Fatma Bazargan’s blog


عيدكــــم مبـــــارك
September 30, 2008, 9:24 pm
Filed under: General

أطيب التمنيات وأصدق التهاني بحلول عيد الفطر السعيد

أعاده الله علينا وعليكم بالخير واليمن والبركات

وتقبل الله قيامكم وطاعاتكم

 

كل عـام وأنتــم بخــير

 

الصورة من إبداع: الأنسة م. المهيري – (مشكورة عزيزتي)

 تحياتي: فاطمة بازاركان



UAE: ATM and Credit Card Fraud and Identity Theft
September 13, 2008, 10:40 am
Filed under: Security

Everyone has been talking lately about the ATM and Credit Card Fraud that took place last week; this security breach was not limited to one specific bank but various other banks in the UAE were affected too such as: NBAD, Emirates NBD, DIB, ADCB, HSBC, LIoyds, Mashreq, etc.

What happened was that fraudsters used counterfeit/cloned cards to make fraudulent transactions both from within and outside the country. The attack affected both the debit cards and the credit cards.  

 

The temporary measure taken by all banks to mitigate this threat was similar and simple. They all warned their customers as to 1. change the PIN numbers of their debit and credit card accounts; and some who failed to change their PIN numbers within a given period of time got into the hassle that all their debit card and credit card transactions where deactivated and were advised to approach the nearest branch to issue a new one. 2. Have blocked/limited international use of its ATM transactions in some overseas location. So the countries where the fraudulent transactions took place were: Malaysia, Philippines, UK, USA, etc.

 

The alarming question here is: there wasn’t a single bank that was not affected with this security breach? And the unanswered question is why?

 

Another point to notice is: this is not the first time in the UAE history of ATM fraud that such a security breach occurred. If we go past in the history in an attempt to search the Internet we would find that every year and precisely the same time of the year (i.e. after summer) we get the ATM fraud coverage in the UAE newspapers. The reason: almost everyone goes on a summer vacation to International countries exposing their debit and credit cards to stores/kiosks that do not practice due diligence in protecting the cards and there it goes “once it’s known it’s abused.”

 

So what about the debits cards? Well, debit card details can be stolen using the ATM fraud machines and card skimming/jamming techniques. These ATM fronts are installed in a way on ATM Machines that it just looks so original. But the best way to defeat against card skimming is to always mask/cover your PIN when entering it at the ATM or while making a transaction (mask it with your hand or a paper or a wallet; whatever it takes to mask your PIN) and always watch out for the Man in the Middle Attack (movie threat plot) (someone who stands anywhere close to you just to peak into the digits you are entering on the ATM Machine). Another way can be, if you notice that the ATM machine you are standing at has any signs that it has been tampered with, then it is better that you just notify the bank and try using other ATM machines for money withdrawals.

 

So what can a solution be? Keep using the magnetic stripe cards that can be counterfeited easily? Turn to Biometrics or Smart Cards? Shall we say RSA tokens for a change?

 

As for me; I believe the key is: Awareness, being aware about the best/safe practices for card usage, withdrawals and transactions and having a bank that practices due diligence in return is the key. Until the technology takes a heap and comes up with something better that could replace the existing banking technology all together.

 

-till my next post, safe banking!

Bazargan



Google Chrome Vulnerability again, again and again…
September 9, 2008, 9:08 pm
Filed under: Security

 

In the world of security, the one problem that constantly hunts us like a nightmare is when programmers come up with applications and forget to integrate security into it. Yet another application as such was released couple of days back called Google Chrome it was so attractive to lure everyone and anyone to download and give it a try not until hours later when the Researcher Aviv Raff found it vulnerable and others followed.

 

If you have looked keenly into the source code of Google Chrome I’m sure by now you know that it uses the WebKit engine. Remember the vulnerability found in Safari v3.1 (Safari also used the source code from WebKit) known as the carpet-bombing flaw which then got rectified in the newer version of Apple Safari v3.1.2. Exactly, it seems Google used the vulnerable version of WebKit and deployed it into Chrome without doing some background checks on security issues that existed ever since.

 

Carpet-Bombing Flaw or the blended threat: a combination of different flaws one that was found in WebKit and the other is the Java Security Bug (the one discussed earlier this year at Black Hat by Petko); this is what happens any Windows user can be tricked into launching executable files right onto their desktop without user-interaction. The problem is what if the executable file is malicious!

 

That is not it; Google has also taken a feature from the Mozilla Project, where an ActiveX plug-in is loaded by Chrome, where it shows that the browser has capabilities to execute ActiveX controls.

 

You can read about other bugs that were also found in Chrome here. 

 

The actual problem resides when you borrow different codes from different open source browsers; then get into the hassle of being updated with the different flaws that has been reported and cross fingers for those which are not reported and yet you need to discover and rectify.

 

But the important question remains unanswered: why would Google enter the browser market? (hmmmm…)

 

All I can say.. Welcome Chrome! You are neat and sleek after all.  

 

-cheerz

  Bazargan



NMAP 4.75 Released…
September 9, 2008, 8:08 am
Filed under: Security

 

Yes, you heard me right; NMAP 4.75 is released with significant improvements since 4.68. Some of the great improvements are:

  • It draws a map of the network using the Zenmap Scan Topology System (now you can proudly call it a “Network Mapper” =);
  • Zenmap Scan Aggregation feature; 
  • Expanded nmap-services;
  • Hundreds of new OS detection fingerprints (now it is also works like a charm with Windows 2000);
  • Many new Scripting Engine Scripts and Libraries;
  • Many bugs fixes and performance improvements; and many more.

Give it a try, to download click here. If you come across any bugs you can report it.

 

Enjoy;

Bazargan 



Fyodor’s: NMAP Network Scanning Book
September 2, 2008, 4:47 pm
Filed under: Security

 

 

I’m sure you all know Fyodor the author of the famous and widely used network security scanner “NMAP”. A free and open source tool used mainly for network exploration/inventory, port scanning and security audits.

 

The latest book by Fyodor has is the NMAP Network Scanning (NNS) which is an official guide for the Network Security Scanner. It was pre-released at DEFCON this year. Till it gets released officially; I guess I can only wait for it.  

 

It is one of those books that I have a great urge to read and have. I’ll for sure post a review of the book once I’m over with it.

 

Cheerz

Bazargan