Cheap Audio Equipment Makes ATM Theft Easier

November 26, 2010 by Mike Szczys 17 Comments

ATM information theft is nothing new. Neither is the use of skimmers to gain access to the data. But it’s a little surprising just how easy it has become to hack together the devices using audio equipment. The images above are samples of a skimmer for sale from an Eastern-European do-no-good. It is the magnetic stripe sniffer portion of the attack which captures card data as an audio recording. That is later turned into the binary code that was read from the card. We’re just speculating, but that looks an awful lot like the PCB from a pen recorder, something you can pick up for just a couple of bucks.

Of course this is used in conjunction with a camera to capture PIN data as the second part of the security protocol, but it really underscores the need for new ATM technology. Some skimmers don’t even require retrieval of the hardware, and you never know where the sketchy machines might pop up next.

[via Engadget and Slashdot]

Hopefully Detect Trolls Before They Devour You

November 25, 2010 by Joseph Thibodeau 24 Comments

In the cold and mysterious wilderness of Norway, it pays to be ready for anything–especially heavy-walking trolls. The team at [nullohm] decided to prepare thoroughly for their trek into the woods to witness the Leonids meteor shower by putting together an Arduino-based “troll detector”.

The device is based on the superstition of hammering a steel spike into a tree to keep trolls away from camp. This goes one step further by including an accelerometer and LED indicators so that you can tell exactly what type of troll is just about to feast upon your tender human flesh.

When the detector is installed into a nearby tree, it takes an average seismic measurement and then looks for telltale footfalls. Even if you’re not concerned with perpetuating superstitions, you might find a use for the source code for simple seismic activity monitoring at home to supplement your miniature seismic reflector.

Debug Mode Lurking Inside AMD Chips

November 13, 2010 by Mike Szczys 50 Comments

Looks like some hardware enthusiasts have worked out a method to enable debug mode within AMD processors. The original site isn’t loading for us, but the text has been mirrored in this comment. Getting the chip into debug mode requires access passwords on four control registers. We’ve read through the writeup and it means very little to us but we didn’t pull out a datasheet to help make sense of the registers being manipulated. It shouldn’t be hard to find an old AMD system to try this out on. We’d love to hear about anything you do with this debug system.

[via Slashdot]

Exploit Bait And Switch

November 7, 2010 by James Munns 31 Comments

When a new virus or other piece of malware is identified, security researchers attempt to get a hold of the infection toolkit used by malicious users, and then apply this infection into a specially controlled environment in order to study how the virus spreads and communicates. Normally, these toolkits also include some sort of management console commonly used to evaluate successfulness of infection and other factors of the malware application. In the case of the EFTPS Malware campaign however, the admin console had a special trick.

This console was actually a fake, accepting a number of generic passwords and user accounts, and provide fake statistics to whoever looked in to it. All the while, the console would “call home” with as much data about the researcher as possible. By tricking the researchers in this way, the crooks would be able to stay one step ahead of anti-virus tools that would limit the effectiveness of any exploit. Thankfully though, the researchers managed to come out on top this time.

[via boingboing]

Software Security Courtesy Of Child Labor

October 28, 2010 by Mike Szczys 34 Comments

We couldn’t help but poke a little fun in the headline. This is [Alex Miller], a twelve year old who claimed a $3000 bounty from Mozilla. See, [Alex] is a self-taught security guru. When Mozilla upped the reward for discovering and reporting critical security flaws in their software he went to work searching for one. He estimates that he spent an hour and a half a day for ten days to find the hole. Fifteen hours of work for $3000? That’s pretty good!

Is it good or bad to pay for these kind of submissions? The real question: Is the bounty high enough to get blackhats to report vulnerabilities, rather than selling software that exploits them? Let us know what you think in the comments.

[via Zero Day]

Firesheep: Promoting Privacy In A Scary Way

October 25, 2010 by James Munns 50 Comments

Often, software hackers are the activists that push software giants towards updating vulnerable applications. In todays example, [Eric Butler] is pushing Facebook, Twitter, Flickr, and more all at the same time. By creating a user script-kiddie friendly extension for Firefox, he has allowed just about anyone to sniff unsecured connections on public Wi-Fi access points and log into these unprotected accounts.

Right now the extension is available for Windows and Mac, with a Linux port coming soon. Temporarily, the best way for a user to avoid getting taken advantage of would be to not use these social networking sites on a public connection, or to implement a secure proxy for these connections that would keep your data safe. Hopefully these websites will have a quick rebuttal that allows for security without workarounds. With all of the bad press they are recieving, they certainly have incentive to.

Are there any software or security buffs out there? We would love to see someone port this to an iPhone or Android app that could check and log open Wi-Fi points. We’ll leave the foot work to the experts out there, but do be sure to give us a heads up if anyone manages to make it happen, okay?

Embedded RFID For Online Passwords

October 11, 2010 by Mike Szczys 33 Comments

[Jair2K4] is using his unique RFID tag address as an online password. We’d bet that if you went far enough to get an implant in your hand you’d continually search for a reason to use it. Wanting to do more than just start his car with a wave of the hand, he built an interface module out of an Arduino and a Parallax RFID reader. Using a program called AAC Keys on Windows 7 he emulates a keyboard using the input from the Arduino. When it comes time to login he types his username and parks the cursor in the password box. By holding the RFID implant next the reader, the ID is dumped as the password, along with a newline (might be a carriage return, we’re not certain) character which submits the login. Take a look for yourself after the break.

On the one hand, nobody will be able to steal his tag as easily as they could steal one that is on a key ring. But we know RFID is rather notorious for a false sense of security. As long as you’re not using it for state secrets we think it’s a nice solution.

Update: After reading the comments on this feature, [Jair2K4] made some changes to his code. It now reads the tag and verifies it with stored data, then spits out whatever password you wish (making it easy to change passwords from time-to-time). He also added servo control to the sketch.

Continue reading “Embedded RFID For Online Passwords” →