Wednesday, July 16, 2008
Banks should be liable for e-fraud - vnunet.com - 11 Jul 2008
The House of Lords Science and Technology Committee called for legislation to force banks to cover customer losses incurred through e-crimes in its follow-up to the report on personal internet security it published in August 2007.
The report claims that, under the current system, banks often deny liability for password and Pin fraud, claiming customer negligence or even complicity in the fraud.
"We reiterate our strongly held view that the current reporting sequence is wholly unsatisfactory and that it risks undermining public trust in the police and the internet," says the report.
The committee also recommended that victims of cyber-crime should be able to report incidents directly to the police, reversing the current process which requires them to report incidents to their bank.
The peers also called for a data breach notification law that would require organisations publicly to acknowledge breaches when customer security has been compromised.
The report acknowledged recent proactive moves in terms of protecting UK citizens from online crime, following the government's embarrassing data breaches.
"A level of indifference on the part of the government has now been dispelled only as a result of recent incidents involving serious losses of personal data," the report said.
The call was backed by Bill Beverley, security technology sales manager at F5 Networks.
"If people were to adopt best practices, many of these data breaches would not have occurred," he told vnunet.com.
Beverley believes that this move would "add some teeth to the legislation" and help spur complacent companies into action when it comes to the protection of data and the liabilities involved when breaches occur.
He added that it is imperative that government agencies are held to the same standards as private companies.
by Guy Dixon and Ian Williams
Wednesday, July 9, 2008
US criminals target large corporate web sites - VNU Net - 07 Jul 2008
Cybercriminals launched SQL injection attacks on thousands of web pages belonging to some of the largest companies in the US, as well as state government agencies and educational institutions.
Criminals are increasingly targeting affluent users such as C-level executives in the hope of accessing lucrative bank accounts and sourcing log-in credentials and email addresses that span whole organisations.
Criminals are keeping pace with technology and becoming more ambitious in selecting targets, said Raimund Genes, chief technology officer of Trend Micro.
"This is a good example of how cyber criminals are evolving with the times. They are moving away from threats that use old or waning technologies and instead focusing on the lucrative threats that bring a bigger payload," he said.
In its report, Trend Micro said mobile threats are continuing to emerge, and it discovered malware disguised as multimedia content was being used to infect older Nokia mobile phones.
Tracking software infections declined by 15 per cent between May 2007 and April 2008, while adware and keyloggers were also down.
Thursday, June 12, 2008
Are Hacktivists the new Cyberterrorists? - pcmag-mideast.com - 11 Jun 2008
So, it didn't come as a surprise to me when my colleague Hatim Kantawalla messaged me the other day, saying that our website PCMag-MidEast.com had been hacked. I quickly logged onto the website to assess the damage: all the headlines of each entry (reviews, news and so on) had been changed to "Hacked by" statements.
I copied the name of the hacker and Googled it. Google threw up umpteen search results suggesting that the damage done was the handiwork of some politically motivated activists. Apparently more than 100 websites from the UAE region, including the website of a daily newspaper and key Arab government, university and company websites, were hacked.
According to news reports the Iranian hacking team, which called itself ‘Mafia Hacking Team’, said that the hacking exercise was conducted to protest the change of the name of ‘Persian Gulf’ into 'Arabian Gulf’. Apart from PC Magazine’s website, other prominent regional websites hacked by the group included UAE's al-Khaleej newspaper, Arab League Gulf, Iraq's Higher Education Ministry, UAE's Abu Dhabi Police Office, Saudi Arabia's Mayadin University, UAE's People's Board, and Oman's Gas Company.
I believe hacktivism is fast becoming the new form of cyberterrorism. Formed by combining 'hack' with 'activism', hacktivism is the act of hacking into a website or computer system in order to communicate a politically or socially motivated message.
Unlike a malicious hacker, who may disrupt a system for financial gain or out of a desire to cause harm, the hacktivist performs the same kinds of disruptive actions (such as a Denial of Service attack) in order to draw attention to a cause. For the hacktivist, it is an internet-enabled way to practice civil disobedience and protest, in order to advance political causes.
Hacktivism is indeed becoming a disturbing trend, and one which can have serious ripple effects that interfere with internet operational continuity, sometimes in ways which we may not even have thought of yet. The availability of social networks and 'hacktivist' tools contributes both to the increasing number of attacks and to their effectiveness.
Most professionals that closely follow politically motivated computer crimes and hacktivism believe there has been a steady increase in activity for several years, with ups and downs following political events in the real world (such as Olympic protests, Israeli-Palestinian conflicts, and so on).
These attacks demonstrate not only the viability of online attacks to support the political agendas of the antagonists; they also show that in the virtual world, third parties thousands of miles away from the conflict and not directly involved can become protagonists or victims of the online skirmishes.
Such instances allow countries or organisations to insert their agenda into the situation with minimal chance of detection. In such a scenario, corporations around the world need to understand the unnecessary threat posed to their organisations by individuals and groups with political agendas.
Hence you might want to rethink the IT security policies of your organisation with utmost care. First you need to determine if your organisation is a potential target of such attacks. Next, perform regular formal risk assessments. Develop comprehensive incident response plans and test them regularly. Analyse your network infrastructure and perform regular scans for malicious activities. By doing so, you can at least keep security holes at bay. Remember, prevention is always better than cure.
Fraudsters exploit multi-million pound crack in card fraud protection system - pressreleasenetwork.com - 11 Jun 2008
Address Verification System (AVS) is used by credit card companies and banks to check that the billing address supplied by a person claiming to own a credit card agrees with the address on file at the card issuer. It does not verify identity; it compares only the numerals in the address. It works by matching the digits of the house number and the digits of the postcode for each card issued, discarding the street name and the letters of the postcode. For example, 43 Crooks Close, B10 7GB would result in an AVS number of 43107.
With retailers like Cotton Traders and TK Maxx having their customer databases hacked, fraudsters can simply obtain card details and use them for personal gain.
"What we've observed is that fraudsters are now compromising and using card details where the genuine cardholder's address numerals exactly match the address they want delivery to," explains Andrew Goodwill, Director and fraud expert at the 3rd Man. "So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address."
This is a serious problem, one that fraudsters have not only cottoned onto but are exploiting in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk.
Internet and mail order retailers often rely on AVS matches to help them determine that the order has been placed by the cardholder. By combining compromised card details with a delivery address whose numerals match the cardholder's billing address, fraudsters can virtually guarantee that the transaction appears genuine, because the retailer has no realistic way of checking anything beyond those numerals. The Security Code (CVV) check is also useful, but it too has been compromised in these recent frauds, since the code is usually obtained along with the card details.
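To make the weakness concrete, the following Python is an added example (not code from the press release or from the 3rd Man) that reproduces the numeral-only comparison described above and shows how easily two unrelated addresses collide. The function names and the list of sample addresses are constructed for the example; the first address is the page's own 43 Crooks Close, B10 7GB.

```python
import re
from collections import defaultdict


def avs_key(address_line, postcode):
    """Return the numeral-only key AVS compares: the digits of the first
    address line followed by the digits of the postcode.  Street name, town
    and the letters of the postcode are all discarded, which is exactly why
    the check is lossy."""
    return re.sub(r"\D", "", address_line) + re.sub(r"\D", "", postcode)


def avs_matches(on_file, supplied):
    """Model of what an AVS 'match' response tells the merchant: True when the
    numerals agree, even if the two addresses are in different cities.
    Each argument is an (address_line, postcode) pair."""
    return avs_key(*on_file) == avs_key(*supplied)


def avs_collisions(addresses):
    """Group (address_line, postcode) pairs by AVS key and return only the
    groups with more than one member: sets of addresses that AVS cannot
    distinguish from each other."""
    groups = defaultdict(list)
    for line, postcode in addresses:
        groups[avs_key(line, postcode)].append((line, postcode))
    return {key: members for key, members in groups.items() if len(members) > 1}


# Constructed sample addresses (hypothetical, apart from the page's example).
SAMPLE_ADDRESSES = [
    ("43 Crooks Close", "B10 7GB"),        # the page's example -> 43107
    ("43 Honest Street", "SW10 7PB"),      # different city, same numerals
    ("Flat 4, 3 Crooks Close", "B10 7GB"),  # flat 4 at number 3 also -> 43107
    ("4 Church Lane", "M3 1QE"),           # -> 431
    ("12 Mill Lane", "LS2 9JT"),           # -> 1229
]


if __name__ == "__main__":
    genuine = SAMPLE_ADDRESSES[0]
    fraudster = SAMPLE_ADDRESSES[1]
    print("genuine key   :", avs_key(*genuine))
    print("fraudster key :", avs_key(*fraudster))
    print("AVS says match:", avs_matches(genuine, fraudster))
    for key, members in avs_collisions(SAMPLE_ADDRESSES).items():
        print(f"key {key} is shared by {len(members)} addresses: {members}")
```

The collision list is the part a merchant's fraud team should look at: the fraudster does not need the cardholder's street, only a delivery address (or a flat number plus house number) whose digits happen to line up, which is precisely the pattern Goodwill describes.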
"Another method of security is for the merchant to sign up for Verified by Visa or MasterCard SecureCode," explains Goodwill. "However, this is also open to compromise: when a fraudster finds card details that the cardholder has not yet registered for 3D Secure, the fraudster will simply register the card themselves, using a password of their choice."
If this trend continues and nothing is done about it, we will have multi million pound losses to UK business and banks.
More needs to be done to encourage retailers to engage with specialist fraud screening companies who detect irregular behaviour and will review unusual transactions manually. These frauds are usually detected.
In April 2008, the 3rd Man issued statistics which showed that CNP fraud in the UK is higher than official statistics suggest and is in danger of getting worse. Over £500 million of fraud was attempted during 2007. This information supported a BBC investigation into card-not-present crime.
Tuesday, June 10, 2008
Identity theft growing in undocumented job market - gazetteonline.com - 09 Jun 2008
Buying fraudulent documents costs anywhere from $100 to thousands of dollars. Generally speaking, you get what you pay for, Immigration and Customs Enforcement spokesman Tim Counts said.
"Sometimes the documents will only be good enough to fool the person who is buying them," Counts said.
He said immigration agents sometimes can spot a fake a mile away. They've seen documents with misspellings of common words, with odd colorations, or that purport to be forms of identification that don't even exist, like an international drivers license.
Hundreds of workers without proper documents were charged for falsely using Social Security numbers after a May 12 raid of Postville's Agriprocessors kosher meatpacking plant.
Investigators said 738 of the 968 employee Social Security numbers in a company payroll report were invalid or belonged to other people.
It still is not certain if plant managers will be criminally charged. To work in the United States, people must prove their identity and work eligibility by presenting a permanent resident card, passport or combination of driver's license and Social Security card.
Employers get "no-match" letters from the Social Security Administration when they submit phony numbers, or numbers that have been issued to other people. They can find fraud even faster by using an Internet-based E-Verify system to check the eligibility of their newly hired employees.
Using a stolen identity won't set off those alarms. A good fake can be virtually undetectable by people who aren't trained, especially if forgers have used more easily counterfeited documents to obtain a legal ID.
"We encounter a lot of people with genuine drivers licenses but they were obtained with false information," Counts said.
"If the documents they present are actual documents, law enforcement who encounters them may not look further into it." Vendors often sell a set of IDs in one area, retire the numbers for a while, then move to another area and sell those same identities again. Sometimes prisoners or other people "who have little left to lose" sell their own identities, Counts said.
A group of undocumented Agriprocessors employees have filed a class-action lawsuit claiming that Agriprocessors acquired false IDs for workers. Counts, who said he couldn't comment on the Postville investigation or raid, said bringing charges against employers involves sophisticated white-collar crime investigations that can take years. Employers must accept documents that appear genuine, Counts said.
"So the presence of illegal employees doesn't mean the employer is complicit," he said. Iowa City immigration lawyer Dan Vondra said people don't even have to know they're using someone's Social Security number to be guilty of identity theft. He said conviction is punishable by a mandatory two years in prison.
By Jennifer Hemmingsen
Thursday, June 5, 2008
Some domain names are more risky than others - TOI Delhi - 05 Jun 2008
San Jose (California): When surfing the internet for safe websites, not all domains are equal. Companies that assign addresses for websites appear to be cutting corners on security more when they assign names in certain domains than in others, according to a report to be released on Wednesday by antivirus software vendor McAfee Inc.
McAfee found the most dangerous domains to navigate to are “.hk” (Hong Kong), “.cn” (China) and “.info” (information). Of all “.hk” sites McAfee tested, it flagged 19.2% as dangerous or potentially dangerous to visitors; it flagged 11.8% of “.cn” sites and 11.7% of “.info” sites that way. A little more than 5% of the sites under the “.com” domain — the world’s most popular — were identified as dangerous.
More spammers, malicious code writers and other cybercriminals can establish an online presence when domain name registry businesses cut requirements for registering a site in order to boost their profit and profile. The report doesn't identify domain name registration companies McAfee believes are responsible for those lapses.
Hundreds, perhaps thousands, of companies are in the business of registering domain names; some are large and well known, while others are small and less reputable, offering their services on the cheap and with flimsy or no background checks to lure in more customers.
The fact that internet scam artists gravitate to domain name services with lower fees and fewer requirements isn't new. What McAfee's 'Mapping the Mal Web' report, now in its second year, tries to do is identify the domains that are populated with the highest concentration of risky sites. The servers for ".hk" and ".cn" websites don't have to be in China; website operators can register sites from anywhere to target different geographies.
Tuesday, May 27, 2008
Software to track persons sending threatening e-mails - Deccan Herald - 27 May 2008
With Uttar Pradesh Police making it mandatory for cyber cafe owners to verify identity of net surfers in the aftermath of Jaipur blasts, a city-based firm has come up with a software which prepares database of persons sending e-mails with their photographs and finger prints.
The technical wing of the state police has already seen the demonstration of the software named CRISH (Customer Registration and Identification) and is making its technical analysis, claimed Director, GI Biometrics, Amit Kaushal.
After installing the software, those visiting cyber cafes will be identified as soon as they sit in front of the computer for surfing the net with the help of a web camera.
"The photographs and finger prints of the net users will be automatically stored in the database of the computer with date, time and terminal in which they logged on eliminating the need for maintaining registers of visitors in the cyber cafes", Kaushal told PTI.
Also with the use of the software there would be no need to prepare sketches of the suspects of sending threatening e-mails as their photo and finger prints would be stored in the computer database.
"The software can be of great use for investigating agencies.... If the software is installed in all cyber cafes those sending threatening e-mails could be easily identified with the help of database", a senior police official said. The software, which costs around Rs 12,000 including biometric equipment, also has anti-hacking provisions that make it difficult to tamper with the database.
The software can also be used by the hotel industry and help in identifying visitors.
After serial blasts in Jaipur and an e-mail sent to news channels by a group called Indian Muzahedeen through a cyber cafe in Ghaziabad, the software was purchased by a number of cyber cafes in the capital to avoid "unnecessary grilling" by the security agencies after any such incident.
"We will produce the database of visitors with pictures and finger prints, whenever needed by police with the help of the software", Pawan, a cafe owner here, said.
Kaushal said that he has also written a letter to the Union Home department for analysing the software and recommending its use.
"We have been getting queries regarding the software from various districts of the state and outside also", he said.
Saturday, May 24, 2008
The James Bond-style methods that help hackers - .pcadvisor.co.uk - 24 May 2008
When it comes to hacking tools, you can't help but imagine it's always very sophisticated bits of kit. However, researchers have identified two ways of stealing data using some unlikely everyday tools, including cameras and telescopes.
In methods reminiscent of those James Bond might use, researchers at Saarland University in Germany managed to read computer screens from their tiny reflections on everyday objects such as glasses, teapots, and even the human eye. Meanwhile, researchers at the University of California worked out a way to analyse a video of hands typing on a keyboard to guess what was being written.
Computer security research tends to focus on the software and hardware inside the PC, but this kind of 'side-channel' research, which dates back at least 45 years, looks at the physical environment. Side-channel work in the US was kicked off in 1962 when the US National Security Agency discovered strange surveillance equipment in the concrete ceiling of a US Department of State communications room in Japan and began studying how radiation emitted by communication components could be intercepted.
Much of this work has been top secret, such as the NSA's Tempest program. But side-channel hacking has been in the public eye too.
In fact, if you've seen the movie 'Sneakers' then the University of California's work will have a familiar ring. That's because a minor plot point in this 1992 Robert Redford film about a group of security geeks was the inspiration for their work.
In the movie, Redford's character, Marty Bishop, tries to steal a password by watching video of his victim, mathematician Gunter Janek, as he enters his password into a computer. "Oh, this is good," Redford says, "He's going to type in his password and we're going to get a clear shot"
Redford's character never does get the password, but the UC researchers' Clear Shot tool may give others a fighting chance, according to Marco Cova, a graduate student at the school.
Clear Shot can analyse video of hand movements on a computer keyboard and transcribe them into text. It's far from perfect; Cova says the software is accurate about 40 percent of the time, but that is good enough for someone to get the gist of what was being typed.
The software also suggests alternative words that may have been typed, and more often than not the real word is in the top five suggestions provided by Clear Shot, Cova said.
Clear Shot works with an everyday webcam, but the Saarland University team has taken things up a notch, training telescopes on a variety of targets that just might happen to catch a computer monitor's reflection: teapots, glasses, bottles, spoons and even the human eye.
The researchers came up with this idea during a lunchtime walk about nine months ago, said Michael Backes, a professor at Saarland's computer science department. Noticing that there were a lot of computers to be seen in campus windows, the researchers got to thinking. "It started as a fun project," he said. "We thought it would be kind of cute if we could look at what these people are working on."
It turned out that they could get some amazingly clear pictures. All it took was a £250 telescope trained on a reflective object in front of the monitor. For example, a teapot yielded readable images of 12 point Word documents from a distance of 5m. From 10m, they were able to read 18 point fonts. With a £14,000 Dobson telescope, they could get the same quality of images at 30m.
Backes said he's already demoed his work for a government agency, one that he declined to name. "It was convincing to these people," he said.
That's because even though the reflections are tiny, the images are much clearer than people expect. Often, first time viewers think they're looking at the computer screen itself rather than a reflection, Backes said.
One of his favourite targets is a round teapot. Looking at a spoon or a pair of glasses, you might not get a good view of the monitor, but a spherical teapot makes a perfect target. "If you place a sphere close by, you will always see the monitor," he said. "This helps; you don't have to be lucky."
The Saarland researchers are now working out new image analysis algorithms and training astronomical cameras on their subjects in hopes of getting better images from even more difficult surfaces such as the human eye. They've even aimed their telescopes and cameras at a white wall and have picked up readable reflections from a monitor 2m from the wall.
Does Backes think that we should really be concerned about this kind of high tech snooping? Maybe, just because it's so cheap and easy to do. He said he could see some people shelling out the £250 for a telescope just to try it out on their neighbours.
So how to protect yourself from the telescopic snooper? Easy. "Closing your curtains is maybe the best thing you can do," he said.