To illustrate the points we have covered so far, I’d like to share a real-life story with you that happened to me a few months ago. We were hired by the CIO of a large bank in Texas to perform an internal and external penetration test and site assessment. What happened within the first 45 minutes will hopefully shock you. We have been talking about the first steps in building an Information Security Program that really works, and most importantly we are beginning to lay down the foundation of a “layered” security approach. This story will clearly illustrate why that is a good idea.

When I begin to perform a site assessment, I will usually arrive at the bank’s main administrative office 30 minutes before opening. While in the parking lot, I can easily check for wireless devices, and drive around the building looking for possible entrances. I especially look for employee entrances, designated smoking areas, and external telco closet doors. As the traffic begins to pick up in th ... Читать дальше »

Banks all over the world can be hacked and PIN numbers seized by exploiting a flaw in a common cryptoprocessor made by IBM, researchers from Cambridge University have found.

The cryptoprocessor in question, the IBM 4758, sits at the end of cash machines and scrambles the PIN number that people type in, as well as the program used to verify the PIN at the other end.

It uses a minimum 64-bit encryption (112-bit for keys), conforms to the US Data Encryption Standard FIPS 140-1 Level 4 and was thought to be impossible to crack, even physically. But the problem does not lie with the cryptoprocessor but the software it runs on - Common Cryptographic Architecture (CCA), which comes free with the 4758.

The CCA software requires two or more people to combine their access priviledges before any security changes can be made. As such, it was thought that codes could only be cracked if there was collusion betw ... Читать дальше »