Cleaning up our Mess | TechSNAP 141
Posted on: December 19, 2013

Target stores suffer a massive breach; we’ll round up everything you need to know. In light of recent events, some of us have called for greater use of encryption, but are we too late? Has the Internet already been broken? We’ll discuss.
Plus a batch of your questions, our answers, and much more!
— Show Notes: —
Target PoS systems breached, more than 40 million credit and debit cards may have been compromised
- “Target confirmed the breach and in a statement said 40 million credit and debit cards were accessed starting the day before Thanksgiving and that hackers had access to the company’s systems until Dec. 15”
- “According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores”
- Because the breach was of the PoS system, the attackers have the full ‘track data’ from the magnetic stripe and could encode that data on blank cards (or gift cards) and use them to make fraudulent purchases
- If the attackers also managed to capture PIN numbers of debit cards, they could also program new cards in order to make cash withdrawals at ATMs
- It is not yet clear how the attackers compromised the Point-of-Sales systems
- Official Statement
- Additional Coverage
- Additional Coverage
PHK: We made this mess…
- Prolific software developer Poul-Henning Kamp (Varnish, FreeBSD, md5crypt) talks about how more encryption is not the answer, and how the people who created and use the Internet need to fight politics with politics
- “And that “we” is people like you and me, people who connected computers, people who wrote software, people who ran ISPs, and people who told everybody and their grandmother how great the Internet was. … without thinking it fully through.” “In particular without fully thinking through what people who are not like us might use the Internet for.”
- “Any attempt from now on to claw back the privacy which have been illegally removed from our lives, will be met by similar fierce resistance.”
- “Resistance from the military industrial complex, for whom “Cyberwar” and “Total Situational Awareness” is the new cash-cow.”
- “A lot of the “we”, are currently arguing that adding more encryption will solve the problem, but they are deceiving nobody but themselves: More encryption only means that more encryption will be broken, backdoored, trojaned or otherwise circumvented.”
- “If you think you can solve political problems with technical means, you’re going to fail: Politicians have armies and police forces, you do not.”
- Also talks about how Jordan Hubbard (founder of the FreeBSD project) accidentally invented spam and warned that it needed to be controlled, as well as other examples of events that presaged the technical problems of the modern Internet
Krebs: RDP and weak passwords still a huge problem
- “Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers”
- Many servers have remote administration tools enabled, like SSH or in the case of Windows servers, RDP
- Just like the constant barrage of attacks against SSH servers, RDP is also subjected to constant brute-force attacks; however, these servers are often less well defended
- Worse yet, there are still prolific numbers of servers with easily guessed username/password combinations such as remote1/Remote1 and sisadmin/sisadmin
- Krebs profiles a service advertised on cybercrime forums that sells credentials to these compromised servers
- “Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC’s upload and download speeds”
- Looking at the owners of the IP addresses, Krebs even wrote a little seasonal jingle
Feedback:
Round Up:
- Research shows how MacBook Webcams can spy on their users without warning
- Dell SecureWorks analysis of Cryptolocker suggests the authors made at least $300,000 and possibly over $1 million in ransom
- Stolen Passwords as Art in Germany
- Inside Microsoft’s Digital Crimes Unit
- The NSA may never know the full extent of the Snowden leaks
- As you might expect, the UK Internet Filter has many false positives and an even greater number of misses
- IEC develops new standardized laptop power adapter
- IETF to work on making a new version of TLS that is easier to implement, harder to implement incorrectly, and easier to use for additional applications
- Video – LISA13: Managing access using SSH keys (by the Inventor of SSH)
- GitHub takes down satirical C+ equality language repo