Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×

Comment Re:Why are they storing this data anyway? (Score 4, Insightful) 213

by snowraver1 (#45802489) Attached to: Encrypted PIN Data Taken In Target Breach
I have been doing card processing for a living for 7 years now. The pin, of course, has to go over the wire along with the track2 data. How exactly that happens can differ greatly though. Larger merchants are more likely to use some sort of middleware processing software, and that introduces weaknesses. In many cases communication between the POS and middleware is plaintext. Scooping this data up would be trivial, but PCI mandates that unencrypted data has to be segregated off the network from non-PCI stuff. This makes things a bit trickier for an attacker.

As for Target, here's my take: This is the only information in the press release:

The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

If they were using "true" end-to-end encryption, there are no known attacks other than card skimmer magic*. If that was the case, there wouldn't be much of an investigation, as the facts (and scope) would be pretty clear.

That leaves a network packet monitor attack, a database related breach/attack, log file snarfing (depending on the vendor, log files can contain a LOT of data.), or something I'm not thinking of.

I find it odd that they say that pins have been pilfered, but not the card numbers. That, to me, suggests a DB related attack, and the attackers only got the pin table/columns. A list of pin numbers though, of course, is completely useless (8374 - Here's a free one) on it's own. Decrypting them should be trivial, given the limited number of possible pin numbers, even if the table was salted. But again, what would be the point. I'm guessing that the next release will say that card numbers were compromised as well.

As for the 3des part, It just doesn't make any sense. As other people have already said, 3des is symmetrical, so saying they don't have the key is impossible. My guess is that they are actually using SSL (which could then in turn negotiate a 3des key). If that is the case, then each session key would be unique, and target would never have "access" to it as it would only exist in RAM.

To my knowledge. I'd be happy/interested if someone could prove me wrong here.
Security

TSA Screening Barely Working Better Than Chance 337

Posted by samzenpus from the am-I-safe-now? dept.
rwise2112 writes "The General Accounting Office (GAO) has completed a study of the TSAs SPOT (Screening of Passengers by Observation Techniques) program and found the program is only slightly better than chance at finding criminals. Given that the TSA has spent almost a billion dollars on the program, that's a pretty poor record. As a result, the GAO is requesting that both Congress and the president withhold funding from the program until the TSA can demonstrate its effectiveness."

Comment Re:I do this (Score 2, Informative) 365

by snowraver1 (#45419129) Attached to: Nearly 1 In 4 Adults Surf the Web While Driving

set it to a collision that's double the actual speed they were driving while caught texting. (In other words, head-on collision with another vehicle doing the same speed

Actually, that is false. A head on collision with a vehicle of the same mass would be no different than the indestructible brick wall. Yes, when you add a second vehicle to the mix, you are doubling the amount of moving mass, but the absolute speed remains constant. In the end, the delta V is the same in both scenarios: X to 0. Now that we know that the delta V is the same, we just have to account for the deceleration rate, which is basically the same as the duration of the impact (crumple zones and all that). Since we have identical cars, they will deform at the same rate, acting as each others' brick wall. Once they collide, they would be exerting identical force on each other, so the front bumpers would remain in the same location, just like the brick wall. Since the front of your car can no longer move forward, the collision happens, and the body of your car absorbs the energy required to decelerate to 0. The energy released when two cars collide is doubled, but it is also spread over twice the area (ie, now you have 2 wrecked cars).

Submission + - How Broken Is The Internet?

Submitted by rueger
rueger writes: The NSA ( or your local variant) can capture or watch everything that you do on-line. Hacker/hacktivist/script kiddie groups shut down or deface large websites on a regular basis. Large companies attain market dominance then arbitrarily change terms and conditions, eliminate features and tools that millions of people use, and then sell your private information to the highest bidder. Companies as big as Adobe and as small as the town that I live next to get hacked, with customer data disappearing into places unknown. And we, the end users, are forced into computational gymnastics trying to satisfy password, user ID, captcha, and multi level authentication requirements that offer more of an obstacle than a protection.

There are now web sites that I don't use because of pop-ups; because I can never manage to actually remember the obscure password that I had to create, because they're paywalled, or because they've totally ruined their interface in the name of progress. Or that haven't bothered to update their code so that it functions on a mobile device. Or that bury real content under a deluge of advertising.

And of course there's The Cloud, a non-existent place where data floats around under the control of some other corporation, and where there's always a more than minimal chance that one morning the company, or just your data, will disappear. As in, what happens when the imps that hacked Adobe, or a government web site, manage to get into Amazon or Microsoft's cloud operations?

So, I ask. just how broken is the Internet today? And what can be done to fix it?

Slashdot Top Deals

Congratulations! You are the one-millionth user to log into our system. If there's anything special we can do for you, anything at all, don't hesitate to ask!

Close