More POS Hacks Grab CC Numbers

Everyone gets a kick out of TV shows and news reports that feature stupid criminals. People who get themselves locked inside the store they are trying to rob or stuck in the air vent attempting to break in. For some reason you don’t hear about the smart criminals very often. Maybe they don’t get caught as much?
Recently there has been a new twist on the old credit card number scam. Criminals have found a way to modify those point-of-sale scanning machines everyone swipes their cards through to make copies of the information. I’ve written about this before here and here. Previously it was Stop & Shop Supermarkets who had their card readers physically altered inside the store to record card information (smart) and the second time it was researchers at the University of Cambridge [PDF] who found how easy it was to tamper with the tamper resistant chip and pin machines (wicked smart). Now it is Lunardi’s Supermarket in Los Gatos California who have found their card swipe machines altered to record the card number and PIN. At least a hundred people so far have reported fraud against their cards.
There isn’t a lot of room inside those little machines, so to be able to take one apart, install your recording device then put it back together and install it inside the store without anyone noticing seems to be pretty damn smart to me.
So you want to be smarter? Don’t trust the machines. Don’t give out your PIN number to every retailer you shop at. When the machine asks for a PIN hit the cancel button and choose ‘credit’ instead of ‘debit’. If your debit card can’t double as a credit card get to your bank today and demand one that can. Don’t give your PIN to the Supermarket or Walmart, and at the corner MOM & POP store use cash. Cash is King. Even at the ATM protect your PIN, look for tampering at the machine, cover your hand when entering the number. Be smarter than the criminals. Sure you may feel like George Costanza in an episode of Seinfeld but better to feel like a stocky bald man than to become the victim of fraud.

Defacement Archive May Close

One of the more popular features of HNN (The Hacker News Network) was the daily list of web page defacements that was maintained at the time by Maintaining such an archive soon overwhelmed Attrition and the task was taken over by Alldas. After the demise of Alldas, a small (at the time) upstart security site in Austria, Zone-H took over. They have been maintaining the defacement archive for years and years slowly adding to it over time as new websites get compromised. Their archive now encompasses over 2.6 million web page defacements. The amount of data they have collected is invaluable and is an amazing resource for security researchers to gain a historical perspective on the frequency and methods of attacks used over the years.
Lately Zone-H has had some rough times, their founder has been arrested in relation to an Italian spying scandal and they have been coming under increasing criticism from people who think their archive is actually promoting web page defacements. As a result they are actually thinking about discontinuing the defacement archive.
This would be an unfortunate occurrence if it was to happen. They are currently running a poll on their front page, (in the left column) as to whether they should continue hosting and updating the archive or not. I urge you to cast your vote and help save a valuable security research tool.

SourceBoston WrapUp

I had been waiting for the folks at Source Boston to update their website with relevant materials before I posted a recap but they are probably waiting until Monday and I know I won’t have time to post anything then. So be sure to check their site for presentation slides, videos, and whatnot, but in the meantime here is what I have.

First of all I don’t think I have been to a better con since HoHoCon ’92 or maybe SummerCon ’97? (Was there a SummerCon that year?). So what made it so great? The excellent talks for one thing. You had to make hard decisions for three days straight about where you wanted to spend your time. All of the talks I listened to were extremely high caliber, better than most talks at Blackhat, Defcon, RSA or elsewhere. Then throw in just enough socializing to make it interesting without going overboard (i.e. Defcon), not to many pushy vendors trying to sell stuff (i.e. RSA), and the small (by Blackhat standards) number of attendees and you had a really intimate setting of knowledge sharing for three days straight.

For a recap of the whole conference check out Jack Daniel’s blog post over at Uncommon Sense Security and check the individual talk write-ups at the Source Boston Blog. So far I have only found slides for Sinan Eren’s talk on Information Operations. Dan Geer’s keynote speach is posted here (If you read nothing else read that!). If you want to relive the con vicariously check out the tweme feed as several people (myself included) were microblogging the whole thing.) Other than that you can check out all the photos posted to Flickr so far.
Oh, and videos of all the talks should be available at Media Archives real soon now. I can personally recommend James Atkinson’s talk about telephone defenses, Andrew Jaquith’s talk about problems with AV software, Matt Moynahan’s talk about software inspections, Carole Fennelly’s talk about Incident response plans, and Frank Reiger’s talk on cell phone security. Oh, and there was a little thing near the end about the L0pht you might want to watch as well.

Anyone got more links? Post in the comments. Thanks.

Last Day for Source2008

Yesterday I unfortunately missed James Atkinson’s talk at Source Boston but evidently it scared a few people and pissed off a few others. I did manage to catch Carole Fennelly’s talk about Incident Response Plans which was very informative even for me. And of course people are still talking about Dan Geer’s keynote. Still great talks lined up for today, listening to Frank Reiger right now telling me how insecure all my cell phones are, scary. Oh, yeah, I have a little talk scheduled later as well, at least thats what their telling me, after last night’s pub crawl I’m not sure I remember right now.

Videos of the talks are said to be available at Media Archives at some point real soon now. If you missed the con be sure to pick up a couple of these.

P.S. If you ever get to sit down with James Atkinson ask him to empty his pockets onto the table. Trust me you won’t be at a loss for conversation.

Smart People

Sometimes I wonder if people who are revered in their field are really all that smart. I am pretty sure that some people have achieved their positions not because they know their subject matter but because they are just charismatic people who are adept at politics and manipulation. However, as I sit here listening to Dan Geer at Source Boston talking about the dangers of a computing mono culture and the coming digital pearl harbor I realize that yes, some people really are that smart. Dan has said that his remarks will be available after his talk. I can’t wait to examine his words more closely.

This is one of the best cons I have been at in a long time. Just the right mix of serious technical talks, socialization and of course a little alcohol. Looking forward to talks today about the tug of war between business and security, Critical Infrastructure Protection, Study on Security Training Programs, and of course Developing an Incidence Response plan.

I’m pretty sure day passes are still available.

Source Boston 2008 Going on NOW!

SourceBoston 2008 Going on now and for the next two days. If your anywhere near Cambridge MA you should head over. The shear number of smart security people in this hotel is mind boggeling. Seriously, you can’t turn around without seeing someone else who is a major industry luminary.
Already listened to talks by Tito Jackson (no, not that Tito), he’s the Director of IT from state of MA. He basically said that Mass is great and that jobs are growing and all hail Gov. Deval! Woohoo! I kid, but it was some interesting opening remarks and good to hear that things may not be all doom and gloom as the economy suggests.
The official keynote was given by Richard Clarke the former head anti-cyber terrorism dude at the White House he runs a consulting company now, oh, and he has a book or two out. He asked a very interesting question about wether the government should disclose software vulnerabilities that it discovers or should it keep them for use in the next ‘cyber war’? IMO my tax dollars paid for it so yeah, I should get a copy!
Then Matt Moynahan from from Veracode spoke about how hard it is to quantify the security in software. A subject I have wrote here many times. Lots of good points, companys don’t want to give up their IP, there are no uniform standards, etc… Of course his company (andcformer L0pht peeps company) Veracode has the answer but it seems like a pretty good answer to me.

Oh, and I set up a Twitter account. Not sure if I will use it after the con but there it is.

Tamper Resistant Point of Sale Machine Isn’t

When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their pin numbers. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.

Here is some advice which you can use, at least here in the US, don’t trust those card swipe and pin entry machines at the checkout counter. Most Debit cards from US banks will also work as a VISA or MasterCard. If your at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.

Less Than Two Weeks to Source2008

So I was having lunch with one of the organizers of the Source Boston 2008 conference yesterday (Spicy Beef Bowl, mmmmm) and realized that this is going to be one really great conference. Not only are there big name speakers like Richard Clarke, Steven Levy and Dan Geer there are some well respected security industry luminaries as well like Carole Fennelly, Frank Rieger, James Atkinson and a host of others. But I think the big thing that will set this conference apart from the big ones like BlackHat or RSA, (besides that the fact that it is within driving distance for me) is the size. There won’t be tens of thousands of people in attendance meaning you will probably be able to get a lot of one on one time with some of the smartest security minds in the country. If your in the Boston area at all you should probably stop by for a day or two or even all three.

Oh, and the L0pht renion panel is scheduled for Friday, the day after the Pub Crawl, which ought to be interesting.


AES = XOR = Secure? WTF!?!

I don’t have time for all of the stupidity out there but this is just to stupid to let pass by. Easy Nova a German company that makes a variety of computer storage accessories, recently released a hard drive case with hardware data encryption with 128-bit AES and access control via an RFID chip. Which on the surface sounds really really cool. Portable secure data, what more could you ask for? As it turns out you still need to ask for it to be secure because according to Heise Online and c’t Magazine that despite the claims of AES hardware encryption the product actually uses XOR encryption to write your data! Evidently the AES is only used to encrypt the RFID signal between the drive and the key fob. AES for the RFID chip but XOR for the data? I mean WTF! How about some truth in labeling. I suppose we should be happy they didn’t use double XOR.

This is yet another example of a security product that isn’t secure. How is the consumer supposed to know? Not everyone has diagnostic labs and forensic tools at the their disposal to test each and every product they buy for security. I’ve mentioned the formation of a Cyber UL before and clearly it is sorely needed.


Responsible disclosure for vendors?

If a vendor finds a vulnerability in a competitors code are they obligated to tell them? What exactly is ethical and or responsible disclosure when it comes to competing vendors? Among security researchers the general consensus these days is to notify the vendor and then wait a reasonable amount time for a patch to be developed before going public. While this scenario is for the most part agreed upon and followed it is by no means a perfect solution. Now through in competing vendors and it gets even stickier.
Recently the Mozilla group was notified of an exploit in their code which they dutifully fixed. In the process they evidently realized that the same hole effected the Opera browser. Like good net citizens they notified Opera of the hole but did not wait around for Opera to fix it.
So is Opera justified in being a little miffed at Mozilla for not waiting for a fix or should they be happy that they got notified at all? Should vendors be held to the same ethical standards as researchers when it comes to vulnerability disclosure even if it is with a competitors product? Why have we had this same problem for decades without some sort of solution?