Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of useful services and supports its community in interesting projects.

If You Use Freelancers, Do You Need to Educate Them About Security Awareness?

InfoSec Institute Resources - 1 hour 3 min ago

Hopefully, your freelancers are security-aware. However, it is up to you to put policies into place to protect yourself from rogue or shoddy security practices by any employee, on-site or remote. Similarly, it is up to remote workers to protect themselves from vulnerable clients when working from home. In this article, we will look at […]

The post If You Use Freelancers, Do You Need to Educate Them About Security Awareness? appeared first on InfoSec Resources.

If You Use Freelancers, Do You Need to Educate Them About Security Awareness? was first posted on January 22, 2019 at 8:06 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Category: Hacking & Security

Tesla recalls more than 14,000 Model S cars in China over airbag problems

Zive.cz - security - 1 hour 9 min ago
Tesla has launched a recall in China under which more than fourteen thousand Model S vehicles will be called in for service. The reason is a problem with the airbags that can injure occupants inside the vehicle. The faulty airbags had already led to the largest recall in history ...
Category: Hacking & Security

A User’s Guide: 10 Ways to Protect Your Personal Data

InfoSec Institute Resources - 1 hour 10 min ago

In 2018, Facebook had to contact over 50 million users who had their personal data exposed in a security breach. This was on top of the 87 million Facebook users who had data sold to Cambridge Analytica without their consent. Our personal data, the stuff that lets the world know who we are, what we […]

The post A User’s Guide: 10 Ways to Protect Your Personal Data appeared first on InfoSec Resources.

A User’s Guide: 10 Ways to Protect Your Personal Data was first posted on January 22, 2019 at 7:59 am.
Category: Hacking & Security

Rogue websites can turn vulnerable browser extensions into back doors

Sophos Naked Security - 2 hours 22 min ago
A researcher has found that websites can use some extensions to bypass security policies, execute code, and even install other extensions.

Bicycle-riding hitman convicted with Garmin GPS watch location data

Sophos Naked Security - 3 hours 40 min ago
Location data extracted from the athletic hitman's Garmin GPS watch and TomTom sat nav led to his conviction in two gangland murders.

WhatsApp fights the spread of deadly fake news with recipient limit

Sophos Naked Security - 4 hours 40 min ago
WhatsApp has capped the number of people you can forward messages to, after India was seized by rumour-inspired mob lynchings.

Rogue websites can turn vulnerable browser extensions into back doors

LinuxSecurity.com - 5 hours 1 min ago
LinuxSecurity.com: When was the last time you checked the permissions asked for by a browser add-on?
Category: Hacking & Security

Two thirds of US consumers say Government should do more to protect data privacy

LinuxSecurity.com - 5 hours 53 min ago
LinuxSecurity.com: Over two thirds of US consumers think the Government should do more to protect data privacy, and say they're ready for federal regulation similar to GDPR.
Category: Hacking & Security

Security researchers take down 100,000 malware sites over the last ten months

LinuxSecurity.com - 5 hours 55 min ago
LinuxSecurity.com: Over the last ten months, security researchers filed abuse reports with web hosting providers and took down nearly 100,000 URLs that were used to distribute malware, Abuse.ch, a non-profit cybersecurity organization, said today.
Category: Hacking & Security

Active Cyber Defence Should Be Rolled Out UK-Wide: Report

LinuxSecurity.com - 5 hours 57 min ago
LinuxSecurity.com: The UK government's highly successful Active Cyber Defence (ACD) program should be rolled out across other sectors to improve national cybersecurity, and could even be spurred by the government naming and shaming laggards, according to a new report.
Category: Hacking & Security

DNC targeted by Russian hackers beyond 2018 midterms, it claims

Sophos Naked Security - 8 hours 7 min ago
The Democratic National Committee has filed a civil complaint accusing Russia of trying to hack its computers as recently as November 2018.

Google fined $57 million by France for lack of transparency and consent

The Hacker News - 21 January 2019 - 19:54
The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union's new General Data Protection Regulation (GDPR) law that came into force in May last year. The fine has been levied on Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," the CNIL (National Data
Category: Hacking & Security

New malware found using Google Drive as its command-and-control server

The Hacker News - 21 January 2019 - 18:04
Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (
Category: Hacking & Security

For the Love of Money: Finding and Exploiting Vulnerabilities in Mobile Point of Sale Terminals

Positive Research Center - 21 January 2019 - 15:48


Card payments are increasingly accepted everywhere. Mobile Point of Sale (mPOS) terminals have propelled this growth by lowering the barriers for small and micro-sized businesses to accept credit and debit cards. All the same, older payment technologies—such as magnetic stripe—still account for most in-person transactions. Inevitably, each new layer of technological complexity is liable to introduce weaknesses into a fragmented payment ecosystem. What are the security and fraud implications of lowering the economic barriers to accepting card payments? And what are the risks associated with continued reliance on old card standards and magnetic stripe (aka magstripe) in particular?

mPOS payments have boomed in recent years. As providers eagerly compete for merchants' business, the entry barriers to accepting card payments have fallen to effectively zero. Signing up takes less than five minutes and mPOS terminals are available for free. mPOS terminals are seemingly everywhere, and like traditional Point of Sale terminals, they sit at the endpoint of payment infrastructure. This fact makes them attractive and accessible to criminals.

Research Scope

We focused on the most popular mPOS vendors on the market: PayPal, Square, iZettle, and SumUp. Some of these vendors operate in multiple regions. In such cases, we attempted to obtain accounts and readers for each region because there are important region-specific differences in processes, applications, and devices.

Figure 1. mPOS readers, manufacturers, and vendors tested
Figure 2. mPOS readers tested

We selected five areas for assessment:
  1. Communication between the phone and the payment server
  2. Communication between the mPOS terminal and phone
  3. Security mechanisms within the mPOS terminal
  4. Mobile application
  5. Secondary factors affecting security, such as checks made during enrollment

Figure 3. Scope of assessment in our project
Payment Process

We focused on attack vectors and security issues affecting card payments because these would compromise the core functionality of an mPOS terminal. The transaction process for mPOS terminals works differently from that of a traditional Point of Sale terminal.

The key difference from the traditional engagement model is that the merchant no longer has a direct relationship with an acquiring bank. Instead, mPOS providers act as payment aggregators. These providers, in turn, add a fee to the processing value of the transaction as markup. They may or may not assess risk at the same level as an acquiring bank would. And these providers may choose to mitigate risk in other ways, for example contractually. It is important to understand that payment aggregators are themselves a merchant who has an acquiring bank.

Figure 4. Payment process for an mPOS terminal

Card Risk

When a card transaction is made, standardized lists describe how the cardholder may be verified for that card. These differ depending on the card brand, the issuer of the card, and the country of issue. During a transaction, the method used is negotiated between the card and the terminal. The card stores a Cardholder Verification Method (CVM) list, which gives the verification methods the card supports, in the card's order of preference, together with the condition under which each rule applies and what should happen when a method fails. The terminal holds a configuration describing the verification methods it supports. It walks the card's CVM list in order and attempts the transaction with the first method that is both allowed by the card under the current conditions and supported by the terminal. The highest-priority method should therefore be one that provides a high level of assurance that the cardholder was present during the transaction.

Generally speaking, certain types of payments are more secure than others. Chip and PIN is considered most secure, because it provides a high level of assurance that the transaction has been authorized by the cardholder. Conversely, methods such as magnetic stripe are considered less secure because the Track2 data stored on the magnetic stripe can be easily cloned, and any cardholder signature can be forged. Magnetic stripe transactions do not provide a high level of assurance that the cardholder was actually present. Unlike EMV, magnetic stripe transactions do not have a cryptogram. This means that magnetic stripe transactions are potentially vulnerable to modification prior to being received by the payment provider.
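The CVM negotiation described above, as an added example that is not code from the Positive Technologies report: a terminal-side walk of a card's CVM List. The encoding follows EMV Book 3 (CVM List, tag 8E: amount X, amount Y, then two-byte CV Rules) and the Terminal Capabilities byte that states which methods the terminal can perform; the sample list and the capability sets are constructed for illustration, not captured from real cards or readers.

```python
# Added example (not from the Positive Technologies report): terminal-side CVM selection.
# CVM List (tag 8E) = amount X (4 bytes) | amount Y (4 bytes) | CV Rules of 2 bytes each.
# Rule byte 1: bit 7 = "apply next rule if this one fails", bits 6..1 = CVM code.
# Rule byte 2: condition code. Terminal Capabilities (tag 9F33) byte 2 = supported CVMs.

CVM_NAMES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN by ICC",
    0x02: "enciphered PIN online",
    0x03: "plaintext PIN by ICC + signature",
    0x04: "enciphered PIN by ICC",
    0x05: "enciphered PIN by ICC + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}

# Terminal Capabilities byte 2 bit masks (EMV Book 4, Annex A2)
TERM_PLAINTEXT_PIN_ICC = 0x80
TERM_ENCIPHERED_PIN_ONLINE = 0x40
TERM_SIGNATURE = 0x20
TERM_ENCIPHERED_PIN_ICC = 0x10
TERM_NO_CVM = 0x08

# capability bits each CVM code needs before the terminal may attempt it
_REQUIRED_CAPS = {
    0x01: TERM_PLAINTEXT_PIN_ICC,
    0x02: TERM_ENCIPHERED_PIN_ONLINE,
    0x03: TERM_PLAINTEXT_PIN_ICC | TERM_SIGNATURE,
    0x04: TERM_ENCIPHERED_PIN_ICC,
    0x05: TERM_ENCIPHERED_PIN_ICC | TERM_SIGNATURE,
    0x1E: TERM_SIGNATURE,
    0x1F: TERM_NO_CVM,
}


def terminal_supports(cvm_code, caps):
    need = _REQUIRED_CAPS.get(cvm_code)
    return need is not None and caps & need == need


def parse_cvm_list(data):
    """Split tag 8E into (amount X, amount Y, [(rule byte 1, condition code), ...])."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [(data[i], data[i + 1]) for i in range(8, len(data), 2)]
    return x, y, rules


def condition_met(cond, code, caps, amount, x, y, in_app_currency, tx):
    """CVM Condition Code (second rule byte). tx holds transaction-type flags."""
    if cond == 0x00:
        return True
    if cond == 0x01:
        return tx.get("unattended_cash", False)
    if cond == 0x02:
        return not (tx.get("unattended_cash") or tx.get("manual_cash") or tx.get("cashback"))
    if cond == 0x03:
        return terminal_supports(code, caps)
    if cond == 0x04:
        return tx.get("manual_cash", False)
    if cond == 0x05:
        return tx.get("cashback", False)
    if cond in (0x06, 0x07, 0x08, 0x09):
        if not in_app_currency:
            return False
        return {0x06: amount < x, 0x07: amount > x, 0x08: amount < y, 0x09: amount > y}[cond]
    return False  # RFU / unknown condition: the rule is skipped


def select_cvm(cvm_list, caps, amount, in_app_currency=True, tx=None):
    """Return (cvm_code, name) of the method the terminal attempts, or (None, 'fail')."""
    tx = tx or {}
    x, y, rules = parse_cvm_list(cvm_list)
    for b1, cond in rules:
        apply_next_on_fail = bool(b1 & 0x40)  # bit 7 of the first rule byte
        code = b1 & 0x3F                      # bits 6..1: CVM code
        if not condition_met(cond, code, caps, amount, x, y, in_app_currency, tx):
            continue                          # rule not applicable: try the next one
        if terminal_supports(code, caps):
            return code, CVM_NAMES[code]
        if not apply_next_on_fail:
            return None, "fail"               # card forbids falling through
    return None, "fail"                       # list exhausted


# Constructed sample list (not captured from a real card): online PIN, else offline
# plaintext PIN, else signature, each "if terminal supports" (cond 03); else no CVM.
SAMPLE_CVM_LIST = bytes.fromhex("00000000" "00000000" "4203" "4103" "1E03" "1F00")

if __name__ == "__main__":
    for caps, label in [(TERM_ENCIPHERED_PIN_ONLINE | TERM_SIGNATURE | TERM_NO_CVM, "PIN pad + signature"),
                        (TERM_SIGNATURE | TERM_NO_CVM, "signature only"),
                        (TERM_NO_CVM, "no CVM capability")]:
        print(f"{label:22s} -> {select_cvm(SAMPLE_CVM_LIST, caps, 1000)[1]}")
```

The point the walk makes concrete: the same card yields online PIN on a PIN-capable reader, signature on a signature-only reader, and "no CVM required" on a reader that supports neither. The card's own list permits each step down, so a reader that advertises fewer capabilities gets a weaker verification without any protocol violation.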

EMV Adoption

Global uptake of EMV ("chip cards") is higher than ever, but the process of adoption has been slower in some geographic areas than others. EMV transactions account for less than half of all card transactions in the U.S. The majority of transactions made in the U.S. are still made using magnetic stripe. By comparison, in Europe, around 90 percent of all transactions are performed using EMV.

Findings

Device Manipulation: Sending Arbitrary Commands

Device manipulation is possible when an attacker connects directly to the reader over Bluetooth and makes it perform functions of the attacker's choosing. To do so, the attacker must first know which services the reader exposes over Bluetooth, and which characteristics and handles correspond to which functions. This knowledge can be obtained before an attack by reverse engineering: all that is needed is a reader of the target model, a phone that supports Host Controller Interface (HCI) logging, and the vendor's mobile application. With HCI logging enabled, the attacker exercises the core functionality of the reader by performing sample transactions with different payment methods and comparing the captured traffic. Wireshark can then be used to analyze the communication between the phone and the reader. Combined with what can be learned from the mobile application, this makes it possible to correlate functions with their characteristics and handles. Figure 5 depicts the sending of the "Insert/swipe card" message to the display of an mPOS terminal.

Figure 5. "Insert/swipe card" sent to the reader display

Inserting a card incorrectly into this terminal generates the error message "Please remove card". The UUID of the characteristic responsible for displaying text, as well as the value of the data sent, can be seen in the HCI log.

Figure 6. "Please remove card" as shown on mPOS terminal
Figure 7. First Bluetooth frame responsible for sending "Please remove card"
Figure 8. Second Bluetooth frame responsible for sending "Please remove card" (the message is split across two frames because Bluetooth Low Energy has a small packet size)

As shown in Figure 9, the value sent to the mPOS terminal consists of five parts. In order, they are: a leading part containing a command value and a counter, the main text in ASCII, a trailing value, a checksum value (CRC), and an end value.

Figure 9. Elements of two packets responsible for sending "Please remove card"

In the next example, the terminal uses Bluetooth Classic to communicate with the phone. Here we can see the message "Insert/swipe card" being sent to the display of the reader.

Figure 10. "Insert/swipe card" message on mPOS terminal

Figure 11. Bluetooth frame, shown in Wireshark, responsible for sending "Insert/swipe card" to the mPOS terminal

In Figure 12, we can see that this data is made up of three parts: the leading value, the message, and the checksum (CRC). The leading value contains a counter, a command ID, and the size of the payload. The message contains the value "Insert/swipe card" in hex. The checksum is a simple XOR value.

Figure 12. Elements of packet responsible for sending "Insert/swipe card"

Using this information, it is possible to construct a frame carrying any text and send it to the display of an mPOS terminal: a counter and an XOR checksum protect against corruption, not against forgery, so nothing in the frame tells the reader whether it came from the vendor's application. Three tested devices were vulnerable to this attack vector.
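Building and checking such a display frame, as an added example that is not code from the report: the layout below mirrors the description of the Bluetooth Classic reader (leading part with counter, command ID and payload size; ASCII message; one-byte XOR checksum), but the field widths, the command ID value and the order of the leading bytes are assumptions for illustration, since the page does not give the real readers' values. The BLE split helper reproduces the two-frame behaviour shown in Figures 7 and 8.

```python
# Added example (not from the Positive Technologies report). Frame layout is assumed:
# counter(1) | command ID(1) | payload length(1) | ASCII text | XOR checksum(1).

CMD_DISPLAY_TEXT = 0x21      # assumed command ID, not taken from the page
BLE_ATT_PAYLOAD = 20         # default BLE ATT MTU of 23 bytes leaves 20 for data


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_display_frame(counter: int, text: str, cmd: int = CMD_DISPLAY_TEXT) -> bytes:
    """counter | cmd | len | ASCII text | XOR of everything before the checksum."""
    payload = text.encode("ascii")
    if len(payload) > 255:
        raise ValueError("text does not fit a one-byte length field")
    body = bytes([counter & 0xFF, cmd, len(payload)]) + payload
    return body + bytes([xor_checksum(body)])


def parse_display_frame(frame: bytes) -> dict:
    """Validate framing and checksum; raise ValueError on anything inconsistent."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    counter, cmd, length = frame[0], frame[1], frame[2]
    if len(frame) != 3 + length + 1:
        raise ValueError("length field disagrees with frame size")
    if xor_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("checksum mismatch")
    return {"counter": counter, "cmd": cmd, "text": frame[3:-1].decode("ascii")}


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_display_frame(frame)
        return True
    except ValueError:
        return False


def split_for_ble(frame: bytes, chunk: int = BLE_ATT_PAYLOAD) -> list:
    """A frame longer than one ATT write goes out in pieces, as in Figures 7 and 8."""
    return [frame[i:i + chunk] for i in range(0, len(frame), chunk)]


def forge_prompt(last_counter: int, text: str) -> bytes:
    """What an attacker on the Bluetooth link needs: only the next counter value.
    The XOR checksum is integrity against line noise, not authentication, so the
    reader cannot tell this frame from one produced by the vendor's app."""
    return build_display_frame(last_counter + 1, text)


if __name__ == "__main__":
    legit = build_display_frame(0x05, "Insert/swipe card")
    print(legit.hex(), parse_display_frame(legit))
    print([c.hex() for c in split_for_ble(legit)])
    print(forge_prompt(0x05, "Please swipe card").hex())
```

The parser is the check a hardened reader would still be missing: it rejects truncated frames and bit flips, but a correctly checksummed "Please swipe card" from a third party passes it just as a genuine one does. Only a MAC keyed to the paired application, or a link-layer pairing the reader actually enforces, closes that gap.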

Figure 13. List of terminals vulnerable to sending of arbitrary commands. Note that although the Square Contactless and Chip Card Reader (S8) does not have a display, arbitrary commands may be attempted.

This attack vector can be used in conjunction with other vulnerabilities to downgrade a cardholder's transaction to a less secure payment method, such as magnetic stripe. Figures 14–16 depict this scenario. In addition, this vector could be used to display a "Payment declined" message to trick the cardholder into carrying out multiple transactions.

Figure 14. Cardholder attempting to insert card for payment
Figure 15. "Please swipe card" message sent to the terminal forces the cardholder to carry out the transaction using magnetic stripe
Figure 16. "Please sign now" message sent to mPOS terminal

Amount Tampering

Traffic between the mPOS terminal and the payment server can be intercepted in a number of ways. We have already described one: enabling HCI logging on the mobile phone and analyzing the output. If restrictions prevent enabling developer mode, the HTTPS traffic between the mobile application and the payment server can be intercepted instead. This works because in most cases the payment server generates the commands that are sent to the mPOS terminal, and the phone, as the TLS endpoint, sees them in the clear. To hinder such interception, all vendors of the tested terminals implement certificate pinning (SSL pinning) in their mobile applications; pinning raises the effort on a device the attacker controls, but does not prevent interception there.

Here is an example of an initialized payment. We were able to intercept HTTPS traffic (via Man-in-the-Middle) and enable debug mode. The amount for this transaction is sent in plaintext. The value "0100", as seen in the figure, represents £1.00.

Figure 17. Initialized payment for an mPOS terminal
By intercepting HTTPS traffic, we can modify the amount value for this transaction. Once the amount has been changed, the checksum will need to be recalculated. Then we can send this new value to the payment server for approval. We identified five terminals that are vulnerable to amount modification for magnetic stripe transactions.

Figure 18. mPOS terminals vulnerable to amount tampering

This vulnerability can be used by a fraudulent merchant to trick a cardholder into approving a much higher amount than intended. During the transaction, the merchant displays one (lower) amount on the card reader but another (higher) amount is actually sent to the mPOS provider for approval. This attack is shown in Figure 19.

Figure 19. On the left: amount sent to the payment server (£1.23); on the right: amount shown to the cardholder for approval (£1.00)

This vulnerability affects magnetic stripe transactions. The terminal sends only Track2 data during such transactions; the transaction itself is not signed, so nothing binds the amount to the card data. This attack vector is not possible for EMV transactions because the amount is one of the inputs to the payment cryptogram, and a cryptogram computed over a different amount will not verify at the issuer. For contactless payments (PayPass and payWave), the less secure legacy magnetic-stripe modes likewise do not cover the amount with a cryptogram and therefore may also be affected by this vulnerability.

This issue becomes even more significant when we remember that less than 50 percent of all transactions in the U.S. are made using EMV. In addition, the limits for individual magnetic stripe transactions are incredibly high in both Europe and the U.S., at €50,000 and $50,000 per transaction, respectively.

This attack vector could be prevented by computing a cryptographic checksum (a MAC) over the transaction, or by including the payment amount in the magnetic stripe transaction data and comparing the amount on the reader to the one initialized by the payment server. It is worth noting that the PCI DSS standard (version 3.2.1 at the time of writing), which governs the storage, processing, and transmission of card data, does not require such checks for magnetic stripe transactions. So long as Track2 data is transmitted, the transaction will go through.
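The tampering step of Figures 17 to 19 and the MAC-based mitigation proposed above, as an added example that is not code from the report. The key=value message with a trailing XOR checksum stands in for the vendor protocol, which the page does not detail; the Track2 string uses the well-known Visa test PAN, and the per-reader MAC key and the server-issued nonce are assumptions for the hardened variant. Amount "0100" is £1.00 and "0123" is £1.23, as in the figures.

```python
# Added example (not from the Positive Technologies report): amount tampering on a
# constructed message format, beside a MAC that binds the amount to the card data.
import hashlib
import hmac

# Constructed Track2 using the well-known Visa test PAN; no real card data.
SAMPLE_TRACK2 = "4111111111111111=25121011234567890"
READER_KEY = b"constructed-demo-key-not-a-real-one"   # assumed: per-reader key known to the server
SERVER_NONCE = "A1B2C3D4"                              # assumed: issued by the server at payment init


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def encode(fields: dict) -> bytes:
    body = ";".join(f"{k}={v}" for k, v in fields.items()).encode()
    return body + b";CS=" + f"{xor_checksum(body):02X}".encode()


def decode(msg: bytes) -> dict:
    body, sep, cs = msg.rpartition(b";CS=")
    if not sep or xor_checksum(body) != int(cs.decode(), 16):
        raise ValueError("checksum mismatch")
    return dict(kv.split("=", 1) for kv in body.decode().split(";"))


def reader_message(amount: str, currency: str, track2: str) -> bytes:
    """What the weak reader sends for a magstripe transaction: Track2 and amount, XOR-checksummed."""
    return encode({"CMD": "AUTH", "AMT": amount, "CUR": currency, "TRACK2": track2})


def tamper_amount(msg: bytes, new_amount: str) -> bytes:
    """The fraudulent-merchant step: rewrite AMT and recompute the checksum. decode() succeeds
    afterwards because an XOR checksum detects noise, not a deliberate edit."""
    fields = decode(msg)
    fields["AMT"] = new_amount
    return encode(fields)


# --- hardened variant: bind amount, currency and card data to a server nonce with a MAC ---

def transaction_mac(fields: dict, key: bytes, nonce: str) -> str:
    data = "|".join([fields["AMT"], fields["CUR"], fields["TRACK2"], nonce]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def signed_reader_message(amount: str, currency: str, track2: str, key: bytes, nonce: str) -> bytes:
    fields = {"CMD": "AUTH", "AMT": amount, "CUR": currency, "TRACK2": track2}
    fields["MAC"] = transaction_mac(fields, key, nonce)
    return encode(fields)


def server_accepts(msg: bytes, key: bytes, nonce: str) -> bool:
    """Server-side check: checksum, then MAC over exactly the fields it is about to charge."""
    try:
        fields = decode(msg)
    except ValueError:
        return False
    return hmac.compare_digest(transaction_mac(fields, key, nonce), fields.get("MAC", ""))


if __name__ == "__main__":
    weak = reader_message("0100", "826", SAMPLE_TRACK2)           # 0100 = GBP 1.00 (Figure 17)
    print("server sees amount", decode(tamper_amount(weak, "0123"))["AMT"])  # 0123, checksum passes
    strong = signed_reader_message("0100", "826", SAMPLE_TRACK2, READER_KEY, SERVER_NONCE)
    print("signed, untouched :", server_accepts(strong, READER_KEY, SERVER_NONCE))
    print("signed, tampered  :", server_accepts(tamper_amount(strong, "0123"), READER_KEY, SERVER_NONCE))
```

The nonce is what keeps the MAC from becoming a replayable token: a signed £1.00 authorization captured once cannot be resubmitted under a later initialization. The key has to live in the reader's secure element, not in the mobile application, or the interception point that exposed the amount would expose the key too.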

Remote Code Execution

We found that two of the tested terminals were vulnerable to remote code execution. Exploiting this vulnerability gives full access to the terminal's operating system. With that access, an attacker can intercept Track2 data before it is encrypted and enable plaintext mode (command mode) on the terminal's PIN pad to collect PINs.

Figure 20. List of terminals vulnerable to Remote Code Execution
Figure 21. Remote Code Execution provides full access to the file system of the terminal: here, an animation of Nyan Cat is playing on the Miura M010 terminal

Hardware

Physical security mechanisms within most mPOS terminals are robust. The Square Magnetic stripe Reader (S4) does not contain the level of security or sophistication found in the other contactless and chip readers. However, this is to be expected in a device that is provided free to all merchants. All the other terminals feature a good level of physical protection, anti-tampering mechanisms, and other measures to deter would-be hardware sleuths.

Anti-Tampering Mechanisms

A tamper detection circuit protects against opening the terminal and against drilling or other tooling. If tampering is attempted, the circuit opens and the device stops functioning. In addition, most card readers use proprietary standards internally. Without the documentation that hardware manufacturers provide to product vendors, physically probing these devices is not a viable way to obtain useful information.

Figure 22. Insides of iZettle YRWCRONE
Figure 23. Tamper detection circuit within iZettle YRWCRONE

Conclusion

We found that over half of the tested mPOS terminals were vulnerable to one or more attacks, and that terminals from all four mPOS vendors were affected. The issues we identified were serious and numerous: acceptance of arbitrary commands, amount tampering, and remote code execution.

Hardware security mechanisms in the terminals are generally sophisticated. However, many other aspects of payment—such as the mobile ecosystem and enrollment processes—are far less secure.
Vendors of mPOS terminals tend to emphasize usability and enrollment. These are key elements of their business model, but this approach has not taken into account that security must be very high across the board to counteract the low entry barriers. Without a doubt, fraudulent merchant accounts are, and will be, a significant issue for mPOS providers. Mitigation of this issue will require a sophisticated approach to security that encompasses checks during the enrollment process and stringent transaction monitoring.


Authors: Banking Security Team, Positive Technologies

Top 30 Data Recovery Interview Questions and Answers for 2019

InfoSec Institute Resources - 21 January 2019 - 15:17

Introduction Data recovery has become more important throughout the years as businesses and individuals have flocked to digital platforms for productivity and personal use. Because of this, there are countless documents, photos, applications and other forms of data on hard drives around the world. All of this data holds value for their owners, whether it’s […]

The post Top 30 Data Recovery Interview Questions and Answers for 2019 appeared first on InfoSec Resources.

Top 30 Data Recovery Interview Questions and Answers for 2019 was first posted on January 21, 2019 at 8:17 am.
Category: Hacking & Security

Building a Security Awareness Program for Small Businesses

InfoSec Institute Resources - 21 January 2019 - 15:08

InfoSec Institute is dedicated to increasing security awareness and has an enormous repository of information to help individuals, small- and mid-sized businesses and enterprises to increase their security awareness. In this article, we are going to focus on building a security awareness program for small businesses in-house and making it fun. Spend money on teaching […]

The post Building a Security Awareness Program for Small Businesses appeared first on InfoSec Resources.

Building a Security Awareness Program for Small Businesses was first posted on January 21, 2019 at 8:08 am.
Category: Hacking & Security

Twitter bug exposed some Android private tweets to public view

Sophos Naked Security - 21 January 2019 - 14:17
The latest privacy glitch, which went unnoticed for over four years, may trigger yet another EU privacy probe.

Attackers used a LinkedIn job ad and Skype call to breach bank’s defences

Sophos Naked Security - 21 January 2019 - 14:05
A Chilean Senator has taken to Twitter with alarming news – the company running the country’s ATM network suffered a serious cyberattack.