General Protection Fault indeed.

Ok, so ATMs are computing devices and ergo they’re vulnerable to attack. Why is this attack interesting? Why is it worth a post? Well, let’s start here:

“This is not something the average hacker on the street would have access to,” he adds. “They need physical access to the ATM — they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software. ”

Even the outsider attacks are insider attacks. You know, with the technological advancements in virtualization, I can’t help wondering if the attackers didn’t just develop against a virtual machine. Heck, I can’t imagine that Diebold doesn’t have a way to virtualize their own ATMs for development and testing. So, conclusion #1: just because you are an ‘appliance’ doesn’t mean you can’t be copied and hacked.

“The Trojan collected PINs and the so-called Track 2 encrypted data stored on magnetic stripes on ATM cards, he says, which allowed the attackers to clone real ATM cards. They would then insert their own specially crafted card into the Trojan-infected ATM machine to gain access, and the machine would then spit out the stolen information via the machine’s printer.”

So they went to the trouble of hacking ATMs, but the only method they developed of delivering the data was for someone to walk up to the ATM and print out the info that’s been collected? Seems to me that if they’re skilled enough to pull off this hack, then they’re skilled enough to find a way to bulk deliver the data. Of course, sometimes low-tech is the most successful route, but it wouldn’t surprise me if this wasn’t a proof of concept or if this ATM malware doesn’t have a longer life in some unexpected way.

Senator(?) Norm Coleman

Here’s a post over at the nCircle blog about the Coleman campaign and a leak of donor data, including credit card information.

“You have your Internet persona, and you have what you actually do on the street,” Officer Ettienne said on Tuesday. “What you say on the Internet is all bravado talk, like what you say in a locker room.”

This is a very normal thing for human beings to do. In fact, culturally, we’re all about analysis by analogy. When you don’t understand a situation, you look for analogous situations from which you can glean rules of behavior. The problem is that social networking sites like Facebook and MySpace don’t fit. The lines between public and private are hard, and not always dependent on your perception (if you post a staus on Facebook and no one reads it, is it public?). Let’s all pay attention to Officer Ettienne and learn the lesson. Unless you’re very sure, better treat the forum as public information.

Heads up criminals with technical skills: Oracle products are wide open in most places! While 32% of these survey respondents are doing their cost-benefit analysis on patching their Oracle DBs, you could be stealing their data. A full 11% haven’t ever installed an Oracle patch. So get on the ball and get cracking…oh, you already have.

” ‘I think the feeling in those organizations is that since databases are a little more isolated than the desktop, there’s less of a [security] concern,’ said [Ian] Abramson, director of the enterprise data group at Thoughtcorp, an IT services firm in Toronto.”

No, Ian Abramson, it’s actually not the enterprises’ fault for mis-calculating the risk. They may have done so, but that’s not why these patches aren’t applied. Your aptly named cohort at the IOUG has it right:

“Patching databases in particular is a complex task that can require months of lab or and significant system downtime.” said Ian Abramson, the Independent Oracle Users Group’s president.

To recap, patches aren’t applied because it’s really hard to do so. Who makes it hard to apply the patches? The vendor does. Best thing Oracle could do for security would be to make applying patches easy…really easy.

This list really should be called “six things you should have been doing all along that tough economic times remind you about,” but that’s not a very catchy title. This list makes me mad, really. Why? At the risk of being overly verbose, let’s take them one by one:

1. Get out of the deployment business.

Why are you in the deployment business in the first place? Did you ask for responsibility for full disk encryption and web application firewalls? If you did, then, well, you asked for it. Pulling an ‘oh nevermind’ and giving it back isn’t going to make running information security any easier. If you didn’t ask for responsibility for these things, then you’ll have a tough time getting rid of them anyway.

2. Spread the cost of security with other groups.

Yes yes yes! But doing this in the midst of tough economic times is a recipe for disaster. You’re effectively trying to sell services into groups who have just as little money in their proverbial wallets as you do. Do you think they’ll want to buy? No. What happens when they don’t? You either continue to offer the service and manage the cost yourself (“if I don’t pay for this, what happens? Nothing…oh…”) or you don’t provide the service and security gets thrown under the economic bus.

3. Get more out of your existing security tools and systems.

Can’t argue with this one. Should be doing this all the time, of course. Just like the government, gotta cut expensive programs that don’t work.

4. Tie a security purchase to your compliance mandates.

Again, if you weren’t doing this before…

5. Outsource or automate some security functions.

As long as you’re not outsourcing your own job, that’s cool. Of course, outsourcing is addictive when successful, and expensive when it’s not. Taking new risks isn’t always a recipe for economic success.

6. Take advantage of a security buyer’s market.

“Reasonable security vendors will be flexible on pricing and payment terms, especially when they know you are well-informed about competing solutions,” WhiteHat’s Grossman says. “Ask for additional discounts if purchasing decisions are made quickly, or by committing to multiyear contracts. Then once you’ve selected a solution you really love, forge close relationships and help the vendor evangelize by serving as or reference or case study.”

Quick, everyone call Whitehat and tell them Jerimiah told you to ask for a discount! Really, it is a vendor’s dream that the customer will trade discounts for public endorsement of product. I suggest a tattoo with the vendor’s name, priced based on bodily location. It worked for this guy, I’m sure.