No Pay? No Patch! | TechSNAP 58

Adobe tells customers to upgrade to get the latest security fixes, Kickstarter has an embarrassing security lapse.

PLUS: Self-destructing SSDs, and Mirroring vs a CDN, what’s the difference and when are they used. We answer that, and so much more in this week’s TechSNAP!


Show Notes:

Credit Card Processor Breach led to prepaid card fraud

  • Global Payments, a very large credit card processing firm, was breached some time before March of this year, and as many as 1.5 million cards were leaked. Some industry analysts place the number closer to 7 million
  • It was originally believed that the breach occurred sometime in January or February of 2012, but it now appears it may have been as far back as June of 2011
  • Global Payments claims that it self-discovered and self-reported the compromise; however, some banks had detected the fraud earlier and alerted Visa that the commonality between all of the compromised accounts was purchases at merchants that use Global Payments
  • Some of the cards that were compromised were apparently debit cards, rather than credit cards
  • Some of these debit cards appear to have been sold to criminals, who then used them to defraud stores
  • The offenders would buy low denomination prepaid cards (usually $10 or $20), then go away and reprogram the magnetic stripes on the cards with the data from stolen debit cards
  • The offenders would then return to the stores and purchase high denomination prepaid cards
  • The high value prepaid cards would then be used to purchase expensive electronics and other goods with high resale value
  • One of the reasons that such scams are not more common is that stored value instruments, such as prepaid cards, gift cards and money orders, cannot be purchased with a credit card, because credit card transactions can be reversed. Debit card transactions are usually considered irreversible and more secure
  • Global Payments claimed that only Track 2 data from the cards was compromised, and that Track 1 data, which contains the account holder’s name and other information, was not compromised
  • This successful attack shows how even just Track 2 data can be exploited
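The Track 1 vs Track 2 distinction above is what makes this breach work: Track 2 carries the PAN, expiry and service code but no cardholder name, which is all a magstripe clone needs. As an added defender's example (not from the show, and not Global Payments' code), the scanner below finds Track 2 records that have leaked into a log or dump, validates the PAN with the Luhn check, and reports only a masked PAN so the finding itself retains no card data. The sample log is constructed; the first record uses the standard Visa test PAN and the second has a deliberately wrong check digit.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN (12-19 digits),
# '=' field separator, expiry YYMM, 3-digit service code, discretionary
# data, '?' end sentinel. No cardholder name is present; that is on Track 1.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Scan text (a log file, a memory dump) for Track 2 records whose PAN
    passes Luhn; return masked findings so the report stores no raw PAN."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue  # sentinel-shaped noise, not a real card number
        findings.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp"),
            "service_code": m.group("svc"),
            "offset": m.start(),
        })
    return findings


# Constructed sample: a payment log that wrongly retained raw Track 2 data.
SAMPLE_LOG = (
    "2012-03-02 10:11:12 auth ok terminal=T17 track2=;4111111111111111=15121011234567890?\n"
    "2012-03-02 10:11:13 auth fail terminal=T17 track2=;4111111111111112=15121019876543210?\n"
)

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```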

Adobe discloses security flaw in Photoshop CS5, solution? Buy CS6

  • A vulnerability has been discovered in the way Photoshop CS5.1 (version 12.1) parses .TIFF files
  • The vulnerability appears to affect every version of Photoshop prior to CS6
  • The vulnerability can be used to execute attacker-supplied code as the user who is running Photoshop
  • The vulnerability was reported to Adobe in September of 2011
  • After 180 days without a patch, researchers publicly disclosed the vulnerability
  • Adobe’s vulnerability announcement recommends users upgrade to CS6 (a paid upgrade)
  • Adobe claims a patch for CS 5.1 is forthcoming, but does not provide any timeline or details
  • Additional Advisory Link
  • Proof of Concept Exploit Code
  • CVE-2012-2027
  • CVE-2012-2028

Kickstarter Security Lapse leaks details of 70,000 unpublished projects

  • The revelation was made by the Wall Street Journal that roughly 70,000 yet-to-be-launched project ideas had been left exposed for more than two weeks.
  • “The information that could be seen didn’t include credit-card numbers or other sensitive personal details, but it could make users more wary of Kickstarter’s data practices and lower their expectations of privacy on the site.”
  • On Friday one of our engineers uncovered a bug involving Kickstarter’s private API
  • This bug allowed some data from unlaunched projects to be made accessible via the API
  • It was immediately fixed upon discovering the error. No account or financial data of any kind was made accessible.
  • The bug was introduced when we launched the API in conjunction with our new homepage on April 24 and was live until it was discovered and fixed on Friday.
  • Based on our research (Kickstarter’s internal team), the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us.
  • Official Announcement


Jungle Boogie asks… What’s the diff between a mirror & CDN?

Round Up: