'Game over' vulns spew cash on demand
Black Hat: A startling percentage of the world's automated teller machines are vulnerable to physical and remote attacks that can steal administrative passwords and personal identification numbers, to say nothing of huge amounts of cash, a security researcher said Wednesday.
At the Black Hat security conference in Las Vegas, Barnaby Jack, a security researcher with IOActive, demonstrated attacks against two unpatched models from two of the world's biggest ATM makers. One exploited software that uses the internet or phone lines to remotely administer a machine made by Tranax Technologies. Once Jack was in, he was able to install a rootkit that allowed him to view administrative passwords and account PINs and to force the machine to spit out a steady stream of dollar bills, something the researcher called “jackpotting.”
“It's time to give these devices an overhaul,” Jack told a standing-room-only audience during day one of the two-day conference. “There hasn't been a secure development methodology from the get-go. The simple fact is companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continued attacks against them.”
In a second attack against a machine from Triton Systems, Jack used a key available for sale over the internet to access the model's internal components. He was then able to install his rootkit by inserting a USB drive that was preloaded with the malicious program.
Both Triton and Tranax have patched the vulnerabilities that were exploited in the demos. But in a press conference immediately following his talk, Jack said he was confident he could find similarly devastating flaws, including in machines made by other manufacturers.
Jack said he wasn't aware of real-world attacks that used his exploits, but this foiled attack from earlier this year appears to involve many of the same techniques.
“Every ATM I've looked at, I've found a game-over vulnerability that allows me to get cash from the machine,” he said.
To streamline his work, Jack developed an exploit kit he calls Dillinger, named after the 1930s bank robber. It can be used to access ATMs that are connected to the internet or the telephone system, which Jack said is true of most machines. The researcher has developed a rootkit dubbed Scrooge, which is installed once Dillinger has successfully penetrated a machine.
Jack said vulnerable ATMs can be located by war-dialing large numbers of phone numbers or sending specific queries to IP addresses. Those connected to ATMs will send responses that hackers can easily recognize.
Jack called on manufacturers to do a better job securing their machines. Upgrades for physical locks, executable signing at the operating system kernel level and more rigorous code reviews should all be implemented, he said.
The talk came one year after a similar one was pulled from the previous year's conference. Jack said the cancellation came because there weren't patches in place for the vulnerabilities he planned to demonstrate.
He said he was grateful for the extra year to research the vulnerabilities.
By Dan Goodin in Las Vegas MT
Thursday, July 29, 2010
No ordinary Jho Low
World Exclusive!
Mystery man jetsets with Arabs and parties with celebs
KUALA LUMPUR: International Man of Mystery Jho Low, who parties with Paris Hilton and is reputed to chalk up hefty bills for champagne, has finally come out to talk about himself and the life he lives.
In an exclusive interview with The Star, this 28-year-old multilingual Penangite, whose full name is Low Taek Jho, reveals for the first time:
> His Arab childhood friends and investors are actually the spenders, not him;
> How he made his first million when he was just 20 and the billions in deals he had strung together so far;
> The importance of going to the right schools;
> Setting up a portfolio worth billions that will go public in October;
> He parties with Hilton, Megan Fox, Jamie Foxx, Lindsay Lohan and Usher but claims that news reports about the parties are exaggerated.
> How he grew up in Penang and his present globe-trotting life covering Los Angeles, New York, London, St Tropez, Abu Dhabi and Kuala Lumpur.
Related Stories:
A millionaire before graduating
Right place, right time, right people
Paris just part of the group
No website and no Twitter
Low dispels talk he received RM500mil airbase job
Exclusive Source: The Star, By WONG CHUN WAI, WONG SAI WAN and LESTER KONG
Wednesday, July 28, 2010
Courts and the Constitution
REFLECTING ON THE LAW
By Prof SHAD SALEEM FARUDI
Our basic charter needs to be interpreted creatively and dynamically. Judges should be receptive to the felt necessities of the times and their interpretations should show suppleness of adaptation to changing circumstances.
AT the Bar Council’s Biannual Law Conference this weekend, one of the topics slotted for discussion is “Constitutional Interpretation”.
As one of the invited speakers, it is my intention to point out that interpretation is an art and not a science. Legal words do not have a self-evident meaning and the “golden rule” of interpretation is that there are no golden rules.
This is especially so when the clauses of the Constitution are deliberated. A Constitution is not just a lawyer’s document. It is the vehicle of the community’s legal, political and social life. It is the repository of the nation’s dreams and demands and its values and vulnerabilities.
It is a generic law which provides the foundation on which the superstructure of the state rests. It protects fundamental freedoms. It seeks to reconcile the irreconcilable conflict between the might of the state and the rights of the citizens.
The glittering generalities of our basic charter need to be interpreted creatively and dynamically because the Constitution was not made merely for the generation that existed at the time of drafting but for all posterity.
Being a living piece of legislation, its spirit should always be the spirit of the age. Judges should be receptive to the felt necessities of the times and their interpretations should show suppleness of adaptation to changing circumstances.
How have our judges handled our document of destiny? How have they performed their solemn duty to “preserve, protect and defend” the basic charter? Regrettably, the record is not very laudable. In many areas of social life, Malaysians can proudly count many blessings but as to the contribution of the superior courts to constitutionalism, there is not much to celebrate as we approach 53 years of independence.
Despite the principle of constitutional supremacy in Articles 4(1) and 162(6), our courts have shown extreme reluctance to invalidate parliamentary legislation or state enactments on constitutional grounds.
There have been 20 or so cases in 53 years where constitutional review succeeded at some stage of the proceedings. Sadly, eight of these rulings were reversed on appeal. Two were set aside by constitutional amendments. That leaves 10 decisions in 53 years where judicial review of a legislative measure left an impact.
However, in a host of other situations, the courts have refused opportunities to import principles of constitutionalism from abroad that would have limited unrestrained legislative or executive power.
For example, in Eng Keock Cheng, the issue was whether a law-making authority can delegate its powers to another body so broadly as to constitute abdication. The doctrine against excessive delegation, usefully employed abroad, was, however, rejected by our courts.
On the issue of constitutional amendments, the scintillating idea that the amendment process cannot be abused to destroy the “basic structure” (or core principles) of the Constitution was turned down.
A bold High Court ruling, based on Indian precedents, that the Emergency Proclamation issued in 1969 cannot last for ever and can come to an end by efflux of time was brushed aside.
The notion of implied, un-enumerated, non-textual rights has been rejected. In the Aliran case, legislation like the Printing Presses & Publications Act with blatantly unconstitutional provisions was allowed to stand.
It defies constitutional imagination how in a country with a supreme Constitution and a chapter on fundamental liberties a law can confer “absolute discretion” to grant or refuse a printing permit or “to impose any condition the Minister deems fit”.
The reasonableness, justice or morality of any legislation is not the concern of our courts. As long as a law was passed by the competent authority in the proper manner, it is valid irrespective of its content.
This is in contrast with the jurisprudence of many countries that Parliament’s power to enact “law” is circumscribed by the understanding that the term “law” does not refer to harsh or oppressive measures but to rules that are fair and just.
Obviously, the British doctrine of parliamentary sovereignty continues to command loyalty in many judicial minds even though Malaysia is blessed with a written and supreme Constitution.
In its relationship with the executive, the courts have a similar mixed record. There are some extremely bold decisions. For example, in the ISA cases of Tan Sri Raja Khalid, Jamaluddin Othman, Abdul Ghani Haroon, Abd Malek Hussin v Borhan Hj Daud and Thamilvanen a/l Kandasamy the courts issued the writ (order) of habeas corpus to free the detainees unlawfully detained.
Civil servants, workers in the private sector and detainees under various drugs legislation have a very good fighting chance of winning their gladiatorial contests in the courts.
Ouster clauses in industrial relations legislation seek to exclude any judicial scrutiny. Our courts disregard these clauses, as indeed they should, and do justice suitable to the case.
Regrettably, however, denial or delay of the right to legal representation under Article 5(3) has generally aroused indifference. We have a remarkable decision that a detainee’s right to legal representation commences from the time of arrest but cannot be exercised till police have completed their investigation.
The courts seem to have graded human rights. The right to property, protection against double jeopardy and protection against backdated criminal laws are given adequate protection. However, personal liberty, freedom of speech and equality are almost always subjected to wide executive power to restrict on grounds of public order, etc.
Freedom of religion was one of our best protected rights. In a sad reversal in the last 15 years, the courts have turned a blind eye towards many painful and tragic issues surrounding this right.
In many areas of executive power, the courts generally refrain from treading in, and the decision by the state is declared to be non-reviewable. Examples of such areas of absolute power are the subjective satisfaction of the Minister in preventive detention cases; the issuance and continuance of emergency declarations under Article 150; the power to grant mercy and the Attorney-General’s powers under Article 145 to commence or discontinue criminal proceedings or to transfer a criminal case vertically or horizontally to another court.
In many other countries, a rich jurisprudence has evolved to surround these executive domains with humanising principles of openness and accountability.
On issues of apostasy and Islamic law in general, our superior courts are happy to hand the matter over to Syariah Courts even though momentous issues of constitutionality may be at stake. We have an instance of a non-Muslim woman being advised by a superior court judge to submit herself to the jurisdiction of the Syariah Court despite the fact that Schedule 9 List II Para 1 clearly provides that Syariah Courts shall have jurisdiction only over persons professing the religion of Islam.
Despite 53 years, the Constitution has not become the chart and compass, the sail and anchor of our legal life. Its imperatives have not been transformed by the courts into the aspirations of the people.
But there is still hope. Malaysian constitutional jurisprudence has many seeds for growth. Under the leadership of Justice Datuk Seri Gopal Sri Ram and a number of other dynamic judges, public law issues are often seen in the context of constitutional safeguards.
In some cases, issues of natural justice and unreasonableness are linked with the Constitution. This elevation of administrative law issues to the pedestal of constitutional law holds much promise. But we have to wait and see. There are currents and cross currents to keep hope alive.
Prof Datuk Dr Shad Saleem Faruqi is Professor Emeritus at UITM and Visiting Professor at USM.