Why the Internet needs its own version of cancer researchers, bypassing chip and pin protections & the 2016 Pwnie Awards from Black Hat!

Plus your questions, our answers & much, much more!

Show Notes:

Fixing this Internet before it breaks again

  • “What we call the Internet, was not our first attempt at making a global data network that spanned the globe. It was just the first one that worked.”
  • “There is no guarantee that the internet will succeed. And if we aren’t careful we can really screw it up. It has happened before and we can do it again.”
  • “Kaminsky, who was delivering the keynote to over 6,000 Black Hat USA 2016 attendees, said problems that need to be addressed within the security community are political, technical and how the security community collaborates.”
  • “The internet doesn’t have the equivalent of ‘the guy’ that’s working on cancer. We need institutions and systems. We need to have something like NIH (National Institutes of Health) for cyber. It needs to have good and stable funding,” Kaminsky said. Research, problem solving and solutions are too often conducted in fiefdoms that seldom share the collective solutions needed to help fix the big security issues of the day. “I’m worried. I’m worried about our ability to innovate and our ability to create and I’m worried that we are not building the sort of infrastructure to make the internet a safe place.”
  • “By taking a NIH type of approach, Kaminsky argued, the internet would foster a large number of deeply committed security experts to work independently and away from commercial interest that push the security sector to come up with quick fixes to solve big security problems. “We need to make changes and we need to have studies about the way we program and the method that people use to build secure things”
  • “So what I’m looking to answer is – forget the layers of abstraction and the politics – how do we get 100 nerds working on a project for 10 years without interrupting them or harassing them and telling them to do different things. How do you make that happen? How you don’t make that happen is how we are doing that in InfoSec today – and that’s with the spare time of a small number of highly paid consultants. We can do better than that”
  • “Kaminsky doesn’t see the NIH approach as a panacea to all that ails the security world. In fact, in his talk he described a delicate balancing act where the security community derives the benefits of broader administration without being hamstrung by potential politics. Control, greed and companies driven by profits, he argued, killed the internet of the 1990s. He argues AOL tried to create a walled garden and control everything and make billions. But that internet failed”
  • “There are two models of an internet. There is the walled garden and freedom. The walled garden is, ‘okay here is your environment and go ahead and try to use it.’ The other model is that people can put stuff up and other people can use and abuse it. People don’t need to ask for permission they don’t need to beg. Maybe it works and maybe it doesn’t.”
  • Are Apple, Facebook, Google, and Microsoft taking us towards their own versions of AOL’s walled garden of the Internet?
  • How often does your family’s internet browsing actually leave Facebook?
  • He warns, the same way AOL’s walled garden threatened a free internet of the 1990s, government control over encryption could have the same stifling effects on innovation and cyber liberties. “Let’s stop the encryption debate. This is actually useless. It’s driving all the energy away from what we need to fix,”
  • Topping Kaminsky’s fixit list was devising better ways for the security community to collectively move the security ball forward and not view security solutions as individual races to win. “Let’s take our obscure knowledge and real expertise and make it available to the rest of the security community,” he said. By sharing knowledge and solutions it allows us to find flaws quicker and fix them even faster.
  • It is not about the splashiest vuln with the coolest name, or having the fastest fix, it is about being in it for the long term, and actually fixing things.

Researchers bypass chip and pin protections by attacking the PoS terminals

  • “The payment industry is becoming more driven by security standards. However, the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security.”
  • “Credit card companies for the most part have moved away from “swipe and signature” credit cards to chip and pin cards by this point; the technology known as EMV (Europay, MasterCard, and Visa) which is supposed to provide consumers with an added layer of security is beginning to see some wear, according to researchers.”
  • Except in the US
  • The chip card transition in the US has been a disaster
  • “Nir Valtman and Patrick Watson, researchers with NCR Corporation, staged a series of malicious transactions in a talk here at Black Hat on Wednesday, demonstrating how they could capture Track 2 data and bypass chip and pin protections.”
  • “Instead of attacking the operating system of the POI and POS devices, the researchers bypassed much of the built-in security. This includes integrated cryptographic security schemes. Breaking crypto, after all, is very hard. That’s because cryptography is just math, and math (for the most part) works. But the crypto is just part of the overall security system, the other pieces of which are vulnerable to attack. This was made even easier since much of the information the team sought in their attacks was not encrypted on the payment device.”
  • “In their first demonstration, the duo used a Raspberry Pi to capture Track 2 data packets in real time. Via a passive man-in-the-middle compromise, Wireshark picked up two interactions from data entered into a pinpad running flawed production software that’s currently in the wild. The two declined to specify the company’s name, but claimed they had spoken with the vendor and asked them to implement TLS connections, but said they couldn’t as they ran old hardware.”
  • “The garbled data can be transformed into readable bits, service code expiration data, discretionary data, and so on, data that can tip a hacker off whether the card is a chip card.”
  • The pair showed how easy it’d be to use a malicious form to trick a consumer into re-entering their PIN or a CVV on a card machine. “Consumers trust pinpads, they usually think they entered it wrong,”
  • “According to the two researchers, attackers could compromise a pinpad – by injecting a form, Malform.FRM in this instance, when no one’s in the store and quickly change it back to a customized “Welcome!” message. Both Valtman and Watson advocate that pin pads leverage strong crypto algorithms and allow only signed whitelist updates. Point of sale pin pads are usually PCI certified but the two pointed out PCI doesn’t require encryption over a local area network, which is how an attacker could carry out a MiTM attack.”
  • So they used the API of the payment terminal to trick the user into actually typing in the CVV, so they could capture it.
  • They also socially engineer the user into thinking they mistyped their PIN, and have them enter it a second time. One of the two entries is not expected by the software, and is instead captured by the attacker’s software.
  • “Consumers should never re-enter their PIN, as it’s a telltale giveaway that a pin pad may have been compromised, Valtman claimed, before adding that he usually frequents stores that allow him to pay with his Apple Watch, as he finds the technology more secure than EMV”
  • “It’s cool, but not a secure standard,” Nir said.
  • “As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.”
  • Slides
  • Additional Coverage

The 2016 Pwnie Awards!

