Saturday, May 26, 2007

$4.00 Car Alarm

Is perception of an alarm system good security? Or just another part of a layered defense?
For instance, for US$4.00, you can purchase a blinking red LED box from Radio Shack (part number 276-299). It looks like this:

Add two AA batteries, mount it in your car (some velcro tape is included), position the LED, and flip the switch.

Voila! A car alarm system!

Or at least one that will make a potential thief look twice.

Tuesday, May 22, 2007

Make Money with Spam

Is sending spam worthwhile? Consider these numbers from Chris Barton at McAfee (link here: http://www.avertlabs.com/research/blog/index.php/2007/05/21/stats-from-the-bulk-emailer/ )

He noted that one spammer has sent out 1.8 million email messages. Of those, 0.3% were opened, so the spammer gets revenue for that action. Then 0.126% of all the emails sent had a user click on a link. More revenue.

That means (if I can work the calculator correctly) that about 2318 people clicked on a link in the spam message, for which the spammer received revenue. If the spammer gets 15 cents per 'click-through', then that's about $350. If the spammer gets a piece of anything sold due to that click-through (say $5/each), then that's an additional $1750 for that one click through.

I'd think that about $2K gross revenue is not bad for a bit of spam work.

And that's just for one email 'campaign'. If you can do that just once a day, you're talking about a real hunk of yearly revenue, even with the cost of doing business.

No wonder that 85% of the email we get at work is spam.

Sunday, May 20, 2007

Geeks in Monterey

Back in town. Eight days in Monterey for a geeky conference (SANS). I took a class on Computer Forensics.

The class was interesting, but leaned heavily towards forensics on Linux-based systems.

Although the techniques used can also be used for Windows systems, the main emphasis on Linux systems presented a challenge for this Linux n00b.

There was some knowledge gained, though. My challenge will be to determine how to adjust that knowledge to Windows systems.

A quiet Sunday, with the usual church things, rounded out this weekend. Back to the office tomorrow. A week's backlog of tasks will keep me busy there for a couple of days.

Monday, May 7, 2007

Self-Service Credit Card Monitoring

Someone asked a question about identity theft protection and credit card monitoring services. Here's a "do-it-yourself" version:

1. Check your financial (checking, credit) statements when you receive them. Even better, check on-line at least weekly. One indication of impending financial fraud is the appearance of a small transaction you don't recall. The evil credit card thief will put through a small charge to make sure the account is active. If that charge is accepted, larger ones will follow. Call your bank (use the number on the printed statement, not one in any email you might get) and dispute the charge. Ask for (insist on) a replacement credit card, and change your PIN.

2. Be very careful about inputting credit card numbers on web pages. Never click on a link in an email or web page that asks you to verify your numbers. Banks already know your PIN number; you don't need to tell them.

3. Get a copy of your credit report. Use the free site here (beware of advertised 'free' sites; they are not free) https://www.annualcreditreport.com/cra/index.jsp . You can get one free report each year from each of the three credit reporting companies, so do it once every four months. Print it out, and look for suspicious activity. (Other good information on that site, and here: http://www.privacyprotection.ca.gov/cover/identitytheft.htm .)

4. Invest in a shredder, and then use it. Get a locking mailbox. Remove your name from the bank solicitation lists to reduce those 'free credit card' offers (start here: http://www.dmaconsumers.org/consumerassistance.html#mail )

5. "Identity Theft Insurance" may not pay for all of your losses, or the time spent fixing things, so check the fine print in the policy.

6. And follow those other 'safe computing practices' I keep harping on. You'll find hints all over the place: Microsoft has a good privacy page ( http://www.microsoft.com/athome/security/default.mspx ), and there are some more hints here ( http://digitalchoke.com/blog/showreports.php?article=reports/home-checklist.php ).

So, use these tips rather than paying for a service. But if you must spend your money, please email me your checking account information and PIN number.

Friday, May 4, 2007

Recipe for Data Theft

Today's Wall Street Journal has a long article about the credit card data theft at TJMaxx. (An online version is only available to WSJ subscribers.)

But here's the recipe, according to the Wall Street Journal, used by the hackers, who are apparently "made up of Romanian hackers and members of a Russian organized crime group that also are suspected in at least two other U.S. cases over the past two years".

First, create a 'cantenna' out of a Pringles can to intercept wireless data at longer distances. The cantenna is quite easy (and cheap; total cost under US$15) to make; you can find complete instructions via your favorite search engine.

Next, position yourself outside a store that has a wi-fi connection for its in-house computer system. TJMaxx used wi-fi for its portable price scanners, and for communication between cash registers and back-office systems.

Find a store that uses no encryption or WEP encryption (easy to break). Use open-source software to recover the WEP key. Then monitor wi-fi traffic using a network sniffer to find the passwords used by employees as they log into the store's network.

Now use that login information to create your own accounts on the store's system (or just use those logins). Start wandering around the store's computers until you find the unencrypted credit card transaction database. You can also put in your own software to intercept credit card transactions sent to the parent company.

Store all of your information using open source PGP encryption. Then put in a backdoor to allow you to connect to the store's system from anywhere on the Internet.

Wait a bit, being careful to keep a low profile. When you get a pile of credit card numbers, sell those in some private areas to others. I think the going rate is about US$10-25 per credit card.

But keep a low profile, so you can keep grabbing credit card info over several years. At TJMaxx, the hackers started in July 2005, and were able to continue through December 2007, eventually getting at least 47.5 million credit card numbers (or as many as 200 million).

So, what do you do? The best thing is to keep an eye on your financial accounts. Look at your credit card charges often -- perhaps daily or weekly. Look for small purchases that you don't remember making. If you find one, immediately contact your credit card company, dispute the charge, and ask for a replacement credit card (cancelling the old credit card number).

And get your credit report. Use this free site (not the ones that are advertised on TV): https://www.annualcreditreport.com/cra/index.jsp . You can request a free credit report from each credit reporting agency each year. (Do one every four months.) Check things carefully.
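Item 1 of the Self-Service Credit Card Monitoring post above and the advice just above describe the same warning sign: a small charge from a merchant you don't recognize, followed by larger ones once the thief knows the card works. The script below is an added example, not code from this blog; it assumes a statement exported as CSV with `date,merchant,amount` columns and a list of merchants you already recognize from earlier statements (both constructed here), and flags the probe charge and any larger follow-on charge from the same unfamiliar merchant.

```python
"""Scan a card statement for the "small test charge, then larger charges" pattern.

Added example (not from the blog post). Assumes:
  - a baseline set of merchants seen on earlier statements (constructed below)
  - a statement exported as CSV with date,merchant,amount columns (constructed below)
  - PROBE_LIMIT, an assumed dollar threshold for what counts as a "small" charge
"""
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO

PROBE_LIMIT = 5.00  # assumed threshold for a probe charge, in USD

# Constructed baseline: merchants that appeared on previous statements.
KNOWN_MERCHANTS = {"GROCERY MART", "GAS N GO", "CITY WATER UTILITY"}

# Constructed statement. Real bank exports use different column names; adjust
# parse_statement() accordingly. WEBSHOP LTD shows the pattern: $1.00 probe,
# then a large charge four days later. NEW CAFE is a lone small unknown charge.
# BIG STORE is unknown but large with no preceding probe, so it is not flagged.
STATEMENT_CSV = """date,merchant,amount
2007-05-01,GROCERY MART,84.12
2007-05-02,WEBSHOP LTD,1.00
2007-05-03,GAS N GO,41.50
2007-05-06,WEBSHOP LTD,489.99
2007-05-07,CITY WATER UTILITY,62.00
2007-05-08,NEW CAFE,3.25
2007-05-09,BIG STORE,120.00
"""


@dataclass(frozen=True)
class Flag:
    kind: str        # "probe" (small unknown charge) or "follow_on" (larger charge after a probe)
    when: date
    merchant: str
    amount: float


def parse_statement(text):
    """Parse the CSV into (date, MERCHANT, amount) tuples, oldest first."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append((date.fromisoformat(r["date"]),
                     r["merchant"].strip().upper(),
                     float(r["amount"])))
    rows.sort(key=lambda t: t[0])
    return rows


def scan_statement(text, known=KNOWN_MERCHANTS, probe_limit=PROBE_LIMIT):
    """Return Flags for probe charges and for follow-on charges from probed merchants."""
    flags = []
    probed = set()  # unfamiliar merchants that have already placed a small charge
    for when, merchant, amount in parse_statement(text):
        if merchant in known:
            continue  # a merchant you already do business with
        if amount <= probe_limit:
            flags.append(Flag("probe", when, merchant, amount))
            probed.add(merchant)
        elif merchant in probed:
            flags.append(Flag("follow_on", when, merchant, amount))
    return flags


if __name__ == "__main__":
    for f in scan_statement(STATEMENT_CSV):
        print(f"{f.when} {f.kind:9} {f.merchant:20} {f.amount:8.2f}")
```

The script deliberately flags only the pattern the posts describe; an unfamiliar large charge with no preceding probe (BIG STORE above) still deserves a look, but it is the probe-then-follow-on sequence that points at a card being tested before it is drained. Anything flagged is a reason to call the number on the printed statement, not a verdict.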

A good place for information is at the California Dept of Consumer Affairs site here: http://www.privacyprotection.ca.gov/cover/identitytheft.htm . Good information about preventing identity and financial theft, and what to do if you are a victim.

For businesses, make sure that you follow the "Cardholder Information Security Program" (CISP) guidelines to protect your customers' credit card numbers. Start here for info: http://usa.visa.com/merchants/risk_management/cisp.html . You don't want the expense or the exposure of credit card theft.

Just ask TJMaxx. The reports are that it will cost them over US$1 Billion over five years.
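The recipe above hinges on the thieves finding an unencrypted transaction database, and the CISP advice is about not leaving one lying around. The example below is added here and is not code from the blog or from the CISP documents; it shows one common way to keep a transaction table that never holds the full card number: store only a masked number for display plus a keyed hash (HMAC-SHA256) as a lookup token. The key (`TOKEN_KEY`, a constructed placeholder) is assumed to live outside the transaction database, in a key management service or HSM; the Luhn check catches mistyped numbers, not fraud.

```python
"""Record a card transaction without storing the full card number (PAN).

Added example, not from the blog post or from CISP. Assumes a secret key held
outside the transaction database; the value below is a constructed placeholder.
"""
import hashlib
import hmac
import re

# Constructed placeholder. In practice the key lives in an HSM or key management
# service, never in the same database as the transactions it protects.
TOKEN_KEY = bytes.fromhex("00" * 32)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: True for a well-formed number. Detects typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the parts a receipt may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN.

    A plain (unkeyed) hash of a card number could be brute-forced because the
    space of valid numbers is small; the secret key prevents that while still
    letting the business match repeat customers and look up disputed charges.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_transaction(pan: str, amount_cents: int, key: bytes = TOKEN_KEY) -> dict:
    """Build the record that goes into the transaction table: no full PAN in it."""
    pan = re.sub(r"[ -]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a well-formed card number")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a widely used test number, not a real card.
    print(store_transaction("4111 1111 1111 1111", 4999))
```

With this layout, someone who copies the transaction table gets masked numbers and opaque tokens; turning a token back into a card number requires the key, which is exactly what keeping the key out of the database is meant to deny. The authorization path still needs the full PAN in transit, so this covers the stored data the post describes, not the point-of-sale network itself.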