Hardware & InfoSec

When a “Fix” is Not a Fix - The Fix is In

In my previous post, I discussed the Time Warner/SMC modem enormous security flaw.

Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to login with the user/user account, it simply kicks them back to the login page with javascript. All routers are still open to the internet and all still have the same default admin password.

It seems that a fix from Time-Warner or SMC seems to consist almost entirely of PR.

Next Generation ATM Skimmers

I was over on identitytheft.info watching some video feeds when I came across this one. It’s worth taking a look at not because the technique for attaching Bad Things is all that different, but because of the hardware the Bad Thing is using.

Check out the hardware used: a modified cell phone (to call home with numbers? how convenient!) a camera and an SD card. It’s the hack of the cell phone I find the most interesting. Of course, they didn’t give us any details on that, but I would be interested to know how it was modified, wouldn’t you?

Although identitytheft.info is rather self-serving in its presentation (providing a variety of services to “victims”) they often have newsfeed videos that are very well done.

For instance, there’s another video that shows a keypad that can capture the pin (instead of a camera) as you type it in glued over the regular keypad.

They recommend notifying the bank if you discover a skimmer; I recommend notifying the police. They’ll take care of notifying the bank(s).

Pumping Gas and Losing Your Shirt

I hadn’t really thought about it, but it made perfect sense the first time I read about it: thieves are capturing credit card and debit card data at the gas pump.

Given that the pump is acting as a big cash register, it makes perfect sense that skimmers could be attached the same way they are attached to an ATM.

Thieves open the pump using a skeleton key and install skimming devices to cables leading to the card reader and PIN pad that pulls data from a card’s magnetic stripe and records the cardholder’s PIN. If the PIN pad encrypts the PIN at the pump, they can attach a miniature camera to record PINS as cardholders enter them.

And this is what is significant: you can’t see the skimmer on the pump because it is inside the pump. There’s no way to know if you’re paying for gas and a little fraud, too.

The skimmers steal credit card numbers, but thieves prefer debit cards because they mean quick cash at automated teller machines. They use the information to make fake cards and hit ATMs – some across the country from the originating theft – for $200 to $800 a pop.

The money is often gone before the debit card holder knows it, and it can take time to correct the problem. One recommendation is to use the Credit rather than Debit feature when filling your tank. Debits allow immediate access to cash and don’t require a signature, two other reasons they are more attractive to criminals.

Skimming has been ramping up starting last year due to the bad economy; thieves need to access cash rather than goods they can resell elsewhere.

Thieves can leave these skimmers attached to pumps for months before removing them—and collecting data from thousands of credit cards. Then, the thieves either sell the credit card information on the internet or they make fraudulent duplicate cards with victim’s account numbers and expiration dates.

In one case, thieves left the same skimmer attached to a single gas pump in Washington for eleven months. (Did no one see this thing???) Then they came back, retrieved the device and drained hundreds of bank accounts in a single weekend.

In May 2008, an investigation was opened into a case in San Jose California in which thieves stole more than $200,000 from 180 victims. Authorities estimate that between $1 million and $3.5 million has been stolen from victims of gas pump identity theft in five states over recent months.

Best advice: If you do want to use a credit or debit card at the gas station, go inside and make the purchase there. Inconvenient, but so is losing all the money in your checking account, or having to close your credit card account.

Hard Disks Never Die - They go to Digital Forensics

I’m attending an absolutely fascinating course on Digital Forensics provided by SANS. One of the things we will be doing is collecting data from hard drives for various practice exercises.

Imagine my amusement when the handout and appendixes recommend where to get used hard drives to practice on: eBay or Craigslist. Didn’t Simson Garfinkel do this a few years ago? And come up with a whole bunch of juicy information?

How do you dispose of hard drives? There are overwriting programs and businesses that will pick them up and dispose of them securely, providing a certificate (and thus transferring your risk). But how do you know they are performing as agreed?

I’m looking forward to my eBay hard drives and what they will disclose. Hope they’re not yours!

Securing the Security Devices

OK, so you’ve bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny “security solution” from a vendor (one or many).

Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I’m spelling that fancy French right!) And of course either you have to manage it (without training, “that’s too expensive, just watch the consultants put it in”), or it’s been “outsourced.”

Or as an auditor, you’ve been told to use it for all auditing functions, and not worry about doing any follow up or periodic testing because this product is such a “time-saver.”

So, how do you know (my favorite question) it’s working and doing a good job? Not what the fancy report it produces says, not what the consultant says, not what the manual says, not what the boss says. What you can actually see.

I’ve been following a discussion on the Security Focus “pen-test” mailing list about how security software has just as many issues as regular software. I don’t like thinking that the software protecting me and writing to a SQL database is using an unencrypted ODBC connection that can be captured by ARP poisoning.

So, although I am rarely asked to audit or test a firewall, IDS or host IDS, having run and learned on all of them, I have some suggestions for you to try out.

NEXT: How to Audit Your IDS/Firewall/ECM for free.

More on ATMs - The Daily Store Owner Log

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the Bank name, last four numbers of the account, the customer name, and the transaction.

So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.

The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc, is all there on the log.

I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.

Where does this report get stored? Who has access to the reports? The manager? The clerks?

Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)

Why does a store owner need that much information? I’ll try and find out.

More on Cell Phone (IN)Security

I’m having very mixed feelings, I must say, on what I’ve been reading about accessing information from cell phones. On the one hand, in my line of work, which occasionally includes forensics, I’m pleased to see new tools come out that make my job that much easier. The Cell Seizure Investigator “stick” from Paraben for under $500 is a great new piece of equipment for pulling all information off of a corporate cell phone.

On the other hand, knowing that there is a quick tool to pull all the data off my phone in five minutes or so doesn’t give me warm feelings inside. Given that there isn’t really a secure delete function that is available, anything that is on my phone could be recovered in the same way we can recover deleted data from a hard drive. When will we have the ability to encrypt the storage on these things?

I have seen some early reports of cell phones that use biometric identification, but none that appear to be here in the USA.

I have run across a free tool for deleting data on your cell phone by recellular.com that offers some software based on model of phone. Not all models are covered, and I haven’t had a chance to test it out. If you do, please let me know your results.

In the meantime, review what is on your cell phone, and keep it to a minimum!

Physical Security Part II

The most secure Data Centers I’ve seen utilize electronic access cards of some type that have a good reporting mechanism, right down to which door. Of course, these systems don’t do you a bit of good if no one looks at the logs, but that seems to be the exception, rather than the rule. Thank goodness!

I’ve seen some systems that you must swipe in order to exit, as well as enter. This seems a smart way to make sure employees and cards are being utilized properly. Also, doors should alarm if they are propped open or not quite secured. Depends on how much you value your data, doesn’t it?

Camera systems can be a very good alternative to swipe cards, but ONLY if you have sufficient coverage of the area you’re trying to secure. I tested a system that could see me going up the steps to the Data Center, but didn’t capture me until I was two feet from the door. If I scuttled sideways to the right, it missed me entirely! We adjusted that camera together.
Does your system overlap all areas inside the Data Center? Can you track where someone goes throughout the area?

Finally, is your camera system secured away from the Data Center? Make sure only specific people have access, and make sure the captures are stored securely. How long should you keep them? I’d say a year, which would give you a good period of time to track back possible miscreants. But it really depends on your storage space. If you can use WORM (Write Once, Read Many) storage, even better.

Ultimately, it does come down to your employees. I can’t tell you how many times I’ve slid in the door behind someone holding an armful of books and thanking them for holding the door. If someone strange is sitting in the conference room, it could be me hacking your network. Just ’cause I’m a lady dressed in a really nice business suit doesn’t mean a thing.

How are you disposing of your physical computer equipment? Never underestimate the ability of people to be lazy and just “toss” stuff. Find a way to securely wipe your data OR transfer the risk by hiring someone that will give you a certified receipt that THEY have destroyed it for you. Expensive? Probably? More expensive? Getting your company’s name in the paper.

ATMs with Bugs - At the Grocery Store

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could only collect information from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it ONLY can dial home (and not to Lahore to deliver its’ payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.

Just who has had access to the inside of those machines, that were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.

Thieves keep getting smarter.

ATMs Redux - Why I Don’t Use My Debit Card

In a previous post about Automatic Theft Machines I commented on the worrisome rise in skimming with these machines.

Now, to add to our pain, we should be concerned about gas station pumps, according to NBC. Take a look at the picture of the device - makes me wonder how they set it up without inside help.

The article goes on to discuss the rising crime rate from debit card theft. Once these folks pluck your card number and PIN, they can clean out your bank account in no time flat. Unlike credit card fraud, where the bank removes your liability after $50, people are reporting a struggle to get their bank accounts credited after all the cash has been extracted.

So, let’s see, ATMs, airline check-in machines, and now gas pumps.

I’d decided after the Hannaford breach that we would no longer use our debit card unless standing inside the bank. And even that is not risk free from skimming.