Security-related events and commentary from around the web, with emphasis on issues that affect physical, electronic, and data security management.
There is no doubt that securing the global infrastructure against card skimming is a critical task. Despite the cost and complexity of upgrading our technology, the U.S. has reached a point where we can no longer sit idly by while the frequency and sophistication of credit card thefts grows. This problem has always come down to cost. The sheer number of card reading devices in use today has made it economically unjustifiable to switch technologies, given the losses incurred by credit card issuers. It is estimated that bank losses from compromised cards are $2.4 billion (not including losses borne by merchants themselves, which could be tens of billions), while replacing all payment cards, terminals, and ATM/gas pump readers would top $5.8 billion.
The reluctance to switch to “EMV” or “Chip and PIN” cards, as many countries in Europe and elsewhere have done, seems shortsighted, but certainly not surprising where such large expenditures are involved. The trends in crime and loss, however, paint a much more serious picture – and will become the driving force to bring the U.S. closer to where we need to be. As one would expect, as countries around the world transitioned to more secure payment systems, crime shifted to the ones that did not – primarily the U.S. – and figures reported by some banks show that fraud has quintupled here in the past five years.
Compounding the problem is the availability of custom electronic devices, known as skimmers, that make reading cards and retrieving PINs easier than ever. Brian Krebs has a great collection of posts and photos of such equipment here (look for “All About Skimmers” in his Categories section). Skimmers can be designed to blend into the exterior of ATMs, mounted inside gas pumps, and attached to retail credit card terminals, making detection very difficult. The security industry has helped raise awareness, but realistically, there is little that can be done to protect the current technology. Applying tamper-evident tape to gas pump access panels, as the Association for Convenience and Fuel Retailing suggests, barely qualifies as a countermeasure, and Barnes & Noble’s PIN pads were compromised despite being located in a busy public space (to be fair, it is unclear whether the B&N terminals were modified in place or prior to installation). Even with a vigilant public and reliable tamper detection for these devices (neither of which exists today), the inherent insecurity of today’s magnetic stripe credit cards demands change. Consider the proliferation of low cost, high resolution cameras – some of which are already finding their way into skimmers. With cameras mounted on either side of a card reader, the potential exists to capture the card number, PIN, and verification code of a card without direct tampering of any kind – and at greater and greater distances.
The good news, as reported early in 2012, is that a program to support smart-card technology upgrades is in the works. The costs will likely be paid by both the merchants and card issuers through direct investment, and changes to the rules regarding security (PCI-DSS), auditing, and liability for fraud. More information can be found here. It is sure to be a long process, however, despite the fact that some retailers are already installing upgraded card readers.
Meanwhile, a press release this week from MasterCard makes it clear that card security will continue to advance. They announced a partnership with Standard Chartered Bank Singapore to roll out cards with an embedded keypad and one-time password generator (picture above). Don’t expect to find one of these in your (U.S.) mailbox anytime soon…
— UPDATE 12-11-2012 —
I decided to make this an anchor post, and will update it periodically with stories and information about skimmers and countermeasures.
12-07-2012 Article from NBC in Southern California about the widespread use of skimmers, including pictures of newer devices with Bluetooth capabilities. Here is one of the images:
8-13-2013 Well, we’re finally seeing some better options being deployed. Here is an article detailing a few of them.
Following up on an earlier article about self-monitored security equipment, I wanted to share a recent incident that brings to light an important consideration for anyone wishing to pursue such technology.
According to an article in the Star-Telegram, a businessman in Fort Worth, Texas was unable to dispatch authorities to his store for a burglary in progress that he witnessed live via a remote video system. The municipality has a “no permit, no dispatch” policy, and the permit for the business had been expired for almost a year, so the police department is standing by its decision for now.
This is an interesting case for a number of reasons:
1. The business owner, Leroy Reber, is a security equipment reseller and installer, licensed by the State of Texas, so he was likely aware of the local dispatch policy.
2. The remote video connection was manually initiated by Mr. Reber after he received a text message informing him of the alarm. It is not clear whether the text message originated from a monitoring center (central station) or from the equipment at the premise. This could be relevant, since a central station would normally dispatch the alarm immediately upon receipt (or after following verification procedures), so the PD may have already been informed and known that the alarm was triggered by a system with an expired permit.
3. There appears to be some confusion over what was said during the dispatch request. It is plausible that the refusal to dispatch was triggered by semantics. If the PD heard, for example, that “my alarm went off and there is a burglary in progress,” it seems reasonable that they might follow the no dispatch rule. If, on the other hand, they heard “I am viewing my business on a live video feed and I can see someone trying to break in,” their response might have been different. In other words, if the PD believes the dispatch is the result of an alarm system activation, they may automatically treat it differently than if some other security technology (e.g. live video from an owner’s networked camera) is involved.
So what does this mean for those who wish to self-monitor a video camera, alarm panel, or other device that might result in a call to police? Unfortunately, the answer is not clear at all. Most alarm permit statutes were written with traditional monitored systems in mind: keypads, door contacts, motion detectors, and the like. Definitions are often loose, however, and it wouldn’t be surprising if some jurisdictions interpret any device that triggers a signal transmission – even if sent directly to a property owner’s cell phone – to be a monitoring system that requires a permit. This is certain to catch users off guard, since the first time they need police may be the first time they realize that a permit is required – possibly years after the equipment was installed. Current and future-generation IP cameras will increasingly be used this way, capturing events and acting as an all-in-one remote video and alarm reporting system.
I suspect that it will be some time before statutes are rewritten to address self-monitoring, since it is still in the early-adopter phase. If anything, police departments are much more likely to dispatch in cases like Mr. Reber’s than to refuse, mainly due to the situation the Fort Worth PD is facing today: it is difficult to explain why “no permit, no dispatch” is a good idea to a taxpayer who witnessed their property being damaged and called for help. A police spokesman acknowledged that the department is investigating to determine exactly what was reported, and when. I will post updates as they are available…
You’re probably familiar with the term “war dialing” – but just in case – it refers to the practice of scanning a large block of phone numbers, attempting to connect to a modem or other device – usually for the purpose of hacking into systems. This can be done at random, in the sense that a hacker is just looking for anything they can find, or it can be used as a targeted attack by scanning numbers likely to be associated with a particular target. In the days when almost all connections were handled with dial-up modems, war dialing was a popular sport – but you might assume that in the modern world, there wouldn’t be much left to find… unfortunately, you would be wrong.
In a recent interview broadcast by the online show Hak5, two modern variations were described in detail. The first is the one most are familiar with: scanning the Internet for vulnerable targets. One of the search sites referenced (by link to Matt Krebs’ article) in my recent post about industrial controller vulnerabilities, called Shodan, was discussed as a popular way for hackers to jump-start their work, since a user can search and sort results to look for specific types of systems. The ability to use scripting to interface with Shodan’s database was also given as an example of how a hacker can automate the process of connecting to large numbers of systems. In a creative example of how this is used, the hacker detailed how he set up a script to take a screen shot of each system’s login/connection screen. This allowed, prior to any type of actual hacking, for thousands of sites to be reviewed and sorted. Larger screen shot file sizes, for example, might be found on more interesting targets because they are serving up logos, splash screens and other graphics.
It wasn’t only the enterprise systems that piqued the hacker’s interest, however, since searching through the Shodan data also yielded a number of smaller, unsecured systems – whose operators probably never considered they would be found online. These included red-light cameras, SCADA devices, and in one case, a power plant monitoring system.
The second interview described a method of conducting modem-based war dialing scans, using VOIP connections to contact landlines. Of particular concern was the report that enterprise-class routers are often found connected to telephone lines, without adequate security, to allow remote access when IP networks go down. Speculation was that the administrators simply didn’t think about securing these connections, focusing instead on the far more “obvious” network-based attacks.
Aside from the mention of security cameras being a common search on Shodan, there was little attention given to the large number of security devices connected to both networks and telephone lines. Alarm control panels, in particular, have escaped widespread hacking only because most use non-standard connection methods over PSTN and/or require special sequences to initiate a connection. As these systems move onto the Internet, they are certain to become more popular targets.
Definitely more to come…
Digital Bond, a control system security consulting company, released information about a critical vulnerability in numerous programmable logic controllers (PLCs) and other hardware used to automate everything from motors to complex industrial processes. The affected software is known as the CoDeSys ladder logic system, from 3S Software GmbH. CoDeSys is used by 261 manufacturers of control equipment to execute programming and operate connected devices. Essentially, Digital Bond discovered that the software allows a remote connection without user authentication. They created Python scripts that take advantage of this lack of security and provide a method for executing commands and gaining access to data on the devices.
This vulnerability could have major implications for public utilities, manufacturing plants, and anywhere else this type of valve, motor, and system control is used. Of particular concern are controllers that are exposed on the Internet, but even systems behind a firewall are likely to be targeted, given the nature of the weakness and the simplicity of the exploit.
More information about Digital Bond’s findings and the Python scripts can be found here.
The U.S. ICS-CERT issued an alert as a result of the above, and Matt Krebs wrote an informative blog post that expands on the issue. In it, he notes that the availability of online search tools that scrape the Internet looking for all types of connected devices (including PLCs) make this problem even more serious. It appears, at present, that even the most novice hacker could launch an attack on exposed controllers, possibly causing severe damage or disruption of service.
At least for now, it would be prudent to isolate these devices – especially in cases where they control critical processes/equipment. Of course, it would be nice to think such measures were already in place for such important applications – but we know better.
In the security world, few technologies have become more entrenched than proximity-based access control. The cards and readers are everywhere – and overall, they provide a level of convenience and security that far exceeds the systems they replaced, such as mechanical locks, barcodes, magnetic stripes, and the like. A typical access card operates in the same manner as an RFID tag, since it is essentially the same thing. The reader emits RF energy, which energizes a coil inside the card; the coil powers a small circuit, which in turn communicates a unique ID number back to the reader. There are many data formats and matched reader/card frequencies involved, but almost all systems operate in this (simplified) manner.
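To make the “unique ID number” concrete, here is an added example (not code from the original post) that encodes and decodes the widely used 26-bit Wiegand frame: a leading even-parity bit, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit. The frame carries no secret and answers no challenge, so a controller can only compare the decoded number against its allow list; the parity bits protect against line errors, not against a replayed or cloned credential. The facility code, card number, and allow list below are constructed values.

```python
# Added example: encoder/decoder for the 26-bit Wiegand frame commonly used
# between proximity readers and access controllers.
# Layout, bit 0 first:  [E][FFFFFFFF][CCCCCCCCCCCCCCCC][O]
#   E = even parity over bits 1..12, F = 8-bit facility code,
#   C = 16-bit card number,          O = odd parity over bits 13..24.

def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame a reader would send for this credential."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must fit in 8 bits, card number in 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"        # the 24 data bits
    even = sum(int(b) for b in body[:12]) % 2               # makes bits 0..12 sum to even
    odd = 1 - sum(int(b) for b in body[12:]) % 2            # makes bits 13..25 sum to odd
    return f"{even}{body}{odd}"

def decode_wiegand26(frame: str) -> dict:
    """Validate both parity bits and extract facility code and card number."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0s and 1s")
    bits = [int(b) for b in frame]
    if sum(bits[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(bits[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return {"facility_code": int(frame[1:9], 2), "card_number": int(frame[9:25], 2)}

def controller_accepts(frame: str, allow_list: set) -> bool:
    """Model the controller's decision: a valid frame whose (facility, card)
    pair is enrolled opens the door. Nothing here proves the card is genuine."""
    try:
        cred = decode_wiegand26(frame)
    except ValueError:
        return False
    return (cred["facility_code"], cred["card_number"]) in allow_list

if __name__ == "__main__":
    enrolled = {(42, 1234)}                                 # constructed allow list
    frame = encode_wiegand26(42, 1234)
    print(frame, decode_wiegand26(frame), controller_accepts(frame, enrolled))
```

Because the controller sees only the bit pattern, every reader that receives the same 26 bits makes the same decision; that is the property behind the advice later in this post not to let a badge alone disarm an alarm system.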
Over the years, there have been many documented examples of proximity access control hacking, from card emulation and brute-force transmissions at the reader to surreptitious card data capture. So with that in mind, why revisit the subject here? The answer lies in the proliferation and rapidly declining cost of RFID components and other low-energy RF communications, which are poised to transform the way in which we connect and interact with systems and assets of all types.
The growing popularity of RFID tagging (especially in retail), environmental monitoring, intelligent edge devices, and building automation has spurred the development of a wide range of wireless/RF-enabled data collection and triggering. Examples include Zigbee (and similar 802.15.4 products), advanced RFID readers, and Z-Wave. For some developers, security is an afterthought, since the equipment is believed to be so obscure and/or specialized that it is unlikely to be attacked. What we are beginning to see, however, is that the same tactics used by “war-drivers” in the early days of commercial WiFi can expose insecure platforms and potentially open the door (pun intended) to serious security problems.
The good news is that security can be engineered into most of these platforms – in fact, it is often a core component – but it must be “switched on” and used properly. Follow the links below to read about some of the vulnerabilities and hacks that exist today. In practice, being aware of the potential for hacking – especially with immature products, proximity cards, etc… will help you make good design decisions. For example, once you understand how an access badge can be cloned – you probably won’t allow that badge to also disarm your alarm system, even if the vendor promotes it as a convenience feature. Likewise, if you are testing a new Zigbee-based data collection solution in your retail store, have a discussion with your vendor about how security has been implemented – and even if you like the answer, keep that network isolated until it is well-proven.
More on this subject:
Wardriving for Zigbee: Blog article describing a method for finding and mapping Zigbee networks
Kisbee: Open-source hardware project to capture Zigbee wireless communication
Bootable RFID Live Hacking System: A platform for hacking MIFARE access control cards
Proximity Card Cloning: HID ProxCard-II, ISOProx, and others
Long Range Cloning: 125KHz Proximity Cards
Following the suggestions for password management posted recently, I thought I would also share my preferences for personal data encryption.
Years ago, at least for me, using PGP or one of the proprietary security suites to protect data on a hard drive was far too onerous. I would usually give up shortly after installing the software due to the number of steps required to encrypt/decrypt data, the speed of the processing, or some other user interface issue. As a result, I would revert back to “security by obscurity” – hiding folders, placing documents inside zip files, etc…
The good news is that encryption solutions have come a long way. If you are trying to go paperless – or even if you just store copies of your tax returns as PDFs – then you have no reason to avoid them any longer. My preferred solution is a popular one: TrueCrypt.
TrueCrypt software is available for Windows, Mac, and Linux and has more features than you would want to read about here – the best of which is creating “secure containers” for files you want to protect. The best part is that it’s free (though a donation is money well spent). In short, once you create a file container, you “mount” it as if it were a separate hard drive on your system, and simply copy files in and out. When you un-mount the container, your files are protected by the level of encryption you initially selected during setup, which can be incredibly secure – incorporating multiple passes and multiple encryption methods, if desired. TrueCrypt can also protect entire drives, but unless you have huge amounts of data to store, this is not necessary.
Speaking of whole-drive encryption, you may have heard of solutions offered by your operating system – like BitLocker / EFS (Windows), or the Disk Utility in Mac OS X. While these solutions can be used to protect your entire hard drive (or portions of it), I find them more likely to cause problems for the casual user. Unless you need to secure every single file on your system, having one or more TrueCrypt containers makes more sense. You can easily back up a container as if it were a file (because in encrypted form, it is), which makes it easy to keep secure copies on cloud services or removable media. If you back up files from an encrypted drive to an unencrypted drive, they are no longer protected. Of course, you have to actually USE the TrueCrypt software for it to be effective, which is one argument for whole-disk solutions.
As an aside, if you need an extremely lightweight solution for just a few files, then definitely check out AESCrypt. It does little more than just encrypt and decrypt one operation at a time – but it is free, open-source, and very secure.
Finally, don’t just take my word for it. Do some reading and decide for yourself! Here is an article to get you started: LifeHacker “Five Best File Encryption Tools“
Barnes and Noble reported today that PIN pads at their registers had been tampered with at 63 stores across nine states.
Even though only one pad per store was compromised, this clearly represents an organized effort to target the chain. B&N has advised customers to change their PINs and keep a watchful eye out for fraudulent charges on cards used at their stores. At this time, the retailer reports that the perpetrator(s) did not gain access to their customer database, and that online/mobile transactions are secure.
All existing PIN pads were disconnected on September 14th until the situation could be addressed.
Some POS vendors have begun supervising the connection between the PIN pad and POS terminal in an effort to detect device substitution. It will be interesting to learn more about the approach used here, and whether such a feature would have prevented the hack. The official statement references a “bug” being placed in the devices, but it is unclear whether the bugs were installed “hot” in the field, or if the PIN pads were swapped out with matching devices that were modified elsewhere.
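To illustrate what “supervising the connection” can mean, here is an added example (not the approach of any vendor named in this post, and not code from the original) of pairing-based supervision: at installation the POS terminal and its PIN pad share a pairing key, and the terminal periodically sends a fresh random nonce that the pad must answer with an HMAC over its serial number and that nonce. A device swapped in with the same serial but a different key fails the check, and so does a device that can only replay an answer captured earlier. The class names, serials, and keys are constructed for the example.

```python
# Added example: a minimal model of pairing-based PIN pad supervision.
# All serials, keys and class names are constructed; real products differ in
# protocol details and in how the pairing key is provisioned and stored.
import hashlib
import hmac
import secrets

class PinPad:
    """A PIN pad provisioned with a per-device pairing key at install time."""
    def __init__(self, serial: str, pairing_key: bytes):
        self.serial = serial
        self._key = pairing_key

    def respond(self, nonce: bytes) -> bytes:
        # Bind the answer to this device's serial and to the terminal's fresh nonce.
        return hmac.new(self._key, self.serial.encode() + nonce, hashlib.sha256).digest()

class RecordedResponsePad:
    """Models a substituted device that holds no key and can only replay a
    response it captured from the genuine pad earlier."""
    def __init__(self, recorded_response: bytes):
        self._recorded = recorded_response

    def respond(self, nonce: bytes) -> bytes:
        return self._recorded

class PosTerminal:
    """The POS side: remembers which pad it was paired with and re-checks it."""
    def __init__(self, paired_serial: str, pairing_key: bytes):
        self.paired_serial = paired_serial
        self._key = pairing_key

    def supervise(self, pad) -> bool:
        nonce = secrets.token_bytes(16)                      # fresh per check, never reused
        expected = hmac.new(self._key, self.paired_serial.encode() + nonce,
                            hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        return hmac.compare_digest(expected, pad.respond(nonce))

def run_supervision_scenarios() -> dict:
    """Exercise the genuine, swapped-device and replay cases; returns pass/fail per case."""
    key = secrets.token_bytes(32)
    terminal = PosTerminal("PP-0001", key)
    genuine = PinPad("PP-0001", key)
    swapped = PinPad("PP-0001", secrets.token_bytes(32))    # same serial, wrong key
    captured = genuine.respond(b"\x00" * 16)                # one answer recorded in the past
    replayer = RecordedResponsePad(captured)
    return {
        "genuine": terminal.supervise(genuine),
        "swapped": terminal.supervise(swapped),
        "replay": terminal.supervise(replayer),
    }

if __name__ == "__main__":
    print(run_supervision_scenarios())
```

The limits of the technique match the open question in this post: pairing detects a pad that was swapped for one modified elsewhere, because the substitute lacks the key, but a “bug” installed inside the genuine pad leaves the key intact and passes every check, so physical inspection and tamper evidence are still needed for that case.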
Here is the company’s press release.
There have been a number of DIY projects documented recently that transform inexpensive TV tuner dongles into software defined radios (SDRs) capable of receiving a wide range of broadcasts. While this potentially allows someone access to frequencies used for security equipment/communications, our concerns are primarily limited to the interception of data – which can be addressed in a variety of ways.
Now, some projects – like this one – are taking the concept further and adding the ability to transmit. As the hardware becomes more affordable, the likelihood of misuse will rise. These systems could, for example, transmit false GPS information, replay wireless transmitter signals, or mimic a wireless host or monitoring system. Many older wireless platforms use little or no security for transmission validation, and even those that do may be susceptible to certain types of attacks – such as brute forcing and jamming. Of course, the technology to interfere with wireless transmissions is already available, but it is generally cost prohibitive and complicated to operate.
Software projects like GNU Radio promise to simplify the user interface for those exploring SDR, and we will undoubtedly see a range of purpose-built attack tools in the future that can break or compromise various wireless systems. Many of these will be useful to pen-testers, but like all such tools, their existence in the wild must be considered when selecting wireless equipment or evaluating an existing infrastructure.
The FTC released a document on October 22, 2012 calling for the protection of privacy by those who develop and use facial recognition technology. Many of the suggestions involve obtaining “affirmative express consent” before using identity information.
The document does not directly address the use of facial recognition in security, but the recommendations appear to be at odds with some of the likely applications – especially the use of shared shoplifter databases.
“To begin, staff recommends that companies using facial recognition technologies design their services with privacy in mind, that is, by implementing ‘privacy by design,’”

“For example, companies using digital signs capable of demographic detection – which often look no different than digital signs that do not contain cameras – should provide clear notice to consumers that the technologies are in use, before consumers come into contact with the signs.”

“Perhaps of most concern, panelists surmised that advances in facial recognition technologies may end the ability of individuals to remain anonymous in public places.[32] For example, a mobile app that could, in real-time, identify anonymous individuals on the street or in a bar could cause serious privacy and physical safety concerns, although such an app might have benefits for some consumers. Further, companies could match images collected by digital signs with other information to identify customers by name and target highly-personalized ads to them based on past purchases, or other personal information available about them online.[33] Social networks could identify non-users of the site – including children – to existing users, by comparing uploaded images against a database of identified photos. Although staff is not aware of companies currently using data in these ways, if they begin to do so, there would be significant
Also, a document cited in the report that details digital signage best practices can be found here.