
July 2, 2008

ALERT: ATM PIN NUMBERS HACKED!

Hackers broke into Citibank's network of ATMs inside 7-Eleven stores this year and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs -- the numeric passwords that theoretically are among the most closely guarded elements of banking transactions -- by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption -- which means encoding them to cloak them to outsiders -- some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed to be sacrosanct -- what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with Gartner research firm. "The banks need much better fraud detection systems and much better authentication."

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores in the U.S., but it doesn't own or operate any of them.
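The article says industry standards require PINs to be encrypted while in transit between the ATM and the host. The Go program below is an added example, not code from the article or from any ATM vendor, showing what that protection looks like at the smallest scale: forming an ISO 9564-1 format 0 PIN block from the PIN and the card number (PAN), encrypting it with 3DES under a PIN encryption key, and recovering the PIN on the host side. The PIN, PAN and key are constructed test values, and the single-block 3DES operation under a hard-coded key is an assumption for illustration; a real PIN pad uses a key injected by the acquirer and never stores it in software. Note in the output that the clear block still exposes the first two PIN digits, which is exactly why the block must never travel unencrypted.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// formatZeroPinBlock builds a clear ISO 9564-1 format 0 PIN block:
//   PIN field = control nibble 0, PIN length nibble, PIN digits, padded with F to 16 hex digits
//   PAN field = 0000 followed by the rightmost 12 PAN digits excluding the check digit
//   block     = PIN field XOR PAN field (8 bytes)
func formatZeroPinBlock(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return block, errors.New("PIN must be 4 to 12 digits")
	}
	if len(pan) < 13 {
		return block, errors.New("PAN must have at least 13 digits")
	}
	for _, r := range pin + pan {
		if r < '0' || r > '9' {
			return block, errors.New("PIN and PAN must be decimal digits")
		}
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	panNoCheck := pan[:len(pan)-1]
	panField := "0000" + panNoCheck[len(panNoCheck)-12:]
	p, _ := hex.DecodeString(pinField)
	q, _ := hex.DecodeString(panField)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// recoverPin reverses formatZeroPinBlock on a clear block, as the host does after decryption.
func recoverPin(block [8]byte, pan string) (string, error) {
	if len(pan) < 13 {
		return "", errors.New("PAN must have at least 13 digits")
	}
	panNoCheck := pan[:len(pan)-1]
	q, _ := hex.DecodeString("0000" + panNoCheck[len(panNoCheck)-12:])
	var p [8]byte
	for i := range p {
		p[i] = block[i] ^ q[i]
	}
	field := strings.ToUpper(hex.EncodeToString(p[:]))
	if field[0] != '0' {
		return "", errors.New("not a format 0 block")
	}
	n, err := strconv.ParseInt(field[1:2], 16, 8)
	if err != nil || n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	return field[2 : 2+n], nil
}

// encryptPinBlock encrypts one 8-byte PIN block under a 24-byte 3DES PIN encryption key.
// A PIN block is exactly one cipher block, so it is encrypted directly (ECB, single block).
func encryptPinBlock(key []byte, clear [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], clear[:])
	return out, nil
}

// decryptPinBlock is the host-side inverse of encryptPinBlock.
func decryptPinBlock(key []byte, enc [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Decrypt(out[:], enc[:])
	return out, nil
}

// demoKey is a constructed 24-byte test key; a real PEK is injected into the PIN pad, never hard-coded.
var demoKey = []byte("0123456789abcdef01234567")

func main() {
	pin, pan := "1234", "4321987654321098" // constructed sample values
	clear, _ := formatZeroPinBlock(pin, pan)
	enc, _ := encryptPinBlock(demoKey, clear)
	fmt.Printf("clear block: %X  (leading nibbles still show part of the PIN)\n", clear)
	fmt.Printf("encrypted:   %X\n", enc)
	dec, _ := decryptPinBlock(demoKey, enc)
	got, _ := recoverPin(dec, pan)
	fmt.Println("host recovered PIN:", got)
}
```

The operator's failure described in the article corresponds to sending the clear block (or the raw keypad digits) over the network instead of the encrypted one; anything that can see the link then reads the PIN with no more effort than the XOR in recoverPin.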

June 18, 2008

Is Windows the Problem?

Using virus- and malware-laden software used to be bad only for one's productivity. As it turns out, it can also be a bad idea for one's career.

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community's respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities and fell prey to malware.

An investigation showed he hadn't downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it was so badly configured that it may well have already been hacked, said Tami Loehrs, a forensics investigator hired by Fiola's defense team. The Microsoft Systems Management Server software on the laptop was misconfigured and was not receiving critical software updates, and the laptop's Symantec antivirus software was either misconfigured or not working properly, she said.

"He was handed a ticking time bomb," she said.

In this case, it's called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola. Could this have happened with Linux or the Mac? Yes and maybe. Yes, because weak IT yields weak security. But maybe, because both of these Unix-based systems handle security much better than Windows traditionally has. But that's not really the point.

The real villains here, of course, are the pornography swine who inflict themselves on unsuspecting users. There are enough losers out there interested in porn that nobody needs to trick the unwilling into viewing it or distributing it.

We like to think of our computers as tools. In this case, however, it was Mr. Fiola that became the tool, however unwittingly.

This calls to mind just how critical it is to ensure our systems are secure. If, in fact, Linux or Mac are more secure from this sort of problem (a point that is debatable), then the "low cost" associated with Windows and ease of use must be balanced against the very real problems that can arise from using Windows (or, at least, older versions of Windows).

Did Microsoft create this problem for Mr. Fiola? No. If anything, it sounds like his IT department is to blame. But if it were me, I'd be asking for a Mac when joining a new company. With the Mac, my odds of having a Fiola-esque experience go down dramatically.

June 8, 2008

Students Hack Windows Cardspace

Students at the Ruhr University of Bochum, Germany, say they have found a way to steal security tokens in Microsoft's new CardSpace authentication framework. Attackers can apparently get access to protected, encrypted user data – such as passwords, credit card numbers, and delivery addresses – when they are transmitted. CardSpace (formerly InfoCard) is the successor to Passport. In both architectures, users' personal data are stored locally on the user's system. Depending on the web site, users can decide which data they want to transmit. CardSpace is designed to make classic passwords a thing of the past, by replacing them with digital certificates that may be self-signed or signed by an authoritative CA such as Verisign.

According to the report, anti-DNS pinning, DNS rebinding, DNS spoofing, and drive-by pharming are apparently all successful ways to steal transmitted tokens. Attackers basically need to manipulate the user system's name resolution so that the token for the browser-based CardSpace is sent to the attacker. To this end, attackers manipulate the DNS entries on a router, for instance by means of cross-site request forgery, and send the attacked user to a malicious name server. If the attacker manages to switch name resolution during an authentication process so that the victim lands both on a shop's genuine CardSpace website and on a malicious forgery, the attacker then gets the token. During the token's validity, attackers can then pretend to be the user in question when they go shopping.

The students have created a demo server that they claim demonstrates the problem. To reproduce the demonstration, you should change your own DNS settings and install an untrusted certificate. In our test at heise Security, we could not get the demonstration to run, however. Microsoft has apparently already been informed of the problem and is working on a solution. In their report, the students propose improving Same Origin Policy as a security function for browsers.
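The attack described above hinges on the client's name resolution being switched mid-authentication so that the token goes to the wrong host. The Go program below is an added example, not the students' code or anything from Microsoft, of the client-side pinning defence that a browser or identity selector can apply: it refuses DNS answers that point a public name at an internal address (loopback, RFC 1918, link-local) and pins each name to the first address it resolved to for the duration of a session, so a later, different answer for the same name is rejected. The RebindGuard type, its policy, and the sequence of answers are constructed for the demonstration; a real implementation would also have to handle TTL expiry and legitimate address changes.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

// RebindGuard implements two client-side defences against DNS rebinding:
//  1. refuse answers that point a public name at an internal address, and
//  2. pin a name to the first address it resolved to for the life of a session,
//     so a mid-session switch of resolvers cannot redirect the token.
type RebindGuard struct {
	mu     sync.Mutex
	pinned map[string]net.IP
}

func NewRebindGuard() *RebindGuard {
	return &RebindGuard{pinned: make(map[string]net.IP)}
}

// isInternal reports whether an address is loopback, RFC 1918/ULA private,
// link-local, or unspecified: none of these belong behind a public hostname.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// Accept validates one DNS answer (name -> addr). It returns the address the
// client should use, or an error explaining why the answer was refused.
func (g *RebindGuard) Accept(name, addr string) (net.IP, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return nil, fmt.Errorf("%s: unparseable address %q", name, addr)
	}
	if isInternal(ip) {
		return nil, fmt.Errorf("%s: answer %s is an internal address, refused", name, ip)
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if prev, ok := g.pinned[name]; ok {
		if !prev.Equal(ip) {
			return nil, fmt.Errorf("%s: pinned to %s, rebinding to %s refused", name, prev, ip)
		}
		return prev, nil
	}
	g.pinned[name] = ip
	return ip, nil
}

// answer is one constructed DNS reply, in the order the client saw it.
type answer struct{ name, addr string }

// replay feeds a sequence of answers through a fresh guard and reports,
// per answer, whether it was accepted.
func replay(seq []answer) []bool {
	g := NewRebindGuard()
	out := make([]bool, len(seq))
	for i, a := range seq {
		_, err := g.Accept(a.name, a.addr)
		out[i] = err == nil
	}
	return out
}

func main() {
	// Constructed scenario: the shop first resolves to its genuine address, a
	// switched resolver then tries to send the same name elsewhere, and another
	// name is pointed at the LAN router. Addresses are from documentation ranges.
	seq := []answer{
		{"shop.example", "203.0.113.10"}, // genuine answer: accepted and pinned
		{"shop.example", "203.0.113.10"}, // same answer again: fine
		{"shop.example", "198.51.100.7"}, // rebinding attempt: refused
		{"idp.example", "192.168.1.1"},   // points at the home router: refused
	}
	g := NewRebindGuard()
	for _, a := range seq {
		if ip, err := g.Accept(a.name, a.addr); err != nil {
			fmt.Println("REFUSED:", err)
		} else {
			fmt.Println("ok:", a.name, "->", ip)
		}
	}
}
```

Pinning only closes the mid-session switch; the router-side DNS change the report mentions is a separate problem that the router's own CSRF protection and non-default credentials have to address.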

June 7, 2008

MICROSOFT SCAMS AGAIN!

Businesses that skip Windows Vista and upgrade their computers directly from the XP operating system to Windows 7 could expose themselves to security risks and other problems, Microsoft says in a new white paper.

Bypassing Vista could have "implications for security, support, and regulatory compliance and reduce flexibility in the face of changing business requirements," writes Microsoft VP Mike Nash, in the paper. Specifically, Nash says that businesses that wait for Windows 7 -- set for release in late 2009 or early 2010 -- to upgrade from XP could find themselves using outdated applications that don't employ proper security safeguards or are no longer supported.

They also won't get the advantage of new security technologies and other improvements that Microsoft embedded in Vista, Nash says. "By not deploying Windows Vista, it means missing out on the proven benefits such as better security, productivity, search, mobility, manageability and infrastructure optimization," Nash says in the paper, which is titled "The Business Value Of Windows Vista."

Do you remember any similar pushes with previous operating systems? This could possibly be because of the absolute travesty that is Vista security, which has kept so many large businesses from switching to the operating system. After such an outcry from the IT community and backlash against their prettiest operating system, Microsoft has decided to switch tactics from marketing to George Bush-esque "strategertizing". Overheard in a consultation: "Oh, so you don't want to upgrade to Vista? If you don't, you will never be able to upgrade again!!!" Basically they are trying to tell you that if you don't upgrade to Vista, you can't upgrade to 7. And you can bet that the 7 installer won't allow an install from XP, and will most likely offer a discount upgrade to Vista: 49.99 so that you can upgrade to Vista so that you can upgrade to 7 (it's a steal!!!)

June 2, 2008

Microsoft wants your Opinion?

In the continuing effort to improve computer and network security, Microsoft has developed the End to End Trust initiative. As a part of that initiative, Microsoft is seeking input from users and information security professionals to help answer the questions that need to be addressed in order to evolve computer security, such as: How should we enhance security on the Internet without undermining social values, such as privacy and anonymity? There are more questions to be answered in the End to End Trust Forums. Scott Charney, Microsoft's Corporate Vice President of Trustworthy Computing, has developed a white paper entitled Establishing End to End Trust which provides more details on Microsoft's vision.

While it is not beyond the stretch of a reasonable person's imagination that a giant of the industry would want to keep its users secure, the employees and designers of Microsoft have shown a lack of willingness to address serious security issues, and wrap every tiny piece of security as the next big step in computing rather than as the required software that all of this should have been back in Windows 98. It seems that every time Microsoft attempts security, it undoubtedly blows up in its face. So I would encourage you to voice your opinion to Microsoft: let them know you value your security, as well as your wallet.

May 30, 2008

Is your cell phone vulnerable?

Recently, it was disclosed that a malformed JPEG image could allow a remote attacker to execute arbitrary commands on the Motorola RAZR phone firmware.

A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.

So some user interaction is required: accepting the MMS. However, people by and large trust image files, so that isn't a difficult social engineering hurdle.

Perhaps we'll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all.

However, next time that cute chick you met on MySpace sends you a "picture", think twice about opening it.

January 14, 2008

Hacker Safe?

Please, don't be lulled into a false sense of security just because a website has the Hacker Safe logo on it. "Why not?" you ask me. BECAUSE- *DURRRRR* NOTHING IS HACKER SAFE. But why, specifically? The Hacker Safe certification is a subscription program through various companies, and although your favorite "adult" website may be Hacker Safe when you register, this doesn't mean it will be two weeks down the road. What the companies do is test each registered website every day using an automated scanner, and if they find problems they tell the website. That's it; they don't fix it, they don't force the website to take down the certification, nothing. They just say "Hey, there's a problem." Don't believe me?
Geeks.com is a $150 million company specializing in the sale of excess inventory and manufacturers' closeouts. Its Web site says that it is tested on a daily basis by ScanAlert Inc., which offers a service that constantly monitors sites for vulnerabilities.
But ScanAlert spokesman Nigel Ravenhill said via e-mail last week that the vendor, which is being acquired by McAfee Inc., had withdrawn its Hacker Safe certification from Geeks.com "several times" last year after finding vulnerabilities in the retailer's systems. Geeks.com fell out of compliance last June and again in December, he said.
The compromised information included names, addresses, telephone numbers and Visa credit card numbers, according to a copy of the letter posted on The Consumerist blog.
Now, what are the implications of this break-in? Am I telling you that you should be a paranoid schizo when doing business on the Internet? DUH. A wise man once told me, "Putting your credit card on the Internet is like putting your naughty parts in a wood grinder." Although it's not the most glamorous quote in the world, it's true. Listen to the man; don't stick your wah-wah in the wood grinder.

January 10, 2008

Calling All Hackers!

Digital Armaments January-February Hacking Challenge: Special 20.000$ Prize - Windows Vulnerabilities and Exploit
Challenge publication is 01.04.2008
http://www.digitalarmaments.com/challenge200801566321.html

I. Details
Digital Armaments officially announces the launch of the January-February hacking challenge.
The challenge starts on January 1. For the January-February Challenge, Digital Armaments will give a SPECIAL PRIZE of 20.000$ for each submission that results in an Exploitable Vulnerability or Working Exploit for Windows or a Windows Diffuse Application. This should include an example and documentation.
The submission must be sent during the January/February months and be received by midnight EST on February 29, 2008. The 20.000$ PRIZE will be an extra added to the normal vulnerability payment (check the DACP scheme).