Top German cop uses spyware on daughter, gets hacked in retaliation

By Mike S

via Top German cop uses spyware on daughter, gets hacked in retaliation:

It’s sad how frequently law enforcement officials bend or break the law to achieve their ends.

Problem 1: This guy forgot he was a father, and treated his kid as just another suspect.

Problem 2: The story reveals the Germans have a program for tracking individuals’ locations via cell phone and car GPS systems, and they had to take it offline because this guy’s home security sucked so hard.

Fortunately for connoisseurs of the weird, Der Spiegel revealed a stranger story in its magazine yesterday. According to the report, a top German security official installed a trojan on his own daughter’s computer to monitor her Internet usage. What could possibly go wrong?

Nothing—well, at least until one of the daughter’s friends found the installed spyware. The friend then went after the dad’s personal computer as payback and managed to get in, where he found a cache of security-related e-mails from work. The e-mails, in turn, provided the information necessary for hackers to infiltrate Germany’s federal police.


Category: Security | No Comments | January 9th, 2012

Antisec hits private intel firm; millions of docs allegedly lifted

By Mike S

In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc., apparently made no attempt whatsoever to comply with PCI DSS.

via Antisec hits private intel firm; millions of docs allegedly lifted:

Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.

[...]

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

So they stored the security code, stored the entire unencrypted credit card number, used plain-jane md5-hashed passwords, left everything wide open, and disabled what security features were built into the software they were using.

Very Bad Practice.
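To make the practice concrete, here is an added example (my own code, not Stratfor's, Ubercart's, or Antisec's) contrasting the storage pattern the article describes with a minimised record, plus a small audit that flags the fields PCI DSS forbids. The checkout payload, the tokenization key and the field names are constructed for the demonstration; a real shop would hold a payment processor's token rather than any key of its own.

```python
import hmac
import hashlib
import re

# Constructed checkout payload, as a store's custom module would receive it.
# The PAN is a well-known test number, not a real card.
SAMPLE_CHECKOUT = {
    "customer": "alice@example.com",
    "pan": "4111111111111111",
    "expiry": "12/2013",
    "cvv": "123",
}

# Hypothetical per-site tokenization key, constructed for this example only.
# A real deployment would use a payment processor's tokens instead.
TOKEN_KEY = b"example-tokenization-key-not-for-production"

PAN_RE = re.compile(r"\b\d{13,19}\b")
SECURITY_CODE_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code"}


def luhn_ok(candidate: str) -> bool:
    """Luhn check, used to tell a card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(candidate)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_cleartext(order: dict) -> dict:
    """The pattern the article describes: persist the checkout exactly as received."""
    return dict(order)


def store_minimised(order: dict) -> dict:
    """Keep only what a merchant needs after authorization.

    The security code is dropped (it may never be stored); the full PAN is
    replaced by an HMAC token for lookups plus the last four digits for display.
    """
    pan = order["pan"]
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "customer": order["customer"],
        "pan_last4": pan[-4:],
        "pan_token": token,
        "expiry": order["expiry"],
    }


def audit_record(record: dict) -> list:
    """Flag stored fields PCI DSS does not allow: security codes and cleartext PANs."""
    findings = []
    for key, value in record.items():
        if key.lower() in SECURITY_CODE_KEYS:
            findings.append(f"{key}: card security code must never be stored")
        if isinstance(value, str):
            for run in PAN_RE.findall(value):
                if luhn_ok(run):
                    findings.append(f"{key}: cleartext PAN present")
    return findings


if __name__ == "__main__":
    print("cleartext :", audit_record(store_cleartext(SAMPLE_CHECKOUT)))
    print("minimised :", audit_record(store_minimised(SAMPLE_CHECKOUT)))
```

Running the audit over a dump of existing customer records is the cheapest way to find out whether a shop is in Stratfor's position; the Luhn check keeps order numbers and phone numbers from showing up as false positives.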

Categories: Compliance, Security | No Comments | December 30th, 2011

How hackers gave Subway a $3 million lesson in point-of-sale security

By Mike S

One thing I really enjoy about computer security is learning from other people’s mistakes.

via How hackers gave Subway a $3 million lesson in point-of-sale security:

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

“With PCI compliance, those apps shouldn’t be on those systems,” said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But small retailers who don’t store credit card data are not required to have the same level of auditing as larger companies, Fellmann said.

It’s hard to believe a corporation as large as Subway put so little effort into PCI compliance, but this could have easily been discovered with an external scan, log monitoring, in-scope review, systems change monitoring, malware scanning, and so on and so forth.

So will Subway now have to post the Black Mark of Shame in every franchise?

Category: Security | No Comments | December 26th, 2011

FBI using Carrier IQ info for “law enforcement purposes,” refuses to release records

By Mike S

It’s amazing how much data our cell phones provide to so many different parties.

As we noted in several stories in the past few weeks, Carrier IQ software is installed on more than 140 million phones, including various Androids and iPhones, although Apple says it is in the process of stripping it out. Carrier IQ, handset manufacturers and wireless service providers have said the software is used only for diagnostic information to improve service, and that it is not used to record keystrokes or read users’ messages. However, the companies have faced questions from Sen. Al Franken (D-MN) and class-action lawsuits. How much data Carrier IQ collects from smartphones and what happens to it have not been fully answered, and the FBI’s statement does not clarify whether it is investigating Carrier IQ to determine if its software violates any federal laws, or if it is using data from Carrier IQ for other investigations.

via FBI using Carrier IQ info for “law enforcement purposes,” refuses to release records.

Category: Security | No Comments | December 13th, 2011

Suspension of Disbelief: magicians’ friends targeted by new phishing scam

By Mike S

The old wisdom said “Don’t trust any e-mail or attachment from someone you don’t know.” Unfortunately, your friends are pretty likely to click any old link they receive from anywhere, so be extra suspicious of suspicious e-mails from people you do think you know.

Last week, friends of Kyle and Kelly Peron got a disturbing email that appeared to be from the couple, a husband-and-wife magic act. It told of trouble overseas, claiming that the two had been mugged while vacationing briefly in the Philippines. “We’ve been to the Embassy and the Police here but they’re not helping issues at all and our flight leaves in few hours from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the bills,” the email pleaded. “Please, let me know if you can help us out?”

If the email had been from the Perons, it would have been some serious magic—seeing as they were at home in the Philadelphia area at the time. Like many people who use social media to promote their businesses and keep in touch with colleagues and customers, the Perons’ personal information was easily converted into a bit of social engineering that could fool the less skeptical.

The email, which asked for the pair’s friends to wire $2,500 by Western Union to the couple at an address in Manila, turned out to be an example of the latest mutation of the sort of friend-stranded-overseas scam that has run rampant through Facebook for years. Because of new password recovery schemes and other counter-fraud schemes being used by Facebook to prevent the social network from being used directly by fraudsters, the new modus operandi is much more subtle—and much more difficult for those being impersonated to stop. And once a scam’s been exposed, they quickly move on to another target.

via Suspension of Disbelief: magicians’ friends targeted by new phishing scam.

Category: Security | No Comments | December 5th, 2011

Wikileaks docs reveal that governments use malware for surveillance

By Mike S

The worst offender against privacy and security is always government.

The latest round of documents published by Wikileaks offers a rare glimpse into the world of surveillance products. The collection—which Wikileaks calls the Spy Files—includes confidential brochures and slide presentations that companies use to market intrusive surveillance tools to governments and law enforcement agencies.

A report that Wikileaks published alongside the documents raises concern about the growing use of mass surveillance tools that indiscriminately monitor and analyze entire populations. The group also points out that some of the products described in the documents are sold to authoritarian regimes, which use them to hunt and track political dissidents.

via Wikileaks docs reveal that governments use malware for surveillance.

Category: Security | No Comments | December 1st, 2011

BozoCrack Finds MD5 Plaintexts

By Mike S

A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply “cracks” md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but it’s pretty dang effective.

I imagine that with search engines archiving ever more data, this sort of “cloud-based” rainbow table use will become more common.

via PaulDotCom: Archives.
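Why a search-engine lookup works at all, and what makes it stop working, is easy to show in a few lines. The following is an added example of mine, not BozoCrack's code and not code from either post it illustrates (the Stratfor md5-hashed passwords above and BozoCrack here). The "public index" is a constructed dictionary standing in for Google; the wordlist and the PBKDF2 parameters are my choices.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the public web: pages that happen to list
# md5(word) next to word. BozoCrack's index is Google; this one is a dict.
COMMON_WORDS = ["password", "letmein", "123456", "qwerty"]
PBKDF2_ROUNDS = 200_000  # assumption: chosen for this example, tune per deployment


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_public_index(words) -> dict:
    """Anything ever published as 'hash = word' is, in effect, a lookup table."""
    return {md5_hex(w): w for w in words}


def lookup(index: dict, digest: str):
    """The entire 'cracking' step: a dictionary (or search engine) lookup."""
    return index.get(digest.lower())


def hash_password_salted(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a slow KDF, stored as hex(salt)$hex(key)."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def compare_schemes(password: str) -> dict:
    """Two users with the same password: unsalted md5 gives one searchable
    value for both; salted PBKDF2 gives a different, unindexed value each."""
    index = build_public_index(COMMON_WORDS)
    md5_a, md5_b = md5_hex(password), md5_hex(password)
    salted_a, salted_b = hash_password_salted(password), hash_password_salted(password)
    return {
        "md5_identical_for_both_users": md5_a == md5_b,
        "md5_found_in_index": lookup(index, md5_a),
        "salted_identical_for_both_users": salted_a == salted_b,
        "salted_found_in_index": lookup(index, salted_a),
    }


if __name__ == "__main__":
    for k, v in compare_schemes("password").items():
        print(f"{k}: {v}")
```

The point is not that md5 is "broken" here; it is that an unsalted digest of a common password is the same value everywhere it appears, so once anyone publishes the pair, every site storing that digest has published its users' passwords too. A per-user salt removes the shared value, and a slow KDF removes the incentive to build a table at all.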

Category: Security | No Comments | November 24th, 2011

Security Ostriches and Disintermediation

By Mike S

You can’t hide anymore behind security obscurity. You can’t assume you aren’t a target. It’s just too easy for some of these folks to break in, so they will. But the good news is with some decisive action and a little work you won’t be the path of least resistance. There are plenty of other ostriches being disintermediated as we speak, which should keep the bad guys busy for a little while. A very little while, so get to work.

via Security Ostriches and Disintermediation – Dark Reading.

Category: Security | No Comments | November 3rd, 2011

The Most Common Hiding Places for Workplace Passwords

By Mike S

It’s funny, because it’s true.

When I was an IT admin, I had the pleasure of dealing often with people who would submit urgent service requests and then leave for the day, leaving their office empty and computer locked by the time I could get there to help. Fortunately, I was often able to fix their problem while they weren’t there. Why? Their password was somewhere on their desk in one of these easy-to-find locations.

via The Most Common Hiding Places for Workplace Passwords.

Category: Security | No Comments | October 24th, 2011

Domain User Spraying and Brute Forcing Domain Default Passwords, Avoiding Lockout

By Mike S

Looks interesting:

A while ago, Dave Hoelzer did a nice video on how to use Windows PowerShell to hack domain user accounts. Basically, Dave leveraged PowerShell commands which any domain user can execute on a domain and receive either a positive or a negative response based on the legitimacy of the username and password combination. This got me thinking. Since I’m not typically handed, or able to spawn, a PowerShell right from the get go, what else could I use to accomplish the same goal? The answer is attempting to connect to the IPC$ share of a domain controller. Using the following command, you can spray a huge list of domain users with a small number of passwords (to avoid lockout) and try to catch someone using something simple.

@FOR /F %n in (names.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\DC01 /user:mydomain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC01\IPC$ > NUL

WARNING: Make sure the number of passwords in your file is less than that of the account lockout policy.

And the other obligatory warning – make sure you have approval from Corporate before trying this.

via PaulDotCom: Archives.
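From the defender's side, the loop above leaves a very recognisable trail on the domain controller: a burst of failed network logons (event 4625, logon type 3, bad-password substatus) for many different accounts from one source, each account touched only a couple of times so that lockout never fires. The following added example (my own code, not from the PaulDotCom post) parses a constructed, flattened sample of such events and flags the breadth-not-depth pattern. The event lines, IP addresses, user names and thresholds are all invented for the demonstration; the field names follow the real 4625 event.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, flattened Security-log failed-logon (4625) events, one per line.
# Not real log output: field names follow the 4625 event, values are invented.
# Lines 1-12: one source tries two passwords against six accounts (a spray).
# Lines 13-14: one user mistypes her password twice at the console (benign).
SAMPLE_EVENTS = """\
2011-10-20T09:00:01 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:02 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:03 EventID=4625 LogonType=3 TargetUserName=carol IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:04 EventID=4625 LogonType=3 TargetUserName=dave IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:05 EventID=4625 LogonType=3 TargetUserName=erin IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:06 EventID=4625 LogonType=3 TargetUserName=frank IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:07 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:08 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:09 EventID=4625 LogonType=3 TargetUserName=carol IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:10 EventID=4625 LogonType=3 TargetUserName=dave IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:11 EventID=4625 LogonType=3 TargetUserName=erin IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:00:12 EventID=4625 LogonType=3 TargetUserName=frank IpAddress=10.1.1.50 SubStatus=0xC000006A
2011-10-20T09:14:30 EventID=4625 LogonType=2 TargetUserName=carol IpAddress=10.1.1.7 SubStatus=0xC000006A
2011-10-20T09:14:41 EventID=4625 LogonType=2 TargetUserName=carol IpAddress=10.1.1.7 SubStatus=0xC000006A
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) SubStatus=(?P<sub>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn the flattened lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "logon_type": int(m["logon_type"]),
                "user": m["user"].lower(),
                "ip": m["ip"],
                "sub": m["sub"],
            })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5) -> dict:
    """Flag source IPs that fail logons for many distinct accounts inside one window.

    A spray keeps per-account attempts under the lockout threshold, so the
    signal is breadth (distinct users per source), not depth (attempts per user);
    an alert keyed on lockouts alone would never fire.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["sub"] == "0xC000006A":  # bad password only; ignore disabled/expired accounts
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and (best is None or len(per_user) > best["distinct_users"]):
                best = {
                    "distinct_users": len(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "under_lockout": max(per_user.values()) < lockout_threshold,
                    "network_logons": sum(1 for e in in_window if e["logon_type"] == 3),
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

Set `min_users` from what is normal for your environment (a helpdesk box legitimately fails for several users a day, a workstation does not), and treat `under_lockout` being true as the interesting case rather than the reassuring one.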

Category: Security | No Comments | October 20th, 2011