Tag Archives: Ross Anderson

PINballzup: chip & PIN issue links

I’ve already blogged this at ESET (3rd link down), so these are just links, but quite a few of them. The first is the actual Cambridge paper (or rather a draft thereof).

Chip and PIN is Broken (Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond), University of Cambridge Computer Laboratory

Chip and PIN is broken: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Has Chip & PIN Had Its Chips?: http://www.eset.com/threat-center/blog/2010/02/12/has-chip-pin-had-its-chips 

PIN check in EMV protocol for EC and credit cards bypassed: http://www.h-online.com/security/news/item/PIN-check-in-EMV-protocol-for-EC-and-credit-cards-bypassed-929784.html

Chip and PIN system on banking cards seriously flawed: http://www.net-security.org/secworld.php?id=8862&utm_source=twitterfeed&utm_medium=ping.fm&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

New flaws in chip and pin system revealed:

Chip and PIN Security Completely Broken by New Attack
http://threatpost.com/en_us/blogs/chip-and-pin-security-completely-broken-new-attack-021210?utm_source=twitterfeed&utm_medium=ping.fm

Millennium Falcon crash and burn

Ironically, we seem to be seeing more date-related issues this month than we did at the start of the noughties, unless The Register is making this all up, which doesn’t seem likely.

http://www.theregister.co.uk/2010/01/05/windows_mobe_bug/
http://www.theregister.co.uk/2010/01/04/bank_queensland/
http://www.theregister.co.uk/2010/01/05/symantec_y2k10_bug/
http://www.spamresource.com/2010/01/spamassassin-2010-bug.html

[And this one:
http://www.msnbc.msn.com/id/34706092/ns/technology_and_science-security/?ocid=twitter]

It’s not really surprising: this is a more-or-less accidental cluster of somewhat similar bugs, as far as I can see. It’s certainly not an industry-wide issue that was foreseen years in advance and therefore attracted serious proactive research and remediation.

In fact, if there’s a lesson here, it’s one for the people who dismiss the entire Y2K remediation issue as hype and wasted resources. Well, there was a great deal of hype around at that time (did anyone actually see a Y2K virus?), and a number of consultants made money out of advising IT people on the ground to do what they were already doing.

However, given the (short-term) impact of this handful of unanticipated (but fairly easily fixed) bugs, I think it’s reasonable to assume that if system administrators and support technicians all over the globe hadn’t done that proactive remediative work, the first weeks of the new millennium would have been a lot more dramatic.

Like Ross Anderson (http://www.cl.cam.ac.uk/~rja14/Papers/y2k.pdf), I doubt if the sky would have fallen, but some of the consequent issues would have been harder and more expensive to fix reactively.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com