Archive for August, 2014

The scope of yesterday’s computer attack against JPMorgan Chase and at least one other bank appears to be much larger than initially reported.

In addition to possibly affecting seven financial organizations, instead of two as originally reported, some bank records at JPMorgan were altered and possibly deleted, reported CNN, citing unnamed sources. The source of the attacks is not yet known.

Getting access to bank records is uncommon but not unheard for hackers, who often change computer logs to cover their tracks but can’t always get to more sensitive data, said RedSeal cybersecurity expert Robert Capps.

“Being able to change bank records is an interesting, but not novel, approach to unlawful enrichment,” he said. “There have been reports of embezzlement and outright theft by malicious insiders, since computerized banking records have been in existence.”

This case, however, involved outsiders who targeted specific employees at JPMorgan Chase to gain access to their computers and the bank databases. The Federal Bureau of Investigation and the Secret Service, which are investigating the breach, have not said whether customer bank records or identity details were compromised.

Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said that it wasn’t likely that this kind of attack came from your “average cybercriminal.”

“If hackers are capable of accomplishing this, it means they have spent a significant amount of time studying the [bank's] records system before attempting any kind of serious manipulation,” he said. “It’s not impossible, however, if they were able to modify records using high-level credentials and do it in a way that was undetected.”

The scope of the damage has not been made public yet, and likely will take time to determine. Banks use redundancy systems and backups to ensure that data that’s altered for any reason can be restored.

FBI spokesman Joshua Campbell wouldn’t confirm whether bank records had been accessed or altered, saying that the FBI and Secret Service are attempting “to determine the scope” of attacks against “several American financial institutions.”

“Combating cyberthreats and criminals remains a top priority for the United States Government, and we are constantly working with American companies to fight cyber attacks,” he said in a prepared statement.

JPMorgan did not respond to a request for comment on the possibility that the hackers altered or deleted bank records. Yesterday, JPMorgan spokeswoman Trish Wexler told CNET, “We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”

Read More

Texting 911 will work in some northwest suburbs

People in parts of the northwest suburbs can now use text messaging on their cellphones to seek help in an emergency.

The Northwest Central Dispatch System announced the Text-to-911 service in August. It has been testing the program since December, according to local officials and the Federal Communications Commission.

“If you can’t call, then this service is available so that when you are in an emergency situation, text is available to get you the help you need,” said Cindy Barbera-Brelle, executive director of Northwest Central Dispatch.

Those with cellphones serviced through AT&T, Sprint, T-Mobile or Verizon and who are within the boundaries of Arlington Heights, Buffalo Grove, Elk Grove Village, Hoffman Estates, Inverness, Mount Prospect, Palatine, Prospect Heights, Rolling Meadows, Schaumburg and Streamwood can send a text message to 911 and get a response from Northwest Central dispatchers.

Any text messages that do not meet the standards will get a text back indicating it did not go through to 911, officials said.

Dispatch system officials said the text message program offers an alternative for people with hearing or speaking disabilities as well as those who might feel compromised by making a call, such as in domestic or burglary situations.

It is not preferred over, nor is it expected to replace, the standard 911 call. Texting is not in “real time” and therefore, will cause more delays. “We do ask, ‘can you call?’” Barbera-Brelle said.

Since April, the texting program has received 11 messages, only two of which were fully dispatched through Northwest Central. A Schaumburg resident texted for help after hearing noises in the vacant apartment above her on July 18 and an Arlington Heights man reported a vagrant in a park on July 27, according to officials.

Three other messages were for incidents in other locations, including a request for an ambulance in Bensenville, a report of an intoxicated person in Hanover Park and a domestic situation in unincorporated Cook County. In each case, Northwest Central turned it over to the appropriate authorities, as is the protocol.

Read More

A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

The paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks,” will be presented at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven’t tested the program using the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by some many developers. Once a user downloads a bunch of apps to his or her smart phone they are all running on the same shared infrastructure, or operating system.

“The assumption has always been that these apps can’t interfere with each other easily,” Qian says. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel — the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature to efficiently allow processes share data.)

Read More

This nail polish could help prevent date rape

Four men have teamed up to empower women to prevent sexual assault by giving them a way to detect date-rape drugs. Women will be able to wave over help before a sexual assault occurs when wearing this life- saving nail polish.

Students from North Carolina State University’s Materials Science and Engineering department created “Undercover Colors” nail polish that changes colors when it comes in contact with the date-rape drugs Rohypnol, Xanax and GHB.

The men—Tyler Confrey-Maloney, Stephen Gray, Ankesh Mada and Tasso Von Windheim—have marketed the nail polish as “The First Fashion Company Empowering Women To Prevent Sexual Assault,” by giving an easy way to detect the drugs and get themselves out of dangerous situations. A woman simply sticks her finger in her drink and stirs.

“While date rape drugs are often used to facilitate sexual assault, very little science exists for their detection. Our goal is to invent technologies that empower women to protect themselves from this heinous and quietly pervasive crime,” the team writes on their Facebook. “If her nail polish changes color, she’ll know that something is wrong.”

The team was granted $11,250 from North Carolina State’s Entrepreneurship Initiative that aims to develop solutions to “real world challenges.” Undercover Colors was created because the men all personally know someone who was sexually assaulted. “We were thinking about big problems in our society, the topic of drug-facilitated sexual assault came up,” Madan says. “…We began to focus on preventive solutions, especially those that could be integrated into products that women already use. And so the idea of creating a nail polish that detects date rape drugs was born.”

Under the supervision of technical adviser, Dr. Nathaniel Finney from the NCSU Chemistry Department, the four men developed the prototype in lab space though the College of Veterinary Medicine, the only location in North Carolina where scientists can test these types of drugs.

The four men also received $100,000 from an investor who saw a demo of the nail polish during the K50 Startup Showcase. Still, Undercover Nails is still in the development stage, and is raising money through donations.

Read More

Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.

Although it was tested only on an Android phone, the team believes that the method could be used across all three operating systems because all three share a similar feature: all apps can access a mobile device’s shared memory.

“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an associate professor at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

To demonstrate the method of attack, first a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process, which doesn’t require any special privileges.

The researchers then monitor the changes in this shared memory and are able to correlate changes to various activities — such as logging into Gmail, H&R Block, or taking a picture of a cheque to deposit it online via Chase Bank — the three apps that were most vulnerable to the attack, with a success rate of 82 to 92 percent. Using a few other side channels, the team was able to accurately track what a user was doing in real-time.

In order to pull off a successful attack, two things need to happen: first, the attack needs to take place at the exact moment that the user is performing the action. Second, the attack needs to be conducted in such a way that the user is unaware of it. The team managed to pull this off by carefully timing the attacks.

“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. “It’s seamless because we have this timing.”

Of the seven apps tested, Amazon was the hardest to crack, with a 48 percent success rate. This is because the app allows one activity to transition to another activity, making it harder to guess what the user will do next.

Read More

Fake Security Screener Highlights a Concern

THE man wearing a blue shirt and khaki pants stood casually inside a security screening area at a San Francisco airport terminal. As security officers and passengers bustled, he pointed to a woman and took her into the private screening room. Later, he pointed to another woman, and she followed him in as well.

The man, despite also wearing the blue latex gloves used by screeners, was no professional officer, said John S. Pistole, the administrator of the Transportation Security Administration. He was just another passenger with an international ticket.

Mr. Pistole described the encounters for me based on the surveillance video from the international terminal at San Francisco International Airport. Around noon on July 15, the man acted “like a security officer,” Mr. Pistole said, directing two women into the private area for extra screening, for about a minute at a time.

Each woman left the room not exhibiting apparent signs of distress. But an actual screener thought that something was wrong. Only female officers are supposed to accompany women sent into the private room for extra screening, which can include a full-body pat-down. And blue shirt and gloves notwithstanding, the man had no badge or emblem on his shirt, clearly not a screening officer.

The man, whom the San Mateo County Sheriff’s Office identified as Eric Slighton, 53, was arrested, charged with public intoxication, taken to jail and released on bail. He had been scheduled for an arraignment this week, but on Friday, the district attorney’s office said it would not prosecute. “We could not prove the elements of the offense beyond a reasonable doubt,” said Albert A. Serrato, an assistant district attorney.

The police tried to identify which flights any possible victims might have taken or where they might have flown, the sheriff’s office said. But the women have not been found.

Attempts to reach Mr. Slighton, who had a ticket that day to fly to Hong Kong, were not successful. A resident of San Francisco and Hong Kong, Mr. Slighton is a director at Aktis Capital Singapore, a private equity firm. A statement acknowledging the incident by the related Aktis Hanxi Group said, “Mr. Slighton has been granted a leave of absence.” Calls and emails to the group’s offices were not returned.

Read More

Cell Phone Trace

Sometimes all that I’ve located on a skip is a cell phone number. While collection laws prohibit calling cell phones to attempt to speak to a debtor, of course, there are many other ways to get information from a cell phone number. Our society has evolved into a digital world that is constantly on the move. Having a land line phone is not only a waste of money, in these times, it’s more of an inconvenience.

Talk, text and web offered in unlimited prepaid deals with really nicely designed cell phones have dazzled even the least tech-savvy individual. Because of this cell phones are it. I devote a lot of time to seek out new ways to spin on old tricks that get me location information. I ask questions and always get lots of factual information mixed in with heavy opinion.

In my step by step process I use databases, some free and some paid to get as much data collected as I can before I give up and get a professional cell phone investigation done. The companies that do cell phone investigations never reveal the source of how the information is obtained. By pretexting and a subpoena perhaps? Or they just “know” someone that can provide information. I often wonder if my databases can’t find it exactly how would the other investigators get that account owners name and billing address. If I’ve discovered a land line I need the service address too. I can only speculate because I know what I do and what I do works most of the time.

Does the skip have a direct connection with that cell phone company? So many times I’ve run down a cell phone number to find the account in another person’s name. This just gives me another person to look for that’s connected to my skip. By using the White Pages smart phone app (monthly subscription) I get every person’s name and sometimes an address that’s been connected to that phone number. This is a search that is nearly nonexistent on the internet anywhere else outside of professional skip trace databases.

Is the process to discover the cell information legal? If you’re using a database that you’ve been credentialed for a subscription then yes, you’re good to use it to bust cell phone number. Your permissible purpose has been verified. You know your boundaries for the work that you’re doing. Professionals keep it professional. We all know hacking to get detailed call lists is not only a crime, but sometimes a complete wast of time. If you’re involved in a lawsuit you can subpoena these records and if you’re on the front end of a contract you can request the detailed call history as a part of the required documents.

Where am I finding cell phone numbers? On credit reports, MasterFiles and SkipSmasher. These sources have amazing and fresh information. This is the kind of thing that makes you joyfully yell glorious things at your computer screen. If you don’t have these two data providers get the ball on the roll. You’ll be so happy that you did. Each database has some very unique features and it pays to have more than one.

Read More

The immigration reform measure the US Senate began debating on 9 May would create a national biometric database of virtually every adult in the US, in what privacy groups fear could be the first step to a ubiquitous national identification system.

Buried in the more than 800 pages of the bipartisan legislation (.pdf) is language mandating the creation of the innocuously-named “photo tool,” a massive federal database administered by the Department of Homeland Security and containing names, ages, Social Security numbers and photographs of everyone in the country with a driver’s license or other state-issued photo ID.

Employers would be obliged to look up every new hire in the database to verify that they match their photo.

This piece of the Border Security, Economic Opportunity, and Immigration Modernisation Act is aimed at curbing employment of undocumented immigrants. But privacy advocates fear the inevitable mission creep, ending with the proof of self being required at polling places, to rent a house, buy a gun, open a bank account, acquire credit, board a plane or even attend a sporting event or log on the internet. Think of it as a government version of Foursquare, with Big Brother cataloguing every check-in.

“It starts to change the relationship between the citizen and state, you do have to get permission to do things,” said Chris Calabrese, a congressional lobbyist with the American Civil Liberties Union. “More fundamentally, it could be the start of keeping a record of all things.”

For now, the legislation allows the database to be used solely for employment purposes. But historically such limitations don’t last. The Social Security card, for example, was created to track your government retirement benefits. Now you need it to purchase health insurance.

“The Social Security number itself, it’s pretty ubiquitous in your life,” Calabrese said.

Read More

How Your Name Could Get You Scammed

Your personally identifiable information (PII) is all around you, and much of it is impossible to protect. While your driver’s license and Social Security numbers are a significant part of the equation, you can take certain protective measures to keep those from prying eyes. Unfortunately, that’s not the case when it comes to more visible forms of PII—like your birthday, email address, home address and even your name. There are criminals out there who see you as their day job, and they know how to use the most gettable pieces of your PII, like your name, to commit crimes.

The fact is, most everyone will experience some form of identity-related compromise during their lifetime. Yes, you most likely will become a victim. The crimes are often hard to detect, but they happen all the time, and there is absolutely no service out there that can give you complete protection from identity-related crimes.

Here are a few ways you can get scammed that only require the clever application of a name, the most basic piece of your PII.

The Grandparent Scam

The first complaints of this scam were logged by the Internet Crime Complaint in 2008, but as the FBI reports, fraudsters working the senior circuit are becoming more sophisticated, using PII gleaned from social media sites to hone their performance.

Typically, a call comes from overseas either late at night or early in the morning, when people aren’t thinking as clearly as they might. The caller poses as a grandchild in trouble. There is a request for money, and a plea for secrecy: “Please don’t tell mom and dad! They’ll kill me.” Sometimes an attorney or “an arresting officer” makes the call. Money is wired, and fairly soon after that, the victim comes to realize that he or she has been had.

Variations on the scam include military personnel on leave and friends calling friends. With an increasing number of people oversharing their information on social media, it’s not difficult to figure out who will help whom, and when they’re away.

What to do: Tighten your privacy on social media; don’t share details about vacations, and when anyone asks for money over the phone—even a “family member”— stop, think and don’t allow your emotions to drag your good sense and wallet to Western Union.

The Package Scam

Many crimes considered “identity-related” were being perpetrated long before identity theft became part of the national psyche. Stealing mail is one example.

Personally identifiable information has given thievery of mail a real “boost.” The latest ploy in urban areas involves the collection of names. Using a notepad, a local thief slipped into a group of condominiums in my neighborhood and started to document who lived where by looking at the junk mail left in the lobby. He used that to gain entry after the courier services made their daily drops. “This is Gary from 2C. Locked myself out. Can you please buzz me in?” In minutes, every package was in his custody and he was gone.

What to do: Don’t leave junk mail in your lobby, and urge the building to have a policy that doesn’t allow packages to be left unattended.

Read More

AURORA, Colo. — A security camera catches a couple stealing a an iPod from a 5-year-old girl right off of a table at a popular frozen yogurt shop in Aurora according to police.

Watch the video above and you’ll be able to see the pair pick a table at the Menchies at Gardens on Havana where minutes earlier kids were having a birthday party.

Once the couple sits down, one of them picks up the iPod and they look at it. The woman pulls a chair over to the table and the man drops the iPod in her purse.

Then the two take off.

“Originally the family thought the little girl had just lost it,” says Sgt. Chris Amsler of the Aurora Police Department. “As soon these two suspects left the store you can see the little girl running all around the store trying to find the iPod.”

The family asked to see the security video and that’s how they figured out it was stolen.

Crimestoppers is offering a reward worth up to $2,000 for information that leads to an arrest in the case. 303-913-STOP (7867).

View Source