The BBC discusses a man-in-the-middle attack on EMV payment cards, also known as Chip-and-PIN. The attack was developed by a team at Cambridge University in the UK. Using a real card wired up to a laptop, connected to a fake card that is inserted in the POS terminal, this attack can authorize payments with an arbitrary PIN.
I am not sufficiently familiar with the cryptography in use for the EMV protocol, but my first thought is that astute observation by POS personnel should provide substantial defense against this entire class of attack: if someone shows up at your cash register with an EMV card wired to his backpack, something fishy is probably afoot.
My other thought has to do with the notion that banks might attempt to shift the responsibility for fraudulent Chip-and-PIN transactions to the consumer. “Since EMV is so secure,” the reasoning goes, “the PIN authorization is proof positive that the transaction is valid.” Except it has now been shown that PIN authorization can be spoofed.
Security is not black and white: it does not make fraud impossible, but makes it harder and more expensive to commit fraud. The protection level provided by a security feature should be commensurate to the value of the transaction it protects. Too high a protection level is likely to be more cumbersome, or more expensive, than the transaction in question justifies.
The Web Hacking Incidents Database 2009: Bi-Annual Report is out. If I recall correctly, the first report Breach did, in 2007, did not mention any bi-annualness. Also, the eventual landing page has as HTML title “<title>The Web Hacking Incidents Database 2008: Annual Report</title>”. Is it possible that they simply didn’t get their act together last year and retroactively declared the report bi-annual?
I went in through the link above, gave up my e-mail, phone number and name of my first born, and downloaded the report. This will probably land me another copy of every marketing e-mail Breach sends out (guess how I learned of this report?), and a phone call from some poor guy in a cube who has to make 75 phone calls a day for a living. Oops, guess I put down a fax number. Sorry dude, hope your headset isn’t too loud.
Anyway, after you go through the lead generation form you land here and can follow a direct link to the PDF. This is fairly standard practice, but from a security company I would expect that they would make some more effort to not inadvertently expose the goods.
I will give this report a read, and probably discuss it in my upcoming talk at ApacheCon US 2009. Oh, they just extended the early bird registration deadline… without changing their own website to tell you about it. Register now and experience the mayhem.
At the end of my Hardening Enterprise Apache Installations Against Attacks presentation at ApacheCon US 2008 I had a slide of interesting reading material. Here are the books on the list, and links to some of the articles: (more…)
Man In The Middle is defeated by context. – Bruce Schneier
As has been widely discussed, Firefox 3.0 is a little over-zealous when it encounters an unknown certificate on an SSL website. Where previous versions would just warn the user about the observed irregularities, the new version requires that the user add an exception for every certificate that has an unknown certification chain, is expired or for which the hostname does not match the information in the certificate.
Adding an exception takes four clicks, most met with a stern warning that will deter anyone but the most determined user. Folks who use self-signed certificates as a matter of habit are howling, because they have to tediously make exceptions for all of them. This Firefox feature seems over the top, but is it? (more…)

At the end of my conference presentations, I usually put a Conference Roadmap slide. This slide shows sessions at the conference that are related to mine, and that attendees may find worthwhile to check out. For my Hardening Enterprise Apache Installations session this coming Thursday, I would suggest the following related conference content:
Besides the training (which happened on Monday), this means that you can pretty much stay in the same room all Thursday and catch all the Security-related talks. In addition, of course, this track will be streamed live for a modest fee, so you can watch from the comfort of your own office if you find yourself unable to make it to ApacheCon this year.
According to the Web Hacking Incidents Database 2007 Annual Report, SQL Injection is still the most common attack vector for security breaches on websites. Consider the following cartoon:

Why is it that our websites almost universally use a data access language whose statements can be completely subverted by the parameters fed into the queries? The problem is that (more…)
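To make the point concrete, here is an added example (not from the original post) in Python against an in-memory SQLite table: the same lookup written with string concatenation, where the parameter becomes part of the SQL grammar and can rewrite the WHERE clause, and with a bound parameter, where the statement shape is fixed before the value is seen. The table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation. The parameter is parsed as SQL,
    so a value containing a quote can change what the query means."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_vulnerable_safe(conn, name):
    """Same concatenated query, but reports a syntax failure as None instead
    of raising: even an innocent apostrophe (o'brien) breaks the statement."""
    try:
        return lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return None


def lookup_parameterized(conn, name):
    """Hardened form: the value is passed separately and bound by the driver
    as data, so it can never alter the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, crafted))      # every row
    print("parameterized:", lookup_parameterized(db, crafted))  # no rows
    print("apostrophe, concatenated:", lookup_vulnerable_safe(db, "o'brien"))
    print("apostrophe, parameterized:", lookup_parameterized(db, "o'brien"))
```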
I have turned on SSL on my site, primarily to be able to log into the management interface of the blog engine over a secure connection. You are welcome to read the blog over SSL. The certificate was signed by Cacert.org, so you will want to download their root certificates and install them into your browser.
No guarantees that using SSL will make me post more often. Life has been busy.
Registration is now open for ApacheCon US 2008. There will be an Early Bird discount, so register early and Save! The schedule is up and I’m very happy to see the return of the schedule grid that shows the entire conference on one page. J. Aaron has done a great job on the site.
I will be presenting one session at the conference: Hardening Enterprise Apache Installations Against Attacks will discuss security issues with the Apache Web Server and how the developer team reacts to issues as they are found. We’ll also talk about protecting applications that are served by the Apache server and may be the target of attacks that do not subvert the web server itself, but the code behind it.
The first time I did this talk, at ApacheCon EU 2008, I ran out of time. There’s so much to talk about! The feedback forms submitted by the attendees did, however, identify some spots I can tighten up, so I’m looking forward to presenting a new, updated version of the talk this fall.
Hope to see you, first week of November, in New Orleans!

Firms whose business interests are served by having us be scared of scams advise us to expect scams. Film at eleven.
We’re doing a PGP Keysigning again at ApacheCon Europe 2008, but the Apache Wiki is down today so I can’t update its PGPKeySigning page. Several folks have already sent me their key: thank you very much!
The Keysigning session will happen at the tail end of the Welcome Reception, and hopefully be done before the BOFs start. If you would like to participate, send your public key to sctemme at apache dot org before 3PM on Wednesday. I will compile the key list after I’m done with my talks.