
Sunday, March 18, 2012

Did you miss Playstation Network?

Originally posted 05/16/2011 on lubbockonline.com

I've been remiss in not reporting the Sony Playstation Network breach and outage. The network started going back up this weekend. Ok, yesterday.

You might wonder why I would seemingly ignore one of the largest data breaches ever. Part of it was waiting to see what came out. Part of it was that if you were active on the PSN you were probably already more aware of the situation and following it more closely than I had time to. But now there's more information, and I might actually be able to tell you a few things you don't know about a breach like this. Sadly, it won't be good news.

Joshua Grech of the Daily Telegraph reports that the PSN started coming back up sometime Sunday, although it may take a few days for everything to be available again. He also reports that Sony is going to offer a "Welcome Back" package of software and content to encourage people to stay with Sony and Playstation (or come back if they've bought an Xbox during the outage). As part of the increased security in the system users will have to change passwords when they log back in, and will have to prove they are the account holder to do it. When announcing the return to service Sony Group CEO Kazuo Hirai had one of the best non-apologies I've seen:

"I wish I could tell you that technology is available to completely protect any company against cyber attack. But unfortunately the threat of cyber crime and data theft will continue to plague networks, companies, government agencies and consumers around the world for some time to come."

Translation: "Sorry, people. It's not our fault. We can't prevent it and neither can anybody else, now and forever."

It's true that there is no perfect protection against bad guys, online or in the real world. The disturbing thing is how hard it is to track a truly skilled attacker online. Bianca Bosker at the Huffington Post looks at just how hard it can be. A truly skilled attacker will use botnets, spoofed IP addresses and spoofed MAC addresses as well as multiple hops through computers - some under the control of the attacker, some not, but all used to obscure the origin of the attack.

When a breach is discovered there are steps taken to find out what happened. What those steps are varies from company to company, but one of the first is to check the system logs:

Once a company discovers its network has been breached, investigators will usually first comb the server’s log files, which record all traffic to and from the server including attempts to access the network or extract information from it. Reviewing these records -- the digital equivalent of watching security camera footage -- offers a look at any suspicious communication with a company’s network and where it may have originated.

Unfortunately, though logs are one of the best tools for seeing what happened on the server, skillful attackers can easily negate them by editing all evidence of their activities out. By doing that they could keep an attack from being noticed for weeks, months, or even years. Unlike theft in the real world, theft online leaves the original on the server. Removing the logs entirely would tip off the systems administrators that something happened. Editing the logs removes the evidence that something unusual has happened while leaving all records of normal activity in place.
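Because an edited log keeps every normal entry, the defender's counter is to make entries depend on each other. Below is an added example (my code, not anything Sony or the quoted article describes) of a keyed hash chain over constructed log lines: deleting or altering one entry breaks verification of everything after it, assuming the key and the most recent tag are kept somewhere the attacker cannot reach.

```python
import hashlib
import hmac

# Constructed sample log lines (not from the PSN incident). The third line
# stands in for the kind of entry an intruder would want to edit out.
SAMPLE_LOG = [
    "2011-04-17T02:10:05Z sshd: accepted password for webadmin from 10.0.0.12",
    "2011-04-17T02:11:40Z httpd: GET /index.html 200",
    "2011-04-17T02:12:01Z sshd: accepted password for webadmin from 203.0.113.9",
    "2011-04-17T02:13:22Z httpd: GET /index.html 200",
]

# Hypothetical secret. In practice the verifier holds it off the logging host,
# so an intruder with root on the server cannot simply re-chain the edited file.
KEY = b"hypothetical-shared-secret-held-off-host"
SEED = b"\x00" * 32


def chain_log(lines, key=KEY):
    """Return (line, tag) pairs. Each tag is an HMAC over the previous tag
    plus the current line, so every entry is bound to the one before it."""
    prev = SEED
    entries = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def last_tag(entries):
    """The value to record off-host after each batch; it anchors the chain's end."""
    return entries[-1][1] if entries else SEED.hex()


def verify_chain(entries, key=KEY, expected_last=None):
    """Recompute the chain over a log copy.

    Returns the index of the first entry that does not verify, len(entries)
    if the chain is intact but shorter than the anchor recorded off-host,
    or None if everything checks out.
    """
    prev = SEED
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i  # this entry was altered, or an earlier one was removed
        prev = expected
    if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
        return len(entries)  # trailing entries were truncated
    return None


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LOG)
    anchor = last_tag(entries)
    edited = entries[:2] + entries[3:]  # intruder removes their own login
    print("intact:", verify_chain(entries, expected_last=anchor))
    print("edited:", verify_chain(edited, expected_last=anchor))
```

Removing a line in the middle fails at the entry that followed it; removing only the tail is caught by the off-host anchor, which is why the chain alone is not enough.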

Sony has gotten a lot of bad publicity for having the PSN down for so long, and is being sued for the breach. We don't know what kind of security they had in place. I would be tempted to say that it obviously wasn't adequate, but the truth is, no one has adequate security. Sony's real failure was in the handling of the breach. Instead of being open and informative they were secretive and withheld important information in the hope of controlling the damage. They did the same thing when they loaded rootkits on CDs, and I imagine they'll do the same thing the next time they have an event like this. Because breaches like this will happen, it makes no sense to hide when they happen. The thing to do is have policies and procedures in place that cover breaches and provide for the rapid dissemination of information to the people affected, law enforcement and the media. That doesn't mean telling everything, but each of those groups should receive the appropriate information.

Every company should have every possible protection in place, but must admit that they are not immune to breaches and prepare for that eventuality. It's the only responsible thing for them to do.

Saturday, July 30, 2011

Cord Blood Registry suffers breach

Originally published 3/17/11 on lubbockonline.com/glasshouses


Last month Scamsafe.com reported that Cord Blood Registry (CBR), a company that stores umbilical cord blood for future use, suffered a data breach in December of 2010:

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother load" of personal identifying information for identity thieves.

This is a pretty serious breach, and a good (sic) example of how not to handle any type of data, but especially sensitive customer data. The thief broke into the car through the window. Never leave your computer in the passenger compartment where it can be seen, even if you've encrypted the data (which CBR didn't do). To some thieves it's even more tempting than a purse.

Because unencrypted customer data was kept on the seat of a car, 300,000 people are at risk of identity theft. If this were the first time this had happened it might be understandable. But there have been several widely publicized breaches involving stolen or lost laptops, including a breach more than 100 times the size of this one at the Department of Veterans Affairs. There is no excuse for a business allowing unencrypted data anywhere, but especially not on laptops or portable media.

Friday, December 17, 2010

The most popular password on Gawker? 123456

I commented a couple of days ago that '12345' was probably about as popular a password as 'password' on Gawker. After analyzing roughly 1/3 of the passwords stolen from Gawker, researchers have learned that the most popular password is '123456.' Second is 'password.' I remember laughing at King Roland in Spaceballs because the combination to the air shield was '12345,' and laughing more when President Skroob announced it was the same as the combination to his luggage.


Strong passwords aren't as important as they used to be. Sites limit the number of password attempts before locking you out, so it's not as easy for someone to brute force an account. And if a site doesn't lock you out after so many failed attempts, a "strong" password may not matter. Using rainbow tables, a strong 12-character password will hold out for less than 3 minutes.


But '123456' is still a poor choice for a password.
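Rainbow and lookup tables only pay off against hashes stored without a per-user salt, which is the site's responsibility; the user's responsibility is still not to pick '123456'. This added example (my code, not anything from the Gawker analysis) shows both halves with a constructed five-entry "table": an unsalted SHA-1 hash is found by a dictionary lookup, a salted PBKDF2 hash is not, and yet a salted '123456' still falls to a short guess list, just one account at a time.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the top of a leaked-password list; the page says
# '123456' and 'password' led the Gawker list. A real table holds millions.
COMMON_PASSWORDS = ["123456", "password", "12345", "qwerty", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor; raises the cost of every guess


def unsalted_sha1_hex(password):
    """How a site should NOT store a password: one fixed hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute unsalted digests once; the table then works against every
    account on every site that stores passwords this way."""
    return {unsalted_sha1_hex(p): p for p in candidates}


def crack_unsalted(stored_hex, table):
    """Instant lookup: the stored hash itself is the dictionary key."""
    return table.get(stored_hex)


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Random per-user salt plus iterated PBKDF2-HMAC-SHA256.
    Two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=ITERATIONS):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def guess_salted(stored, candidates, iterations=ITERATIONS):
    """With a salt there is no shortcut: each candidate must be re-hashed with
    this account's salt, so a weak password is still found, but nothing
    precomputed carries over to the next account."""
    for p in candidates:
        if verify_salted(p, stored, iterations):
            return p
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted_sha1_hex("123456"), table))
    stored = hash_salted("123456")
    print("salted lookup:", crack_unsalted(stored.split("$")[1], table))
    print("salted guess:", guess_salted(stored, COMMON_PASSWORDS))
```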

Tuesday, December 14, 2010

Gawker breach compromised government sites

It's no secret now that Gawker had a major data breach. 1.3 million user names have been made available in a torrent file. These days that would almost be no big deal. For everyone but the 1.3 million, anyway. Even the more interesting statistics aren't surprising. Almost 2000 people used "password" for their password. I'm sure there are similar numbers using '12345'.

But those aren't the usernames and passwords that cause concern. The Rundown News Blog on PBS.org reports what appears to be a sublist of accounts belonging to federal, state and local governments. Apparently they were parsed out for future attack. Gawker has been telling people to change their Gawker password, but many, if not most, people use the same username and password for multiple sites. So there is a good (or bad) chance that we will see a government breach resulting from this - unless all of the government employees whose Gawker accounts are compromised change their passwords on all of their accounts.

Even if they don't use the same password on all sites, it would be a good idea to change all of their passwords. Unless they use a password generator, many people tend to use similar passwords: old girlfriends' names, old pets, a word with a number or symbol added and rotated, action heroes, comic book characters, etc.

We see talk of how interconnected we are and how exposed we are online. Incidents like this serve to drive that lesson home. Because of a data breach on a private web site, an unknown amount of government data of unknown sensitivity is at risk, not to mention the citizens' accounts that risk compromise. The damage is done in this breach, but what can we do to prevent the next one? And the next one?

Wednesday, August 25, 2010

iTunes breach: Much ado about nothing.

It's a big story. It was reported on TechCrunch that there's a flaw in iTunes that allows bad guys to go in and empty your bank account if you have PayPal selected as the payment method. One poor customer racked up $4700 worth of charges in a matter of hours. Other customers were reporting hundreds and thousands of dollars stolen. The story grew from there.

There was just one problem. It was wrong. The real culprit wasn't a flaw in iTunes or PayPal; it was a successful phishing attack that harvested people's usernames and passwords, allowing the hackers to access accounts and rack up charges as if they were the legitimate owners.

An overzealous reporter or editor at TechCrunch failed to adequately check the story, used Twitter to verify that there was a problem, and ran with it. There was a real newsworthy story here, but it wasn't a flaw in iTunes; it was gullible users handing over their passwords.

Don't trust requests for identifying information in email. Don't trust anything in such an email, and whatever you do, don't give out your information just because the email looks pretty. You'll keep your account and your sanity intact.

 

Monday, May 17, 2010

Google accidentally spies on open WiFi

Ben Rooney of cnnmoney.com reports that Google has admitted that its Street View cars have been collecting data from open WiFi hotspots. Google first admitted to collecting the publicly broadcast information of open hotspots, things like the network names and router numbers, on April 27th. But after being asked for more information, Google says that they discovered more data was being collected - private data in the packets being transmitted across the network. Supposedly the code that gathered data packets was accidentally included in software used to gather public information on WiFi.

The software changes channels five times a second, so only bits and pieces of data would be gathered. Encrypted data, like the communications between you and your bank account, cannot be read, so it won't have been compromised by Google's illicit scans.

Google is, of course, saying that it was an accident. In response they have stopped all scanning of open WiFi by their Street View cars until they can repair and replace the faulty software. They have arranged for a third party to review the software and the data collected from public WiFi networks.

This is a major blunder by Google. Whether it was a case of pushing the envelope to see what the reaction would be or an honest mistake, it's going to hurt Google's reputation. This one I tend to believe was an accident. In many nations it is illegal to tamper with electronic communications. Google may want to gather and use information, but breaking the law to do it isn't good business.

Thursday, April 29, 2010

A blip from Blippy

A few months ago a new social networking service started up, one with a model I thought would never take off. Blippy posts your credit card purchases online in short, Twitter-like 'blips'. The information posted includes what was purchased, where, and for how much. It's not supposed to include your credit card number. But according to Gigaom.com's Liz Gannes, for 196 transactions last week that's exactly what happened. According to Philip Kaplan, cofounder of Blippy, the transactions were from early in the service's beta period, but were still being cached by Google. The problem has since been fixed - the search that had revealed credit card numbers doesn't now.

But this just brings us to the burning question in my mind. Why would you want this information to be published online, even without the credit card number? I do see a bright spot, however. Whenever I tried to use Blippy NONE of my accounts showed up to be shared. I guess they know how I really feel about their service.

Update: Blippy has since apologized, contacted affected users and promised to help them with any issues that might come up from the exposed data. They have also committed to hiring a Chief Security Officer (they didn't have one?!!!).

Tuesday, April 27, 2010

Who owns your Facebook?

ZDNET's Ryan Naraine and Dancho Danchev reported on a black-market sale of 1.5 million Facebook accounts. The accounts vary from active accounts with loads of friends to semi-autogenerated accounts that don't have any friends yet. The price depends on how many friends the account has.

The article is a FAQ on a report by Verisign's iDefense team, and covers a lot of ground, far more than I can cover here. But one of the things I find very intriguing is the section on "Cybercrime as a Service" (CAAS), something that I'd never thought about, but that is a logical progression when you think about the development of legal business on the web.

Of course, the real question that's probably on your mind right now is either "How concerned about this should I be," or "What can they do with my Facebook account?" Those might be closely followed by, "Why would anyone, especially a criminal, want my Facebook account?"

To answer the last question first, an established Facebook account is instant trust, allowing a criminal to get things from people with far less risk and effort than sending spam or actually burglarizing a house or robbing a bank. It just makes sense that if you can approach a person as someone they know and trust, they're more likely to agree to risky behaviors you might suggest. They also are more likely to open malware you send them and open links, making Facebook accounts perfect mules for infecting their friends.

So how worried should you be about this? Well, you're probably not one of the 1.5 million accounts being sold, but I'd change my password anyway, from a computer that is known to be free of malware, just because you can't be sure. There are reported to be more than 400,000,000 users on Facebook. That means that this list of accounts for sale has less than 1/2 of 1% of all Facebook users on it. I've seen people say they are leaving Facebook because of this breach, but I wouldn't leave Facebook because of this problem alone. Of course, there are plenty of other problems that make Facebook a risky proposition.

Monday, April 19, 2010

Bad security a financial industry issue, not just banks

Alan of Sun Country's Weblog reports that FINRA (the Financial Industry Regulatory Authority) recently fined the brokerage firm Davidson & Co. $375,000 for failing to use adequate security measures to protect customers' information.

The breach occurred in 2007, but Davidson & Co. didn't find out until 2008. To make it worse, they didn't find it themselves: one of the hackers tried to extort money in return for not releasing the stolen data to the public.

According to FINRA, Davidson made such basic security blunders as not encrypting customer data, keeping the customer data on a web server with the default admin password, and keeping the insecure web server online 24 hours a day. The company also failed to follow a 2006 auditor's recommendations that it implement an intrusion detection system and review server logs so that it could have detected the breach sooner.

According to a Davidson spokeswoman the FINRA statement ignored some pertinent information, such as a third party auditor being unable to break into their systems shortly before the breach, and the attack using what were, at the time, very cutting edge techniques.

What the FINRA report does tell us is that the attack was a SQL injection attack. In 2007 SQL injection was going on 10 years old, hardly cutting edge. Changing the default admin password is basic security. So is encrypting your customer data and not placing the database on a server directly connected to the web. Different companies use different terminology for the same tasks, so I suspect Davidson was looking for a pentester and hired something else, but I can't be sure. Any pentester should have hacked a server using the default admin password in no time. But an auditor might not even try.
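The attack FINRA names is worth seeing side by side with its fix. This is an added example (mine, not anything from the FINRA report or Davidson's systems) using sqlite3 and a constructed customer table: the first lookup splices the caller's text into the SQL, so a quote in the input rewrites the query; the second passes it as a bound parameter, so it can only ever be compared as a value.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows standing in for customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],  # constructed values
    )
    return conn


def lookup_vulnerable(conn, name):
    """String formatting: whatever the caller typed becomes part of the SQL
    text, so a stray quote ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name, ssn FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the database receives the query shape and the value
    separately, so the value is never parsed as SQL regardless of content."""
    sql = "SELECT name, ssn FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # textbook test input, constructed for the demo
    print("vulnerable:   ", lookup_vulnerable(conn, probe))   # every row
    print("parameterized:", lookup_parameterized(conn, probe))  # no rows
```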

These types of problems are coming to light often enough to show that a large segment of the financial sector has major security problems. I would like to see the industry police itself, but the stakes are too high, and the industry moves too slowly. It's time for regulatory involvement.

Thursday, April 8, 2010

Court says "NO" to "potential damage" from data breach

When I first saw alerts on this story I thought it was another case of a bad court decision in favor of a corporation. Then I read Mark Mcreary's blog post, Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action. I also read the amended decision by Judge Legrome D. Davis, and after all that reading, I can see two things:

1. Had this lottery ticket paid off, it would have paid off big.
2. Even so, no lawyer should have been willing to plead this case.

Aetna had a security breach on their employment website. The email addresses of over 400,000 applicants and 65,000 employees were stolen. Other information may have been stolen, but no one knows for sure (except the thief). Aetna sent notification of the breach to everyone who might have been affected by the breach. Some of those people received a bogus email claiming to be from Aetna asking for more information. One of the people who received the notice from Aetna, but not the phishing email, decided to sue Aetna for potential damages from potential identity theft.

Yes, that's right. Cornelius Allison sued Aetna for damages because he might, someday, have his identity stolen. Since he did not receive the phishing email, he didn't even know if his email address or any other data had been part of the breach.

He was suing for money the maybe perps would possibly take if they ever stole his identity. I wonder if either he or his lawyer was really surprised when the case was thrown out?

Wednesday, March 24, 2010

Hotels highly hackable

The ID Security Solutions blog reports that Data Breaches are Heaviest at Hotels. According to the post, both Trustwave's SpiderLabs and Verizon Business found that in 2009 hotels had more data breaches than any other industry. That's not very encouraging when you realize that there's not a lot we can do as consumers to protect our data once we've turned it over to the hotel.

To make it worse, the weakest link appears to be the point of sale software. The software is often administered by third parties who log in to systems remotely. If they don't change default passwords, use weak passwords, or leave passwords blank, then it's easy pickings for data thieves. But I'm not sure I believe that most of the breaches are caused by poor password practices. The Heartland breach that occurred from late 2008 to early 2009 took place after they had passed security audits. Whether the audits were for Sarbanes-Oxley or PCI-DSS compliance, having blank or default passwords would not have passed.

As we move to a more and more plastic-based economy, our financial data becomes more dependent on the security of the businesses we deal with. That is something we have little control over. I'm not sure what the best answer is, but we need to find one.

Tuesday, March 23, 2010

OS X: Safer but less secure than Windows

Darren Murph at Engadget reports that Charlie Miller is going to expose 20 zero day exploits for OS X at the upcoming CanSecWest. Mr. Miller has been exposing holes in OS X for years, and has twice won the Pwn2Own hacker contest by taking control of Apple computers. A third time he took control of an iPhone.

A zero day exploit is a piece of malware that takes advantage of a vulnerability that is not generally known, so there are no patches, updates, or workarounds to keep it from being used. Unless the person who discovers the vulnerability informs the creators of the software being exploited, the vulnerability probably won't be patched until after someone writes some type of malware that takes advantage of it.

If you, like me, are a big fan of Apple Macs, you know that Apple likes to tout the security of OS X and the Mac. If you are an honest Mac user you realize that OS X has vulnerabilities. Some have even been exploited, if not very successfully.

Charlie Miller is very good at what he does - find security holes so they can be patched before the bad guys can take advantage of them. His years of work in computer security have given him a good perspective on the state of Mac security vs Windows security, and that insight produced one of my favorite quotes on the subject:

"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."


In other words, Macs are safer because there aren't that many people trying to break into them. Windows computers are more secure because the security holes are constantly being patched. As much as I wish it weren't so, the analogy works. Hopefully Apple is working to change that.


Wednesday, March 17, 2010

PlainsCapital vs Hillary: Symptom of a larger problem

Tom Field of the Field Report blog wrote an entry titled "Trust on Trial" after returning from the RSA security conference. According to him there were three words on everyone's mind: cloud, computing, and trust.

Trust was the surprise word. It seems a lot of business people are questioning the safety of using a bank at all, let alone banking online. Two cases are specifically mentioned in his post:

Experi-Metal, Inc. vs Comerica Bank and PlainsCapital vs Hillary Machinery.

These two aren't picked because of their unusual nature (although PlainsCapital vs Hillary is unusual), but because they are the latest in an ongoing trend: a business customer's account is pilfered, and the bank claims no responsibility. Normally the customer sues the bank, but in the case of PlainsCapital, the bank preemptively sued the customer, asking a court to declare its security practices "reasonable".

What is reasonable security for a bank? Nobody really knows, since no clearcut definition has ever been coined. That doesn't mean there aren't standards and minimum requirements, it just means that there isn't an official definition of "reasonable."

If you think about it, there is actually a very good reason why that particular term isn't defined. And many security experts fervently hope it remains that way. Internet security changes quickly. What is reasonable today may be totally hopeless tomorrow. Defining reasonable security will give banks a hardcoded standard to comply with - a standard that will quickly become unreasonable. What needs to be done is not define "reasonable security," but to require financial institutions to keep abreast of the latest security risks and adapt their protections accordingly. Hopefully the judge in PlainsCapital vs Hillary will recognize the danger of giving banks a definition to hide behind and will refuse to define exactly what reasonable means when it comes to banking security.

So outside of lawsuits, what can be done to solve this problem of banks being robbed and refusing to accept any culpability? First of all, business accounts should be given the same protections that personal accounts enjoy. Second, the regional and smaller banks that seem to be the main offenders in the lack of adequate security category should honestly examine their security measures in light of what is currently out there in the way of bad guys and take steps to protect against them. Banks that are involved in lawsuits need to review their security and see if they should just settle to save time.

The business customers aren't totally innocent either, although the cases I've seen appear to implicate the banks more. If a customer who does 1 or 2 electronic transfers a month suddenly has 10 a day it should ring alarm bells and stop the transfers. This failure to stop unusual transfers is a common complaint by business customers who have had money stolen by electronic transfers. The business may have to accept some blame, however. Are their virus definitions up to date? Has someone been going to questionable websites? Are their security policies clear and well thought out?
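The "1 or 2 transfers a month, suddenly 10 a day" rule above is easy to state and easy to implement. This added example (my code, not anything PlainsCapital or Hillary Machinery runs) applies a velocity check to a constructed transfer history for one business account: each day's transfer count is compared against that account's own average over the preceding 60 days, and a day that is both above an absolute floor and several times the baseline is flagged for a hold and a call to the customer.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed history for one business account: one or two transfers a
# month, then a burst of ten on a single day.
TRANSFERS = [
    (date(2010, 1, 5), 4200.00),
    (date(2010, 1, 19), 1350.00),
    (date(2010, 2, 3), 4200.00),
    (date(2010, 2, 22), 980.00),
] + [(date(2010, 3, 16), 9500.00 + i) for i in range(10)]


def daily_counts(transfers):
    """Number of transfers initiated on each day."""
    return Counter(day for day, _amount in transfers)


def flag_velocity(transfers, baseline_days=60, min_flag=3, multiplier=5.0):
    """Return (day, count, baseline_per_day) for every day whose transfer
    count is at least `min_flag` and more than `multiplier` times the
    account's own average daily count over the preceding `baseline_days`.

    The absolute floor stops a brand-new account (baseline zero) from being
    flagged on its first ordinary transfer; the multiplier keeps the rule
    relative to what is normal for this particular customer.
    """
    counts = daily_counts(transfers)
    flagged = []
    for day in sorted(counts):
        window_start = day - timedelta(days=baseline_days)
        prior_total = sum(c for d, c in counts.items() if window_start <= d < day)
        baseline = prior_total / baseline_days  # average per calendar day
        if counts[day] >= min_flag and counts[day] > multiplier * baseline:
            flagged.append((day, counts[day], round(baseline, 3)))
    return flagged


def transfers_to_hold(transfers, **kwargs):
    """The individual transfers on flagged days, i.e. what should be held
    pending out-of-band confirmation rather than released."""
    flagged_days = {day for day, _count, _baseline in flag_velocity(transfers, **kwargs)}
    return [(day, amount) for day, amount in transfers if day in flagged_days]


if __name__ == "__main__":
    for day, count, baseline in flag_velocity(TRANSFERS):
        print(f"{day}: {count} transfers vs baseline {baseline:.3f}/day -> hold")
    print(len(transfers_to_hold(TRANSFERS)), "transfers held")
```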

If things keep going the way they are now, before long no business will trust their banks. That will make for some serious headaches, since it's almost impossible to do business without a bank account these days.

Tuesday, March 9, 2010

Maryland students teach teachers

The Washington Post reports that a group of students at Potomac High School stole teachers' passwords and were changing their grades for several months before they were caught.

They used keylogging software to capture the passwords, then logged on to the teachers' computers and changed grades. Because of the computer system and the way it was accessed there is no way to discover who changed the grades. Instead of punishing all the students whose grades were changed (some may have been red herrings), the school is just changing them back to the original grades.

The tools the students used to log passwords are easily and cheaply available online. To prevent this kind of problem students need to be locked out of adding software and of mounting or running .exe files from USB drives - in fact, flash drives, or any USB drive, shouldn't mount from teacher or student accounts. If schools don't take these kinds of steps we eventually won't be able to trust our schools to truly teach our kids the things they need to grow up, or to trust anything they tell us about how well the students are doing in their learning.

Friday, February 26, 2010

FTC: Beware P2P Breach

The Federal Trade Commission is warning 100 companies and organizations that their data has been compromised by P2P software. According to the FTC press release, data on both employees and customers is involved.

The release also indicates that the breach is not because of any new exploit, but because of poorly configured P2P clients. Some P2P clients, like Limewire, set a specific share folder and only make files in that folder available to the network by default. Others share the entire hard drive by default. If you are using a client that shares the entire drive by default and don't set it to only show one specific folder, anything on your HD can be seen and downloaded by anyone else on the network.

This is nothing new, but it is obviously something that is still relevant. FTC Chairman Jon Leibowitz said, "Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk. For example, we found health-related information, financial records, and drivers' license and social security numbers--the kind of information that could lead to identity theft."

I remember being amazed at what I could find with Gnutella way back when. Sadly, it's not surprising that more than a decade since I first noticed really neat stuff that obviously shouldn't be on a P2P network, the neat stuff that shouldn't be there still is. P2P is really neat, and really useful (not just for sharing music). But if you are a business and you use P2P, or one of your employees decides he needs to use P2P on his work computer and it shares the wrong folder or the whole drive, you could find yourself in violation of laws such as the Gramm-Leach-Bliley Act or HIPAA. As an individual, you know that Quicken or Microsoft Money file that has all of your banking info and can connect to your bank account? Your neighbor's 14-year-old now has access to all your money. And all he wanted was music.

The FTC isn't just talking about the users of P2P software. They say that it's just as important that companies who "distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing." The easy way to do that is to have the P2P software's default setting be "share this folder." And that's what you need to do if you are developing P2P software.

Thursday, February 25, 2010

More fallout from PlainsCapital vs Hillary Machinery

Last week Hillary Machinery filed its counter to PlainsCapital's lawsuit. The PlainsCapital suit seeks nothing from Hillary (other than legal fees and court costs), but wants a judge to rule that PlainsCapital's security measures were commercially reasonable at the time of the bogus transfers. Hillary is seeking the return of the unrecovered monies and legal costs.

Most of the security community, or at least the portion making their opinion known, seem to believe Hillary is in the right. But not everyone is ready to pick a side just yet. Benjamin Wright, an expert in data security and cyber investigations law, has pointed out in his blog that we only have Hillary's side of things, so until PlainsCapital has its say, any conclusions we come to are speculation.

But as things have developed, PlainsCapital's say may be too little, too late. Hillary has not stood still and has not played the quiet game. They have told their story loudly to anyone willing to listen, and it is a compelling story. Even if PlainsCapital had security measures in place that Hillary hasn't mentioned, the bank's reputation has been tarnished, and this incident will probably pop up when least expected for years to come. And regardless of who wins, both litigants will probably find the way they handle financial transfers changed forever when this is over, because the real fallout from this whole event is not going to hit just PlainsCapital or Hillary Machinery. It could change the way banks do business, and that will affect anyone who deals with banks.

DarkReading.com reports that at next week's RSA Security conference Authentify, Inc. (who are consulting with Hillary) will be asking security professionals to sign a petition to Congress in an effort to force banks to establish better security for business customers. I don't think anyone wants more government regulation, but the fact is that what happened to Hillary Machinery and PlainsCapital isn't unique, or even unusual, even if the lawsuit is. Apparently small and medium-size banks haven't done anything to correct the situation. With the attention of Washington being called to it, the government probably will.

Monday, February 15, 2010

The lighter side of data breaches

Apparently a Swiss bank has been the victim of a data breach. Erik Kirschbaum reports for Reuters that German tax dodgers are running scared after the breach. The report says that which bank it was is unknown, but the German government is seeing a huge increase in the number of tax dodgers turning themselves in. There is a good reason it's happening. German tax law says that a tax dodger can avoid prosecution if he turns himself in before the government starts to investigate him.

It seems there are a lot of German tax evaders with money in Swiss banks. But they might never have noticed the breach if the German government hadn't been willing to pay 2.5 million euros for the data. Which gives us great quotes like this:



"There's been a delightful rise in tax compliance," said Daniel Abbou, spokesman for the finance department in the city of Berlin after 74 people volunteered this week to pay back taxes on previously undeclared income.


Great stuff.

Friday, February 5, 2010

Should LEDA sue PlainsCapital?

It's amazing how much bad publicity one little lawsuit can generate. And PlainsCapital, formerly of Lubbock, has managed to put its foot in it good. If I were an investor I would be seriously questioning the leadership of the company right now. And if I were part of the Lubbock Economic Development Alliance I would be looking at damage control for Lubbock's reputation.

From the Denver Post: Lewis: Firm sued for being robbed

Why would I be looking at damage control? Because some of the authors of national stories about PlainsCapital suing Hillary Machinery don't know that PlainsCapital is now based in Dallas. So the stories talk about Lubbock-based PlainsCapital, and proceed to make PlainsCapital - and Lubbock - look like a bunch of ignorant hicks.

ComputerWorld: Bank sues victim of $800,000 cybertheft

Of course, unless they had security measures in place that they aren't mentioning and someone just messed up, PlainsCapital acted like ignorant hicks, then acted even more ignorant by trying to sue for vindication. I said in the comments of my original post on this subject that email is not a secure verification method, and that point is being made by other observers. It's not like an expensive, high-tech solution was needed. A simple requirement that no transfer be made without a phone call, to a number the bank already had on file, to verify it's legit would have prevented this.
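To make that concrete, here is an added example of such a control. It is not PlainsCapital's system or any bank's product: a transfer desk that holds every request made over the online channel until a code, read out over a call to the phone number on file, is entered back. The code is bound to the transfer's own details, so it is single use, expires, and cannot release a different transfer. `TransferDesk`, `FakePhone`, the account names and the amounts are constructed for the illustration.

```python
"""Out-of-band confirmation for wire transfers.

Added example, not PlainsCapital's system or any bank's product.  A transfer
requested online is held until a code, read out over a call to the number on
file, is entered back.  TransferDesk and FakePhone are invented names.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # the callback must be completed within 10 minutes
CODE_DIGITS = 8          # what the operator reads out over the phone


class FakePhone:
    """Stands in for the voice channel: records (number, code) pairs."""

    def __init__(self):
        self.received = []

    def __call__(self, number: str, code: str) -> None:
        self.received.append((number, code))


class TransferDesk:
    def __init__(self, phone_on_file: dict, deliver, clock=time.time, key: bytes = None):
        self._phone_on_file = phone_on_file   # account -> number verified at onboarding
        self._deliver = deliver               # callable(number, code): places the call
        self._clock = clock
        # Per-desk secret; a real deployment keeps this in an HSM/KMS.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._seq = 0
        self._pending = {}                    # transfer_id -> transfer record
        self._released = []

    def _code_for(self, t: dict) -> str:
        # Bind the code to every field an attacker would want to alter.
        fields = ("id", "account", "dest", "amount_cents", "issued")
        msg = "|".join(str(t[k]) for k in fields).encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        n = int.from_bytes(digest[:8], "big") % 10 ** CODE_DIGITS
        return f"{n:0{CODE_DIGITS}d}"

    def request(self, account: str, dest: str, amount_cents: int) -> str:
        """Online-banking side: record the request; no money moves yet."""
        self._seq += 1
        t = {"id": f"T{self._seq:06d}", "account": account, "dest": dest,
             "amount_cents": amount_cents, "issued": int(self._clock())}
        self._pending[t["id"]] = t
        # The code goes to the number on file, never to the requesting
        # session or to an e-mail address the requester typed in.
        self._deliver(self._phone_on_file[account], self._code_for(t))
        return t["id"]

    def confirm(self, transfer_id: str, code: str) -> bool:
        """Callback side: release only if the code matches this exact transfer."""
        t = self._pending.get(transfer_id)
        if t is None:                                    # unknown, or already used
            return False
        if self._clock() - t["issued"] > CODE_TTL_SECONDS:
            del self._pending[transfer_id]               # stale request dies
            return False
        if not hmac.compare_digest(self._code_for(t), code):
            return False
        self._released.append(self._pending.pop(transfer_id))
        return True

    def released_total(self) -> int:
        return sum(t["amount_cents"] for t in self._released)


def demo() -> dict:
    """Replay the post's scenario with constructed accounts and amounts."""
    now = [1_265_000_000]                    # fixed clock for a repeatable run
    phone = FakePhone()
    desk = TransferDesk({"hillary": "+1-555-0100"}, deliver=phone,
                        clock=lambda: now[0], key=b"constructed-example-key")
    # 1. Legitimate: the account holder requests, takes the call, reads the code back.
    legit = desk.request("hillary", "vendor-acct-42", 125_000_00)
    legit_code = phone.received[-1][1]
    out = {"legit_released": desk.confirm(legit, legit_code)}
    # 2. Stolen credentials: the attacker requests an $800,000 wire, but the
    #    code is read to the number on file, so all he can do is replay the old one.
    fraud = desk.request("hillary", "mule-acct-99", 800_000_00)
    out["replay_released"] = desk.confirm(fraud, legit_code)
    # 3. Codes are single use: the legit code cannot release anything twice.
    out["reuse_released"] = desk.confirm(legit, legit_code)
    # 4. The account holder refuses to confirm a wire he never made; once the
    #    TTL passes even the correct code is worthless.
    fraud_code = phone.received[-1][1]
    now[0] += CODE_TTL_SECONDS + 1
    out["expired_released"] = desk.confirm(fraud, fraud_code)
    out["calls_to_number_on_file"] = sum(n == "+1-555-0100" for n, _ in phone.received)
    out["released_cents"] = desk.released_total()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The one thing the code cannot do for you is keep the number on file honest: if a customer's contact details can be changed from the same compromised login that requests the wire, the callback goes to the thief. Changes to the callback number need the same out-of-band confirmation as a transfer.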

From the codetechnology blog: Authentication issue at heart of lawsuit

So what would LEDA sue PlainsCapital for? Or maybe it should be the City of Lubbock suing them? I'm thinking defamation of character, damage to their brand, brand dilution...shoot, I don't know, but surely there's some stupid lawsuit they can hit them with that won't be as stupid as PlainsCapital's suit against Hillary.

From BankinfoSecurity.com: Texas Bank Sues Customer After $800,000 Scam

And a few more just because four stories don't demonstrate how widely this is being reported:

From Foxnews: A video clip

From Dallas Morning News: PlainsCapital suing customer Hillary Machinery over cybersecurity

From the e-business blog: Cybertheft victim gets sued by bank

From Techdirt: Bank Sues Identity Fraud Victim After $800,000 Removed From Its Account

And from the forums at Barrelhorseworld.com: We were cyber attacked/robbed...

Enjoy your weekend.

Thursday, February 4, 2010

Anatomy of a Craigslist scam

Our van went belly up a couple of weeks ago, and we need another one. A friend sent me a link to a van for sale on Craigslist for $300. Here is the listing:

$300 OR BEST OFFER
1996 CHRYSLER TOWN & COUNTRY LX MINIVAN
MOVING SOON & I CAN'T BRING IT WITH ME

- 106,970 MILES
- SECOND & 3RD ROW CUP HOLDERS ON BOTH SIDES
- SEPARATE REAR HEAT & AC
- AC/HEAT
- SEVEN PASSENGER
- NEWLY REBUILT AUTOMATIC TRANSMISSION
- ROOF RACK
- 3.8 LITER V6
- DUAL FRONT AIR BAGS
- AUDIOVOX 12.1 INCH DROP-DOWN DVD PLAYER
- GREY UPHOLSTERY
- METALLIC GREEN
- TINTED WINDOWS
- TWO SLIDING DOORS
- STEREO WITH CD & CASSETTE PLAYER
- HAS NO MECHANICAL PROBLEMS
- SECOND ROW FOLD-IN-FLOOR BUCKET SEATS
- FWD
- NEW TIRES
- POWER STEERING, WINDOWS, SEATS & DOORS

CONTACT ME @xxxxxx@yahoo.com

What makes this a classic scam is the appeal to our greed, in this case our desire to get something really good for as close to nothing as we can manage. Looking at the listing again, there was an obvious clue this was bogus from the start: 1996 Chrysler vans didn't have fold-in-the-floor second-row seats. I know this because the van that died was a loaded 1998 Caravan. Even without noticing that, the listing was still obviously too good to be true. The price was probably a typo, though, so I checked it out. I clicked on the email address and sent a query. Shortly afterward I received this email:

[Screenshot of the reply email. Caption: Odd name for a personal website...]

The URL seems a little odd for a personal website, but I'll check it out...

[Screenshot of the scammer's page. Caption: Appears to be a graphic, except for the phone entry fields]

Here's where the warning bells become intolerable. Some of this may be my own paranoia, but...

  • He's holding a raffle to see who gets to look at his van?

  • He's using a graphic for text - classic scam move. It's a lot more work than simply typing the text in - unless you're creating a bunch of ads. Then it's easier to create one document to upload instead of two or three (text and art).

  • He's using Craigslist's automated phone system to set this up? If he really works for them, he's fired.

  • He wants me to give him my phone number so Craigslist's APS can text me?

  • I can give him as many textable numbers as I want to; he doesn't mind.

I checked the page source, and the only thing the page did was make sure you actually put something in the fields. It didn't check what you put in, just that the fields weren't empty, so I entered u, u, u. It worked. It sent me to a five-second countdown page, which I think was setting up a Hotmail account to email my phone number to. It then sent me here:

[Screenshot of the follow-up page. Caption: Same page, but single code entry field now.]

Just the blank field I'm supposed to wait and fill in when I get texted. The other clue in the blue area is that some of the 'text' has a bit of cloudiness around it. That's a visual tell that it's an image file, not actual text.

I looked at the page source on this page and found a couple of interesting tidbits. There is a Hotmail address and a password that I think are auto-generated every time someone enters data into the fields on the previous page. I'm pretty sure that's the case because the Hotmail account is different every time. Yes, I clicked on it several times. Was that smart? Not really. I'm as protected as I can be, but there's no guarantee he doesn't have something new on his site that could compromise my computer.
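The page-source checks above can be scripted. This is an added example, not the scammer's code or anything from the original post: a triage script run over a constructed page that mimics the one described (text drawn as images, phone-number fields with a non-empty-only check, a countdown redirect, and an account name and password sitting in the JavaScript). The sample HTML, the hostnames and the credential strings are made up for the example; a real run would feed it the saved source of the suspect page.

```python
"""Triage a saved page's source for the scam tells described in the post.

Added example: SAMPLE_HTML is constructed to resemble the page the post
describes, not copied from it, and the checks are heuristics an analyst
would run before typing a phone number into such a form.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PAGE_URL = "http://craigslist-aps.example/verify.html"    # constructed
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=http://craigslist-aps.example/code.html">
<script>
  function check(f) { return f.phone1.value != "" && f.phone2.value != ""; }
  var acct = "aps-8f3k2@hotmail.com"; var pass = "Xk29!vq";
</script></head><body>
<img src="van_text.png" width="500"><br><img src="raffle_text.png" width="500">
<form action="http://collector.example/submit.php" method="post" onsubmit="return check(this)">
  <input type="text" name="phone1"> <input type="text" name="phone2">
  <input type="submit" value="Enter raffle">
</form></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PASS_RE = re.compile(r"(?:pass(?:word|wd)?|pwd)\s*[:=]\s*[\"']([^\"']+)[\"']", re.I)
EMPTY_ONLY_RE = re.compile(r"\.value\s*(?:!==?|===?)\s*(?:\"\"|'')")
PHONE_WORDS = ("phone", "mobile", "cell", "tel", "sms")


class PageStats(HTMLParser):
    """Collects the handful of facts the heuristics need."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0        # visible text outside <script>
        self.images = 0
        self.forms = []            # {"action": ..., "inputs": [...]}
        self.meta_refresh = False
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.images += 1
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("name", "").lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        else:
            self.text_chars += len(data.strip())


def triage(html: str, page_url: str) -> dict:
    """Return the tells found in `html`, plus the raw facts behind them."""
    p = PageStats()
    p.feed(html)
    p.close()
    js = "\n".join(p.scripts)
    page_host = urlparse(page_url).hostname
    findings = []
    if p.images and p.text_chars < 40:
        findings.append("text rendered as images: almost no real text in the body")
    if p.meta_refresh or re.search(r"setTimeout\s*\(", js):
        findings.append("timed redirect: page moves the visitor on after a countdown")
    # A non-empty comparison with no digit/regex test anywhere means "u" passes.
    if EMPTY_ONLY_RE.search(js) and not re.search(r"\\d|\.test\(|isNaN\(", js):
        findings.append("form validation only checks that fields are non-empty")
    for f in p.forms:
        phones = [n for n in f["inputs"] if any(w in n for w in PHONE_WORDS)]
        if phones:
            findings.append("form collects phone numbers: " + ", ".join(phones))
        if len(phones) > 1:
            findings.append("accepts several phone numbers per visitor")
        host = urlparse(f["action"]).hostname
        if host and host != page_host:
            findings.append("form posts to a different host: " + host)
    emails, passwords = sorted(set(EMAIL_RE.findall(html))), PASS_RE.findall(html)
    if emails and passwords:
        findings.append("account name and password embedded in the source")
    return {"findings": findings, "emails": emails, "passwords": passwords,
            "images": p.images, "text_chars": p.text_chars}


if __name__ == "__main__":
    for line in triage(SAMPLE_HTML, SAMPLE_PAGE_URL)["findings"]:
        print("-", line)
```

None of these tells is damning on its own (plenty of legitimate pages use a meta refresh), which is why the script reports all of them and leaves the judgement to the analyst; a page that trips five or six at once, as the constructed sample does, is the pattern described in the post.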

Am I being paranoid? Craigslist didn't think so. By the time my friend saw the ad and told me, it had already been pulled off the site. It still showed up as a result in searches, but when you tried to go to it, a page popped up saying the ad had been marked for deletion.

So what was he trying to accomplish? At first I thought he was just generating phone lists to sell. After all, all he asked for was a phone number. Then I realized what he really wanted was numbers to cell phones: SMS-capable cell phones to which he could send simple little "your code is: xxxxx" messages, billed as premium-rate SMS at $9.99 per message. If the ad ran in 10 cities long enough to collect 1,000 valid, textable numbers in each city, that would be roughly $100,000 to the con man. Not a bad morning for a crook.

UPDATE: Once I was someplace I could log into Hotmail, I went through the process again and tried the Hotmail account and password that were on the page. Not only had it created a Hotmail account, there was an email from Craigslist waiting in it: the script had created a new Craigslist account as well. I imagine it also placed more ads. I'm bordering on illegality here (even though the scammer handed me the account info in the source code of the page), so I'm not going any further, but I suspect that the Craigslist account may have the same username and password as the Hotmail account. Of course, this is all automated, so it doesn't have to be the same.