Monthly Archives: January 2014

Social engineering attack on GoDaddy and PayPal to blame in Twitter hijacking

Naoki Hiroshima lost access to his unique Twitter handle after being pressured by the criminal responsible for compromising his PayPal and GoDaddy accounts.


Update: GoDaddy confirms the social engineering aspects of this Twitter extortion scheme.

Update 2: Added commentary from Chris Hadnagy and Michele Fincher, from Social-Engineer Inc.

Leverage. That’s what the criminal had when he contacted Naoki Hiroshima. Until recently, he had one of the highly prized single letter Twitter profiles; his was @N, but now it’s @N_is_stolen.

The details of his story are posted to his Medium account.

In order to steal the coveted Twitter account, the criminal behind this scheme started with PayPal. Initially, they tried to reset the account password, but Hiroshima uses two-factor authentication, so that attempt failed. The attacker tried again, this time allegedly calling PayPal and posing as an employee, where they claim they managed to get the customer service representative to give out the last four digits of Hiroshima’s credit card.

In a statement, PayPal said that Hiroshima’s personal details and credit card details were not shared, noting that Hiroshima’s PayPal account was not compromised.

“We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal… Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post. We are personally reaching out to the customer to see if we can assist him in any way.”

It’s entirely possible the criminal lied to Hiroshima; that’s what criminals do. So their claim that they posed as a PayPal employee could be completely false. But whoever is behind the attack did have the last four digits of the credit card in question, because this person used them to gain access to Hiroshima’s GoDaddy account.

According to the criminal, explaining the process to Hiroshima, they called GoDaddy and gained access to his account by pretending to have lost the card on file, but told the customer service representative that they recalled the last four digits – which can be used for verification of account ownership.

Compounding the problem, the criminal noted that they were allowed to guess the first two digits of the card GoDaddy had on file to prove they were the owner of the account. They guessed correctly on the first try. Now, Hiroshima’s GoDaddy account was in the hands of the criminal behind this scheme, and they altered all of the account details.

With the details changed, GoDaddy told Hiroshima that he wasn’t the owner of the account, and as such, there was nothing that could be done to help him. Stuck, with few options, Hiroshima is left to deal with an attacker who wants to make a trade.

GoDaddy didn’t respond to emails seeking comment for this story [see statement below], but they have told Hiroshima they are willing to assist him, now that the story is out in the open.

As Hiroshima put it:

“It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.”

Once the attacker had control over Hiroshima’s GoDaddy account, they threatened to delete data unless Hiroshima gave up his Twitter profile. Feeling the pressure, Hiroshima relented and released the @N account.

Keeping to their word, the criminal returned control of the GoDaddy account back to its rightful owner, which allowed Hiroshima to start the recovery process and attempt to protect his remaining accounts.

Twitter is investigating, but wouldn’t comment further when asked for details on the status of @N.

Social engineering is an attack on the mind, and one that plays into basic human traits. In this case, if the attacker is to be believed, a PayPal representative shared information because they were under the impression they were helping a co-worker.

However, even if the criminal lied, their claims are credible, because such security blunders happen all the time. If the information is presumed to be of little value, then little effort is made to protect it.

In this case, the last four digits of a credit card are seen as useless, because on their own they don’t amount to much. But the problem is that they’re often used as a means of identification, which is a bad idea no matter how you look at it.

Add to that the fact that GoDaddy allowed the criminal to guess the first two digits of the card on the account, digits that are largely uniform across cards to begin with, and you have a breach just waiting to happen.

These little gaps in security are what social engineers will focus on, and given that people generally want to help others, all one needs is time. Eventually they’ll get what they want simply by asking.


GoDaddy’s CISO, Todd Redfoot, sent the following statement:

Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account.

The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.

Update 2:

Chris Hadnagy and Michele Fincher, two well-known social engineering experts, told the Hash that this was “a pure social engineering attack from start to finish.”

This would be a good opportunity to remind people to review their various accounts, passwords, and whether they allow any entities to store credit card or personal information. The attacker did his homework and came at the guy through multiple channels. The guy in the article suggested using a Gmail password as opposed to the domain password in case of compromise and extending your TTL – but it is a safer bet to do some things like:

Call your hosting / payment / card companies and have notes put on your account about information needed to give out your details;

Do not reuse passwords and make them stronger than you think you need;

Finally, review the companies you use to host and control things. It is a lot of work to switch companies especially if you host a lot of domains, so do your due diligence and choose one that will serve your needs.

Companies that hold our information are obviously not going to any extent to protect our information, so it’s up to the individual user. I am amazed at how easy it was for the attacker to trick PayPal. It is something that we just can’t imagine as many of us with PayPal accounts have had problems trying to do legit business with them. So this just blows me away personally. But it also points to the increasing number of MULTI-STAGED [Social Engineering] attacks. This is not new, but in the last few years we are seeing much more of these popping up.



Via: csoonline

Hackers deface Angry Birds website following NSA spying claims

The hackers placed an image with the message “Spying Birds” on the site’s home page.

The official Angry Birds website was defaced by hackers following reports that U.S. and U.K. intelligence agencies have been collecting user information from the game and other popular mobile apps.

Some users trying to access the website late Tuesday were greeted by an image depicting the Angry Birds game characters accompanied by the text “Spying Birds.” The U.S. National Security Agency’s logo was also visible in the image.

The NSA and Britain’s Government Communications Headquarters (GCHQ) have been working together to collect geolocation data, address books, buddy lists, telephone logs and other pieces of information from “leaky” mobile apps, The New York Times reported Monday based on documents provided by former NSA contractor Edward Snowden.

Mobile apps commonly collect data about their users and share it with advertising networks, which then use the information to build user profiles for targeted advertising.

A secret 20-page GCHQ report from 2012 contained code needed to extract the profiles generated when Android users play Angry Birds, The New York Times reported. It’s not clear if and how this data collection happens, but the reports were apparently enough to anger some hackers.

The defacement of the Angry Birds website seems to have been the result of a DNS (Domain Name System) attack where the site’s name servers were swapped with others under the attackers’ control.

“The defacement was caught in minutes and corrected immediately,” said Saara Bergström, vice president of marketing communications at Rovio Entertainment, the Finnish company that develops Angry Birds. “The end user data was in no risk at any point.”

Bergström said the attack was similar to the one against The New York Times last year, referring to an incident where attackers pointed the domain to a server they controlled by changing its DNS settings.

Because of how DNS changes propagate on the Internet, the incident was only visible to some users.

In many areas the attack was not visible at all, but in some affected areas it might take time for the correct information to be updated, Bergström said.

This delay is caused by how DNS resolvers — servers that resolve domain names to IP (Internet Protocol) addresses — cache records. Some servers might cache the information for a particular domain for a longer time than others, in which case changes won’t be visible to users that rely on those servers until the cached record expires.
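The name-server swap and the uneven visibility described above, as an added example that is not code from the article, Rovio or Zone-H: a toy caching-resolver model replays a delegation hijack and its rollback from two resolvers’ points of view, and an allow-list check shows how a domain owner can spot an unexpected NS record early. Every domain, name server and timing below is constructed.

```python
from dataclasses import dataclass


@dataclass
class CachedRecord:
    value: str
    ttl: int          # seconds the answer may be served from cache
    fetched_at: int   # simulated clock (seconds) when it was fetched


class CachingResolver:
    """Serves a cached answer until its TTL runs out, then asks authority again."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.cache = {}   # qname -> CachedRecord

    def lookup(self, qname: str, now: int, authority: dict) -> str:
        rec = self.cache.get(qname)
        if rec is not None and now < rec.fetched_at + rec.ttl:
            return rec.value                       # cache hit: authority is not consulted
        value, ttl = authority[qname]              # miss or expired: fetch and re-cache
        self.cache[qname] = CachedRecord(value, ttl, now)
        return value


# Constructed stand-ins; none of these names belong to the real site.
DOMAIN = "game.example"
LEGIT_NS = "ns1.legit-dns.example"
ROGUE_NS = "ns1.attacker-dns.example"
TTL = 3600


def simulate_ns_swap() -> dict:
    """Replay a name-server swap and its rollback as seen by two resolvers.

    Constructed timeline: t=0 resolver A caches the legitimate NS; t=900 the
    delegation is swapped; t=1000 resolver B queries for the first time and
    caches the rogue NS; t=1200 the registrar restores the record. Returns
    each resolver's answer at a few later sample times.
    """
    authority = {DOMAIN: (LEGIT_NS, TTL)}
    a, b = CachingResolver("A"), CachingResolver("B")

    a.lookup(DOMAIN, 0, authority)                 # A fills its cache before the swap
    authority[DOMAIN] = (ROGUE_NS, TTL)            # t=900: delegation hijacked
    b.lookup(DOMAIN, 1000, authority)              # B first asks inside the hijack window
    authority[DOMAIN] = (LEGIT_NS, TTL)            # t=1200: record corrected

    # A never saw the rogue record; B keeps serving it until its TTL expires at t=4600.
    return {t: {"A": a.lookup(DOMAIN, t, authority),
                "B": b.lookup(DOMAIN, t, authority)}
            for t in (1500, 4000, 5000)}


def unexpected_nameservers(observed: list, allowed: set) -> set:
    """NS hosts in a resolver's answer that are not on the domain owner's allow-list.

    Names are compared case-insensitively and without a trailing dot, as DNS
    treats them. Running this against several public resolvers on a schedule
    is the check that catches a delegation change before most users see it.
    """
    def norm(n: str) -> str:
        return n.lower().rstrip(".")

    allowed_norm = {norm(n) for n in allowed}
    return {n for n in observed if norm(n) not in allowed_norm}


if __name__ == "__main__":
    for t, answers in simulate_ns_swap().items():
        print(f"t={t:>5}s  A -> {answers['A']:<26}  B -> {answers['B']}")
    print(unexpected_nameservers([LEGIT_NS, ROGUE_NS], {LEGIT_NS}))
```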

A copy of the defacement can be viewed on Zone-H, a website defacement archive. It is attributed to a hacker using the handle Anti-NSA.

Rovio issued a statement Tuesday on its website denying that it collaborates or shares data with any government spy agencies.

“The alleged surveillance may be conducted through third party advertising networks used by millions of commercial web sites and mobile applications across all industries,” the company said. “If advertising networks are indeed targeted, it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance. Rovio does not allow any third party network to use or hand over personal end-user data from Rovio’s apps.”


Via: csoonline

Latest iTunes update bricks thousands of PCs

If you’re trying to install the latest iTunes update, version 11.1.14, on a Windows computer, you may be in for a rocky ride. Windows-based iTunes customers report problems with the latest update, and solving the issues can be a complex process.

Windows-based customers installing iTunes 11.1.14 have reported problems with corrupt Registry entries, MSVCR80.dll missing errors, nightly Genius update crashes, problems locating an attached iPhone, and much more.

Many — but not all — of those problems succumb when all Apple products are removed and reinstalled. Not just iTunes, mind you, but every program Apple has installed on your Windows computer. The screw-up is so common that Apple has a Knowledge Base article on the topic. It says:

In some rare instances, it may be necessary to remove all traces of iTunes and related software components from your computer before reinstalling iTunes. For most technical issues, reinstalling iTunes is an unnecessary and overused troubleshooting step. If you’re directed to reinstall iTunes by AppleCare, an article, or an alert dialog, you can do so by following the steps in this article.

I know a few thousand people who would dispute the “rare instances” characterization, but never mind.

The steps given in the KB article instruct you to use the Control Panel to remove all Apple products from your computer — iTunes, Apple Software Update, Apple Mobile Device Support, Bonjour, Apple Application Support — then download fresh copies and install them from scratch using Administrator rights (right-click on the downloaded EXE and choose “Run as administrator”).

Apple doesn’t mention it, but if your machine is locked up so tight it won’t boot, you have to go into Safe Mode. That’s easy in XP, Vista, and Windows 7, though a little bit tricky in Windows 8/8.1.

If you can’t uninstall Apple Mobile Device Support, you may be able to skip it and get the re-install to work correctly.

If you can’t remove the programs by using Safe Mode, try running a File Check.

A full uninstall and re-install shouldn’t remove any of your media files, but it should get everything working again.


Via: infoworld

Arts and crafts chain Michaels investigates possible data breach

Michaels, a large U.S.-based arts and craft store chain, said Saturday it is investigating a possible data breach after suspicious activity was detected on payment cards used at its stores.

The company opted to come forward without confirming a compromise because of the “widely reported criminal efforts to penetrate the data systems of U.S. retailers,” according to a company statement.

CEO Chuck Rubin said “it is in the best interest of our customers to alert them to this potential issue” so they can scan payment card statements for unauthorized charges, according to the statement.

The Irving, Texas, company, which had more than 1,105 stores in the U.S. and Canada as of May 2013, said it has contacted federal law enforcement and hired third-party data security consultants. It also owns Aaron Brothers, a 123-store chain in 11 U.S. states.

If Michaels confirms a breach, it would become the latest victim in a string of data attacks rattling merchants across the U.S. High-end retailer Neiman Marcus and department store Target announced data breaches earlier this month.

Both of those breaches occurred after attackers installed malicious software on their network that collected payment card details.

Target said as many as 40 million payment cards and up to 70 million other personal records were compromised between Nov. 27 and Dec. 15, 2013. CEO Gregg Steinhafel said malware was installed on point-of-sale terminals used to swipe cards.

Neiman Marcus said between July and October 2013, malware “scraped” payment card information from its system before the company learned of the fraud in December.

Security experts have seen point-of-sale malware for sale on underground forums since at least March 2013. The Target malware is believed to be a derivative of malware called “Kaptoxa,” which is Russian for “potato.”

That malware, also called “BlackPOS,” steals unencrypted card data just after it is swiped and sits in the POS terminal’s memory. This type of malware has also been termed a “RAM scraper.”

Last week, a 23-year-old living in Russia said he contributed code to the Kaptoxa malware. Rinat Shabayev, who lives in Saratov, Russia, said that the program could be used for illegal purposes but was intended as a defensive tool.

Computer security experts believe that Shabayev used an online nickname “ree4” and may have sold copies of the program for $2,000 or for a share of the profits. He hasn’t been charged, although experts think his customers may be behind the attacks.

There are many indications on underground forums that point-of-sale hacking campaigns are continuing, said Dan Clements, president of the cyberintelligence company IntelCrawler.

One hacker, believed to be based in the U.K., has posted a video on YouTube showing access to the system of an events company in the U.S. midwest. The company has not responded to a request for comment.

Another one of the hacker’s videos shows how he performs the attacks using a Microsoft connection protocol, RDP, or Remote Desktop Protocol.

RDP was developed by Microsoft to let administrators access remote computers. Since many POS terminals are Windows-based, Visa warned merchants last August that RDP log-ons should be disabled.

Postings on the underground forums seen by IDG News Service show that cybercriminals buy and sell access to point-of-sale terminals and other systems that have RDP enabled.

Intruders often try the default login and password for terminals, and if that doesn’t work, attempt brute-force attacks, which try many combinations of credentials. Vulnerable IP addresses can be probed from anywhere in the world for weaknesses.
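The default-credential and brute-force pattern described above, as an added detection example that is not code from the article, IntelCrawler or Visa: a sliding-window detector over constructed Windows Security events shaped like Event ID 4625 (failed logon) and 4624 (successful logon) with Logon Type 10 (RemoteInteractive, i.e. RDP). The event lines, IP addresses and account names are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, event id, logon type, source IP, account.
# Source 203.0.113.45 cycles through common administrative/default account
# names and then logs on successfully; the other sources are ordinary noise.
SAMPLE_EVENTS = """\
2013-11-27T02:14:05 4625 10 203.0.113.45 administrator
2013-11-27T02:14:07 4625 10 203.0.113.45 admin
2013-11-27T02:14:09 4625 10 203.0.113.45 pos
2013-11-27T02:14:11 4625 10 203.0.113.45 POS1
2013-11-27T02:14:13 4625 10 203.0.113.45 user
2013-11-27T02:14:15 4625 10 203.0.113.45 administrator
2013-11-27T02:20:00 4624 10 203.0.113.45 administrator
2013-11-27T09:05:00 4625 10 198.51.100.7 jsmith
2013-11-27T09:05:40 4624 10 198.51.100.7 jsmith
2013-11-27T09:06:00 4625 2 192.0.2.10 cashier
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_events(text: str) -> list:
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def detect_rdp_guessing(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`.

    Returns {src: {"failures": peak count in a window,
                   "accounts": sorted account names tried,
                   "success_after": True if a successful RDP logon followed}}.
    A success after a guessing burst is the case to treat as a compromise,
    not just as noise.
    """
    recent = defaultdict(deque)   # src -> failed events inside the current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                              # console/network logons are out of scope
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev)
            while q and ev["time"] - q[0]["time"] > window:
                q.popleft()                       # drop failures older than the window
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    src, {"failures": 0, "accounts": set(), "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"].update(e["account"].lower() for e in q)
        elif ev["event_id"] == SUCCESSFUL_LOGON and src in alerts:
            alerts[src]["success_after"] = True
    return {src: {"failures": a["failures"],
                  "accounts": sorted(a["accounts"]),
                  "success_after": a["success_after"]}
            for src, a in alerts.items()}


if __name__ == "__main__":
    for src, alert in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert)
```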

The hacker who posted on YouTube showed he had access to sales orders of the events company between 2009 through 2012. Various video frames show customer names, addresses, email addresses, credit card numbers and expiration dates.

An analysis by IntelCrawler shows a thriving interest in RDP hacking. Its analysts gather data from password-protected forums used by cybercriminals, which gives insight into the latest trends.

On Nov. 27, the day that Target believes hackers began collecting payment card details, a posting on a Russian-language forum showed a buyer offering $100 for access to a hacked RDP POS terminal.

The buyer was interested in Track 1 and Track 2 data, which is information coded on the back of a payment card’s magnetic stripe. Track 1 data contains the card number, the holder’s name and the expiration date, while Track 2 data contains the card number and expiration date.


Via: csoonline

Microsoft nixes SkyDrive, picks OneDrive as new name

After trademark lawsuit loss to BSkyB last year, announces rebranding for consumer and commercial online storage service.

Microsoft said it had renamed its SkyDrive online storage services as OneDrive, picking a name six months after striking a deal with a British broadcaster that had taken the American firm to trademark court.

“Changing the name of a product as loved as SkyDrive wasn’t easy,” Microsoft acknowledged in a post to a new blog. “We believe the new OneDrive name conveys the value we can deliver for you and best represents our vision for the future.”

Microsoft picked a new name for its online storage service after agreeing to give up SkyDrive last year. (Image: Microsoft.)

Microsoft was forced to rebrand the service — as well as its for-business SkyDrive Pro, which took the name OneDrive for Business — after it lost a trademark infringement case last year brought by British Sky Broadcasting Group (BSkyB), the massive television and broadband Internet service provider owned in part by Rupert Murdoch.

In late July, Microsoft and BSkyB announced a settlement that gave the former a “reasonable period of time to allow for an orderly transition to a new brand” for SkyDrive. In return, Microsoft pledged to drop its plans to appeal the U.K. court’s ruling.

Current users of SkyDrive and SkyDrive Pro need do nothing as the name change propagates through Microsoft’s properties. “The service will continue to operate as you expect and all of your content will be available on OneDrive and OneDrive for Business respectively as the new name is rolled out across the portfolio,” said Ryan Gavin, general manager of Microsoft’s consumer apps and services group, in the blog.

It wasn’t the first time that Microsoft stumbled with a brand name.

In mid-2012, the Redmond, Wash. company dropped the term “Metro” — which it had used to describe the tile-based, touch-first interface in Windows 8 and the apps that ran in the UI — after Metro AG, a Dusseldorf, Germany-based retail conglomerate, threatened the company. Microsoft has failed to find a catchy replacement for Metro. At one point it cited “Modern” as the new term, then settled on the forgettable “Windows Store” to label the apps, all to little avail: Most references to the UI and apps continue to use Metro.

One public relations expert took Microsoft to the woodshed last year for flailing a second time in branding. “It’s unbelievable to me that Microsoft did not see this coming,” said Peter LaMotte, an analyst with Washington, D.C.-based strategic communications consultancy Levick.

According to a WHOIS search of domain registrations, was originally claimed in 1998. On Jan. 23, 2014, the status of the domain was updated; it now shows as owned by Dynadot, a San Jose, Calif. domain name registrar and website hosting firm.


Via: computerworld

FBI warns of crimewave hitting cash registers

The US Federal Bureau of Investigation (FBI) has warned retailers to harden their defences against cyber-heists – particularly those that latch onto credit card details from shoppers, as apparently happened to Target.

The BBC reports that Reuters got its hands on the warning, which went out as a confidential report to large retailers.

The FBI reportedly said that over the past year, it’s seen about 20 cases in which data was stolen using the same type of malware as that inserted onto Target’s credit and debit card swiping-machines, cash registers and other point-of-sale (PoS) equipment.

The agency expects PoS malware crime to continue to grow in the near term, despite whatever mitigations law enforcement and security firms throw at it.

The profits are huge, and the PoS virus code is both too cheap and too widely available on underground markets for thieves to resist, the FBI said.

According to the FBI’s report, one copy of this type of PoS malware was found on sale for only $6,000 (£3,600).


That’s actually a bit pricey. I don’t know where they’re shopping, but they’re paying top dollar.

Cybersecurity consultants Group-IB back in September 2013 actually found booby-trapped bank card readers for half that price.

The ones they came across were bundled with a suite of money-stealing support services that offered to make fraud crimes a snap: $2,000 (£1,200) on a hire-purchase basis or $3,000 (£1,800) for those crooks who just want to buy the hacked terminals outright.

The FBI wasn’t naming names when it came to whose PoS systems have been ambushed, mind you, but the name Target is the one that’s ringing a lot of bells in that department these days.

A couple weeks ago, Target CEO Gregg Steinhafel told CNBC in an interview that there was malware installed on the retailer’s PoS registers.

We don’t know yet whether those rigged registers were behind the breach of Target’s (at least) 70 million data records (I know, I know, there were 40 million records originally thought to be stolen, then there was another clump of 70 million, but like Paul Ducklin has said, we don’t know if there’s overlap between the two data sets, so let’s echo his “at least 70 million”).

But it wouldn’t be terribly surprising if those hacked PoS systems were the means by which the thieves got to the vast universe of Target customers and guests.

As SophosLabs researcher Numaan Huq describes in this Naked Security article, this type of card fraud is ripe for setting us up to get card data plucked from our hands if we so much as pull out the plastic to pay for one measly candy bar.

In fact, “Buy candy, lose your credit card” is the name of a 2014 RSA security conference session in which Numaan and Chester Wisniewski will be presenting a paper on the industrialization of this type of card fraud, in February.

The subject of the paper and the presentation is one specific type of PoS malware called RAM scraping – very interesting stuff that gets into the nuances of how data is most definitely not encrypted end-to-end in PoS systems, in spite of their being compliant with the payment card industry’s data security standards, PCI-DSS, and how RAM scraping takes advantage of that.

What’s the best approach to keeping your card data safe?

Like the FBI most likely detailed in its confidential report and Numaan absolutely did advise, businesses both big and small need to invest in protecting their critical PoS infrastructure.

As consumers, we should proactively sign up for credit monitoring so we can stay on top of our identities before they’re stolen out from under us, he also recommends.

And when it comes to paying for that candy bar, should you perhaps: a) not buy it? Sugar’s bad for you! Or maybe even b) think about using that relic we call cash?

What do you think? Have you been hit by the Target or any other PoS breach? I’ve had to cancel one card in the past week, myself.

Please feel free to share your own personal breach story below, and do let us know how you’re handling the recent rash of PoS theft, whether it’s with credit monitoring services, paying cash or any other measure.


Via: nakedsecurity

Yahoo Acquires Virtual World Gaming Startup Cloud Party, Will Shut It Down

Yahoo is doing more than just throwing shade at Google on Twitter today and then taking it back – the company has acquired Cloud Party, a browser-based game creation engine. In a blog post, the Cloud Party team shared that they will be joining Yahoo after two years of operation, and that the service will shut down on February 21, 2014.

Cloud Party is the work of a founding team of MMO and console game industry vets, including Sam Thompson (formerly of Cryptic and Pandemic), Jimb Esser (also ex-Cryptic), Conor Dickinson (ex-Facebook, Tomb Raider dev and Cryptic alum) and Jered Windsheimer (Cryptic, natch). They built Cloud Party as a sort of free-form virtual world experience, similar to Second Life, but with an updated view of what an online virtual world might look like with more emphasis on user-generated 3D content.

It’s not exactly clear what the team will be working on at Yahoo, but it will definitely be games related, as Thompson notes in his farewell blog post that the Cloud Party squad is “excited to bring [its] vision and experience to a team that is as passionate about games as [they] are.”

Of course, Yahoo has a games portal of its own, but nothing quite so ambitious as a browser-based virtual world. Perhaps it’s thinking about doing something in that direction, but it’s more likely this was a small acquisition designed to bring some strong video game engineering (Cloud Party works in the browser with no plugins necessary) on board, with the ultimate aim of using that talent to fuel Yahoo’s own separate ends.

If you happen to be an existing Cloud Party user, there’s a guide provided by the startup to help you export your data. Yahoo continues its habit of picking up small startups with unique and divergent skill sets, but only time will tell if these are merely an engineering talent grab to help shore up some of Yahoo’s talent losses to more appealing firms over the past few years, or whether some of these things result in new product launches for the big purple exclamation mark.

It’s also worth noting that Yahoo acquired a gaming infrastructure startup back in May of last year. PlayerScale, the company in question, builds the bones for cross-platform gaming, and supported over 150 million players worldwide at the time of acquisition. The platform continues to operate, and is slated for updates and improvements with the help of Yahoo’s backing, according to PlayerScale’s founder Jesper Jensen. Together, PlayerScale’s backend and Cloud Party’s everything else could make for some very interesting games-related development coming out of Yahoo.

When contacted for comment, a Yahoo spokesperson provided the following statement to TechCrunch:

Yahoo has acquired Cloud Party, a company that has created a virtual 3D experience, directly in users’ browser. With Cloud Party, users can build and create a world, customize an avatar, and share easily on the web without any downloads or plug-ins. The Cloud Party team is extremely committed to user experience and to the creativity that their product released in people. We’re excited to merge their unique perspective and experience with a team that is just as passionate about gaming.


Via: techcrunch

PC Monitor Lets You Monitor Your IT Systems From Your Phone, Adds Raspberry Pi, Zendesk And PagerDuty Support

PC Monitor is an Irish startup that was born of a simple idea: Why is it so hard to remotely shut down your computer? That’s what its founder and CEO Marius Mihalec asked himself in 2011. Because he wanted to build a modern and extensible service, he decided that just having remote desktop access to a PC wasn’t enough. Instead, he wanted a cloud-hosted solution with a user-friendly mobile app that abstracted the desktop away.

What started out as a very basic idea has now morphed into a full-blown IT monitoring solution for desktops, servers and applications that run in the cloud. The service currently has over 200 enterprise customers that include the likes of Dell, Louis Vuitton, Northwestern University, Condé Nast and British Columbia Institute of Technology.

Using PC Monitor, Mihalec tells me, IT admins can quickly diagnose issues with a given PC, router or other asset remotely and reboot the machine. Users can also get notifications for virtually any event on their machines. Thanks to its API, it’s also essentially a complete monitoring platform that you could use to keep an eye on their machines and servers. When it comes to alerts, Mihalec believes, his solution can go as deep as New Relic.

Because of this extensibility, PC Monitor is now able to natively support Raspberry Pi, too (besides PCs, Macs, Linux machines and .NET and Java apps). Using the company’s standard APIs, Raspberry Pi owners can now use the service to bridge the gap between the real world, hardware connected to the Pi and their mobile devices.

As part of an update the company released today, PC Monitor now also features integrations with PagerDuty to create SMS and phone notifications and ZenDesk to automatically create tickets based on PC Monitor’s notification criteria. The service now also supports VMWare systems, which allow users to check up on their virtual machines and hosts remotely.

“Enterprise IT isn’t typically seen as a business with lots of innovation, but we’ve worked very hard at PC Monitor to provide an amazing product experience to our customers,” Mihalec said. “With these latest product additions, we’re continuing our commitment to our customers to provide an unparalleled experience for IT administrators all over the world.”

PC Monitor is free for users who want to monitor fewer than five systems and just need a single admin account. Subscriptions start at $1 per system/month for those who need to monitor more machines. The service offers mobile apps for iOS, Android and Windows Phone, as well as Metro-style and desktop Windows apps.


Via: techcrunch

Microsoft Azure Drops Storage Prices To Match Amazon’s Latest Price Reduction

Earlier this week, Amazon Web Services reduced its prices for its S3 cloud storage service and today, Microsoft is following suit with a price reduction for its own cloud storage services.

Locally redundant storage on Azure now matches Amazon’s prices and Azure Storage transactions are getting a 50 percent price cut, which matches Amazon’s latest price cuts. In addition, Microsoft’s Locally Redundant Disks/Page Blobs Storage is seeing a 28 percent price reduction.

Last April, Microsoft said it would match any AWS price drop, so today’s announcement isn’t surprising. Given that its new prices are effective worldwide, Microsoft argues, today’s price drop actually means that Azure storage will now be less expensive than AWS’s offerings in some regions.

In its announcement today, Microsoft also stressed that, while pricing is obviously important for its users, it also wants to offer “best in class reliability / scalability.” Specifically, the company argues that its redundant storage option means data will also be replicated in data centers that are at least 400 miles apart. Microsoft also argues that because its users get durable storage with their virtual machines at no extra charge – whereas AWS customers have to pay for storage space on EBS – its service can be significantly cheaper for customers who rely on this kind of storage for their apps.


Via: techcrunch

ATMs could be compromised when Windows XP support ends

The vast majority of bank ATMs today run Windows XP. This could become a problem come April.

If you think getting your father or elder family member to upgrade their old XP PC is tough (“Why?” they ask. “It works just fine,” they say.), imagine what the banks face. They will be hit hard by the end of support for Windows XP because almost all of the automatic teller machines (ATMs) in the country use XP.

Bloomberg reports that the majority of the 420,000 ATMs in the U.S. run XP, although there are some using Windows XP Embedded, a basic version of the OS that is less susceptible to viruses. Microsoft will support that until early 2016.

And the rest? Well, hopefully most of them can be upgraded to Windows 7, because like the XP on your grandfather’s eight-year-old Dell PC, these ATMs will no longer receive upgrades and patches. Either that or they will be junked, and chances are good for the latter. There are independent ATMs out there, the kind you find in gas stations and convenience stores, not allied with any one bank, that look like they are 30 years old.

And unlike the old Windows PCs sitting in doctor offices that likely don’t have an Internet connection, ATM machines have to be wired 24/7 for transactions.

An executive with an ATM software provider says he expects only 15% of bank ATMs in the U.S. to be on Windows 7 by the April deadline, but that it’s not unusual for the ATM industry to move slowly. “As a rule, security patches that directly affect the machines might be issued only once a quarter,” he said.

Coming on the heels of the Target breach, that does not inspire confidence.

How quickly the banks respond remains to be seen. Maybe the Target incident will motivate them. No one wants to end up on the news like Target has. Microsoft is selling custom extensions to the banks, but the costs can be considerable when multiplied over the number of ATMs. No one would discuss the price, but I hope it’s cheap, because this is no time to get greedy.

The cost of upgrading an ATM ranges from a few hundred dollars if it’s just software to a few thousand if new hardware is needed and the ATM is upgradable. The good news is that Windows 7 will enable advanced touch features, like swipe and pinch, something we’re all used to on our smartphones.

But something tells me come April, we’ll be better off staying away from non-bank ATMs.


Via: networkworld