In a recent case cited by Sophos as reported by the Birmingham News it is worse than that.  Ernst & Young auditors lost a USB fob.   Fortunately the information was encrypted.   Unfortunately the password was with the fob.   Obviously that defeats the purpose.  Some people are just destined to be examples for others.

Like the virtual pickpocketing of credit cards, and bad guy can also clone proximity cards.   As some buildings, outside work hours you need a badge and PIN to enter the premises.   But during work hours, you could just walk right in and use a cloned card.

ProxmarkIII allows the researcher to read and emulate any RFID tag.   Badges are typically sequentially numbered.   If the cloned badge doesn’t have the access you need, you could brute force the badge reader.   It would take two years to test the entire card space at the rate of one per second.  But if you already have the company code and one of the badge numbers, that narrows things significantly.

Brad’s experience is people wont challenge you even as you stand at the badge reader for multiple minutes trying badge numbers, even with the reader beeping at each attempt.

Side note, employees are told not to let other people piggyback, but at best they hold the door and ask people to swipe a badge.   The beep doesn’t indicate success.   Only that something was read.

Unless the physical access logs are sent to a SIEM, many proxcard systems will not alert you natively to the brute force attack.   There is one hilarious drawback Brad mentioned.   Security may not react to the brute force attack, but one time they had flagged a particular account so when the bruteforce tried accessing as it, security responded fast.

In addition to clone/playback attacks there can be attacks against the badge reader itself.   Communication between the reader and the controller are serial.   Physical taps may allow recording of a range of badge numbers and PINs.   You only need one badge to access so this is a bit of piling on.

The HID controllers also were found to have security issues.   I am wondering why the controller would be addressable on the network, but  this is what he found.   Default passwords, undocumented accounts, passwords that can’t be changed from default.    The database had default passwords and was vulnerable to SQL injection.

With all this access he was able to send commands like “unlock all”.

I enjoyed this talk and felt the demonstrations were very effective.   Proxcard spoofing seems very James Bond and unlikely to be used in real life.   The problem is, how many times has attack been deemed unrealistic by management until management reads about it in the Wall Street Journal.

It is important then to add monitoring for bruteforce attacks where it does not exist.   Monitor for unusual access activity, or impossible access activity (being at two locations simultaneously).   While we can only pressure the vender to remove default accounts and allow passwords to be changed, be should make sure these devices are not accessible on the network where possible.

 ’full disclosure is dead’   Whether you believe in “responsible” disclosure or not, the people in the bug bounty programs believe in it, so the choice is really get paid or not.   As a side effect people aren’t dropping oh-days all over conferences, which sucks as a conference organizer.

Credit Card companies are quietly deploying new cards that have a RFID chip to allow for contactless payment at terminals that can take such.   When it is talked about, Credit Card companies present it as more secure and similar to the pin and chip system used in Europe.   The issue is that it is actually less secure.

The card is ready to respond to any reader whether in the grocery store or while walking down the street.   A bad guy could have a reader and “clone” your card with you being completely unaware.   With previous card thefts, a bunch of people would have a fraudulent charge, and an investigator would notice that all of the cards were used at a specific company.   It was easy to find a credit card skimmer installed at the location to collect card data.   If the bad guy is collecting data from people who walk by on the street, a virtual pickpocket if you will, there isn’t a way to determine the malicious source.

We’ve all ordered items on line and had to provide the CVV number off the back of the credit card.   The credit card actually has three CVV codes.   One encoded in the magstripe, one you can read off the back and a variable number given when the contactless payment is used.   If I made a contactless payment at the store, and the number were harvested they wouldn’t be able to reuse that CVV.   The issue is that a bad guy with his own reader could ask my card multiple times for a CVV.   He can then attempt as many transactions as he collected numbers.   If I made a charge before the attacker attempted to use the stolen credentials, the other numbers are not valid.   It is like trying to use the wrong securID token.   You’ll get locked out.

While CVV offers some protection, the bad guy will likely be able to get single transactions performed against a wide number of victims.   Many if not most people don’t monitor their credit cards activity so there is a likelihood of success.

So what can you do about it?

Accepting the risk is always one way to deal with it.   American credit card laws make it pretty easy to dispute charges.   If occurences are rare than this could be a rational choice.

Protective sleeves, tin foil, and passively shielded wallets have been a proposed solution.  This is generally laughed at by anyone not going to Defcon because it seems like overkill or paranoia.   Hopefully this report on Chris’ talk will convince you it isn’t paranoia.   Unfortunately Chris’ research shows that a determined attacker most likely wouldn’t be working with a low powered receiver like you’d find in a store.   Those are designed to read cards from two to four inches away.  An attacker would be using a higher powered right from up to 25-30 feet away.   He tested the various common shields and found them lacking.   Some might be ok against specific wavelengths.   But they sounded like a waste of time and money.

Chris’ company is working on GuardBunny, an active shield to protect against this sort of thing.   Until then you can microwave your card to kill the RFID chip and still have it work with the traditional swipe method.   3 seconds kills the chip, 5 seconds sets it on fire.   Given the wide range of Microwave power, I’d recommend not doing that.

I think for now, I’ll stick to aluminum foil when on trips to hacker cons, while their the card stays in the safe away from the convention floor.

On The Finder, a new show on Fox, Michael Clarke Duncan’s character, finds a character logged into the computer as him.   He asks in his booming voice, “How do you know my password?”

The answer, “you say it to yourself as you type it in.”

I’ve caught myself doing that a few times.   The worse is when the password is a phrase from a song.

Back in August, BlueCoat implemented some changes to the BlueCoat WebFilter.  It introduced some new categories and renamed some other categories.   On the ProxySG, no change was necessary for the renamed categories.   However for ProxyClient (the client side install that provides protection when off the corporate network), you needed to manually update the config.

Unfortunately for us, no one bothered to update that config.   While reviewing some BlueCoat best practices, I doublechecked our existing settings and found that we still had the old categories selected in ProxyClient.  I made the required changes and saved to server.   On my client, ran the updater and got an error back, “Received status 400 from server”.   I received the same error testing directly from my browser.

Opening a case with support they directed me to a Technical Alert – ProxyClient Installation is Failing with HTTP 400 response from server.   I’d seen that before running into this problem, but hadn’t read it since I wasn’t installing ProxyClient.   Didn’t remember the error 400 tiein.   It turns out, the problem occurs when making the SSL connection from the client to the server to pick up the configuration.   This is true of a new install or an updated configuration.

The cause of the problem is MS12-006.   Since this contains SSL fixes for the BEAST vulnerability, I’m going to have to ignore BlueCoat’s suggested workaround of uninstalling the Microsoft security update.   Not sure if this can be fixed with a new ProxyClient version or if I’ll be waiting for a ProxySG release which would involve much more testing.

That is what my immediate reaction was to DreamHost announcing it has detected an intrusion.   I love that.

How many companies would even notice before all their customers were calling asking why they were owned?compan

How many companies would refuse to talk about security incidents or blame the customer?

How many would take the PR hit to preëmptively perform password resets immediately instead of waiting until the investigation was complete.   A week, or a month from now we could know that the passwords were’t gotten, but in an abundance of caution action is taken now to prevent damange.

Maybe I’ve drunk on the koolaid, but I think DreamHost did the right things from the reports I’ve seen.

Fast forward to today,  and I find my RSS reader suddenly has a ton of posts from the Masked Scheduler blog.   Instead of the TV commentary, I find spamish gadget/electronic posts.  I’m guessing it is trying to take advantage of the link love the former blog enjoyed.

When you decide to terminate a  social media account whether a blog or twitter, you should consider taking down the content but holding on to the name.  This is true particularly for free sites.   You’ve built a brand, you have thousands of inbound links.   According to Google Reader there are 200 of us on Reader that got this unintended content because the Masked Scheduler apparently deleted the account and then it was available for reuse after a period.   Now I’m guessing here based on the archive.org crawl from last year showing the account is gone, so it doesn’t appear to be a compromised account.   Just the case of a username being abandoned and picked up by someone else.

Reminded me of the default theme in WordPress.   The top image on many screen resolutions wastes so much space you have to scroll down to see anything.    Probably not who they are targeting.

This post largely exists as a test post to verify posting, at least, still works.   If you see anything else broken, please let me know.

I use Incapsula to protect the site.   SQL Injection protection is included in their free protections.   Nevertheless, I finally decided the risk was worth the limited reward.