Dark Reading

The cyber security news site Dark Reading interviewed me about malware on ATMs.

Hit the street

I was interviewed about hacking in a financial news website called The Street.

R.I.P. Barnaby

Today I was profoundly saddened to learn of the passing of Barnaby Jack at the age of 35. A few years ago Barnaby attacked my ATM, and he did so with brilliance, integrity, charisma, and chutzpah. To quote from my earlier essay about Barnaby's attack, "Barnaby and I started as adversaries and ended as friends". Indeed, that is where we ultimately ended. My heartfelt condolences to his family and loved ones.

Bob Woodward, Carl Bernstein, Henry Schwarz

The Washington Post asked me for comment on a heist involving ATMs.

Published

The ATM Industry Association recently published its End-To-End Encryption Best Practices Guide, of which I served as Technical Editor, and much of which I authored. The document describes the encryption of data being exchanged between an ATM and its host. Here's the ATMIA press release.

Swipe a strip(e)

Public Service Announcement: A magnetic stripe card is manufactured by adhering a strip of magnetic tape, and one may swipe it through a card reader, but please do not get confused and call it a magnetic strip card nor a magnetic swipe card. Thank you for your attention.

Black Hat USA 2012 **versus** ATM and EFT-POS

I've just returned from the Black Hat USA 2012 infosec conference. Here are some of the presentations which may apply to the ATM and EFT-POS industry.

NIST, the National Institute of Shameful Typos

Sunbathing on an idyllic tropical vacation, I was absently skimming over NIST's 3DES encryption specification, when suddenly I was harshly jolted out of my summer daze, coughing my piña colada out of my nose. One of the weak keys was wrong!
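The weak and semi-weak DES keys are exactly the sort of thing a key-loading routine should reject rather than trust a reader to spot by eye. The following is an added example, not code from this blog or from any NIST document: it lists the four weak and twelve semi-weak single-DES keys as published in NIST SP 800-67, compares keys on their 56 effective bits (so a wrong parity bit cannot hide a weak key), checks odd byte parity, and flags 3DES keys whose components repeat and so collapse to single DES. Function names are hypothetical and the key values in the demo are constructed samples.

```python
"""Sanity checks for DES / TDEA (3DES) keys: odd byte parity, the NIST
weak and semi-weak DES keys, and component reuse that degrades TDEA.
Added example for this page; not the blog's or NIST's own code."""

# The four weak and twelve semi-weak single-DES keys (NIST SP 800-67),
# written in their odd-parity form. A weak key K satisfies
# E_K(E_K(x)) = x; for a semi-weak pair (K, K'), E_K'(E_K(x)) = x.
DES_WEAK_KEYS = [bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)]
DES_SEMI_WEAK_KEYS = [bytes.fromhex(h) for h in (
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)]


def _effective_bits(k8: bytes) -> bytes:
    """Drop the parity bit (LSB) of each byte, leaving the 56 bits that select the key."""
    return bytes(b & 0xFE for b in k8)


# Weak-key tables indexed on effective bits, so parity errors cannot mask a hit.
_WEAK = {_effective_bits(k) for k in DES_WEAK_KEYS}
_SEMI_WEAK = {_effective_bits(k) for k in DES_SEMI_WEAK_KEYS}


def has_odd_parity(byte: int) -> bool:
    """DES key bytes carry 7 key bits plus a parity bit making the byte's weight odd."""
    return bin(byte).count("1") % 2 == 1


def fix_parity(key: bytes) -> bytes:
    """Return the key with each byte's LSB set or cleared to give odd parity."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (0 if has_odd_parity(high) else 1))
    return bytes(out)


def validate_tdea_key(key: bytes) -> list:
    """Return a list of problems found (empty list means the key passed).
    Accepts a 16-byte (2-key, K3 = K1) or 24-byte (3-key) TDEA key."""
    if len(key) not in (16, 24):
        return [f"bad length: expected 16 or 24 bytes, got {len(key)}"]
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    problems = []
    for i, part in enumerate(parts, start=1):
        for j, b in enumerate(part):
            if not has_odd_parity(b):
                problems.append(f"K{i}: bad parity in byte {j}")
        eff = _effective_bits(part)
        if eff in _WEAK:
            problems.append(f"K{i}: DES weak key")
        elif eff in _SEMI_WEAK:
            problems.append(f"K{i}: DES semi-weak key")
    k1, k2 = _effective_bits(parts[0]), _effective_bits(parts[1])
    k3 = _effective_bits(parts[2]) if len(parts) == 3 else k1
    # TDEA is E_K1(D_K2(E_K3(x))); equal neighbours cancel to single DES.
    if k1 == k2:
        problems.append("K1 == K2: degrades to single DES")
    if k2 == k3:
        problems.append("K2 == K3: degrades to single DES")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not real production material.
    samples = {
        "good 3-key": "0123456789ABCDEF" "FEDCBA9876543210" "89ABCDEF01234567",
        "weak K1":    "0101010101010101" "FEDCBA9876543210" "89ABCDEF01234567",
        "K1 == K2":   "0123456789ABCDEF" "0123456789ABCDEF" "89ABCDEF01234567",
    }
    for name, hexkey in samples.items():
        print(name, "->", validate_tdea_key(bytes.fromhex(hexkey)) or "OK")
```

Comparing on effective bits matters: a key of all zero bytes fails parity on every byte, but it is still the weak key 0101…01 once parity is ignored, and the check reports both facts.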

OK everybody, we've finally made it from 1DES to 3DES, now let's keep on going to AES. Come on, let's go, who's with me?! Um, hello? Anyone?

AES is the symmetric crypto algorithm du jour, but AES remains largely unused by retail banking terminals, which have only recently been dragged into the 1990s by migrating from 1DES to 3DES. The journey from 3DES to its successor AES would be fraught with peril; here be dragons.

Black Hatted

At the Black Hat conference in 2010, an ATM designed and built by my employer was set up on stage, and a security researcher demonstrated an exploit which emptied out all its cash. For many months prior, I had been my employer's designated point man in responding to this attack...

Remote key loading and the false dichotomy of certificates versus signatures

For RKL, the XFS standard defines a "scheme using certificates" and a "scheme using signatures", and the industry has taken up this jargon. Please allow me to dispel this misnomer. The differences between the so-called certificate and signature schemes are just formatting and organisation, and they're fundamentally the same. Both methods follow the same sequence of events, both use certificates, both use signatures, and I would discourage any further use of this inaccurate terminology.

Comparing a 112 bit apple with a 2048 bit orange

I am grateful to marketers who boast that their crypto products' key lengths are 2048 bit as opposed to a mere 112 bit, for it is too rare that one has an opportunity to use the word incommensurable.
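As an added illustration of why the two numbers are incommensurable (this is not part of the original post): a symmetric key length counts brute-force trials directly, an elliptic-curve key length is halved by generic square-root attacks, and an RSA modulus length feeds a sub-exponential factoring cost. The RSA figure below uses the textbook asymptotic cost of the general number field sieve, L_n[1/3, (64/9)^(1/3)], with the o(1) term dropped, so it is a heuristic that lands a few bits above NIST's published equivalences (SP 800-57 rates 2048-bit RSA, 224-bit ECC and 112-bit 3DES alike at 112 bits of security). Function names are hypothetical.

```python
"""Work-factor comparison of key lengths across key types.
Added example for this page, not the blog's own code. The RSA estimate
is the GNFS asymptotic with o(1) dropped: a heuristic, not NIST's table."""
import math


def symmetric_strength_bits(key_bits: int) -> float:
    """Exhaustive search over a k-bit key costs about 2^k trials."""
    return float(key_bits)


def ecc_strength_bits(curve_bits: int) -> float:
    """Pollard rho on a group of order ~2^n costs about 2^(n/2) operations."""
    return curve_bits / 2


def rsa_strength_bits(modulus_bits: int) -> float:
    """log2 of the GNFS cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def rsa_bits_for_strength(target_bits: float, step: int = 256, limit: int = 16384) -> int:
    """Smallest modulus size (multiple of `step`) whose heuristic strength reaches the target."""
    for modulus_bits in range(step, limit + 1, step):
        if rsa_strength_bits(modulus_bits) >= target_bits:
            return modulus_bits
    raise ValueError(f"no modulus up to {limit} bits reaches {target_bits} bits")


def compare(symmetric_bits: int, ecc_bits: int, rsa_bits: int) -> dict:
    """Security strength, in bits of work, of one key of each type."""
    return {
        f"{symmetric_bits}-bit symmetric": symmetric_strength_bits(symmetric_bits),
        f"{ecc_bits}-bit ECC": ecc_strength_bits(ecc_bits),
        f"{rsa_bits}-bit RSA (heuristic)": rsa_strength_bits(rsa_bits),
    }


if __name__ == "__main__":
    for label, bits in compare(112, 224, 2048).items():
        print(f"{label:>28}: ~2^{bits:.0f} operations")
    print("RSA modulus needed for 112-bit work (heuristic):", rsa_bits_for_strength(112))
```

The point the output makes is that "2048" and "112" measure different things: the 2048-bit modulus buys roughly the same attacker effort as the 112-bit symmetric key, so a marketer comparing the two numbers is comparing apples with oranges, not stronger with weaker.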

On the uselessness of self-signed SSL certificates

I have observed some hosts using "self-signed" certificates when using SSL to protect their communications with banking terminals. This is tantamount to asking a guest to tell you a password and then verifying that the guest knows this password.