German EMV and 45% fraud decline

Germany is pressing ahead with a huge EMV project, according to Die Deutsche Kreditwirtschaft:

Die Deutsche Kreditwirtschaft, as the body representing the interests of the leading banking industry associations, and the German acquirers have agreed on a joint approval procedure, spanning all card products, for the purpose of establishing and operating an EMV-capable network operator infrastructure and EMV-capable POS terminals in the German market.

In other words the German banking industry, on behalf of associations and acquirers, is committed to building out an EMV infrastructure. Their latest analysis suggests a big drop in fraud can be linked to recent EMV trials.

Data theft at cash dispensers is reported to have been 45 percent down in 2011 from the previous year.

VMware Security Note: ESX Source Posted

The VMware Security Response Center has just posted the following announcement:

Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers.


Update, April 25th: I’ve been contacted to discuss this story in more detail. Here are some general points I have made.

  • VMware is being proactive in notifying customers and the public. They will provide further details if/when necessary but you can see from the announcement that they are attentive to risk and assessing it thoroughly. There was no prior announcement.
  • The breach of the China National Electronic Import-Export Company (CEIEC) at the start of this month (Apr 2nd) is being reported as related to this announcement. The US Government imposed sanctions against CEIEC in December of 2006 (FR Doc No: E6-22630) under “Section 3 of the Iran and Syria Nonproliferation Act”.
  • Do not download files from the CEIEC breach without taking special precautions against malware and exploits.

2nd Update, April 25th: The Register has posted a blurry image of the stolen code, covered in “Death Card” images. That is probably an historical reference to the “Ace of Spades,” which has been popularised as a victory taunt in American pop-culture.

The actual effect of the card, however, is far from what has been depicted in Hollywood and thus likely to be different from what was intended by those releasing the ESX code. Its history and effect are explained in detail by PsyWarrior, who includes a quote attributed to “Lieutenant Colonel William J. Beck who commanded the 4th PSYOP Group from 15 October 1967 to 7 October 1968”:

Any survey of the PSYOP program in Vietnam reveals that many psy-operators are frustrated by the lack of signs of tangible success in the PSYOP effort…Perhaps in an attempt to overcome this deficit many appear to be impressed with the values of what can only be called propaganda gimmicks. This includes the use of the ace of spades, special lighting effects, and ghostly loudspeaker broadcasts.

This aspect, unfortunately has often reduced idea formation on the part of these operators and staff to the level of “gimmicky” and more or less desperate attempts to find a quick solution and dramatic breakthrough. This is not good PSYOP.

The Ace of Spades, therefore, appears historically to be a reference to attackers who struggle with a “lack of signs of tangible success”.

Bait Car – Surveillance Setup Tricks

Super Circuits has an amusing story of how they simplified the setup of a “bait car”:

Can you visualize this? The space we were working in was 2”X5” wide, with Jake trying to squeeze his hand into this small space and attempting to attach a camera on the side of the opening with two different glues going. Although we did manage to get it to work, it took a couple of hours, two people and several attempts.

There had to be a better way.

I walked away from this situation thinking “it shouldn’t be this hard”. Obviously, there isn’t an option, nor does it make sense, to redesign vehicles around camera installations. So with that off the table, I was left trying to figure out what I could do to make it easier for people whose primary job is not installing electronic components, but is to capture the bad guy with the assistance of electronic components. Here’s what we came up with.

The answer is foam.

Low Speed Chase Memorial

Earlier, I wrote about the tragedy of Low Speed Chase. A touching and beautiful memorial was held on Saturday on the water near the San Francisco Yacht Club.

Below is a brief capture I made at the memorial, as we passed by the bagpiper on Farallon.

Low Speed Chase Memorial Pipes (6MB mp4)

I’ve compressed the video significantly (from 80MB) but left the audio alone. The buzzing in the background is from a helicopter flying overhead.

Update: A Sikorsky S-64 Skycrane helicopter left Half Moon Bay Airport and reached the Farallon Islands in 15 minutes, picked up the boat and returned. This was the last week to retrieve the boat before the Islands would be closed and protected as a bird sanctuary until October.