Episode102

From Security Weekly Wiki
Revision as of 15:43, 20 March 2008 by Larry (talk | contribs)


Tech Segment:

Vendor, vendor, vendor - [Larry] The vendor who was proud of securing the Hannaford supermarket chain seems to no longer be proud...

Hannaford Brothers hacked - [Larry] - This story is all over the news (and see our other related story as well), so I will gloss over it a bit. Plain and simple, they got owned, and had 4.2 million credit and debit card numbers stolen. Bad. However, as Martin McKeay pointed out, Hannaford's does something good (well, at least better) when they store the info: they do not associate the card number info with name and address info. This makes the use of the numbers a little more difficult.

Mifare Classic hack explained - [Larry] - Wow, this has to be one of the most complex, dedicated hardware hacks I've ever seen. The researchers evaluated the Crypto-1 cipher as implemented on the chip with a microscope, and peeled back all 10 layers of the silicon. They then recreated the chip in Matlab... and discovered that the 16-bit random number generator was easy to manipulate.

The Honey Stick Project - [Larry] - Cool. Honey-anything is neat to me (but maybe not valuable). Either way, here is some testing for a number of things that Paul and I talk about all the time. I would particularly like to review USB security. See this on a related note.

CC RFID hacking - [Larry] - By utilizing an actual PayPass terminal, Pablos is able to read RFID credit card info from a wallet on his Mac. A simple yet elegant hack of an existing device. Why? Because the decryption of the RFID signal happens locally, and is then sent from the reader to the attached device in the clear. This is a clear example of using the technology to do the work for us, as an attacker. On another note, a lot of folks are giving Pablos crap for the $8 hardware comment. I've exchanged some e-mails with him and 3ric, and I can confirm that the hardware IS inexpensive - and certainly in the $8 range.

ZZZIIIIIIP! - [Larry] - Multiple vulnerabilities in archive processing.

Security and HR should talk - [Larry] - One thing that I think is important with security policies is the unilateral enforcement of the policies. One thing that becomes disappointing is all of the work that goes into the enforcement of the policy, and then the offender is given a slap on the wrist and the incident is swept under the carpet. This, in my opinion, is a bad thing.

Stories of Interest

Listener Submitted

For Your Enjoyment

Beer Of The Week
