Exhaust Flame Throwers


Here’s a hack that’s been around since the very start of the hot rod movement. Car exhaust flame throwers work by interrupting the spark to the engine, which dumps raw fuel into the exhaust system. The fuel is ignited by a coil and spark plug placed right before the exhaust tip. Doing this will shorten the life of your engine (and pedestrians). The raw fuel strips the oil off the cylinder walls and contaminates the oil, causing more wear and tear. Also, this mod can’t be used on a fuel-injected car: it would foul the O2 sensors and catalytic converter. Nevertheless, our fascination with electricity will live on.

[thanks matticus66]


Replacing Motherboard Chips


While most users aren’t going to attempt to replace a single failed chip on a motherboard, [joeboy] felt that it’s definitely something the Hack-A-Day audience would try. Project Oxcart details the process he and his coworkers went through to replace the FireWire chip in a laptop. It had failed during a power surge and Dell wanted $1100 for a replacement motherboard. They opted to buy the $5 chip from Digikey and install it themselves. The write-up details the many steps involved in replacing the chip, which took the entire day.


Fedex Kinko’s Smart Cards Hacked


Researchers at Secure Science Corporation have managed to break the ExpressPay system used at FedEx Kinko’s stores, which is provided by enTrac. The cards are write protected using a 3 byte security code. You can sniff this data using a logic analyzer and then use the code to write any data you want to the card, since the card contents are unencrypted. The security code is the same across all cards. FedEx Kinko’s stated that the article is inaccurate, so Lance James and Strom Carlson made a video of themselves doing the hack in the store: They put $1.00 on a card at the kiosk and then use it to log into a computer and show the balance of $1.00. They log out and use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number. Next they use the card to log back into a computer and show the balance of $50.00. They let one minute pass so that $0.20 is charged to the card. Finally they log out and use the self-service kiosk to print out a receipt showing their balance of $49.80 with the fake serial number. At this point the attacker can take the card to the service counter and ask for the balance in cash.

[thanks Sith from Midnight Research Labs]

[fix: I had originally stated they bought a new card at the kiosk]

[photo: caribb]
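The weakness described above is that the reader trusts whatever balance and serial number are on the card, gated only by a write-protect code shared by every card. The following is an added illustration, not code from Secure Science or enTrac: a toy model of that check next to a hardened variant (an assumption on my part, not something the write-up describes) in which the issuer stores a keyed MAC over the serial and balance, so an off-line rewrite of either field is rejected. All keys, codes and serials are constructed placeholders.

```python
import hmac
import hashlib

# Constructed model of the card: an unencrypted balance and serial, protected
# only by one 3-byte write code that is identical on every card (placeholder).
SHARED_WRITE_CODE = b"\x01\x02\x03"

def make_card(serial: str, cents: int) -> dict:
    return {"serial": serial, "balance_cents": cents, "write_code": SHARED_WRITE_CODE}

def reader_accepts_weak(card: dict) -> bool:
    # Weak check: only the write code is verified. Since every card carries the
    # same code, any rewritten card image passes.
    return hmac.compare_digest(card["write_code"], SHARED_WRITE_CODE)

# Hardened variant (assumed design): the issuer holds a master key, derives a
# per-card key from the serial, and stores a MAC over serial and balance.
ISSUER_MASTER_KEY = b"constructed-master-key"  # placeholder secret, issuer-side only

def card_key(serial: str) -> bytes:
    return hmac.new(ISSUER_MASTER_KEY, serial.encode(), hashlib.sha256).digest()

def seal(card: dict) -> dict:
    msg = f"{card['serial']}|{card['balance_cents']}".encode()
    card["mac"] = hmac.new(card_key(card["serial"]), msg, hashlib.sha256).digest()
    return card

def reader_accepts_sealed(card: dict) -> bool:
    # Recompute the MAC from the fields actually on the card; a changed balance
    # or serial (which also changes the derived key) no longer matches.
    msg = f"{card['serial']}|{card['balance_cents']}".encode()
    expected = hmac.new(card_key(card["serial"]), msg, hashlib.sha256).digest()
    return hmac.compare_digest(card.get("mac", b""), expected)

def demo() -> tuple:
    # Mirror the sequence in the video: $1.00 loaded, then balance and serial
    # rewritten off-line to $50.00 under a fake serial.
    weak = make_card("SN-000111", 100)
    weak["balance_cents"], weak["serial"] = 5000, "SN-FAKE"
    sealed = seal(make_card("SN-000111", 100))
    sealed["balance_cents"], sealed["serial"] = 5000, "SN-FAKE"
    return reader_accepts_weak(weak), reader_accepts_sealed(sealed)
```

The MAC stops forgery of new values but not replay of an older, validly sealed image after the balance has been spent; catching that needs a server-side ledger keyed by serial.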

IR Audio Bridge


Reader [Chris Rybitski] had a pair of RCA IR headphones lying around from the Radiohut. He’d never really used them and decided they would be much better suited as a wireless audio bridge between his computer and stereo. Since it was going to be a permanent installation, his first task was to find a wall wart to power the receiving end. He then reboxed the receiver in an old laptop battery case with the IR LEDs from each ear and an output jack for his stereo. Not too complex, but I’m sure the system works a lot better now that it is in a fixed position instead of strapped to someone’s head.


Hack Media: Security Podcasts

Here are some security podcasts from the last week. Feel free to suggest additional ones. There is never a shortage of podcasts on the internet, about the internet.

Security Catalyst 19: The Secrets of Risk Management (with Ron Woerner) (25:33). SC was suggested last week by sometimes co-host [matt yoder]. It’s a nice interview with Woerner about his experience implementing a risk management program at a large company. I was happy to hear about several upcoming security conventions in Omaha (i.e. ones I don’t have to fly to). Michael Santarcangelo does a great job hosting too.

Security Now! #28: Listener Feedback Q&A #4 (40:24). [sentinel] corrected me last week; the ARP spoofing show is next week. This episode does maintain some interest because it is structured by listener questions. Leo mentions that he might make his OPML file public since he tracks about 50 sites. I was thinking about doing this. I’ve currently got about 160 sites in Bloglines (I trim the fat from time to time). It’s certainly no comparison to the 500+ monster that the Engadget writers maintain.

PaulDotCom Security Weekly – Episode 16 (51:18) was suggested by co-host [Larry Pesce]. This is a pretty fun group podcast. They mentioned a favorite quote by Geer at ShmooCon, “We need security because at any moment the bad guys are only 150ms away; just ping China”. They also pointed out that there is a GPL version of the Spinning Cube of Potential Doom.

CyberSpeak Feb 25 (72:08). Lots of interesting stuff coming from the feds. It starts with Mike Younger discussing some of the problems in validating email, since Outlook and Lotus Notes both let you edit messages you’ve already received and ones you’ve already sent. They point out a nice deny hosts script to prevent brute force dictionary attacks. Check the entry’s comments for other solutions. They also mentioned that you should check for firmware updates for your FireWire write-blocking devices if you want to read the HPA of a drive. The LiveAmmo podcast from last week specifically stated that you should avoid USB and FireWire write-block devices because they might not be able to access the HPA.

LiveAmmo: Digital Forensics and Hacking Investigations, Part 3 (46:12) is not nearly as dry as it was the previous weeks. It covers the data collection process and what sort of slip-ups might happen. They suggest reading NIST Special Publication 800-61: Computer Security Incident Handling Guide.

SploitCast #007 (44:01). As promised last week, this is an interview with Lance James. This is my favorite podcast of the bunch this week. Lance covers many of the techniques that phishers are using. They’ve been going so far as to do distributed hosting of their phishing websites on 0wned computers. Lance also talks about the server-side tools he has been developing to fight malware. The burden is being placed on the server since you can’t expect the users to keep themselves safe.

Blue Box #17 (41:00). Another week, another excellent VoIP security podcast.

I promised my friends Cara and Brigitte that I would promote their podcast “Catty Girls Discuss” hosted by the local paper. I hadn’t heard it at that point, but the title kinda gives it away. Here are the highlights from the first show: 10:00 they realize they’ve run out of topics, 15:00 they realize they’ve run out of topics, 20:00 they realize they’ve run out of topics. No, it’s not really that bad and can be pretty funny. Direct links to episode one and two.
