Chip and Pin Bank Cards

US banks are finally rolling out a new and more secure type of debit and credit card technology that should strengthen their security. Currently cards use a magnetic strip that holds the card number and expiration date which provides very little security since the card number is being transmitted over the point of sale device and the magnetic strip makes it easy to clone a credit card with stolen information. The EMV “smart card” technology (a joint effort of Europay, MasterCard, and Visa) cards have a built in chip that replaces the functionality of the magnetic strip. However, the chip provides much more security because every time it is used, it generates a one-time transaction code that is cryptographically signed and transmitted. This means that if thieves are able to skim a point of sale terminal or hack into a retailer’s network the codes they steal are worthless. This could have prevented much of the damages caused by breaches like Target, where millions of card numbers where stolen.
emv-credit-card~126313
These EMV card are not exactly new technology since they have been available since the early 2000’s and most of the rest of the world has already adopted them as the gold standard. The roll out in the US has been very slow because of the great costs of issuing new cards and upgrading point of sale terminals at retail locations. However, with the rise in identity theft and credit card fraud at an all time high, the credit card companies are pushing for the new more secure technology. They are forcing the retailers to transition to the EMV chip and pin terminals by setting a deadline of October 1st, 2015. After that all any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place could face increased liability and fines for fraudulent transactions incurred if card data is stolen from them.
Author: Charles Leavitt

Source: http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/

Apple Releases ‘Rootpipe’ Patch

Apple released a software patch this past week to address a security hole created by a hidden backdoor API known as Rootpipe. Rootpipe was discovered in October of 2014. It leaves a vulnerability in OS X that has existed since at least release 10.7. The API can be exploited to gain root privileges.

A patch has been released this past week to address the issue. Latest updates to the OS X operating system will include this patch. However, Apple will not be releasing a patch for any system running below version 10.10. Of three billion internet users NetMarketShare data shows that around 3.1 percent of them are using Mac OS versions with the vulnerability, 10.7/8/9 that will not be patched. Forbes estimates that conservatively this will mean that two percent of three billion internet users will remain vulnerable to the exploit, around sixty million computers.

Although the vulnerability was discovered last October it has been part of Mac OS X since 2011 when version 10.7 was originally released. Mac users should update their software as soon as possible to patch this as well as around eighty other security issues.

Jacob R Hooker

Edit: An earlier version of this article misstated the world’s estimated three billion internet users as Mac users and has been updated to correct the error.

Source:

http://www.forbes.com/sites/thomasbrewster/2015/04/09/apple-leaves-rootpipe-backdoors-in-3-per-cent-of-all-pcs-on-the-planet/?ss=Security

http://www.securityweek.com/apple-finally-patches-%E2%80%9Crootpipe%E2%80%9D-privilege-escalation-flaw-os-x

 

The Importance of a Strong Password

Passwords are important to prevent unauthorized access. In some cases, a strong password might not be thought necessary due to other security measures. Many iPhones are protected with a 4 digit pin, which is trivial to crack via brute force means. For security, iPhones are set to wipe all data on the phone after too many passcode mistakes are made. However, there’s a new attack that doesn’t allow the iPhone to keep track of passcodes attempted, making a short 4 digit pin much more dangerous.

Using a simple black box, a device that sends passcodes and keeps track of failed combinations, brute forcing an iPhone suddenly became viable. By wiring the device into the iPhone’s battery, the device can cut power to the iPhone before it can be recorded that a bad passcode was attempted. After a reboot, the phone has no idea that someone tried a bad passcode, allowing for every combination to be tried.

Black Box being used to crack an iPhone passcode

The device in action

With the time it takes to reboots (~40 seconds) it would take upwards of 5 days to crack a 4 digit pin with 10,000 combinations. The issue is known and likely has been patched in iOS 8.2 (the vulnerability being in iOS 8.1). While the problem is easily fixed at the software level, the problem can also be easily avoided with a stronger password. The reason this brute force works is because of the 4 digit pin; having a character password or even a longer pin would make a brute force less viable. Even at the expense of convenience, a strong password is vital for protecting your information, as other means of security may not always be as secure as you think.

Sources:

The researchers who discovered and tested the device – http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html

Sophos blog with more details on the device and pin security – https://nakedsecurity.sophos.com/2015/03/17/black-box-brouhaha-breaks-out-over-brute-forcing-of-iphone-pin-lock/

One retailer with the device in question – http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/

More about the device:

The actual device works via a usb connection to the iPhone and a separate connection to the battery. It sends virtual input to the iPhone, and measures the iPhone’s screen brightness for certain levels of intensity, so that it is known if a pin was good, cutting power if it wasn’t. It’s called an “IP Box”, and isn’t hard to get online, though it isn’t easy finding the original developer for this specific device. Devices like this that hook into phones for virtual input is not a new concept, so the same kind of exploit is theoretically possible for other types of phones (e.g. Android). However, it’s unknown whether this specific exploit to brute force without data being wiped is also on other phone platforms.

 

-Maximillian McMullen

Hackers Use an Android App for Sex Extortion

Trend Micro, a cybersecurity firm based in Texas, has discovered an Android app that hackers are using to extort victims.

The app would essentially turn a victim’s device into a recorder, and intercept all messages and phone calls that went through. First, the hackers would attempt to lure their victims through the use of chatting tools like Skype. They would then fake audio and messaging issues to try and fool a potential victim into downloading a malicious Android app, which has the ability to steal phone numbers, as well as passwords and address books.

plan

Many of the hackers have used the stolen information in an attempt to extort and blackmail victims. Trend Micro traced the email, social media, and bank accounts of the Android app developers to China, and discovered that multiple bank accounts were opened for several extortion campaigns. It is believed that hackers are mostly preying on victims in China and Korea.

maliciouspackage1

maliciouspackage2

Benny Tan


Sources:

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-sextortion-in-the-far-east.pdf

http://bits.blogs.nytimes.com/2015/03/24/hackers-use-an-android-app-for-sex-extortion/?_r=0

http://timesofindia.indiatimes.com/tech/tech-news/Hackers-use-an-Android-app-for-sex-extortion/articleshow/46681750.cms

Update on the CISA Bill

The bill that I brought up in my last presentation has been making headway ever since, though no one is sure if it’s for worse or better. For those who don’t remember, this bill was the one that would allow the government and private companies to share data–including personal information–with each other in order to “to prevent and respond to cybersecurity threats.” As was aptly pointed out last time around, it was clear that there were a lot of loopholes in this bill that would essentially allow the government/companies to share whatever data they deemed necessary without any users knowing that their personal information was being circulated.

On March 12th, a slightly updated version of the bill was passed by a vote of 14-1. The one man who voted against it, Senator Ron Wyden, had this to say: “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name. It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.” These worries aren’t unfounded, as the most recent publicly released iteration of CISA (Cybersecurity Information Sharing Act) shows that it also allows for sharing of private data that could “prevent terrorism or an imminent threat of death or serious bodily harm.” Robyn Greene, of the Open Technology Institute privacy counsel, argues that could mean CISA might “facilitate investigations into garden-variety violent crimes that have nothing to do with cyber threats.” Even more worrying is the fact that the information could be used in investigations into crimes with no connection to cybersecurity, like carjacking or ID fraud; while these crimes are terrible, they should not be investigated using information that is ostensibly only about cybersecurity.

There is still some hope for this bill being an actually good thing though, depending on how you look at it. Before it was passed, a closed-door session saw a dozen amendments added onto the bill, none of which have had information released about them yet, though intelligence committee chairman Richard Burr said that some of them were designed to prevent user information from being shared with the government too openly. If all goes well and we believe strongly enough, this bill could have had enough protections for users added into it that it can be an objectively good thing in preventing cyber crime in coming years. But, if all goes poorly, then the bill has potential to seriously harm privacy rights. The fact that these amendments were added without public knowledge of what they are is a seemingly damning factor, but for now, it’s unclear just how good or bad this really could be.

 

Article on wired.com : http://www.wired.com/2015/03/cisa-cybersecurity-bill-advances-despite-privacy-critiques/

– Arron Reed