I always thought it was strange that Apple Stores used Windows CE devices to take payments. It is a testament to the power that Microsoft's mobile OS has in the payment field, while Apple seems to have struggled in this area.
Supposedly, some folks are trying to change this, and new card readers for Apple portable devices are appearing.
The only reason this story is appearing here in the ZIS blog is the lack of basic security provision in these new add-ons. Slide (magnetic stripe) card readers should be on their last legs, and I was surprised by the use of them in North America when I was last there.
Supposedly, new cards issued by North American banks are being shipped with chips, but the hardware suppliers should be on this movement as well. While chip and PIN has its problems, as well documented by the security group at Cambridge and specifically Steven J. Murdoch, no one would dispute the technical advantages it has over the older magnetic stripe system. The main concern that Murdoch raises is the banks' assertion that the system is completely secure, so that any fraudulent activity that takes place is blamed on the cardholder's lack of diligence rather than on the banks' systems.
I would assume that products being designed now would include at least chip and PIN and adhere to the basic PCI DSS requirements.
Saturday, 2 January 2010
Tuesday, 8 December 2009
Wireless Security
Lack of wireless protection is again in the spotlight of security scrutiny.
The line for acceptable wireless security controls is constantly moving. WEP was never really secure: it arrived broken and just became “brokener” as the attacks improved.
WPA has now been replaced by WPA2, and even that version is exposed to dictionary attacks when a pre-shared key is used: the attacker captures the four-way handshake and then guesses passphrases offline at leisure. It is sobering that cracking a wireless pre-shared key can now be bought as a service for 34 dollars.
The easiest way to protect yourself is to work on the elements that go into the key derivation. For WPA-PSK those are the passphrase and the SSID. Having a non-default SSID was always a good idea, since it tells a potential attacker nothing about the network they are sniffing; it is easy to change and can reflect your personality. Since the SSID (and its length) are used to salt the key derivation, attackers precompute tables of keys for the common default SSIDs, so changing the SSID from the default is the first step in securing a wireless connection.
Secondly, you need to choose a passkey of a reasonable length. To avoid repetitive phrases, I tend to use the GRC password generator for 63-character keys. This can be a bit of a pain for devices where the key has to be entered by hand (sometimes with a Wiimote).
These two tasks should leave your wireless access device fairly secure, but the other side of the coin (detective controls) should also be in place. More on that later.
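The following is an added example, not code from the original post, showing why the two steps above matter. It derives the WPA/WPA2-PSK Pairwise Master Key exactly as 802.11i specifies (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds), builds the kind of precomputed table an attacker keeps for a default SSID, and runs an offline dictionary attack. The wordlist, SSIDs and passphrases are constructed for the demonstration; the attack is run against the PMK directly rather than against a captured handshake MIC, which is a simplification noted in the code.

```python
import hashlib
import secrets
import string


# WPA/WPA2-PSK key derivation (IEEE 802.11i): the Pairwise Master Key is
# PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds,
# 256 bits out. The SSID (and therefore its length) is the salt, so the
# same passphrase yields a different PMK on every differently named network.
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


# What a precomputed table for a default SSID amounts to: a map from PMK
# back to passphrase, built once per SSID and reused against every network
# that kept that SSID. The 4096-round PBKDF2 cost is paid only once.
def precompute_table(ssid: str, wordlist) -> dict:
    return {derive_pmk(word, ssid): word for word in wordlist}


# Offline dictionary attack. A real attacker checks each guess against the
# MIC of a captured four-way handshake (PMK -> PTK -> MIC); here the target
# is the PMK itself, which is where all the expensive work happens anyway.
def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    for word in wordlist:
        if derive_pmk(word, ssid) == target_pmk:
            return word
    return None


# A locally generated 63-character pre-shared key (the WPA maximum), drawn
# from printable ASCII with the OS CSPRNG: the same idea as the GRC generator
# the post mentions, without sending a secret through a web page.
def random_psk(length: int = 63) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed wordlist and passphrases for the demonstration.
    wordlist = ["letmein1", "qwertyui", "password", "trustno1"]
    # A network that kept the default SSID and a weak passphrase falls to a
    # table built for that SSID, or to a direct dictionary run.
    table = precompute_table("linksys", wordlist)
    weak = derive_pmk("password", "linksys")
    print("table hit on default SSID:", table.get(weak))
    print("dictionary hit:", dictionary_attack(weak, "linksys", wordlist))
    # Same weak passphrase, non-default SSID: the table no longer applies and
    # the attacker has to redo every PBKDF2 computation for this SSID.
    renamed = derive_pmk("password", "ZenInfoSec-5G")
    print("table hit after SSID change:", table.get(renamed))
    # A long random key defeats the dictionary regardless of SSID.
    strong = derive_pmk(random_psk(), "ZenInfoSec-5G")
    print("dictionary hit on 63-char key:",
          dictionary_attack(strong, "ZenInfoSec-5G", wordlist))
```

Changing the SSID only forces the attacker to recompute; it does not stop a dictionary attack against a weak passphrase, which is why the second step (a long random key) is the one that actually ends the game.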
Wednesday, 2 December 2009
Mark Zuckerberg has finally realised that Facebook may have some security and privacy issues and announced that there will be more granularity in the existing privacy controls. Also, the massive regional networks will no longer be the basis for information sharing.
Monday, 26 October 2009
Cryptography at IBM
A great video from the IBM Smarter Planet series on their cryptography team, with a short introduction to “privacy homomorphism,” or “fully homomorphic encryption”. This breakthrough makes possible the deep and unlimited analysis of encrypted information — data that has been intentionally scrambled — without sacrificing confidentiality. The caveat, which the video glosses over, is that Craig Gentry's 2009 scheme is far too slow for practical use as it stands; the significance is that it exists at all, since the question had been open since the term privacy homomorphism was coined in 1978.
Extended abstract on privacy homomorphism can be found here.
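To make "computing on data you cannot read" concrete, here is an added example (not IBM's or Gentry's code) using the Paillier cryptosystem, which is only additively homomorphic: anyone can add encrypted numbers and multiply them by known constants, but cannot multiply two encrypted numbers together. A fully homomorphic scheme such as Gentry's removes that last restriction. The primes and the salary figures are constructed toy values; real keys use primes of a thousand or more bits.

```python
import math
import secrets


def _lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


# Paillier key generation with g = n + 1, the usual simplification: then
# L(g^lambda mod n^2) = lambda, so mu is just lambda^-1 mod n.
def keygen(p: int, q: int):
    n = p * q
    lam = _lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


# Encryption is randomised: every call picks a fresh r, so two encryptions
# of the same number are different ciphertexts (no pattern leaks).
def encrypt(pub, m: int) -> int:
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n      # Paillier's L(x) = (x - 1) / n
    return (l_value * mu) % n


# The homomorphism: multiplying ciphertexts adds the plaintexts, and raising
# a ciphertext to a constant multiplies the plaintext by that constant.
# Whoever performs these operations never learns the numbers involved.
def add_encrypted(pub, c1: int, c2: int) -> int:
    return (c1 * c2) % (pub[0] ** 2)


def scale_encrypted(pub, c: int, k: int) -> int:
    return pow(c, k, pub[0] ** 2)


# Encrypted aggregation as an untrusted server would run it.
def encrypted_sum(pub, ciphertexts):
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen(1009, 1013)               # constructed toy primes
    salaries = [1200, 3400, 5600]                # constructed sample data
    encrypted = [encrypt(pub, s) for s in salaries]
    # The server adds the ciphertexts and doubles the result blind...
    c_total = encrypted_sum(pub, encrypted)
    c_double = scale_encrypted(pub, c_total, 2)
    # ...and only the key holder can read the answers.
    print("sum of salaries:", decrypt(pub, priv, c_total))   # 10200
    print("twice the sum:", decrypt(pub, priv, c_double))    # 20400
```

The point to take from it is where the trust boundary sits: the party holding the ciphertexts can compute a correct total without ever holding the private key, which is exactly the property the IBM video is describing, only for one operation rather than for arbitrary programs.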
Wednesday, 16 September 2009
Adam Savage at HOPE
Interesting stuff from HOPE
I never noticed this when it first appeared a while back.
I guess that when the well-known attacks become mainstream, the lawyers show up.
Friday, 31 July 2009
Tuesday, 24 March 2009
Worm Attacking Home Routers and DSL Modems
A very good article detailing the psyb0t botnet worm.
This is the first known botnet built by exploiting consumer network devices, such as home routers and cable/DSL modems, which it took over largely by brute-forcing weak or default administrative passwords over telnet and SSH.
It stresses the importance of changing all passwords on internet-facing network kit.
Use a random string of sufficient length, or grab a 63-character string from GRC.
Saturday, 6 September 2008
Tuesday, 2 September 2008
The BGP intercept attack, as described by Anton "Tony" Kapela and Alex Pilosov at Defcon 16, has been gaining notoriety, so I thought I would start gathering some of the information here as a centralised resource.
The Wired article is probably the best place to start. They added a further article describing the attack and a bit of the history behind it.
The effect of a BGP re-route has already been seen in the Pakistan – YouTube incident, where a more-specific prefix announcement by Pakistan Telecom leaked to the wider internet and drew YouTube's traffic into a black hole. The Defcon attack goes one step further: instead of black-holing the traffic, the attacker keeps a clean path back to the victim and forwards it on, so nobody notices.
The link to the Defcon slides is here.
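As an added example (not code from the Defcon talk or the Wired articles), the following simulates the two ingredients of the attack in a constructed five-AS topology with private-use ASNs and a documentation prefix: longest-prefix matching, which lets a bogus /25 beat the legitimate /24 everywhere, and BGP's AS_PATH loop detection, which the attacker turns to their advantage by prepending the ASNs of the return path so that those ASes reject the bogus route and keep the real one. The model is deliberately simple (shortest path wins, no routing policy, no prefix filtering) and is assumed here for illustration only.

```python
import ipaddress
from collections import deque

# Autonomous systems in the constructed topology (private-use ASNs).
VICTIM, UPSTREAM, TRANSIT, REMOTE, ATTACKER = 64500, 64501, 64700, 64800, 64666

# Who peers with whom. The attacker reaches the victim only through TRANSIT
# and UPSTREAM; REMOTE stands in for the rest of the Internet.
LINKS = {
    VICTIM:   {UPSTREAM},
    UPSTREAM: {VICTIM, TRANSIT},
    TRANSIT:  {UPSTREAM, REMOTE, ATTACKER},
    REMOTE:   {TRANSIT, ATTACKER},
    ATTACKER: {TRANSIT, REMOTE},
}

VICTIM_NET = ipaddress.ip_network("203.0.113.0/24")       # documentation range
MORE_SPECIFICS = list(VICTIM_NET.subnets(new_prefix=25))   # the two /25 halves
TARGET = ipaddress.ip_address("203.0.113.10")


def propagate(links, origins):
    """Flood announcements hop by hop and return each AS's table {prefix: path}.
    An AS rejects any path already containing its own ASN (loop detection),
    keeps the shortest path per prefix, and re-announces what it installs
    with its own ASN prepended."""
    rib = {asn: {} for asn in links}
    queue = deque()
    for asn, announcements in origins.items():
        for prefix, path in announcements:
            rib[asn][prefix] = path            # locally originated, path[0] == asn
            queue.append((asn, prefix, path))
    while queue:
        sender, prefix, path = queue.popleft()
        for nbr in links[sender]:
            if nbr in path:
                continue                       # loop detection: drop it
            current = rib[nbr].get(prefix)
            if current is None or len(path) < len(current):
                rib[nbr][prefix] = path
                queue.append((nbr, prefix, (nbr,) + path))
    return rib


def next_hop(rib, asn, ip, ignore_own=False):
    """Longest-prefix match: a /25 beats the legitimate /24 for any address
    inside it. The first ASN on the winning path is the neighbour to send to."""
    candidates = [(prefix, path) for prefix, path in rib[asn].items()
                  if ip in prefix and not (ignore_own and path[0] == asn)]
    if not candidates:
        return None
    prefix, path = max(candidates, key=lambda c: c[0].prefixlen)
    return path[0]


def trace(rib, start, ip, attacker=None):
    """Follow a packet AS by AS. The attacker forwards intercepted traffic
    onward using only routes learned from others, never its own bogus /25s,
    which is what a real interceptor arranges with static routes."""
    hops, asn = [start], start
    while True:
        hop = next_hop(rib, asn, ip, ignore_own=(asn == attacker))
        if hop is None:
            return hops + ["unreachable"]
        if hop == asn:
            return hops                        # reached the originating AS
        if hop in hops:
            return hops + [hop, "loop"]        # traffic circles, never delivered
        hops.append(hop)
        asn = hop


def scenario(attacker_path=None):
    """The victim originates its /24; optionally the attacker also originates
    both more-specific /25s with the given AS_PATH."""
    origins = {VICTIM: [(VICTIM_NET, (VICTIM,))]}
    if attacker_path:
        origins[ATTACKER] = [(p, attacker_path) for p in MORE_SPECIFICS]
    return propagate(LINKS, origins)


if __name__ == "__main__":
    print("normal:   ", trace(scenario(), REMOTE, TARGET))
    # Plain hijack: every AS, including those on the attacker's way back to
    # the victim, prefers the /25, so intercepted traffic has nowhere to go.
    print("hijack:   ", trace(scenario((ATTACKER,)), REMOTE, TARGET, attacker=ATTACKER))
    # Kapela/Pilosov: prepend the ASNs of the return path. Those ASes drop the
    # announcement as a loop and keep the real route, so the attacker can read
    # the traffic and still forward it to the victim.
    print("intercept:", trace(scenario((ATTACKER, TRANSIT, UPSTREAM, VICTIM)),
                              REMOTE, TARGET, attacker=ATTACKER))
```

The third trace is the whole attack in one line: traffic from the rest of the internet detours through the attacker and still arrives, because the ASes the attacker needs for the return leg never accepted the bogus route.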
Another Security Truism
It seems that restaurant owners are able to alter their sales records on electronic cash registers using so-called zappers (sales-suppression software that deletes transactions from the till's records after the fact).
It just proves that physical access to a computer means you can alter it.
In other words, if you can touch the box, you can own the box.
Monday, 1 September 2008
Zen Info Sec Starts
Decided on Zen Info Sec after deciding the previous company name was terrible.
I will be using this to post general security postings, mainly so that I can keep track of stuff.