GoodGoogle BadUSB | TechSNAP 173

China goes on a hacking spree, compromising a Point of Sale system is as simple as an ebay purchase.

Plus what’s bad about GoodGoogle, your questions, our answers, and much much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

What can you find on a used POS terminal off ebay?

  • Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for US$200.
  • The Aloha POS system is sold by NCR, which acquired it as part of its purchase of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry, behind those of Micros Systems, which Oracle bought last month for $5.3 billion.
  • Oh found default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
  • Oh’s research illustrates the security issues facing the hospitality industry: outdated POS systems that it sometimes cannot afford to update.
  • Companies don’t appear to be paying enough attention to the security of their POS terminals, and older systems, which may not be as secure, are often still in use.
  • The problem also affects the food industry, where there is little budget to upgrade POS systems.
  • P.F. Chang’s was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant’s acquisition by NCR.
  • P.F. Chang’s disclosed a credit and debit card breach last month.
  • P.F. Chang’s said on July 1 the breach remains under investigation. The company temporarily shut down its POS system and switched to an old-style manual imprinting system for processing payment cards to prevent further damage.
  • HP Security Research Blog

Hackers breach three Israeli Defense firms behind Iron Dome

  • Brian Krebs breaks the news that the three defense contractors responsible for the design and building of the Iron Dome missile defense system have had their computer systems breached
  • Iron Dome intercepts inbound rockets and mortars and has been credited with intercepting approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict
  • The attackers stole huge quantities of sensitive documents pertaining to the missile shield technology
  • The breach occurred between Oct. 10, 2011 and August 13, 2012, but was not disclosed
  • The three victims were: Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems
  • The breach was investigated by Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI)
  • CyberESI managed to gain access to the secret communications infrastructure set up by the attackers, and from that learned that a very large volume of data had been exfiltrated from the victim networks
  • The stolen material included a 900-page document that provides detailed schematics and specifications for the Arrow III missile, plus documents about Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other related technical documents
  • “Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.”
  • Iron Dome is partially funded by the US Government, and was designed in cooperation with some US defense contractors
  • “Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”
  • Many of the documents that were stolen have their distribution restricted by International Traffic in Arms Regulations (ITAR), a U.S. State Department control that regulates the defense industry, raising questions about the lack of timely disclosure
  • “According to CyberESI, IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations.”
  • “Once inside the IAI’s network, Comment Crew members spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network.”
  • “Once the actors established a foothold in the victim’s network, they are usually able to compromise local and domain privileged accounts, which then allow them to move laterally on the network and infect additional systems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using hash dumping tools. They can also use common local administrator account credentials to infect other systems with Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all of the password hashes being used in the network. The actors can also deploy keystroke loggers on user systems, which captured passwords to other non-Windows devices on the network.”
  • “While some of the world’s largest defense contractors have spent hundreds of millions of dollars and several years learning how to quickly detect and respond to such sophisticated cyber attacks, it’s debatable whether this approach can or should scale for smaller firms.”

Chinese hackers breach National Research Council of Canada computers while they are working on new security system to prevent attacks

  • The Canadian federal government revealed on Tuesday that the NRC’s computer networks were the target of a cyber attack, and had been shut down to contain the compromise
  • The NRC is working with both the private sector and university research teams to create a physics-based computer encryption system
  • “NRC is developing photonics-based, quantum-enhanced cyber security solutions … collaborating to develop technologies that address increased demands for high-performance security for communications, data storage and data processing.” says the NRC’s website.
  • “NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure. This could take approximately one year; however, every step is being taken to minimize disruption.”
  • The intrusion came from “a highly sophisticated Chinese state-sponsored actor,” said the Treasury Board. “We have no evidence that data compromises have occurred on the broader Government of Canada network.”
  • The article states “… comes as the agency is working on an advanced computer encryption system that is supposed to prevent such attacks.”
  • Encryption does not prevent your computer systems from being breached by attackers, especially when the attackers get a foothold via phishing and other social-engineering attacks
  • The encryption system is a defense against eavesdropping, and may also protect sensitive documents in cold storage, but it does not prevent systems from being compromised

Service offers to defeat your competitors’ online advertising

  • Krebs brings us more news, this time about an online service that exhausts the daily advertising budget of your competitors, making your own advertisements less expensive and more visible
  • A common scam involving Google’s AdSense service is “click fraud”. A fraudster sets up a website to display ads, then drives fake traffic to the site, and fake clicks on the ads
  • The fraudster then gets paid by Google a portion of what the advertiser paid to show the ad
  • However, Krebs found someone doing the opposite, defrauding the AdWords side of the business
  • “GoodGoogle” is the name of one of these fraudster services. It promises to click the ads of your competitors, driving up their costs and exhausting their advertising budget early in the day (or early in each hour, depending on the Google settings)
  • This means your own ads will be less expensive (your lower bid normally wouldn’t win, but if all of the higher bidders have expended their budget for the day, you are now the high bidder), and you cost your competitors more money
  • “The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’ ads indefinitely. Fees are paid up-front and in virtual currencies and the seller offers support and a warranty for his work for the first three weeks.”
  • “Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, speculated that GoodGoogle’s service consists of two main components: A private botnet of hacked computers that do the clicking on ads, and advanced software that controls the clicking activity of the botted computers so that it appears to be done organically from search results”
  • This could also be an interesting case of double-dipping: if the fraudster ran fake sites with content specific to the keywords his customers wanted to attack, he could make money via click fraud on the AdSense side while charging for his services on the AdWords side
  • “Amazingly, the individual responsible for this service not only invokes Google’s trademark in his nickname and advertises his wares via instructional videos on Google’s YouTube service, but he also lists several Gmail accounts as points of contact. My guess is it will not be difficult for Google to shutter this operation, and possibly to identify this individual in real life.”
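As an added illustration of the budget-exhaustion mechanism described above (example code written for these notes, not from Krebs, Google or the GoodGoogle service; the advertisers, bids, budgets and click counts are constructed): a toy daily ad auction in which fraud clicks arriving early in the day drain the higher bidders, after which the low bidder takes all of the organic traffic at its own cheaper bid.

```python
from dataclasses import dataclass


@dataclass
class Advertiser:
    name: str
    bid: float            # cost per click the advertiser is willing to pay
    daily_budget: float
    spent: float = 0.0

    def can_serve(self) -> bool:
        # Once the remaining budget cannot cover one more click, the ad drops out for the day
        return self.daily_budget - self.spent >= self.bid


def winner(advertisers):
    """Highest bidder with budget left wins the slot (simplified first-price auction)."""
    live = [a for a in advertisers if a.can_serve()]
    return max(live, key=lambda a: a.bid) if live else None


def run_day(advertisers, click_sources, customer=None):
    """Serve one click per entry of click_sources ('organic' or 'fraud'), charging the winner.

    Fraud clicks are aimed only at competitors: when the service's own customer holds the
    slot, no click is made, which is what a service paid to drain rivals' budgets would do."""
    served = []
    for src in click_sources:
        w = winner(advertisers)
        if w is None:
            break
        if src == "fraud" and w.name == customer:
            continue
        w.spent += w.bid
        served.append((src, w.name))
    return served


def simulate(fraud_clicks: int, organic_clicks: int = 60):
    """Constructed market: two incumbents outbid 'low-bidder-C', the service's customer.

    Returns {name: (organic clicks won, fraud clicks absorbed, money spent)}."""
    ads = [Advertiser("incumbent-A", bid=2.00, daily_budget=50.0),
           Advertiser("incumbent-B", bid=1.50, daily_budget=30.0),
           Advertiser("low-bidder-C", bid=0.50, daily_budget=100.0)]
    # Fraudulent clicks arrive early in the day, before the organic search traffic
    served = run_day(ads, ["fraud"] * fraud_clicks + ["organic"] * organic_clicks,
                     customer="low-bidder-C")
    return {a.name: (sum(1 for s, n in served if s == "organic" and n == a.name),
                     sum(1 for s, n in served if s == "fraud" and n == a.name),
                     a.spent) for a in ads}
```

With no fraud the incumbents buy 25 and 20 of the 60 organic clicks and C gets 15; with 45 fraud clicks front-loaded, A and B spend their entire budgets on fraudulent traffic and C receives all 60 organic clicks. From the victim's side the signal is the same in the model and in practice: the daily budget is gone before the day's real traffic arrives, with spend but no conversions.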
