Most people have heard about card skimming and other credit card fraud but in Swedish media there are several interesting articles regarding how a local branch office to Swedebank manage to stop a fraud transaction in the last minute. The Swedish police won’t talk about it but media claims that a bank employee took notice off that the mouse pointer on his system was moving by it self. He then quickly looked behind the computer and finally found under his desk a hidden device that was connected to the computer to remotely control his computer. Pulling the cables stopped a transfer of several million Swedish Kronor to vanish.

First question that comes in my mind is how did they manage to set up this equipment without any one taking notice? Well, according to the Swedish police there was a break in during August last year where nothing was stolen… Why didn’t that itself not raise a couple of questions? And better up; the alarm did not go off due to that the alarm wasn’t activated?!

The question that should be asked within this organisation is why would actually someone make an illegal entry with the risk of getting caught and steal nothing? Either was the person extremely stupid or didn’t find what he was looking for or they intrusion had another purpose of for example hide or tamper with the system at the bank office.

The group of seven men where arrested this Monday and Tuesday and are currently under suspicion for attempt to bank fraud and as well for preparing new similar actions.

So far the police has been very silent regarding the technology used during this fraud attempt. But a guess is that since the perpetrator had to hide an “unknown device” under the desk one could assume that they used standard available technology such as pico-itx motherboard together with either gsm or 3g modem to be able to call home or to contact the “unknown device” from remote host by for example using open available remote access software between the two computers. So actually the components used to build a tiny system is not hard at all and I highly doubt that we’re talking about James Bond technology here such as tiny keyboard logger devices with remote capabilities.

The technology is available and has been since many years to build your own equipment or buy spy kit – it’s just a matter how much money you’re willing to spend and to what extent you’re willing to hide your activities.

Keyboard loggers has been around for ages as well most interesting enough most people have actually never seen one. Keyboard loggers can easily be obtained via the internet or you can either build your own using a simple PIC16F84, and a NVRAM chip. The left images shows a home made keyboard logger and the middle shows what a typical keyboard circuit looks like and the right image what a typical keyboard logger looks like that you can get over the internet for around $80.

So once again I ask myself – why would someone make break into a bank and not steal anything without any questions asked?

Kim Haverblad

Bookmark to:

The Swedish tax authorities (IRS), Skatteverket, has lately started to look into home pages that they think generate revenue via banner income and now wants to force Swedish ISP:s to release their customers records.

Swedish ISP Bahnhof is one of several companies that received a request from Swedish IRS to release customer records between 2004-2006 and have specific been asked to release following:

• Name
• Address
• Personal code (identity) number
• Date for check-in
• Date for check-out
• Total billing amount
• Server type and IPs
• List of domains hosted
• Host configuration files

To be mentioned is that Swedish IRS is not asking for specific customers records that they believe have participated in any kind of criminal act - they are asking to get what ever they can get and then poke around until they stumble over something of interest.

Bahnhof:s CEO Jon Karlung says in an interview that they have no reason of releasing such information due to that it would be against the Swedish law (the law about electronic communication). Even if they will be fined 80 000 USD for not comply with the request made by the IRS. Jon Karlung also says that they don’t oppose to release specific information about customers if the IRS (or any other authorities for that matter) can show suspicion about ongoing criminal activities. This is not the case here since the IRS want to harvest ISP customer records for what they define as suspicious economical activities.

Swedish IRS spokesperson, Dag Hardyson, is confident that Bahnhof will release the requested information even if this case has to go to county administrative court and says that he has full confidence in the injunction made towards Bahnhof and that the injunction itself is according to the Swedish laws and don’t want to make any comments to Bahnhof:s legal interpretation and says that he has full confidence with their legal department interpretation and recommendations.

All in all it seems that our privacy is more and more compromised on a national and EC level and in the name of fighting terrorist and criminal activities. Don’t get me wrong here; I fully agree that we should fight activities that threaten our community. But it seems that all laws that wouldn’t be passed 10 years ago due to privacy intrusion gets fast tracked and passed.

To wrap it all up, the problem is also that we have two different laws that collide with each other and by that there is a deadlock regarding this entire story until it has been seattled in court. So I’m looking forward to see what happens next.

Kim Haverblad

Bookmark to:

Computer World, IDG and DN today writes that Microsoft has bought 1.6% of the shares in Facebook for the amount of 240 million dollars! I can just congratulate Mark Zuckerberg and Facebook. But, the questions remains if it’s in the best interest of the users to get Microsoft involved in Facebook due to the enormous wealth of information that the users has provided Facebook with - for free - about themselves!

So how many of the estimated 50 million users has actually given it a thought about the information that they have submitted to Facebook and of them how many have actually read the Terms of Use and the Privacy Policy? It can’t be that many of the existing users! Either people are very well aware of what they sign or they don’t care. But they should; since when they signed up at Facebook they give the company exclusive rights to the material submitted and to be used in what ever way that they like!

“You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about the Site or the Service (”Submissions”), provided by you to Company are non-confidential and shall become the sole property of Company. Company shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any purpose, commercial or otherwise, without acknowledgment or compensation to you.”

Even if you as user have the possibility to delete your account, Facebook has following lines in the Privacy Policy to inform you that the user data may exist in backup copies for reasonable time:

“Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

My question to above is how short or long is their definition of reasonable period?

The Terms of Use has a few lines about what you as uses can do or not do when it comes to harvest or collect information about other users; it doesn’t really say anything about what Facebook rights to harvest or collect information about their users; so let’s check the Privacy Policy.

Facebooks Privacy Policy clearly states that they harvest and collect information about you as user and as well tries to figure out user patterns.

“When you use Facebook, you may set up your personal profile, form relationships, send messages, perform searches and queries, form groups, set up events, add applications, and transmit information through various channels. We collect this information so that we can provide you the service and offer personalized features.”

They actually say that they in most cases inform they user about prior activities so that you can choose or not to participate; I would say that they in most cases don’t inform you as user about how they plan to use the collected information.

Following next lines should indicate red flag by most people, when talking about aggregating user information that they’ve gathered and that you as user already given Facebook exclusive rights to, but it doesn’t, sadly:

“Facebook may use information in your profile without identifying you as an individual to third parties. We do this for purposes such as aggregating how many people in a network like a band or movie and personalizing advertisements and promotions so that we can provide you Facebook. We believe this benefits you.”

I’m fully aware of the Facebook is a corporation that wants to make money and that they provide a free service; but are people aware of what kind of spin off industry and products that might come out of this huge information that they’ve gathered? Working with business development at Facebook must be one of the greatest jobs around due to the huge potential they have with all the raw data. And I doubt that Facebook will aggregate more than just what kind of bands or movies that you or a group of users likes.

So think twice when you sign up with Facebook or similar community; you might just end up signing over your entire life story to company behind the community and by that ruin your future.

So when you in the future gets questions about activities that you you’ve done in the past and thought that they where harmless at that time. Think twice before answering; what does he or she knows about you that you forgotten?

Kim Haverblad

Bookmark to: