Wednesday, October 21, 2015

How to falsify a chip card? Putting on another one

They can call it the "astonishing trick" or a clear-cut “hack”. The question is that many security researchers were amazed when they've known how some French criminals achieved to steal almost 700.000 euros using stolen chip cards without knowing the PIN. We’ll talk about this, as well as serious failures discovered in encryption hard drives, the progress of the most popular certification and an interesting report about the 0day vulnerabilities world. 

While around us we already feel the saturation of jokes, news and other things about the day Marty McFly came back to the future (today), we travel to 2010, when researchers of the Cambridge University discovered a failure which allows criminals to use chip cards without knowing the PIN, through a man-in-the-middle attack. In the following years a group who used this trick with stolen chip cards in France and “drained off” in Belgium was detected. The trick consists on putting a chip just on top of the legitimate one. The second chip will accept any PIN introduced. By the way, if anyone thought in using the failure: it has been already fixed.

Defects in encryption disks

Another important failure has been detected in My Passport auto-encrypted hard disks, by Western Digital. A team of researchers decided to analyze if these disks really were so secure as the advertising announced and they don’t. Even more: the researchers ensure that they are full of vulnerabilities and that's not very difficult for an attacker to access the saved information. It will be better to put this brand on quarantine until they fix it…

Let’s Encrypt goes on

And we follow with the positive news of the day: the Let’s Encrypt initiative, which offers free certifications and open encryption tools to securize webs, has obtained the support of the most important browsers, which have given it their public and official confidence. Let’s Encrypt is an authority in certifications created by the Electronic Frontier Foundation, Mozilla, Cisco Systems and Akamai, attempting that anybody with a domain name could have a free certificate, as a way to help the expansion of the safe protocol HTTPS on the network.

Laws against 0days

We finish with a text to read calmly, not for its complexity but because is a quite complete report about the world of 0days vulnerabilities. Right now in USA and Europe are discussing laws which, among other topics, want to put order in the market of the 0days: from the legality of the hacking tools which discover a 0day until the rules for its exportation. Report which is worth to make us a clear idea about this tough topic.

And we finish this way the day where more articles have been written about “Back to the Future”. On our part we tried to follow the “meme” but without mortgaging the quality of our information. We hope we've achieved it.


Post a Comment