Monday, 26 April 2010

New Podcast: Home PC Malware (Virus) Protection

I released my "monthly" Podcast, yes it's officially a monthly Podcast now. Although I cheated and used a recent radio interview for the content.

The Podcast is about basic Home PC Malware (Virus, Worm, Trojan, Keylogger) Protection, and where to obtain decent Windows Anti-Virus Protection for Free. This podcast is aimed at day to day people outside the security industry.
Podcast: Home PC Malware (Virus) Protection

Dave @ ITSecurityExpert.co.uk - IT Security Expert - IT Security Expert UK Podcast - ITSecurityExpert on iTunes

To go with this Podcast I have the following links and recommendations.
Microsoft Windows Security Essentials
Anti-Virus & Anti-Spyware
https://support.microsoft.com/en-us/help/14210/security-essentials-download.
Requires licensed copy of Windows
Requires Windows XP, Vista and Windows 7
Windows XP, a PC with a CPU clock speed of 500 MHz or higher, and 256 MB RAM or higher.

AVG
Anti-Virus
www.AVG.com/FREE

AVAST
Anti-Virus
http://www.avast.com/

Spybot Search & Destroy
Anti-Spyware/Anti Adware Protection & Spyware/Adware Removal
http://www.safer-networking.org/en/download/

FURTHER INFORMATION & HELP
For more information read my blog posts "Anti-Virus: Completely Free as it should be" and "Does Apple Mac need Anti-Virus".

Monday, 19 April 2010

Does the Apple Mac need Anti-Virus Protection?

If you are running on the latest Mac OS X at home and you allow Apple to automatically update Mac OS X on demand, then my advice is No, you don’t need anti-virus protection on your Mac at home, well not at the moment anyway. Apple themselves go out of their way to state Mac OS X is not affected by viruses and protects itself from other malicious applications - "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box" - Apple.

A word of caution with my view, which will be highly controversial to some: the Mac malware situation could change in the future should the bad guys decide to target the Mac OS in anger. Theoretically this may happen if the bad guys started to find they aren’t getting any joy out of attacking Microsoft Windows PCs, however this is currently not the case, there are no significant shifts in the malware OS attack vector occurring. In my view, I feel the bad guys will actually move onto targeting the smart phone market in the future, of course this is a market which is well occupied by Apple.

In the meantime Mac users should guard against complacency, especially when considering all software will have its faults and therefore will have vulnerabilities to be exploited. Where we have an operating system, we are talking hundreds of thousands of lines of code, which is ultimately written by human beings, so it can never be perfect, while operating systems by their nature are highly complicated pieces of software. So it is safe to conclude no operating system can ever be regarded as being ‘secure’ and therefore can never be guaranteed to be vulnerability free; there is just no such thing as 100% security. The answer to this problem is to continually fix (patch) the operating systems as vulnerabilities become known, hence the importance of ensuring your Mac OS is automatically updated.

Going back to the lead question, today if I was a ‘home’ or mobile Mac user running OS X, I personally wouldn’t bother with deploying anti-virus protection, as the risk is currently extremely low, while Mac OS X itself does have good malware protection built in. I certainly wouldn't criticise anyone who wants to deploy anti-virus on their home Mac as a matter of precaution, of course the trade off in doing this is an impact on system performance and the cost of purchasing an anti-virus product.


Why aren’t Macs at the same risk as Windows?
The fact is the vast majority of malware (including viruses) is written specifically to exploit the world’s most popular operating systems, namely the Microsoft Windows range. There are well over a million documented* “viruses” which specifically target the Windows operating system, while there is only a handful of known viruses which target the Apple Mac operating system range, and of these, some are actually concept malware produced by good guys, but to my knowledge none currently work against the latest version of Mac OS X. The folk behind writing and deploying malware target the largest market share and the lowest hanging fruit, namely the OS they know is the easiest to exploit. Microsoft Windows operating systems are by far the most used operating systems on this planet and have arguably been among the weakest for security in comparison to other operating systems like Mac OS.

A third point often raised in this debate is that Windows users are less technologically savvy than Mac users (in other words more stupid!) and therefore are easier to "con" into clicking links which execute and install malware. I think this might have been true in the past, but today I note that many non-techies are using Macs, many people are simply choosing a Mac over a PC as a status or even fashion symbol, so I no longer buy the "PC users on average are more stupid than Mac users" argument.

Anti Virus Protection is no Guarantee
Anti-virus does not guarantee complete protection against all known viruses and malware. AV protection is only as good as the AV's latest update, and even then may not be able to stop all of the latest malware. So you could well have anti-virus installed on your Mac which is bang up-to-date, but if a new type of virus suddenly appears on the scene, the anti-virus may not detect the virus anyway. The truth of how ineffective some anti-virus products on Windows PCs are is actually quite alarming, but I'll save that one for another post.

Do business Macs need Anti-Virus Protection?
The short answer in my opinion is Yes. Medium to large businesses which have Apple Macs deployed in a mixed Microsoft Windows environment, may well want to consider deploying and running anti-virus protection on their Mac estate.

Why? Macs have been known to harbour Windows based malware, malware which could make its way from the Mac via file sharing on to Windows PCs. Just because Windows malware does not work on the Mac, it does not mean it cannot be stored on a Mac drive, and if that Mac has no anti-virus protection, then the files on the Mac drive are never checked for Windows malware, which in turn means the malware files are never removed, leaving any Windows malware present and dormant on the Mac drive. Should that malware file make its way off the Mac drive, perhaps via a network share, USB memory device, or server storage, and then onto Microsoft PCs, then there can be real issues in store for the PC estate.

Also there are information security regulations and standards which insist on the deployment of anti-virus protection regardless of the operating system and your perceived risk.

Where can I get Mac Anti-Virus Protection?
If you feel you need anti-virus protection on your Mac at home, or within your business environment, most of the usual big commercial anti-virus vendors provide a Mac OS anti-virus client. Personally I'm independent of security vendors, which is important, as I try to keep my advice independent and objective, so I'm not going to be suggesting any vendors here. But there is a free home Mac anti-virus client called ClamXav - http://www.clamxav.com/. As I said in my blog post last week, I believe anti-virus protection should be free for all home users and provided out of the box by the OS vendor - http://blog.itsecurityexpert.co.uk/2010/04/home-anti-virus-is-completely-free-as.html

The Biggest Threat to Mac Users
Finally, home Mac users should still be wary of attacks made through their web browser and their email client. For instance a phishing attack is just as likely to be successful against a Mac user as it is a Windows user. Always remember many online fraudsters are targeting your personal information, your credit card details and your online bank account login details, which are often obtained through attacks via web sites (the web browser) or via the Email client, either way by conning the person into sending the details. Some third party applications on the Mac, such as file sharing apps, can also provide a way in for malware, so be wary about what you agree to install.

This is an interesting topic, and has been hotly contested in the security industry for years, especially between AV vendors with Mac anti-virus products to peddle, and Apple enthusiasts (BTW I'm neither!), so if anyone has any different views whether in agreement or not, or indeed recommendations, please post in the comments - Thanks.

* April 2008, the BBC News reported Symantec now claimed "their anti-virus programs detect to 1,122,311 http://news.bbc.co.uk/2/hi/technology/7340315.stm

Tuesday, 13 April 2010

Home Anti-Virus is Completely Free, as it should be

It's a real travesty that many home users are paying for anti-virus protection on subscription, not realising they can obtain solid anti-virus protection for free. Commercial anti-virus vendors have been snaring home users for years by providing their commercial AV applications with new PCs, often pre-installing their anti-virus application onto the PC operating system itself as a free trial. Once the free trial has finished, home users end up signing up to the AV on subscription through fear, not believing they have any other free alternatives for anti-virus protection. However home anti-virus protection should be completely free, and it is completely free.

For many years it has been my personal belief that home anti-virus protection should be provided completely free of charge, and in the case of the Windows Operating System (OS), the OS most plagued by viruses, worms, spyware and other malicious software (malware), it should be built into the operating system itself.
Malware: A term which is short for Malicious Software, the collective term for describing Viruses, Worms, Trojans, Keyloggers, Spyware, and Adware.

I believe free and built in anti-virus is a necessity to protect the individual PCs of non-security savvy home users, and to protect everyone else on the Internet as well, as 100,000s of PCs infected by malware affect and impact everyone online. Malware infected PCs are used for everything bad, from sending spam Email messages en masse, to the mass propagation of malware, to highly intricate network based attacks. It has been a long-standing personal criticism I had of Microsoft, in that they didn’t provide built in anti-malware (anti-virus) protection right out of the box, well until now.

Yes, the good news is at last Microsoft has finally got around to providing free anti-virus and anti-spyware with their Windows operating systems for home and small business users, the only proviso is you actually own a licensed copy. Over the last six months I have been trying the Microsoft anti-virus protection on multiple Windows operating systems and different hardware, and I have to say I have found it to be up to the job, and indeed I would say it’s on par with most home commercial anti-virus applications, in fact in one test I found it scans much faster than some of the commercial AV products. Now commercial anti-virus vendors will claim their specific product is better than everybody else’s anti-virus application, and that their product provides extra security protection, has won awards etc. However the truth of the matter is no anti-virus application can ever guarantee 100% protection, and it is a dangerous game to play to assume one anti-virus application protects better than another, given the fluid nature of malware threats, which change by the hour.

It is true many anti-virus products come packaged with additional security protection for your money, some are more useful than others. Many of these additional services such as web filtering and anti-spam can be obtained for free elsewhere. For instance home users should be aware Microsoft Windows 7 provides web filtering out of the box while email providers such as Google's Gmail have pretty good anti-spam built in these days. And as for operating system firewall protection, well that's already built into the Windows operating systems. Some of these extras can actually unnecessarily slow your PC operation down for very little security benefit, especially on older PCs.

Free Anti Virus: Microsoft Security Essentials

Aside from the Microsoft offering, there are several other good free Windows based anti-virus applications available, which have been around for a number of years, such as AVG and AVAST. However for home users I would recommend installing and trying out the Microsoft anti-virus application first, which is known as Security Essentials. But that’s my personal opinion, the important thing is you install and use an anti-virus application on your Windows PC, regardless of who provides it, as it’s a vital component of home PC security.

My recommended Free Anti-Virus\Anti-malware Products are:

Microsoft Windows Security Essentials
Anti-Virus & Anti-Spyware
www.microsoft.com/security_essentials
Requires licensed copy of  Windows
Requires Windows XP, Vista and Windows 7
Windows XP, a PC with a CPU clock speed of 500 MHz or higher, and 256 MB RAM or higher.

AVG
Anti Virus Protection
www.AVG.com/FREE

AVAST
Anti-Virus Protection
http://www.avast.com/

Spybot Search & Destroy
Anti-Spyware/Anti-Adware Protection & Spyware/Adware Removal
http://www.safer-networking.org/en/download/

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.aspx

Finally I would like to stress the importance of ensuring your anti-virus application receives updates automatically. Without automatic updating enabled in your anti-virus application, your PC won't be protected against the latest threats. Equally important is to check that Microsoft security updates (patches) are automatically downloaded and installed upon their release; these updates tend to be released on at least a monthly basis.

Thursday, 25 March 2010

New Podcast: Removing Viruses, Worms & Spyware

This podcast is aimed at day to day people outside the IT security industry using Microsoft Windows. This podcast gives a quick overview of the types of malware (Virus, Worms & Spyware), describes how to prevent malware infection on your PC, and how to remove malware from your PC following infection.

IT Security Expert Podcast - Mar2010 : Removing Viruses, Worms & Spyware


Free Malware Removal Tools Recommended in this Podcast
Microsoft Windows Malicious Software Removal Tool
Spybot - Search & Destroy
AVG Rescue CD

There are other free malware removal tools out there, including those which run online in the web browser. If anyone wants to recommend any they have used, please go ahead and make your recommendation in this post's comments - Thanks

Notes
1. "Malware" is a collective term which includes Viruses, Worms, Keyloggers, Trojans, Spyware, Adware, and apps referred to as Crimeware
2. I recommend running these tools frequently, even if your Anti Virus application is not reporting any malware infections. AV doesn't detect all malware!
3. Windows Defender is always worth installing and protects mainly against spyware and adware, and is free.
4. Beware some malware removal tools are actually malware themselves, and actually add further infections to your PC. Therefore I recommend sticking with removal tools listed on this post and provided by reputable security companies and organisations.
5. After running a malware removal tool, I recommend rebooting your PC and running the tool a second time, to ensure all malware has been permanently removed from your PC.

Monday, 22 March 2010

UK Shops with Minimum Spend OR Charges for Accepting Card Payments

I really love those new Visa World Cup Football TV and the Barclaycard Contactless Card commercials (see below).





These ads depict using Visa and Barclaycard plastic to pay for small transaction amounts, such as using your credit card to pay for your lunch, and paying by card for a haircut. But these TV commercials' representation does not quite match the reality on the ground in the UK, where many cardholders appear to be continually taken advantage of and are becoming frustrated by small merchant shops who either apply a surcharge, or insist on a minimum spend for payments by card. This reality is in direct conflict with Visa, MasterCard and Barclaycard's overall strategy, namely for card payments to replace all cash payments, hence the recent introduction of contactless payments in the UK. Contactless cards are not just designed for your convenience but to allow the card brands to soak up the small payment transaction space.

Can Merchants Apply a Minimum Spend or a Surcharge in the UK?
I have been speaking with Visa, MasterCard and Barclaycard about this, and to be honest the answer is not as clear cut as I thought it would be, mainly thanks to complicated European Laws and UK Laws, and even local area laws come into the equation.
What I do know is the likes of Visa and MasterCard do have strict regulations which they say apply to all merchants (retail shops) which accept their card payments. These regulations clearly state merchants are not allowed to apply any surcharge or require a minimum spend amount as detailed below.

VISA
5.1.C Prohibitions
A Merchant must not:
• Add any surcharges to Transactions, unless local law expressly requires that a Merchant be permitted to impose a surcharge.

MasterCard
A Merchant must not directly or indirectly require any Cardholder to pay a surcharge or any part of any Merchant discount or any contemporaneous finance charge in connection with a Transaction. A Merchant may provide a discount to its customers for cash payments. A Merchant is permitted to charge a fee (such as a bona fide commission, postage, expedited service or convenience fees, and the like) if the fee is imposed on all like transactions regardless of the form of payment used, or as the Corporation has expressly permitted in writing. For purposes of this Rule:
1. A surcharge is any fee charged in connection with a Transaction that is not charged if another payment method is used.
2. The Merchant discount fee is any fee a Merchant pays to an Acquirer so that the Acquirer will acquire the Transactions of the Merchant

However these regulations are trumped by law: EU, UK and even local laws. For example airlines, holiday companies and large concert ticket providers cite legalese to get around these regulations, applying surcharges to their card payments. Sometimes they hide the surcharge as an administration fee, which is fine for a business which doesn’t offer a cash payment alternative. I thought this could be a key point, as small shops obviously are accepting cash payments alongside card payments.


I have been reading up on the legal side of this issue, and as I understand it, it appears merchants are not allowed to profit from surcharging. However going back to the strict card scheme regulations, let's take the scenario where we have a small shop which has been provided with the equipment to accept card payments, as provided by the likes of HSBC and Streamline. From my conversations it came across that surcharging and applying a minimum spend in this type of scenario is highly frowned upon by the card schemes (Visa & MasterCard). In fact during my discussions with these card brands, they both offered a method to file a complaint about small merchants doing this.

MERCHANT COMPLAINT FILING
Visa: Notify your Visa card-issuing bank. Visa Member financial institutions have access to the appropriate Visa rules and regulations. Your card-issuing bank can best answer your questions about surcharges. They also have access to the Notification of Customer Complaint forms that should be used by the financial institution to document and file this type of complaint. You can contact them directly, using the address or telephone number on your Visa statement or on the back of your card.

MasterCard: File a merchant violation by Email consumer_advocate@mastercard.com . We do contact the merchant's bank when we see repeated violations and they are requested to maintain appropriate controls over the merchants.

Now my legal eagle brother likes to point out shops can always refuse your card payment transaction and kick you out of their premises without providing any reason, true. However I argue that most small merchants sign an agreement to abide by these regulations as part of the package in being provided with the means to accept the card payments. Therefore it seems pretty clear to me most smaller merchants are not permitted to surcharge or require a minimum spend at all. Banks which provide the payment devices have the power to disable the payment devices from any merchant which doesn't comply, so would act if a card scheme or customers highlighted a merchant wasn't complying with these regulations.

UK local legislation allows surcharging on credit cards which takes precedence over Visa rules and regulations - Visa Europe

So after doing further digging on the legal side, it appears merchants are indeed allowed to make charges under law, remember the card schemes state law trumps their regulations. However I found another angle on the legal side, in that merchants need to clearly advertise their surcharges.

Since the 28th February 1991, in accordance with the Credit Cards (Price Discrimination) Order 1990, retailers have been allowed to apply these charges to the cardholder.

It may help you to know that customers are protected under the Consumer Protection Act 1987, which states that it is a criminal offence to mislead the customer regarding the cost/charges of a purchase. Retailers are therefore required to clearly advertise and advise their intentions to the customer before applying this charge.

My conclusion on minimum spending and surcharges: because of the legal situation, unfortunately I cannot state UK merchants are not allowed to add surcharges or require customers make a minimum spend for payment card transactions. But if you feel strongly about this you can raise a complaint against any merchant indulging in these practices with the card schemes and acquiring banks, namely the providers of payment equipment e.g. Streamline, HSBC. I will continue to research this situation, I am very interested if anyone else has any further information or views on this one.

Now I do feel the merchant’s pain in that the cost (transaction charge imposed on them) in taking small transactions really hits their profit margins, but hey this is the price of having the ability to accept card payments at your business, no one forces any business to offer the acceptance of card payments.

Here’s the thing that really bugs me about this. There are too many merchants in the UK which are running amok with these charges, some are ignorant of these requirements, and some are actually sticking two fingers up at the regulations they sign up to. I know because shop owners get very nervous when I question their surcharging. So what do you think merchants are doing about the Payment Card Security regulations, specifically the Payment Card Industry Data Security Standard (PCI DSS)? The next time you have fraudulent transactions on your credit card and don’t understand how your card details were stolen, know it is more likely than not that your details were stolen from a merchant which held your card details, because the merchant was not following card security regulations and adequately protecting your card details while in their care. By the way merchants certainly cannot hide behind law when it comes to their compliance with card payment security regulations, and specifically PCI DSS compliance.

It is worth noting that we do not have any breach disclosure laws in the UK, and it is never in the interest of merchants, banks and card brands to publicly disclose payment card breaches. But I can tell you card payment breaches of UK cards in significant numbers are occurring due to UK merchant security negligence, it's happening behind closed doors, and it's happening far too often.

Tuesday, 16 March 2010

The Vulnerability Management Game

I have been asked to speak about IT Security Vulnerability Management at a Security Conference, and it got me thinking. Vulnerability Management is the good practice of finding security weaknesses, which bad guys may exploit (hack), and then fixing them. It’s an endless cycle of finding and fixing. Why? Because software code is extremely complicated and tends to be highly rushed by developers these days. Some code can even be millions of lines long. Code is never perfect and so can never be bullet proof secure, it’s just a question of discovering the vulnerabilities which are present. This is the reason why Microsoft release security patches on at least a monthly basis and why Microsoft will continue to release security patches as long as they have software to support.

An interesting vulnerability management game is played by security vulnerability management vendors and security researchers, as it is these vendors and security researchers which tend to find the vast majority of the most threatening vulnerabilities. Finding high risk vulnerabilities is good, however they usually announce their findings to the world: what exactly the vulnerability is, and how it could be exploited, so telling the bad guys along with the good guys. There is clear evidence the bad guys wait for these announcements and act on them before the good guys have a chance to apply fixes. I'm not sure if anything can be done about this part of the game, while it is plain old bad security to assume bad guys do not know about vulnerabilities which the security vendors have yet to discover. However with mass vulnerability exploitation, more often than not, I am seeing an “IT Security Industry” vulnerability announcement and media coverage which has started the ball rolling.

Worse yet are “zero day” vulnerabilities, which is the term to describe the announcement of a vulnerability which has yet to have a fix available. Remember it can take time to code and test vulnerability fixes. The worst case scenario is to have a vulnerability actively exploited by bad guys without the software provider having a fix ready. A recent example of a “Zero Day” vulnerability was with Microsoft Internet Explorer - http://news.bbc.co.uk/1/hi/technology/7784908.stm. Announcement of "zero day" vulnerabilities which aren't being actively exploited en masse is particularly shaky ground, why not wait until a patch is ready for release? I know there have been issues with companies not listening to security vulnerability researchers, even threatening to sue them, but I can't see how it can be right to publish a vulnerability which doesn't have a fix.

So let us switch this around another way. Last week I took a couple of flights, and despite all the security checking at the airports, I thought of several ways I could have successfully bypassed the airport security to get “banned” items onto the plane. So these are airport security vulnerabilities, just like IT vulnerabilities, remember no system can ever be 100% secure. As a society we are all very sensitive about airport security, mainly thanks to media led risk assessment of terrorism - I’ll save that one for another blog post.


My main point is this, I am not going to announce to the world how to bypass airport security, because:

(A) I don’t think it is ethical

(B) I don’t think it would reduce risk and make flying safer, even should someone from the airport security industry be actually willing to listen, I think they would accept the risk (the vulnerabilities)

(C) Just saying them could get me arrested thanks to the UK’s strict anti-terrorism laws

(D) This is the most important reason. I really don’t want to tell bad guys how to bypass airport security.

Again I do not assume terrorists don't already know about weaknesses in airport security, and I'm sure airport security authorities know their security weaknesses as well. But even though some terrorists may know about vulnerabilities in the systems, it serves no purpose in telling them all about all possible weaknesses in our airports' security. It by nature can never be 100% secure, it is a question of risk management, so why is the security industry chomping at the bit to tell the world about all weaknesses in our IT systems?

Saturday, 27 February 2010

New Podcast: Safe Social Networking (Feb2010) Released

I thought it was about time I resurrected the IT Security Expert Podcast, so I dusted off my podcast mic and put together a podcast on using Social Networking safely. This podcast is aimed at day to day people outside the security industry.

http://itsecurityexpert.co.uk/index.php?module=podcaster&PODCASTS_MAN_OP=viewPodcast&PHPWS_MAN_ITEMS[]=6


To go with this Podcast I have a “Parent Child Facebook Safety Guide” which I put together following my appearance on BBC Radio 5 earlier in the year.

http://itsecurityexpert.co.uk/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=36&MMN_position=53:53


And I have a couple of relevant blog entries to this Podcast

http://blog.itsecurityexpert.co.uk/2009/12/facebook-privacy-settings-change.html

http://blog.itsecurityexpert.co.uk/2009/11/child-facebook-safety.html


I’m considering a couple of things with this Podcast, initially doing a new release once a month, and I am also considering Podcast Security topics aimed at UK industries and professions, covering subjects such as PCI DSS (retailer credit card payments compliance) and Government Code of Connection.

Saturday, 20 February 2010

Chip & Pin Weakness Smoke Screen for Real UK Card Fraud

The Chip & Pin man-in-the-middle weakness highlighted by the Cambridge academics last week is important to raise and to have addressed, but I’m afraid to say this weakness in Chip & Pin is nothing new, this vulnerability has been known about for years. The Cambridge boffins are right in that Chip & Pin isn't as secure as it should be. However no system ever gives 100% security, the aim of the game is about reducing risk. Chip & Pin reduces card fraud risk significantly when compared to other non-cash payment methods, such as payments by just signing and payments by cheques, even with this vulnerability. The fact is Chip & Pin drastically cut cardholder present fraud in the UK when it was introduced in 2005.

The really important thing to understand here is that for the Cambridge Chip & Pin fraud to work, the fraudster needs to have possession of the original debit/credit card (which has yet to be cancelled), and seemingly a laptop.

Now I have researched card fraudsters for years, and I can tell you they always tend to go with the simplest methods of committing card fraud which pose the least risk of being caught, and as any security professional knows, bad guys always tend to go for the lowest hanging fruit.

So here's my main point: why would a card fraudster who is in possession of a stolen card bother with the sophisticated technique as highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on the card, forcing a magnetic swipe and signature payment, perhaps if needed requiring a bit of social engineering against the cashier? Still it would be far easier and less risky for the card fraudster to use the stolen card with online transactions or even get away with small contactless payments which also don’t require any PIN knowledge.

Secondly, I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness of their card details being compromised. When the physical card is stolen, it tends to be reported by the cardholder, so it is quickly cancelled, preventing transactions from working on it. Remember, the Cambridge attack is all about physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.

Just to prove how easy it is to get around Chip and Pin without having a PhD, I performed a demonstration yesterday at a “birthday card” retailer in a UK city. I used one of my own credit cards as opposed to a stolen credit card; the credit card I used just happened to have a damaged chip.

To be crystal clear, I did nothing illegal or unethical, and I certainly didn’t perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by the cashier. The card reader displayed invalid, and the cashier said this happens now and again, took my credit card out, swiped it through a magnetic reader, then asked me to sign. I followed the cashier's instructions, so completing a transaction without using a PIN number.

Here's the receipt; note the "Date", the transaction type "Swiped" and "Signature Verified".
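The fallback path described above (chip read fails, card is swiped and signed for) is something a card issuer or acquirer can flag for review. The following is an added example, not part of the original post: the record layout, field names and entry-mode labels are constructed assumptions, while the rule that a magnetic-stripe service code starting with 2 or 6 marks a chip card comes from the stripe standard.

```python
from dataclasses import dataclass

# Constructed record layout for illustration; field names and entry-mode
# labels are assumptions, not taken from any card scheme's message format.
@dataclass
class Txn:
    card_id: str
    service_code: str   # 3-digit magnetic-stripe service code
    entry_mode: str     # "chip", "swipe", "contactless" or "keyed"
    cvm: str            # cardholder verification: "pin", "signature", "none"
    amount_pence: int

def is_chip_card(service_code: str) -> bool:
    # A first digit of 2 or 6 means the card carries a chip
    return len(service_code) == 3 and service_code[0] in ("2", "6")

def is_fallback(txn: Txn) -> bool:
    """Chip card that was swiped instead of read through its chip."""
    return is_chip_card(txn.service_code) and txn.entry_mode == "swipe"

def review_queue(txns, repeat_threshold=2):
    """Return (card_id, reason) pairs for transactions worth a second look."""
    fallback_counts = {}
    flagged = []
    for txn in txns:
        if not is_fallback(txn):
            continue
        n = fallback_counts.get(txn.card_id, 0) + 1
        fallback_counts[txn.card_id] = n
        reason = "fallback swipe without PIN" if txn.cvm != "pin" else "fallback swipe"
        if n >= repeat_threshold:
            reason += f", {n} fallbacks on this card"
        flagged.append((txn.card_id, reason))
    return flagged

# Constructed sample transactions
SAMPLE = [
    Txn("card-A", "201", "chip", "pin", 1250),
    Txn("card-B", "201", "swipe", "signature", 399),
    Txn("card-C", "101", "swipe", "signature", 2000),   # no chip on card
    Txn("card-B", "201", "swipe", "signature", 8999),
    Txn("card-D", "221", "contactless", "none", 450),
]

if __name__ == "__main__":
    for card, reason in review_queue(SAMPLE):
        print(card, "->", reason)
```

A single fallback is usually an honest damaged chip, as in the demonstration above; repeated fallbacks on one card, or a fallback followed by a high-value purchase, are the patterns worth a closer look.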

My final point is that the majority of payment card fraud committed in the UK is card-not-present transactions, such as payments made over the Internet or by phone. This type of fraud does not require that the fraudster has physical possession of the plastic card. Often it is the payment card details, not the physical plastic card, that are stolen, often en masse from poorly secured retailers. These stolen card details are then brokered and sold online to individual fraudsters, who go on to commit the actual fraudulent transactions against them. Typically, fraudulent transactions with UK cards are made against websites which don't have 3D Secure (online password required); typical websites at the moment tend to be online gambling websites, which are an easy way for an international card fraudster to cash out against a stolen UK card.

I personally reckon at least £1 Billion is stolen on British payment cards every year, and from my knowledge of how UK card fraudsters operate, I would say the Cambridge Chip & Pin attack could be responsible for just a few percent of that fraud spend presently. I have not come across any fraudsters, nor have I heard of any fraudulent incidents, using this technique; however, you can never rule out that the bad guys are taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don’t see that changing in the future, as there are still far easier methods to commit fraud against UK payment cards.

If the payment card industry was serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this blog posting.
http://blog.itsecurityexpert.co.uk/2009/10/how-payment-card-industry-could-stop.html

Tuesday, 2 February 2010

A Cyberwarfare Warning: Greater Manchester Police & Conficker

In the information age our Police forces increasingly rely on their IT systems to help them perform their duties, and these IT systems hold citizens’ most personal and sensitive information. Given the nature of “Police Business” you would think Her Majesty’s finest would be pretty good at IT Security, but apparently not. One of the largest Police forces in the UK, Greater Manchester Police (GMP), was forced to disconnect its IT systems from the national Police systems after they had been discovered to be riddled with the Conficker worm. This nasty piece of malware has been around since 2008; however, all the anti-virus systems I know of have been protecting IT systems against it since just after Conficker’s release.

From School Children to Silver Surfers, most people realise and understand the importance of having Anti-Virus software installed on their PCs, and the importance of keeping their Anti-Virus up to date. Installing Anti-Virus protection onto all Windows-based operating systems and keeping it up to date is a very basic best practice. Clearly this was not being achieved by the GMP: it was reported that many of their IT systems were infected with Conficker on Friday 29 January 2010, to such an extent that they had to disconnect all their systems from the national police systems for several days, rendering GMP less effective. For instance, GMP officers had to request checks on names and vehicles from neighbouring police forces.

What I find particularly concerning about this successful attack, aside from the possible breach of highly sensitive information, which is a real risk with Conficker, is just how simple it is to take out key IT Systems, leading to a direct impact on a pillar of our society’s infrastructure.
Previously Conficker also hit IT Systems at the Houses of Parliament and Hospitals in Sheffield, and cost Manchester City Council £1.5 Million, although some might say that Conficker knocking out its IT systems, and so preventing Manchester City Council from issuing hundreds of motoring penalty notices in time, was a bit of a blessing.

In this day and age we tend to take for granted our increasing reliance on IT systems. Cyber attacks against our national infrastructure are a very real and increasing risk, and there have already been several examples of international cyber attacks. This latest Conficker outbreak at the GMP should serve as a real warning to the UK Government. Whether it’s our national power grid, banking infrastructure, telecoms, air traffic control, or even key online servers and websites, cyber attacks can really hurt us and our economy.

It is more than feasible that cyber terrorists could make the next "Conficker" type worm to specifically target key infrastructure IT systems. The damage could be done before Anti-Virus and OS vendors can respond with a solution. At the end of the day Anti-Virus is reactive, a "stick on a plaster" approach to security; meanwhile tens of thousands of new vulnerabilities are found in Operating Systems and Applications on a yearly basis. This vulnerability trend will continue to rise despite the usual vendor hype of "this is our most secure platform ever". We saw this just two weeks ago with the actively exploited vulnerability in the latest version of Internet Explorer; indeed this took several days to be patched, or is that plastered.
The UK Government is responsible for protecting the country's key infrastructure; however, I’m afraid to say the UK Government is doing very little to address this threat at present, unlike across the pond, where Barack Obama recently appointed Howard Schmidt as their Cyber Tsar to help tackle these types of risks. Just a few months ago I was speaking with Howard about this very subject; he didn’t disagree with me when I stated that I believe it’s just a matter of time before we see a Cyber 911.