CUISPA
Podcast #31 – Try Not to Fall Asleep!
Panelists:
John Brozycki, Alex Rams, Larry Porres
Recorded:
7/19/2010
Questions, comments, or something you'd like us to cover? Contact us at: podcast@cuispa.org
I. News stories
1) Security researcher discloses MS vulnerability
Security researcher discloses vulnerability 5 days after notifying MS because he doesn't think they're taking it seriously enough. Hackers start using it to write exploits. "Security researchers" get upset with the way the first researcher was treated, form a group to release other MS exploits. Really? Really? Grow up!
http://www.csoonline.com/article/598978/microsoft-to-patch-google-engineer-s-zero-day-
http://www.computerworld.com/s/article/9178878/Angry_researchers_disclose_Wi
2) Internet Fraud Alert site established. Looks to provide a conduit for providing FIs with customer/member info recovered from criminal activity.
3) FBI investigating AT&T iPad security breach
The FBI says it is investigating a data breach at AT&T that exposed the e-mail addresses of more than 114,000 owners of the Apple iPad, including government officials.
The agency said on Thursday that it is looking into "the potential cyber threat" from the breach.
AT&T Inc. said it has no comment. The Dallas-based phone company acknowledged Wednesday that it had exposed the e-mail addresses through a Web site, and had closed the breach.
The vulnerability only affected iPad users who signed up for AT&T's "3G" wireless Internet service.
http://www.businessweek.com/ap/financialnews/D9G922CG0.htm
AT&T apologizes, blames hackers for iPad e-mail breach
4) Chip and PIN is broken
We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.
Our technical paper Chip and PIN is Broken explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ and the press release.)
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
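The security point in the story above is that the cardholder-verification negotiation is not tied to anything the issuer later checks, so card and terminal can be left with different views of how the cardholder was verified. The following toy model, added here as an illustration and not code from the Cambridge paper or from any EMV implementation, shows the consequence and the corresponding defence: when the card's own view of the verification method is bound into the transaction cryptogram, the issuer can spot the mismatch and decline. The key, PIN, amounts and message flow are constructed and much simpler than real EMV.

```python
"""Toy model of an unauthenticated cardholder-verification (CVM) negotiation.

Constructed illustration: a card and a terminal agree on how the cardholder
is verified (PIN or signature). If that agreement is not bound into anything
the issuer checks, a device sitting between card and terminal can let each
side believe a different CVM was used. Binding the card's view of the CVM
into the transaction cryptogram lets the issuer detect the mismatch.
Names, keys and the PIN are constructed; the real EMV flow is more involved.
"""
import hmac
import hashlib

CVM_PIN = "PIN"
CVM_SIGNATURE = "SIGNATURE"

# Constructed shared secret between card and issuer (in EMV this would be a
# per-card key derived from an issuer master key).
CARD_KEY = b"constructed-card-key"
CARD_PIN = "1234"          # constructed reference PIN held by the card


def cryptogram(amount, cvm_seen):
    """MAC over the transaction data. cvm_seen is None when the CVM result
    is NOT bound into the cryptogram (the weak design)."""
    data = f"{amount}|{cvm_seen or ''}".encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()


class Card:
    def __init__(self):
        self.cvm_seen = None

    def verify_cardholder(self, cvm, pin=None):
        """Card-side CVM step. Only the PIN path checks anything."""
        self.cvm_seen = cvm
        if cvm == CVM_PIN:
            return hmac.compare_digest(pin or "", CARD_PIN)
        return True   # signature: the card has nothing to verify

    def generate_cryptogram(self, amount, bind_cvm):
        return cryptogram(amount, self.cvm_seen if bind_cvm else None)


class Issuer:
    def authorise(self, amount, terminal_cvm, crypt, bind_cvm):
        """The issuer recomputes the MAC from what the terminal reported."""
        expected = cryptogram(amount, terminal_cvm if bind_cvm else None)
        return hmac.compare_digest(expected, crypt)


def run_transaction(pin_entered, relay_downgrade, bind_cvm, amount=100):
    """The terminal always asks for PIN verification. With relay_downgrade
    set, the request the card sees has been rewritten to 'signature' while
    the terminal is told the PIN was accepted."""
    card, issuer = Card(), Issuer()
    cvm_to_card = CVM_SIGNATURE if relay_downgrade else CVM_PIN
    if not card.verify_cardholder(cvm_to_card, pin_entered):
        return "DECLINED_BY_CARD"
    crypt = card.generate_cryptogram(amount, bind_cvm)
    if issuer.authorise(amount, CVM_PIN, crypt, bind_cvm):
        return "APPROVED"
    return "DECLINED_BY_ISSUER"


if __name__ == "__main__":
    # Honest transaction, correct PIN.
    print(run_transaction("1234", relay_downgrade=False, bind_cvm=False))
    # Honest transaction, wrong PIN: the card declines.
    print(run_transaction("0000", relay_downgrade=False, bind_cvm=False))
    # Downgraded negotiation, CVM not bound: nobody notices.
    print(run_transaction("0000", relay_downgrade=True, bind_cvm=False))
    # Downgraded negotiation, CVM bound into the cryptogram: issuer declines.
    print(run_transaction("0000", relay_downgrade=True, bind_cvm=True))
```

The model makes the negotiation result part of the MAC input on both sides; any design in which the terminal's claim about cardholder verification reaches the issuer without a card-originated check on it has the same weakness, whatever the transport.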
5) Court shuts down "card services" robocallers
A federal judge in Washington shut down three "card services" telemarketing companies that pelted consumers with robocalls offering them assistance cutting their interest payments.
The Federal Trade Commission, which sued the companies, said AMS, Rapid Reduction, PDMI and their owners promised consumers they could help them cut their credit card interest payments.
Consumers who signed up for the services were charged $499 to $1,590. They were told they could get their money back if the companies didn't get them at least $2,500 in interest rate reductions, the FTC said. But all the companies sent was information on paying off cards early. Consumers who demanded refunds either couldn't get them or were told that a $199 nonrefundable fee would be deducted, the FTC said.
http://www.cleveland.com/consumeraffairs/index.ssf/2010/05/court_orders_card_services_com.html
L6) Financial hackers attacking Visa/MasterCard users with fake 3-D Secure logins
Criminal hackers are using more advanced methods of trying to extract users' card credentials, the latest attack vector being malware that launches a fake Visa/MasterCard 3-D Secure screen.
L7) Stealing $10 Million, 20 cents at a time
"On June 28, 2010, the Federal Trade Commission unveiled a lawsuit against unknown credit card fraudsters, seizing the assets of 16 companies run by at least fourteen "money mules". The companies named were: API Trade, LLC; ARA Auto Parts Trading LLC; Bend Transfer Services, LLC; B-Texas European, LLC; CBTC, LLC; CMG Global, LLC; Confident Incorporation; HDPL Trade LLC; Hometown Homebuyers, LLC; IAS Group LLC; IHC Trade LLC; MZ Services, LLC; New World Enterprizes, LLC; Parts Imports LLC; SMI Imports, LLC; SVT Services, LLC. Each of these companies was run by a money mule recruited for the job via a spam email message. Each of them was instructed to establish their LLC to receive payments from small transactions, which they would then aggregate and wire to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. Before the lawsuit hit, a Preliminary Injunction had already been issued back in March to freeze the assets of the company in question.
The consumers are charged as little as 20 cents in a single fraudulent transaction, and as much as $10. 90% of the charges were never disputed. Those that were received instructions to call non-existent telephone numbers, or answering services from which calls were never returned. More than 1000 consumers have filed complaints with the FTC about these illegal practices."
http://garwarner.blogspot.com/2010/07/stealing-10-million-20-cents-at-time.html
http://www.ftc.gov/opa/2010/06/adele.shtm
A8) Russian Spy Ring Using Steganography
Remember hearing about the 11 Russian spies? Turns out that more than 100 text files were found after a 27-character password for a steganography program was found on a slip of paper during a search.
http://www.darkreading.com/insiderthreat/security/encryption/showArticle.jhtml?articleID=225701866
http://www.theregister.co.uk/2010/06/29/spy_ring_tech/
J9) Firefox add-on steals information (namely passwords) from users.
"Mozilla Sniffer" was added on June 6th and pulled July 12th. Mitigating this somewhat is the fact that it was on a separate area for experimental plugins. Still, do you allow your users to add their own plugins? How do you check them?
http://www.csoonline.com/article/599514/mozilla-yanks-password-stealing-firefox-add-on
II. Discussions
1) The future of tablets - a pleasure to use, quick to start up, long battery life, relatively low cost, portability. They will likely be at your credit union sooner or later.
III. Tech Segment
None this podcast.
IV. Cooltility (Cool + Utility = Cooltility)
F.lux - changes the color of your screen depending on the time of day, on the theory that exposure to bright light at night interferes with normal sleeping patterns.
http://www.stereopsis.com/flux/
V. Smarter U.
Got a suggestion for this space? Please send it to podcast@cuispa.org.