Henry Baker <firstname.lastname@example.org>
Date: Tue, 04 Mar 2014 06:34:04 -0800
FYI—"Banks everywhere are in a race against time to upgrade their ATMs _before_ they become hot targets for hackers." "Before" ???
I can't wait for the security popup window (see link below) to show up on the 8th of each month on my bank's XP ATM machine.
Of course, the cure may be worse than the disease: "Modern technology allows companies to push software updates via their networks instead of paying each ATM a physical visit." What could possibly go wrong with this plan, especially when these same banks have yet to upgrade to TLS 1.2 on their own websites?
--- Published on Dec 29, 2013: Electronic Bank Robberies: Stealing Money from ATMs with Malware
BTW, these US banks are subsidized by US taxpayers through below-market interest rates from the Fed, so US taxpayers are paying for this folly, not bank management.
"Yes, Microsoft will use a popup to push users off of Windows XP"
http://www.pcworld.com/article/2103495/yes-microsoft-will-use-a-popup-to-push-users-off-of-windows-xp.html
http://money.cnn.com/2014/03/04/technology/security/atm-windows-xp/index.html
95% of bank ATMs face end of security support By Jose Pagliery @Jose_Pagliery March 4, 2014: 6:59 AM ET
Nearly all ATMs run on Windows XP, and that'll soon be a problem.
NEW YORK (CNNMoney) -- Banks everywhere are in a race against time to upgrade their ATMs before they become hot targets for hackers.
An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is killing off tech support for that operating system on April 8. That means Microsoft (MSFT, Fortune 500) will no longer issue security updates to patch holes in Windows XP, leaving those ATMs exposed to new kinds of cyberattacks.
"This isn't a Y2K thing, where we're expecting the financial system to shut down. But it's fairly serious," said Kurtis Johnson, an ATM expert with U.S. manufacturer Triton.
If banks fail to upgrade their ATMs to a newer version of Windows by April, customers might be at risk. If hackers discover new flaws in Windows XP, those bugs will go unaddressed, leaving attackers free to exploit them.
It can't yet be known what hackers could do with a Windows XP ATM after April 8. But the prospect of providing a potentially compromised machine with your account and PIN information is unsettling.
Major banks are now cutting special deals with Microsoft to extend life support for their Windows XP machines while they replace their fleet of ATMs. JPMorgan (JPM, Fortune 500) bought a one-year extension of service and plans to start upgrading ATMs to Windows 7 at Chase banks in July. Citibank (C, Fortune 500) and Wells Fargo (WFC, Fortune 500) said they're also upgrading ATMs, but they wouldn't provide details about their plans. Bank of America (BAC, Fortune 500) did not respond to requests for comment.
Replacing the operating systems on ATMs is a major undertaking. In the United States, there are 210,500 bank ATMs, about 200,000 of which run on Windows XP, according to Retail Banking Research in London. In most cases, banks must upgrade the software one ATM at a time, and some will need the entire computer inside replaced too. Labor included, it's a process that experts in the ATM industry say could cost anywhere between $1,000 and $3,500 apiece.
"Once they start using an operating system, they'll ride it as long and as hard as they can," said Wes Dunn, a sales executive at ATM manufacturer Genmega.
It might sound odd that ATMs are running on aging software better suited to a home PC. In fact, security experts have chastised the financial industry for putting ATMs on a PC operating system in the first place. They argue ATMs should be using software that is scaled down and less buggy, such as Linux.
But banks long ago decided that Microsoft's familiar way of displaying windows and text would sit well with customers.
Upgrading to Windows 7 or 8 will give ATMs more of a sleek feel that resembles the latest apps on tablets and smartphones, said Jeff Dudash, a spokesman for ATM manufacturer NCR.
One ATM manufacturer, Diebold (DBD), says banks are using this opportunity to add newer card readers to their ATMs that accept more secure chip-and-PIN cards. Those cards have already been adopted worldwide but have yet to grow popular in the United States.
Banks that retrofit their ATMs with new hardware will, in the future, be able to upgrade their entire fleets of ATMs with a click of a button. Modern technology allows companies to push software updates via their networks instead of paying each ATM a physical visit.
Ironically, bank customers have less to worry about from those nondescript ATMs found in malls, bars and tiny convenience stores. Those 208,000 independently-run kiosks, built by Triton, Genmega and Nautilus Hyosung, make up the other half of the nation's ATMs. And nearly all of them run on an even older, simpler operating system called Windows CE—which Microsoft still supports.
First Published: March 4, 2014: 6:59 AM ET
Jaikumar Vijayan via Gene Wirchenko <email@example.com>
Date: Tue, 04 Mar 2014 09:15:44 -0800
Jaikumar Vijayan, Computerworld, March 4, 2014 (via InfoWorld)
Wearable computers like smart watches offer myriad benefits, but they also raise security concerns.
http://www.infoworld.com/slideshow/142881/7-hidden-dangers-of-wearable-computers-237591
Bill Snyder via Gene Wirchenko <firstname.lastname@example.org>
Date: Thu, 06 Mar 2014 09:34:42 -0800
Bill Snyder, InfoWorld, 6 Mar 2014
From distracted driving to virtual money, the law and lawmakers can't keep up with technological change. Let's clue them in.
http://www.infoworld.com/d/the-industry-standard/techies-take-congressman-and-cop-work-you-237780
As we all know, technology moves at a lightning pace. But the law moves much, much slower. A glance at some of the events that have made news recently shows why we need to periodically get policy makers and enforcers into the tech trenches.
Kevin Lee via Gene Wirchenko <email@example.com>
Date: Wed, 05 Mar 2014 08:28:23 -0800
Kevin Lee, *Tech Radar*, 4 Mar 2014
Bitcoin taking the one-two punch
http://www.techradar.com/us/news/internet/cloud-services/hacker-theft-hits-two-more-bitcoin-exchanges-losing-hundreds-of-thoudands-of-virtual-coins-1231
A pair of Bitcoin exchanges have gone down after a bout of hacking attacks.
Flexcoin announced that its virtual vault was emptied by Internet thieves and that it will be shutting down immediately.
The second piece of bad news for Bitcoin came from Poloniex, which admitted it lost 12.3% of its cryptocurrency funds, an estimated $50,000.
Galen Gruman via Gene Wirchenko <firstname.lastname@example.org>
Date: Tue, 04 Mar 2014 09:12:23 -0800
Galen Gruman, InfoWorld, 04 Mar 2014
Even in a highly controlled environment, the popular notion struggles to work as needed.
http://www.infoworld.com/d/consumerization-of-it/what-disney-world-teaches-us-about-mobile-payments-237456
Ars Technica via Lauren Weinstein <email@example.com>
Date: Tue, 4 Mar 2014 12:17:02 -0800
"Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library. The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers. The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates."
http://j.mp/1jPcVOr (Ars Technica via NNSquad)
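The class of defect behind a certificate-verification bypass of this kind, as an added illustration that is not the GnuTLS source and not part of the post above: a checker whose documented contract is boolean (1 = trusted, 0 = untrusted) but whose internal error path returns a negative error code through the same return value, beside a version that keeps status and verdict apart. The toy certificate format, the function names and the error code are assumptions made for the example.

```c
/* Added illustration of a verify routine with a mixed return convention
 * (not GnuTLS code). Toy certificate format, names and error code are
 * assumptions for the example. */
#include <stdio.h>
#include <string.h>

#define ERR_BAD_SIGNATURE (-3)   /* assumed internal error code */

/* Toy certificate: a well-formed signature is "sig:<issuer>:<subject>". */
struct toy_cert {
    const char *issuer;
    const char *subject;
    const char *signature;
};

/* Buggy checker: 1 if signed by trusted_issuer, 0 if not, and a NEGATIVE
 * code on internal error, all through one return value. */
static int check_cert_buggy(const struct toy_cert *c, const char *trusted_issuer)
{
    char expected[128];
    int result;

    if (c->signature == NULL || strncmp(c->signature, "sig:", 4) != 0) {
        result = ERR_BAD_SIGNATURE;      /* malformed: "could not verify" */
        goto cleanup;
    }
    snprintf(expected, sizeof expected, "sig:%s:%s", c->issuer, c->subject);
    if (strcmp(c->signature, expected) != 0) {
        result = 0;                      /* signature does not match */
        goto cleanup;
    }
    result = (strcmp(c->issuer, trusted_issuer) == 0) ? 1 : 0;
cleanup:
    return result;                       /* -3, 0 or 1 */
}

/* Vulnerable caller: "nonzero means verified", so -3 is accepted. */
int accept_buggy(const struct toy_cert *c, const char *trusted_issuer)
{
    return check_cert_buggy(c, trusted_issuer) != 0;
}

/* Fixed checker: returns 0 on success with the verdict in *trusted, or a
 * negative code on error; *trusted is 0 unless explicitly proven. */
static int check_cert_fixed(const struct toy_cert *c, const char *trusted_issuer,
                            int *trusted)
{
    char expected[128];

    *trusted = 0;                        /* fail closed by default */
    if (c->signature == NULL || strncmp(c->signature, "sig:", 4) != 0)
        return ERR_BAD_SIGNATURE;
    snprintf(expected, sizeof expected, "sig:%s:%s", c->issuer, c->subject);
    if (strcmp(c->signature, expected) == 0 &&
        strcmp(c->issuer, trusted_issuer) == 0)
        *trusted = 1;
    return 0;
}

/* Hardened caller: an error status rejects, and only an explicit 1 accepts. */
int accept_hardened(const struct toy_cert *c, const char *trusted_issuer)
{
    int trusted = 0;
    if (check_cert_fixed(c, trusted_issuer, &trusted) < 0)
        return 0;
    return trusted == 1;
}

/* Scenarios for the demo; hardened: 0 = buggy caller, 1 = fixed caller.
 * Returns the accept decision (1/0), or -1 for an unknown scenario. */
int run_scenario(const char *name, int hardened)
{
    struct toy_cert c;
    if (strcmp(name, "good") == 0)            /* properly signed by the trusted CA */
        c = (struct toy_cert){"Trusted CA", "example.org", "sig:Trusted CA:example.org"};
    else if (strcmp(name, "malformed") == 0)  /* attacker-supplied junk signature */
        c = (struct toy_cert){"Trusted CA", "example.org", "not-a-signature"};
    else if (strcmp(name, "untrusted") == 0)  /* valid format, issuer not trusted */
        c = (struct toy_cert){"Evil CA", "example.org", "sig:Evil CA:example.org"};
    else
        return -1;
    return hardened ? accept_hardened(&c, "Trusted CA") : accept_buggy(&c, "Trusted CA");
}

int main(void)
{
    const char *names[] = {"good", "malformed", "untrusted"};
    for (int i = 0; i < 3; i++)
        printf("%-10s buggy=%d hardened=%d\n", names[i],
               run_scenario(names[i], 0), run_scenario(names[i], 1));
    return 0;
}
```

The table the program prints makes the point: a peer that can steer the checker into any error path (here, a malformed signature) is accepted by the first caller and rejected by the second. When auditing a verify routine, read every caller for the exact value it treats as success, not just the routine itself.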
Bob Gezelter <firstname.lastname@example.org>
Date: Wed, 05 Mar 2014 00:58:40 -0700
There is reportedly another vulnerability in a SOHO router product, this time affecting a family of Linksys products. Apparently, the vulnerability affects the Home Network Administration Protocol (HNAP) used for remote management of routers and firewalls. From the report, it appears to be another case of weak authentication.
The Ars Technica report can be found at: http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/
The SANS blog post is at: https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
Bob Gezelter, http://www.rlgsc.com
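An added example, not from the post above or the linked reports, of the first check a practitioner would run on a fleet of such routers: scan an access log for requests to the HNAP endpoint (conventionally served at /HNAP1/) that arrive from addresses outside the LAN, since a management protocol reachable from the WAN side is the exposure the reports concern. The log lines are constructed for the example and the LAN prefix is an assumption.

```c
/* Added example: flag HNAP requests that arrive from outside the LAN.
 * The log lines below are constructed; the LAN prefix is an assumption. */
#include <stdio.h>
#include <string.h>

#define LAN_PREFIX "192.168.1."          /* assumed LAN subnet */

/* Constructed access-log lines in a common-log-like format. */
static const char *sample_log[] = {
    "203.0.113.7 - - [04/Mar/2014:12:01:02 -0800] \"GET /HNAP1/ HTTP/1.1\" 200 1432",
    "192.168.1.10 - - [04/Mar/2014:12:01:09 -0800] \"GET /HNAP1/ HTTP/1.1\" 200 1432",
    "203.0.113.7 - - [04/Mar/2014:12:01:11 -0800] \"POST /HNAP1/ HTTP/1.1\" 200 211",
    "198.51.100.22 - - [04/Mar/2014:12:02:40 -0800] \"GET /index.html HTTP/1.1\" 200 5120",
    "198.51.100.22 - - [04/Mar/2014:12:02:41 -0800] \"GET /hnap1/ HTTP/1.1\" 404 0",
};
#define SAMPLE_COUNT (sizeof sample_log / sizeof sample_log[0])

/* Parse "<ip> - - [time] \"<method> <path> ..." into ip and path.
 * Returns 1 on success, 0 if the line does not have that shape. */
static int parse_line(const char *line, char ip[64], char path[256])
{
    char method[16];
    return sscanf(line, "%63s - - [%*[^]]] \"%15s %255s", ip, method, path) == 3;
}

/* Case-insensitive test that the request target starts with /HNAP1, so
 * lower-case probes against case-insensitive stacks are counted too.
 * Stops at the first mismatch, so a short path is never over-read. */
static int is_hnap_path(const char *path)
{
    static const char want[] = "/hnap1";
    for (size_t i = 0; i < sizeof want - 1; i++) {
        char c = path[i];
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        if (c != want[i]) return 0;
    }
    return 1;
}

/* 1 if the line is an HNAP request from a non-LAN address, else 0. */
int is_wan_hnap_probe(const char *line)
{
    char ip[64], path[256];
    if (!parse_line(line, ip, path)) return 0;
    if (!is_hnap_path(path)) return 0;
    return strncmp(ip, LAN_PREFIX, strlen(LAN_PREFIX)) != 0;
}

/* Number of WAN-side HNAP probes in a log. */
int count_wan_hnap_probes(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_wan_hnap_probe(lines[i])) hits++;
    return hits;
}

/* Convenience wrapper over the constructed sample. */
int count_sample_probes(void)
{
    return count_wan_hnap_probes(sample_log, SAMPLE_COUNT);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (is_wan_hnap_probe(sample_log[i]))
            printf("WAN HNAP probe: %s\n", sample_log[i]);
    printf("%d probe(s) flagged\n", count_sample_probes());
    return 0;
}
```

On the constructed sample this flags three lines: the two from 203.0.113.7 and the lower-case probe from 198.51.100.22, while the request from the LAN administrator at 192.168.1.10 is left alone. A 404 is still a probe worth counting; the question the scan answers is who is reaching the management endpoint from outside, not whether they succeeded.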
Bob Frankston <email@example.com>
Date: 3 Mar 2014 20:21:30 -0500
It's hard to tell how open the interface is from these announcements. According to http://goo.gl/Lg7rpk it is a factory feature. Given it's 2014, why not make this a generic network connection? Do others on the list have more details?
There's a risk here in locking cars into Apple's silo instead of a more open protocol. http://goo.gl/TvVyiC laments automobile manufacturers understand these new technologies.
What would be nice is more of an open BYOD (Bring Your Own Device) attitude with a place for mounting devices and access to screens but then we get into regulations, liability, the business model of the automobile industry and more risks.
Scott Miller <SMiller@unimin.com>
Date: Tue, 4 Mar 2014 07:41:51 -0500
On the other paw, there is this article stating that a poll taken at the RSA conference to which TrustyCon is the intended counterpoint has 52% of respondents disagreeing that NSA surveillance went too far. Which, if accurate and representative, suggests that the enemies of privacy are not only the NSA and companies such as RSA that depend on the MIC and the Wars On Everything, but a very large number of individual information security practitioners, as well. Perhaps a case should be made to restructure organizations for infosec professionals to reflect who is on which side here (I do think that at this point in the debate, "sides" is an appropriate metaphor). http://www.darkreading.com/privacy/fewer-than-half-of-it-pros-at-rsa-confer/240166418
Chris Drewe <firstname.lastname@example.org>
Date: Wed, 05 Mar 2014 19:10:40 +0000
This may be old news now, but I just spotted this on *The Telegraph* web site.
Jessica Winch, *The Telegraph*, 5 Mar 2014 http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/10677764/Caller-ID-shows-your-banks-number-but-its-actually-a-fraudster.html
Caller ID shows your bank's number—but it's actually a fraudster
Conmen are using fake 'caller ID' numbers to persuade victims that the call is from their bank.
Fraudsters are targeting bank customers with a new scam using fake caller ID numbers.
The conmen call the customer and pretend to be a representative from their bank or credit card company. They convince customers the call is from their bank because the caller ID matches a legitimate bank number, often the one printed on the back of a bank card. The scammers then persuade the customer to hand over sensitive personal and financial information.
The scam, known as "number spoofing", has been widespread in the United States for at least a year and is now becoming common in Britain. According to Ofcom, the phone regulator, the fraudsters use software to manipulate the caller ID number. [...]
Amos Shapir <email@example.com>
Date: Wed, 5 Mar 2014 17:58:18 +0200
Inherited iPad cannot be used because Apple does not know how to deal with wills. Full story at: http://www.bbc.com/news/technology-26448158
Beside the technical points, there is an interesting point of principle here: Do rules set up by a multi-national company trump the law of the land?
Lauren Weinstein <firstname.lastname@example.org>
Date: Wed, 5 Mar 2014 16:56:24 -0800
"Anne Rice signs petition to protest bullying of authors on Amazon"
"The Interview with the Vampire author is a signatory to a new petition, which is rapidly gathering steam, calling on Amazon to remove anonymity from its reviewers in order to prevent the "bullying and harassment" it says is rife on the site." http://j.mp/1fISk9B (*The Guardian* via NNSquad)
Anne Rice apparently only wants good reviews. Because the problem with removing anonymity in book (or app!) reviews is that it skews reviews toward the positive. It creates a "fan boy" atmosphere where anyone who dares to speak out against a book or app (or whatever) is set upon by the fan boys. And it discourages people who may have special knowledge about sensitive topics from reviewing at all. Think of a parent who has a child with a disease that carries stigma—afraid to comment non-anonymously for fear of the impact on that child. Sorry, Anne, you're missing the point. Bullying is bad, but trying to kill anonymity is even worse.
Lauren Weinstein <email@example.com>
Date: Thu, 6 Mar 2014 09:43:20 -0800
"This is a delicate issue," says Lee Rowland of the American Civil Liberties Union, who says the legislation is "spreading like wildfire." "The ACLU is concerned both with the protection of privacy and free speech rights." "But the reality is that revenge porn laws tend to criminalize the sharing of nude images that people lawfully own," says Rowland, a lawyer with the ACLU's Speech, Privacy and Technology Project. "That treads on very thin ice constitutionally." The compelling constitutional questions, however, have not slowed the state-level efforts to criminalize the distribution and posting of explicit photos or videos without the consent of the subject. http://j.mp/1fbdVau (NPR via NNSquad)
The intersection of privacy and free speech is clearly among the most complex policy-related Internet areas. No simple answers.
Shawn Merdinger <firstname.lastname@example.org>
Date: Tue, 4 Mar 2014 14:47:14 -0500
"You may use these stickers to write your username and password and post on your computer monitor." http://www.medtronic.com/emails/carelink/downloads/carelink-patient-brochure-aug2012.pdf https://twitter.com/shawnmer/status/440702641153142784
I can understand the rationale behind this, and in some ways it makes sense. For a home health monitoring system, the user is likely sick, older, perhaps mentally not all there, or otherwise incapacitated...and perhaps relying on a family member or outside caregiver or skilled computer user. So the time delays in finding or remembering a lost/forgotten password may have a higher HEALTH risk than the risk of these credentials openly displayed in the home...and the vendor helpdesk costs of handling customer password resets were also likely a driver here. That said, there are risks. It's a matter of who pays the price, wittingly or not.
Ben Rothke <email@example.com>
Date: Mon, 3 Mar 2014 19:50:16 -0500
When it comes to measuring and communicating threats, the most ineffective example in recent memory was the Homeland Security Advisory System—which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear. What was the difference between levels such as high, guarded, and elevated? From a threat perspective, which color was more severe, yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented "little practical information" to the public. While the DHS has never really provided meaningful threat levels, in *Threat Modeling: Designing for Security*, author Adam Shostack (full disclosure: Adam and I are friends) has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts.
[Adam's initial epigram (attributed to George Box) is "All models are wrong, some models are useful." This is a large book, xxxiii+590 pp., Wiley, 2014. It distills considerable practically oriented wisdom and experience, and should be a very valuable resource for developers of would-be more-secure systems. Indeed, the emphasis is on practicality, as Adam eschews higher-end more formally based approaches.
In contrast to Adam's threat-driven approach, I noted in RISKS-27.73 the top-down approach that Nancy Leveson and Bill Young describe in their Inside Risks article in the February 2014 issue of the *Communications of ACM*, which begins with the enterprise-level emergent properties (e.g., for security and human safety) rather than driven bottom-up from the threat models, and implicitly exposes the threat models to encompass intentional and accidental threats.
Perhaps both of these approaches *together* might dramatically improve on the state of the art in commercial system developments today. Adam's approach might be limited by the incompleteness of the threat set, and Nancy and Bill's by the difficulties in refining the analysis to encompass all realistic threats and failure modes. PGN.]
The major sections of Adam's book have these titles:
Part 1: Getting Started
Part 2: Finding Threats
Part 3: Managing and Addressing Threats
Part 4: Threat Modeling in Technologies and Tricky Areas
Part 5: Taking It To the Next Level
Appendix A: Helpful Tools
Appendix B: Threat Trees
Appendix C: Attacker Lists
Appendix D: Elevation of Privilege: The Cards
Appendix E: Case Studies
Bibliography (24 pages) and index