Archive for the ‘Cybercrime Trends’ Category

Yesterday, I had the chance to get a security briefing from the local FBI office. They are reporting a wave of ATM skimmers discovered in the last 30 days in Kent, Stow and Cuyahoga Falls. So far, the financial losses have been low and they are working hard to catch this ring of thieves before they move to some other area.

In the meantime, the FBI recommends that you use the “wiggle test” at ATMs and gas pumps. ATM skimmers are glued onto the front of the existing machine. If something looks even slightly out of place or sticks up from the face of the machine, give it a good yank. If it feels loose (or worse, something comes off), immediately report it to the merchant. And if it just looks suspicious, well, take your business somewhere else.

We first talked about ATM skimmers in 2006. They are back in the news in 2010 as a wave of skimmers is being installed by what the FBI describes as organized crime from Eastern Europe. The latest reports show that these skimmers are taking in about $350,000 per day. And unlike the prior exploits, these criminals often wait weeks or even months before using the stolen information, making it much more difficult to connect the monetary loss to the crime.

A quick refresher: An ATM skimmer is a device glued on the front of an ATM or gas station card reader that records the magnetic information off your card as the card passes through to the real reader. Some of these devices are quite thin and can look just like the original equipment. Many are also rigged with hidden cameras which record your fingers as you key in your PIN. Snopes has a good set of pictures, as does CSOonline.

Look carefully at the machine before swiping your debit card. If you see any signs of tampering, loose components, mismatched colors or anything else that makes you suspicious, go to a different machine.

And as always, leave your debit card at home whenever possible. Credit cards carry better legal protections if/when they get exploited.

A while back, CBS News ran an “exposé” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is being run around the internet again, though, so let’s take a few minutes to formally debunk it.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

  • Digital copiers contain hard-drives – True.
  • The hard-drive keeps a copy of the documents being copied – True.
  • The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes there are images on the hard-drive but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
  • The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even half-way on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

  1. If your company does not keep copiers on their IT asset list, they should. (Though they should primarily because of the risk of an unpatched OS.)
  2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.


Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to its highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab but it will frustrate the 13-year-old who pulls the drive out of the trash.

After the impressive sophistication of the last two scams we’ve talked about, the one I got today is laughable. Note the poor grammar, absurd payout claim, lack of personalized address, generic reply address and, of course, the inevitable request for a copy of your driver’s license. There’s been a significant uptick in these classic phishes in the past few months. It’s embarrassing that people still fall for these scams.

Unfortunately, the statistics still show that we do fall for these scams at an appalling rate. Ironically, this one will probably do better than average because it alleges to offer compensation for being the victim of a prior scam. Clearly, the scammers are thinking that if you fell for the earlier scam (and with a massive spam blast, they’re sure to get some), you might be emotionally vested enough to want revenge and won’t look at the details in this “offer”.

Never reply to a spammer. And please do everything you can to help teach your co-workers, family members and friends how to avoid these scams. If it sounds too good to be true, it is.

I just read two security articles with some interesting implications when you take them together. The first noted that anti-virus software, while still vitally important to your computer, only stops 35-40% of malware attacks – down from about 47% last year. The second described a “sexy Candid Camera Prank” attack being currently launched against Facebook users.

In this Candid Camera Prank attack, someone posts a fake video message on your profile page showing a woman on a bicycle in a short skirt. Clicking the movie thumbnail does not display the video but instead takes you to a Facebook application that tries to get you to download a “video player” which is really the old Hotbar adware. If you do fall for it, not only are you flooded with spam and other junk but your Facebook account is now used to spread the infection to your friends.

The interesting thing about putting the two articles together is that the hackers are no longer just trying to attack your computer directly. Sure, many still use old-fashioned scripts and viruses that try to directly attack your computer. But more and more have largely moved their attacks to social media. Their attacks depend more on you to fall for a trick, giving them an inlet to your network. Facebook, MySpace and other social media sites are very powerful and important tools but the same things that make them valuable to you also make them easy avenues to use for attacks against you.

Having a good anti-virus program and keeping it up to date is still vitally important. Even though the ratio is down, there are still hundreds of attacks against the average computer every day. But for the new attacks, vigilance and paranoia are the words of the day. No matter how good your technical defenses are, you cannot rely on them alone.

If something looks too good to be true, it probably is. Trust your suspicions.