Holy payment protocol, batman!

From: “David S. H. Rosenthal” <dshr@abitare.org>

Date: December 28, 2015 at 22:27:52 EST

To: dewayne@warpspeed.com

Subject: Holy payment protocol, batman!

http://arstechnica.com/security/2015/12/common-payment-processing-protocols-found-to-be-full-of-flaws/

   David.

Common payment processing protocols found to be full of flaws

Stealing PINs and pillaging bank accounts are both trivial.

By Peter Bright

Dec 28 2015

Credit card users could have their PINs stolen, and merchants could have their bank accounts pillaged, in a set of attacks demonstrated by researchers Karsten Nohl and Fabian Bräunlein at the Chaos Computing Club security conference.

Much research has been done into the chips found on credit cards and the readers and number pads used with these cards, but Nohl decided to take a different approach, looking instead at the communications protocols used by those card readers. There are two that are significant; the first, ZVT, is used between point of sale systems and the card readers. The second, Poseidon, is used between the card reader and the merchant’s bank. Nohl found that both had important flaws.

The ZVT protocol was originally designed for serial port connections, but nowadays is used over Ethernet, both wired and wireless. The protocol has no authentication, meaning that if an attacker can put themselves on the same network, they can act as a man-in-the-middle between the point-of-sale system and the card reader. The attacker can then read the magnetic stripe data from the card, and can also request a PIN.

This could then be used to harvest card details at a retailer. Each time the PoS system asks the card reader to perform a PIN-authenticated transaction, the card reader can intercept the request, and replace it with a request for the mag stripe, and then a request for the PIN. With this data harvested, the attacker can easily create cloned cards. To avoid raising suspicion, the attacker’s man-in-the-middle can then direct the card reader to perform an unauthenticated PIN-less transaction using the magstripe data, leaving both cardholder and retailer unaware that anything has gone wrong.

[snip]

China and Russia’s Orwellian attacks on Internet freedom

Date: December 26, 2015 at 08:16:36 EST

To: Dewayne Hendricks <dewayne@warpspeed.com>

Subject: China and Russia’s Orwellian attacks on Internet freedom – The Washington Post

https://www.washingtonpost.com/opinions/keep-the-internet-free/2015/12/25/e9141c8a-a821-11e5-bff5-905b92f5f94b_story.html

China and Russia’s Orwellian attacks on Internet freedom  

LAST WEEK brought a positively Orwellian moment to the debate about Internet freedom. Chinese President Xi Jinping spoke at a state-organized Internet conference in Wuzhen, in Zhejiang province, where he was once party secretary. Mr. Xi declared, “As in the real world, freedom and order are both necessary in cyberspace.” He added, “Freedom is what order is meant for, and order is the guarantee of freedom.” These slogans are more than just propaganda from the leader of a country with the world’s largest Internet censorship operation. Behind them lurks a dangerous ambition.

In China today, there is no Internet “freedom,” if the word means freedom to visit Facebook, Google or other vast stores of online information that are blocked off by the authorities and their Great Firewall. On vibrant social media, China’s 670 million online users can often find a way to be heard, if fleetingly, but a sustained challenge to the ruling power of the Communist Party is invariably squelched. Mr. Xi talking about “freedom” is like saying black is white. His words were live-tweeted by Xinhua, China’s official news agency, and posted on YouTube, even though Twitter and YouTube are blocked for most people in China.

The real danger in Mr. Xi’s remarks is the word “order,” because he envisions not only politeness but also obedience. In China, the party-state sets the rules that determine what Internet users can see and say, and they have been tightened recently. Having established “order” within the walls of China, Mr. Xi has increasingly promoted it as a model of “Internet sovereignty” for the rest of the world, saying that each nation should set its own rules for the Internet within its boundaries.

Russia has been heading in the same direction for several years as President Vladimir Putin attempts to extinguish any serious opposition. The security services in Russia have direct access to the Internet through a physical monitoring system. In July 2014, Russia adopted a law requiring that citizens’ data be stored on Russian soil and, therefore, subject to monitoring. This is a challenge to Facebook, which has tens of millions of users in Russia, as well as to other tech giants such as Apple and Google. Compliance with the Russian law has not been enforced yet, but there are reports that it may begin in January. The companies should resist the effort. An online petition drive directed at the leaders of the tech companies has garnered more than 42,000 signatures with the appeal “Don’t move personal data to Russia!”

China and Russia have both attempted in recent years to nudge global Internet governance toward their misguided “sovereignty” model, so far without a lot of success. But as Mr. Xi’s speech suggests, they haven’t given up. And they won’t. The digital revolution has delivered a truly global information superhighway. This powerful and remarkable invention must not be squandered or put in the hands of those who would use it to stifle free speech, freedom of association and human rights.

Hierarchy Is Detrimental for Human Cooperation

[Note: This item comes from friend David Reed. DLH]

From: “David P. Reed” <david.reed@tidalscale.com>

Sent: Wed, Dec 23, 2015 at 10:58 am

Subject: Hierarchy Is Detrimental for Human Cooperation

Hierarchy Is Detrimental for Human Cooperation 

http://hn.premii.com/#/article/10782762

Abstract

Studies of animal behavior consistently demonstrate that the social environment impacts cooperation, yet the effect of social dynamics has been largely excluded from studies of human cooperation. Here, we introduce a novel approach inspired by nonhuman primate research to address how social hierarchies impact human cooperation. Participants competed to earn hierarchy positions and then could cooperate with another individual in the hierarchy by investing in a common effort. Cooperation was achieved if the combined investments exceeded a threshold, and the higher ranked individual distributed the spoils unless control was contested by the partner. Compared to a condition lacking hierarchy, cooperation declined in the presence of a hierarchy due to a decrease in investment by lower ranked individuals. Furthermore, hierarchy was detrimental to cooperation regardless of whether it was earned or arbitrary. These findings mirror results from nonhuman primates and demonstrate that hierarchies are detrimental to cooperation. However, these results deviate from nonhuman primate findings by demonstrating that human behavior is responsive to changing hierarchical structures and suggests partnership dynamics that may improve cooperation. This work introduces a controlled way to investigate the social influences on human behavior, and demonstrates the evolutionary continuity of human behavior with other primate species.

Things to Celebrate, Like Dreams of Flying Cars

Date: December 25, 2015 at 05:57:55 EST

To: Dewayne Hendricks <dewayne@warpspeed.com>

Subject: Things to Celebrate, Like Dreams of Flying Cars – The New York Times

http://www.nytimes.com/2015/12/25/opinion/things-to-celebrate-like-dreams-of-flying-cars.html

Things to Celebrate, Like Dreams of Flying Cars

By Paul Krugman

Dec 25 2015

In Star Wars, Han Solo’s Millennium Falcon did the Kessel Run in less than 12 parsecs; in real life, all the Falcon 9 has done so far is land at Cape Canaveral without falling over or exploding. Yet I, like many nerds, was thrilled by that achievement, in part because it reinforced my growing optimism about the direction technology seems to be taking — a direction that may end up saving the world.

O.K., if you have no idea what I’m talking about, the Falcon 9 is Elon Musk’s reusable rocket, which is supposed to boost a payload into space, then return to where it can be launched again. If the concept works, it could drastically reduce the cost of putting stuff into orbit. And that successful landing was a milestone. We’re still a very long way from space colonies and zero-gravity hotels, let alone galactic empires. But space technology is moving forward after decades of stagnation. And to my amateur eye, this seems to be part of a broader trend, which is making me more hopeful for the future than I’ve been in a while.

You see, I got my Ph.D. in 1977, the year of the first Star Wars movie, which means that I have basically spent my whole professional life in an era of technological disappointment. Until the 1970s, almost everyone believed that advancing technology would do in the future what it had done in the past: produce rapid, unmistakable improvement in just about every aspect of life. But it didn’t. And while social factors — above all, soaring inequality — have played an important role in that disappointment, it’s also true that in most respects technology has fallen short of expectations. The most obvious example is travel, where cars and planes are no faster than they were when I was a student, and actual travel times have gone up thanks to congestion and security lines. More generally, there has just been less progress in our command over the physical world — our ability to produce and deliver things — than almost anyone expected.

Now, there has been striking progress in our ability to process and transmit information. But while I like cat and concert videos as much as anyone, we’re still talking about a limited slice of life: We are still living in a material world, and pushing information around can do only so much. The famous gibe by the investor Peter Thiel (“We wanted flying cars, instead we got 140 characters.”) is unfair, but contains a large kernel of truth.

Over the past five or six years, however — or at least this is how it seems to me — technology has been getting physical again; once again, we’re making progress in the world of things, not just information. And that’s important. Progress in rocketry is fun to watch, but the really big news is on energy, a field of truly immense disappointment until recently. For decades, unconventional energy technologies kept falling short of expectations, and it seemed as if nothing could end our dependence on oil and coal — bad news in the short run because of the prominence it gave to the Middle East; worse news in the long run because of global warming.

But now we’re witnessing a revolution on multiple fronts. The biggest effects so far have come from fracking, which has ended fears about peak oil and could, if properly regulated, be some help on climate change: Fracked gas is still fossil fuel, but burning it generates a lot less greenhouse emissions than burning coal. The bigger revolution looking forward, however, is in renewable energy, where costs of wind and especially solar have dropped incredibly fast.

Why does this matter? Everyone who isn’t ignorant or a Republican realizes that climate change is by far the biggest threat humanity faces. But how much will we have to sacrifice to meet that threat? Well, you still hear claims, mostly from the right but also from a few people on the left, that we can’t take effective action on climate without bringing an end to economic growth. Marco Rubio, for example, insists that trying to control emissions would “destroy our economy.” This was never reasonable, but those of us asserting that protecting the environment was consistent with growth used to be somewhat vague about the details, simply asserting that given the right incentives the private sector would find a way. But now we can see the shape of a sustainable, low-emission future quite clearly — basically an electrified economy with, yes, nuclear power playing some role, but sun and wind front and center.

Of course, it doesn’t have to happen. But if it doesn’t, the problem will be politics, not technology.

[snip]

NSA Helped British Spies Find Security Holes In Juniper Firewall

Date: December 23, 2015 at 23:53:38 EST

To: Dewayne Hendricks <dewayne@warpspeed.com>

NSA Helped British Spies Find Security Holes In Juniper Firewalls

By Ryan Gallagher and Glenn Greenwald

Dec 23 2015

A TOP-SECRET document dated February 2011 reveals that British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks, a leading provider of networking and Internet security gear.

The six-page document, titled “Assessment of Intelligence Opportunity – Juniper,” raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper last week. While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the “NetScreen” line of security products, which help companies create online firewalls and virtual private networks, or VPNs. It further indicates that, also like the hackers, GCHQ’s capabilities clustered around an operating system called “ScreenOS,” which powers only a subset of products sold by Juniper, including the NetScreen line. Juniper’s other products, which include high-volume Internet routers, run a different operating system called JUNOS.

The possibility of links between the security holes and the intelligence agencies is particularly important given an ongoing debate in the U.S. and the U.K. over whether governments should have backdoors allowing access to encrypted data. Cryptographers and security researchers have raised the possibility that one of the newly discovered Juniper vulnerabilities stemmed from an encryption backdoor engineered by the NSA and co-opted by someone else. Meanwhile, U.S. officials are reviewing how the Juniper hacks could affect their own networks, putting them in the awkward position of scrambling to shore up their own encryption even as they criticize the growing use of encryption by others.

[snip]

Lauren’s Blog: Wishing on a Drone: Analyzing the U.S. Air Force’s New “Portable Hobby Drone Disruptors” Solicitation

[Note: This item comes from Lauren Weinstein’s NNSquad list. DLH]

From: Lauren Weinstein <lauren@vortex.com>

Date: December 24, 2015 at 18:26:38 EST

Subject: [ NNSquad ] Lauren’s Blog: Wishing on a Drone: Analyzing the U.S. Air Force’s New “Portable Hobby Drone Disruptors” Solicitation

Wishing on a Drone: Analyzing the U.S. Air Force’s New “Portable Hobby Drone Disruptors” Solicitation

http://lauren.vortex.com/archive/001140.html

One thing is certainly clear. Governments around the world are having a very difficult time coming to grips with a technological reality. Inexpensive and powerful hobby drone systems, that can be trivially purchased — or be assembled from scratch using commodity parts and open source firmware — are not going away. In fact their proliferation has only begun, and — like it or not — there are no effective means available to control them.

Yes, the potential for serious drone accidents — and even attacks — is real. But so far, the suggested approaches to dealing with this reality seem more out of a Disney fantasy film than anything else.

Not that governments aren’t trying.

Here in the U.S., we have the new FAA hobby drone registration requirement, which won’t prevent a single drone incident (and bad actors will never register or accurately register), but will present a potential privacy mess for law-abiding citizens — the FAA has now admitted that names and physical addresses of registrants will be publicly accessible online via their database. More on this at my earlier blog entry: http://lauren.vortex.com/archive/001138.html

Over in Japan, they’re talking about trying to use bigger drones with nets to try to capture hobby drones. I’m not kidding! I’m picturing the attack drones and target drones getting all tangled up together in the nets and plummeting to earth to hit whatever is unfortunate enough to be underneath. Ouch. Seems like a concept from “Godzilla vs. Dronera” to me. (Hey, Toho, if you use this idea, I want a royalty!)

But the more direct, military approach is also in play.

The U.S. Air Force has just issued a solicitation for a radio-based “Portable Anti Drone Defense” system — essentially a remote drone disruption device that can be easily used by someone familiar with — well — shooting guns. The Air Force wants three units to start with. Delivery required 30 days after awarding of the contract.

You can learn all about it here:

https://www.fbo.gov/index?s=opportunity&mode=form&id=7495ac616b40525dfbb5c9840a89a726

It does indeed make for interesting reading, and I thought it might be instructive to dig into the technical details a bit.

So here we go.

The requirement specifically is addressed to the disruption of commercially available personal drones. This appears to implicitly admit that self-built drones (built from easily available commodity parts as I noted above) may represent a more problematic target category.

In practice though, even commercially available drones will often be running altered and/or open source firmware, making their behavior characteristics less of a sure bet (to say the least).

A key attribute of the Drone Disruptor is that it be able to interfere with drone operator communications links in the 2.4 and 5.8 GHz unlicensed bands.

These of course are the same bands used for Wi-Fi, and are indeed the most common locations for hobby drone comm links. (More advanced hobbyists also may control their drones through ground station links in the 433 MHz and/or 915 MHz bands, but who am I to tell anything to the Air Force?)

Another key bullet point of the solicitation is the ability to interfere with the GPS receivers that an increasing number of drones use for Return to Launch (RTL) functions, and for fully autonomous “waypoint” flights that can proceed without any operator comm link active.

All of this gets really, seriously complicated in practice, because any given hobby-class drone can behave in so many different ways (both planned and unplanned) when faced with the sorts of disruptions the USAF has in mind.

The cheapest variety are usually completely dependent on the comm link for flight stability. Jam or otherwise disrupt the link, and they’ll usually go crazy and come crashing down.

It’s a taller order if you want to actually take over control of such drones, since you need to have a compatible transmitter and a way to “bind” it to the receiver. Not impossible by any means, but a lot tougher, especially if a drone is unstable during the comm link attack process.

More sophisticated hobby drones can be programmed to do pretty much anything in the case of their comm link being interrupted or tampered with. They might be configured to just “loiter” in position, or more commonly to activate that RTL — Return to Launch — function that I mentioned (yes, handy if you want to trace a drone back to its point of origin).

But many hobby drones now include sophisticated GPS receivers and magnetometers (that is, electronic compasses) — and sometimes more than one of either or both for flight control redundancy.

This is obviously why the USAF solicitation includes GPS jamming requirements (it doesn’t mention anything about magnetometers).

Here again though, how any given drone will react to such interference is difficult to predict with any degree of accuracy, especially if it isn’t running the firmware you presume it does (and we know even commercial drones with restricted firmware will be “rooted” and “jailbroken” to run “unapproved” firmware without restrictions, often by users just to prove that they could do it.)

For example, in the case of GPS disruption, a drone could be programmed to simply fly away as far as it can using its magnetometer references.

Even without reliable magnetometer readings, a drone could execute a “dead reckoning” escape plan using only its internal electronic accelerometers and gyros (even cheap toy drones now usually include three of each to deal with the required calculations for stable flight in 3D space).

What’s more, at lower altitudes, a small, $100 laser ranging (“LIDAR”) system can provide another source of internal control data.

If you weren’t already familiar with the field of modern hobby drones, your reaction to this discussion might understandably be something like, “Gee, I didn’t realize this stuff had gotten so sophisticated.”

But sophisticated it is, and becoming more so at a staggeringly fast rate.

The bottom line seems to be that while it’s understandable that the USAF would wish for a portable magic box that can “shoot down” drones via radio jamming and other remote techniques, the ability of such a system to be effective against other than the “low hanging fruit” of less sophisticated hobby-class drones seems notably limited at best.

And that’s a truth that all the “wishing on a drone” isn’t going to change.

So if a drone shows up under your Christmas tree, please do us all a favor and fly it responsibly!

Merry Christmas and best for the holidays, everyone!

–Lauren–

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren

The Plutocrats Are Winning. Don’t Let Them!

Date: December 24, 2015 at 08:12:22 EST

To: Dewayne Hendricks <dewayne@warpspeed.com>

Subject: The Plutocrats Are Winning. Don’t Let Them! – BillMoyers.com

The Plutocrats Are Winning. Don’t Let Them!

The vast inequality they are creating is a death sentence for government by consent of the people. This is the fight of our lives and how it ends is up to us.

By Bill Moyers

Dec 22 2015

Military to Military: Seymour M. Hersh on US intelligence sharing in the Syrian war

[Note: This item comes from friend David Rosenthal. DLH]

From: “David S. H. Rosenthal” <dshr@abitare.org>

Date: December 21, 2015 at 09:50:47 EST

To: dewayne@warpspeed.com

Subject: Sy Hersh – important

http://www.lrb.co.uk/v38/n01/seymour-m-hersh/military-to-military

‘We weren’t intent on deviating from Obama’s stated policies,’ the adviser said. ‘But sharing our assessments via the military-to-military relationships with other countries could prove productive. It was clear that Assad needed better tactical intelligence and operational advice. The JCS concluded that if those needs were met, the overall fight against Islamist terrorism would be enhanced. Obama didn’t know, but Obama doesn’t know what the JCS does in every circumstance and that’s true of all presidents.’

   David.

Military to Military: Seymour M. Hersh on US intelligence sharing in the Syrian war

By Seymour Hersh

Jan 7 2016

Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA

[Note: This item comes from friend David Isenberg. DLH]

Date: December 22, 2015 at 11:26:20 EST

To: Dewayne Hendricks <dewayne@warpspeed.com>

Subject: Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA | WIRED

<http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/>

Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA

By Kim Zetter

Dec 22 2015

Security researchers believe they have finally solved the mystery around how a sophisticated backdoor embedded in Juniper firewalls works. Juniper Networks, a tech giant that produces networking equipment used by an array of corporate and government systems, announced on Thursday that it had discovered two unauthorized backdoors in its firewalls, including one that allows the attackers to decrypt protected traffic passing through Juniper’s devices. 

The researchers’ findings suggest that the NSA may be responsible for that backdoor, at least indirectly. Even if the NSA did not plant the backdoor in the company’s source code, the spy agency may in fact be indirectly responsible for it by having created weaknesses the attackers exploited.

Evidence uncovered by Ralf-Philipp Weinmann, founder and CEO of Comsecuris, a security consultancy in Germany, suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes. Weinmann reported his findings in an extensive post published late Monday.

[snip]