had very little knowledge of how much work was involved and how great an organization the Security Goons and DEFCON Goons were.
Now that I am a Goon, this will be my 7th year donating over a week of vacation, personal expense, and compromise to volunteer my time to work at DEFCON. Some of the maladies that befall a Goon while walking anywhere from 11 to 21 miles per DAY, for at least three days (this year looks like 4 days of work), include:
- leg cramps
- sore feet
- loss of voice
- “DEFCON Flu”
- Sharpie on body parts
- over ingestion of alcohol
- verbal and physical abuse
- The DEFCON Documentary (ascii.textfiles.com)
- DefCon: 20 Years of Hackers, Hijinks and Snooping Feds (wired.com)
- An Insider’s Look at the Social-Engineer.Org SE CtF at DEFCON (ethicalhacker.net)
- Defcon 20 SECTF For Kids: Return of the Schmooze (social-engineer.org)
- Defcon 20 SECTF – Battle of the SExes (social-engineer.org)
A friend of mine had his motorcycle stolen between 11/4/11 19:30 and 11/5/11 10:00 near 25th and Gaffey, San Pedro CA. Please be on the look out for it, it’s a 1977/76 Motoguzzi 850 t3, with the following distinguishing features.
• Clutch lever is original Motoguzzi aluminum (as seen in photo)
• Rear brake lever is newer, black, very different from the clutch lever
• The pipes you see in that picture are specific. They aren’t unique but you probably won’t see another Motoguzzi with them
• The tank has a ‘scar’ on the right side just below the Motoguzzi logo
• Seat is new marine vinyl except for the rear section which still has the original material, with a crack, and the original MotoGuzzi silk screened on it
• Has non-stock, aftermarket spoke wheels
• Front tire has a groove in it, just right of center (as you’re facing it)
If you have any information at all regarding this motorcycle, please contact flea23b at gmail dot com, or me at mr.dc0de at gmail dot com. (note that there is a ZERO in my username)
I just read this article on computerworld.com, and was happily surprised for the first time in 10 years.
Finally, someone gets “it”.
The FFIEC is planning on requiring stronger dual authentication methods for online transactions, which is a very good thing. PCI, Sarbanes-Oxley, HIPAA, GLBA, and a myriad of other regulations and requirements are not keeping pace with the ever-shifting threat landscape. In fact, most of them are so committee driven that it simply takes YEARS to get a new requirement instituted in the standard, and then there are YEARS allowed to implement the new standard. The FFIEC is a bit different, however. I’ve worked in the financial sector for many years (12+), and have respected the FFIEC’s direction with information security. I feel that they set the strongest set of standards today, with the exception of Top Secret Government networks.
The greatest part of the FFIEC is that their governance has teeth. If a financial institution fails the audit, and fails to remediate the failings, the FFIEC’s Regulatory Agencies can go so far as to close that financial institution. This is different from almost every other regulation or requirement, as the business is simply closed. Not fined, not shamed on the front page of national newspapers; it simply has its doors closed. Ponder that for a moment: you fail, and you’re closed. You can’t Risk Manage away the cost of LOSING THE ORGANIZATION, unlike a fine for non-compliance… so, IMHO, those are REAL TEETH. I’ve added a link to the FFIEC’s Standards and Regulations at the bottom of this post.
My two favorite comments in the article are below:
“Obviously, some of the banks thought that it was enough if they simply added cookies or challenge/response-based authentication,” Litan said.
“What has happened is that the FFIEC has realized that some banks need to be told in black and white what they need to do.”
- Govt May Soon Force Banks to Impose New Online Authentication Steps (pcworld.com)
- FFIEC Guidelines – Update Imminent? (silvertailsystems.wordpress.com)
- SC Magazine on whether or not authentication is sufficient (silvertailsystems.wordpress.com)
- Incite 1/25/2011: The Real-Time Peanut Gallery (securosis.com)
- Hurricane Beacon 2011-01-26 (hurricanelabs.com)
- Experi-Metal vs. Comerica Case Heads to Trial (krebsonsecurity.com)
- Escrow Co. Sues Bank Over $440K Cyber Theft (krebsonsecurity.com)
- Silver Tail Systems webinar with Brian Krebs (silvertailsystems.wordpress.com)