(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Further to the recent story on Memory Trolling for PCI data, I was able to spend one more day fishing in memory. I dug a bit deeper and came up with more fun Credit Card / Memory goodness with our friend the Point of Sale application.

First of all, just searching for credit card numbers returns a lot of duplicates, as indicated in yesterday's story. In the station and POS application I was working with, it turns out that if you search for the card number string plus the word "Approved", a single line is returned per transaction, with the credit card and PIN. For instance, to find (and count) all Visa card transactions (one record per transaction):

strings memdump.img | grep VISA | grep -i APPROVED | wc -l

In addition, I was able to find several hundred debit card numbers simply by using the same search approach with the term "INTERAC" instead. Note that this search gets you both the approved and not-approved transactions.

strings memdump.img | grep INTERAC | grep -i APPROVED | wc -l

With that done, I started looking at the duplicate data, and realized that some of the duplicate "records" I was tossing out looked interesting - sort of XML-like. Upon closer inspection, it turns out that they were fully formed MS SQL posts (and no, just as with the credit card numbers themselves, I won't be sharing the text of any of those).

Interestingly, the SQL post formatted the credit card numbers as 123456******1234, such that the first 6 and last 4 digits are in clear text, but the middle digits are masked out.

This lines right up with the PCI 2.0 spec, section 3.3, which indicates that if you mask a PAN (Primary Account Number) that way, it is no longer considered sensitive (https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf). I'm not sure how keen I am on 3.3 - I can see that storing this info allows the merchant to use it as a "pseudo customer number", so that they can track repeat purchases and so on, but I'm not sure that the benefits outweigh the risks in this case. I'd much prefer encrypting on the reader itself, so that the merchant and POS software never sees the card number at all - it's encrypted right from the reader to the payment processor (or gateway).
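To show both halves of the above in one place, here is an added example (not part of the diary, and not code from any POS vendor): a small Python audit script that does in one pass what the strings | grep pipeline does, plus what a defender auditing a memory image for PAN exposure would want on top. It pulls printable strings out of a dump, picks out 13-19 digit runs, drops those that fail the Luhn checksum (to cut serial numbers and similar noise), deduplicates verbatim copies of the same record, and reports every hit only in the first-6/last-4 masked form that PCI DSS 3.3 describes, so the audit report itself never contains a clear PAN. The memory dump, the card numbers (well-known test numbers) and the record layout are all constructed for the example; the brand and status markers mirror the diary's grep VISA | grep -i APPROVED filter.

```python
"""Audit a memory dump for exposed card numbers and report them masked.

Added example, not from the ISC diary. Sample data below is constructed;
the card numbers are publicly known test numbers, not real accounts.
"""
import re

# Printable ASCII runs of 4 or more characters, roughly what strings(1) emits.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Candidate PAN: a 13-19 digit run that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first 6 + last 4, the form PCI DSS 3.3 allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_strings(blob: bytes):
    """Yield printable strings from a binary blob, like the strings tool."""
    for m in STRINGS_RE.finditer(blob):
        yield m.group(0).decode("ascii")


def audit_dump(blob: bytes, brand_marker: str = "VISA",
               status_marker: str = "APPROVED") -> dict:
    """Scan a dump and return a report that contains only masked PANs.

    A string counts as one transaction record when it holds a Luhn-valid PAN,
    the brand marker (case-sensitive, like grep VISA) and the status marker
    (case-insensitive, like grep -i APPROVED). Identical copies of the same
    record, which memory images are full of, collapse to one entry.
    """
    masked_pans = set()
    transaction_lines = set()
    luhn_failures = 0
    for line in extract_strings(blob):
        safe_line = line
        hit = False
        for pan in PAN_RE.findall(line):
            if not luhn_ok(pan):
                luhn_failures += 1
                continue
            masked = mask_pan(pan)
            masked_pans.add(masked)
            safe_line = safe_line.replace(pan, masked)
            hit = True
        if hit and brand_marker in line and status_marker.lower() in line.lower():
            transaction_lines.add(safe_line)
    return {
        "masked_pans": sorted(masked_pans),
        "transaction_lines": sorted(transaction_lines),
        "luhn_failures": luhn_failures,
    }


# Constructed stand-in for a memory image: NUL-separated records, one exact
# duplicate, a bare card fragment, a declined transaction, a non-card digit
# run that fails Luhn, and an already-masked SQL fragment.
SAMPLE_DUMP = (
    b"\x00\x00junk\x00"
    b"TXN 0001 VISA 4111111111111111 APPROVED 19.99\x00"
    b"TXN 0001 VISA 4111111111111111 APPROVED 19.99\x00"
    b"CARD=4111111111111111\x00"
    b"TXN 0002 VISA 4012888888881881 NOT APPROVED 5.00\x00"
    b"TXN 0003 INTERAC 5555555555554444 APPROVED 42.10\x00"
    b"SERIAL 4111111111111112\x00"
    b"<Sql>UPDATE cards SET pan='401288******1881'</Sql>\x00"
    b"\xff\xfe"
)

if __name__ == "__main__":
    report = audit_dump(SAMPLE_DUMP)
    for rec in report["transaction_lines"]:
        print(rec)
    print(len(report["transaction_lines"]), "unique VISA transaction records,",
          report["luhn_failures"], "digit run(s) rejected by Luhn")
```

Two things the run makes visible that the grep pipeline alone does not: the already-masked value in the SQL fragment is never flagged, because six digits on either side of the asterisks do not form a PAN, and the declined record still shows up under a case-insensitive match on APPROVED, which is the same behaviour the INTERAC search in the diary exhibits. Swap brand_marker for "INTERAC" to reproduce that second search.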

As I said when I started this, I'm not the expert memory carver that some of our readers are - please, use our comment section and tell us what interesting things you've found in a memory image!

Rob VandenBrink

You may already be dorking.

In a restricted intelligence document distributed to police, public safety, and security organizations in July, the Department of Homeland Security warned of a “malicious activity” that could expose secrets and security vulnerabilities in organizations’ information systems. The name of that activity: “Google dorking.”

“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,” the for-official-use-only Roll Call Release warned. “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.”

That’s right, if you’re using advanced operators for search on Google, such as “site:arstechnica.com” or “filetype:xls,” you’re behaving like a “malicious cyber actor.” Some organizations will react to you accessing information they thought was hidden as if you were a cybercriminal, as reporters at Scripps found out last year. Those individuals were accused of “hacking” the website of free cellphone provider TerraCom after discovering sensitive customer data openly accessible from the Internet via a Google search and an “automated” hacking tool: GNU’s Wget.



Posted by InfoSec News on Aug 27


By Ira Winkler
Aug 26, 2014

When the Black Hat conference moved to the Mandalay Bay hotel, I was
curious as to what would be different. Over the years, Black Hat has
evolved into something very different than how it started. Whether it has
been a good or bad evolution depends on your perspective.

As background, I have the honor of being the first...
IBM Eclipse Help System CVE-2014-0917 Cross Site Scripting Vulnerability
IBM Eclipse Help System CVE-2014-0918 Directory Traversal Vulnerability

Posted by InfoSec News on Aug 27


By Erin McCann
Associate Editor
Healthcare IT News
August 26, 2014

Cedars-Sinai Health System is notifying its patients of a HIPAA breach,
after an unencrypted hospital laptop containing patient medical data and
Social Security numbers was stolen from an employee's home.

Despite saying they were mailing breach notification letters this week,
hospital officials...
Juniper Network and Security Manager CVE-2014-3411 Remote Code Execution Vulnerability
Transport Gateway for Smart Call Home CVE-2014-3344 Multiple Cross Site Scripting Vulnerabilities
CSWorks LiveData Service CVE-2014-2351 SQL Injection Vulnerability

Posted by InfoSec News on Aug 27


By Jaikumar Vijayan
Aug 26, 2014

Electric carmaker Tesla Motors wants security researchers to hack its
vehicles. In coming months, the Silicon Valley based high-tech carmaker
will hire up to 30 full-time hackers whose job will be to find and close
vulnerabilities in the sophisticated firmware that controls its cars....

Posted by InfoSec News on Aug 27


By Kim Zetter
Threat Level

As the acting cybersecurity chief of a federal agency, Timothy DeFoggi
should have been well versed in the digital footprints users leave behind
online when they visit web sites and download images.

But DeFoggi—convicted today in Maryland on three child porn charges
including conspiracy to solicit and...

Posted by InfoSec News on Aug 27


By Queena Kim
August 25, 2014

I wanted to talk to people who are learning how to become cybersecurity
professionals. With all the security break-ins that we've seen recently, I
thought they would be easy to find. At a Silicon Valley university, maybe?
Or in a Bay Area tech school?

Nope! In the end I had to go to Vegas, of all places, to a hacker...
Huawei Campus Series Switches User Enumeration Weakness

Why physical security (and InfoSec!) still matter
CSO Online
In the current era of mega-(should I say giga-?) breaches with tens to hundreds of millions of lost customer records and the hacking-of-everything, it is safe to assume that the logical security of devices becomes almost more important than the ...

Linux Kernel 'ISOFS' Stack-Based Buffer Overflow Vulnerability
Django CVE-2014-0481 Denial of Service Vulnerability

More than a year after former National Security Agency contractor Edward Snowden leaked secret documents describing the breadth and depth of US surveillance, policy makers continue to debate the legal framework for such monitoring.

Yet a number of technology startups are blazing ahead to create a range of products that promise to restore people's privacy online. Silent Circle, WhisperSystems, and Wickr offer a variety of services, from private instant messaging to secure data storage to encrypted phone calls. Other companies, such as Blackphone, have focused on creating a secure smartphone for the privacy-conscious.

And even newer ideas are in the offing. A small Silicon Valley technology firm, for example, has designed a plug-in black box for smartphones that can encrypt a voice call on the fly and is seeking funding on Kickstarter. Called JackPair, the box can be connected between a smartphone and the user's headphones and encrypt conversations with another JackPair user, said Jeffrey Chang, founder of AWIT Systems, the firm behind the product.


Synchronizing Key Server CVE-2014-3207 Unspecified Cross Site Scripting Vulnerability
Lua 'ldo.c' Remote Code Execution Vulnerability
PHP Pear '/tmp/' Directory Insecure Temporary File Creation Vulnerability
Last CFP: ICETC2014 - IEEE - Poland (Deadline: Aug. 30)
[SECURITY] [DSA 3012-1] eglibc security update
Encore Discovery Solution Multiple Vulnerability Disclosure
MediaWiki 'jsonp callbacks' Unspecified Security Vulnerability
SaaS Marketing platform Hubspot export vulnerability
Fwd: RFC 7359 on Layer 3 Virtual Private Network (VPN) Tunnel Traffic Leakages in Dual-Stack Hosts/Networks
Mathematica10.0.0 on Linux /tmp/MathLink vulnerability