I just noted that the sad story about the investment trader gone bad has been distilled down to a case of weak password/user controls:

Societe Generale might have been able to prevent a year-long binge of fraudulent transactions by one of its mid-level traders – which the French banking giant confirmed this week has cost it more than $7 billion in losses – simply by instituting stricter password controls and applying available software that tracks transactions to individual workstations, analysts told SCMagazineUS.com today.

They do not mention clear-text passwords as one of the gaps, but I bet stronger passwords would have only helped a little. The article suggests that administrators should not have access to users passwords, but few systems actually allow this by design. Two-factor would have definitely been better, but it still begs a few simple control questions.

Ed Felten has described some interesting and somewhat simplistic flaws in a Dutch smartcard
based transportation payment system.

Among other foolishness, the designers used a custom cryptosystem and 48 bit keys.

The fundamental security problem with the disposable Ultralight card is that it doesn’t use cryptography, so the card cannot keep any secrets from an attacker. An attacker who can read a card (e.g., by using standard equipment to emulate a card reader) can know exactly what information is stored on the card, and therefore can make another device that will behave identically to the card. Except, of course, that the attacker’s device can always return itself to the “fully funded” state. Roel Verdult of Raboud University implemented this “cloning” attack and demonstrated it on Dutch television, leading to the recent uproar.

The Dutch have only invested $2 billion so far for this amazing system that accidentally gives away rides for free.

More detail on the hacks can be found in a presentation by Karsten Nohl and Henryk Plötz called “Mifare: Little Security, Despite Obscurity“, hosted by the 24th Chaos Communication Congress.

I have been reading about the new medical marijuana vending machines in Los Angeles that are meant to go-live today.

The security discussion has been amazingly sparse. So here is a quick review of what I have noted:

1. Anytime Vending Machines (AVM) have been deployed to meet a requirement for 24/7 secure and automated dispensaries of medical marijuana
2. AVM locations will approve a prescription, take your fingerprint, and provide a prepaid credit card loaded with dosage (3.5 or 7 grams, with a max of 1oz a week) and one of five strain options

Watching the video by a CBS station revealed many of the physical security measures, but also shows a cord running across the floor from the vending machine (look at the bottom left of the machine). That made me wonder about data transmission from this thing. Where is it going to/from and how often? Does it fail to vend if it can not connect to a database, and then what integrity controls are in place…?

That would be a more interesting attack vector than the usual tubular lock weakness. The fact that a human guard is said to be deployed at all times with the vending machine makes me think there is implicit recognition of weakness. I also wonder about the paper trail and whether video is integrated into the box.

The pin pad sure looks exposed, doesn’t it? Must be hard to hide your key-code when it’s setup in such a big spread open to plain view. Maybe only one person can be in the room at a time with the machine.

And finally, I have to say this definitely “high” security. Sorry, couldn’t resist.