Monthly Archives: May 2013

Malware targeting point-of-sale (POS) systems has been a major trend of the last six months or so, with a flock of interrelated malware families being sold, shared, exchanged, tweaked and improved by the various denizens of the cyber underworld.

With easy pickings to be had from under-protected small operations, this pattern is only going to grow until people start fighting back with better system security, and ideally better payment card systems.

How point-of-sale malware works

A few weeks ago I looked at a report highlighting the high levels of data breaches in the retail and food and drink sectors, areas not famed for handling large bank accounts or valuable industrial secrets.

For some time before that, we’ve seen a number of reports on malware strains targeting POS systems. Both here on this blog and elsewhere, I’ve read reports analysing a slew of attacks, all aiming to harvest data from POS systems. The main aim is to pick up small batches of card numbers from mom-and-pop operations where the least attention is payed to best security practices.

These are in a way the opposite of the high-profile, high-sophistication targeted attacks which make most of the headlines these days. Big-name brands are rarely involved, and no huge sums of money are being stolen from any single victim.

Instead, large numbers of smaller targets are being taken for small amounts of cash, in the end making for big windfalls for the bad guys with much less risk of aggressive countermeasures.

POS present

These malware families are being diligently worked on to improve and expand their functionality, and as most seem to be available for sale to anyone willing to buy them online, their implementation grows more diverse by the day.

The functionality is used as a standalone data exfiltration technique in more focused attacks, or rolled into more general-purpose crime kits, which can probe for any likely POS data just as they would for anything else of potential value.

In the last week or two, there have been some detailed analyses of some of the major strains, including a multipart blog series from Trustwave’s SpiderLabs, whose annual report inspired my first look at this topic.

More recently, we’ve seen a hugely in-depth study from Team Cymru, a specialized Internet security research firm dedicated to making the Internet more secure. Their report covers several of the major POS-targeting families, particularly one they dub ‘Alina’, and includes some basic recommendations for businesses on how to mitigate such attacks.

Both these studies highlight the complex web of interrelationships between several seemingly different malware strains, the similarities being in the structure of their command and control systems.

This implies some degree of organisation and pooling of ideas and resources. All of this effort is aimed purely at harvesting card info, and converting that info into cash.

What payment systems are affected?

To clear up some misunderstandings from recent pieces on this topic, these problems don’t only affect operations in the US, where the EMV or ‘Chip and Pin’ system hasn’t yet been implemented. There have been reports of data breaches all over the world, but they do share one common trait, they all impact locations where the chip-and-pin system is not widely used.

Outside of the US, this is mainly international hotels where large numbers of foreign guests are processed. In the US, it’s just about anywhere.

The chip-and-pin system itself is not entirely perfect, as we’ve seen some reports of that being bypassed too, but they seem to be almost exclusively physical breaches, where pin-reading machines have been doctored, or replaced with Trojan lookalikes.

That kind of attack is pretty hard to defeat of course – you can be as careful as you like with your anti-virus updates, your software patches and your firewall rules, but if the bad guys can come into your house and replace your PC with an identical-looking one under their control, it’s basically game over.

Mitigation: what can be done to stop point-of-sale attacks?

Chip-and-pin at least provides some protection against the indiscriminate data-harvesting conducted by the likes of ‘Alina’, ‘Vskimmer’ and ‘Dexter’. Once it is properly and universally adopted, with no-one anywhere carrying old-style, easily copied ‘Track 2’ style cards, this whole cabal of scammers should be out of business.

In the meantime, there are some things business owners can do to protect themselves, starting with the basics of ensuring all software running on their customer-facing networks is kept up-to-date with the latest patches. They should also ensure that any services allowing remote access have secure passwords – many of these attacks have simply used default passwords in common tools to penetrate networks.

In happier news, a convicted Romanian carder has invented a device which protects ATMs from card-skimming add-ons. Joy.

Via: sophos

Wi-Fi plus an app that enables live streaming of the hunt.

This is for those who may like Tec stuff and weaopns.

A high-tech Texas gun designer has started shipping its first generation shooting system that combines a hunting rifle with a Linux-based scope that takes so much guesswork out of hitting targets a quarter mile away that even novices can do it.

TrackingPoint Xact System consist of the rifle and electronic scope that accounts for distance, temperature and movement before freeing up the trigger to shoot, the company says. (Watch a demo of the product.)

It was originally designed with the goal of hitting a volleyball at 450 yards but has surpassed that, and the company says that someone with no shooting experience can achieve long-range marksman performance with the weapon the same day.

The scope has a laser range finder to calculate distance and temperature and pressure sensors to calculate relative humidity, which can affect the behavior of a bullet. It also includes objective lenses capable of magnifying a heads-up display image of the target 30x or 35x depending on model.

It also has gyroscopes and an accelerometer to determine how the weapon is positioned and moving in space.

Input from the scope is run through the system’s tracking engine that decides when the gun is properly aimed to hit the target. The engine runs on Linux kernel 2.6.37 based on the OpenEmbedded project.

The scope uses a barrel-referencing system that accounts for any changes in angle between the scope and rifle that may occur during shipping or due to the barrel heating up during use. The system automatically makes adjustments so the tracking engine remains accurate.

The scope also has a shot counter and calculates how the muzzle velocity of bullets the gun fires will change over time and works in that change as it analyzes each shot.

The only judgment the shooter has to make is estimating the wind speed and direction, and entering that information into the scope.
Shooters sight the target via a heads-up display, place the crosshairs on the target and hit a “tag” button on the trigger guard that imposes a red dot on the target. The dot – updated 50 times per second – remains on the target even if it moves or the scope is moved side to side or up and down.

Shooters squeeze and hold the trigger to arm the system and align the crosshairs with the red dot. The tracking engine allows the gun to fire only when the dot and crosshairs align.

Inside the scope the hardware consists of four major, three minor processors, says Oren Schauble, who is in charge of TrackingPoint, marketing.  Here’s how he describes the processors and their functions in an email:

“Main processors include the Predictive Image Processing Pipeline (PIPE) in [a field programmable gate array], the Tracking DSP for foreground target tracking and ballistics computation, the Imaging Processor for active imaging control and the User Interface Processor which runs the Linux operating system and is responsible for the HUD graphics, WiFi and off scope video processing. There are also 3 smaller processors used for image compression and power management.”

The Xact System also includes a Wi-Fi server that communicates with iOS or Linux devices equipped with TrackingPoint apps. As part of an introductory offer, the system comes with an iPad Mini.

The apps can receive the 640x480p H.264 video at 30 frames per second streaming live video that depicts what is displayed on the heads-up display on the shooting system. With it an instructor up to 50 feet way can see exactly what the student sees. The apps can also capture the video and upload it to sites such as Facebook or YouTube, and can pull down updates to the system software.

The apps also enable configuring the Xact System by entering, for example, the ammunition being used, and setting policies for how long before and after a shot video is recorded. The apps are free and available at the Apple Store and Google Play store.

Two rechargeable 2600mAHr Lithium Ion batteries power the system for more than 6 hours of continuous shooting.

The price for TrackingPoint systems starts at $22,500. It comes in three models: one tuned for 850 yards, one for 1,000 yards and one for 1,200 yards. The last fires .338 ammunition and the other two fire .300 ammunition.

Via: networkworld

Yahoo’s Flickr photo-sharing service is now offering one full terabyte for users, enough storage space to hold whole swathes of the world’s photos. The service is offering this benefit in addition to its full resolution photo storage service.

While the average user will probably not touch the outer limits of this storage space in a lifetime, this alone is probably enough to draw dedicated photographers to the service and, more important, bring lapsed users back to the Yahoo fold.

This move is important. Given the odd nature of most photo sharing services, you are either limited to a few dozen gigabytes or, in the case of Instagram and other mobile services, an unstated upper limit that is not part of the marketing collateral. While I don’t doubt that Google or Facebook could make the terabyte claim in the near future, being first to market with this particular feature is an important milestone.

This move is quite clearly a play by Yahoo to make its wares relevant. The long-beleaguered Flickr has at once enthralled and frustrated pro users with claims of abandonment by the web giant.

As Marissa Mayer noted in her presentation, this is about “bringing lifetimes of beauty into Flickr.” It’s also about convincing casual photographers to trust Flickr as a universal shoebox for their old snaps – a lucrative and surprisingly important thing to be.

Via: techcrunch

WordPress CEO Matt Mullenweg claims the platform saw an unusually high number of imported posts from Tumblr Sunday night, perhaps an early indication that some are looking to flee in light of the pending Yahoo acquisition.

Mullenweg (pictured) wrote on his blog that WordPress received 72,000 imports during one hour on Sunday, versus the usual 400 to 600 posts. He added that WordPress is friendly with Tumblr, and the two use each other’s services.

“News like this, whether from a friend or a competitor, is always bittersweet: I’m curious to see what the creative folks behind Tumblr do with their new resources, both personal and corporate, but I’m more interested to know what they would have done over the next 5-10 years as an independent company,” he wrote.

The 72,000 figure is a small portion of WordPress’s 50.9 billion blog posts. Mullenweg could not be reached for an update on the stats.

As of last year, WordPress powered 60 million websites versus the current 100 million for Tumblr. Robert Minton VP North America for Six Apart, a paid blogging platform, said despite those stats “everyone’s had a downward trend” in their business.

There are a couple of reasons for this, according to Minton, including too much oversight from the makers of the blogging platforms and a preponderance of startups in the content management system segment. Minton said there are some 122 CMSes with measurable market share and “on Kickstarter there are a ton of CMSes.” Minton said he doesn’t have any new stats showing an exodus from Tumblr.

via:  mashable

The ATLAS infrastructure leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats.  Currently 246 of Arbor’s customers are actively participating in the ATLAS program, and are sharing data on an hourly basis.

The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic ( to / from) Syria across all of these participating networks. This does not show the total traffic into and out of Syria, this is simply a snapshot taken from the vantage point of 246 network operators around the world. As you can see traffic drops to virtually nothing earlier on today.  The actual traffic interruption is likely to have occurred between 1000 and 1100 today, the graphs show traffic interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.

(UPDATED: as of 5:50am ET on 12/1/12)

As a reminder, this is not the first time we have seen a complete cut off of Internet access in the Middle East. You may recall back in January 2011, something similar occurred in Egypt,

UPDATE: Syria’s back online

via:  Arbor Networks

Apple has released iTunes 11.0.3 for OS X and Windows today.

This update fixes a certificate validation issue for both Mac and Windows. If this vulnerability were exploited an attacker would be able to spoof an SSL certificate without a warning being presented, allowing the attacker to potentially execute arbitrary code.

They also fixed 40 other vulnerabilities in the Windows version of iTunes, which sounds really terrible (and might be), until you consider why.

iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs.

The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn’t require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.

What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes. Let’s take a look at the history of the oldest vulnerability fixed, CVE-2012-2824.

CVE-2012-2824 is a “use after free” vulnerability in the SVG parsing code in WebKit. It has a CVSS severity score of 10, is considered easy to remotely exploit and could result in remote code execution (RCE).

It was first reported on 27 April 2012 by miaubiz and was fixed in Google Chrome’s implementation of WebKit on 26 June 2012, about 2 months from initially being reported.

Apple’s first attempt at fixing this flaw was in iOS 6.0.1 and Safari 6.0.2 on 1 November 2012, approximately six months after being reported.

It is on of the vulnerabilities bundled into today’s iTunes 11.0.3 update more than one year after disclosure.

Another vulnerability of note fixed in today’s Windows version of iTunes is CVE-2012-5112, or as it is better known the Pinkie Pie vulnerability from Google’s Pwnium 2 contest at the Hack in the Box 2012 conference.

In combination with another flaw this bug won Pinkie Pie $60,000 USD and a Chromebook courtesy of Google.

While I do question the amount of time Apple needed to fix these bugs, that isn’t the point of this post.

The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod.

The latest version of iTunes for Windows or OS X is always available at http://www.apple.com/itunes/download/.

Via: nakedsecurity

Microsoft released its monthly security update today that fixes a critical flaw in Internet Explorer (IE).

Users are being advised to update their systems following the release of Microsoft’s monthly Patch Tuesday security update, as the May edition includes a critical fixes for zero-day vulnerability in IE and one other flaw rated by the company as a critical security risk.

If exploited, the flaws could allow an attacker to remotely execute code on a targeted system.

Microsoft has listed the critical patches as a top deployment priority as do most of us in the industry.

The flaws impacted every current supported version of both IE and Windows, along with the zero-day status make the deployments an important fix for all users.

Other security issues addressed in the update include eight bulletins rated by Microsoft as important security risks. The flaws include remote code execution as well as a denial of service and another elevation of privilege flaw which could prove to be bigger issues for some customers.

Administrators of Windows Server 2012 systems need to patch as a flaw in the HTTP.sys component could be targeted to perform denial of service attacks, possibly crippling a system and preventing user access for the duration of the attack.

Similarly, a flaw in Windows XP could be exploited in conjunction with other attacks.

Windows XP is not recommend to be run as the dated platform has security concerns, such as an attacker could potentially target one of the Internet Explorer flaws to access a system and then target the elevation privilege flaw to gain total control over the system and potentially wreak further havoc.

Support for Windows XP is ending on April 8, 2014. If you’re running this version after support ends, you won’t get security updates for Windows.

After fighting with Google for a while with no results I finally made the move to my own blog not hosted by them for free.

Even after being there since 2008 (nearly 5 years).

Sometimes you do get what you pay for (this coming from someone who thinks in most cases “free” is a good thing).

I just could not get around there rules, and I quote:

“Google reserves the right to:

• Disable an account for investigation.
• Suspend a Google Account user from accessing a particular product or the entire Google Accounts system, if the Terms of Service or product-specific policies are violated.
• Terminate an account at any time, for any reason, with or without notice.”

So for those who may have actually read my blog, thank you and I am starting up again.

For those who don’t. check it out more often. I try share a little for everyone each week.

Thanks again to all and sorry for the interuption and bear with me as I get this new site up and running right.