Kids Hack The Darndest Things…

SC Magazine is reporting that a survey has found that one in four schoolchildren have attempted some level of hacking.  Despite 78% agreeing that it is wrong, a quarter have tried to surreptitiously use a victim’s password, with almost half saying that they were doing it ‘for fun’.  Whatever happened to just catching squirrels in a cardboard box, building a tree fort, or pulling the legs off spiders?  21% had aimed to cause disruption and 20% thought they could generate an income from the activity.  5% said that they would consider it as a career move.  One thing that the article seems to neglect is the actual ages of the kids surveyed.  “Schoolchildren” could mean K-12, spanning 4 – 17 years (older if they were so clever that they did a couple of years over ’cause working sux).  Wonder how they look in orange…


CBC – Who’s Minding The Store

Credit card theft is a rampant problem.  As quickly as we develop new ways of protecting credit card data, it seems, criminals develop new techniques to bypass those same security measures.  On Friday March 12th, Marketplace aired a new episode titled “Who’s Minding the Store?” describing some of the new techniques being used to gain access to credit and debit card information.  The episode features computer forensics and security expert Ryan Purita of Sherlock Forensics.

You may be surprised to find out just how easy it is to get credit and debit card numbers along with other information.  One way is to steal actual point-of-sale terminals.  These are the machines used to pay for your goods at various retailers, restaurants, and stores.  Once a thief has possession of a PoS terminal, they can access whatever information it contains.  What may shock people is that there are currently no disclosure laws within Canada that require companies to disclose security breaches or data loss.  If your credit card data is stolen from a PoS terminal, you may never know.

Computer forensics and data security are essential to corporations that handle customers’ financial data.  Companies should invest in encryption just as they would in insurance or CCTV systems, according to Purita.  To learn more about these new forms of credit and debit card theft, view the episode online anytime at

Hacker Runs Up $45k Phone Bill on SMB

Since 1944, the Sherrill Furniture Company, located in the Hickory, North Carolina area, has supplied custom home furnishings to major furniture and department stores throughout the US and Canada.  It took a hacker only 12 hours to run up $45,582 in telephone charges for the company.  More than 10,000 minutes of phone calls were made from the phones at Sherrill Furniture on Highland Ave. NE in Hickory from 9 p.m. on Friday, March 5 to 9 a.m. the following day.

The company reported the security breach to police Tuesday, and a preliminary investigation revealed that the phone calls originated in Somalia.  Investigators know that calls were made to Austria, Bulgaria, France, Korea, and the Philippines.  It sounds like a scam to re-sell phone time for cash, involving teams of well-organized hackers and salesmen on the streets.  The thieves target corporate phone systems because they tend to be the weak link in a lot of companies’ security, and they are particularly vulnerable on weekends when most staff are not in.

Sherrill’s phone company, Century Link, is working with the company to resolve the problem, according to the police report.
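The pattern in the Sherrill case, after-hours international calls from one extension, is easy to spot in PBX call-detail records if anyone is looking. The following is an added example, not anything from the Hickory Record story or Century Link; the CDR lines, the business-hours window and the per-minute rate are all constructed for illustration.

```python
# Added example (not from the Hickory Record story): flag after-hours international
# calls in PBX call-detail records (CDRs), the toll-fraud pattern in the Sherrill case.
from datetime import datetime

# Constructed sample CDR lines: timestamp,extension,dialed_number,duration_seconds.
# Numbers are made up; "011" is the NANP international dialing prefix.
SAMPLE_CDR = """\
2010-03-05 16:10:00,204,18285551234,180
2010-03-05 21:05:12,117,011436012345678,610
2010-03-05 21:06:40,117,011359298765432,590
2010-03-05 21:08:03,117,011632212345678,620
2010-03-05 23:40:00,117,011331234567890,600
2010-03-06 08:15:00,117,011825512345678,300
"""

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 on weekdays (assumption for the example)
EST_RATE_PER_MINUTE = 4.50      # placeholder tariff, not Sherrill's actual rate

def parse_cdr(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ext, number, secs = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "ext": ext, "number": number, "secs": int(secs)})
    return rows

def is_international(number):
    return number.startswith("011")

def is_after_hours(ts):
    # Weekend, or outside business hours on a weekday
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def suspicious_calls(rows):
    return [r for r in rows if is_international(r["number"]) and is_after_hours(r["ts"])]

def summarize_by_extension(rows):
    """Per-extension count, minutes and estimated cost of after-hours international calls."""
    summary = {}
    for r in suspicious_calls(rows):
        s = summary.setdefault(r["ext"], {"calls": 0, "minutes": 0.0})
        s["calls"] += 1
        s["minutes"] += r["secs"] / 60
    for s in summary.values():
        s["est_cost"] = round(s["minutes"] * EST_RATE_PER_MINUTE, 2)
    return summary

if __name__ == "__main__":
    for ext, s in summarize_by_extension(parse_cdr(SAMPLE_CDR)).items():
        print(f"ext {ext}: {s['calls']} calls, {s['minutes']:.1f} min, ~${s['est_cost']}")
```

Run against the real CDR export, a per-extension threshold on this summary (or a call-rate alert at the carrier) would have fired within the first hour of the Friday-night burst rather than on Tuesday.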

Sherill Furniture

Hickory Record

Royal London Mutual Insurance Society Security Breached – Action Taken

The UK’s Information Commissioner’s Office (ICO) has found that, after 8 laptops were stolen from the company’s Edinburgh offices, the Royal London Mutual Insurance Society was in breach of the Data Protection Act (DPA).  Two of the laptops contained the personal details of 2,135 people.  Those affected were employees of firms which had sought pension scheme illustrations.

The laptops containing personal information were unencrypted but were password protected.  This is a common mistake made by management and IT folks alike.  Password protection can be easily circumvented.  Usually moving the hard disk into another computer is enough, but there are also TOOLS available to those who have their minds set on accessing your PII.  An internal report showed that the company was uncertain about the precise location of the laptops at times, and that physical security measures were inadequate.  Managers were not aware that personal information was stored on any of the laptops, meaning no additional precautions to secure the data had been taken.

The CEO has signed an Official Undertaking to ensure that portable and mobile devices are encrypted going forward.  The Undertaking also requires appropriate physical security measures to be put in place.  Learn a lesson from the mistakes of others.  Learn to sleep at night, adopt encryption on all mobile devices, and consider it for ALL electronic devices, PERIOD.  It is not a silver bullet for all of your security concerns, but it is definitely high-caliber ammunition!
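“Password protected” and “encrypted” get conflated all the time, so it is worth having a check that looks at the disk rather than at the login screen. The script below is an added example (not from the ICO notice or Royal London): on a Linux laptop it walks the device tree that `lsblk -J` prints and reports every mounted filesystem that is not sitting on a dm-crypt/LUKS device. The JSON embedded here is a constructed sample standing in for real `lsblk` output.

```python
# Added example (not from the ICO enforcement notice): check which mounted
# filesystems on a Linux laptop actually sit on a dm-crypt/LUKS device, using
# the JSON that `lsblk -J` prints. The JSON here is a constructed sample.
import json

SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
    {"name": "sda3", "type": "part", "mountpoint": "/home"}
  ]}
]}
"""

def _mountpoints(node):
    # Older lsblk emits "mountpoint"; util-linux >= 2.37 emits a "mountpoints" list.
    mps = node.get("mountpoints") or [node.get("mountpoint")]
    return [mp for mp in mps if mp]

def audit_encryption(lsblk_json):
    """Map each mountpoint to True if the device or an ancestor is of type 'crypt'."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result

def unencrypted_data_mounts(lsblk_json, allowed=("/boot", "/boot/efi")):
    """Mounts holding data that are not on an encrypted device; /boot is commonly cleartext."""
    return sorted(mp for mp, enc in audit_encryption(lsblk_json).items()
                  if not enc and mp not in allowed)

if __name__ == "__main__":
    # On a live system: lsblk_json = subprocess.check_output(["lsblk", "-J"], text=True)
    for mp in unencrypted_data_mounts(SAMPLE_LSBLK_JSON):
        print(f"WARNING: {mp} is not on an encrypted volume")
```

In the sample, the root filesystem is on a crypt device but /home is a plain partition, which is exactly the laptop that a login password “protects” and a screwdriver defeats.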

ICO Enforcement

Your Company Too Small For Security Worries?

The Plaza location of Mary’s Pizza Shack in Sonoma, California has been identified as the target of an intrusion into the restaurant’s computer systems: a key-logger virus captured credit card numbers at the transaction terminal.  The virus was uncovered internally on Feb. 10 after the family-run company received reports from friends about unauthorized credit card charges.  CEO Vince Albano, grandson of the founder, said the company immediately contacted VISA, MasterCard, Discover and American Express, and then hired Trustwave, a Chicago-based data security firm recommended by the card companies.

Only credit card numbers were taken; no PII such as Social Security numbers or bank account records was exposed, although VISA and MasterCard debit accounts were apparently raided.  Trustwave identified and removed the virus on Feb. 23.  Sheriff’s Office investigators reported there were at least 70 reported cases of stolen credit card number use, some 50 of which were traced to Mary’s.

Now, Mary’s is not a large enterprise: 18 locations at last count.  This is the look of malware attacks to come.  To date, malware has had the most impact on large companies, and these targets have remained in the sights of attackers.  Since so much effort, time and technology has been spent on the corporate Fort Knoxes out there, large to medium-sized businesses with a website, commercial presence, and Internet-connected networks are the next targets.  Many of these businesses have skated by security requirements with freeware anti-virus and consultant-provided or poorly maintained security solutions, and have sacrificed security initiatives and contracts as the failing economy has progressively nibbled away at the bottom line.

It’s time to pay the piano player…

Mary’s Pizza Shack

Sonoma News

Elevation of Privilege: Threat Modeling Card Game

Are you interested in learning more about, or running tabletop exercises for, Threat Modeling in your organization?  Want to introduce the Software & Security Development Life Cycle to your dev teams and security folks?  How about making it interesting, educational and FUN!?

Microsoft has made a card game out of threat modeling; find the details and downloads here.  The idea is to print out security scenarios on cards and create a competition to figure out how each scenario can be applied to an application.  They do a good job of enumerating common scenarios for each STRIDE element – it isn’t exhaustive, but it covers a good deal of ground and should provide good guidance to staff that may not be accustomed to thinking about attack scenarios.  A development team may even enjoy finding and documenting security threats.  It’s a clever way to approach threat modeling.

Just like in the classic threat modeling process, the diagram of the application is incredibly important.  It balances the entire exercise, and provides the hinge-point to success or failure.  A diagram that doesn’t model ALL of the data flows is going to miss threats and be incomplete.  A diagram that is too high level or leaves crucial details in the abstract (for example a series of components collapsed into one entity, hiding a trust boundary) could be a real handicap.  A diagram that shows unnecessary elements is also a problem, because it presents more information than humans can consume in a single session.
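To make the “every data flow, every trust boundary” point concrete, here is an added example (my own illustration, not Microsoft’s game or any of its tooling) of a minimal data-flow diagram as data, with the STRIDE-per-element mapping the SDL uses applied to it. It puts the threats on flows that cross a trust boundary at the front of the queue and flags any element no flow touches, which is usually the sign of a flow the diagram forgot. The browser/web app/database elements are constructed.

```python
# Added example (not Microsoft's game or tooling): a minimal data-flow diagram
# model with STRIDE-per-element enumeration, flagging flows that cross a trust
# boundary and elements with no flows at all. Names are constructed.
from dataclasses import dataclass

# STRIDE-per-element, as in Microsoft's SDL threat modeling:
# S=Spoofing T=Tampering R=Repudiation I=Information disclosure D=DoS E=Elevation
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "datastore": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone; a flow between zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

def crosses_boundary(flow):
    return flow.src.zone != flow.dst.zone

def enumerate_threats(elements, flows):
    """Return (target, stride_letter, crosses_boundary) for every candidate threat."""
    threats = [(e.name, s, False) for e in elements for s in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        target = f"{f.src.name}->{f.dst.name} ({f.label})"
        threats += [(target, s, crosses_boundary(f)) for s in STRIDE_PER_ELEMENT["flow"]]
    return threats

def boundary_crossing_threats(elements, flows):
    """Threats on flows across a trust boundary: review these first."""
    return [t for t in enumerate_threats(elements, flows) if t[2]]

def unconnected_elements(elements, flows):
    """Elements with no flows: a sign the diagram is missing a data flow."""
    touched = {f.src for f in flows} | {f.dst for f in flows}
    return [e.name for e in elements if e not in touched]

# Constructed DFD: browser on the internet -> web app in a DMZ -> database internally
BROWSER = Element("Browser", "external", "internet")
WEBAPP = Element("WebApp", "process", "dmz")
DB = Element("OrdersDB", "datastore", "internal")
ELEMENTS = [BROWSER, WEBAPP, DB]
FLOWS = [Flow(BROWSER, WEBAPP, "HTTP request"), Flow(WEBAPP, DB, "SQL query")]
```

Collapsing WebApp and OrdersDB into one box would erase the dmz/internal boundary and the three flow threats that come with it, which is the “hidden trust boundary” handicap described above.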

For those looking to introduce threat modeling into their organization, this is a good starting point.  If your organization develops its own applications, you should consider threat modeling in some capacity.  It is the best methodology I have found for doing design-level security analysis.