armb: Dog jumping in water (Default)
http://www.autosec.org/pubs/cars-oakland2010.pdf
"Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on."

If I'd seen some of the possible attacks on a TV show or in a film, I'd have thought it was implausible that so few safeguards were built into the system. In real life there almost certainly isn't someone wanting to compromise your car in this way, and they could use cruder and easier to detect physical methods anyway, but the way some of the protocol specifications have safety or security features that the actual implementations ignore is still worrying.
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
"In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network."

http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
The possibility of interception attacks on isn't new
http://www.lightbluetouchpaper.org/2006/03/15/chip-and-skim/

However, not only is it possible to tamper with readers, large numbers have been tampered with "either during the manufacturing process at a factory in China, or shortly after they came off the production line":
http://www.schneier.com/blog/archives/2008/10/new_chip-and-pi.html
http://www.lightbluetouchpaper.org/2007/11/20/government-security-failure/
"HM Revenue and Customs has lost the data of 15 million child benefit recipients, and that the head of HMRC has resigned."

http://www.theregister.co.uk/2007/11/20/database_bad_say_docs/
"three-quarters [of GPs] say records will be less secure once they are made available to NHS and social service staff on the central database."

http://www.theregister.co.uk/2007/11/21/hmarc_ebay_auction/
Spoof eBay sale of the missing disks.
http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/
"An animal rights activist has been ordered to hand over her encryption keys to the authorities."
"The woman says that any encrypted data put on the PC must have been put there by somebody else."

Possibly now would be a good time to point out that, having a professional interest in security and cryptography, it's entirely possible that I will have encrypted random test files that I have no idea at all of the password for. (There's at least one such file in the revision control system at work, though we do now have the decrypted version too, and I know who probably still has the piece of paper from the envelope we got to open when we paid the fee for access to the escrow version.)
See also http://www.lightbluetouchpaper.org/2007/09/30/time-to-forget/
bruce_schneier has an interesting method for getting your expensive camera looked after on a plane if you can't carry it as hand luggage - check it in the same bag as a weapon. Starting pistols count as weapons for this purpose.
The university security research group have a website, http://www.chipandspin.co.uk, about why Chip and PIN isn't the unalloyed wonderfulness the banks tend to present it as. Via Light Blue Touchpaper, reporting that they've built a working interceptor.
(An earlier post on the subject of Chip and PIN)
I've been asked for a PIN number a few times recently while using a Switch card, so this explanation of why it might not be a good idea is timely. Key point:
"The intention is to reduce losses from banks and merchants resulting from fraud. [...] There are two ways that losses to fraud can be reduced:
1. by reducing the amount of fraud which takes place; and,
2. by not paying compensation to people who are defrauded."
Past experience suggests that banks might concentrate on the second.
