
2014 has been the year of the celebrity bug. We take a look at the new trend of giving security vulnerabilities names and logos, and ask who it truly benefits.
Plus practical ways to protect yourself from ATM skimmers, how they work, and much more!
— Show Notes: —
Wiretapping ATMs
- “Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.”
- “The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
- “It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”
- So, they attach to the real card reader and siphon off a copy of the data as the card is read
- That makes this form of skimming practically undetectable from the outside (except possibly by the fake decal used to cover the hole cut in the front of the ATM)
- The Krebs article also describes new “insert transmitter skimmers” that use a small battery to transmit the skimmed data a short distance, so the attacker does not have to return to the scene of the crime to collect the stolen data, reducing the risk of getting caught
- “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots”
- “Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).”
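What the tap described above actually captures, as an added example that is not from the Krebs/EAST reporting: a decoder for an ISO/IEC 7813 Track 2 record, the data a card reader (and therefore a tap on its read head) receives in the clear. The sample record is constructed using the standard Visa test PAN, and the output field names are my own. It also shows the point behind the hand-over-the-PIN-pad advice: the PIN is not encoded on the stripe, so the tap alone never yields it.

```python
"""Decode a captured Track 2 record: what a card-reader tap sees.

Added example for these show notes; not code from the Krebs/EAST
reporting. The capture below is constructed using the standard Visa test
PAN (4111 1111 1111 1111) and follows the ISO/IEC 7813 Track 2 layout:

    ; PAN = YYMM SSS <discretionary data> ?

Start sentinel ';', field separator '=', end sentinel '?'.
"""
import re

# Constructed sample capture (test PAN, not real cardholder data).
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 check digit: true for every genuine PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str):
    """Split a Track 2 record into its fields; None if it is not Track 2.

    Note what is present (PAN, expiry, service code) and what is not:
    the PIN is never encoded on the stripe, which is why a skimmer needs
    a camera or a pad overlay to get it.
    """
    m = TRACK2_RE.match(track.strip())
    if m is None:
        return None
    pan, exp, svc, disc = m.group("pan", "exp", "svc", "disc")
    return {
        "pan": pan,
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "luhn_valid": luhn_valid(pan),
        "expiry": f"{exp[2:]}/{exp[:2]}",      # YYMM on the stripe -> MM/YY
        "service_code": svc,
        # First service-code digit 2 or 6: issuer wants the chip used where
        # available; a stripe-only clone then depends on fallback being allowed.
        "chip_capable": svc[0] in ("2", "6"),
        "discretionary": disc,
    }


if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK2)
    for k, v in rec.items():
        print(f"{k:14} {v}")
```

Because the tap sits on the reader's own head, the bytes it copies are identical to what the ATM itself processes; nothing in the data distinguishes a tapped read from a clean one, which is why the only external tell is the decal.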
Bug naming and shaming
- This article discusses the advantages and disadvantages of having named and branded bugs like Heartbleed, as well as some behind-the-scenes info on that vulnerability, and the people behind the naming of various other vulnerabilities since then
- “If the bug is dangerous enough, it gets a name. Heartbleed’s branding changed the way we talk about security, but did giving a bug a logo make it frivolous… or is this the evolution of infosec?”
- Heartbleed was discovered some time before Friday, March 21, 2014 by a Google security researcher. It was later shared with OpenSSL, Red Hat, CloudFlare, Facebook, and Akamai
- Finnish security company Codenomicon separately discovered Heartbleed on April 3, and informed the National Cyber Security Centre Finland the next day
- They then immediately went to work on a marketing plan. This discovery was going to launch their small firm into superstardom. They had a logo and website designed, and prepared for the public disclosure of the bug
- The original public disclosure was scheduled for April 9th. However, after details started to leak, and the OpenSSL team decided that if more than one group had already discovered the bug, more would quickly follow, they released the details early, on April 7th
- “Half an hour after OpenSSL published a security advisory the morning of April 7, CloudFlare bragged in a blog post and a tweet that it was first to protect its customers, and how CloudFlare was enacting an example for “responsible disclosure.”
- “An hour after CloudFlare’s little surprise, Codenomicon tweeted to announce the bug, now named Heartbleed, linking to a fully prepared website, with a logo, and an alternate SVG file of the logo made available for download.”
- “Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don’t actually understand what it is.”
- “The media mostly didn’t understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast.”
- In the end, it seems Heartbleed was a success: most systems were patched quite quickly, although many did not follow the full remediation procedure (patching, then regenerating private keys and reissuing certificates), and that has had some fallout that we have covered
- In justifying the name given to a Russian hacking group, iSight Partners said: “Without naming these teams, it would be impossible for a network defender to keep track of them all. We think that’s essential, because intimately understanding these teams is the first step to mounting an effective defense. Giving a name to a team — as we have done with Sandworm — helps practitioners and researchers track and attribute tactics, techniques, procedures and ongoing campaigns back to the team. By assigning identities, it helps to bring these actors out of the shadows and into the light.”
- Other vulnerabilities, like POODLE, had alarmingly bad reporting that may have done more harm than good
- ShellShock was the anti-case. It didn’t have a logo or an official website (see the ShellShock timeline)
- It was originally dubbed BashDoor by its discoverer, but when it was leaked to the press by someone else, they supplied the name ShellShock
- Further, because the initial fix for the ShellShock vulnerability did not entirely solve the problem, there was much confusion: people thought they had already patched, but didn’t have the “latest” patch
- Then there were a number of follow-on vulnerabilities in bash that didn’t have names but were lumped in with ShellShock, which led to even more confusion
- Closing Quote: “The researchers didn’t tell their closest biz-buddies in a game of telephone, one in which Heartbleed became an arms race of egos, insider information trading, and opportunism”
- Who gets to decide what bugs are bad enough to get a name instead of just a CVE number? Should MITRE start tracking names along with the CVE numbers?
- Who gains more from naming bugs: the end users, who might become more aware of the issue and be able to protect themselves, or the PR-powered firms that exploit it for their own good?
Feedback:
- Why is md5 not secure?
- Md5crypt Password scrambler is no longer considered safe by author — PHK’s Bikeshed
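The feedback question above, worked through as an added example (my code, not the episode's or PHK's): a dictionary attack against an unsalted MD5 password table, then the same attack against salted, iterated PBKDF2 records. For password storage the problem is not MD5's known collision weakness but that MD5 is fast and is usually stored unsalted; PHK's point about md5crypt is that its fixed 1000 rounds of MD5 have become far too cheap on commodity GPUs. The leaked table and word list are constructed; PBKDF2-HMAC-SHA256 stands in for md5crypt's salt-plus-iteration design with a current primitive and a tunable work factor.

```python
"""Why plain MD5 (and, these days, md5crypt) is a poor password store.

Added example for these show notes, not code from the episode or from
PHK's md5crypt. The "leaked database" and word list are constructed for
the demo; the two digests are the well-known MD5 hashes of those passwords.
"""
import hashlib
import hmac
import os
import time

# Constructed sample: user -> unsalted MD5 hex digest, the way many older
# web applications stored passwords.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # identical to alice: same password
}

# A toy word list; real attacks use hundreds of millions of candidates.
WORDLIST = ["letmein", "qwerty", "password", "123456", "dragon"]

ITERATIONS = 100_000  # PBKDF2 work factor; tune so one hash costs ~0.1 s


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5.

    With no salt, one MD5 per candidate covers the whole database: the
    lookup table is built once, every user sharing a password falls at the
    same time, and precomputed tables work across sites.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash. Returns (salt, digest).

    Same idea as md5crypt (per-user salt + iterated hash), but with a
    current primitive and ~100x md5crypt's fixed 1000 rounds.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def pbkdf2_verify(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison so verification does not leak digest bytes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_records(passwords, iterations=ITERATIONS):
    """Store {user: password} as {user: (salt, digest)} with a fresh salt each."""
    return {user: pbkdf2_hash(pw, iterations=iterations) for user, pw in passwords.items()}


def crack_salted(records, wordlist, iterations=ITERATIONS):
    """The same dictionary attack against salted, iterated records.

    The salt kills shared work: every (user, candidate) pair is a full
    PBKDF2 run, so cost is users x candidates x iterations, not candidates.
    """
    found = {}
    for user, (salt, digest) in records.items():
        for w in wordlist:
            if pbkdf2_verify(w, salt, digest, iterations):
                found[user] = w
                break
    return found


def work_factor_ratio(wordlist, iterations=ITERATIONS):
    """How many times slower one PBKDF2 guess is than one MD5 guess."""
    t0 = time.perf_counter()
    for w in wordlist:
        hashlib.md5(w.encode()).hexdigest()
    fast = time.perf_counter() - t0
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for w in wordlist:
        hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    recs = salted_records({"alice": "password", "carol": "password"})
    print("same password, different digests:", recs["alice"][1] != recs["carol"][1])
    print("salted PBKDF2 cracked:", crack_salted(recs, WORDLIST))
    print(f"per-guess cost ratio: ~{work_factor_ratio(WORDLIST):,.0f}x")
```

Both attacks still succeed against weak passwords; what changes is the price per guess and the loss of shared work across users, which is the whole argument for a salted, slow hash over MD5 and for raising md5crypt's round count beyond what 1990s hardware dictated.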
Round Up:
- NSA spies on carriers to break call encryption, report suggests
- Government sites remain hacked 2 weeks later — The problem with not disclosing security breaches
- U.S. Intelligence Agency Aims to Develop Superconducting Computer
- The Cost of HTTPS everywhere
- Google Can Now Tell You’re Not a Robot With Just One Click
- Samsung announces 3.2TB PCI-E SSD, Intel/Micron announce 3D NAND, hard drives stuck at 7200rpm (or lower)
- “It’s signed, must be legit” — Lessons in Interface Design
- ExplainShell.com — Explain what that code is actually doing, a quick way to learn to read shell scripts
- Prosecutors charge “hacker” with 44 felonies in typical scare tactics (10-year maximum on each, for a total sentence of multiple lifetimes); final outcome: a single misdemeanor with a $10,000 fine
- Crash CentOS6 init by touching a bunch of files
- Judge rules that IP addresses should not be exempt from a public records request because of “security”
- Nuclear weapons use fluctuating radiation fields to generate their own one-time passwords to restrict their use
- Your new 500GB external hard drive, guaranteed to be quieter than any other external hard drive