Friday, August 5, 2011

Mobile Payment Device Square Shows It's Not In Shape Yet

The tech world has been buzzing for the last year about the mobile payment device Square. Its inventor, Jack Dorsey, who also founded Twitter, has been marketing it as a boon for small businesses and independent vendors.



But it could be cyber criminals who profit the most, stealing credit card data from the device's easily hacked audio recognition software. Tech blog Mashable reports:


Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information, without even having the physical credit card.

Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.

In order to bypass the need to swipe a card, Laurie wrote a simple program — in fewer than 100 lines of code — that enables him and Franken to feed magnetic strip data from stolen cards into a microphone and convert that data into an audio file. Once that is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.


Through a combination of proprietary knowledge and cutting edge tools and technology sets, Razorpoint helps security-minded organizations repel potentially lethal cyber threats that often elude mainstream network security providers. Contact us today to learn more about our security services.

Tuesday, July 26, 2011

US House of Representatives committee approves cybersecurity standards bill


The U.S. House of Representatives is getting more serious about cyber security by pushing a new bill through the Senate. According to Computer Weekly:



The US House of Representatives has passed a bill designed to increase education, research and development to counteract cyberthreats.


The House Science, Space and Technology Committee last week approved the Cybersecurity Enhancement Act of 2011, which mirrors legislation passed last year by the House, but that never made it to the Senate, according to US reports.



With technology developing at a faster rate than ever, Razorpoint Security, along with members of the U.S. Government, is working harder than ever to increase cyber security.

Wednesday, June 1, 2011

Sony Continues To Be Threatened By Cyber Criminals


The Sony Corporation, after suffering a cyber attack on its PlayStation Network of 70 million users in late April, is still receiving formidable threats.

A group of cyber criminals calling themselves LulzSec, who have taken responsibility for breaking into PBS' site last week, is upping the ante with the technology company.

From CNET:

The group...has been promising Sony attacks since this past weekend when it posted to its Twitter account that it is engaged in an operation it calls "Sownage," shorthand for Sony Ownage. The group stated at the time that it was working on hatching a plan that would be the "beginning of the end" for Sony. It has yet to reveal what it has planned. But yesterday the group said that the attack was already under way, seemingly without Sony's knowledge.

We at Razorpoint Security continue to take a serious interest in this story. If you feel your company needs tighter network security in defending against cyber-criminality, reach out to us.

Wednesday, May 25, 2011

Security Provider Finds Vulnerabilities In Cisco Systems' Devices


At Razorpoint Security, we always stress that gadgets are not always the answer to finding holes in network security. But when it's the devices themselves that are allowing this breach, the network could at times be more complex to monitor. Such is the case with Cisco Systems, who recently found out their equipment has vulnerabilities they've been trying to patch up since 2010.

According to PC World's Business Center,


"The findings hint at two apparently contradictory themes, that of uniformity and complexity.


"The uniformity derives from the commoditization of IT equipment over the last decade, which has left companies of all sizes, in all countries and in all business sectors using similar families of products which are therefore open to the same vulnerabilities, including PSIRT 109444.


"As networks have become more uniform around standards and more commoditized, vendors have responded by competing in terms of features and development, which has created more complexity within the product families of dominant vendors such as Cisco. As complexity rises, so do the problems associated with management. Dimension also found that many network devices looked at in its assessments suffered from a range of configuration and policy violation issues in ways connected to this theme."

Friday, April 29, 2011

Cloud Computing Security

The next rush into creating complex networks for corporations and personal computing has been to store personal data on a cloud. The cloud uses a large network instead of localization to run applications and devices.

With so many people investing in the cloud to bring server costs down, it would seem obvious that the more people working on the same network, the more vulnerable it becomes.

Many service providers understand this, but have put the burden on their customers to keep information secured.

From The Wall Street Journal:

"The majority of cloud service providers do not consider security as one of their most important responsibilities according to a surprising survey released yesterday.


"The survey of 127 cloud service providers, 24 in six European countries, the others in the U.S., by the U.S.-based Ponemon Institute found that a majority of providers believe it is their customer’s responsibility to secure data."


Friday, February 25, 2011

Experts: Web Generation Clueless About Online Privacy

Last April Fool's Day, the online game store Gamestation.co.uk created a customer license agreement that asked gamers for their immortal souls. About 7,500 gamers unthinkingly clicked the "agree" button without reading the devilishly fine print.


The gamers kept their souls, but plenty of netizens have clicked "I agree" to download a new music service, software update or game demo without realizing that they had agreed to let the service provider access their personal information. Many more don't bother to figure out how to update their ever-changing privacy settings on social networks such as Facebook.


Thoughtless users don't deserve all the blame for giving up their personal privacy so easily. Online privacy safeguards have been deliberately designed to be irrelevant or annoying to the online experience, said Bruce Schneier, a security consultant who works with British Telecom.


The challenge is whether new generations that have never known a world without the Internet can adapt their online habits to better secure their privacy.


"The business of social networking sites is to invade privacy, because they want more users who lead to more revenue," Schneier explained. "The [user settings] are deliberately designed to be difficult to navigate and opaque."


Schneier spoke as a member of a panel at a symposium titled "Promoting Security and Sustaining Privacy: How Do We Find the Right Balance?" at the American Association for the Advancement of Science conference in Washington, D.C. on Feb. 19.


The Internet generation gap


Some of those who inherit the digital age often don't realize just how much information is being gathered about them all the time when they surf the Web. Others have simply become used to trading away personal information in exchange for Internet-based services that they find useful.


Either way, sometimes it seems the "kids don't give a damn," according to Stephan Lechner of the European Commission's Joint Research Centre Institute for Protection and Security of the Citizen.


But Lechner, who sat on the panel, also pointed to the clunky legal language of long customer license agreements by bringing up the April Fool's example.


Schneier put a slightly different spin on the problem.


"The Internet generation cares very much about privacy," Schneier said. "They might be terrible at it, but they care about it."


Many young netizens have "social fluency" when it comes to navigating the Internet, but they lack the technical knowledge of "where the computer ends and the Internet begins," Schneier pointed out.


They may not know that much of the information which they disclose to social networking websites and consumer websites is no longer "private" in any strong sense of the word.


But teaching people to better safeguard their privacy can prove tricky as people spend more and more of their time doing computer-related tasks and storing data purely online – the huge trend known as cloud computing.


Other issues come up because of shifting privacy safeguards, such as Facebook's habit of regularly changing its privacy policies.


"This is a problem if you are educating the young and the unknowledgeable; how would you educate them if the info you tell them is outdated in a very short time?" Lechner said.


Forever playing catch-up


The panel experts mostly agreed that humans may never catch up if they hope to adjust social norms and behaviors to the rapid pace of new technological advances.


"I'm wondering if we can't educate users," Schneier said. "I'm not sure we can. I think things are moving too fast."


But a more hopeful view came from Katharina Zweig, a computer science researcher at the University of Heidelberg in Germany, who attended the symposium as an audience member.


The problem is that people fail to realize how the software behind social networks or consumer websites can easily dig up personal information online without direct consent of the human user, Zweig said. She suggested teaching people the difference between the capabilities of a computer and a human.


"I think we can educate people about the fundamental difference between computer thinking and human thinking," Zweig told LiveScience.


If successful, such an approach could help young generations better appreciate the faceless programs behind the Internet websites and services.


After all, "the Internet never forgets," said Jeremy Pitt at the Institute for Security, Science and Technology of the Imperial College in London, and the third member of the panel.


"One question my five-year-old daughter asked, which completely floored me, was 'Does the Internet know who I am?'" Pitt said. "This question was wrong on so many levels."


Schneier jumped in before Pitt had finished.


"It's easy -- the answer is yes," Schneier said.

Wednesday, February 23, 2011

Facebook Phishing Scam Uses Fake Login Page

A new phishing scam currently spreading through Facebook is proving how important it is to read the fine print.

The scam uses chat messages and wall posts on friends’ pages to trick users into thinking they are being directed to a Facebook application, according to the security firm F-Secure.


Instead of landing on the app page, users instead find themselves on a genuine-looking Facebook login page, where they are asked to re-authenticate their account by entering their e-mail address and password.


But if users look carefully at the login page, they realize the URL in the browser’s menu bar includes “.ru” after the regular Facebook.com address, meaning it’s not a legitimate Facebook site, and any information entered can be easily swiped by the cybercriminals perpetrating the phishing scam.


F-Secure says that although this particular Facebook scam hasn’t spread quickly, Facebook users should always be careful when asked to enter any information, and to be especially wary of links, even if they appear to come from friends.
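The ".ru after Facebook.com" trick described above works because people, and naive link filters, look for the familiar name anywhere in the address instead of checking where the hostname ends. The following is an added example, not part of the original post or of F-Secure's report; the trusted-domain list and every sample URL are constructed for illustration.

```javascript
// Decide whether a link points at a trusted site by comparing the parsed
// hostname, never by searching the URL text.
// TRUSTED_DOMAINS and SAMPLE_LINKS are constructed for this example.
const TRUSTED_DOMAINS = ["facebook.com"];

// Naive check that the phishing page defeats: the name merely appears.
function naiveLooksTrusted(link) {
  return TRUSTED_DOMAINS.some((d) => link.toLowerCase().includes(d));
}

// Returns { trusted, host, reason } for a link.
function classifyLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { trusted: false, host: null, reason: "unparseable" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { trusted: false, host: null, reason: "non-web scheme" };
  }
  // hostname is lower-cased and excludes any user@ part; strip a root dot.
  const host = url.hostname.replace(/\.$/, "");
  for (const d of TRUSTED_DOMAINS) {
    if (host === d || host.endsWith("." + d)) {
      return { trusted: true, host, reason: "host is " + d + " or a subdomain" };
    }
    // Trusted name used as leading labels of some other domain.
    if (host.startsWith(d + ".") || host.includes("." + d + ".")) {
      return { trusted: false, host, reason: "lookalike: " + d + " is only a prefix" };
    }
  }
  return { trusted: false, host, reason: "unrelated host" };
}

const SAMPLE_LINKS = [
  "https://WWW.Facebook.com/login.php",      // genuine host
  "http://www.facebook.com.ru/login.php",    // pattern described in the post
  "https://facebook.com@login.example.ru/",  // name hidden in the user@ part
  "https://notfacebook.com/",                // name embedded in another label
];
for (const link of SAMPLE_LINKS) {
  const r = classifyLink(link);
  console.log(naiveLooksTrusted(link), r.trusted, r.host, "-", r.reason);
}
```

The naive substring check accepts all four sample links; the hostname comparison accepts only the first.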


Defend and protect your identity with Razorpoint Security Services!