Criminals Install Fake PIN Pads At US Retailer

Finextra reports that US retailer Hancock Fabrics is warning customers that PIN pad units at several of its stores were stolen and replaced with "visually identical, but fraudulent" units last year, putting card data at risk. 

In an open letter to customers, the firm warns that the scam, which ran between August and September last year, gave the crooks the names printed on customers' payment cards, the card numbers and expiration dates, and the PINs.


Users Rejecting Security Advice, Rational?

As seen on Slashdot, researchers have different ideas as to why people fail to use security measures.  Some believe that regardless of what happens, users will only do the minimum required.  Others believe security tasks are rejected because users consider them to be a pain.  A third group maintains user education is just not working.

Microsoft Research’s Cormac Herley offers a different viewpoint.  He contends that user rejection of security advice is based entirely on the economics of the process.  Here is Dr. Herley’s paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).

My personal theory?  -=[Caution – Unbiased Opinion may not be suitable for all audiences]=-   Users reject security advice because accepting it would also involve accepting responsibility and accountability for errors, omissions, mistakes and breaches.  Smells like liability.  The populace is like water, happily taking the path of least resistance and the most shortcuts possible to get to where they would like to go.  Fences, like rules and standards, are just obstacles to be overcome, especially if they keep the dedicated lemmings from quickly discovering the edge of the cliff and the bottom of the canyon.  Now there’s a white paper.

IE 9 ‘Platform Preview’ Released at MIX10

Microsoft has announced the availability of an Internet Explorer 9 "platform preview" at Tuesday’s MIX10 keynote address.  Developers and the general public can get their hands on the IE 9 platform preview as of Tuesday.

The preview of Microsoft’s newest Web browser is accessible at Microsoft’s test drive site here.

The IE 9 platform preview isn’t a fully functional browser or even an alpha version.  It lacks an address bar and most of the usual browser user interface.  Microsoft is releasing it to get feedback from developers, and the company plans to release updates of the platform every 8 weeks.  Users can run the various tests prebuilt into the platform preview and compare those results with the test performance of other browsers.


Microsoft Adobe Collaborate On Patches

Microsoft and Adobe are working together on the security patch development process, possibly leading to Adobe issuing patches via Windows Update.

Microsoft has confirmed the collaboration, saying it is "currently working with Adobe to develop solutions to improve the software update experience for our mutual customers."  A Microsoft spokesperson was unable to specify a timeline or the nature of the collaboration.

Adobe hinted at a Microsoft collaboration in an online Q&A held in late February.  In response to a question about whether Adobe would consider working with partners for patch distribution, Adobe’s Brad Arkin said, "We are working very closely with Microsoft for SCCM/SCUP/WSUS integration, which is targeted to happen before the end of the year." 

Enterprise customers typically disable the built-in update mechanisms of third-party applications and push patches with their own deployment tools, which is exactly what the SCCM/SCUP/WSUS integration Arkin describes would serve.  It will be interesting to see whether this breeds more collaboration, perhaps with Symantec’s Altiris team or other vendors.


Fiserv to Banks: Keep Outdated Adobe Reader

Krebs On Security is reporting that Fiserv, one of the largest US providers of money-transfer and online banking services to credit unions and other financial institutions, is urging customers not to apply the latest security updates for Adobe Reader.  At issue is a non-public advisory issued by Fiserv.

A reader who works in security for a mid-sized credit union shared a notice posted prominently to a section of Fiserv’s site dedicated to security and IT managers at partner financial institutions. 

“NOTICE: Please do not upgrade Adobe Acrobat Reader past Version 8.1.   The following is of importance to all credit unions.

Until further notice, please do not upgrade Adobe Reader past version 8.1. We have recently found that there are potential compatibility issues with some of our Adobe-based products. If you have already upgraded past this version you can try uninstalling to a lower version. This may or may not be successful. For instructions on uninstalling, please visit

We will provide you with further information when it is available.”

Assuming that they really meant to say “Don’t migrate your systems past the latest 8.1.7 version (released in October 2009)”, that would still leave financial institutions exposed to the Reader flaw that criminals are actively exploiting to install data-stealing software via spam and hacked or malicious Web sites.

Krebs On Security

Fiserv Response:

We researched the client advisory mentioned in your posting. We appreciate your attention to this matter, as the advisory did not effectively explain our advice, nor was it the right approach to the underlying issue of Adobe compatibility.

The advisory was not directed or available to all of our clients, but rather to clients of a single solution within one individual product line. The advisory had been viewed by fewer than three dozen individuals at the time it was removed. We are working hard to resolve the Adobe compatibility issue, and to improve the rigor of our content management on the client collaboration site where the advisory was posted.

– Alan Ulman, Fiserv Corporate Communications
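The practical problem with an advisory like Fiserv's is that "don't go past 8.1" and "stay on the current patched release" are not the same thing: Adobe ships fixes on each major branch separately, so the floor you check against depends on which branch a host is on. Here is an added example of that check, not code from Fiserv, Krebs or Adobe. The inventory lines are constructed, and the per-branch minimum versions are illustrative placeholders that you would replace with the versions named in Adobe's current bulletin.

```python
"""Flag Adobe Reader installs that sit below the patched release for their
major branch.  Added example; inventory and version floors are constructed."""
from typing import Dict, List, Tuple

# Assumed minimum patched version per major branch (illustrative values only;
# take the real ones from Adobe's security bulletin for the flaw in question).
MIN_PATCHED: Dict[int, Tuple[int, ...]] = {
    8: (8, 2, 1),
    9: (9, 3, 1),
}

# Constructed inventory export in "hostname,product,version" form.
SAMPLE_INVENTORY = """\
teller01,Adobe Reader,8.1.7
teller02,Adobe Reader,8.2.1
loan03,Adobe Reader,9.3.0
loan04,Adobe Reader,9.3.1
loan05,Adobe Reader,9.10.0
ops06,Adobe Reader,7.1.4
ops07,Adobe Acrobat,8.1.7
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.10.0' into (9, 10, 0).  Numeric tuples compare correctly;
    plain string comparison would rank '9.10.0' below '9.3.1'."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version: str) -> str:
    """Return 'ok', 'vulnerable' or 'unsupported-branch' for one install."""
    v = parse_version(version)
    floor = MIN_PATCHED.get(v[0])
    if floor is None:
        # No patched release exists for this branch (e.g. an end-of-life 7.x):
        # staying "current within the branch" cannot make it safe.
        return "unsupported-branch"
    return "ok" if v >= floor else "vulnerable"


def audit(inventory: str, product: str = "Adobe Reader") -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every install of `product` that is
    not at or above the floor for its branch."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, prod, version = [field.strip() for field in line.split(",")]
        if prod != product:
            continue
        status = classify(version)
        if status != "ok":
            findings.append((host, version, status))
    return findings


if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: Reader {version} is {status}")
```

Note that teller01 (8.1.7, which the Fiserv notice would have you keep) shows up as vulnerable alongside loan03, while teller02 on 8.2.1 passes even though it is "past 8.1"; ops06 is on a branch with no fix at all and needs a migration, not a patch.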

Aurora Variants Still Undetected

A test of seven commonly used anti-virus products by NSS Labs found that only one detected malware variants exploiting the IE vulnerability used in the Aurora attacks against Google, Adobe and other US companies. These attacks are no longer “new” news, so one would expect signatures for these variants to exist by now.

NSS Labs said vendors need to focus protection on the vulnerability itself rather than on individual exploits: a signature cut from one sample is defeated by the next variant, whereas a check for the condition that triggers the bug stands a chance of catching all of them. Threat detection and mitigation need to evolve to meet emerging attacks, and software vendors need to shoulder their share of the security burden.
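To make the NSS point concrete, here is an added example (not code from NSS Labs, and not the Aurora exploit) that runs a byte-for-byte signature and a vulnerability-keyed pattern over three constructed scripts. The "exploit" samples are harmless strings that only imitate the shape of a script-based attack: a spray loop feeding a `%u`-encoded payload, then a call to an assumed vulnerable method named `triggerBug`. That method name, both samples and the benign page are all made up for this illustration.

```python
"""Signature-style versus vulnerability-style detection over constructed
JavaScript samples.  Added example; nothing here is real exploit code."""
import re

# Constructed sample a vendor might have cut a signature from.
ORIGINAL = """
var shellcode = unescape("%u9090%u9090");
var spray = new Array();
for (var i = 0; i < 0x400; i++) { spray[i] = shellcode + "A"; }
document.getElementById("target").triggerBug();
"""

# Constructed variant: same logic, renamed identifiers, whitespace removed,
# string split with "+", hex constant written in decimal, method reached
# through a bracket lookup.  Minutes of work between campaigns.
VARIANT = """
var s=unescape("%u90"+"90%u9090");var a=new Array();
for(var j=0;j<1024;j++){a[j]=s+"A";}
document.getElementById("target")["trigger"+"Bug"]();
"""

# Constructed benign page: also fills an array in a loop, but never builds a
# %u payload or touches the vulnerable method.
BENIGN = """
var items = new Array();
for (var k = 0; k < 10; k++) { items[k] = "row " + k; }
document.getElementById("list").innerHTML = items.join("<br>");
"""

# 1. Exploit signature: an exact substring lifted from ORIGINAL.
SIGNATURE = 'var spray = new Array();\nfor (var i = 0; i < 0x400; i++)'


def signature_match(script: str) -> bool:
    """Classic byte signature: hits the sample it was cut from and little else."""
    return SIGNATURE in script


# 2. Vulnerability-keyed detection: strip the cheap obfuscations, then look
#    for what any exploit of this (assumed) bug has to do.
def normalize(script: str) -> str:
    s = re.sub(r"\s+", "", script)                     # drop all whitespace
    s = re.sub(r'"\+"', "", s)                         # "ab"+"cd" -> "abcd"
    s = re.sub(r'\["([A-Za-z_]\w*)"\]', r".\1", s)     # obj["m"]() -> obj.m()
    s = re.sub(r"0x[0-9a-fA-F]+",
               lambda m: str(int(m.group(0), 16)), s)   # 0x400 -> 1024
    return s


PAYLOAD = 'unescape("%u'                                      # %u-encoded payload
SPRAY_LOOP = re.compile(r"for\(var\w+=0;\w+<\d+;\w+\+\+\)\{\w+\[\w+\]=")
VULN_CALL = re.compile(r"\.triggerBug\(")                      # assumed vulnerable method


def pattern_match(script: str) -> bool:
    s = normalize(script)
    return (PAYLOAD in s
            and SPRAY_LOOP.search(s) is not None
            and VULN_CALL.search(s) is not None)


def scan_all():
    """Return {sample_name: (signature_hit, pattern_hit)} for the three samples."""
    samples = {"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}
    return {name: (signature_match(src), pattern_match(src))
            for name, src in samples.items()}


if __name__ == "__main__":
    for name, (sig, pat) in scan_all().items():
        print(f"{name:9s} signature={sig!s:5s} pattern={pat}")
```

The signature catches only the sample it was written from; the variant sails past it while the normalised pattern still fires, and the benign page, which shares the loop shape, trips neither. Real vulnerability-based protection goes further than string normalisation (it reasons about the state that reaches the bug), but the asymmetry is the same.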



OSIX Has Had A Breach

Looks like one of the Open Source Institute’s own recently took it upon himself to do a little rogue pen-testing.  He grabbed the unsalted password hashes, brute-forced a couple of passwords, logged into a couple of accounts, and then alerted the admins to the weakness.  The site admins are taking some heat and report that they have fixed the problem, which was introduced during a hosting change. 

If you have an account there and perhaps have used the same password elsewhere (first of all, shame on you!), you’d best be gettin’ on over there and changing that one before going through all of your other locales that used that same password and changing those too…
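Why "unsalted" is the important word in that story, and why the reuse warning follows from it: the following is an added example, not OSIX code, with a constructed user table and wordlist. MD5 stands in for whatever unsalted fast hash the site actually used (the post does not say which).

```python
"""Unsalted fast hashes versus salted, iterated ones.  Added example; the
accounts, passwords and wordlist are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable

ITERATIONS = 100_000  # PBKDF2 rounds; tune so one verify costs ~100 ms on the server

# Constructed accounts.  Two users chose the same password on purpose.
CONSTRUCTED_PASSWORDS = {
    "alice": "letmein",
    "bob":   "password1",
    "carol": "letmein",
    "dave":  "Tr0ub4dor&3",
}
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty", "admin"]


# --- what leaked: unsalted fast hashes ------------------------------------
def unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


LEAKED = {user: unsalted(pw) for user, pw in CONSTRUCTED_PASSWORDS.items()}


def crack_unsalted(table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and look every user up in the result: the cost
    is len(wordlist) hashes no matter how many users leaked, and identical
    hashes give away shared passwords before any cracking starts."""
    lookup = {unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# --- the fix: per-user random salt and a deliberately slow hash ----------
def store(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


SALTED = {user: store(pw) for user, pw in CONSTRUCTED_PASSWORDS.items()}


def crack_salted(records: Dict[str, Dict[str, bytes]],
                 wordlist: Iterable[str]) -> Dict[str, str]:
    """No shared lookup table is possible: every (user, word) pair costs a full
    PBKDF2 run, so the work is users x words x ITERATIONS, not just words."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify(rec, w):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("alice and carol share a leaked hash:", LEAKED["alice"] == LEAKED["carol"])
    print("unsalted, cracked:", crack_unsalted(LEAKED, WORDLIST))
    print("salted, alice == carol hash:", SALTED["alice"]["hash"] == SALTED["carol"]["hash"])
    print("salted, cracked (slowly):", crack_salted(SALTED, WORDLIST))
```

Two things to take from running it. With the unsalted table, alice and carol are visibly the same password before a single guess is made, and one pass over the wordlist cracks everyone on it. With salt and PBKDF2 the hashes differ and each guess costs a full slow hash per user, but "letmein" still falls in a few tries: hashing hygiene on the site's side limits how fast and how broadly a leak is exploited, and only a password you haven't reused limits what the attacker can do with it.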