Wednesday, October 14, 2015

New season of credit cards fraud

Holiday season is coming and with it a new credit card fraud season. You might say I'm exaggerating, but I'm not; experts are expecting it. You might argue that, after what happened at Target, vendors are ready; you would be wrong.

What is the problem with credit cards in the US? The infrastructure and the credit card itself. Why? It is the same as with Internet infrastructure. In the US you can pay a lot of money for a modest Internet connection compared with other countries which built their networks in the last 15 years and offer greater speeds for less money. The explanation is simple: those countries started with new technologies and upgraded them regularly due to fierce competition or government regulation.

The same thing applies to credit card technology, which was first implemented in the US and still uses outdated systems. I remember when I received my first bank card over 10 years ago: it only had a magnetic stripe and a PIN. We have always used a PIN in Europe, a code you enter to approve a transaction. After four years I received a new card, a chip card. This was done automatically by the bank in accordance with EU regulations.

Why did the US wait such a long time to impose chip cards?

Monday, October 5, 2015

What is best open security VS security through obscurity?

For a long time it was believed that security through obscurity is the answer. Security through obscurity means that as long as you keep the details of a system or algorithm secret, that system is secure because attackers don't know the details. Open security, on the other hand, means disclosing an algorithm or a system and letting people test it and report the problems.

Because it was proven that security through obscurity is not good at all, many people argue that open security is the answer. This approach is not desirable either. Every method has its flaws.
The major issue with security through obscurity is that the security bugs will still exist and a very skilled attacker will find them; moreover, a major security flaw can be overlooked for many years. Open security relies on the honesty of those reviewing the algorithm to report their findings.

Sunday, October 4, 2015

Smart everything a security risk

There is a new trend nowadays: turn everything into a smart device. Everyone is doing it, from car and plane makers to home appliance manufacturers. The big question is: is it safe? The latest news suggests not so much. A computer system bug, even a zero-day exploit, can be damaging for the end user, but not life threatening. What about a bug in your car or plane which allows a person to remotely take control of it?
Samy Kamkar has created a box valued at $100 called Onstar which allows an attacker to locate, unlock and start a General Motors car by intercepting the commands sent from the user's smartphone to the car. More details about this hack can be found here. This problem was reported as being solved by GM.
Another exploit on smart cars was on the Jeep and hundreds of other Chrysler vehicles. The hackers were able to take full control of the car; by this I mean drive it. They could steer it and control the transmission and brakes. This problem was solved by the manufacturer, which had to recall over 1 million cars.
Another example of hacking smart devices is hacking the passenger WiFi on planes.

Thursday, October 1, 2015

Biometric databases breaches shouldn't be a problem

Recently there has been a lot of news about breaches involving stolen fingerprints. According to Hacked, 5.6 fingerprint records were stolen from the US government. With existing advances in biometric template design, a breach like this shouldn't pose a problem.
Let me explain the biometric authentication process. The first step is enrollment, which consists of acquiring the desired biometric trait, let's say a fingerprint, using the required sensor. Then a biometric template is created. Authentication is done based on that biometric template. A long time ago, when biometrics were first introduced, this template was represented by the images of the fingers; I'm referring to fingerprint usage by law enforcement.
Ratha, Connell and Bolle introduced the concept of cancelable biometrics. According to the same authors, classic biometric information storage has the following issues:
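As an added illustration of the enrollment, template and matching flow described above (example code written for this page, not the scheme Ratha, Connell and Bolle specify): a toy cancelable template built from a keyed random projection with sign quantisation. The fingerprint feature vectors are constructed random data standing in for a real extractor, and the key names and thresholds are assumptions.

```python
import hashlib
import random

FEATURE_DIM = 64        # length of the feature vector a (hypothetical) extractor yields
TEMPLATE_BITS = 128     # length of the stored, transformed template
MATCH_THRESHOLD = 0.2   # fraction of differing bits still accepted as the same finger


def _directions(key: bytes):
    """Key-specific random projection directions: the key, not the finger, decides them."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]


def transform(features, key: bytes):
    """Keyed random projection followed by sign quantisation (a toy cancelable transform)."""
    bits = []
    for direction in _directions(key):
        score = sum(w * x for w, x in zip(direction, features))
        bits.append(1 if score >= 0.0 else 0)
    return bits


def hamming_fraction(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(probe_features, key: bytes, stored_template):
    """Matching happens in the transformed domain; raw features are never stored."""
    return hamming_fraction(transform(probe_features, key), stored_template) <= MATCH_THRESHOLD


def demo():
    rng = random.Random(2015)  # constructed sample data, not real fingerprints
    alice = [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
    alice_rescan = [x + rng.gauss(0.0, 0.1) for x in alice]      # same finger, sensor noise
    mallory = [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]  # a different finger
    template_v1 = transform(alice, b"alice-issue-1")             # enrollment
    template_v2 = transform(alice, b"alice-issue-2")             # re-issue after a breach
    return {
        "genuine_accepted": verify(alice_rescan, b"alice-issue-1", template_v1),
        "impostor_rejected": not verify(mallory, b"alice-issue-1", template_v1),
        # a leaked v1 template is unrelated to the re-issued v2 template
        "leaked_vs_reissued": hamming_fraction(template_v1, template_v2),
    }


if __name__ == "__main__":
    print(demo())
```

The last value is close to 0.5, which is the point of cancelability: after a breach the user re-enrolls under a new key and the leaked template no longer matches anything the system stores.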

Wednesday, September 30, 2015

Create anonymous accounts for certain sites

The Ashley Madison disaster is all over the news. A few hours ago the Daily Mail published an article detailing how 40,000 women on the site had only 6 email addresses between them. This is clear evidence of account forgery by the site owners and dishonesty towards their legitimate users. According to the same source, the Ashley Madison site was using these accounts to generate fake conversations, and the vast majority of new users spoke with persons who didn't exist.
I know most people are prejudiced and say that the men and women on that site had it coming. Putting aside the site's "theme", if we can call it that, the users had every right to their privacy and to good business practices. If the same thing happened to a dating site rather than a cheating site, most of the public would disapprove of these practices.
What I want to discuss using this example is how our privacy and trust are being disregarded by these companies and why the affected users must act. Ashley Madison users could opt out of the site and remove their account, but if they wanted their data completely removed they had to pay a fee. Most of them paid that fee and their data should have been completely erased, not anonymized or whatever. They paid for a service which, in honesty, should have been offered for free by the website. That service hasn't been delivered.