Sorry Charlie...The Cat's Outta the Bag

Posted by John B. Frank Monday, August 18, 2008

Last week, in a post entitled "Sorry Charlie...You've Been Hacked", I talked about the two MIT engineering students who were hit with a restraining order preventing them from delivering their talk on vulnerabilities they had found in Boston's subway fare card system.

The Massachusetts Bay Transportation Authority (MBTA) took legal action just before the students were due to discuss generating fare cards, reverse-engineering the magnetic stripes, and hacking the RFID technology in the cards.

Ironically, the very same presentation, sordid details of the hack included, ended up leaking through the very same public court filings the MBTA submitted in its effort to keep it sequestered (a prime example of how things sometimes don't work out the way you envision them). Here are the presentation slides.

Now, I'm no techie/tekkie? (see, I don't even know how to spell it), but I know a little bit about magnetic stripes and RFID, and I found the presentation most interesting, so take a look if you wish. I don't know how long they'll be up there.

In a related matter, now that Defcon 16 has come and gone, I thought I'd share this story from DarkReading.com talking a little bit about the event:


All it takes is one look at the Defcon 16 hackable attendee badge to understand the difference between the world’s largest hacker convention and other security conferences.

The hard plastic badge includes its own microprocessor, SD card slot, USB ports, and an LED that can remotely turn off a TV. Defcon attendees could use their badge to hack other peoples’ badges or just wear it as bling. It’s such a hot item that on the first day of the Las Vegas show, the conference session rooms nearly emptied when it was announced that the badges had finally arrived at the registration desk after a shipment delay that morning.

While Defcon and its sister conference Black Hat USA share some of the same organizers, themes, and research hacks, Defcon's emphasis on hands-on hacking and its hardcore hacker culture set it apart. Defcon 16 featured multiple hacking contests, including one run by seasoned hackers who set traps and challenges for the masses trying to infiltrate a server, phone phreaking, and a $5,000 prize for being the last person left awake (and aware) after sitting through 30 hours of vendor pitches.


Interestingly, one of the more compelling research presentations never saw the light of day at Defcon: the MIT Charlie Card, Massachusetts Bay Transit Authority WarCarting presentation (see picture on right for what it takes to "warcart").


And for hackers or penetration testers who were feeling a little stagnated in their work, or who are operating on more of a shoestring budget these days, researchers from Errata Security shared some tricks of the trade they have come up with for doing more (hacking) with less. (See 'Bringing Sexy Back' to Hacking.)

Errata’s Robert Graham and David Maynor outfitted an Apple iPhone with WiFi-sniffing tools that they FedEx to their clients’ sites to conduct remote WiFi security audits. They may even up the ante by adding fuzzing and the Metasploit hacking tool to the iPhone as well for more advanced remote penetration tests.

A former Federal Trade Commission (FTC) official gave Defcon attendees tips for what to do (and not to do) after suffering a security breach, as well as how to make nice with law enforcement, which can smooth the way for that day when you have to go public about a breach your organization has suffered. (See What to Do After a Breach.)

Kelly Jackson Higgins, Senior Editor, Dark Reading
