Dutch Transport Cards Exposed

Ed Felten has described some interesting and somewhat simplistic flaws in a Dutch smartcard-based transportation payment system.

Among other foolishness, the designers used a custom cryptosystem and 48-bit keys.

The fundamental security problem with the disposable Ultralight card is that it doesn’t use cryptography, so the card cannot keep any secrets from an attacker. An attacker who can read a card (e.g., by using standard equipment to emulate a card reader) can know exactly what information is stored on the card, and therefore can make another device that will behave identically to the card. Except, of course, that the attacker’s device can always return itself to the “fully funded” state. Roel Verdult of Radboud University implemented this “cloning” attack and demonstrated it on Dutch television, leading to the recent uproar.

The Dutch have only invested $2 billion so far for this amazing system that accidentally gives away rides for free.

More detail on the hacks can be found in a presentation by Karsten Nohl and Henryk Plötz called “Mifare: Little Security, Despite Obscurity”, hosted by the 24th Chaos Communication Congress.
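
The rollback problem in the Ultralight description above, as an added toy model that is not code from Felten, Verdult or the transit operator: a gate that trusts only what the card says cannot see a reset, while a gate that compares the claim with server-side history can. The `Emulator` and `Gate` classes, the ledger and the card ID are hypothetical, and the back-end check is an assumption, not something the page says the Dutch system has.

```python
# Toy model with constructed values; not the real card layout or back end.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Emulator:
    """Replays a dump of a card that has no cryptography, and can reload it."""
    snapshot: dict
    state: dict = field(init=False)

    def __post_init__(self):
        self.state = dict(self.snapshot)

    def reset(self):
        self.state = dict(self.snapshot)  # back to the "fully funded" state


@dataclass
class Gate:
    """Reader; with a ledger it checks the card's claim against server history."""
    ledger: Optional[dict] = None  # uid -> rides the back end believes remain

    def tap(self, state: dict) -> str:
        uid, claimed = state["uid"], state["rides_left"]
        if claimed <= 0:
            return "deny:empty"
        if self.ledger is not None:
            known = self.ledger.setdefault(uid, claimed)
            if claimed > known:
                return "deny:rollback"  # card claims more than was ever left
            self.ledger[uid] = claimed - 1
        state["rides_left"] = claimed - 1
        return "ok"


def ride_with_reset(gate: Gate, taps: int) -> list:
    """Tap `taps` times, reloading the snapshot whenever the balance hits zero."""
    emu = Emulator({"uid": "CARD-0001", "rides_left": 2})  # constructed dump
    results = []
    for _ in range(taps):
        if emu.state["rides_left"] == 0:
            emu.reset()
        results.append(gate.tap(emu.state))
    return results


if __name__ == "__main__":
    print(ride_with_reset(Gate(), 5))           # gate trusts the card alone
    print(ride_with_reset(Gate(ledger={}), 5))  # gate checks back-end history
```

The ledger only shows that some device presented a rolled-back state for that ID; because the copy and the genuine card are indistinguishable, it cannot say which one was tapped, and it only works where gates can reach the back end.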

Medical Marijuana Vending Machines

I have been reading about the new medical marijuana vending machines in Los Angeles that are meant to go live today.

The security discussion has been amazingly sparse. So here is a quick review of what I have noted:

  1. Anytime Vending Machines (AVM) have been deployed to meet a requirement for 24/7 secure and automated dispensaries of medical marijuana
  2. AVM locations will approve a prescription, take your fingerprint, and provide a prepaid credit card loaded with dosage (3.5 or 7 grams, with a max of 1oz a week) and one of five strain options

Watching the video by a CBS station revealed many of the physical security measures, but also shows a cord running across the floor from the vending machine (look at the bottom left of the machine). That made me wonder about data transmission from this thing. Where is it going to/from and how often? Does it fail to vend if it cannot connect to a database, and then what integrity controls are in place…?

That would be a more interesting attack vector than the usual tubular lock weakness. The fact that a human guard is said to be deployed at all times with the vending machine makes me think there is implicit recognition of weakness. I also wonder about the paper trail and whether video is integrated into the box.

The pin pad sure looks exposed, doesn’t it? Must be hard to hide your key-code when it’s set up in such a big spread open to plain view. Maybe only one person can be in the room at a time with the machine.

And finally, I have to say this is definitely “high” security. Sorry, couldn’t resist.

Massive Insider Investment Fraud

The article by the Associated Press is written so well, it is hard to add much comment. I will do my best to keep the quotes brief, but I recommend reading the full article.

This highlights the ever-present insider issue. My first concern is that there is a lot of emphasis on motive, and most conclusions suggest none “rational”:

“This is a bad time for banks and the industry in general. But detecting the fraud over the weekend was problematic because world stock markets on Monday and Tuesday fell hugely around the world. When the positions had to be unwound, the bank did that in a terrible market of falling equities,” said Janine Dow, senior director at Fitch Ratings financial institution group in Paris.

“In hindsight, it was this guy’s superior knowledge of the control system of every aspect of trading at the bank that allowed him to build up fraudulent positions and hide them,” she said.

The bank said the trader had misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.” The trader, who was not named, used his knowledge of the group’s security systems to conceal his fraudulent positions, the statement said.

The man admitted to the fraud, the bank said, and was being dismissed. Four or five of his supervisors were to leave the group. Bouton offered to resign but the board rejected that.

So motive is unclear, but method and consequences are easy to document.

Axel Pierron, senior analyst at Celent, an international financial research and consulting firm, was stunned that 13 years after the Barings collapse, something similar has happened.

“The situation reveals that banks, despite the implementation of sophisticated risk management solutions, are still under the threat that an employee with a good understanding of the risk management processes can get round them to hide his losses,” he said.

If the controls are easy to circumvent without detection, why should we assume that they will not be circumvented without detection? Implicit in the article is that the trader was given a lot of leeway and trust, which seems the opposite of what an effective control system is meant to do. Bottom line, one introduces extreme social, cultural, and psychological (to name a few) risks/unpredictable results by basing controls on motives of users.

Illinois shops still selling lead-based toys

One might think the news of lead in toys would prompt a manufacturer to recall them immediately. Not so in Illinois, where a toy company has questioned the validity of state authority to determine safety. The disagreement seems to hinge on whether state or federal regulations should determine acceptable exposure to lead:

Illinois authorities thought they had reached an amicable agreement late last year with Ty Inc. to have the company voluntarily remove its Jammin’ Jenna dolls from retailers because the toys contained high amounts of lead.

But a few days later, the state attorney general’s point person on the issue was surprised to see Jammin’ Jenna for sale in a candy store near her office. The next morning, the official spotted another one at a grocery store near her home.

When the attorney general’s office confronted Ty, best known for its Beanie Babies, the Westmont-based company said it would no longer sell new versions of Jammin’ Jenna to Illinois retailers. But it refused to recall dolls already in stores, according to the state.

Note the detection method. An official went to a store and saw the toy was still being sold. Could there be a more automated method? Will checkout tills soon have the ability to detect harmful substances? Probably too costly, compared with spot-checks, but I am reminded of airport security. If the risk is high enough, even just from a public perception/fear perspective, then maybe toy retailers will have safety-enabled checkout scanners.

Speaking of retailers, I wonder why they could not get the retailer to refuse to sell the toy. Later in the same article, another similar story comes to light, but it does not target the manufacturer.

State authorities also are upset at national retailer Party City, which told investigators and the Tribune in the fall that it had stopped selling a pirate skull ring found by the newspaper to contain high lead levels. A spot check by the Tribune later found the ring still for sale.

The newspaper bought and tested the ring again. It exceeded safety limits for lead.

A Party City spokeswoman said the chain had instructed its 500 stores across the country to pull the rings and thought the order had been carried out. The firm said it re-issued the order earlier this month after the Tribune informed the company that the tainted product was still on some shelves.

The retailer also said it has instructed its stores to withdraw a similar pirate necklace, which the Tribune found in a follow-up test contained lead levels more than 200 times the state limit.

This story puts into perspective the hassle of chasing down NT4 and Windows 2000 servers and getting them off the network.

One last thought. Remember the robot in Buck Rogers? I think it said “Eat Lead, Suckers!” Ty should consider licensing that little guy for their beanie baby line…