Category: Security

Chip & PIN Broken

ZDNet: Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.

Researchers at Cambridge University have found a fundamental flaw in the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation for debit and credit cards.

As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.

“Chip and PIN is fundamentally broken,” Professor Ross Anderson of Cambridge University told ZDNet UK. “Banks and merchants rely on the words 'Verified by PIN' on receipts, but they don't mean anything.”

(Also, see Ross’s paper on 3D Secure.)

26 or younger? Temple St Hospital has your DNA.

I’m surprised I haven’t seen any Facebook pwotest gwoups or Twatterfests about this subject. In a nutshell, a hospital in Dublin is storing a blood sample, name, address, date of birth, hospital of birth and test result from nearly every person born in Ireland since 1984.

That means if you’re under 26, there’s a good chance your DNA is in there: your health, any genetic diseases you might have, your behaviours and traits*, etc. Well, possibly. They had a couple of servers stolen in 2007, so maybe it is there, maybe not. Sure it’s not all that important anyway, it’s just your entire personality*.

Is Mark Zuckerberg – the slimy douche, if you’ll pardon my Klatchian – ultimately right, do people really not give a shit about privacy any more? Or are people just too thick to realise the problems – current and future – that can result from this kind of thing?

Here’s two stories from Times Online with more details:

Hospital keeps secret DNA file: A DUBLIN hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge in an apparent breach of data protection laws.

The Children’s University hospital in Temple Street is under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases.

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

The blood samples are stored at room temperature on cards with information including the baby’s name, address, date of birth, hospital of birth and test result. The DPC said it was shocked at the discovery.

Records stolen from hospital that held secret DNA database: Two computer servers containing the records of almost 1m patients were stolen from the Children’s University hospital in Temple Street in 2007 and have never been recovered.

The data were far more than that lost on stolen bank laptops in recent years. The theft was investigated by the data protection commissioner (DPC) and the gardai after being reported by the Dublin hospital in February 2007. The organisations had decided that there was no need to inform the public, believing there was little chance of the thief being able to access the data.

Patients’ details, including names, date of birth and reason for admission are thought to have been included.

* To keep my wife happy: strictly speaking ‘behaviour’ is stretching it; and DNA probably accounts for about half of your personality, the other half being learned.

This is a stupid game; we should stop playing it.

On post-underwear-bomber airport security, as ever Bruce Schneier sets the fluff aside and gets to the point:

It’s magical thinking: If we defend against what the terrorists did last time, we’ll somehow defend against what they do next time. Of course this doesn’t work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they’re going to do something else. This is a stupid game; we should stop playing it.

Open Source

“This configuration, NT4.0 / IIS and SQL Server is fast becoming an industry standard for mid range ecommerce applications – as the skills for development are ‘relatively’ available and affordable.”

*koff* Open Source *koff*.

Ok ok, I shouldn’t go on about it, but I have to – I’m a Linux user and PHP programmer, that’s my job. And I don’t particularly want to get into a “mine is better than yours” style flaming match either, but I do have to state the case for Open Source. For instance, I agree that ASP is being used for a hefty chunk of eCommerce applications, but I think that if anything is “fast becoming the industry standard”, it’s the Linux/Apache/PHP/MySQL combination.

According to Netcraft, Apache now runs on just over 60% of websites, with IIS the next in line at a measly 20% – just *one third* of the Apache coverage. I think those figures speak for themselves, but there’s more – Apache’s coverage consistently goes up, month by month, by at least 1% (last month it was just short of 2%), whereas nearly every other webserver goes down. And this is no Open Source biased survey (said he, nodding in the direction of some of the figures on microsoft.com); it’s performed completely automatically on over 13 million sites by simply sending an HTTP request and reading the server name in the response.

As to the financial aspect, which of course is of prime importance on a list like this – with Open Source solutions you’re already saving a fortune because you’re not paying for your operating system, webserver, programming language or database server. Yes, you can buy the “proper” CD of RedHat Linux, but you can also get a copy from any of the Linux User Groups (LUGs), for just the cost of the CD. In most cases, they’ll post it out to you for nothing as long as you send it back afterwards.

And of course, because of the Open Source licences, that’s completely legal. Matter of fact, if you want to burn it to CD yourself and start selling it on the lovely new website you developed on your Linux machine, you can. That’s the spirit of Open Source. And on that CD there will most likely be copies of Apache, PHP and MySQL, as well as hundreds of other tools. Think they’re a bit old? Go to their websites and download a newer copy — it’s free.

As to the skills for development. I have to give a few points away here, because I realise that some people prefer to learn “properly” – academically that is, in a course or certification program. But for those who don’t, there are plenty of options. Personally, I prefer to “learn by doing” – by creating applications, I learn how to improve them and how to create other apps. There are many, many books out there about Linux, PHP, SQL and even Apache. But most importantly there are thousands, even hundreds of thousands of developers out there willing to give you a hand, on mailing lists and web forums, who in some cases will go completely out of their way to help you. Again, that’s the spirit of Open Source.

And finally, ease-of-use is important. And here again I have to give a few points away – Linux is hard. There’s no doubting that – it’s hard to set up, hard to configure and hard to manage. But the reason for that is that it’s more configurable. Don’t like the way one of your system binaries works? Hack the source code and recompile. Think you can tweak a few more bytes out of that modem? Ask around, someone will know. But even with that said, Linux becomes easier to use and configure as time goes on. Installation is easier now, and there are more and more people every single day to help you if you get stuck.

The same goes for everything else – Open Source means that if you don’t like what something does, you can open up the source code and change it.

My apologies for going on about this, but it’s *important*. Businesses – and businessmen – have to start realising that there are alternatives to Microsoft and others, that there are easier and cheaper ways of doing it. Yes, in the short-term it’s easier to employ a programmer to do it for you, but you can do that with Open Source equivalents too, and you have the added advantage of having the option of learning the skills necessary yourself, and *doing* it yourself — thereby cutting an overpriced developer out of the loop. Maybe I’m cutting my own throat by saying that, but all to the greater good.

And finally, a practical example, and the one I know best – my own company. ieWebs is a small web agency, slowly building a reputation for ourselves. It consists of myself, our designer Gary Edmunds and a few other people who help out, my mammy included. When I started on the web, I was thrown in at the deep end – I knew nothing about Unix or webservers, and I certainly wouldn’t have been able to program a functional shopping application. But because the cost of bandwidth, and so hosting, was so high in Ireland, I was forced to serve my sites from a Unix variant server in the States. Which meant learning how to configure and administer a server from the command line, which could be equated with working on your local machine in DOS all the time.

But I persisted and taught myself Perl, one of the first, and probably still one of the best, web programming languages available. And then I moved to PHP, a newer language that can be embedded directly into webpages. And all the while I was tinkering away with the machine I was on, learning how to configure it for better performance, how to secure it better against crackers, etc.

DNA Evidence Can Be Fabricated

This is going around the security networks, but it’s kind of important to everyone else too. Note my emphasis in the quote.

New York Times: Scientists in Israel have demonstrated that it is possible to fabricate DNA evidence, undermining the credibility of what has been considered the gold standard of proof in criminal cases.

The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person.

“You can just engineer a crime scene,” said Dan Frumkin, lead author of the paper, which has been published online by the journal Forensic Science International: Genetics. “Any biology undergraduate could perform this.”

Revenue Bouncy Castles

When renewing my Revenue On-Line Service digital certificate, I was presented with the following:

In order to renew your ROS digital certificate, ROS requires that you run third-party software provided by the Legion of the Bouncy Castle. The Legion of the Bouncy Castle is a well-respected supplier of security software that is approved by the Office of the Revenue Commissioners for use with ROS.

(Screenshot: the ROS warning dialog about the Bouncy Castle software.)

I’m sure the Legion produces wonderful software, and I applaud the Revenue for using open source software for security, but you’d think they’d be able to afford a developer to hack the source and change the bloody issuer to something a teeny bit less dodgy-looking…

Bord Gáis Muppets

Since nobody else has asked yet:

What in fuck’s name was that data doing on a laptop?

Some 75,000 Bord Gais customers have been warned to monitor their bank accounts for suspicious transactions after a laptop computer containing their account details was stolen.

The office of the data protection commissioner told those affected that fraudsters could potentially use their information to withdraw money from their accounts or take out loans in their name.

“The risk may be low but there is a risk,” said deputy data protection commissioner Gary Davis.

Four laptops were stolen from Bord Gáis offices on Foley St in Dublin’s north inner city in the early hours of June 5th.

One of the computers, containing the banking details of around 75,000 people, was not encrypted.

The laptop contains details such as account numbers, home addresses and branch details of people who had recently switched from the ESB as part of Bord Gais’s “big switch” campaign.

via The Irish Times

The Met Brother gets Bigger and Bigger

I don’t envy my sister in London, having to deal with the social problems this kind of idiocy propagates. The people responsible for commissioning and approving this should be forced to read 1984 a hundred times, Brazil style.


Via Boing Boing.

5 laptops stolen from HSE this year

More unencrypted laptops, this time with health information on them. How many more do Gov.ie need before they put laws in place to require encryption, immediate notification, etc.?

Irish Examiner: FIVE laptops have been stolen from the Health Service Executive since the beginning of this year, the Irish Examiner has learned.

Confidential details of patients with lung disease, patients’ surgery, their diagnoses, treatment and other personal details were contained on some of the stolen laptops.

None of the five laptops were encrypted.

Health chiefs are to begin notifying patients and clients over the coming days about missing data on two of the laptops, more than two months after they were stolen. These two laptops were taken together in July this year from an HSE office in Mullingar.