How to Spot Ingenico Self-Checkout Skimmers

The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.

Source: How to Spot Ingenico Self-Checkout Skimmers — Krebs on Security

Stop Trying to Fix the User

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without­ — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ — “stress of mind, or knowledge of a long series of rules.”

Source: Security Design: Stop Trying to Fix the User – Schneier on Security

75 Percent of Bluetooth Smart Locks Can Be Hacked

Twelve out of 16 Bluetooth smart locks examined could be unlocked by a remote attacker, a researcher said at the DEF CON hacker conference.

Source: 75 Percent of Bluetooth Smart Locks Can Be Hacked

The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.


Americans abandoning wired home Internet, study shows

In plain English, they’re abandoning their wired Internet for a mobile-data-only diet — and if the trend continues, it could reflect a huge shift in the way we experience the Web.

Source: Americans abandoning wired home Internet, study shows | The Seattle Times

Seventeen percent of households making between $75,000 and $100,000 are mobile-only now, compared with 8 percent two years ago. And 15 percent of households earning more than $100,000 are mobile-only, versus 6 percent in 2013.

HDMI Cable Overview

HDMI is a horrid format; it was badly thought out and badly designed, and the failures of its design are so apparent that they could have been addressed and resolved with very little fuss. Why they weren’t, exactly, is really anyone’s guess, but the key has to be that the standard was not intended to provide a benefit to the consumer, but to such content providers as movie studios and the like. It would have been in the consumer’s best interests to develop a standard that was robust and reliable over distance, that could be switched, amplified, and distributed economically, and that connects securely to devices; but the consumer’s interests were, sadly, not really a priority for the developers of the HDMI standard.

Source: HDMI Cable Overview — Blue Jeans Cable

Interfaces last longer than code

How do you recognize a good API? It’s tough, but one thing is sure, a good interface allows easy swapping of components. If it doesn’t allow easy swapping of components, it’s not a good interface.

Source: 9 – systemD: Interfaces last longer than code – Slashdot

Throughout systemd there is a lack of understanding of proper interfaces. Making the GUI depend on a particular init system is a particularly obvious example of poor design, but the code was written from a ‘code first’ perspective rather than an ‘interface first’ perspective.

IoT Hubs Expose Connected Homes to Hackers

Many of the most serious flaws revealed a kind of sloppiness in the design and production of the devices, Brandon Creighton, Veracode’s research architect, told The Security Ledger. For example: both the Ubi and Wink Relay devices left debugging interfaces exposed and unsecured in their shipped product.  That could provide an avenue for attackers who had access to the same network as the device to steal information or bypass other security controls.

Exposed debugging interfaces are useful during product testing, but have little or no utility to consumers. That suggests that the companies merely forgot to restrict access to them before shipping, Creighton said.

via Research: IoT Hubs Expose Connected Homes to Hackers | The Security Ledger.

Why aren’t we using SSH for everything?

A few weeks ago, I wrote ssh-chat.

The idea is simple: You open your terminal and type,

$ ssh

Unlike many others, you might stop yourself before typing “ls” and notice — that’s no shell, it’s a chat room!

via Why aren’t we using SSH for everything? — Medium.

I was just thinking about how useful and simple ssh is for doing end to end encryption for various services before being notified of this post.  On a linux box you can ssh -X remotehost and bring up any X-windowed app from a terminal command.  Very simple.  Very useful. Very secure.  For copying files there’s the scp command.  And one final shout out to the sshfs command for mounting remote filesystems.

Dan Farmer Presents Research on IPMI Vulnerabilities

IPMI runs regardless of the underlying operating system and operates on UDP port 623 through a server’s network port or its own Ethernet port. It runs continuously, Farmer said, unless the plug is literally pulled. Moore’s scan pulled up 230,000 responses over port 623, an admittedly tiny slice of the overall number of implementations. Yet Farmer concludes that 90 percent of BMCs running IPMI could be compromised because of default or weak passwords or weaknesses in the protocol, not only implicating the host server but others in the same management group because, as he discovered, some vendors share common passwords.

via Dan Farmer Presents Research on IPMI Vulnerabilities | Threatpost | The first stop for security news.

BMC = Baseboard Management Controller, a separate device attached to motherboards for management purposes.  This isn’t the first article to point out vulnerabilities in IPMI.  It has been noted that IPMI should run on its own intranet and not the public internet.  Providing another layer of security to this interface may mitigate any problems.  IPMI can’t be any less secure than SNMP.