German Bananas

The Deutsche Welle could give The Onion a run for its money with articles like “Bavarian Supermarket Goes Bananas Over Unexpected Snow”:

A supermarket employee in Illertissen, southern Germany, was busy unloading deliveries when she came across 28 kilos of Colombian cocaine concealed in two crates of bananas.

Faced with a box of suspicious-looking substance, the 26-year-old shelf stacker in Illertissen made sure she didn’t blow it.

Ha, ha. I get it. Who knew German news could be so funny?

Diebold ATM Trojan

Sophos warns of credit card skimming malware targeting ATMs:

…rumours about compromised cash machines in Russia infected with a Trojan that captures credit card details and distributes the captured details to attackers.

I decided to check in our malware database to see if there are any samples that reference Diebold, the manufacturer of ATMs allegedly targeted and found 3 recently acquired files.

Note that the subsequent analysis points to insider and/or physical access to the systems:

By uncovering code that appears to encrypt data and a possible alternative user interface it seems to me that the stolen data is encrypted, probably to allow the attackers to use “money mules” to retrieve the data in person.

This also indicates that attackers require physical access to cash machines to install the Trojan. Overall, the malware seems to be a work of a programmer with a good knowledge of the internals of Diebold ATMs.

While this blog says the incident looks to be isolated, Graham Cluley of Sophos argues that it should be no surprise. He also quotes the Diebold response, which points a finger at their customers:

Diebold continually emphasizes the customers’ role in reducing the risk of attacks by following industry-standard security procedures related to managing physical access to ATMs, password management and software updates.

If Diebold’s customers actually are to blame for the compromise, rather than a design flaw that has since been patched, then I think it is fair to assume that the incident will not remain isolated.

AIG’s Hack of Regulations

Rolling Stone does not mince words in their story called The Big Takeover:

Cassano, by contrast, was just a greedy little turd with a knack for selective accounting who ran his scam right out in the open, thanks to Washington’s deregulation of the Wall Street casino. “It’s all about the regulatory environment,” says a government source involved with the AIG bailout. “These guys look for holes in the system, for ways they can do trades without government interference. Whatever is unregulated, all the action is going to pile into that.”

The author is clearly a fan of working within regulations, and not a fan of innovative rule-breakers. His review of the regulators is scathing, first for reducing their own authority:

Cassano’s outrageous gamble wouldn’t have been possible had he not had the good fortune to take over AIGFP just as Sen. Phil Gramm — a grinning, laissez-faire ideologue from Texas — had finished engineering the most dramatic deregulation of the financial industry since Emperor Hien Tsung invented paper money in 806 A.D.

Second, he points out that they did not regulate even when they retained the right to do so:

“There’s this notion that the regulators couldn’t do anything to stop AIG,” says a government official who was present during the bailout. “That’s bullshit. What you have to understand is that these regulators have ultimate power. They can send you a letter and say, ‘You don’t exist anymore,’ and that’s basically that. They don’t even really need due process. The OTS could have said, ‘We’re going to pull your charter; we’re going to pull your license; we’re going to sue you.’ And getting sued by your primary regulator is the kiss of death.”

When AIG finally blew up, the OTS regulator ostensibly in charge of overseeing the insurance giant — a guy named C.K. Lee — basically admitted that he had blown it.

The article provides a very informal and interesting perspective on the financial crisis and the challenges of regulation. Well worth reading.