Share This

Thursday, 29 July 2010

Armed with exploits, ATM hacker hits the jackpot

Game over' vulns spew cash on demand

Black Hat A startling percentage of the world's automated teller machines are vulnerable to physical and remote attacks that can steal administrative passwords and personal identification numbers to say nothing of huge amounts of cash, a security researcher said Wednesday.

At the Black Hat security conference in Las Vegas, Barnaby Jack, a security researcher with IOActive, demonstrated attacks against two unpatched models from two of the world's biggest ATM makers. One exploited software that uses the internet or phone lines to remotely administer a machine made by Tranax Technologies. Once Jack was in, he was able to install a rootkit that allowed him to view administrative passwords and account PINs and to force the machine to spit out a steady stream of dollar bills, something the researcher called “jackpotting.”

“It's time to give these devices an overhaul,” Jack told a standing room-only audience during day one of the two-day conference. “There hasn't been a secure development methodology from the get go. The simple fact is companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continued attacks against them.”

In a second attack against a machine from Triton Systems, Jack used a key available for sale over the internet to access the model's internal components. He was then able to use a install his rootkit by inserting a USB drive that was preloaded with the malicious program.

Both Triton and Tranax have patched the vulnerabilities that were exploited in the demos. But in a press conference immediately following his talk, Jack said he was confident he could find similarly devastating flaws – including in machines made by other manufacturers as well.

Jack said he wasn't aware of real-world attacks that used his exploits, but this foiled attack from earlier this year appears to involve many of the same techniques.

“Every ATM I've looked at, I've found a game-over vulnerability that allows me to get cash from the machine,” he said.

To streamline his work, Jack developed an exploit kit he calls Dillinger, named after the 1930s bank robber. It can be used to access ATMs that are connected to the internet or the telephone system, which Jack said is true of most machines. The researcher has developed a rootkit dubbed Scrooge, which is installed once Dillinger has successfully penetrated a machine.

Jack said vulnerable ATMs can be located by war-dialing large numbers of phone numbers or sending specific queries to IP addresses. Those connected to ATMs will send responses that hackers can easily recognize.

Jack called on manufacturers to do a better job securing their machines. Upgrades for physical locks, executable signing at the operating system kernel level and more rigorous code reviews should all be implemented, he said.

The talk came one year after a similar one was pulled last year. Jack said the cancellation came because there weren't patches in place for the vulnerabilities he planned to demonstrate.
He said he was grateful for the extra year to research the vulnerabilities.


By Dan Goodin in Las Vegas MT
Newscribe : get free news in real time

No ordinary Jho Low

World Exclusive!

Mystery man jetsets with Arabs and parties with celebs

KUALA LUMPUR: International Man of Mystery Jho Low, who parties with Paris Hilton and is reputed to chalk up hefty bills for champagne, has finally come out to talk about himself and the life he lives.

In an exclusive interview with The Star, this 28-year-old multilingual Penangite, whose full name is Low Taek Jho, reveals for the first time:


> His Arab childhood friends and investors are actually the spenders, not him;

> How he made his first million when he was just 20 and the billions in deals he had strung together so far;

> The importance of going to the right schools;

> Setting up a portfolio worth billions that will go public in October;

> He parties with Hilton, Megan Fox, Jamie Foxx, Lindsay Lohan and Usher but claims that news reports about the parties are exaggerated.

> How he grew up in Penang and his present globe-trotting life covering Los Angeles, New York, London, St Tropez, Abu Dhabi and Kuala Lumpur.

Related Stories:

A millionaire before graduating
Right place, right time, right people
Paris just part of the group
No website and no Twitter
Low dispels talk he received RM500mil airbase job

Exclusive Source: The Star, By WONG CHUN WAI, WONG SAI WAN and LESTER KONG  







Wednesday, 28 July 2010

Courts and the Constitution

REFLECTING ON THE LAW

By Prof SHAD SALEEM FARUDI

 Our basic charter needs to be interpreted creatively and dynamically. Judges should be receptive to the felt necessities of the times and their interpretations should show suppleness of adaptation to changing circumstances. 

AT the Bar Council’s Biannual Law Conference this weekend, one of the topics slotted for discussion is “Constitutional Interpretation”.

As one of the invited speakers, it is my intention to point out that interpretation is an art and not a science. Legal words do not have a self-evident meaning and the “golden rule” of interpretation is that there are no golden rules.

This is especially so when the clauses of the Constitution are deliberated. A Constitution is not just a lawyer’s document. It is the vehicle of the community’s legal, political and social life. It is the repository of the nation’s dreams and demands and its values and vulnerabilities.

It is a generic law which provides the foundation on which the superstructure of the state rests. It protects fundamental freedoms. It seeks to reconcile the irreconcilable conflict between the might of the state and the rights of the citizens.

The glittering generalities of our basic charter need to be interpreted creatively and dynamically because the Constitution was not made merely for the generation that existed at the time of drafting but for all posterity.

Being a living piece of legislation, its spirit should always be the spirit of the age. Judges should be receptive to the felt necessities of the times and their interpretations should show suppleness of adaptation to changing circumstances.

How have our judges handled our document of destiny? How have they performed their solemn duty to “preserve, protect and defend” the basic charter? Regrettably, the record is not very laudable. In many areas of social life, Malaysians can proudly count many blessings but as to the contribution of the superior courts to constitutionalism, there is not much to celebrate as we approach 53 years of independence.

Despite the principle of constitutional supremacy in Articles 4(1) and 162(6), our courts have shown extreme reluctance to invalidate parliamentary legislation or state enactments on constitutional grounds.


There have been 20 or so cases in 53 years where constitutional review succeeded at some stage of the proceedings. Sadly, eight of these rulings were reversed on appeal. Two were set aside by constitutional amendments. That leaves 10 decisions in 53 years where judicial review of a legislative measure left an impact.

However, in a host of other situations, the courts have refused opportunities to import principles of constitutionalism from abroad that would have limited unrestrained legislative or executive power.

For example, in Eng Keock Cheng, the issue was whether a law-making authority can delegate its powers to another body so broadly as to constitute abdication. The doctrine against excessive delegation, usefully employed abroad, was, however, rejected by our courts.

On the issue of constitutional amendments, the scintillating idea that the amendment process cannot be abused to destroy the “basic structure” (or core principles) of the Constitution was turned down.

A bold High Court ruling, based on Indian precedents, that the Emergency Proclamation issued in 1969 cannot last for ever and can come to an end by efflux of time was brushed aside.

The notion of implied, un-enumerated, non-textual rights has been rejected. In the Aliran case, legislation like the Printing Presses & Publications Act with blatantly unconstitutional provisions was allowed to stand.

It defies constitutional imagination how in a country with a supreme Constitution and a chapter on fundamental liberties a law can confer “absolute discretion” to grant or refuse a printing permit or “to impose any condition the Minister deems fit”.

The reasonableness, justice or morality of any legislation is not the concern of our courts. As long as a law was passed by the competent authority in the proper manner, it is valid irrespective of its content.

This is in contrast with the jurisprudence of many countries that Parliament’s power to enact “law” is circumscribed by the understanding that the term “law” does not refer to harsh or oppressive measures but to rules that are fair and just.

Obviously, the British doctrine of parliamentary sovereignty continues to command loyalty in many judicial minds even though Malaysia is blessed with a written and supreme Constitution.

In its relationship with the executive, the courts have a similar mixed record. There are some extremely bold decisions. For example, in the ISA cases of Tan Sri Raja Khalid, Jamaluddin Othman, Abdul Ghani Haroon, Abd Malek Hussin v Borhan Hj Daud and Thamilvanen a/l Kandasamy the courts issued the writ (order) of habeas corpus to free the detainees unlawfully detained.

Civil servants, workers in the private sector and detainees under various drugs legislation have a very good fighting chance of winning their gladiatorial contests in the courts.

Ouster clauses in industrial relations legislation seek to exclude any judicial scrutiny. Our courts disregard these clauses, as indeed they should, and do justice suitable to the case.

Regrettably, however, denial or delay of the right to legal representation under Article 5(3) has generally aroused indifference. We have a remarkable decision that a detainee’s right to legal representation commences from the time of arrest but cannot be exercised till police have completed their investigation.

The courts seem to have graded human rights. The right to property, protection against double jeopardy and protection against backdated criminal laws are given adequate protection. However, personal liberty, freedom of speech and equality are almost always subjected to wide executive power to restrict on grounds of public order, etc.

Freedom of religion was one of our best protected rights. In a sad reversal in the last 15 years, the courts have turned a blind eye towards many painful and tragic issues surrounding this right.

In many areas of executive power, the courts generally refrain from treading in, and the decision by the state is declared to be non-reviewable. Examples of such areas of absolute power are the subjective satisfaction of the Minister in preventive detention cases; the issuance and continuance of emergency declarations under Article 150; the power to grant mercy and the Attorney-General’s powers under Article 145 to commence or discontinue criminal proceedings or to transfer a criminal case vertically or horizontally to another court.
In many other countries, a rich jurisprudence has evolved to surround these executive domains with humanising principles of openness and accountability.

On issues of apostasy and Islamic law in general, our superior courts are happy to hand the matter over to Syariah Courts even though momentous issues of constitutionality may be at stake. We have an instance of a non-Muslim woman being advised by a superior court judge to submit herself to the jurisdiction of the Syariah Court despite the fact that Schedule 9 List II Para 1 clearly provides that Syariah Courts shall have jurisdiction only over persons professing the religion of Islam.

Despite 53 years, the Constitution has not become the chart and compass, the sail and anchor of our legal life. Its imperatives have not been transformed by the courts into the aspirations of the people.

But there is still hope. Malaysian constitutional jurisprudence has many seeds for growth. Under the leadership of Justice Datuk Seri Gopal Sri Ram and a number of other dynamic judges, public law issues are often seen in the context of constitutional safeguards.

In some cases, issues of natural justice and unreasonableness are linked with the Constitution. This elevation of administrative law issues to the pedestal of constitutional law holds much promise. But we have to wait and see. There are currents and cross currents to keep hope alive.

Prof Datuk Dr Shad Saleem Faruqi is Professor Emeritus at UITM and Visiting Professor at USM.

Tuesday, 27 July 2010

Everybody can be a game developer with Kodu

GAME ON: Some students who participated in the Microsoft's Kodu Kup competition showing off their skills at the company's launch event in Kuala Lumpur.
 
KUALA LUMPUR: Software giant Microsoft Malaysia wants to nurture fledgling game developers from as young as nine through its game design competition, known as the Kodu Kup.

According to its education director Farad Alhusaini, computer games are no longer just for entertainment; they are now also an important educational tool that can spark a culture of creativity and innovation in our youngsters.

For this reason, Microsoft is putting its resources firmly behind the Kodu Kup competition. "Kodu is a fantastic avenue to inspire students to understand the fundamentals and principles of computing and software development," Farad said.

The inaugural competition, which kicked off yesterday, pits students from six schools - Tunku Kurshiah College, SK Taman Putra Perdana, SMK Taman Bukit Maluri, SMK USJ 12, SJK (C) Ladang Harcroft and SJK (C) Chio Nan - against each other.

Participants must develop a computer game using Kodu Game Lab - a simple and visual programming language develop by Microsoft Research.

The program offers a straightforward, fun and easy to use a visual interface, where the users only need to click and string together intuitive icons that define the rules of their game world.

Then, they use a mouse and keyboard - or even better, a gamepad - to navigate the program. No complex programming language to learn and absolutely zero lines of code needed, explained Farad.

"The result is that anyone aged from seven to 70 can create a game in minutes," he said.

Connected

The Kodu Kup competition is a preliminary step to the bigger event that is Microsoft's Imagine Cup. The Imagine Cup is a global competition sponsored by the software giant to encourage university students to develop technology that helps solve the world's problems.

This year, the Imagine Cup final was held in Warsaw, Poland. The Malaysian team did the country proud by beating more than 60 other international teams to make it to the final, in the Software Design category.

"Malaysia needs to start looking among its younger generations to find talented students who will succeed even more in such competitions in the future," Farad said.

"This is where the Kodu Kup competition comes in, he said. "The primary target of most computer games are youngsters, so why not give them the chance to be in the driver's seat - i.e. to create such games, instead of merely playing them."

The Kodu Kup competition will run till Aug 20 and is also open to teachers. Student participants will be judged on creativity, game design, and the fun factor of their games.

Teachers who enter the contest, must showcase how Kodu Game Lab can be used effectively in the classroom, not only to stimulate critical thinking but also how it can help develop problem-solving and logic skills in students.

The aim here is to let teachers inspire and excite their students to learn and experiment, as well as to bring back the "cool" factor in education, according to Farad.

The prizes

Results of the Kodu Cup competition will be announced on Aug 27. The winning student and teacher will each receive a trophy, a notebook PC, an XBox 360 gaming console, as well as various Microsoft software and hardware.

The competition is supported by Yayasan Inovasi Malaysia (YIM), a foundation under the Ministry of Science, Technology and Innovation.

Prior to the launch of the competition, the participating teachers and students had to undergo two-day training sessions with Kodu Game Lab specialists from Microsoft and ideaslab. ideaslab is an organisation based in Victoria, Australia, which serves as a hub for national and international research into learning and teaching technology.

++++
www.kodukup.com

Social networks posing security threat




 
IMMINENT DANGER: According to a Sophos survey in December 2009, 60% of the respondents believed that Facebook presents the biggest security risk compared to other social networking sites - way ahead of MySpace, Twitter and LinkedIn. - AP

THE Internet is a lot more than just a means of staying informed. It has evolved into something much more than what it was originally intended to be.

For some, it is an avenue to avoid the long queues at banks and service counters. For others, it is a place where you can work collaboratively.

But for most, the Web is a communication tool that connects them with family and friends via the many social networking tools.

Most Internet security experts conclude that cyberattacks on social networking sites will increase over the years. Since 2008, Facebook, Twitter, MySpace, LinkedIn, and other such sites have been in the limelight as social networking grew and grew.

These services compete with each other to increase their user base by coming up with mobile tie-ups, applications and games.

All these efforts are worthwhile because social networking sites are the biggest thing on the Internet at the moment, and perhaps for many more years to come. Unfortunately, this trend has also been attracting all sorts of security threats.

New year, new threats

In its 2010 Threat Predictions report, McAfee Labs said it anticipates an increase in threats related to social networking sites such as Facebook.

It also said that criminal tool kits will be evolving rapidly this year to capitalise on new technologies that increase the sophistication of the attack on unsuspecting users.

And, as a result, there is a good chance of an increase in rogue services that exploit Internet users' eagerness to download and install the various and freely available Web 2.0 applications.

According to a Sophos survey in December 2009, 60% of the respondents believed that Facebook presents the biggest security risk compared to other social networking sites - way ahead of MySpace, Twitter and LinkedIn.

Cisco Systems' 2009 Annual Security Report mentioned that the Facebook user base has tripled from 100 million users in 2008 to 350 million in 2009.

There is no doubt that such a huge increase in the number of users within a year's time is phenomenal, and it is attracting cybercriminals from all over the world to migrate their attacks to Facebook
.
Mitigating threats

In order to stay safe while using social networking tools (or in fact, other Internet-based applications), users are urged to observe the following practices:

1. Never click on any URL links in unsolicited e-mail (i.e. e-mail that you are not expecting nor asked for);

2. Never log in your online credentials through pages opened up by the URL links you get from any e-mail. In order to be safe, type the URL yourself in the browser. If you have been using shared PCs, be sure not to click on the links provided by the browser bookmarks;

3. Never jot down your online login credentials in an e-mail, even if you think of it as a note to yourself. e-Mail is not the proper place to store your online login credentials. This is to minimise the risks should your e-mail system be compromised;

4. Always verify the validity of the services or links you get via e-mail, even if it appears to be sent by a social networking tool you subscribe to. Google it or better yet, e-mail the service administrators and ask them. Pay extra attention to the given URL as a slight difference would mean a different site altogether;

5. Change the passwords of your online credentials from time to time and do not use the same password for all of them. For a secure password, use a combination of uppercase and lowercase alphabets and numbers, and try to use words that do not exist in any dictionary; and

6. Do not arbitrarily download any updates for your applications. If you really need them, visit the official website and get more information.

Conclusion

It is imperative that Internet users understand that the threats and security issues which come with social networking tools aren't necessarily caused by vulnerabilities in the software or the user's PC … at least, not all the time.

Software vulnerabilities are reported from time to time and they will always be the cornerstone of cybercriminal activities. But for them to work, they have to be initiated by the users themselves in one way or another.

(Syahrir Mat Ali is senior executive of the cybermedia research department at CyberSecurity Malaysia - the national cybersecurity specialist under the Ministry of Science, Technology and Innovation. These are his personal views expressed here.)