Amazing video. Thanks to BoingBoing for spotting it.
Category Archives: Security
Chip and PIN is “broken”
Looks like Ross Anderson and his colleagues have done it again. This report of their new research paper says that Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud.
Researchers at Cambridge University have found a fundamental flaw in the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation for debit and credit cards.
As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.
“Chip and PIN is fundamentally broken,” Professor Ross Anderson of Cambridge University told ZDNet UK. “Banks and merchants rely on the words ‘Verified by PIN’ on receipts, but they don’t mean anything.”
The researchers conducted an attack that succeeded in tricking a card reader into authenticating a transaction, even though no valid PIN was entered. In a later test, they managed to authenticate transactions, without the correct PIN, with valid cards from six different card issuers. Those issuers were Barclaycard, Co-operative Bank, Halifax, Bank of Scotland, HSBC and John Lewis.
The central problem with the EMV protocol is that it allows the card and the terminal to generate ambiguous data about the verification process, which the bank will accept as valid.
In particular, the terminal can record that a PIN verification has taken place, while the card itself receives a verification message that does not specify that a PIN has been used. The resultant authorisation by the terminal is accepted by the bank, and the transaction goes ahead.
This means that while a PIN must be entered, any PIN code would be accepted by the terminal.
Sigh. Back to barter again. Or perhaps that fancy new-fangled thing called cash?
Google turns to the spooks
I know that cloud computing is wonderful, etc. but have you noticed this development?
Just the thought is enough to send an involuntary little shiver up your spine: Google — keeper of a vast repository of data on our activities, interests and connections — working hand-in-hand with the National Security Agency — the top-secret electronic surveillance specialists who have been known to go rogue from time to time. But according to sources who spoke to the Washington Post, there are delicate talks now going on to form such a partnership with the goal of fortifying Google’s defenses against the kind of espionage-oriented hacking attacks launched from China against it and dozens of other U.S. companies in December.
Google reportedly approached the NSA shortly after the attacks, but in an indication of the sensitivity of such an arrangement, the talks have been going on for weeks. Reports the Post: “Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google’s policies or laws that protect the privacy of Americans’ online communications. The sources said the deal does not mean the NSA will be viewing users’ searches or e-mail accounts or that Google will be sharing proprietary data.” What the agency would do, as it has with other corporations, is help Google evaluate hardware and software vulnerabilities and gauge the sophistication of its attackers.
At face value, it all sounds reasonable, especially given the suspicions of state support for the Chinese hacking, but of the many things the NSA can tap, a deep reservoir of public trust is not one.
Amen.
The FT’s Gideon Rachman spent the morning at the International Institute for Strategic Studies’s briefing on their annual survey of the ‘Military Balance’. He reports that
The briefing offered by the IISS experts ranged fascinatingly over a variety of topics from the Iranian nuclear programme, to Russia’s new military doctrine and the links (or lack of them) between al-Qaeda and Iran.
But the thing I found most interesting was the confirmation that cyber-security is the hot issue of the day. John Chipman, the head of the IISS, says the institute is about to launch a special study of cyber-security which raises all sorts of fascinating issues about hard power, about the responsibilities of states and about international law. What if a country’s infrastructure could be destroyed as effectively by a cyber-attack, as by an invasion of tanks? How do you defend against that? How do you identify the culprits? And what does international law have to say about the issue – might we have to revise our definitions of what constitutes an act of war? Chipman argues, plausibly, that we are now at an equivalent period to the early 1950s. Just as strategists had to devise whole new doctrines to cope with the nuclear age, so they will have to come up with new ideas to cope with the information age.
And over at the Guardian Charles Arthur has an exhaustive (or should that be exhausting?) analysis of whether the UEA Climate Research Unit’s emails were hacked. His conclusion:
After the July incident, perhaps CRU failed to batten down the hatches, either through technical failings or because someone inside was subverting the efforts. So what happened in November?
Rotter blogged his theory last year. “In the past I have worked at organisations where the computer network grew organically in a disorganised fashion. Security policies often fail as users take advantage of shortcuts … one of these is to share files using an ftp server … This can lead to unintentional sharing with the rest of the internet.”
He added that files were perhaps put “in an ftp directory which was on the same central processing unit as the external webserver, or even worse, was on a shared driver somewhere to which the webserver had permissions to access. In other words, if you knew where to look, it was publicly available”.
If this hypothesis turns out to be true, UEA may end up looking foolish. For there will be no one to arrest.
In other words, the cock-up theory of history rules ok.
‘Climate emails hacked by spies’
From today’s Independent.
A highly sophisticated hacking operation that led to the leaking of hundreds of emails from the Climatic Research Unit in East Anglia was probably carried out by a foreign intelligence agency, according to the Government's former chief scientist. Sir David King, who was Tony Blair's chief scientific adviser for seven years until 2007, said that the hacking and selective leaking of the unit's emails, going back 13 years, bore all the hallmarks of a co-ordinated intelligence operation – especially given their release just before the Copenhagen climate conference in December.
The National Security State
When I opened this morning’s Guardian I had a fleeting thought that it must be April 1st. But it isn’t. This crazed stampede into ubiquitous surveillance is really scary. The big question now is whether a Tory administration would pull back from this precipice. I’m not holding my breath.
And the lead contractor, BAE Systems, is the company that Tony Blair decided should not be prosecuted by the Serious Fraud Office on ‘national security’ grounds.
Not us, guv
You may be puzzled by this Telegraph report.
Both France and Germany’s governments have respectively advised computer users to download an alternative web browser to the most popular browser in the world, after a security flaw was detected.
The French government issued an advisory to computer users, recommending that they switch to a different web browser, such as Firefox or Google Chrome. It follows a similar move by the German government, after it was discovered that Internet Explorer contained a serious security flaw that could be exploited by hackers and cybercriminals.
However, a spokesman from the British Cabinet Office told The Telegraph that the British government would not be issuing a similar warning and instead would be referring anyone who was concerned about cyber security to getsafeonline.org.
Microsoft last week admitted that its Internet Explorer browser was the weak link in recent attacks by hackers who pried into the email accounts of human rights activists in China. But the company said that the German government had over-reacted about the threat posed by the vulnerability, and that general users were not at risk.
Cliff Evans, head of Security and Privacy at Microsoft UK, advised people who were still using Internet Explorer version 6 to upgrade to version 8 – which is the most recent version of the browser and less susceptible.
He said: “The quantity of exploits which have occurred has been minimal and very targeted. The general public do not need to worry and we have not yet had a case in the UK.”
Of course, this could be an example of the UK government keeping its head while all around them others are losing theirs.
Alternatively, it could be due to the awkward fact that every PC in the vast NHS system is required to run IE 6 — which is a real pain if you’re a company trying to pitch web 2.0 products at the health service.
LATER: Charles Arthur’s take on it in the Guardian.
The Chinese ‘attack’ on Google
Best explanation I’ve come across.
Now the French government is advising people to stop using IE
Well, well. Even I’m surprised by this.
Following in the footsteps of Germany last week, France is now advising its population to use an alternative browser pending a patch for an Internet Explorer vulnerability.
The French Computer Emergency Response Team (CERT) published an advisory on Friday January 15 stating “pending a patch from the publisher, CERT recommends using an alternative browser.” In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6.
Last week the German Federal Office for Security in Information Technology (BSI) issued a similar advisory urging its population to stop using IE. According to the BSI the flaw will, put simply, “perform reconnaissance and gain complete control over the compromised system.” The BSI noted that even running Internet Explorer in Protected Mode isn’t enough to stop the flaw. Microsoft issued further insight into the vulnerability this morning in a company blog posting. The software giant confirmed the exploit is only effective against Internet Explorer 6.
Wonder if French and German users will pay any attention to this.
How secure is the cloud?
Not as secure as the vendors might like to think — at least according to this useful and informative piece by David Talbot.
Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.
In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it. They hired some virtual machines to serve as targets and others to serve as attackers–and tried to get both groups hosted on the same servers at Amazon’s data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars. While they didn’t actually steal data, the researchers said that such theft was theoretically possible. And they demonstrated how the very advantages of cloud computing–ease of access, affordability, centralization, and flexibility–could give rise to new kinds of insecurity. Amazon stressed that nobody has successfully attacked EC2 in this manner and that the company has now prevented that specific kind of assault (though, understandably, it wouldn’t specify how). But what Amazon hasn’t solved–what nobody has yet solved–is the security problem inherent in the size and structure of clouds.
Good article, worth reading in full. Also includes an interesting animation of how the exploit was carried out.
What Homeland ‘Security’ knows about US citizens (and probably us too)
This is just one of a series of interesting pics of a document obtained under a Freedom of Information request in the US. More details here.