ISC StormCast for Tuesday, November 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4221

20$ is 999999 Euro

Published: 2014-11-04. Last Updated: 2014-11-04 00:39:11 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

Newcastle (UK) University researchers claim to have found an exploit for the "contactless" payment feature of Visa cards. One of the fraud prevention features of these cards is that only small amounts can be charged in "touch mode", without requiring a PIN. But the researchers say that simply changing the currency seems to evade these precautions completely, and they built a fake POS terminal into a smart phone that apparently can swipe money from unsuspecting victims just by getting close enough to their wallet.

According to the press release, VISA's response was that "they believe that the results of this research could not be replicated outside a lab environment". Unfortunately, there ain't too many cases in security engineering history where such a claim held for more than a day or three. If this attack turns out to be true and usable in real life, Visa's design will go down into the annals of engineering screwups on par with NASA's "Mars Climate Orbiter", where the trajectory was computed in inches and feet, while the thruster logic expected metric information.

Needless to say that the latter episode didn't end all that well.

 

1 comment(s)

Whois someone else?

Published: 2014-11-04. Last Updated: 2014-11-04 00:07:57 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

A couple of weeks ago, I already covered the situation where a "cloud" IP address gets re-assigned, and the new owner still sees some of your traffic.  Recently, one of our clients had the opposite problem: They had changed their Internet provider, and had held on to the old address range for a decent decay time. They even confirmed with a week-long packet capture that there was no afterglow on the link, and then dismantled the setup.

Until last week, when they got an annoyed rant into their abuse@ mailbox, accusing them of hosting an active spam operation. The guy on duty in the NOC didn't notice the IP address at first  (it was still "familiar" to him), and he triggered their incident response team, who then rather quickly confirmed: "Duh, this ain't us!"

A full 18 months after the old ISP contract expired, it turns out that their entire contact information was still listed in the WHOIS record for that old netblock. After this experience, we ran a quick check on ~20 IP ranges that we knew whose owner had changed in the past two years, and it looks like this problem is kinda common: Four of them were indeed still showing old owner and contact information in whois records.

So, if you change IP's, don't just keep the "afterglow" in mind, also remember to chase your former ISP until all traces of your contact information are removed from the public records associated with that network.

If you have @!#%%%! stories to share about stale whois information, feel free to use the comments below, or our contacts form.

 

1 comment(s)

Comments


Diary Archives