HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Gas Pump Skimmer Sends Card Data Via Text

• Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in the New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.

• Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.

• But this is the first instance KrebsOnSecurity is aware of in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.

• see also Gas Theft Gangs Fuel Pump Skimming Scams

Erasing hard drives – dd might be enough – Dan talks about how he erased the drives

• I recently upgraded several 3TB drives to 5TB drives and no longer needs the smaller drives. I usually used DBAN, but this time, it failed to run and I have no idea why

• I started looking around for upgrades in case my newer hardware didn’t work with this version of DBAN

• In September 2012, Blancco of Finland announced its acquisition of DBAN – Windows binary – no use to me

• There is an unofficial fork of DBAN that is actively maintained. The dwipe program that DBAN uses has been forked and is available as a standalone program called Nwipe, which is actively maintained.

• Appears to be more than one unofficial dban fork

• nwipe is included with Parted Magic so I paid my $11 and downloaded UNetbootin and tried to install it

• I failed to get my latest version (2017_06_03) of Parted Magic to boot so I resorted to letting UNetbootin download and install Latest_Live and I think that was 2.4

• I was told DBAN is drive abuse and that dd is sufficient

• Highly recommended NAS configuration – KIds don’t try this at home!

• Originally thought to be serial, butlater confirmed to work in parallel

• Discussion on: when you power cycle, how long do you want to power on?

• Next, tried nwipe but found that that took too long

• Going back to Parted Magic, I found the disk erase UI to have a few interesting features

• Then, I managed to get my SAS2008 card to work, and started doing 8 drives at a time

• dd is always an option, but I found it more convenient to use Parted Magic. Why? I didn’t have to script it and I can use the Secure Erase feature

Feedback

• A question about database migrations – apgdiff SQL Manager – SQLFairy – Dan used to use a tool for designing the database, but hasn’t use one lately. Now he constructs the DDL on the fly to amend the database and keeps them aside for upgrading the production database. Dan once kept the DDL for FreshPorts in a repo, but no longer does. Now he just backs up.

• ZFS Configuration new System76 Oryx pro

• Nigel Brownsey wrote in about Password security all about length

• PostgreSQL password hashing & backups

Round Up:

• The HDFS Juggernaut – Hadoop Distributed File System

• Plans for Partitioning in PostgreSQL v11

• debian-policy: Packages should be reproducible

• Everything You Always Wanted to Know
  About Optical Networking –
  But Were Afraid to Ask
  slides – Youtube video

• Looking at public Puppet servers

• Airbnb’s preferred smart lock vendor accidentally bricks 500 door-locks

• I Bought a Book About the Internet From 1994 and None of the Links Worked

The post Leaky Pumps | TechSNAP 332 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Dropbox Kept Files Around For Years Due To ‘Delete’ Bug

• Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported by multiple support threads in the last three weeks and merged into one issue here. An anonymous Slashdot reader writes
• In some of the complaints users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation to what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox choose to keep those files around for years, and eventually restored them due to a blunder. In its File retention Policy, Dropbox says it will keep files around a maximum 60 days after users deleted them
• If you have sensitive data, do not rely on delete, rely on encryption.
• If you have sensitive data, you shouldn’t have it on third-party systems without encryption.
• The encryption and decryption should occur on your system, not theirs.
• Imagine you deleted those risky files just before an international trip, you get requested to power up your laptop, and bang, there’s those deleted files back….!

Twitter Activist Security – Guidelines for safer resistance

• We’ve covered privacy on the Internet before. We’ve stated very clearly that using privacy tools such as Tor is not illegal nor is it suspicious, no more so than someone paying cash at the grocery store.
• This guideline is specfically for Twitter, but many of the suggestions can be apply to other social media as well, but I am not sure how well they will travel. Chose carefully
• Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.
  I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.
• Security Principles To Live By The basic principles of operational security are actually very simple, they’re what we call the three Cs: Cover, Concealment, Compartmentation

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info

• Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.
• “Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.
• “Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.
• Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal.
• Once installed, the microchips on the shimmer record information from chip cards, including the PIN. That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.
• Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.
• “You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”
• McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened.
• “We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”
• Bojic said using the tap function of a chip card is one way to avoid being “shimmed.”
  “It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.
• Krebs wrote about this and has a post which is all about skimmer and shimmer
• Not new tech, been around since at least 2015

Feedback:

• FreeBSD + Bacula as a portable VM
• Bank security or lack of!

Round Up:

• Hotel ransomed by hackers as guests locked out of rooms
• ShmooCon 2017 Videos
• Google – Site Reliability Engineering
• Booted up in 1993, this server still runs — but not for much longer
• Digital Ocean re-enabling password authentication for snapshot-based droplets
• HP recalls 101,000 laptop batteries due to fire concerns.
• A Shakeup in Russia’s Top Cybercrime Unit
• Hardening Windows 10 With Zero Day Exploit Mitigations Under The Microscope
• Delta Airlines cancels at least 150 flights due to IT issue
• Texas Police Department Loses Years Worth of Evidence in Ransomware Incident
• A crowd funded effort to review “Secure HTTP without HTTPS”, from the Unity Asset Store, finds it critically flawed
• Backblaze Hard Drive Stats for 2016

The post Three C's to Tweet By | TechSNAP 304 first appeared on Jupiter Broadcasting.