Skimming, leaking and guessing — some followups to earlier posts

One thing that’s difficult when I teach course 468, System and Network Security Introduction, or anything else, for that matter, is to follow up on topics we’ve discussed in the past. The format of a blog, however, makes this quite easy. Here are a few follow-ups from earlier posts.

In Real Keylogging Threats I talked about point-of-sale credit/debit card skimmers. Gizmodo ran a story, complete with video, about just such skimmers. It references an article from Krebs On Security. What’s interesting about the skimmer is that it places an overlay on the terminal. That overlay is just ever so slightly larger than the terminal itself, making it seem as though it wasn’t there. Only someone with a ruler or very keen eyes would notice it.

The overlay does seem to have some of its own keys, so it’s possible that a clerk might notice that the keys looked cleaner or less worn than those on the real terminal. However, it’s the holiday season and clerks might be just a bit busy with the extra traffic. I suppose one defense for this specific attack might be to mark the keys in some noticeable way (a blue “5” key, for instance) and try to get the clerks to check each time, but the marking would have to be different for each terminal (or at least there’d need to be a substantial mix) so it would be difficult for attackers to know how to modify the “replacement skins”.

On another front, Ars Technica reports on the discovery of yet another large database of stolen passwords. These are from Facebook, Twitter and others. Of the 1.5 million entries in the database only 0.1% came from the US. Of course, the article goes on to report on the quality of the passwords, with entries such as “123456” continuing to show up. Sigh.

I’ve only touched briefly on PIN guessing, but there is a new tool on the internet: Telepathwords. The tool claims to help prevent weak passwords by “reading your mind”. It doesn’t, of course, use your PC’s mind interface to do that. Instead it uses probability, word lists from security breaches and some other common-sense ideas to try to decide what character you’ll type next. I didn’t try them all, but I could not find a first character it didn’t predict. It even said it predicted the “=&$” I tried as a start for a password. Play with this and let us know what kind of results you get, but, of course, don’t try a real password…
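To make the idea behind the two password items above concrete (the breach database of weak entries like “123456”, and Telepathwords guessing your next character), here is a small added example that is not part of the original post and not Telepathwords’ own code. It builds a character-level Markov model from a constructed list of common passwords standing in for a breach-derived word list, then, for each character of a candidate password, reports whether a guesser working from that model would have predicted it. Characters the model predicts are the cheap ones; what’s left over is a rough measure of how much the password actually resists guessing. The corpus, the order of the model and the “top 3 guesses” cutoff are all my assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed stand-in for a breach-derived password list (not real leaked data,
# just widely known weak choices). A real deployment would use a far larger corpus.
LEAKED_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
]
LEAKED_SET = set(LEAKED_PASSWORDS)

START = "^"  # sentinel marking "beginning of password" in a context


def build_models(passwords, max_order=2):
    """For each context length 0..max_order, count which character follows
    each context. Shorter orders exist so prediction can back off when the
    full context was never seen in the corpus."""
    models = {}
    for order in range(max_order + 1):
        counts = defaultdict(Counter)
        for pw in passwords:
            padded = START * order + pw
            for i in range(order, len(padded)):
                counts[padded[i - order:i]][padded[i]] += 1
        models[order] = counts
    return models


def predict_next(models, typed_so_far, top=3):
    """Return the `top` most likely next characters given what has been typed,
    backing off from the longest context to the plain character frequency."""
    max_order = max(models)
    padded = START * max_order + typed_so_far
    for order in range(max_order, -1, -1):
        ctx = padded[len(padded) - order:] if order > 0 else ""
        counts = models[order].get(ctx)
        if counts:
            return [ch for ch, _ in counts.most_common(top)]
    return []  # empty corpus


def score_password(models, password, top=3):
    """Telepathwords-style feedback: a flag per character saying whether the
    model would have guessed it, how many characters it could not guess, and
    whether the whole password is simply present in the breach list."""
    predicted = [ch in predict_next(models, password[:i], top)
                 for i, ch in enumerate(password)]
    return {
        "password": password,
        "predicted": predicted,
        "unpredicted_chars": predicted.count(False),
        "in_breach_list": password in LEAKED_SET,
    }


def strength_report(password):
    """Convenience wrapper: build the model from the sample corpus and score."""
    return score_password(build_models(LEAKED_PASSWORDS), password)


if __name__ == "__main__":
    for candidate in ["123456", "=&$", "correct horse"]:
        r = strength_report(candidate)
        marks = "".join("." if p else ch for ch, p in zip(candidate, r["predicted"]))
        print(f"{candidate!r}: {marks}  unpredicted={r['unpredicted_chars']}"
              f"  in_breach_list={r['in_breach_list']}")
```

Run against this tiny corpus, every character of “123456” is predicted (and it is in the list outright), whereas none of “=&$” is, because the model has never seen those characters at all. That is also the limitation worth remembering: a guesser with a richer corpus, keyboard-walk rules and leet-speak substitutions would predict far more than this toy does, so “unpredicted here” is an upper bound on strength, not a guarantee.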
