Berkeley CSUA MOTD:Entry 22994
2001/11/9-10 [Computer/SW/Security] UID:22994 Activity:nil
11/9    In case you thought your money was safe:
        http://www.theregister.co.uk/content/55/22751.html
Cache (2486 bytes)
www.theregister.co.uk/content/55/22751.html -> www.theregister.co.uk/2001/11/09/hack_your_bank/
Hack your bank for $995
By Kieren McCarthy
Published Friday 9th November 2001 13:54 GMT

Banks all over the world can be hacked and PIN numbers seized by exploiting a flaw in a common cryptoprocessor made by IBM, researchers from Cambridge University have found.

The cryptoprocessor in question, the IBM 4758, sits at the end of cash machines and scrambles the PIN number that people type in, as well as the program used to verify the PIN at the other end. It uses a minimum 64-bit encryption (112-bit for keys), conforms to the US Data Encryption Standard FIPS 140-1 Level 4 and was thought to be impossible to crack, even physically.

But the problem does not lie with the cryptoprocessor but with the software it runs - Common Cryptographic Architecture (CCA), which comes free with the 4758. The CCA software requires two or more people to combine their access privileges before any security changes can be made. As such, it was thought that codes could only be cracked if there was collusion between two high-level bank employees.

The Cambridge researchers - Michael Bond and Richard Clayton - found however that they could persuade the 4758 to send its encryption key (stored only within the cryptoprocessor itself) to them if it was itself encrypted with a 3DES (triple DES security) key. All you need to know is the value of the "exporter key". Thus, with "a mixture of sleight-of-hand and raw processing power", you can get hold of a cryptoprocessor's key and from that point you can access every piece of data sent through it - which could be hundreds of thousands of card numbers with their relevant PINs.

The only problem then remaining is getting a high-enough level of access to a bank's computer system. Messrs Bond and Clayton reckon they need 20 minutes at a console to get the information and then two days or so to break it down. All you need is some nous and a standard $995 Altera FPGA evaluation board.

The researchers posted full and extensive details of their methods on the Internet last night, stating that "our main reason for publishing this attack is to demonstrate the power of our parallel key search machine". They also allege that IBM was informed of the possibility of such an attack a year ago but has failed to fix the problem or produce any patches. That now looks very likely to happen, and banks that use the 4758 will have to upgrade security immediately at huge cost. The entire business can be seen at the researchers' Web site here.