Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

I actually saw one of these....

[Shakrai]

One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

Re:I actually saw one of these....

[CannonballHead]

Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

We're on Slashdot. At least insult them properly: they probably use Windows.

Re:I actually saw one of these....

[shentino]

Actually, mimicking government incompetence is a necessary step to enhancing its value as a forgery.

Re:I actually saw one of these....

[Jurily]

The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously.

Proving once again that debt institutions have a priority over everything else. Except maybe oil companies.

Re:I actually saw one of these....

[Ohrion]

Interesting, sounds like the "penetration testers" are trying a snail mail version of whaling. Make sure your customers know not to plug in miscellaneous USB sticks they find laying around the parking lot. It's just another way for "pen testers" to bypass your security.

Re:I actually saw one of these....

[Shakrai]

The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

That's actually how I got the gig -- I was the only local person who responded to the CEOs bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

Re:I actually saw one of these....

[Shakrai]

Umm, do you know what the definition of a credit union is? It's a member-owned cooperative financial institution. It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive other than the goal of paying a competitive dividend (interest) on their members deposits.

Go find one in your local area. Most of them are much more pleasurable to do business with than any bank. Community banks occasionally match them for customer service but no national bank ever will. I've yet to have one of my calls to my credit union answered in India or to have the interest rate on my credit card jacked up just because they can.

Re:I actually saw one of these....

[fuzzyfuzzyfungus]

I agree with the general sentiment; but I think the story a few days back about the FBI picking up that quant accused of stealing code(or heck, our exciting bailouts and pretty much anything the federal reserve does) was a better example.

From the Secret Service website:

"1984 Congress enacted legislation making the fraudulent use of credit and debit cards a federal violation. The law also authorized the Secret Service to investigate violations relating to credit and debit card fraud, federal-interest computer fraud, and fraudulent identification documents."

"2001 The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connections with computers. In addition it authorized the Director of the Secret Service to establish nationwide electronic crimes taskforces to assist the law enforcement, private sector and academia in detecting and suppressing computer-based crime; increased the statutory penalties for the manufacturing, possession, dealing and passing of counterfeit U.S. or foreign obligations; and allowed enforcement action to be taken to protect our financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. "

Having the secret service investigate a cracking attempt at a bank is about as natural as having the local cops investigate a burglary. These guys are, in essence, the counterfeit currency and bank haxx0ring police, the protecting the president gig is just a flashy sideline. The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.

Re:I actually saw one of these....

[maxume]

They generally pay pretty meager interest on deposits though (My primary financial institution is a credit union, I'm just sayin').

Re:I actually saw one of these....

[dltaylor]

home-brew apps or off-the-shelf package?

if OTS, whose is it?

Re:I actually saw one of these....

[Shakrai]

That really depends on the credit union and how they conduct their business. I just bought a bunch of 10 month CDs from my credit union at 2.75% They run a promotion every year offering a "special" CD rate and it's always been extremely competitive. I couldn't even match this particular offer at the online only banks like ING Direct.

Their standard rates are competitive with the other local brick and mortar institutions. They might get beaten by a few of the big boys and the online-only institutions but the flip side to that is that none of those institutions can even come close to the loan rates offered by my credit union.

Re:I actually saw one of these....

[maxume]

My CU is currently paying 1.9% on a 1 year CD, and 0.25% on a savings account. The former GMAC does pretty good against that (though they offer very few services with an account):

http://www.ally.com/index.html

I have to admit, I haven't shopped it around much (I don't have enough money for 1% to matter a great deal, and my money is earned and spent a great deal faster than it is compounded), but I don't really think I missed the mark.

Re:I actually saw one of these....

[Mozk]

I just bought a bunch of 10 month CDs from my credit union

Doesn't AOL give out 10-month CDs for free?

Re:I actually saw one of these....

[lysergic.acid]

Yea, I think more people would bank at credit unions if they knew about them. I'd never heard of a credit union myself until I went to college (in Urbana-Champaign, IL of all places). Actually, I thought that "credit union" was just the name of a popular banking chain in the Midwest, like Wells Fargo or Bank of America or something. It wasn't until my roommate explained to me what a credit unit was that I actually learned what they were.

Frankly, I'm kinda surprised that the Midwest has so many power co-ops and credit union while the part of Southern California I live in has neither. Maybe the poorer communities here have never heard of them or don't have the resources to set them up, while the rich communities just don't care for that sort of cooperative community organization (I suppose stocks, private equities, and off-shore bank accounts pay better).

Next we just need to extend the idea of credit unions & power co-ops to telecommunications, so we'll finally have decent broadband and mobile phone service that doesn't screw over consumers.

Re:I actually saw one of these....

[Ron+Bennett]

What you describe is what credit unions are supposed to be. The reality for many of them is very different.

Many credit unions spend a bundle on advertising, including in public schools, and charge numerous fees much like for-profit banks do.

A prime example is Discovery Federal Credit Union in Berks County Pennsylvania - they aggressively advertise, charge lots of fees ( https://www.discoveryfcu.org/disclosure-main.html ), and even bought naming rights to the Wilson *public high school* gymnasium.

In regards to the malware CDs, they are in a sense, though not intended as that by the theives, a great training tool on computer security; test of how well their computer policy is followed, including by high-level management, who often feel none of the policies apply to them; very costly mistake in the computer realm.

Ron

Re:I actually saw one of these....

[rtechie]

It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive...

They are a "debt institution" because they loan money at interest (usury). Their non-profit status is not relevant.

To argue that they have "no profit incentive" is highly misleading. Like most nonprofits and charities most credit unions have EXTREMELY well-compensated executives whose compensation is based on how much money the credit union makes. So the employees (not the members per se) have a profit incentive. I'd also point out that in most nonprofits executive nepotism is rampant (it's not uncommon for ALL of a nonprofit's executives to be related somehow).

Re:I actually saw one of these....

[Shakrai]

Many credit unions spend a bundle on advertising, including in public schools, and charge numerous fees much like for-profit banks do.

I wouldn't say "many" but there are a few that behave in this manner. Our local large credit union behaves like this. They charge you a fee each time you swipe your debit card and use the pin instead of signing for it. They charge a fee for their billpayer service. They charge you a fee for exceeding a certain number of teller transactions per month. They have a huge advertising budget. TV Commercials, billboards, promotions with local businesses, etc, etc.

By contrast, the credit union from the small town in which I grew up does none of this. Every single service they offer is fee-free. Free billpayer, free debit card regardless of how you use it, free ATM usage, etc, etc. They advertise a little bit but mostly in the small town fashion, i.e: on placemats/coffee mugs at local restaurants, in the town newspaper, at the little league field, etc. They are still my primary financial institution in spite of the fact that I have long since moved out of that town and have to conduct the bulk of my business by mail. I keep a savings account at a local bank so I can cash checks but other than that everything goes through my credit union.

I think like any institution a credit union is more prone to losing sight of it's original mission as it grows. Eventually it becomes more about protecting the institution than it does fulfilling the original mandate. It doesn't happen all the time but the behavior that you describe seems to be more common among the larger credit unions than the smaller ones, at least in my experience. The nice thing with credit unions is that you can still find ones that are committed to serving their members and which haven't lost sight of the reason why they exist.

Re:I actually saw one of these....

[Hurricane78]

What? A story with a CEO turning out not to do the dumbest thing in history?? Unpossible!

Are they by any chance... hiring?

.
.

If I were the attacker, I'd do it again. This time properly with no errors at all. And with a special warning included, that fake mailings are in circulation, and with a big official seal of trustworthiness, etc. Something that C?Os love. The whole package of "*drool* want". With no fingerprints, genetic material, etc, but real pressed CDs, with professional labels. I'd let the real NCUA send me some presentational CDs as templates. (Of course to a fake place with no traces on the mailbox.) Oh and the trojan... oh the trojan... I wouldn't even start attacking their network! I would straight out start with making the banks attacking each other for alleged fraud, industrial espionage, etc. It would be a wonderful mess with everybody accusing everybody. A psychological fight club finale.
But I guess criminals and ideas like mine, are usually mutually exclusive. ;)

Re:I actually saw one of these....

[Hurricane78]

Problem is: It's still a loan. With a rate. It's still ethically unacceptable, because there is always at least one of those who get one, who will not be able to pay it back. (Where would those extra percents of money come from, when all money is just passed on, and never created?)

I stopped using banks as much as I can. Which means that I immediately withdraw everything that's landing on my one bank account, and only sign a contract for such an account, if they guarantee to me in writing, that they will never ever give me a credit, loan, or any money I don't own. (Which is easy, if you know what kills their trust to lend you money. ^^)

I invest only in real physical things that raise in value. Gold was an excellent thing to invest in, in the last years. Because as in every "recession", it's only a recession, if you are in their game, playing it, and things like gold and silver rise like crazy, giving you huge (relative) profits, if you're not.

Re:I actually saw one of these....

[SixGunMojo]

A few caveats on this post
1. I belong to a credit union
2. I do not believe in name calling in posts
3. I am about to violate caveat #2 like a bitch

YOU STUPID IGNORANT LUDDITE MOTHERFUCKER
Your whole premise is wrong, credit unions are not non-profits they are not-for-profits. Non-profits don't operate for money, not-for-profits operate to make enough money to pay for their services and distribute that money among its (as far as credit unions are concerned) members and employees . This is how that pretty teller gets paid and why the interest on my loans is higher than the interest I earn on my savings account. As far as your claim of executive compensation, show us some facts. If the guy running my credit union is well compensated I have no problem with that. I am pretty sure he is not making millions and getting share options as I read the newspaper down here and they have an annual richest business ranking and I'm pretty sure he's never been on it. As far as your claims about nepotism in non-profits, once again show me the facts, but if I am forming one, its going to probably start out small and the people I'm going to be looking to are family and friends.

Re:I actually saw one of these....

[Shakrai]

Problem is: It's still a loan. With a rate. It's still ethically unacceptable, because there is always at least one of those who get one, who will not be able to pay it back.

Dude, put the bong down and back away slowly ;) Or at least share it with the rest of us.

I invest only in real physical things that raise in value. Gold was an excellent thing to invest in, in the last years. Because as in every "recession", it's only a recession, if you are in their game, playing it, and things like gold and silver rise like crazy, giving you huge (relative) profits

I took Mr. Buffets advice to heart (buy when everyone else is selling, sell when everyone else is buying) and started buying stocks as the markets tanked. So far I'm up ~41% overall. Only one of my picks (TIE if you are wondering and I'm only down 6% on it) is in the red. Made my first buys in November of 08. My annual yield works out to ~64% Have your gold investments matched or beaten this performance?

Re:I actually saw one of these....

[SydShamino]

We're members of three credit unions, having kept open our accounts from college in another state, then added a joint account here in Austin at one credit union and recently, when we refinanced our home then I bought a car, at another.

The best thing in Austin is that all the credit unions are members of a shared network, so all credit union ATMs from any credit union in town are free to all credit union members. It makes their ATM network rival the size of any major bank, at least while in the local area.

I really can't say enough good things about United Heritage Credit Union. They offer interest rates on mortgages and auto loans that are as much as 2 points less than any national bank (and a point and a half less than my other local credit union), have multiple convenient locations in town, and even pay as of now more interest on checking accounts than HSBC does on their internet savings accounts. Plus they don't charge for anything or have silly rules like a fee if you don't have an automated direct deposit.

Re:I actually saw one of these....

[SL+Baur]

I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

I find it amusing that someone could be found to code up an auto execute function for inserted media. I find it even more amusing that there was a stupid enough manager to sign off on it.

Was Dilbert written at Microsoft?

Re:I actually saw one of these....

[libkarl2]

I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

That was the first thing that popped in to my head when I saw the article. Hacking brand new malware to see how it works and what it does is fascinating to me. Of course, when the Secret Service says "no touch", they really really mean it.

Re:I actually saw one of these....

[glitch23]

The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously.

Granted, it should be taken seriously since it is a crime after all. However, I didn't know the SS had the time to deal with crimes like this that are not against the POTUS. Did you contact them or did they get contacted indirectly? Just wondering how and why they entered the picture as opposed to the FBI (for interstate crimes). I believe I recall hearing that the SS gets involved with counterfeit operations but never heard them getting involved with malware issues.

Re:I actually saw one of these....

[Sycraft-fu]

In fact the only reason that they do protect the president is back when the issue came up, they were it for federal law enforcement. When congress wanted protection for the president (when McKinley was assassinated) they were pretty much the only choice. There was no FBI, the US Marshals didn't have the man power, and the US Postal Inspectors were just for the post office.

Perhaps they should have created a specific police force for presidential protection, but they didn't.

However, just because the USSS had a new job, didn't mean they stopped doing their old jobs. They were still tasked with protecting the nation's money, they just had another job to do now as well.

Re:I actually saw one of these....

[yorktimsson]

My credit union is offering 4.3%

Re:I actually saw one of these....

[TheCabal]

Secret Service was originally part of the Department of Treasury. Now part of DHS, they still have jurisdiction over counterfeiting and fraud investigations and share jurisdiction with the FBI on some areas such as computer crime. It's well within their baliwick.

Re:I actually saw one of these....

[cyphercell]

I got really interested in the stock market was heading down for record lows. Did a little research and some rabid buying :D I made a lot of mistakes in hindsight, yet I'm still up 52% now, but I expect most of my profits to realize over the next year. The commodities market is a different beast altogether. In this respect you'll find that the reality is that a lot of a companies' value is derived from it's ability to invest in hard goods.

If you plan on outsourcing to India you need to effectively gauge the exchange rate of the Indian Rupee over the period of time needed for an acceptable ROI. This is the same principle behind GP's investment strategy as gold will always rise in value as fiat currencies begin to look unstable.

True some people get gold fever, but there is some method to the madness.

Re:I actually saw one of these....

[sconeu]

Where in SoCal? There's credit unions all over...

Telesis, Premier America, Wescom, Kinecta, employer specific (Ventura Schools, Lockheed, etc...).

Re:I actually saw one of these....

[cyphercell]

murp! sorry, my "play" account is up 5.2%. I stand on the assertion that most of my profits will realize off in the not too distant future. That said, with real money I've seen 500% profits in as little as three months with commodities. I don't see anything wrong with someone investing a specified amount of money in gold each month.

Re:I actually saw one of these....

[lxs]

People who know how to write properly are usually smart enough not to get mixed up in petty crime.

If they are of a criminal bent, they get a job at the company and go for the big fraud.

Re:I actually saw one of these....

[maxume]

If you think interest is unethical, you shouldn't be willing to use government backed currency, as governments often create or destroy money without doing anything to tie that activity to anything real.

(Interest works because the debtor is exchanging future consumption for present day consumption, presumably to their own advantage)

Re:I actually saw one of these....

[Shakrai]

One of my best performing stocks is a commodity stock. I bought FCX at $23 and change. It's now at $64. There was no reason other than unfounded panic for it to be priced as low as it was. Worked out well for me though.

I don't see anything wrong with investing in gold either. I just don't think you'll be able to match the ROI that you can see with good stock picks.

Re:I actually saw one of these....

[Hal_Porter]

They generally pay pretty meager interest on deposits though (My primary financial institution is a credit union, I'm just sayin').

That's because they believing in providing cheap loans to the oppressed proletariat, not interest to the rentier class of rich capitalists like you.

Re:I actually saw one of these....

[RobertLTux]

actually they started as a money protection force and only got the presidential gig later.
Any time you start dealing with a large about of iffy money then the Secret Service will show up
(and i think its in the regs for law enforcement that if they see more than X dollars at stake they summon the SS)

Re:I actually saw one of these....

[maxume]

You have insulted rich capitalists the world around.

Re:I actually saw one of these....

Please, please mention the name! I want to deal with this credit union!

At least one financial institution in this country realizes what a horrible security risk Windows is!

Re:I actually saw one of these....

[EvilBudMan]

Mr. Buffet also said by Euros when the dollar was being and still is being devalued to pay debt. He is just about always right. I knew the late 90's bubble when I said buy some 5 year CD's. Everyone said I was crazy too. No stocks are better, etc. At 120 times earnings without any potential I don't think so. 2.75% for CD's? Hell, WWII war bonds paid 3% which was considered incredibly low even at that time. It's probably about time to sell again though except for stocks that we'll, deal in commodities. Just a guess but, until there is an actual increase in GDP, we haven't seen everything yet. So if I was up ~41%, I would take cover for a while and count the winnings.

The first point I made, I think that decreasing interest rates so much doesn't inspire confidence in the US by the rest of the globe.

Re:I actually saw one of these....

[EvilBudMan]

--The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.--

I know that, but why again would this not be a high or even higher priority? The financial transactions have to work. Most money is just a stored number on a computer, without any physical currency. It's really a worse threat than counterfeiting. The local police have absolutely no idea how to deal with this, but now having them involved in other electronic crimes seems like overstepping what they are there for. Having them involved in copyright and trademark disputes and calling it crime seems a little bit more a job for the FBI.

Re:I actually saw one of these....

[squallbsr]

At least one financial institution in this country realizes what a horrible security risk Windows is!

Of course they came to this realization entirely by chance, and money was the motivator to start using Linux as the client OS anyway...

Re:I actually saw one of these....

[Gilmoure]

Yup. And Credit Unions are one of the stronger/more reliable financial institutions right now. Hate to see something happen to them.

Re:I actually saw one of these....

[Gilmoure]

Part of the problem may be the fact that Credit Unions were originally tied to group of people (Teacher's union, large employer, etc.) but back in the 90's (I think) they were deregulated and allowed to open up membership to anyone. Some, like the Teacher's CU I belonged to, back in Fla., became almost as bad as a bank, service wise and fee wise. They were advertising like crazy on tv and building branches and all this stuff required more income for the CU. Sure, they're non-profit but in this case, were acting pretty much like a chain bank.

Now, I'm with a small CU that's tied to my work. Sure, they're open to anyone to join but they're not pushing things. Was able to get really good home loan and car loan through them. For investment, CU's might not be the thing for everyone but for day-to-day banking service and loans, is worth it to check them out.

Re:I actually saw one of these....

Make sure your customers know not to plug in miscellaneous USB sticks they find laying around the parking lot.

That's swell an all (really, I'm not saying I disagree), but if inserting media is a risk, then those people already have a problem and it's a near certainty that their boxes will eventually get compromised, assuming it hasn't already happened.

If you've got a computer where connecting a hostile USB drive is a risk, then you need to fix that now, before someone fucks up and does it. That's higher-priority, more important advice, than don't-insert-untrusted-media. Training users can wait -- fix your gaping-obvious defect!

Mount removable drives noexec, period, unless you have some weird case (e.g. a semi-embedded appliance) where you're booting off that drive. (And in that case, physically tape the drive into the USB connector so that people know it's not to be treated as removable.)

Re:I actually saw one of these....

[lysergic.acid]

I live in the IE (Inland Empire). And upon further research, it appears that you're right. There is actually a Wescom very close to where I live and a few others in neighboring cities, but I'd never heard of these places. Everyone I know banks at a commercial banking chain. Do you bank at a CU in SoCal? If so, what's your experience with ATMs? http://www.cufriendly.net/ doesn't show any CU-friendly ATM machines in my area. Are those fee-free CU ATMs pretty rare?

Re:I actually saw one of these....

[lysergic.acid]

If the members are shareholders, then shouldn't they be the ones who dictate the CU's policy? Or did the majority of the members agree to these policy changes because they felt it would allow them to provide better benefits to members (higher interest rates on deposits, more ATMs, etc.)?

Interestingly enough, it looks like the legislation limiting CU membership was the result of lobbying by banks. But I guess once membership restrictions were lifted and some CUs started getting as big as banks, it was inevitable that they became more like banks. It's harder to get directly involved in policy-making in large organizations. So a CU with 1000 members will be more impersonal than a CU with 100 members, where each member has a greater say in CU policy.

Re:I actually saw one of these....

[TheRaven64]

Given that the grandparent is one of the people who posts rabid diatribes about fiat currency, how wealth creation is impossible, and how gold is the only thing which has intrinsic value, I would imagine that he probably agrees with your assertion.

Re:I actually saw one of these....

[TheRaven64]

If the members are shareholders, then shouldn't they be the ones who dictate the CU's policy?

In the UK, building societies are run on a similar principle to credit unions. In the '90s, a lot of them became banks. The problem was that everyone who had money with them made a killing in terms of shares on the transition. A lot of people would open an account and put a few K in. Then the board would propose that they became a bank, and hold a vote. The vote would pass, these people would then get a large chunk of shares and immediately withdraw their money and put it in the next building society, where they'd repeat the process. They'd offload the shares within a year or two, before their value collapsed and invest the money in other things. It's a fairly good example of the tragedy of the commons. If you want something like this to work, then you need a charter which prevents this kind of exploitation and needs a supermajority to amend.

Re:I actually saw one of these....

[maxume]

I have no problem demanding logical consistency from the incoherent. If he is going to use currency, he might as well take advantage of the convenience of a bank account.

Re:I actually saw one of these....

[SlashReality]

Ally Bank (an online only bank) had 12 month CDs with a 2.7 or 2.8 rate just a couple months ago. They are down to 2.0 if you open one now, but in all fairness I have seen an online only bank match that particular rate.

Re:I actually saw one of these....

[Shakrai]

So if I was up ~41%, I would take cover for a while and count the winnings.

I'll be counting my winnings soon enough. Can't do it yet unless I want to pay the short term capital gain rate. I'll be evaluating my positions once I've held them for a year and see where I stand at that point. Until then I'm not real worried about the day to day ups and downs of the market.

Re:I actually saw one of these....

Some suggested reading for those who wish to compare banks to credit unions:

http://www.consumersavvytips.org/the_credit_union_vs_the_bank.html

http://articles.moneycentral.msn.com/Banking/BetterBanking/DitchYourBankForACreditUnion.aspx

http://www.banklady.com/Credit-Union-or-Bank.asp

http://banking.about.com/od/creditunions/Credit_Unions.htm

Re:I actually saw one of these....

[Lord+Ender]

Actually, I know the guys at the company who ran this test. They are definitely a Linux shop. MSI is a do-anything security company that will dig through your trash to test your shredder discipline, send phishing messages to your company to test your employee information security training, and try and sneak into your datacenter to test your security guards, as well as the normal vulnerability scanning type stuff.

The outrage over this is pretty funny, because the company behind it was under contract from the organizations which were mailed. What a great big bag of lulz.

Re:I actually saw one of these....

Don't know if they're all this badass though.

Re:I actually saw one of these....

Home brew would be insanely difficult due to the complexities of US banking regulations.

Re:I actually saw one of these....

[Have+Brain+Will+Rent]

If only that were true. My credit union just jacked my (and every other member's) line of credit rate up by 3/4% on the existing balance and the only explanation was that this was the "fairest" way to be able to increase the rate of interest they wanted to offer on deposits.

Sadly I have come to believe that there is little difference between banks and credit unions (even small ones like mine with only 4 branches). Other credit unions here have done, or tried to, the same things to their members with lines of credit.

Re:I actually saw one of these....

[TheRaven64]

Auto-execute seems pretty silly now, but back at the time it wasn't totally stupid. This was back in '95, when the only CD ROMs that anyone had were professionally produced by software companies and occasionally magazine cover disks. It wasn't hard to believe that you could trust executable on this kind of media; even without autorun, most users would just click on setup.exe immediately after inserting the disk, so what's the harm in autorun? It wasn't until CD writers became cheap that it started being a bad idea. Oh, and enabling it for USB drives was just stupid.

Re:I actually saw one of these....

[Mean+Variance]

If the members are shareholders, then shouldn't they be the ones who dictate the CU's policy? Or did the majority of the members agree to these policy changes because they felt it would allow them to provide better benefits to members (higher interest rates on deposits, more ATMs, etc.)?

Interestingly enough, it looks like the legislation limiting CU membership was the result of lobbying by banks. But I guess once membership restrictions were lifted and some CUs started getting as big as banks, it was inevitable that they became more like banks. It's harder to get directly involved in policy-making in large organizations. So a CU with 1000 members will be more impersonal than a CU with 100 members, where each member has a greater say in CU policy.

The members dictate the policies of the credit union via the Board of Directors. Some facts about the boards and the directors:

• Must be members; mine requires 5 years min.
• Unpaid; you do get to travel to conferences, but a reputable CU will be very careful to stay within the rules, no reimbursement for your golf outings or room upgrades, etc.
• Must have the member's interests at the forefront, not the executive staff
• It's hard work if you take it seriously
• My credit union in California is over 50 years old and incredibly well run; I've learned a ton in 2 years with the board

Memberships come in many flavors. It can be geographical, tied to a company or industry, or some combination.

About some earlier comments regarding executive pay, that's in the eye of the beholder. Typical pay for a largish CU (500 million in assets or higher) is low to mid six figures. Make of it what you will, it's not exhorbitant. CUs are under a huge burden of regulation and requires competent and experienced execs.

Are CUs interested in profit? Yes, absolutely. But ROI (return on income) is not the key measure. That's a shareholder-centric measure. Instead ROA (return on assets) is key along with net worth ratios. If a CU gets flooded with deposits, profit needs to be generated, and loans are the best avenue and serve the members best. Otherwise, net worth (your capital ratio) drops. In California, if that ratio drops below 5%, the regulators are in the building to explore how you are going to get that ratio up to 8% or merge or go out of business.

That's some detail in a nutshell regarding various comments about credit unions made in this thread.

Re:I actually saw one of these....

Most (many?) credit unions around here are members of the Co-Op Network, which charges no ATM fees if you belong to a member CU. They're all over the place: http://www.co-opfs.org/public/locators/ATMlocator/index.cfm

Re:I actually saw one of these....

[SL+Baur]

Auto-execute seems pretty silly now, but back at the time it wasn't totally stupid. This was back in '95

The principle of not executing something arriving off host had only been established about a decade before. Shar (shell archives and the typical distribution format) was invented shortly after Usenet source groups were invented. Unshar was invented in the mid 1980s because everyone with half a brain was terrified of executing something coming from even the venerated and moderated `comp.sources.unix'.

We made our own mistakes http://www.regatta.cs.msu.su/doc/usr/share/man/info/ru_RU/a_doc_lib/cmds/aixcmds5/uux.htm but competent administrators had learned long before 1995 to disable uux.

Now, get off my lawn!

Re:I actually saw one of these....

The spelling error phenomenon on forged government items is nothing new. There are several occasions throughout the history where money forgers have made either grammar errors or treated the text as just another decoration on the item. For example, see Napoleon I forging Russian money prior to the campaign or the forged Roman coins from the days Julius Caesar.

Re:I actually saw one of these....

[TheRaven64]

There's a big difference between auto-executing something from a pressed CD that you've bought and auto-executing something from an untrusted source on the Internet. When Autorun was added to Windows 95 (based on the same feature that already existed in Mac OS), it was only automatically running programs from trusted distribution sources. No one was inserting CDs from untrusted sources, because the only people who could produce CDs had to invest a lot in the process. Anyone with an Internet connection could put things on Usenet.

Re:I actually saw one of these....

[SL+Baur]

There's a big difference between auto-executing something from a pressed CD that you've bought and auto-executing something from an untrusted source on the Internet.

Nope. How many times has malware been distributed accidentally on such media as you describe? More than once and (at least) once from Microsoft.

Autoexecute anything was discredited long before Microsoft Windows 95. At least to anyone with at least half a brain and any knowledge of history. Apparently those resources were not available to Microsoft.

Re:I actually saw one of these....

Most but not all. In my area, there are not that many of the huge faceless chain banks, the banks are also local. So UICCU has about the same rates, and had about the same service. BUT, they placed me from a free bank account to one that still paid 0 interest *AND* charged a monthly fee, WITH NO NOTICE! They were real shocked when I closed my account -- they offered to put me back on a free account, but I pointed out they took me off it to begin with without notice and I simply found that unacceptable. I now bank with Hills Bank instead.

Re:I actually saw one of these....

Next we just need to extend the idea of credit unions & power co-ops to telecommunications, so we'll finally have decent broadband and mobile phone service that doesn't screw over consumers.

Funny you should mention this, Iowa Telecom and I Wireless are an affiliation of over 100 telephone cooperatives in Iowa... they found that (especially post Bell-breakup) the telecom companies were not showing a bit of interest in rural markets, and took care of them themselves instead. It works too!

          I live in Iowa City, which is the 6th largest town in Iowa (over 60,000 population) and cannot get DSL, while my friend that lives over 10 miles out of town has had DSL available for over 10 years. Why? Iowa City is covered by Qwest, his house is covered by Sheraton Telephone Coop.

          (In the interest of fairness, Qwest is rolling fiber now, they just stopped about 3 houses from me... 8-( I'm using an aircard now, after the cable co screwed me over with false "3 strikes" style bittorrent disconnections. I finally told them they could take their cable modem and shove it; I brought printed proof the IP address they had was not mine, but decided not to bother arguing over it. If they're going to attempt "3 strikes" type BS, and THEN get it wrong, they can just suffer from customer collapse as far as I'm concerned.)

Re:I actually saw one of these....

[rtechie]

As far as your claim of executive compensation, show us some facts.

How the fuck am I supposed to "show you the facts" for your UNNAMED credit union? Psychic powers?

As a member of a credit union YOU have access to their financial statements. You would know how much the executives made if you read those and you also might get hints of their relations (same last names). Feel free to post this information yourself.

Training

[sexconker]

Did the penetration testing "training" CDs at least provide a helpful "Lesson Number 1: Never do what you just did." video?

Re:Training

[svtdragon]

Really, I think this is just a massive cover-up for what happened when they found a copy of "Penetration Training 14" on the CEO's desk, and a bottle of hand lotion in the drawer.

Mailing is to customers

[Rainbird98]

I don't think they are mailing them to the Credit Unions. Instead, maybe to the Credit Union customers?

Re:Mailing is to customers

You're wrong. That is all.

Re:Mailing is to customers

[Orion+Blastar]

Actually Credit Union customers get "Phising" emails that pretend to be from the Credit Union and goes to a fake web site that looks like the Credit Union but steals their password, user ID, account number, etc.

This happened to a friend of mine, and he phoned it in and the Credit Union asked him to come into their nearest branch and present ID and get his account changed to verify who he is, only the Credit Union near him closed down and he didn't know it and the next one was 100 miles away. He had to drive that far to resolve the problem and eventually switched to a different Credit Unions. It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

Re:Mailing is to customers

[Runaway1956]

whoosh

No capitals, no exclamation mark, just a quiet little whoosh. Just about the volume of a tired gnat flying past a dog's ass. Had you bothered to read ANYTHING before you commented, then you might warrant a real whoosh.

Re:Mailing is to customers

[Shakrai]

It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

Where are you getting your information from? There's been a handful of credit unions that have failed but taken as a whole they've failed at a significantly lower rate than the banks. This is actually a boom time for credit unions and local community banks because the big boys are cutting back and people are looking for an alternative. The big players are closing accounts, jacking up interest rates and imposing all sorts of new fees. The credit unions are humming along with the same business model they've had for the last few decades: Slow sustained growth backed by proper lending standards and an emphasis on member service

Go through the NCUA/FDIC data some time and compare the percentage of "well capitalized" credit unions to the percentage of similarly capitalized banks. I think you'll find that credit unions are doing just fine.

Re:Mailing is to customers

[toejam13]

If the credit union was a member of the CUService co-op, your friend should have been able to go to a closer branch. For the most part, any member credit union is practically as good as his own.

Re:Mailing is to customers

You're just sucking the cocks of credit unions all OVER this thread! Hilarious. You, morgan_greywolf, and mcgrew are probably all masturbating into the upturned, wide-open, awaiting mouths of prostitutes.

I mean, I know that you feel that you owe it to this "small credit union", which bailed out your shitty "consultancy" business by giving you a pathetic contract, to defend them, but come on. Syyyyyycophannnnnnnt!

Re:Mailing is to customers

[Shakrai]

Go fuck yourself

Re:Mailing is to customers

This bout of reasonable discourse brought to you by: Slashdot

Shoes for Turds, Stuff that Splatters.

Re:Mailing is to customers

There has been a huge multi billion dollar bailout of the US Central and the Corporate Credit Unions. The Corporate Credit Unions are owned by the natural person credit unions that you & I use to 'bank' at. US Central is owned by the Corporate Credit Unions. The US Goverment via the NCUA bailed out these guys. It will be years before the natural person credit unions recover as their ownership stakes in the Corporate Credit Unions are being written close to or down to 0.

Re:Mailing is to customers

[Sloppy]

I think it's really sad that phishing credit unions is even possible. Today's web browsers suck so bad that everyone involved ought to be deeply ashamed.

Credit unions are always local. You always physically meet them. You also (usually) probably have at least some ongoing snail mail communication with them.

You don't even need a trusted introducer, like Verisign. It ought to easy to directly check fingerprints and certify keys yourself, without having to trust anyone else. But no... we're still using X.509 and CAs for this stuff, instead of a system that actually makes sense (OpenPGP). Credit unions and banks ought to be some of the most popular signed and signing keys in existence, practically CAs in themselves.

But we are all still using hopelessly 20-years-out-of-date obsolete key exchange systems in our web browsers. It's a disgrace. And phishing is a great example of why it matters.

The only reason we shouldn't be using OpenPGP for all communications with people and entities that we physically meet, is that large media (optical disks, flash drives, etc) has gotten so big'n'cheap that OTP itself has actually become viable.

Goddamn our software sucks. This situation is pathetic.

Re:Mailing is to customers

Ah the usual Kuro5hin trolling of Slashdot yet again. That used to be funny in the year 2000, but in modern times it isn't so funny.

Rusty said Slashdot should be trolling plastic.com by 2001. But that never happened.

Come on you can do better than that, using pre-canned trolls from drop down lists isn't that funny anymore. Try to be a bit more creative next time.

Re:Mailing is to customers

Fuck you and your bullshit Asperger diagnosis. Oh, it's not your fault that you are a fag-magnet? Cuz your asshole shrink told you so? Eat a fat turd, shitslap.

Windows Autorun

The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.

Re:Windows Autorun

[CannonballHead]

Recent versions of Windows prompts and asks if you want to run it.

Re:Windows Autorun

[sexconker]

Easily disabled or dismissed.

The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

Re:Windows Autorun

[0123456]

Easily disabled or dismissed.

Uh, no; there are so many different places where autorun is configured in Windows that the average clueless user has no hope of managing to completely disable it. The whole thing is a disaster.

Re:Windows Autorun

[iYk6]

Easily disabled

Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

or dismissed.

For some versions of Windows, yes. For the most popular version in credit unions (based on my limited anecdotal experience) "dismissing" is not an option. Windows 2K just runs whatever the CD tells it to.

The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

Users will do silly things, but that is no reason to just give up on security and make an OS insecure by default.

Re:Windows Autorun

[Vancorps]

ummm... there is one place to disable autorun on removable media although there are multiple methods available for accomplishing this task. Are you referring to auto-execution of other vectors? Like emails? Here's a reference for you to help you out. Windows XP or above you just modify it in the local security policy and you're done. Of course with Vista and Win7 they ask you if you want to run autorun so you don't really have to do anything.

Re:Windows Autorun

[CSMatt]

Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

Of course, you could also just hold down the shift key.

Re:Windows Autorun

[wgoodman]

uhm.. hold down shift while you stick the cd in.. it's not that complicated. yes, that doesn't disable it for more than that one insertion, but you get used to just hitting shift when you end up bouncing around to several computers a day.

Re:Windows Autorun

[TheCabal]

You mean you're challenged by the nice little GUI that says "Turn off Autoplay"? If a GUI is a challenge, how are you ever going to master the command line?

Re:Windows Autorun

[TheCabal]

Any financial institution that deploys a "bare metal" installation of ANY OS without any hardening, be it Windows, Linux or whatever, shouldn't be handling the public's money to begin with and needs to be slapped severely about the face and ears. I wouldn't deploy a stock install of Linux either without spending time hardening it. Anyone who thinks Linux is "Secure by default" has drunk a little too much of the Kool-Aid. Believe me when I say that Windows can be hardened to a point where it is rather difficult to break, and the amount of effort is no more than it takes to harden a Linux distro to a nice standard.

Autorun in a corporate environment? Disabled across the entire network with just a few clicks and refresh of Group Policy.

Re:Windows Autorun

[LeperPuppet]

While we're making it simple, why don't we just open up all the keyboards on site and solder the shift key connectors permanently closed? No autorun all the time and anyone who doesn't know about holding down the shift key won't have to learn. It's a perfect solution.

Re:Windows Autorun

[natehoy]

Great idea. Then we all know who is secure because of their typing style. Let me implement this, hang on a second..

YEAH WORKED GREAT I FEEL MORE SECURE ALREADY THANKS FOR THE TIP!!!

Re:Windows Autorun

IF you already placed the CD into your drive, you probably already had full intention of running the software.

NO ammount of security can save you when the user believes the source of the software to be safe.

Re:Windows Autorun

[EvilBudMan]

How right you are. For their needs maybe they couldn't tell the difference if you used another OS and applications on Linux. Just rename them. Like call firefox IE and so on. If you were real clever you could probably move the Icons too. I know I did this FireFox on Windows a few years back to stop spyware and it worked for a couple of years. Now they just go out on the net and run programs without permission. I can't just shut it all down either, the higher ups get mad at you for this as they are the worst offenders.

Re:Windows Autorun

[TheRaven64]

If your financial institution is employing 'most users' to configure its network, then you should probably seek a new financial institution.

Re:Windows Autorun

[sowth]

"Secure by Default" is OpenBSD's claim, it is not from Linux. The previous poster didn't mention anything about Linux in his post. Nice of you to deliberately confuse the issue. Microsoft shill much?

Ah, the old days of slashdot, where at any mention of Linux, some bastard would morph the conversation to claim someone had said Linux is "bulletproof" "perfect" "impossible to hack", when in fact, no one had made any such claim at all.

Re:Windows Autorun

[TheCabal]

In between rounds of slurping up Theo's man-juice, you might want to enroll in the local community college's reading comprehension class.

Another scam

[Orion+Blastar]

like those Emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.

Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

The attached files usually have malware in them.

Microsoft does updates via Windows Update or Microsoft Update or via their web site in downloading patches, they never attach the patches to email.

I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.

I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

Re:Another scam

[Pentium100]

Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

Can't you spoof an email address if you do not need to receive a reply? I remember doing this a few years ago. Maybe they patched it now, with the spam filters and such...

Re:Another scam

[Vancorps]

Microsoft will send you direct links to download hotfixes when you request them from their website. Not quite the same as an attachment and you have to request it first but it would be the same result if you got such an email while you were expecting a reply from Microsoft which can sometimes take a few days.

I created a spam account on our domain where users can forward their spam if they are getting it on a regular basis. That way I can extend my filters and content blockers. Keeps the spam pretty low for everyone except the one old lady in the office that actually responds to spam. She then proceeds to come to my office to complain about all the spam she is getting. Gotta love it!

Re:Another scam

[Kozz]

Yep, trivial.

Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

Re:Another scam

[nihongomanabu]

A friend of mine in university got in a bit of trouble when he spoofed the reply address in a joke email. The IT dept wasn't happy they had to explain to a student that they didn't really get an email from god@heaven.com.

Re:Another scam

Okay, this is interesting. Because I know a GIRL, who went to PITT, and her friend did exactly this to her. And she responded in exactly the same way, with the "I'm gonna kill you" thing. And the Secret Service did, indeed, come talk to her.

So my question is... DO YOU KNOW CARA?!

Re:Another scam

[Hurricane78]

Hey! Shhh... I'm twying to hunt wetawds hewe...

*sends out more very obvious scams targeted at IQs below 80*

You know... fow natuwaw sewection and such...

Re:Another scam

they didn't really get an email from god@heaven.com

Well d'uh. Everyone knows its god@heaven.org.

Re:Another scam

[atheistmonk]

For a moment there I thought you were going to say that the "updates" went ahead and installed WGA...

Re:Another scam

[moonbender]

I once played around with that, 10, 12 years ago, writing emails using telnet -- ostentatiously with an address billgates@microsoft.de (or some such shenanigans). Apparently I did something wrong, because a couple of days later I got a stern but friendly mail from a Microsoft admin. I probably sent it to myself, misspelled my own address and it got bounced back to them.

Re:Another scam

I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

15. Virgin. Idiot.

Re:Another scam

[charlesnw]

Yes that's true. However it will come from microsoft.com, have you're case number referenced in the subject and the contact info for the engineer you are working with. So pretty hard to forge.

I suppose one could work up a scenario where they randomly crash servers with a new exploit. You call microsoft. They try sending you some hot fixes. The hacker intercepts the e-mail and DNS. Hardly seems likely though.

Re:Another scam

[aynoknman]

I suppose then it would be devil@hades.gov

Expect this more in the future

[improfane]

Expect malware to appear or be in the wild already on/in:

• pirated DVDs, the ones with dual film and PC content, like the Pokemon DVDs
• more flash drives
• mp3 players, iPods (using hard drive mode)
• Music CDs, the ones with dual PC and audio player content
• Facebook applications
• second hand routers (Linux routers)
• second hand laptops and computers
• more flash drives
• Windows install CDs
• FireFox plugins
• web development templates
• Packages (deb, rpm whatever), makefiles etc
• PDF files

The more I use my laptop, the more I wish to install a hypervisor on the BIOS (preferably based on Linux CoreBOOT or something) and use it to track my laptop and profit from it if it gets stolen.

Hey if someone steals my laptop, sit and cry?

Re:Expect this more in the future

[fuzzyfuzzyfungus]

Don't bother. At the rate malware is proliferating, somebody will install a hypervisor on your BIOS for you. Think of it as a "citizen's automatic update".

Re:Expect this more in the future

[rtb61]

At the current price why would anyone bother with second hand routers, switches etc. They would do it with new gear, redo the factory default in a chip programmer and, then offer them at a discount, in the thousands. Especially with countries deeming it appropriate to become involved in large scale computer hacking as intelligence operations and, for the inevitable rogue agents and contractors, a future 'route' to profits.

Re:Expect this more in the future

[fluffy99]

Happens more often that you'd realize. China is very, very good at hacking and spying. They also happen to manufacture a significant portion of the IT components that we all buy and consider trustworthy. I've convinced that if we ever piss of China, they can send out some magic icmp packet that will start bricking every Cisco switch in the US.

Re:Expect this more in the future

[TheCabal]

Where do you think Cisco has all of its gear manufactured?

Now think just a few years back when the FBI release a warning about fake Cisco gear coming out of China with possibly some dodgy software loaded?

Hackers can be pen testers

[Zero__Kelvin]

The set of hackers and Pen Testers is not disjoint. The summary writer is thinking of crackers. And yes, I know 1200 morons will pipe up to say that Hacker is in common usage, to which I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds. The world can be divided many ways. One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is cluless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

On a side note, I happen to see an old Sopranos where Silvio is asking "what are they called, crackers?", and Tony replies "Hackers". I almost laughed my Ass off. Silvio get's it right, and the boss "corrects" him ... ROTFLMAO

Re:Hackers can be pen testers

how 'bout you get that stick out yo ass?

Re:Hackers can be pen testers

0 K must be the temperature in your bed

Re:Hackers can be pen testers

[rafemonkey]

Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

Re:Hackers can be pen testers

[Zero__Kelvin]

That would be a brilliant retort if it were not for the fact that I live on the bleeding edge. I spend a lot more time there than you, and I get cut much less often than you do (I guarantee it.)

Re:Hackers can be pen testers

[Faylone]

I don't care what percentage of society is cluless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

Re:Hackers can be pen testers

[Runaway1956]

Mod parent up. Everyone who reads slashdot WANTS to think that they are technically inclined. Those who are unable or unwilling to distinguish between pentesters, hackers, crackers, script kiddies, and the myriad other classes of people out there are only deluding themselves about their technical abilities.

Oh - wait. Maybe I'm deluding myself. Slashdot. I actually read arguments here that Windows is better than Linux for no better reason than an author is afraid of the CLI. Let me shut up and slink out of here - I've done nothing but embarrass myself by talking to the wrong audience.

Re:Hackers can be pen testers

[Zero__Kelvin]

"Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings..."

Since your premise is false, your conclusion is fault ridden. Maybe you missed the part about the 1200 morons? Did you really feel so left out of the conversation that you just had to pipe up?

Re:Hackers can be pen testers

[spiffmastercow]

The set of hackers and Pen Testers is not disjoint. The summary writer is thinking of crackers. And yes, I know 1200 morons will pipe up to say that Hacker is in common usage, to which I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds. The world can be divided many ways. One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is cluless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

You know there's a whole school of philosophy dedicated to the common usage vs. defined meaning problem. As for which one is right.. Inconclusive.

Re:Hackers can be pen testers

[Zero__Kelvin]

"Oh - wait. Maybe I'm deluding myself. Slashdot. I actually read arguments here that Windows is better than Linux for no better reason than an author is afraid of the CLI. Let me shut up and slink out of here - I've done nothing but embarrass myself by talking to the wrong audience."

Maybe you also missed the part of my post about the 1200 morons? It should have conveyed to you I was well aware that there is a faction of the audience that is as ignorant as you describe. There are, however, quite a few people with a clue as well or I wouldn't bother with the site. Presumably you feel the same way, or you wouldn't be posting here either, right?

(Faction is NOT a typo)

Re:Hackers can be pen testers

[Zero__Kelvin]

... and you needed to quote my whole post to state that? Actually, you again have those with a clue against those without a clue who refuse to admit it. If it is common usage, but not part of defined meaning, we have an actual defined meaning for that ! It's called slang.

Re:Hackers can be pen testers

[DerekLyons]

One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is cluless in this regard even if it is 99+%.

Get the fuck over yourself. 'Hacker' is a synonym for 'cracker' and has been for nearly thirty years. Language, slang, and jargon - they all mutate and change over time. Grow up and get with the times.

Re:Hackers can be pen testers

(Faction is NOT a typo)

+1 Dick

Re:Hackers can be pen testers

[Zero__Kelvin]

"Get the fuck over yourself. 'Hacker' is a synonym for 'cracker' and has been for nearly thirty years. "

What you mean is that almost 30 years ago Steven Levy mistakenly described a cracker as a hacker because he didn't know enough about what he was reporting. Someone said "RTM? He's one of those hackers", and Levy mistakenly reported that hackers are people who break into computers. It is as though he was trying to find out about "Jack the Ripper" and someone said "Oh, he's one of those doctors", so he writes that "Doctors" are people that hack people to bits. Everyone then reads it and the error propogates. No matter how popular the misinformation, it is still misinformation. Now get to bed. You've got to be up for school in the morning.

Re:Hackers can be pen testers

[Faylone]

Just because "minute" means 60 seconds, it is not prohibited from gaining other valid meanings.

Re:Hackers can be pen testers

[That's+Unpossible!]

Right, right. It's like when my wife goes, "Why do you bother reading what a bunch of frigtards think on some lame site for dorks?"

And I correct her, "Honey, they're FREETARDS, not frigtards. And the site is for nerds, not dorks!"

Then she blows me!

Re:Hackers can be pen testers

[Zero__Kelvin]

True, but Gang Bangers are prohibited from doing the defining ;-) Also, clueless reporters are similiarly excluded.

Re:Hackers can be pen testers

[maxume]

No, the descriptivists are right. Probably even in France.

If nearly every language had not changed drastically over time, there might at least be an interesting conversation there, but alas.

Re:Hackers can be pen testers

[maxume]

I'm not sure a large percentage of the populace even has a clear idea what an OS is.

Re:Hackers can be pen testers

[Faylone]

Why are they prohibited from doing so? Many languages may have official language regulators, but English does not. What makes you more authoritative than them?

Re:Hackers can be pen testers

[maxume]

We all know AC loves dick, but it is a little unusual for one to come right out and say it.

Re:Hackers can be pen testers

You're proud to know the "proper" meaning of hacker? That's trivia at best, akin to knowing all the state capitals, or knowing just how filthy "A Midsummer Night's Dream" can be (lots of double entendres there). You've niche knowledge... congrats we all do. Try to take pride in something a bit more unique.

Re:Hackers can be pen testers

[Zero__Kelvin]

The difference is that I actually know what I am talking about.

Re:Hackers can be pen testers

[Mozk]

As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

That's the problem. When a word (like "hacker") has different usages and definitions to different people and can be interpreted in various ways, the meaning is not conveyed properly.

Re:Hackers can be pen testers

[Spy+der+Mann]

A large percentage of the populace thinks they run the best, most secure OS in the world

Most people think they're runing Linux? Oh, wait...

Re:Hackers can be pen testers

[Zero__Kelvin]

"Then she blows me!"

Which begs the questions: "In what country can you marry your dog and what brand of peanut butter does he prefer ? (No hiding behind feminine pronouns for you sweetheart)

Re:Hackers can be pen testers

lol. I bet he tells people that he is gay when he is happy too,

Re:Hackers can be pen testers

[e9th]

You're really hung up on language issues. So why do you say "Which begs the questions..." when you mean "Which raises [asks] the questions..."? To beg the question is to commit the fallacy of petitio principii.

Re:Hackers can be pen testers

[Zero__Kelvin]

"You're really hung up on language issues."

This isn't even remotely a language issue. It is a matter of fact. I know many people would rather be wrong and popular than right and unpopular. If you fit into that category, go for it. I am under no delusion that millions of people will suddenly get a clue just because they are presented with the facts .

Re:Hackers can be pen testers

[Mr.+Vage]

For someone who is fighting so strongly that hacker =/= cracker and that language shouldn't change like that, you've horribly misused "begs the question". Begging the question refers not to a statement causing a question to arise, but instead to a circular argument.

Re:Hackers can be pen testers

If only one could find a way to post a facepalm image... never before have I seen a slashdot post that deserved it so much.

Fucking moron.

Re:Hackers can be pen testers

Note to self - linking to your own idiotic post four or five times in one thread doesn't make it any less idiotic.

Re:Hackers can be pen testers

[chis101]

Language can and does evolve over time. Look up Hacker in the dictionary.

http://www.merriam-webster.com/dictionary/hacker

4 : a person who illegally gains access to and sometimes tampers with information in a computer system

Just because something started out as a mistake, doesn't make it incorrect now. Try taking a look at the dictionary definition of "nauseous," as I would guess you would be one of those people who say that "I feel nauseous" is incorrect, while "I feel nauseated" is the only correct way to convey the feeling. http://www.merriam-webster.com/dictionary/nauseous

Those who insist that nauseous can properly be used only in sense 1 and that in sense 2 it is an error for nauseated are mistaken. Current evidence shows these facts: nauseous is most frequently used to mean physically affected with nausea, usually after a linking verb such as feel or become; figurative use is quite a bit less frequent. Use of nauseous in sense 1 is much more often figurative than literal, and this use appears to be losing ground to nauseating. Nauseated is used more widely than nauseous in sense 2.

Note how 'the most frequently used' definition becomes the correct one? Language changes, and sometimes people just make honest word/grammar mistakes. Get used to it.

Re:Hackers can be pen testers

[e9th]

You're annoyed because some people confuse hackers with crackers. I'm annoyed because some people confuse begging the question with asking the question. Let's both just let it go, we've lost.

Re:Hackers can be pen testers

Did you honestly just write that? THE BLEEDING EDGE? The whole post was epic. You are either parodying, or you are COMPLETELY detached from reality, and humanity (I guarantee it.)

Re:Hackers can be pen testers

Just because "minute" means 60 seconds, it is not prohibited from gaining other valid meanings.

I thought minute meant small?

Re:Hackers can be pen testers

Your nice little rant there sidestepped the FACT that you INCORRECTLY used the term "begs the question". You used it in a way that DIFFERS from the TRUE DEFINITION, yet has become ACCEPTED into COMMON SPEECH. The irony here is so unbelievable that I must conclude that your whole attitude on this topic is an epic troll, and you don't believe any of the stupid shit you are rabidly babbling about.

Re:Hackers can be pen testers

[Jah-Wren+Ryel]

I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds.

Yeah, I don't think so. Your definition of "a long time" is something that YOU have pretty much made up on the spot and in the process ruined any claim to being an authority on english word definitions. Very few teenagers, or anyone else, mean "a long time" when they say "minute" - its pretty rare for anyone to mean anything even approaching an hour when they say "minute." And unless you are a fruit-fly or suffer from ADD, an hour hardly ever qualifies as "a long time."

But, since a "short space of time" is a merriam-webster endorsed standard meaning of the word "minute," you kinda had to make up some BS in order to support your rather unsupportable point. It's ironic that you misused the key word in your own rant on people misusing words. I think its the best case of grammar-nazi karma I've seen to date.

Re:Hackers can be pen testers

Wait... we're getting a lecture on language usage from someone who doesn't know what begging the question is?

Oh, the irony.

Give up, while you're not too far behind.

Re:Hackers can be pen testers

[Zero__Kelvin]

"Yeah, I don't think so. Your definition of "a long time" is something that YOU have pretty much made up on the spot and in the process ruined any claim to being an authority on english word definitions. Very few teenagers, or anyone else, mean "a long time" when they say "minute" - its pretty rare for anyone to mean anything even approaching an hour when they say "minute.""

You know about all of the teenagers on the planet??? Who would have thought that Santa Clause posts on Slashdot under the SlashID Jah-Wren Ryel !!!

Re:Hackers can be pen testers

[DerekLyons]

As I said to the OP, the meanings of words change regardless of the source of that change. Get the fuck over yourself.

Re:Hackers can be pen testers

[Jah-Wren+Ryel]

You know about all of the teenagers on the planet??? Who would have thought that Santa Clause posts on Slashdot under the SlashID Jah-Wren Ryel !!!

You know about all of the teenagers on the planet??? Who would have thought that Santa Clause posts on Slashdot under the SlashID Zero_Kelvin !!!

Re:Hackers can be pen testers

[Hurricane78]

Interesting... I just noticed, that when you would exchange the quote and the answer of your comment, GP would still be right. I've never seen that before, but it's certainly cool. I'm going to try to reproduce that... ^^

Re:Hackers can be pen testers

Dude, you're a moron. You are the one claiming you know all of the teenagers on the planet. ZK is saying some of the teenagers (many?) say this. You are claiming that NONE of them do. Only one of you is claiming to know all of the teenagers on the planet.

Re:Hackers can be pen testers

[Zero__Kelvin]

Nobody told you? So many people use the phrase erroneously that the erroneous use has come into common usage and is now correct! ROTFLMAO

Re:Hackers can be pen testers

words are but a finger pointing the way towards the moon: focus on the finger and one will miss all the heavenly glory.

Re:Hackers can be pen testers

[spiffmastercow]

... and you needed to quote my whole post to state that? Actually, you again have those with a clue against those without a clue who refuse to admit it. If it is common usage, but not part of defined meaning, we have an actual defined meaning for that ! It's called slang.

Yah, Wittgenstein was a hack!

Re:Hackers can be pen testers

[spiffmastercow]

+5 insightful to the AC!

Re:Hackers can be pen testers

You sir, are a complete and utterly arrogant prick. Good day.

Re:Hackers can be pen testers

Please sir.. Shut up. You are wrong.

Language is a mode of communication (stated by Faylone).
Communication is a function required by communities to coordinate.

If communication succeeds in coordinating, it has served its purpose. (Note: I'm using coordinate to include art. Art is a method of coordinating our souls!) (That last was total BS. :-p)

Seriously, though. The beauty of English is that it is a living language. (And, for that matter, most other languages.) So maybe the poster didn't use technical parlance. The distinction in this case has become obsolete except for the extreme minority of purists. Everyone else will understand what you mean. Purists will ask for clarification.

It's like any other technical subject... the technically informed will understand the differences, the technically uninformed will use whatever works for them. That doesn't make either set wrong.

So... Cracker... Like saltines? Or a white person? Or maybe you're talking about fireworks? Or maybe we're just trying to describe what kind of noise my spine makes. Or a wedge? Is my point sufficiently made?

As a hint, using language to communicate makes you friends. Using language to troll and to correct other peoples' usage doesn't make you friends.

Re:Hackers can be pen testers

As in, you fucked her for one minute with your minute penis?

Re:Hackers can be pen testers

[gwbennett]

Just because "minute" means 60 seconds, it is not prohibited from gaining other valid meanings.

Such as "very small" for instance

Re:Hackers can be pen testers

[Jah-Wren+Ryel]

Dude, you're a moron. You are the one claiming you know all of the teenagers on the planet. ZK is saying some of the teenagers (many?) say this. You are claiming that NONE of them do. Only one of you is claiming to know all of the teenagers on the planet.

Do you really believe that Zero_Kelvin knows "millions of teenagers?" For all practical purposes he is claiming the exact same thing I am, except I'm applying common sense and he's just making shit up to support his own little pet peeve.

Re:Hackers can be pen testers

[pwfffff]

Haha, everyone look at this idiot. He said 1200 morons would pipe up, and there's only been about 25 so far. Hell, I don't remember the last slashdot story that had 1200 comments total, much less in reply to one troll. I wish the douchebag would learn his numbers before attempting to communicate.

Really though, I wish you a quick recovery. I've laughed my ass off before too; I know how bad it can hurt. Here's hoping yours grows back.

Re:Hackers can be pen testers

[Zero__Kelvin]

So to recap your position, you don't understand exaggeration, and that makes me an idiot. Thanks. I needed a laugh this morning ;-)

Re:Hackers can be pen testers

[pwfffff]

It's called a parody, referencing the fact that you apparently think someone's a liar when they are not, in fact, gone for 'a minute'.

You're so bad at trolling it hurts.

Re:Hackers can be pen testers

Thanks for pointing out the fact that Mr. Vage was laughing at your hypocritical stupidity.

Re:Hackers can be pen testers

[Lord+Ender]

You are the greatest troll I've seen in a while. You appoint yourself the defender of language, even though you're wrong (as language has moved on without you). But then you go off and misuse the phrase "to beg the question." That's really awesome. You're a talented troll or a hilariously confused and proud idiot. Either way, stay around and amuse us.

Re:Hackers can be pen testers

You don't even understand what was actually stated. Your not even close. You are truly a fscking moron.

Where are the jokes?

More than twenty comments and still no penetration joke?

Re:Where are the jokes?

the penetration joke is in your pants.

at least that's what your girlfriend told me.

Re:Where are the jokes?

[MadKeithV]

No-one on slashdot has the necessary experience to make penetration jokes.

Bad name for pen-testing

[twistah]

Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, the the payload is innocous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such myself and others.

Re:Bad name for pen-testing

[Lord+Ender]

What, specifically, did the pen-testers do wrong? It sounds like the credit union is the group which screwed up. They contracted a pen-test, but then went ahead an called the cops *anyway*.

What would you have done differently if you were doing the pen-test?

Wait, I've heard this one before.

[rayd75]

In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

Re:Wait, I've heard this one before.

[John+Hasler]

> Credit unions make great financial sense but only the largest ones have the
> kind of IT and security resources most of us associate with a bank.

Considering what the banks accomplish with those resources, I'll take the credit unions.

Re:Wait, I've heard this one before.

[CodeBuster]

Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

And yet smug credit union users always mock those of us who use larger banks for our personal banking because they charge a few bucks more for services. It seems that you really do get what you pay for. How much is security worth? It is worth a few bucks more to me that's for sure.

CDs?

[Culture20]

Hostile takeover by Sony?

CU's dont always have securityin mind

[rivetgeek]

I've tried repeatedly to warn my own credit union of a security breach in their "self-help" terminal. It's running windows and a modified version of IE (no close out x). The problem is that the "View cookies" menu item open an explorer window in focus and the whole directory can then be traversed and written to. It's also internet friendly and not firewalled for third party sites. Sounds like a perfect recipe for a keylogger to me.

Re:CU's dont always have securityin mind

I had a similar terminal at a gas station I used to work at while in college.

Issue: It is legally required to post signage on inoperative gas pumps. It is against company policy to use handwritten signs for anything, could be fired to do so.

I used a similar hack to access notepad to print out a sign for the broken gas pumps.

Racism!

[dangitman]

Why are you so down on white people? You could at least call them "honkeys" as it has a more lyrical sound.

Pen testers

I'm in favor of it; I think that banks really need pen testers.

Their pens usually are broken off of those little chain things, and when you do find one that's still attached, it doesn't write.

Re:Pen testers

[evilandi]

Barclays Bank in the UK got bad news coverage a few years ago for refusing to lend a pen to a customer. To counteract this bad coverage, they got rid of all the pens-on-a-chain and now have disposable ballpen dispensers throughout their branches. You can just walk in off the street and help yourself to a pen, no questions asked. I must have a dozen by now. They have amusing mottos down the side such as "Steal me" or "Bank swag".

And they write pretty well.

http://www1.banner-online.biz/whybanner/barclaysbank_175.html
http://images.onesite.com/my.telegraph.co.uk/user/bent_society/20080206111643.jpg

Re:Pen testers

[aynoknman]

And I thought it was a typo for PIN testers; making sure that people don't use 1234, 1111 or 9999 as their PIN on the ATMs.

ObSimpsons

[istartedi]

I gotta jump into the old horseless carriage for a spot of motoring.

"Fill it up with petroleum distilates, post haste!"

We also would have accepted: "My car gets 40 rods to the hogshead, and that's the ways I likes it."

Re:ObSimpsons

[TheCabal]

I'd like to send this letter to the Prussian consulate in Siam by aeromail. Am I too late for the 4:30 autogyro?

It's like herbal tea

[Bragador]

Haha, I hear you. As for myself, people who call a tisane simply "tea" or "herbal tea" get on my nerves. If it's not made with the "tea" plant, it's not "tea" damnit!!!! But most grammar softwares don't even know the correct word anyway...

Don't bother man

[Sycraft-fu]

The GP is just one of many "Banks are evil!" types online. You aren't going to convince them otherwise. They have little understanding of finance and less of banking. Also the reason he's whining is because the USSS was involved. He also doesn't understand that they are responsible for this kind of crime, he thinks the president ordered them on the case because banks are special.

I've debated with the "Use only cash, banks are evil, we need the gold standard!" types and there is just no reasoning with them. You are completely correct about the differences with a credit union, but you aren't going to convince him of it. They are a "bank" and banks are evil and so on.

Re:Don't bother man

[Shakrai]

I wouldn't mind seeing a return to something similar to the gold standard but it's not because I think banks are "evil" It's because I don't like the fact that the Fed can effectively confiscate the savings that I've worked so hard to acclimate through inflation.

I've worked with the USSS three times in my professional career. Twice were for financial crimes. Once when somebody hacked our e-commerce server when I was in the ISP business and the other time for this. The other occasion I had to work with them was when an employee of the company I was working for at the time decided to a not-so-nice e-mail to George W. Bush. I've learned a few things about them from these experiences:

1) USSS agents are generally more outgoing and humble than their FBI counterparts
2) They are extremely competent and professional
3) The financial guys have a sense of humor. The Presidential protection guys do not ;)

Re:Don't bother man

[Gilmoure]

What about the warehouse guys? Are they really as goofy as they show on TV?

Why did it take so long to come back?

[hyades1]

Truly, there's a sucker born every minute. Most of them seem to wind up working in business, and most of them have the technological competence of a retarded toaster. With any luck, the movers and shakers will figure out that paying the IT guy more than minimum wage...and having somebody competent to watch over HIM...is a wise investment.

Re:Why did it take so long to come back?

[Lumpy]

With any luck, the movers and shakers will figure out that paying the IT guy more than minimum wage...and having somebody competent to watch over HIM...is a wise investment.

Only when they realize paying an Executive to play golf and schmoose all day for ungodly amounts of money a year is stupid and eliminate the worthless position all together.

for every underpaid IT guy there is at least 1 worthless Executive that can be tossed out of the company and nobody would notice. It amazes me how many executive positions are out there in companies that are not needed at all, yet they keep the dead weight around while cutting departments that are vital.

Mail Fraud or something like that... maybe?

[realsilly]

Wait, they fake where the CD's were coming from? Wouldn't that constitute as Mail Fraud? And isn't that a Federal offense? Hmmm, it reminds me of the movie "the Firm". Sending a CD with Malware may not be illegal, but faking the source might be. I'm not sure of the law here, but I would think this would draw greater attention to federal authorities.

or not...

Re:Mail Fraud or something like that... maybe?

[VGPowerlord]

Wait, they fake where the CD's were coming from? Wouldn't that constitute as Mail Fraud? And isn't that a Federal offense? Hmmm, it reminds me of the movie "the Firm". Sending a CD with Malware may not be illegal, but faking the source might be. I'm not sure of the law here, but I would think this would draw greater attention to federal authorities.

or not...

You act like impersonating a federal agency isn't a crime in and of itself.

Re:Mail Fraud or something like that... maybe?

[realsilly]

Unfortunately, this is not how I wanted the comment to come across. I was thinking along the lines of how many crimes had been committed in even one single act of sending fraudulent mail to a banking institution throught the US mail via the fake mailing. Since I'm not really sure of all of the various laws that may have been broken I was more curious than anything else. I'm guessing that one act alone would be breaking at least (and this is a guess) 5 federal laws, not to mention how many local laws would fall on-top of that.

The simplest tactics

[nurb432]

Often are the best.

Sadly...

[hesaigo999ca]

Sadly, I am sure that many of the employees...would not even consider this type of vector for an attack, and with no regard to safety plop it in and press play without scanning with an anti virus, or even contacting head office and asking them why send a manual without warning. Good one hax0rs

It takes money to make money

Thanks to the recession some of us weren't in a position to buy when everyone else was selling.

Remember, if you are unemployed, your personal unemployment rate is 100%.

Re:It takes money to make money

[Shakrai]

WTF is your point besides "woe is me"?