Friday, July 31, 2009

Hacking for free parking

San Francisco has been working on a computerized parking meter system for some time. Based on smart cards it should collect parking fees via a smart card. It just looks like that this is not working that well. I am sure most Europeans that know about the Chaos Computer Club, which has been doing a lot of research in that regards are not surprised. What do we learn out of this: Smart cards are not a silver bullet...or if they are then you better know where to aim before shooting yourself in the foot.

Read the full article at:

1SSA - Security consulting, training and products:

Thursday, July 30, 2009

US government's latest computer monitoring program

It is nothing new that government's spy on their own people. Not only in the countries that are having a quite different opinion of what democracy is and how it should be implemented but also in other's that normally pride themselves as one of the first one's to implement it.

The US government has been asked to provide more details about the new version of Einstein, a computer program that works at the Telecom level gathering and analyzing data as it passes through the Telecoms' backbones. Version 3 of the Einstein program has raised quite some disturbance with the Center for Democracy and Technology (CDT), which suspects that the new version gathers many privacy related information.

Read the full report at:

1SSA - Security consulting, training and products:

Recording your ATM PIN via the power cable

Two researches from Italy have developed a new form of Skimming (for the people that are not so security lingo savvy - skimming refers to an attack where an attacker eavesdrops the information that you are entering e.g. PIN and your ATM card information). This new attack uses the power line to determine which buttons you pushed on an ATM. Another attack they presented shows how the vibration of a notebook could be recorded and analyzed to replay what was typed.

Their presentation is available at:

1SSA - Security consulting, training and products:

Monday, July 27, 2009

Microsoft to issue critical patches out of band

Normally Microsoft does stick it patch schedule but this time the vulnerabilities are so critical that MS announced some patches to be issued early next week.

Read what the Washington Post has to say:
1SSA - Security consulting, training and products:

Network solutions had major security breach - CC data exposed

Over a 3 month period hackers could collect as many as 500,000 credit and debit card information after Network Solutions' e-commerce service was hacked and a software planted to eavesdrop on transactions. According to Network Solutions that came forward last Friday the eavesdropping took place between March 12th and June 8th.

Network solutions processes credit and debit card transactions for over 4,343 merchants.

Read the full story at

1SSA - Security consulting, training and products:

Monday, July 13, 2009

Microsoft's Office Web Component vulnerable

Our integrated world provided by Microsoft...Microsoft announced that there are exploits available that are using a flaw in Microsoft office web component that can be exploited through (you guessed it) Internet Explorer. A tool to disable this functionality, till it is fixed, is available here:

1SSA - Security consulting, training and products:

Saturday, July 11, 2009

German health-card project at risk due to PKI problems

This is kind of entertaining because it is part of the 101 of PKI, key management. according to Heise, one of the larger publisher of IT magazines in Germany the root key of the CA has been lost. As a result no more health-cards signed by the CA or even revocation of existing health cards can be done. At least this is just the initial trial of this large project, which would mean that nearly every German citizen has a health card signed by that root CA.

According to Heise online, Gematik the company in charge commissioned D-Trust, a subsidiary of the Bundesdruckerei (Mint), to act as the root CA for the health card PKI.

Heise online interviewed Matthias Merx, the firm's managing director, following a voltage drop, "something unusual happened" (comment: whatever that means??) in the D-Trust's "Trustcenter" and the HSM independently deleted the data because it suspected an attack.

Comment: Good job - just like old times when you had your Cyanide capsule.

Read the full article at:

1SSA - Security consulting, training and products:

ATM security, no not the network, the money machines

I think we all use those wonderful ATM machines to get cash from our bank accounts. Who would go to a teller if it is more convenient to just punch in our four digit PIN and get money. The biggest fear we have is that maybe someone is behind us stealing our PIN and ATM card or robbing us after we got the cash...seems like that a gentleman from Juniper had done some research on ATM security and found a way to actually get around the security measures. His talk was expected at Blackhad/Defcon in Las Vegas later this month. It seems that Juniper actually asked him to pull that presentation due to the high impact of what he has to say. We will keep you posted.

Read the full article at:

1SSA - Security consulting, training and products:

Tuesday, July 07, 2009

Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution

Business as usual...this time an Active X control that can be used to remotely execute code on a Windows machine. No patch available just a work around, this time from Microsoft, which seems to understand how critical this one is.

Find the workaround at:

1SSA - Security consulting, training and products:

Sunday, July 05, 2009

New MI6 chief on Facebook

This is kind of funny and kind of shocking but then again it is real life. Here is Sir John Sawers, the upcoming MI6 chief (I am sure I do not need to explain to Bond fans what that stands for, but for the ones that wonder what MI6 stands for: It is the British secret service) and his wife is posting on Facebook all kinds of personal information that you normally do not want the public to have.

Read the full article at:

1SSA - Security consulting, training and products:

Friday, July 03, 2009

Microsoft Update Quietly Installs Firefox Extension

We could call it business as usual for Microsoft or simply another irresponsible move of Microsoft to dominate the browser market. According to various sources, and confirmed by 1SSA, Microsoft has pushed a .Net update that automatically installs an add-on in Firefox that allows for silent(!) installation of code from the web. Some people made a choice to use Firefox because the people creating it prevented this feature. Now Microsoft just installs it without any consent from the user.

Read more here:

Here are instructions on how to de-install it (for sure):

1SSA - Security consulting, training and products:

Hackers crack ColdFusion - Drive-by download attack hits multiple hosts

Time to finally upgrade or at least apply some patches if you run an older version of Cold Fusion on your servers. According to SANS the number of infected hosts is going up by the hour.

Read more:

1SSA - Security consulting, training and products:

Latin Best Buy surfers sprayed by drive-by download malware

This is really bad. A major website that the whole nation is going to once in a while has a malware download problem. I am sure Best Buy's management has some words for its website and security teams, which I believe are both outsourced to a major outsourcing company here in the US.

Read more about it at:

1SSA - Security consulting, training and products:

iPhone crashing bug could lead to serious exploit

As cool as it is the Iphone, the more I read about it the more I am disappointed by some of the features it offers. I was for example not aware that it could not execute multiple applications at once, or at least Apple did not allow for it. So far people are still waiting for a tethering option, which seem to be coming soon. And all those poor people that chose not to use AT&T as provider and got locked out by Apple's patch. And now a simple SMS can crash the whole device. I think Apple needs to adjust a bit here...this hype over the Iphones is only going to last as long as it is special....I only say Starbucks. After that it is just a phone that needs to be fixed ;-)

Read the full story at:

1SSA - Security consulting, training and products:

Thursday, July 02, 2009

Clear the company pre-screening frequent fliers stopped operating

I always though who is doing this, who is paying $199 a year for this privilege of bypassing normal airport security? According to a CSO article 260,000 individuals were part of the program paying each. This is $52M a year...not enough I guess to operate. Clear, the company providing the service has declared that it cannot longer operate the service. Interesting aspect, and nothing new for security professionals, the "data life cycle" for the data collected (e.g. Iris scans, finger prints, etc.) is not clear. Does Clear delete all data or maybe sell it to a competitor?

Read the full article at:

1SSA - Security consulting, training and products: