funsec mailing list archives
Re: ram scraper
From: Michael Collins <mcollins () aleae com>
Date: Thu, 10 Dec 2009 16:23:10 -0500
<Shrug> Why should a company opt for good, usable secure design when it's going to delay them to market? After all, nothing truly horrible has happened to them yet, certainly not as horrible as their competitor getting a shoddy design out first? Seriously, next you're going to tell me you expect developers to actually know and use libraries with well-vetted cryptography, rather than reinventing everything each time because the documentation is too long. On Dec 10, 2009, at 1:04 PM, The Security Community wrote:
The last time I rented a car (August, Enterprise) the ass-end of the POS terminal I was served at presented me (the customer) with two USB sockets. The counter people were in and out of the office constantly and although there was video surveillance it wouldn't have been difficult to plug a thumb drive in on the off chance autorun wasn't disabled. Also, why on Earth do POS terminals have enough Internet/Web access to upload files to anywhere? So the help can watch hulu between customers? On Thu, Dec 10, 2009 at 11:57 AM, <Valdis.Kletnieks () vt edu> wrote:On Thu, 10 Dec 2009 10:17:58 CST, RandallM said:what is the types of processes to protect from RAM pilfering? I have to admit I never thought this one. http://www.theregister.co.uk/2009/12/09/ram_scraper_credit_card_theft/"So-called RAM scrapers scour the random access memory of POS, or point-of-sale, terminals, where PINs and other credit card data must be stored in the clear so it can be processed. When valuable information passes through, it is uploaded to servers controlled by credit card thieves." So tell me - why is a POS terminal at all vulnerable to easy infection by malware? Let me restate it: 'POS Terminal' == 'network-connected cash register'. These need to be easily reprogrammed (by owner or miscreant), why, exactly? _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list._______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Mike Collins mcollins () aleae com _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- ram scraper RandallM (Dec 10)
- Re: ram scraper Valdis . Kletnieks (Dec 10)
- Re: ram scraper Larry Seltzer (Dec 10)
- Re: ram scraper RandallM (Dec 10)
- Re: ram scraper The Security Community (Dec 10)
- Re: ram scraper Michael Collins (Dec 10)
- Re: ram scraper Larry Seltzer (Dec 10)
- Re: ram scraper The Security Community (Dec 10)
- Re: ram scraper Young, Keith (Dec 10)
- Re: ram scraper Valdis . Kletnieks (Dec 10)