
What’s taking the states so long to catch up to the rest of the civilized world and dip the chip? Turns out it’s really complicated; we explain. Plus, keeping a hospital secure is much more than following HIPAA, and an analysis of KeyBase malware.
Plus great questions, our answers, and much much more!
Show Notes:
The great American EMV fake-out
- “Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe).”
- But how many people have been to a retailer and ended up swiping their chip card?
- “Comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers”
- “Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV. Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.”
- This leaves the question of why more retailers are not using the chip. In Canada and the EU, almost all transactions use chip-and-PIN
- “New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.”
- “Some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.” “They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store”
- It seems that even with the liability shift, which Visa and MasterCard hoped would push merchants to be ready on time, many merchants have not completed upgrades to their payment systems and cash registers. Apparently many of the acquiring banks have long queues to ‘certify’ the upgraded software, causing further delays
- “Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.”
- In Canada, the transition was fairly quick, although this might be because many people use debit cards that already required a PIN, so the only change for the customer was inserting the card rather than swiping it
- “The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.”
- “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”
- Now the software is more complicated, as it involves correctly implementing cryptography, and the terminal vendors seem to be struggling to keep up
- “There are very few EMV software developers who understand the U.S. market”
- “There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me – there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”
- Note that this is still fraud, and you could go to jail
- “If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.””
- Does typing your PIN really take much longer than signing the receipt?
Securing Hospitals
- Researchers working for a hospital were able to compromise both patient monitors and the drug dispensary
- “The research results from our assessment of 12 healthcare facilities, 2 health care data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report.”
- “One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective. The background, motivating factors, nuances, and misunderstandings that perforate the healthcare industry with regard to security are discussed at length in this report. In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.”
- “The two major flaws in the healthcare industry with regard to threat model are that 1) the focus is almost entirely on protecting patient records, and 2) the measures taken address only unsophisticated adversaries: essentially, only one of the adversaries listed above — the Individual or Small Group adversary highlighted above in yellow. The industry is aware and speaks to Organized Crime and Nation State adversaries, but underestimates their sophistication and motivation. The strategies aim to curtail blanket, untargeted (i.e., indiscriminate) attacks to obtain patient healthcare records, and ignores the motivations and strategies that would be employed if targeting patient health or specific victims’ health records. These motivations and scenarios are highlighted in red in the above table”
- The protection of health records has been the focus for quite some time, even before records were computerized, but it seems the industry has not “noticed” that medical devices have been connected to the network, and are insufficiently protected from attack
- Devices compromised during the testing were: an insulin infusion pump, a patient monitor station, and a barcode reader
- The following attack surfaces / areas of vulnerability were identified:
  - Patient Health
  - Patient Records
  - Service Availability
  - Community Confidence and Trust
  - R&D, Intellectual Property
  - Business Advantage
  - Hospital Finances
  - Hospital Reputation
  - Physician Reputation
- PDF Report, 71 pages
KeyBase malware analysis
- “The usage of a rather simple keylogger malware has gone through the roof after its builder got leaked online last summer”
- “KeyBase is a spyware family that can capture keystrokes, steal data from the user’s clipboard, and take screenshots of the victim’s desktop at regular intervals”
- “Caught red-handed, its author promised to stop working on the malware, closed down the website from where he was selling KeyBase for $50 / €45, and abandoned the project.”
- “Researchers also discovered that while KeyBase’s control panel was secured with authentication, the folder in which images were sent for storage was not, meaning that after all this time, they could easily put together a simple script and find all the KeyBase panels available online.”
- “Using this simple method, Palo Alto staff discovered 62 Web domains where the KeyBase control panel was installed, 82 different control panels, and 125,083 screenshots from 933 Windows computers.”
- “Of all infected computers, 216 were workstations in corporate environments, 75 were personal computers, and 134 were used for both. 43 of the 933 computers also included details from more than one user, meaning they were shared assets, used by multiple family members or work colleagues.”
- “Taking a look at the screenshots, researchers discovered images depicting banking portals, invoices, blueprints, video camera feeds, email inboxes, social media accounts, financial documents, booking software, and many more.”
- Both personal and corporate banking details were seen, as well as a hotel reservation system
- “The set for educational institutions wasn’t notably attributable to any one panel, but equally distributed. What made it stand out though is that the same tactic for delivering the KeyBase phish was applied here and “Admissions” people were targeted. These individuals are constantly sent Word or PDF documents, allegedly from parents, so it’s no surprise they would open the malicious files”
- “In the original KeyBase report, Palo Alto revealed that the malware’s creator managed to infect himself during the keylogger’s tests, and had his activities recorded through screenshots and then sent to the Web control panel. This apparently happened again, and 16 of the actors behind this new wave of KeyBase infections also managed to infect their computers. The screenshots saved from their PCs shows that while a few were just curious script kiddies, some of the other hackers were actually professionals involved in highly-targeted campaigns.”
- These screenshots provide interesting insight into the attackers
- “This next actor’s resolution was such that the screenshots only captured the top left portion of his or her screen; however, it was enough to make some interesting observations on tactics. The actor appears to be trying to engage in romance scams with multiple women, along with preying on seniors through dating sites”
- “Our analysis provides a unique opportunity to see the entire life cycle of a malware infection. Commonly, we’d see the first image in a set to be the KeyBase executable or malicious document all the way through until the Anti-Virus alerts of an infection. Sometimes that happened all within one screenshot.”
Round Up:
- MouseJack Technical Details
- How To Kill A Supercomputer: Dirty Power, Cosmic Rays, and Bad Solder — In the IBM Blue Gene, after weeks of searching, the culprit was uncovered: the solder used to make the boards carrying the processors. Radioactive lead in the solder was found to be causing bad data in the L1 cache
- FBI Insists It’s Not Trying To Set A Precedent, But Law Enforcement Is Drooling Over Exactly That Possibility
- OpenSSL to release new versions on March 1st to fix “high” severity issues
- Google Is Lighting Up Dark Fiber All Over the Country
- Asus Settles FTC Charges re: security vulnerabilities and negligent practices related to Asus routers and accompanying services, Agrees To 20 Years Of Supervision
- Judge confirms what many suspected: Feds hired CMU to break Tor
- Linux Mint site hacked, ISOs injected with malware. This is why posting an MD5 checksum on the site is not good enough
- Researchers manage to disarm SimpliSafe Wireless Home Security System
- glibc vulnerability worse than thought, “a skeleton key of unknown strength”
- Rumor: IBM gobbles Bruce Schneier, Resilient for $100m