Card skimmers at a supermarket chain – Inside job?

From the Mercury News (via ars technica):
“Further evaluation uncovered an extra computer board that had been placed inside the checkout machine, recording customers' financial information.”
So…how did a skimmer get inside the checkout machine?

How not to disburse financial aid

Decades ago I worked for a small college with a strong, forward-looking leader who firmly believed a significant fraction of our interactions with students should be computerized. He believed that if we automated background bureaucracy we could better handle the budget cuts and shift more resources into classrooms. He also believed that if students had a clear, consistent interface into our bureaucracy they’d be better, happier learners.

My job was to make that happen.

Car goes over cliff, undetected

A car goes over the edge of a cliff on a narrow mountain road. The driver survives, but the accident goes undetected for six days. After five days, the family files a missing persons report. Law enforcement tells them that follow-up will take days. The family doesn’t wait. They locate the car using their own means with the help of a detective and the phone company, including what appears to be one of the controversial warrantless cell phone locates that law enforcement does millions of times per year.

Comcast Internet Essentials - Low Cost Internet


Comcast is bringing their ‘Internet Essentials’ to our local service area. Under this program, families who qualify for free school lunches are eligible for $10/month internet from Comcast.

Kudos to Comcast.

What do Linux.com & Kernel.org have in common?

Down for maintenance. Hacked…pwned…rooted…

Can you imagine the holy shitstorm that the Linux fanboys would be flinging out the door if this had happened to Microsoft?

The root cause analysis on these will be interesting reads.

HP Drops State of the Art Tablet, Re-Introduces Antique Calculator

HP’s Touchpad Tablets are dead. HP’s RPN calculators are back.

What’s next, single pen flatbed plotters?

BTW- I must be old. I still have an HP 11C…

…and I remember when we upgraded our single pen flatbed plotter to a state of the art 6 pen moving paper plotter complete with automatic pen selection. Instead of the plotter stopping and waiting for you to switch from the black pen to the red pen, the plotter would automagically put the black pen back into the carousel and pick up the red pen.

We were impressed. 

Kernel.org hacked…

The message from kernel.org is consistent with the message from pretty much everyone that gets hacked. 
  • Don’t worry
  • Be happy
  • We know what we are doing
  • Everything is Ok

I’ll be looking forward to something resembling ‘full disclosure’. It should be an interesting read.

Oracle 11.2.0.n - Sev 1, Sev 1, Sev 1, and Sev 1

One database, four SRs at Sev 1. The oldest has been a Sev 1 for 16 days.

Nice, eh?

We’re pretty sure that Oracle 11.2.0.wtf doesn’t play anywhere near as nice with our workload as 10.2.0.[45].

FWIW - The ‘SUN box stuck’ SR is open because a diagnostic script that Oracle had us run deadlocked a DB writer on a libaio bug in Solaris 10 (Bug 6994922).

Deprovisioning as a Security Practice II

In Service Deprovisioning as a Security Practice, I asserted that using a structured process for shutting down unused applications, servers & firewall rules was good security practice.

On the more traditional employee/contractor deprovisioning process, I often run into managers who view employee deprovisioning as something that protects the organization from the rogue former employee who creates chaos after they leave. If they feel that the former employee is leaving on good terms and unlikely to ‘go rogue’, they treat account deprovisioning as a background, low priority activity.
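The gap that attitude leaves is easy to measure. The following is an added example (not from the original post): it cross-references an HR separation list against a directory export and reports accounts that stayed enabled, or were used, after the owner's last day. Both data sets are constructed samples; a real run would read the HR feed and a directory export, and the owner-id mapping and grace period are assumptions.

```python
"""Stale-account check after separation.

Added example, not from the original post: cross-references an HR
separation list against an account directory export and reports accounts
that remained enabled, or were used, after the owner's last day, which is
what a 'background, low priority' deprovisioning process leaves behind.
Both data sets are constructed samples.
"""
from datetime import date, timedelta

# Constructed: HR separation records, employee id -> last working day.
SEPARATIONS = {
    "e1001": date(2011, 8, 12),
    "e1002": date(2011, 9, 1),
    "e1003": date(2011, 9, 20),
}

# Constructed: directory export as (account, owner id, enabled, last logon).
ACCOUNTS = [
    ("jdoe",     "e1001", True,  date(2011, 9, 2)),   # used three weeks after leaving
    ("jdoe-adm", "e1001", True,  None),               # privileged secondary account, never touched
    ("asmith",   "e1002", False, date(2011, 8, 30)),  # disabled on time
    ("bwong",    "e1003", True,  date(2011, 9, 19)),  # still employed on the check date
    ("svc-bkp",  None,    True,  date(2011, 9, 19)),  # service account with no owner
]


def stale_accounts(accounts, separations, today, grace_days=1):
    """Return (account, reason) pairs the deprovisioning process missed."""
    findings = []
    for name, owner, enabled, last_logon in accounts:
        if owner is None:
            # Nobody ever 'leaves' for this account, so nothing triggers deprovisioning.
            findings.append((name, "no owner on record"))
            continue
        last_day = separations.get(owner)
        if last_day is None or today <= last_day:
            continue  # current employee
        overdue = today - last_day
        if enabled and overdue > timedelta(days=grace_days):
            findings.append((name, f"still enabled {overdue.days} days after separation"))
        if last_logon is not None and last_logon > last_day:
            findings.append((name, f"logon on {last_logon} after separation on {last_day}"))
    return findings


def check_sample(today=date(2011, 9, 19)):
    """Run the check over the constructed samples as of a fixed date."""
    return stale_accounts(ACCOUNTS, SEPARATIONS, today)


if __name__ == "__main__":
    for account, reason in check_sample():
        print(f"{account:10s} {reason}")
```

The logon-after-separation check is the one that matters to the manager who assumes the departure was amicable: it shows use, not just a forgotten account. Ownerless accounts are reported separately because no separation event will ever disable them.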

Have all big government internet projects

According to a UK ePetition by Harel Malka, we should:
Have all big government internet projects pass the approval of a technical panel made of professionals from the tech statup[sic] sector.
This is an interesting idea – and one that I could buy into (under the right conditions…)
I’m a government employee that manages systems and projects that run into the millions of dollars. Would advice from the private sector help me?

Maybe.

Gig.U, Gigabit to the Home

Gig.U is on track. That’s cool.

I’ll be very interested if Gigabit Ethernet to the home makes a difference to the ordinary home user. I’ll go on record and say that I don’t think it will. The Gig.U experiment might come up with novel and interesting uses that can’t be met by a 10 or 100Mbps home connection, but if the interesting & novel new uses for high bandwidth to the home show up, they will not radically change ordinary home users’ lives.

A new means of releasing software

From a recent conversation with a colleague, I learned that worms have been around a lot longer than I imagined:

.                      JOHN WALKER   JANUARY 1975
.
.
. THIS PROGRAM IS A TOTALLY NEW WAY OF DISTRIBUTING VERSIONS OF
. SOFTWARE THROUGHOUT THE 1100 SERIES USER COMMUNITY.  PREVIOUS
. METHODS REQUIRED THE DELIBERATE AND PLANNED INTERCHANGE OF
. TAPES, CARD DECKS, OR OTHER TRANSFER MEDIA.  THE ADVENT OF
. 'PERVADE' PERMITS SOFTWARE TO BE RELEASED IN SUCH A MANNER THAT
. IF SOMEONE CALLS YOU UP AND ASKS FOR A VERSION OF A PROCESSOR,
. VERY LIKELY YOU CAN TELL THEM THAT THEY ALREADY HAVE IT, MUCH
. TO THEIR OWN SURPRISE.

Self-replicating software more than a decade before the Morris worm (1988).

Cool.

Government Remotely Disables Software on Personal Computers

The FBI remotely disabled software installed on privately owned personal computers located in the United States.

If this isn’t controversial, it should be.

The software is presumed to be malicious, having been accused of stealing account information and passwords from hundreds of thousands of people.

Does that make it less controversial?

Hundreds of thousands of computers have one less bot on them. That’s certainly a good thing. Hundreds of thousands of computer owners had their computers remotely manipulated by law enforcement. Is that a good thing? A dangerous precedent?

Interesting, for sure.

Update: Gary Warner has an excellent write-up.

Your package has arrived.

I’m impressed by this scam e-mail:
Return-path: <tracking@ups.com>
Reply-To: <tracking@ups.com>
From: UPS Shipments <tracking@ups.com>
Subject: Your package has arrived!
Date: Thu, 2 Dec 2010 14:31:34 +0000
To: Undisclosed recipients:;
Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990*****749 and can be used at : <br />
<a href="http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
<br />
Thank you,<br />
United Parcel Service<br />
<p>*** This is an automatically generated email, please do not reply ***</p>
UUCLJNFYSDMJENHSLBIXJFGSUGKCVUTDYVBOGM

I’ve snipped the delivery related headers (not interesting) and *’d out a bit of the tracking number. The links are intact.

What is interesting is that when rendered as HTML, every visible link reads as a valid ups.com URL, including the tracking URL. If you click on the tracking URL and paste in the tracking number, you'll get some poor dude's house in Florida. If you click on what appears to be a valid link to an invoice, you have the opportunity to download what I assume is an interesting payload. (But alas, the golden hour has passed - those who amuse themselves by downloading interesting payloads will have to amuse themselves elsewhere.)

The finance people I know never met an invoice they didn't like. I'd imagine that for them, the temptation to click is overwhelming.

It’s not hard to make a case for reading mail in plain text.

BTW - Most bloggers mangle potentially hostile URLs prior to publication. This blogger presumes that the readers of this blog are smart enough to know what’s safe and what isn’t.

OS X Adaptive Firewall Automated Blacklisting

OS X Mini Server comes with an incarnation of 'ipfw' as its built in kernel firewall. Configuration of ipfw in an IPv4-only world is pretty simple. The Server Admin GUI covers the basics. The details are in /etc/ipfilter.

Square & VeriFone, My phone accepts payment cards

Square allows you to turn your phone into a payment card terminal.

Cool. For a mere 2.75% overhead, a merchant can accept credit cards using a free magnetic card reader attached to your phone headset jack. Your customers swipe their card and scribble their signature on your iSplat’s screen, your bank account gets a credit.

The obvious questions: How do you secure a mobile application such that it can safely handle payments? Is your Square enabled phone now covered under some sort of compliance regime?

Temporal Juxtaposition - The future of mobile banking

E-mail from a colleague:
So, within minutes of one another: 
Roundtable's Pitts: Mobile Will Connect Channels, Improve Security
"Mobile and banking fit together like chocolate and peanut butter," says Jim Pitts, project manager of the Financial Services Technology Consortium, the technology solutions division within The Financial Services Roundtable.
[ ... ] 
Google Kicks Rogue Apps Out of the Android Market
"[ ... ] Before their removal, the apps garnered between 50,000 and 200,000 downloads. The apps caused the phone to perform functions without the owner's consent. The Trojan embedded in them used a root exploit to access all of the phone's data and download malicious code. 
The publisher has been removed from the Android Market completely, and its apps reportedly have been deleted from phones, but this won't remove code that has been back-doored into a phone's program. Google reportedly is working on that problem.
[ ... ]

Awesome. We are going to bet our financial future on a rootable platform. I wonder how that will turn out.

I’m feeling déjà vu.

Somewhere in the OraBorg, an RSS feed is being updated

It’s Tuesday. My pre-OraBorg Google reader subscription shows a stream of security updates. Looks pretty bad:

Backup Performance or Recovery Performance?

“There is not a guaranteed 1:1 mapping between backup and recovery performance…” Preston de Guise, “The Networker Blog”
Preston's post reminded me of one of our attempts to build a sane disaster recovery plan. The attempt went something like this: 
  1. Hire consultants
  2. Consultants interview key staff
  3. Consultants draft recovery plan
  4. Consultants present recovery plan to executives

Well formed Comcast phishing attempt - “Update Your Account Information”

A well formed e-mail:

No obvious spelling errors, reasonably good grammar, etc. One red flag is the URL to the Comcast logo, but I wouldn’t bet on users catching that. The embedded link is another red flag:

http://login.comcast.net.billings.bulkemail4sale.com/update/l0gin.htm

[s/0/o/]

But one that would fool many. Users will not see that URL unless their e-mail client has the ability to ‘hover’ a link destination.

The ‘login page’ is well formed & indistinguishable from Comcast’s Xfinity login page:

All the links in the bogus login page (except the form submit) go to real Comcast URLs, the images are real, the page layout is nearly identical. The only hint is that the form submit doesn’t post to Comcast, but rather to[snip].bulkemail4sale.com/Zola.php:

Zola.php? Hmmm…

Filling out the bogus login page with a random user and password leads to a “Comcast Billing Verification” form requesting last, middle & first names, billing address, credit card details including PIN number, card issuing bank, bank routing number, SSN, date of birth, mothers maiden name, drivers license number, etc…

The “Comcast Billing Verification” form is very well constructed, generally indistinguishable from normal Comcast/Xfinity web pages. The submit action for the “Comcast Billing Verification” form is:

Hacker.php? This is not going to end well.

This is a very well constructed phishing attempt. Impressive, eh?

It took me a bit of detective work to determine the non-validity of this phish. Ordinary users don’t have a chance.
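The detective work reduces to three checks on the URLs, none of which an ordinary user will do by hand. The following is an added example (not code from the original post or from Comcast): it tests whether the brand's domain is only a subdomain of someone else's registrable domain, whether a digit is standing in for a letter in a credential-related path word (l0gin), and whether the login form posts to the brand's own domain at all. The registrable-domain logic uses a tiny constructed suffix table rather than the Public Suffix List, the set of brand domains is an assumption, and the form-action host is constructed because the post snips it.

```python
"""Lookalike-URL checks.

Added example, not from the original post or from Comcast: the three
checks a practitioner would run against the URLs in this phish. The
suffix table and brand domain set are assumptions; PHISH_FORM_ACTION is a
constructed stand-in because the post snips the host label.
"""
import re
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Assumption: the domains the brand actually serves logins from.
BRAND_DOMAINS = {"comcast.net", "comcast.com", "xfinity.com"}

DIGIT_FOR_LETTER = {"0": "o", "1": "l", "3": "e", "5": "s"}
SENSITIVE_WORDS = {"login", "signin", "account", "password", "verify", "secure", "billing"}

PHISH_LINK = "http://login.comcast.net.billings.bulkemail4sale.com/update/l0gin.htm"
PHISH_FORM_ACTION = "http://bulkemail4sale.com/Zola.php"   # real host label snipped in the post
REAL_LOGIN = "https://login.comcast.net/login"


def registrable_domain(host):
    """Last two labels, or three when the tail is a known two-label public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def brand_as_subdomain(url, brands=BRAND_DOMAINS):
    """True when a brand domain sits inside the host but the host registers as something else."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    return any(f".{b}." in f".{host}." and reg != b for b in brands)


def homoglyph_words(url):
    """Path tokens that spell a credential word once digit look-alikes are mapped back."""
    found = []
    for token in re.findall(r"[A-Za-z0-9]+", urlparse(url).path):
        if any(c.isdigit() for c in token) and any(c.isalpha() for c in token):
            normalized = "".join(DIGIT_FOR_LETTER.get(c, c) for c in token.lower())
            if normalized in SENSITIVE_WORDS:
                found.append((token, normalized))
    return found


def form_posts_to_brand(action_url, brands=BRAND_DOMAINS):
    """True only when the form submit lands on one of the brand's own domains."""
    return registrable_domain(urlparse(action_url).hostname or "") in brands


def assess(url, form_action):
    """Collect the reasons this page should not be given a password."""
    reasons = []
    if brand_as_subdomain(url):
        reasons.append("brand appears only as a subdomain of "
                       + registrable_domain(urlparse(url).hostname))
    for token, word in homoglyph_words(url):
        reasons.append(f"path token {token!r} is a digit-substituted {word!r}")
    if not form_posts_to_brand(form_action):
        reasons.append("login form posts to "
                       + registrable_domain(urlparse(form_action).hostname))
    return reasons


if __name__ == "__main__":
    for reason in assess(PHISH_LINK, PHISH_FORM_ACTION):
        print("-", reason)
```

The first check is the one browsers and mail clients could surface but generally do not: everything left of the registrable domain is attacker-controlled text, and `login.comcast.net` is exactly that here. The form-action check is the only one that needs the page itself, which is why the author had to fetch it to be sure.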

Where is anonymous when you need them?

The benevolent dictator has determined…

…that you are not qualified to decide what content you read on the device you’ve purchased.

If the New York Times story is true, Apple is rejecting an application because the application allows access to purchased documents outside the walled garden of the iTunes app store.

“Apple told Sony that from now on, all in-app purchases would have to go through Apple, said Steve Haber, president of Sony’s digital reading division.”
I keep thinking that there’d have been an outcry if Microsoft, at the height of their monopoly, had exercised complete control over the documents that you were allowed to purchase and read on your Windows PCs.

$100 million dollars per mile and no redundancy?

“Light-rail service throughout downtown Minneapolis was halted Thursday for about four hours because of a downed wire that powers the trains from overhead…”

Apparently there is no redundancy.

I’m not thinking about this because I care about the commuters who were stranded, but rather because of how it relates to network and server redundancy and availability.  My group delivers statewide networking, firewalling, ERP and eLearning applications to a couple hundred thousand students and tens of thousands of employees. 
  • Availability is expensive 
  • We hear about it when our systems suck 
  • We have no data that can tell us how much an outage costs. We are an .edu. Our students don’t switch vendors if they can’t access our systems for a few hours.
In that environment, how do you make a cost vs. availability decision?

LeanEssays: A Tale of Two Terminals

Mary Poppendieck's LeanEssays: A Tale of Two Terminals compares the smooth opening of Terminal 3 at Beijing Capital Airport with the rough opening of Heathrow Terminal 5.

A great read for those who've been at the tail end of a long, complex, schedule slipping scope creeping IT project (or for those who have been at the head end of a long, complex IT train wreck).

Via: Tom Limoncelli, Testing is a waste of time.