Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Chip and Pin security flaw exposed by Cambridge Researchers

• Chip and Pin technology replaces the traditional magnetic strip and signature method of authorizing a Credit Card or Debit Card transaction
• The technology uses the chip embedded in the card to authenticate itself to the PoS (Point of Sale) terminal, once the PIN is entered, proving that it is not a forged or cloned card
• This provides stronger authentication of the card holder, using the secret PIN rather than comparing signatures
• The original idea behind this concept was to shift liability for fraudulent transactions to the card holder, since the transaction could only go through if the PIN was provided, the transaction must have been authorized by the card holder, or the card holder was careless with their PIN number
• This liability shift was never enacted, due to various flaws found in the system, including one where a blank card, connected to a stolen card, could be used to access the funds on the stolen card with an arbitrary pin number
• The most recent flaw takes the form of a pre-play attack, which allows the attacker to determine the information required to authorize a transaction without the PIN number
• The authentication protocol used between the PoS and the Chip requires the PoS terminate to generate a nonce , referred to in the documentation as an ‘unpredictable number’. The purpose of the nonce is to ensure that the authentication is fresh, preventing an attacker from using an old authentication response
• The problem is in the implementation, many PoS terminates do not generate a random (or even pseudo-random) number for the nonce, but rather use a timestamp or counter
• This allows an attack, that from the logs at your bank, appears as if your card was cloned, which is supposed to be nearly impossible due to the chip embedded in your card
• The researchers discovered this vulnerability while investigating the case of an HSBC customer who was refused a refund from his bank, who stated that he must have entered his PIN at the ATM where his cash was withdrawn, in a different country
• At the behest of the researchers, he demanded the banks logs of the transaction
  Date Time UN
  2011–06–29 10:37:24 F1246E04
  2011–06–29 10:37:59 F1241354
  2011–06–29 10:38:34 F1244328
  2011–06–29 10:39:08 F1247348
• As you can see, the ‘unpredictable number’s do not seem very random at all, infact they appear to be a 17 bit fixed value, followed by a 15 bit counter that is incremented every few milliseconds, and rolls over every 3 or so minutes
• The research discusses how this weakness could use used to execute a ‘pre-play’ attack
• An employee working at a restaurant or retail store, could run your card through a device that would provide the authentication code required to access the card during some specific window of time in the future, allowing them to withdraw funds from your account at an ATM without knowing your PIN number. This attack could also be executed by malware built in to a PoS terminal or vending machine
• The researchers built their own special card that could extract the unpredictable number from each transaction they performed, and by doing a number of ‘balance check’ transactions, where we able to assess the randomness of the UNs
• Research Paper
• Blog post by Reseacher

---

NIST chooses keccak as new SHA–3 hashing algorithm

• Pronounced catch-ack
• The algorithm was designed by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors, and was one of 63 entrants to the NIST competition
• The competition started in 2007 when it looked like there may be issues with SHA–2
• Those issues never surfaced and SHA–2 is still considered secure
• Because keccak is not derivative of SHA–2, but entire different, it means that an attack against SHA–2 will be very unlikely to also be effective against SHA–3

---

Feedback:

• I need help finding the correct chat server

• Openfire Server

• Some information on the Nexus S and NFC

• rsync Hard Links and full backups?

• An easy way to encrypt on the go?

• Why do banks use passwords at all?

• Can we get TechSNAP on Stitcher?

Jupiter Broadcasting on Stitcher

Have some fun:

• What will be in the news the week in October when Allan is at Euro BSD Con? Let make a prediction on the head lines or just make up funny stuff to read

What I wish the new hires “knew”

Round-Up:

• Regulators shut down global PC ‘tech support’ scam
  • “Hello, I’m definitely not calling from India. Can I take control of your PC?”
• Britain in talks on cybersecurity hotline with China and Russia
• New Oracle hacks revealed
• The Most Important Meeting You’ve Never Heard of
• Facebook denied private messages were leaked, messages were old wall-to-wall posts that users misunderstood
• Squirrels account for 17% of all cable damage at Level3 communications
• 10 most bizarre cable cuts
• Server Room Nightmares
• Obligatory XKCD