STE WILLIAMS

Flaws in Mobile Point of Sale Readers Displayed at Black Hat

While security is high overall for mPOS tools from companies like Square, PayPal, and iZettle, some devices have vulnerabilities that attackers could exploit to gather data and cash.

Mobile point of sale (MPOS) systems have changed the way business is done for small vendors around the world. These small devices from companies like Square, PayPal, and iZettle allow the smallest businesses to accept credit and debit cards from customers without having to go through the expense and complication of establishing a merchant account with a bank. With millions of these little devices in the market, though, it’s reasonable to ask just how secure transactions can be when they come through a device that costs less (in some cases, far less) than $50.

Leigh-Anne Galloway and Tim Yunusov – Positive Technologies’ security researcher and senior banking security expert, respectively – sought to answer that question in research presented at Black Hat USA and DEF CON. Galloway and Yunusov chose four providers – Square, iZettle, PayPal, and SumUp – and seven separate readers for their research. “We now have quite a few different vendors who are operating in the marketplace. And we’ve also noticed from a personal experience that we’re starting to see these terminals in many different small businesses,” Galloway said in a pre-Black Hat USA interview. “We really wanted to see what the significant differences are between different vendors and different regions.”

There is one key difference between the US and Europe when it comes to reducing fraud: in Europe, EMV chip-enabled cards (created to protect against counterfeiting and card-present fraud) are accepted by roughly 95% of all the MPOS devices in service, while in the US, they’re accepted by roughly 13% of MPOS devices, according to data cited by Galloway and Yunusov. It’s not that EMV cards aren’t present in the US; 96% of credit cards in US circulation support EMV, but less than half of all transactions use the chip, say Yunusov and Galloway.

In testing the devices, the researchers sought to send arbitrary commands to the MPOS device, tamper with the amount of the transaction, and perform remote code execution on the device.

The type of attack changes depending on the aim of the theoretical criminal. Sending arbitrary commands can be part of a social-engineering attack in which the customer is asked to re-try a transaction using a less secure method. Transaction amount tampering amounts to a man-in-the-middle attack in which a $1 transaction at the reader becomes a $50 transaction at the financial institution. And remote code execution can give the attacker access to the memory of the device which then becomes a mobile skimmer for the purpose of stealing credit card account information from customers.
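The amount-tampering scenario above is a classic integrity problem: whatever sits between the reader and the payment backend must not be able to change the amount unnoticed. The following Python is an added illustration, not code from Positive Technologies or from any of the vendors named in the article. It assumes a hypothetical per-device secret shared between the reader and the backend (a constructed placeholder key here) and shows how a message authentication code over the transaction fields lets the backend reject a message whose amount was rewritten in transit.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for the demo. In a real reader this secret would
# live in the device's tamper-resistant storage and never leave it.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(txn: dict) -> bytes:
    """Serialise the fields that matter in a fixed order with no whitespace.

    Reader and backend must hash byte-identical input, so the field set and
    ordering are pinned rather than whatever dict order the caller used.
    """
    fields = {k: txn[k] for k in ("device_id", "txn_id", "amount_cents", "currency")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, txn: dict) -> dict:
    """Reader side: attach an HMAC-SHA256 tag computed over the canonical fields."""
    tag = hmac.new(key, canonical_bytes(txn), hashlib.sha256).hexdigest()
    return {**txn, "mac": tag}


def verify_transaction(key: bytes, msg: dict) -> bool:
    """Backend side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


def demo() -> tuple:
    """Sign a $1.00 transaction, then replay it with the amount raised to $50.00."""
    txn = {"device_id": "reader-0001", "txn_id": "T-42",
           "amount_cents": 100, "currency": "USD"}
    signed = sign_transaction(DEVICE_KEY, txn)
    tampered = dict(signed, amount_cents=5000)  # man-in-the-middle edits the amount
    return verify_transaction(DEVICE_KEY, signed), verify_transaction(DEVICE_KEY, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The tag covers the transaction id as well as the amount, so the backend can also refuse a second copy of the same signed message; key management (provisioning and rotation of the per-device secret) is the part this sketch leaves out and is where most of the real engineering effort goes.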

It’s important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. “We did find some really good examples of anti-fraud protection,” Galloway said in the interview. “Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers,” she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.

In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.

In general, though, “We were impressed by the level of physical security mechanisms in place generally,” Galloway said. “Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually.”

The researchers did have suggestions for merchants using MPOS devices. The suggestions included controlling physical access to devices, moving as quickly as possible to EMV transactions, and choosing a vendor with a robust, secure total payment infrastructure.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/risk/flaws-in-mobile-point-of-sale-readers-displayed-at-black-hat/d/d-id/1332555?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Election Websites, Backend Systems Most at Risk of Cyberattack in Midterms

Both adult and kid hackers demonstrated at DEF CON how the hackable voting machine may be the least of our worries in the 2018 elections.

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site.

Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Kali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters.

“He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however.

“He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

The setup, using Cyberbit’s training and simulation platform for cyber ranges, was designed to mimic a typical county election system — with a web application server on a DMZ behind a firewall and a secure file server sitting behind its own firewall — but was created more for a red-team training scenario, says Bash Kazi, a Cyberbit partner who built it. “We used a more sophisticated network and attack scenario that somebody would have to be much more trained to hack,” he says.

While the election-office simulation challenge proved to be too much of one for most takers at the voting system hacking event, security experts say that these and other web-based systems, such as states’ election-reporting websites and candidate websites, are the most likely (and easy) targets of attackers for the fall midterms.

That’s not to say voting machines are not easy marks: hackers successfully cracked into at least nine different machines in the Village this year, including voting machines, tablets, and e-pollbooks, with buffer overflows, stored passwords, and a lack of encryption, for example. It’s just simpler for a remote hacker such as a nation-state to penetrate a public-facing website to DDoS it, deface it, alter information (such as changing vote count data or polling place information), or access sensitive data stored on its back-end servers than to tamper with a voting machine.

DEF CON and Black Hat founder Jeff Moss says this year’s Village represented an evolution from pure voting machine hacking in 2017 to moving toward election systems and infrastructure. “We’re working from the edges,” Moss says.

“Last year was the big splash. We’re hoping now that the ‘oohs’ and ‘aahs’ are over, we can now start digging into” other more serious security flaws in election systems, he says. “There’s still work to be done.”

Jake Braun, co-founder and organizer of the DEF CON Voting Village, says including the kids’ portion of DEF CON, R00tz Asylum, in the voting and election hacking events wasn’t meant to be a “gotcha” moment. “The most vulnerable part [of the election system] are these websites,” he says. “The ultimate fake news is changing election results.”

Emmett Brewer, aka @p0wnyb0y, gave himself all of the vote counts, and then tweeted: “I think I won the Florida midterms.” He was first to crack the site, in 10 minutes, followed five minutes later by Audrey, who was able to trip the vote counts on the Florida Division of Elections replica site. Brewer, Audrey, and other kid hackers in R00tz were given a handout on SQL injection and how to use it. 
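The handout the kids worked from is not reproduced in the article, but the class of bug is well known: a results page that splices a request parameter straight into its SQL. The following Python example is added here and is not code from Aries Security or from the replica site; the election results table, county names and vote counts are constructed. It puts the vulnerable lookup beside the parameterised one so the difference in behaviour on a crafted county name is visible, and adds the allowlist check a results site would normally sit behind.

```python
import sqlite3

# Constructed sample data standing in for a county-level results table.
SAMPLE_ROWS = [
    ("Alachua", "Candidate A", 1200),
    ("Alachua", "Candidate B", 900),
    ("Baker", "Candidate A", 300),
    ("Baker", "Candidate B", 450),
]


def setup_db() -> sqlite3.Connection:
    """Build an in-memory results database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (county TEXT, candidate TEXT, votes INTEGER)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def results_vulnerable(conn: sqlite3.Connection, county: str) -> list:
    """The bug: the request parameter becomes part of the SQL text itself."""
    sql = f"SELECT candidate, votes FROM results WHERE county = '{county}'"
    return conn.execute(sql).fetchall()


def results_safe(conn: sqlite3.Connection, county: str) -> list:
    """The fix: the parameter is bound, so it can only ever be compared as a value."""
    sql = "SELECT candidate, votes FROM results WHERE county = ?"
    return conn.execute(sql, (county,)).fetchall()


def known_counties(conn: sqlite3.Connection) -> set:
    """Allowlist derived from the data itself; anything else is rejected up front."""
    return {row[0] for row in conn.execute("SELECT DISTINCT county FROM results")}


def results_endpoint(conn: sqlite3.Connection, county: str) -> list:
    """What the request handler should do: validate, then bind."""
    if county not in known_counties(conn):
        return []
    return results_safe(conn, county)


if __name__ == "__main__":
    db = setup_db()
    crafted = "Baker' OR '1'='1"          # a county name that closes the quote
    print(results_vulnerable(db, crafted))  # every row in the table
    print(results_safe(db, crafted))        # [] - no county has that literal name
```

Parameter binding is the fix for the query shown; the allowlist and a read-only database account for the public results site are the layers that limit damage when some other query is missed. Note that `sqlite3` refuses to run more than one statement per `execute` call, which is an accident of this driver, not a protection to rely on.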

The replica Secretary of State websites and software were set up by Aries Security, whose founder and CEO, Brian Markus, previously converted his Capture the Flag simulator for the US Department of Defense’s cybersecurity training operations.

DEF CON Drama
But DEF CON wouldn’t be DEF CON without a bit of controversy: as the world’s largest hacker conference kicked off last week, the National Association of Secretaries of State (NASS) issued a public statement panning the Voting Village. “Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day,” NASS said in its statement.

NASS also said allowing hackers to hack “mock” election office networks and voter registration databases isn’t realistic. “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the association said.

NASS didn’t dispute potential website weaknesses, however, adding that those sites only provide unofficial and “preliminary” results and have no physical or virtual link to vote-counting systems, so they can’t alter actual vote-count results.

Even so, experts say malicious hackers could wreak chaos and confusion and instill distrust of the election outcomes if they tamper with election-related websites in the run-up to the elections or on Election Day.

Website security analyst Jessica Ortega of SiteLock says website hacking is getting missed amid the wave of voting machine vulnerabilities. “People don’t realize what a weapon it can be,” she says. “It’s almost impossible to impact a legitimate vote count at scale, but you can sow distrust and chaos by defacing a polling place and associated websites, changing the address or phone number of polling places, and the unofficial results that get reported to the media. It’s easy to change a 3 to a 6” in a tally, for example, she says.

Ortega says few local municipalities have DDoS mitigation protections in place. “They don’t even have proper infrastructure for legitimate traffic,” she says, pointing to a recent special election where a county website went down for two hours merely due to high and legitimate traffic, not a DDoS attack.

Paul Gagliardi, former contractor for a US intelligence agency and currently a principal threat researcher at Security ScoreCard, says the entire election ecosystem must be secured, not just voting machines. Funding for state and local election IT is for the most part relatively low and all about functionality first and security “as an afterthought,” he says. “Hopefully, that changes.”

But DEF CON organizer Braun and others concur that efforts to uncover and address security issues across the election infrastructure, as well as closer collaboration between the security community and federal, state, and local officials, didn’t come soon enough for the midterms. “It’s going to be hard to do much for 2018. The goal is before 2020,” Braun says, including more federal funding for election security.

Cyberattacks in Progress
Meantime, Russian nation-state hackers and other potential attackers already have been targeting systems. California Secretary of State Alex Padilla, who headlined a panel at DEF CON, told Dark Reading attempts to attack state election systems “continues” and goes “up and down.”

Padilla said in his opening remarks that while he understood where his colleagues “were coming from” in the NASS statement given the pressures on them to uphold election integrity and security, the first he heard about the statement was when he was contacted about it upon his arrival in Vegas. “We’re trying to strike the right balance of cybersecurity and integrity with confidence in the systems,” he said. “I’m here to listen and learn” from experts at DEF CON, he added.

Also on the panel with Padilla were Jeanette Manfra, US Department of Homeland Security assistant secretary of cybersecurity and communications; Noah Praetz, director of elections in Cook County, Ill.; Neal Kelley, chief of elections and registrar of voters for Orange County, Calif.; and Amber McReynolds, director of elections for the city and county of Denver, Colo.

Orange County’s Kelley reported activity similar to that in 2016. “We’re constantly seeing hits against our firewall: scans. So that level of activity continues like it was in 2016. We haven’t seen that decline,” he told Dark Reading. “Just the same level of standing as we were seeing” in 2016, he said.

Security experts say Russia and other attackers likely have been quietly attacking election systems for some time as part of their campaign to attempt to disrupt the US elections in some way. “I assume most of these things are already in progress,” says Gagliardi. “They don’t happen overnight. I’m confident we’ll see more” activity, he says.

DEF CON plans to publish a final report on all of the Voting Hacking Village findings.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/election-websites-backend-systems-most-at-risk-of-cyberattack-in-midterms/d/d-id/1332554?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oracle: Apply Out-of-Band Patch for Database Flaw ASAP

Flaw in the Java VM component of Oracle’s Database Server is easily exploitable, security experts warn.

Oracle this week urged organizations to immediately patch a critical vulnerability in multiple versions of Oracle database that gives attackers a way to completely compromise the technology and gain root access to the underlying server.

The flaw [CVE-2018-3110] exists in the Java VM component of Oracle’s Database Server and affects versions 11.2.0.4 and 12.2.0.1 on Windows. It also impacts Oracle Database version 12.1.0.2 on Windows and Oracle Database on Linux and Unix. However, patches for these particular versions of the database were already issued with Oracle’s July 2018 patch update.

In an out-of-band security advisory Monday, the enterprise software giant described the vulnerability as an issue that can be remotely exploited only by fully authenticated users who are able to create a session with the database. Even so, it urged customers to take immediate action to address the issue. “Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay,” the advisory noted.

The National Vulnerability Database categorized the threat as easily exploitable. “[It] allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM.”

While the flaw exists in the Java VM component, an attacker can exploit the vulnerability to attack other technologies as well. “Successful attacks of this vulnerability can result in takeover of Java VM,” the NVD cautioned.

Todd Schell, product manager of security at Ivanti, says the ease with which an attacker can exploit the flaw makes it imperative for organizations using Oracle’s database to address the issue immediately. “This out-of-band vulnerability and fix should not be overlooked and delayed until Oracle’s next patch update in October,” he warned.

Though an attacker does require valid access credentials to exploit the flaw, even a basic user set of credentials — obtained via methods like phishing – would work, he says.

Oracle, like other major software vendors, typically releases security patches and updates on a fixed, publicly available schedule. While companies like Microsoft follow a monthly schedule, Oracle releases its patch updates in a quarterly cycle – in January, April, July, and October. Because of the complexities involved in applying patches to running databases, even that pace is often too hard to keep up with for many organizations.

“Organizations can take ages,” to apply patches, even if they are as critical as the one announced this week, says John Holt, founder and chief technology officer at Waratek. “Oracle themselves claim that their average customer runs nearly a year beyond in applying critical patches. Other third-party software testing vendors claim that 86% of even the most serious flaws take more than 30 days to fix.”

What makes those numbers especially troubling is the fact that attackers using automated scanners can identify and launch attacks against just announced vulnerabilities within hours of disclosure, Holt says.

With this particular vulnerability though, delay would be inadvisable. Organizations need to realize that vulnerabilities don’t get any easier to exploit, he says. “When someone pushes an exploit script into the wild, any two-penny script kiddie will be able to take hostage one of the most popular and widespread database systems in-use by companies and governments in a single click,” Holt notes.

For most organizations, the principal risk group for this particular vulnerability is internal actors such as rogue employees. External attackers who have compromised lateral systems in an internal corporate network are another major risk group, Holt says.

“A simple static script will be all that is required,” he predicts. “As soon as one is released, then anyone can wield this vulnerability in a single click.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/oracle-apply-out-of-band-patch-for-database-flaw-asap/d/d-id/1332556?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Pacemaker controllers still vulnerable 18 months after flaws reported

A popular brand of heart pacemaker is still vulnerable to compromise more than a year and a half after the company that makes them was told of weaknesses in its security, researchers have claimed during a Black Hat presentation.

The product in question is the Medtronic CareLink 2090 monitor, used by doctors to control pacemaker settings, and the researchers are Billy Rios of QED Secure Solutions and Jonathan Butts of WhiteScope, both of whom have an impressive track record at finding flaws in unexpected places.

Last year the pair used a show session to highlight flaws that might allow an attacker to gain control of poorly-secured car washes, while Rios has also co-researched weaknesses in diverse devices such as electronic door security and X-ray machines.

This year’s session on pacemaker hacking sounded a lot more dangerous, however, a medical theme the pair underscored by demonstrating a separate attack on Medtronic’s MiniMed insulin pump.

As reported by journalists who attended the demo, the vulnerability that makes it possible for an attacker to run malware on the CareLink 2090 is down to poor software design, primarily that software updates aren’t signed or encrypted.

This is far from an unknown issue on IoT devices, but the session wasn’t simply about what is possible so much as how the manufacturer had responded after being told of the weakness.

As of 9 August, the issue had first been reported to Medtronic 570 days ago, with a proof-of-concept 155 days ago, they said.

As the Black Hat session notes observe:

The researchers followed coordinated disclosure policies in an attempt to help mitigate the security concerns. What followed was an 18-month roller coaster of unresponsiveness, technical inefficiencies and misleading reactions.

Medtronic responded to the presentation with this statement:

While the advisory process took longer than all parties desired, this process was necessary to coordinate with WhiteScope, ICS-CERT, and FDA to determine whether this should result in a public disclosure or advisory.

An ICS-CERT advisory for the CareLink 2090 appeared in February, after the issue was reported to them presumably after direct communications with Medtronic did not have the desired effect.

This mentions mitigations such as turning off the device when not in use and connecting to it via VPN, recommendations echoed by Medtronic. The company followed this up last week by publishing a warning regarding the MyCareLink Patient Monitor models 24950 and 24952.

Security by obscurity

None of this does much for the patients, many of whom will remain blissfully unaware that the products used to manage their health conditions might have hidden problems.

This “bliss” often remains even after public disclosures are made by medical companies. As Rios said during the demo:

When someone gets this advisory and they’re reading this language, it’s almost impossible for them to understand what the risks are.

It’s good when problems are brought into the open but sometimes simply being out in the open isn’t always enough on its own.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zTyZH2H17_0/

Apple Mac “zero day” hack lets you sneakily click [OK]

At the recent DEF CON cybersecurity conference in Las Vegas, macOS security researcher Patrick Wardle did something that the responsible disclosure doctrine says is a bit naughty.

He “dropped 0day” on Apple’s macOS, meaning that he publicly revealed an exploit for which no patch is yet available.

Exploits against unpatched vulnerabilities are known as zero-days for short, or 0days for supershort, because even an on-the-ball system administrator has had zero days to get ahead of the game with updates.

In an ideal world, Wardle would have told Apple quietly first, waited until a fix was out – or a suitable deadline had passed that implied Apple couldn’t be bothered to fix the issue – and only then gone public.

Fortunately, as zero-day hacks go, this one isn’t super-serious – a crook would have to infect your Mac with malware first in order to use Wardle’s approach, and it’s more a tweak to an anti-security trick that Wardle himself found and reported last year than a brand new attack.

The word zero-day originates in the 1980s and 1990s software piracy scene, where crackers competed to be the first to hack a new game so it could be played illegally without paying. The speed of a crack was measured in the number of days after official release until the crack appeared, so that a same-day crack, known as a “zero-day”, was the ultimate achievement.

Wardle told Wired he pretty much found this zero-day “because I wanted to run out and surf and I was being lazy.”

The haste caused Wardle to make a copy-and-paste programming mistake that oughtn’t to have worked at all, yet bypassed Apple’s security checks instead.

This is a stark reminder that hackers and cybercrooks can succeed through dogged determination and a whiff of good luck, simply by trying things no one else had thought of before, or things that everyone else assumed would fail.

The trick he discovered means that a program already running on your Mac can click through on-screen dialogs on your behalf, even when those dialogs are supposed to act as speed bumps to acquire consent for security-related activities.

For example, if you have the Mac firewall turned on and a program tries to accept network connections from the outside, you will see a warning so you realise what’s happening, and you need to approve it yourself:

The same sort of thing happens if you install software that includes a kernel driver, a low-level component that gets loaded inside macOS and thus has access to the internals of the system itself.

Because apps with kernel drivers have much more power than regular apps – more, in fact, than apps that run with administrator powers – your Mac warns you before a new driver loads for the first time.

You have to click to authorise a new kernel driver, in addition to entering your password to install the app in the first place:

Wardle claims that you can reliably click past these speed bumps using a rogue app, even though Apple aims to make sure that this sort of dialog sticks around until a real user deals with it.

Wardle’s zero-day revealed

Clearly, any security warning that can simply be clicked through, rather than requiring some sort of authentication such as a password, isn’t particularly strict.

But if it’s supposed to be a warning, and it’s supposed to alert you to something an app isn’t supposed to be able to do of its own accord, then that selfsame app oughtn’t to be able to bypass the warning for you.

In 2017, Wardle spent time looking into just how careful Apple was at preventing apps from sneakily clicking past warnings that were supposed to demand user attention, and he found that there were surprisingly many ways for a rogue app to pretend to be a dutiful user.

In fact, Wardle discovered a vulnerability that became CVE-2017-7150, patched in an official Apple update at the end of the year. (That update more notably patched Apple’s infamous “password stored as plaintext hint” bug.)

Apple’s intention, in the CVE-2017-7150 security patch, was to detect what are known as synthetic clicks in order to force user-facing popups to be dealt with by real users, not by mouse-clicking code running in the background.

Anyway, it was while preparing his 2018 DEF CON talk on the very issue of synthetic clicks that Wardle had his surfing urge.

The way Wardle tells it, he was writing code to generate a mouse click that he assumed Apple would block, but accidentally coded his synthetic click as “generate a mouse down event followed by another mouse down event”.

Clearly, this can’t happen with a physical mouse, where the only thing you can do after pressing the mouse button down is to let it come back up, so his mouse simulation code shouldn’t have made any sense at all.

In theory, the double-mouse-down code should have been an irrelevancy that did nothing.

In practice, Wardle found that his code not only triggered a synthetic mouse click, but also went undetected.

In other words, it looks as though Apple’s anti-synthetic-click protection isn’t perhaps as generic as it ought to be – a bit like a cop who asks to see your driving licence to check its validity, sees it’s from overseas and therefore in an unfamiliar format, and decides simply to take it at face value and wave you through.
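The lesson of the double-mouse-down bypass is that a check which looks for one known synthetic pattern is weaker than a check which asks whether the event stream could have come from a physical button at all. The Python below is an added illustration of the second approach and is not Apple’s code or Wardle’s; the event format (`kind`, `button`, `t_ms`) and the two sample sequences are constructed for the demo. It models the button as a state machine: a press is only plausible when the button is up, a release only when it is down, and time must not run backwards. The first sample is an ordinary press-and-release, the second is the down-followed-by-down sequence the article describes.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ButtonEvent:
    kind: str    # "down" or "up"
    button: int  # 0 = primary button
    t_ms: int    # monotonic timestamp in milliseconds


# Constructed sample streams. A real implementation would read these from the
# input layer that delivers events to the dialog being protected.
PHYSICAL_CLICK = [ButtonEvent("down", 0, 100), ButtonEvent("up", 0, 180)]
DOUBLE_DOWN = [ButtonEvent("down", 0, 100), ButtonEvent("down", 0, 101)]


def implausible_events(events: List[ButtonEvent]) -> List[str]:
    """Return a description of every event that no physical button could produce.

    The check is generic: it does not look for a specific known bypass, it
    enforces the only transitions a button actually has (up -> down -> up).
    """
    pressed = set()   # buttons currently held down
    last_t = -1
    problems = []
    for i, ev in enumerate(events):
        if ev.t_ms < last_t:
            problems.append(f"#{i}: timestamp {ev.t_ms} precedes previous event")
        last_t = max(last_t, ev.t_ms)
        if ev.kind == "down":
            if ev.button in pressed:
                problems.append(f"#{i}: button {ev.button} pressed while already down")
            pressed.add(ev.button)
        elif ev.kind == "up":
            if ev.button not in pressed:
                problems.append(f"#{i}: button {ev.button} released while not down")
            pressed.discard(ev.button)
        else:
            problems.append(f"#{i}: unknown event kind {ev.kind!r}")
    for b in sorted(pressed):
        problems.append(f"end: button {b} never released")
    return problems


def click_allowed(events: List[ButtonEvent]) -> bool:
    """A consent dialog should only honour a click whose event stream is plausible."""
    return not implausible_events(events)


if __name__ == "__main__":
    print(click_allowed(PHYSICAL_CLICK))           # True
    print(implausible_events(DOUBLE_DOWN))         # the second "down" is flagged
```

This only rules out streams that are physically impossible; a synthetic stream that imitates a real press-and-release exactly passes it, which is why a plausibility check belongs alongside, not instead of, provenance checks on where the events came from.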

Note. Wardle’s DEF CON paper refers to the use of synthetic clicks to extract Apple Keychain passwords without you realising. As far as we can see, his new “zero day” does not revive this particular bug, because the dialog that Keychain pops up now always requires your password. Just clicking through is no longer enough to export passwords and keys from Keychain storage, assuming you have patched your Mac recently.

What to do?

If you’re a Mac user, there’s not a lot you can do until Apple issues an update to its original CVE-2017-7150 update.

This bug isn’t a show-stopper, of course, because it’s not a way to break into a computer, merely a way to skip sneakily past warnings that are routinely clicked through anyway.

Apparently, the next release of macOS, codenamed Mojave, will disallow many of the system features that make synthetic clicks possible in the first place – this might cause hassles for some legitimate but hackerish utility apps, but ought to be a general security improvement overall.

If you’re a programmer, remember that security is a journey, not a destination, and the patch you came up with today might not be effective next month or next year, so never rest on your cybersecurity laurels.

And if you’re a security researcher or a penetration tester, remember that security is a journey, not a destination, and attacks that get blocked today might not stay blocked for ever.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eUbUbTc4gHI/

CVE? Nope. NVD? Nope. Serious must-patch type flaws skipping mainstream vuln lists – report

The first half of 2018 saw a record haul of reported software vulnerabilities yet a high proportion of these won’t appear in any mainstream flaw-tracking lists, researcher Risk Based Security (RBS) has claimed.

According to the company’s estimate, from the beginning of the year until June 30 it recorded a total of 10,644 vulnerabilities, 16.6 per cent of which were given CVSSv2 scores of 9.0 or higher (High to Critical severity), which means they required urgent patching.

However, 3,279 of these don’t appear in official databases such as the Common Vulnerabilities and Exposures (CVE) and the US National Vulnerability Database (NVD), potentially leaving companies in the dark about their existence.

Of this less well-documented group, 44.2 per cent had a severity rating between 9.0 and 10.0.

“While other criteria than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organisation is not aware of higher severity vulnerabilities that pose a risk to their assets,” said RBS chief research officer, Carsten Eiram.

The underlying reason, RBS claimed, is that as vulnerability reporting has grown, it has also become more decentralised. Today, vulnerabilities are being logged “everywhere and anywhere”.

It’s why companies such as RBS have sprung up to monitor numerous sources to gain a more accurate picture of the total number of flaws, it added.

This isn’t as simple as tracking multiple sources because vulnerability reporting is often confusing and incomplete, including sources in languages other than English. “While some contend that the CVE/NVD solution is good enough, the number of data breaches based on hacking points to a different conclusion,” said RBS’s VP of vulnerability intelligence, Brian Martin.

“In today’s hostile computing environment, with non-stop attacks from around the world, organisations using sub-par vulnerability intelligence are taking on significant risk needlessly.”

Another issue was disclosure – how coordinated software vendors and developers are when informing customers that the software being used by them has a vulnerability.

The good news from the 2018 Mid-Year VulnDB QuickView Report is that 48.5 per cent are now disclosed in a coordinated way, an improvement over 2017.

And yet, 25.5 per cent of the flaw haul between January and June have no known solution, either in the form of a software patch or a mitigation to reduce a flaw’s severity.

It could be argued that the overall gradual rise in the number of vulnerabilities should be interpreted as good news, a reflection of the small army of researchers who make it their job to find them.

While this might be true to some extent, only 13.1 per cent of coordinated disclosures originated from the booming sector of bug bounty programmes, the report’s authors estimated. Meanwhile, almost a third of the total vulnerabilities were known to have a public exploit.

Leaving aside RBS’s sales pitch for their own research, it’s clear that organisations should be looking beyond mainstream vulnerability data sources.

“We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organisations’ continued underrepresentation of identifiable vulnerabilities,” said Martin. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/record_software_vulnerabilities/

Three more data-leaking security holes found in Intel chips as designers swap security for speed

Intel will today disclose three more vulnerabilities in its processors that can be exploited by malware and malicious virtual machines to potentially steal secret information from computer memory.

These secrets can include passwords, personal and financial records, and encryption keys. They can be potentially lifted from other applications and other customers’ virtual machines, as well as SGX enclaves, and System Management Mode (SMM) memory.

SGX is Intel’s technology that is supposed to protect these secrets from snooping code. SMM is your computer’s hidden janitor that has total control over the hardware, and total access to its data.

Across the board, Intel’s desktop, workstation, and server CPUs are vulnerable. Crucially, they do not work as documented: where their technical manuals say memory is protected, it is not.

It is the clearest example yet that, over time, Chipzilla’s management traded security for speed: their processors execute software at a screaming rate, with memory protection mechanisms a mere afterthought. In the pursuit of ever-increasing performance, defenses to protect people’s data became optional.

Redesigned processors without these speculative execution design blunders are expected to start shipping later this year. Mitigations in the form of microcode updates, operating system patches, and hypervisor fixes, should be arriving, and should be installed if you’re worried about malware or malicious virtual machines slurping data.

These are the three cockups, which Intel has dubbed the L1 Terminal Fault (L1TF) bugs.

  • CVE-2018-3615: This affects Software Guard Extensions (SGX), and was discovered by various academics who will reveal their findings this week at the Usenix Security Symposium. According to Intel, “Systems with microprocessors utilizing speculative execution and software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis.” This vulnerability was named Foreshadow by the team who covered it.
  • CVE-2018-3620: This affects operating systems and SMM. According to Intel, “Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.”
  • CVE-2018-3646: This affects hypervisors and virtual machines. According to Intel, “Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.”

The operating system and hypervisor-level flaws – CVE-2018-3620 and CVE-2018-3646 – were discovered by Intel’s engineers after they were tipped off about CVE-2018-3615, the SGX issue, by the university researchers. The impact, according to Chipzilla, is as follows:

Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications.

A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs.

Malicious software running outside of SMM may be able to infer values of data in SMM memory.

Malicious software running outside of an Intel SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave.

Intel has a technical white paper, here, with more information, and an FAQ here.

Finally, it must be said that no malware, to the best of our knowledge, is exploiting the related Meltdown and Spectre flaws, nor the aforementioned speculative-execution vulnerabilities – partly because mitigations are rolling out across the industry, and partly because there are easier ways to hack people.

It is easier to trick someone into entering their online banking password into a bogus website than developing malicious software that tickles the underlying hardware in such a specific way to slowly extract secrets from memory. In a warped way, we should be thankful for that.

Developing… this story will be updated with more information.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/intel_l1_terminal_fault_bugs/

Equifax Avoided Fines, but What If …?

Let’s imagine the consequences the company would have faced if current laws had been on the books earlier.

Equifax made headlines around the world in 2017 with a massive data breach of more than 143 million records worldwide. It waited 40 days before notifying consumers of the breach, exposing customers to further risk. And that’s not all.

Things went downhill from there, with the CEO, CISO, and CIO retiring or resigning and multiple executives charged with insider trading related to the breach.

All this while the internal processes that led to the breach showed significant failures and a lack of basic awareness of why basic information security practices are in place. Although the company has been working to overhaul its approach to security, critical questions remain.

Why Do They Have My Data?
In the backlash, many customers — especially those in the EU and Canada, where strong privacy laws exist — wondered why a company they had never agreed to do business with was holding all of this personally identifiable information. This naturally leads to a larger question of what role, if any, data brokers should play and how they should be regulated and monitored.

In late June, it was announced that US consumers — the majority of those affected in the breach — would finally see the consequences of Equifax’s (in)action.

The result: nothing.

Nothing?
Well, technically, not “nothing,” but close enough. Reuters details the consent decree approved by regulators in eight states, including New York, Texas, and California. The required action by Equifax was to complete a detailed assessment of cyber threats, increase board oversight, and improve patching processes for known security vulnerabilities. In essence, security 101.

With the exception of “board” oversight — but not oversight in general — these are all common security basics. They are part of the PCI standard that must be adhered to by any company processing credit card information. However, the data broker that holds a huge piece of the credit rating market only now has to step “up” to this level of cybersecurity?

Alternatives
Let’s work through a few “what-if” scenarios to explore the potential penalties that Equifax would have to face under various regulations.

1. If the Equifax breach happened under GDPR in the EU (which took effect May 25, 2018), it’s likely that they would be hit with two major fines. The first for failure to adequately notify affected individuals, and the second for a failure to secure the data in the first place.

Failing to notify would cost Equifax up to 2% of its global revenue, and failure to secure would cost up to another 4%. In 2017, Equifax had global revenues of $3.36 billion. That means Equifax would have been fined about $201 million under GDPR for this breach.

2. If the Equifax breach happened under the new California Consumer Privacy Act of 2018 (which comes into effect in 2020), it could face financial penalties. The penalties for data theft under this act range from $100 to $750 per California resident, or actual damages.

We know from the initial data breach report that Equifax had records on 143 million Americans. That’s about 56.9% of the eligible population. If we use that percentage for California, we have about 17.2 million affected California residents. That means that Equifax could have been fined between $1.7 billion and $12.75 billion for this breach.

Both penalties are a far cry from the $0.00 fine it received.

Frustration
The biggest challenge with the Equifax breach is the inability for any affected user to take reasonable actions to prevent any abuse of their information.

All of the recommendations (monitor your credit, carefully check your bank transactions, look out for identity theft, etc.) are reactive. They will only help highlight something that has already happened. Legislation like GDPR in the EU and the California Consumer Privacy Act is designed to shift the balance of power back to the owner of the information.

Make no mistake: Your information is yours. You only entrust it to others. Part of that trust is that they will do their best to protect it.

That’s the real issue at the heart of the Equifax breach from the consumer point of view. At no point was that information explicitly entrusted to Equifax. The company simply acquired it and started to monetize it.

This is a case where strong individual rights for privacy and control over our data make sense.

Enough?
Thankfully — as reported by the New York Times — Equifax is still under investigation by a number of agencies, including the Federal Trade Commission, Consumer Financial Protection Bureau, and the Securities and Exchange Commission. That means there is still hope that Equifax will face further punishment for a breach that never should have happened.

Hopefully, something will come of it. Cybersecurity as it is currently practiced is a constant and near-overwhelming challenge. Companies need to develop and maintain a culture of security, a culture that respects data privacy. With that in place, cybersecurity becomes far easier.

Cybersecurity is everyone’s responsibility. That needs to be acknowledged and practiced before we can move forward.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking the question “How can we better protect our information?,” Mark studies the world of cybercrime to better understand the risks …

Article source: https://www.darkreading.com/equifax-avoided-fines-but-what-if-/a/d-id/1332487?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Election Protection’ Aims to Secure Candidates Running for Office

The kit is designed to prevent credential theft targeting people running for federal, state, and local elected offices.

The Cybersecurity Election Protection Toolkit, released today by Thycotic, aims to protect US election candidates and their employees during campaigns for federal, state, and local office.

Thycotic specializes in privileged access management, and its goal with this tool is to prevent credential theft. Its free kit addresses common means to target elections: getting unsuspecting people to download malware, cracking weak passwords, and stealing confidential information.

What’s inside: a digital edition of Cybersecurity for Dummies, an incident response template to help plan for an attack, and a poster template to hang in campaign offices to educate staffers on how to stay safe online and protect their credentials. The kit also provides access to a free password strength checker and strong password checker, both available online.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/election-protection-aims-to-secure-candidates-running-for-office/d/d-id/1332549?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Washington Man Sentenced in Ransomware Conspiracy

A guilty plea brings 18-month sentence on money laundering charges for former Microsoft employee.

A federal judge has sentenced a Maple Valley, Wash. man to 18 months in prison for his role in a scheme based on Reveton ransomware. Raymond Odigie Uadiale, 41, a former employee of Microsoft, was sentenced following his June 4 guilty plea.

Reveton displayed a splash screen with the logo of a law enforcement organization. The screen included a message alerting the victim that the law enforcement organization had found illegal material on the infected computer and required the payment of a “fine” to regain access to the computer and its data.

The victim was instructed to purchase a GreenDot MoneyPak and enter the account number into a form on the splash screen. Using the information from these cards, Uadiale transformed the MoneyPak funds into cash, kept a portion for himself, and sent a portion back to Reveton’s distributor in the United Kingdom.

Indicted on one count of conspiracy to commit money laundering and one count of substantive money laundering, Uadiale pled guilty to the conspiracy charge while the government dismissed the substantive count. In addition to his prison sentence, Uadiale was sentenced to three years of supervised release. 

According to court documents, while a graduate student at Florida International University, Uadiale used Liberty Reserve (a digital currency platform) to transfer approximately $93,640 in Liberty Reserve dollars to his co-conspirator as part of the scheme.

For more, read here.

Article source: https://www.darkreading.com/attacks-breaches/washington-man-sentenced-in-ransomware-conspiracy/d/d-id/1332551?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple