Visa Update to Mobile Payment Best Practices

Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0 has been released.

The previous version of the best practices was intended for two distinct audiences: vendors that develop Mobile Payment Acceptance Solutions and merchants that use these solutions. For purposes of this document, a vendor is any entity that develops Mobile Payment Acceptance Solutions, either in-house or on behalf of another organization. In this newer version there is a third audience: Acquirers and Payment Service Providers (PSPs).

Here’s a quick summary of best practices in the new section:

  1. Uniquely ID merchant transactions
  2. Restrict manual Key Entered transactions
  3. Carefully on-board and monitor merchants
  4. Use online processing
  5. Monitor for mobile payment acceptance fraud

Hacking NASCAR: If You Ain’t Cheatin’…

NASCAR lately has handed out some stiff penalties to competitors for infractions. Yet Bleacher Report’s list of the top quotes in NASCAR history offers plenty of evidence that rule-following may be the exception for drivers:

“If you ain’t cheatin’, you ain’t tryin'” is an old NASCAR expression. Junior Johnson had this to say about his creativity when it came to building cars:

“I loved the game. Maybe I’d have four of five new things on a car that might raise a question. But I’d always leave something that was outside of the regulations in a place where the inspectors could easily find it.

“They’d tell me it was illegal, I’d plead guilty, and they’d carry it away thinking they caught me. But they didn’t check some other things that I thought were even more special.”

BR also cites driver Darrell Waltrip in 1976 after his team was caught cheating with nitrous oxide.

If you don’t cheat, you look like an idiot; if you cheat and don’t get caught, you look like a hero; if you cheat and get caught, you look like a dope. Put me where I belong.

Waltrip’s best story might be the time he was caught filling his car frame with BBs to cheat the weight test before a race. Because cars weren’t weighed afterwards, he simply pulled a plug and the weight would disappear on the track undetected. Unfortunately, one day the balls jammed. The BBs sat in his car, keeping him at regulation weight, until Waltrip’s car entered the pit. Then, as he approached the other crews, the entire payload came free and pelted them.

That story comes from Popular Mechanics’ article called “The Greatest Cheats in NASCAR History,” which has many other examples:

  • Fuel capacity: Yunick inflated a basketball in the tank during tests, then deflated it before the race
  • Fuel capacity: Yunick quadrupled the 11 ft fuel line diameter to carry 5 extra gallons
  • Aerodynamics: Johnson’s crew chief Knaus altered rear window angle
  • Weight: Flock painted wood to look like metal roll bars

I especially like the fuel line cheat as Yunick argued the line was not technically part of the tank and therefore should not be included in measurement of capacity. Popular Mechanics also quotes a famous cheater who thought “stock” cars meant a challenge to make some stock “better” than others.

“It can be frustrating,” says Chad Knaus, crew chief for four-time champion Jimmie Johnson…. “But it would be more frustrating to give up trying to make our car better.”

I suppose you could excuse failure to follow a rule when the rule is first introduced. There might be confusion, and not everyone would interpret it the same way. That is especially believable when NASCAR found that almost no one passed:

To help cut down on cheating, NASCAR introduces body templates, which race cars must conform to. Prior to the Firecracker 400 at Daytona, 49 of 50 cars entered flunk initial tech inspection.

But that sad tally was decades ago in the 1960s, as reported by Something About Everything Racin’, which also retells a story of Petty’s winning engine. The cylinders apparently had wax in them before a race to pass inspection. During the race it melted so after the race the engine measured much larger than the maximum allowed; it went from just over 350 to 392 cubic inches. At the end of the race, despite all the penalties and warnings, it seems that the winners in NASCAR are cheating all the time.

The names of those caught skirting the rule book read like a “Who’s Who” in NASCAR history: Tim Flock, Smokey Yunick, Junior Johnson, David Pearson, Bobby Allison, Richard Petty, Roger Penske, Jack Roush, Ray Evernham … the list goes on and on, almost as if it’s some kind of badge of honor.

Indeed, the badge of hacking has just been bestowed on teams No. 14, No. 3 and No. 18, according to a NASCAR press release:

The No. 14 team in the Sprint Cup Series was found to be in violation of Sections 12-1 (actions detrimental to stock car racing); 12-4J (any determination by NASCAR officials that the race equipment used in the event does not conform to NASCAR rules detailed in Section 20 of the NASCAR Rule Book); and 20-2.1J (unapproved open vent hose inside of the car).

Imagine if computer security regulations had something like “Sections 12-1 (actions detrimental to stock car racing).” Actions detrimental to the industry? The FTC is probably the closest thing.

That vague catch-all 12-1 rule was really meant to help prevent fist fights and other unsportsmanlike behavior. Ironic, since some say the reason NASCAR became so popular in America was a 1979 televised fight.

Oh, and note the NASCAR typo. That should be rule 20A-2.1J. Is the fine removed if there’s no 20-2.1J?

Anyway, with all that background, I’m going to take a guess and say that the vent hose was intentionally routed inside to reduce air resistance. A fairly boring hack, and the finding doesn’t seem to be an isolated instance.

The No. 3 team in the Nationwide Series was found to be in violation of Sections 12-1; 12-4J and 20A-2.1J (unapproved open vent hose inside of the car).

As fun as it is to read the infraction reports and the odd-ball excuses or theories of disobedience from the teams, it really just makes me yearn for something more meaningful in development and innovation — where’s the bump in the power to efficiency ratio we could all use?

It will be years before the IndyCar innovation trickles down into NASCAR, despite all the stories of cheating. I wish the car racing regulatory bodies would just speed up the process and let someone race a diesel again.

Now THAT was an impressive hack that translated directly to stock benefit.

Aligning NTFS to SSD Geometry

Frank Shu, Senior Program Manager for Microsoft, gave a presentation in 2008 called Windows 7 Enhancements for Solid-State Drives. The slides illustrated a set of challenges with SSDs for the Microsoft Windows OS:

  • Reporting non-rotating media will allow Windows 7 to set Defrag off as default; improving device endurance by reducing writes.

He meant that when the ATA8 rotation rate value of 0001h is reported to the Windows operating system, it could automatically disable de-fragmentation.

Towards the end, Shu’s presentation explains why it matters.

SSD endurance is equal to the safety of user’s data.

Defrag no longer is your friend; it can actually be your enemy. What does that mean for earlier versions? Windows XP is here to stay, right? Note the most recent end-of-life announcement from Microsoft:

We might therefore expect it to be updated to ensure “the safety of user’s data.” Alas, the challenges presented by Shu at Microsoft in 2008 are today still present in Windows XP.

The SSD offers an easy way to give new life to an old system since the price for a reasonable size has dropped under $100. It makes sense that every XP owner would go there and after a little research (uh, four years?) Microsoft would support them. Where do you want to go today? SSD.

Yet defrag is just the beginning. Microsoft has left other SSD problems for Windows XP unsolved as well. Here is an even better example. The presentation revealed major performance risk:

A fresh install of Windows 7 can do a proper geometry alignment but an upgrade from Windows XP would be mis-aligned and inherit a 50% performance hit. Ouch. Common symptoms are a system freezing momentarily.

This leads to a very uncomfortable user experience. You’ll know availability loss when you hit it. After seeing the first taste of SSD speed it feels like slamming on the brakes after driving on the highway.

For a more technical test, simply use Start -> Run and type msinfo32. You can see the problem by looking at the Partition Starting Offset value. Divide the number by 4096. If it doesn’t divide evenly, then obviously the partition is not aligned with the 4096-byte sectors of an SSD. Here’s an example that shows a start at 32,256:

Divide by 4096 and you get 7.875. Uh-oh.

This also can happen on virtual systems, where the physical layer is abstracted completely away. The NTFS partition of a legacy guest OS could be misaligned with VMFS, which itself may not be aligned with the SAN LUNs. At least in a large enterprise you can hope a service provider will be aware and looking for symptoms of read and write degradation as sector sizes are represented up the stack.

Microsoft however has left many users in the lurch. Fortunately there is an easy and free solution…Linux. Here’s a good example of why this actually matters today and how Linux is doing things right.

Let’s say you want to buy a sub-3-pound laptop with a full keyboard, bright screen and 10-hour battery life for under $200.

You can start with a solid machine for just $50. It’s known as the IBM Thinkpad X40 and it was one of the best form-factors ever built. No, I’m not just being nostalgic. If that were the case we’d be talking about the IBM 701c Butterfly or the Apple Duo 230. The X40 is more than a pretty face, it is a very practical and useful system for today’s needs that literally costs $50.

The X40 is perhaps best known for being the lightest laptop when it was introduced in February of 2004, weighing just 2.7 pounds (lighter than the portless Apple Air!). Although the first 1.8″ HDD was introduced in 1991 it was the Apple iPod in 2001 that brought it to mainstream. The IBM X40 then adopted it. I mention that because today buying a tiny 1.8″ SSD for an IBM laptop might feel odd. Just remember that in 2005 the thin and light tablet form-factor was mega-hyped and even helped bring perpendicular recording to market, but I digress…

SSD storage prices have come down so a 64GB 1.8″ SSD for the X40 should be less than $100. Put that with your $50 X40 and you now have a light fast laptop for $150. The official specs say Windows 7 is not supported but you can make it work if you fiddle with the drivers. Or you also could install Linux and go. Mint Maya is very nice.

But what if you want to restore life into an existing Windows XP installation (or install from factory CDs, or want to use the Windows XP license attached to the hardware)? Then you have to do some SSD geometry alignment for NTFS to address all the challenges (e.g. safety of your data) identified by Microsoft yet left for you to deal with on your own.

Linux to the rescue. You only need a 128MB or larger USB drive to boot the system with GParted Live. Creating the USB drive with GParted is trivial. Download the Tuxboot executable. Run it, choose GParted Live from the source menu, and choose the USB device from the target menu. After a few minutes you will be ready to fix your NTFS partition.

Insert your USB device into a powered down system. Next you’ll have to get the BIOS to let you boot from USB. On an X40 this means pressing power and then F12 to get to a device boot prompt. Select USB, answer the GParted setup questions and then the live environment is loaded.

You now can either fix an existing XP installation or create a new partition from the GParted Live tool. If you want to fix alignment, just select the “resize/move” option. Change the “free space preceding” value to 2. Click Apply. This will take about 30 minutes on 64GB. Then select the “resize/move” option again and change the value from 2 to 1. Click Apply. Wait another 30 minutes. That’s it!

Take another look with Start -> Run -> msinfo32. You now should be able to divide your number by 4096.

The move to 2 and then back to 1 by GParted re-aligns the NTFS partition to the geometry of the drive, per the Microsoft presentation above. The reason it works: with 1 MiB of free space preceding the partition, its start lands at byte 1,048,576, which divides evenly by 4096.
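The alignment arithmetic the post walks through, as an added example (not code from the original post): it parses the Partition Starting Offset values out of msinfo32-style text, divides each by 4096 exactly as described, and computes where the partition start lands after a GParted resize/move with a given “free space preceding” value. The msinfo32 lines are constructed for this example, and the assumption that GParted places the partition start at exactly that many MiB is mine.

```python
# Added example, not from the original post: check NTFS partition alignment
# against the 4096-byte SSD geometry using the "Partition Starting Offset"
# value that msinfo32 reports.
import re

PAGE_SIZE = 4096        # alignment unit the post divides by
MIB = 1024 * 1024       # GParted's "free space preceding" field is in MiB

# Constructed sample text, modelled on the msinfo32 Disks section.
# Disk #0 is the legacy XP layout (63 sectors * 512 bytes = 32,256 bytes);
# Disk #1 is a partition already starting at 1 MiB.
SAMPLE_MSINFO32 = """\
Partition\tDisk #0, Partition #0
Partition Size\t59.63 GB (64,028,983,296 bytes)
Partition Starting Offset\t32,256 bytes
Partition\tDisk #1, Partition #0
Partition Size\t59.63 GB (64,028,983,296 bytes)
Partition Starting Offset\t1,048,576 bytes
"""

_OFFSET_RE = re.compile(r"Partition Starting Offset\s+([\d,]+)\s+bytes")


def parse_starting_offsets(text):
    """Return every Partition Starting Offset (in bytes) found in msinfo32-style text."""
    return [int(m.group(1).replace(",", "")) for m in _OFFSET_RE.finditer(text)]


def check_alignment(offset_bytes, unit=PAGE_SIZE):
    """Divide the offset by the alignment unit, as the post describes.

    Returns (quotient, remainder, aligned). The partition is aligned only
    when the division is exact, i.e. the remainder is zero.
    """
    quotient, remainder = divmod(offset_bytes, unit)
    return quotient, remainder, remainder == 0


def realigned_offset(free_space_preceding_mib):
    """Starting offset after a GParted resize/move with the given
    'free space preceding' value (assumption: GParted puts the partition
    start at exactly that many MiB)."""
    return free_space_preceding_mib * MIB


def report(text):
    """Summarise each partition found in the text, including the fractional
    quotient the post shows (32,256 / 4096 = 7.875)."""
    rows = []
    for off in parse_starting_offsets(text):
        _, remainder, aligned = check_alignment(off)
        rows.append({
            "offset": off,
            "quotient": off / PAGE_SIZE,
            "remainder": remainder,
            "aligned": aligned,
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_MSINFO32):
        status = "aligned" if row["aligned"] else "MISALIGNED"
        print(f"offset {row['offset']:>10,} bytes / 4096 = {row['quotient']:.3f}  ({status})")
    # What the GParted move to 1 MiB preceding produces for the misaligned disk.
    new_start = realigned_offset(1)
    print(f"after move: {new_start:,} bytes -> aligned = {check_alignment(new_start)[2]}")
```

Run it as a script to see both partitions summarised, or feed `report()` the text you paste out of msinfo32; any row with a non-zero remainder is a partition that will inherit the performance hit the presentation describes.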

Don’t forget to also disable defragmentation, remove the swap file (a memory upgrade to the max on the X40 is $20)…basically you want to get rid of all the “caching” habits that were designed to help speed up old spinning disks when memory was low or expensive.

That’s how you can go from a 2008 risk presentation on NTFS to a 2012 snappy-lighter-than-air-system-with-lots-of-cool-output-ports-and-10-hour-battery-life for just $150.

Imagine if that had been the point of the Microsoft presentation in the first place…if you don’t need/want to run a dual core i5-2520M and 8GB RAM in a magnesium skin (e.g. pay for industry-leading engineering like the sub-3-pound yet incredibly durable Panasonic Toughbooks), then why not breathe new life into a classic design by IBM? Think about it.

Victim Exposure by Anti-Malware Research

Let’s say malware compromises your system. Do you want a responder or a researcher to let others know that you were compromised? That’s the question that came to mind when I read a new research report.

There certainly is precedent for privacy and secrecy practices among other emergency responders, as well as researchers. Health care privacy might be a good example. One of the interesting cases I had to deal with in a hospital was related to x-rays of sports teams. In the run up to a big game we saw threats increase as gamblers tried to get in and improve their chances on bets by stealing information related to player health.

From that perspective a report of a system breach by a security responder could be analogous to a report of a bone break by a doctor. The situation may be more complicated than some realize, given the market for data, when you try to ask a simple question like who does a report serve. People betting on a company want to know the company status, just like people betting on a player want to know the team status.

Regulations help because they can sort out the decisions and attempt to make it as clear as possible when a responder or even a victim has an obligation to report. Recently an anti-malware blog report seemed to unintentionally expose more than necessary.

The start of the story called “An Inside Look into a Customized Threat” has a screenshot of “targeted” email. From the redacted sections you can almost make out the company name, as you can see at the top of this image:

FireEye Email Example

The little clues to the company name might not be enough to do anything about if the image didn’t also reveal the location.

San Diego, CA is redacted but still very easy to read. So now you know elements of the company/domain name in a specific city. And then the report emphasizes it’s a billion dollar company with the title Senior Vice President and Chief Financial Officer.

The individual points on their own are not much to think about; taken together they significantly narrow down the possibilities.

The irony is that if there is anything generic about that message, which the researcher might try to argue in their own defense, it works against their argument that this is a “Customized Threat”.

Moving on to the rest of the story reveals little customization. Nothing in the technical summary mentions customization at all.

To summarize, when the malicious file—disguised as a financial report—is executed, it drops an executable file in a temporary folder and executes it. The dropped file then requests an HTML page from a server located in Taiwan and downloads a compressed executable file. This downloaded file establishes SSL communication on the compromised computer.

Perhaps they’re omitting custom elements but that sounds pretty generic. Then the researcher gives more detail on the company.

The entire exploitation was customized for a specific individual—in this case, the president of a billion dollar corporation.

Was the entire exploitation customized, or just the initial attack path? The report seems to reveal that a message could be customized while at the same time trying not to reveal how customized it is.

I wonder why they didn’t go all the way and just give the company name. Approval to discuss customized information may have been more convincing and less likely to cause accidental exposure, compared with semi-exposing the target.

Or we can hope that the email was completely fabricated by the researcher and San Diego, etc. have nothing to do with the real victim. A simple disclaimer would have been nice in that case, like the usual “identities have been changed to protect…”.

Otherwise it’s like a doctor who says they are not going to reveal which team has an injured player, but test results could be a threat to a winning streak in Manchester.