Friday, 22 August 2014

Stealthy, Razor Thin ATM Insert Skimmers

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.
The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.
A side view of the stainless steel insert skimmer pulled from a European ATM.
A side view of the stainless steel insert skimmer pulled from a European ATM.
“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”
Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):
The backside of the insert skimmer reveals a tiny battery and a small data storage device (far left).
The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).
Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.
Virtually all European banks issue chip-and-PIN cards (also called Eurocard, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.
For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdrawal cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.
This angle shows the thinness of this insert skimmer a bit better.
This angle shows the thinness of this insert skimmer a bit better.
According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries with a total deployment of more than 640,000 cash machines, European financial institutions are increasingly moving to “geo-blocking” on their issued cards. In essence, more European banks are beginning to block the usage of cards outside of designated EMV chip liability shift areas.
“Fraud counter-measures such as Geo-blocking and fraud detection continue to improve,” EAST observed in a report produced earlier this year. “In twelve of the reporting countries (two of them major ATM deployers) one or more card issuers have now introduced some form of Geo-blocking.”
Source: European ATM Security Team (EAST).
Source: European ATM Security Team (EAST).
As this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.
Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Facebook given 4 weeks to respond to "largest privacy class action in Europe"

Austrian law student Max Schrems has won the first round in his class action lawsuit against Facebook over online privacy.
After an initial hearing yesterday, Austria's Vienna Regional Court gave Facebook Ireland four weeks to respond, though it can ask the court for an extension of an additional four weeks if required.
Speaking after the decision, Mr Schrems said:
The order is very likely on the way to Facebook via registered mail. The first step in the legal procedure is hereby taken.
He also explained how the court could pass judgement in absence if Facebook Ireland failed to submit a counter-statement within the allowed timescale.
Schrems revealed that 25,000 users from outside of the US and Canada have signed up to support the case, subject to review by his legal team. This, he says, makes it "the largest privacy class action in Europe."
A further 35,000 Facebook users have registered their support via and await a decision from lawyers as to whether the case can be expanded to include their claims.
Facebook v Europe said it had to cap the number of claimants to 25,000 for logistical reasons, Schrems said.
With this number of participants we have a great basis, to stop complaining about privacy violations and actually do something about it. If we are successful, the outcome will of course have a positive impact on all users.
Schrems and the other members of the class action lawsuit are seeking damages of €500 each ($664/£400) for alleged data violations by Facebook - including the unauthorised use of data, supporting NSA spying, tracking users on external websites and passing on user data to third-party companies and apps without authorisation.
The action is being taken against Facebook Ireland for jurisdictional reasons – Dublin is the European HQ for the New York-based social network.
Mr Schrems has been challenging Facebook over its use of data for some time now and currently has more than 20 active complaints lodged with the Irish Data Protection Commission.
The most high profile of those complaints is based around the social network's relationship to the US National Security Agency (NSA) and its PRISM programme.
In a recent landmark case, Schrems' claimed that Ireland's Data Protection Commissioner Billy Hawkes had misinterpreted and applied the law when challenged over the transfer of Facebook user data to the NSA.
High Court Justice Gerard Hogan, however, ruled that Schrems was entitled to protest over data being shared with an organisation that was not entirely compatible with the Irish constitutional views on privacy, regardless of whether he could prove his own data had been spied upon or not.
The case was subsequently escalated to the European Court of Justice.

NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

There's a new story on the c't magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties.
The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they've completed port scans of 27 different countries and are prepared to do more.
The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: "2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible." They've automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify "a list of 3000+ potential ORBs" in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.
Slides from the UK's GCHQ also talk about ORB detection, as part of a program called MUGSHOT. It, too, is happy with the automatic process: "Initial ten fold increase in Orb identification rate over manual process." There are also NSA slides that talk about the hacking process, but there's not much new in them.
The slides never say how many of the "potential ORBs" CSEC discovers or the computers that register positive in GCHQ's "Orb identification" are actually infected, but they're all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA.
Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks.
The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that. In this case, the reporters have said nothing about where the documents come from. I don't know if this is an omission -- these documents sure look like the sorts of things that come from the Snowden archive -- or if there is yet another leake

Researchers Made a Fake Social Network to Infiltrate China's Internet Censors

It's no secret that China has been censoring and controlling the information its citizens can send and receive, especially on the internet. But, until Harvard researchers recently broke into the system, no one knew exactly how it worked.
Today, researchers from Harvard and the University of California San Diego released a report in Science that reads more like a spy novel than a scientific paper.
In order to get inside China's notorious filter, researcher Gary King and his team created dozens of shill accounts and posted hundreds of messages on China's most popular social networks to see what would be filtered. But then, the team went one step further, creating its own fake social network in order to gain access to the programs used to censor content, so it could reverse-engineer the system.
"From inside China, we created our own social media website, purchased a URL, rented server space, contracted with one of the most popular software platforms in China used to create these sites, submitted, automatically reviewed, posted, and censored our own submissions," King wrote.

the government is promoting innovation and competition in the technologies of censorship

"We had complete access to the software, documentation, help forums, and extensive consultation with support staff; we were even able to get their recommendations on how to conduct censorship on our own site in compliance with government standards," he continued.
These are the two basic methods of censorship. Image: Science
After running a series of tests on both Weibo (China's Twitter) and its own fictitious social network, King and his team came to a surprising conclusion: It's generally OK to criticize the government in China, as long as you aren't inciting others to act.
The country, he says, is worried about uprisings, protests, and anything that could spur real-life action, not government criticism. Many of those posts are caught in an auto keyword filter or are deleted by manual censors, who have dozens of options for banning IP addresses, users, and deleting or hiding social media posts.
While China is essentially autocratic, King says that it's a "responsive" autocracy, meaning the government is cool with people criticizing their local leaders. In fact, it actually serves the government well if they do so.
"The knowledge that a local leader or government bureaucrat is engendering severe criticism—perhaps because of corruption or incompetence—is valuable information," he wrote. "That leader can then be replaced with someone more effective at maintaining stability, and the system can then be seen as responsive."
So, that's why criticism is allowed, but calls to action aren't: The most commonly censored posts include words like "masses," "incident," "terror," "go on the streets," and "demonstration."
A list of the various options available for censorship. Image: Science
What makes King's report truly notable is sorting out how China censors content, and on that, China has found, perhaps, a Silicon Valley-esque solution: Allowing each social media network to attempt to disrupt censorship itself.
"We conclude that the government is (perhaps intentionally) promoting innovation and competition in the technologies of censorship," he wrote. "Such decentralization of policy implementation as a technique to promote innovation is common in China."
It makes sense, if you think about it. China can maintain the illusion of not censoring posts if it's implemented on a slightly different basis by hundreds of companies throughout the country. At the same time, companies know that they have to censor content that incites people to action, allowing the Chinese government to keep people held down without the illusion that it's actually doing so.

Obama Will Personally Chair U.N. Security Council Meeting

President Barack Obama chairs a meeting of the United Nations Security Council in 2009
President Barack Obama chairs a meeting of the United Nations Security Council in 2009

President Barack Obama will preside over a meeting of the United Nations Security Council during his attendance of the U.N.’s annual General Assembly, ThinkProgress has learned, marking the second time in history that a U.S. president has done so.
The last time the U.S. was president of the Council during the weeklong opening of the U.N. General Assembly (UNGA) was 2009, the year that President Obama assumed office. Then the meeting was convened to discuss the spread of nuclear weapons and material, and Obama’s presence ensured it was a widely attended event that lead to the unanimous passage of a resolution meant to strengthen safeguards against nuclear proliferation. According a draft schedule for this year’s UNGA week, seen by ThinkProgress, the current plan is to have President Obama take advantage of the Council’s presidency once again, this time to discuss counterterrorism.
Specifically the meeting will cover the phenomenon of foreign fighters travelling to conflict zones and joining terrorist organizations, as seen in the surge in foreigners joining ranks with such groups as Jahbat al-Nusra in Syria. “Certainly the problem of terrorists traveling to foreign conflicts is not new, but the threat posed by foreign terrorist fighters has become even more acut,” a U.S. Mission to the U.N. official told ThinkProgress when asked about the meeting. “The internet and social media have given terrorist groups unprecedented new ways to promote their hateful ideology and inspire recruits. The conflicts in Syria and Iraq have highlighted this threat, with an estimated 12,000 foreign terrorist fighters joining that conflict.”
Currently the plan is to have a U.S.-drafted resolution to address the phenomenon negotiated and ready to pass during the September meeting. During the last time Obama chaired the Council, the leaders of Russia, the United Kingdom, France, and China — the other permanent members of the Council — were all in attendance. This time, the audience is not guaranteed to be quite so lustrous. France’s mission to the United Nations told ThinkProgress that French president Francois Hollande should be attending the General Assembly but would not confirm whether he would be attending the Security Council meeting. A spokesperson for the British mission said that plans were still being finalized for that week, but “will take into account” President Obama chairing the meeting. Neither China nor Russia’s missions responded to queries from ThinkProgress, but Russian president Vladimir Putin has proven himself an infrequent attendee at the annual General Assembly meeting.
Every month, the presidency of the Security Council rotates between the 15 member body, giving them the chance to set the agenda and lead meetings of the body. September, the next time that the U.S. is slated to hold the gavel, is also when the General Assembly — which comprises all 193 member-states — holds its annual meeting at U.N. headquarters. World leaders and other high-level dignitaries flock to New York and diplomatic meetings on the sidelines often produce results, including last year when the U.S. and Iran spoke direct at the highest level since 1979. Obama’s presence will make the upcoming meeting the first Head of Government-level Security Council session since 2009.
“When President Obama first chaired a Security Council meeting, the question of the US relationship with the organization was much more salient than it is today,” David Bosco, an assistant professor at American University and author of a book on the workings of the Security Council, told ThinkProgress in an email. “Obama’s first time in the chair was an opportunity to very visibly distance himself from what was perceived–not always fairly–as the hostility of the Bush administration to the UN’s work. The US/UN relationship has now become much less fraught. There are plenty of frictions, but there’s no sense of hostility from Washington.”
Richard Gowan, associate director at New York University’s Center for International Cooperation, agreed that Obama’s first time at the U.N. was a success, noting that the president “didn’t just chair the Security Council but gave an expansive speech to the General Assembly about common interests and convened a special meeting with other leaders on UN peacekeeping.” While this drew a line under the Bush years, Gowan continued in his email to ThinkProgress, “this was a prelude to repeated multilateral setbacks like the 2009 Copenhagen climate summit mess, the Syrian horror story and the South Sudan debacle.”
“Counterterrorism is a smart topic for a top-level Security Council debate,” Gowan wrote, pointing to the fact that such disparate Council members as France, China, Nigeria, and Russia would all want to discuss the issue because of their relationship with Mali, worries over the Xinjiang provence, the rise of Boko Haram, and unrest in the Caucasus respectively.
“But there may be blowback too,” Gowan cautioned. “This being the UN, someone inside or outside the Council will equate Israel’s behaviour in Gaza with terrorism. The Russians may well talk about the ‘terrorists’ that overthrew the government in Kiev, while Western governments could push back and accuse Russia of supporting terrorists in eastern Ukraine. Perhaps everyone will be on good behaviour and show President Obama due deference, but at a minimum there will be a lot of barely-suppressed political tensions around the Security Council table.”

Abdul Kalam calls for research in cyber security

India's IITs, IISc, and unique universities should significantly enhance their research on cyber security, he said.
He was addressing a two-day 'Security and Hacking Conference Cocon-2014' being organised by Kerala police.
Offensive and defensive cyber capabilities were as important as nuclear expertise for the nation and institutions like IITs need to enhance their research in cyber security with active industry role, former President, Dr A P J Abdul Kalam said on Friday.
Addressing a two-day ‘Security and Hacking Conference Cocon-2014′ being organised by Kerala police here, he also stressed on the need for technology upgradation and investment education in Cyber security for counter cyber security threat.
“India’s IITs, IISc, and unique universities should significantly enhance their research on cyber security with an active participation from the industry,” he said.
“We will soon have only two types of nations — with cyber offensive and defensive capabilities and those without. Cyber capabilities would soon assume the proportion of Comprehensive Test Ban and would become points of negotiations between nations,” he said.
“There is a need to call in professionals – scientists, computer software and hardware experts – to impart latest skills in computer hacking, cyber warfare, etc. Like, hacking is institutionalised in China wherein virus writing is taught in Chinese military schools’.
To build a cadre of elite security technologists, the country needed to promote hardcore computer science education in technical institutes of high caliber, Kalam said.
With the Snowden exposures about US snooping many countries, including India, there was need to have a more aggressive approach to cyber security, he said.
“Our missions abroad and our officials on tour outside must be given a safe and secure information access not only when using wired networks but also while using wireless.”
The country should also master the Social Media Analytics, he said.
Use of social media has been increasing exponentially and it was believed that in India alone there would be 283 million users by 2017, majority of them from the younger generation, Kalam said.
Social media world over has been used for good and bad purposes, and by covert and overt social groups. Social media has become the most effective tool in peace disruptions and it has or suspected to have played a key role in events such as the Blackberry riots in London in 2011, the Delhi Rape protest, 2012, Muzzafarnagar riots, 2013, he noted.
The future of cyber security and in fact the national security would be centered around social media, he said.
Speaking at the conference, Kerala Home Minister Ramesh Chennithala said ‘Cyber Dome’ project had received the cabinet clearance and it would be operated on a PPP basis.

UPS store at 51 locations hit with Malware, Customers' Card data at risk

UPS Store, a subsidiary of UPS, said that 51 US Stores in 24 States were hit with a malware which was not detected by current Antivirus software.

The breach puts customers who used a credit or debit card at one of the affected locations between January 20,2014 and August 11 at risk.

Customer information that may have been exposed in this breach includes names, postal addresses, email addresses and payment information.

The company hired an IT Security firm to conduct forensic investigation after receiving a notification about a "broad-based malware intrusion" from US Government.

The UPS Store said it eliminated the malware as of August 11.  The company is offering identity protection and credit card monitoring services to impacted customers.

GCHQ and NSA spooks leaking Tor bugs to developers

Spooks tipping Tor off about possible hacks
UK and US intelligence officers are tipping the Tor Project off about possible vulnerabilities in the anonymising network, according to developer Andrew Lewman.
Lewman, who oversees Tor operations, claimed the organisation has received a number of bug reports that look like they stem from intelligence officers and agents within the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ).
"There are plenty of people in both organisations who can anonymously leak data to us to say, 'maybe you should look here, maybe you should look at this to fix this', and they have," he said during an interview with the BBC.
"It's a hunch. Obviously we are not going to ask for any details. You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs."
At the time of publishing the Tor Foundation, GCHQ and NSA had not responded to V3's request for comment on Lewman's comments.
Tor is a network built from volunteer nodes designed to let people surf the internet anonymously and host services without them indexing on the public internet. The network is commonly used by journalists in censored countries to relay information to the outside world and whistleblowers looking to report wrongdoing anonymously.
It is also used for criminal purposes and is known to host cyber black markets and illegal services. The GCHQ and NSA workers' alleged activities are contrary to most law enforcement and intelligence agencies' approach to Tor. Recent reports have suggested that most agencies and governments are actively working to find ways to track Tor users.
The Russian government is offering 3.9 million roubles, around £65,000, to anyone who can produce a system for finding data relating to those using Tor. An FBI child pornography sting on hidden web services provider Freedom Hosting led to concerns that the law enforcement agency is using websites hosted on Freedom Hosting's servers to track people using Tor in August 2013.
Government agencies are not the only groups working to hack Tor. The Foundation reported detecting evidence that an unknown private group was hunting for hidden services using a previously undiscovered vulnerability in March.

Hackers breach social network MeetMe

Anyone who logged into social network MeetMe between Aug. 5 and Aug. 7 is being asked to change their password because hackers breached the MeetMe network and compromised certain user information.
How many victims? Undisclosed.  
What type of personal information? Usernames, email addresses and encrypted passwords.
What happened? Hackers breached the MeetMe network and gained access to the information.
What was the response? The vulnerability has been closed. MeetMe is notifying users and recommending that they change their passwords.
Details: Hackers gained access to the information between Aug. 5 and Aug. 7. Financial information was not compromised.
Quote: “There is no evidence that any accounts were accessed, but MeetMe contacted its users regarding the incident by email and with a notice posted on the site,” Aaron Curtiss, senior executive with communications firm G.F.BUNTING+CO, told in a Tuesday email.
Source: A Tuesday email correspondence with communications firm G.F. BUNTING+CO.

Gmail smartphone app hacked by researchers

Android phone  
Researchers stole login details and passwords from apps including Gmail
US researchers say they have been able to hack into Gmail accounts with a 92% success rate by exploiting a weakness in smartphone memory.
The researchers were able to gain access to a number of apps, including Gmail, by disguising malicious software as another downloaded app.
Gmail was among the easiest to access from the popular apps tested.
The hack was tested on an Android phone, but the researchers believe it could work on other operating systems.
A Google spokeswoman said the technology giant welcomed the research. "Third-party research is one of the ways Android is made stronger and more secure," she said.
The research is being presented later at a cybersecurity conference in San Diego by academics from the universities of Michigan and California.
Other apps hacked included H&R Block, Newegg, WebMD, Chase Bank, and Amazon.
Passwords stolen The Amazon app was the hardest to access, with a 48% success rate.
The hack involves accessing the shared memory of a user's smartphone using malicious software disguised as an apparently harmless app, such as wallpaper.
This shared memory is used by all apps, and by analysing its use the researchers were able to tell when a user was logging into apps such as Gmail, giving them the opportunity to steal login details and passwords.
"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an assistant professor at the University of California and one of the researchers involved in the study.
"We show that assumption is not correct, and one app can in fact significantly impact another and result in harmful consequences for the user."
In another example the researchers were able to take advantage of a feature of the Chase Bank app which allows customers to pay in cheques by taking pictures of them with their device's camera.
The researchers were able to access the camera to steal the pictures as they were being taken, giving them access to personal information including signatures and bank details.
The tests were carried out on Android phones, but the researchers believe the attacks could be successful on other operating systems, including Windows and the iOS system developed by Apple.

Malicious app can get past Android WITHOUT PERMISSIONS

Researchers presenting at Usenix have lifted the lid on yet another Android vulnerability: the way apps use memory can be exploited to leak private information with a success rate “between 82 and 92 per cent of the time”.
Announced by the University of California, Riverside here, the researchers' paper gives a pretty good idea of what's going on in its title: “Peeking into Your App without Actually Seeing It: UI State Inference andNovel Android Attacks”.
They note that UI state can be spied on by a malicious app without requiring any permissions, in what they call a “UI inference attack”. Their demonstration included stealing login credentials and obtaining sensitive camera images taken by the user (in the demo case, they copied a cheque a user had shot for use with a banking app).
The paper explains that UI state reflects a specific piece of functionality at the window level – for example, in the login window the user's text inputs may change, but layout and functionality are consistent. If the attacker builds a UI state machine based on UI state signatures, they can infer UI states “in real time from an unprivileged background app”.
That might look like there's nothing to worry about. After all, knowing that a user is accessing a login screen isn't sensitive, since it doesn't reveal what the user keys into that login screen.
Here's where the attack gets interesting: “based on the inferred UI states, we can further break the GUI integrity by carefully exploiting the designed functionality that al-lows UI preemption, which is commonly used by alarm or reminder apps on Android”, the paper states.
State changes at the UI level, they explain, can be observed through a shared-memory side channel, which “can be used to detect window events in the target application.
“This side channel exists because shared memory is commonly adopted by window managers to efficiently receive window changes or updates from running applications,” they continue.
As the university statement notes, “The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail”.
Against Gmail and H&R Block apps the researchers claimed a 92 per cent success rate, but interestingly they only hit 48 per cent for Amazon's app because “its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.”
Although they haven't yet repeated the tests on other operating systems, the researchers believe similar architectural flaws could exist in iOS and Windows.