It's summertime. Sweltering. No outstanding security news; it seems that even hackers are on vacation! Hopefully there will be some fresh news at the upcoming Black Hat and DefCon, in just one month. See you there!
I will be presenting at the live webcast organized by Tripwire.
LIVE WEBCAST: HACKING POINT OF SALE: HOW MEGA RETAILERS ARE COMPROMISED
Tuesday, July 15, 2014 – 11:00 AM Pacific / 2:00 PM Eastern
PCI SSC will release version 2.0 of the P2PE (Point-to-Point Encryption) security standard during 2014. The goal is to increase market acceptance of P2PE technology while maintaining the high security level of its implementations. The new version of the standard is supposed to be more understandable, contain fewer requirements, and clarify the validation process for solution providers. P2PE v2.0 will also merge the Hardware/Hardware and Hardware/Hybrid standards (the difference is that HW/HW requires both encryption and decryption to be performed in cryptographic hardware, while HW/Hybrid allows some parts of the decryption process to be done in software). The Hybrid Encryption option (not to be confused with hybrid decryption), as well as the Software Encryption and Software Decryption options, will be discontinued due to security concerns.
P2PE is the PCI Security Standards Council's most recent standard (others include PCI DSS, PA-DSS, and PTS) for merchants, HW/SW vendors, and service providers. Although the first version of the standard was released almost three years ago (in September 2011), due to the complexity and uncertainty of multiple PCI P2PE requirements only three companies are currently listed on the PCI website as certified P2PE solution providers.
An interesting idea and implementation: a virtual EMV chip in the cloud.
Host Card Emulation (HCE) is a mobile technology that emulates a physical smart card using only software. It gives payment issuers more control and flexibility over their mobile payments strategy as credentials can be stored on a remote server rather than on the mobile (NFC) device.
Unfortunately, it still requires a physical NFC transmitter...
P.F. Chang's restaurants switch to manual credit card processing as a protection measure against an ongoing card data breach
It turns out that the most effective way to prevent a card data breach is... to stop swiping the cards and process them manually, just as it was done 50 years ago! The old manual imprinting machine is still alive and very relevant, and can become an alternative to being PCI compliant and breached. Target would not have had all those security problems if it had switched to manual processing ahead of time. It saves electricity too!
Scottsdale, Ariz. (June 12, 2014) — On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.
Expedia is one of the largest online travel agencies, and so far it is probably the largest retailer to accept Bitcoin as a payment method.
If you have free access to a government or university supercomputer, don't miss your chance to become a millionaire!
the National Science Foundation (NSF) revealed that more than $8,000 (£4,760) worth of bitcoins had been generated from NSF-funded computers.
A member of the Harvard community was stripped of his or her access to the University’s research computing facilities last week after setting up a “dogecoin” mining operation using a Harvard research network.
The US payment industry is disconnected from the rest of the world, so any insight into a different implementation abroad is always interesting and helpful. My book about payment security is going to be translated into Korean, so I guess they will be surprised to see some differences between the US and South Korean models, such as the lack of acquirers (payment processors have direct links to card issuers, which eliminates the need to pass transactions through acquirers and payment brand networks, which in turn means less complexity and lower fees for merchants). However, I guess security issues at the store/POS level remain the same regardless of the back-end implementation.
PCI compliance tool (DLP card data scanner) used by hackers to validate stolen magnetic tracks
At least they have found a good practical use case for those merchants' PCI DLP tools.
While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards.
PCI scanning tools such as Card Recon are not used by the attackers to scan RAM for card numbers directly, because they are too slow for that; the RAM scraper does the dumping. But they are good for validating and refining the scraper's results and filtering out the false positives.
The criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.
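What "validating and refining" a pile of scraped data actually means is mostly mechanical: find candidate Track 2 strings, run the PAN through the Luhn check, sanity-check the expiry date, and discard filler that happens to look like a card number. The following is an added example of that logic; it is not code from the original post, from Ground Labs' Card Recon, or from the Trend Micro research, and it does not claim to reproduce what Card Recon does internally. The "memory dump" is a constructed byte string and the PANs are well-known test numbers, not real cards.

```python
"""Minimal card-data validator over a raw memory buffer (added example).

Models what a DLP scanner does after a RAM scraper has dumped process memory:
regex for Track 2 candidates, then Luhn / expiry / filler checks to weed out
false positives. All data below is constructed for the example.
"""
import re

# Track 2 as it sits in memory: 13-19 digit PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_expiry(yy: str, mm: str) -> bool:
    """A month outside 01-12 means the '=' split hit something else."""
    return 1 <= int(mm) <= 12


def looks_like_filler(pan: str) -> bool:
    """Runs of one repeated digit pass Luhn (e.g. all zeros) but are not cards."""
    return len(set(pan)) == 1


def mask(pan: str) -> str:
    """Report PANs the way a compliance tool would: first 6 and last 4 only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> list:
    """Return every Track 2 candidate in buf with the reasons it was rejected."""
    found = []
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm, svc = (g.decode() for g in m.groups()[:4])
        reasons = []
        if not luhn_ok(pan):
            reasons.append("luhn")
        if not plausible_expiry(yy, mm):
            reasons.append("expiry")
        if looks_like_filler(pan):
            reasons.append("filler")
        found.append({
            "masked": mask(pan),
            "exp": f"{mm}/{yy}",
            "service_code": svc,
            "valid": not reasons,
            "reasons": reasons,
        })
    return found


# Constructed stand-in for a RAM scraper dump: noise plus four Track 2 hits.
SAMPLE_DUMP = (
    b"\x00POS.EXE\x00tx=20140701123045678\x00"        # digit run, no '=': no match
    + b";4111111111111111=2512101000000000000?\x00"    # Visa test PAN, passes everything
    + b";4111111111111112=2512101000000000000?\x00"    # one digit off: fails Luhn
    + b";0000000000000000=1212201000000000000?\x00"    # filler: passes Luhn, still junk
    + b";5555555555554444=2601201000000000000?\x00"    # Mastercard test PAN, valid
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_DUMP):
        print(hit)
```

Running it on the constructed dump yields four candidates, of which only the two test PANs survive: the off-by-one number is dropped by Luhn, and the all-zero string, which Luhn alone would accept, is dropped by the filler check. That last case is why a bare regex-plus-Luhn pass produces the false positives the scanner is used to remove.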
Apple has just released the spec (of course, only available on the Apple iBookstore) of Swift, a new programming language that is supposed to replace the relic Objective-C currently used to code apps for Apple devices.
At first glance, there is no breakthrough or innovation; all the language constructs and methodologies are trivial and have been known for many years. But it is definitely better than the extremely outdated Objective-C.
Apple always makes everything itself, including the language. There are a lot of good languages already, but the problem is that Apple needs full control plus some money, similar to Microsoft's C# and VB. The difference is that at the time C# or VB were introduced they actually WERE innovative.
And finally... it looks like Swift does not have any runtime error/exception handling – I actually verified it; there is nothing in the spec about errors or exceptions! I can't believe it; this is ridiculous, it must be some kind of mistake in the beta release or an incomplete spec... I like Apple devices, and I am sure there is no chance there will be any unexpected errors in apps running on Apple OS and hardware, but come on, just in case - there is a good tradition of supporting exception handling in other languages such as Pascal, Java, C++, or C#...