30 Million Credit/Debit Cards Info For Sale

From the Wawa data breach. Wawa Breach May Have Compromised More Than 30 Million Payment Cards.

Wawa announced the breach in December and tried to reach impacted customers. If you haven’t gotten a new card by now, well, what are you waiting for?

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

Joker’s Stash has started to sell the card information stolen from Wawa.

This is the kind of thing that happens when chip readers for cards are not active. Chips are not 100 percent safe, but they are much better than the magnetic stripe.

Bets on Whether the Swamp Will Restrain the NSA?

Still, it should be interesting to see the politicos explain why privacy is such an outmoded concept. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance.

The reforms this bill wants to impose are quite extensive and here is a shortlist of the highlights:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.

  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

It’s beginning to feel like we live in the Soviet Union, or East Germany, where the .gov can do pretty much what it wants, and it will destroy anyone who gets in the way.

So What Happens When Engineers Get It Wrong?

Folsom Dam Spillway-gate Failure – 17 July 1995. The design for the gate didn’t account for corrosion over time. Folsom Dam (California, 1995). And it doesn’t help matters that they dropped the ball on maintenance. (The dam looked fine right up until the point of failure.)

Actually this is more a case of engineers not taking time and the elements into account. Steel rusts.

The reservoir was at full capacity on the day in question, and so one of the spillway gates was opened to draw down the water levels. Should have been just another day…

As the radial gate was raised water began flowing down the spillway chute as designed. It was not until the gate opening reached approximately 2.4 feet that the operator felt an “unusual vibration” accompanied by harsh grinding noises. No more than five seconds passed between the time the vibrations and sounds began and when the operator turned to look at the gate. The radial gate swung completely open releasing approximately 40,000 cfs.

While 40,000 cubic-feet per second is a lot of water, it is only about 1/3 of the amount of flow that the Folsom Dam spillway and downstream dams were engineered to handle. So proper setting of other spillway gates in the downstream dams avoided over-topping of those dams. It could have been so much worse.

So. What happened to the gate that failed?

The forensic report documenting the failure of the Folsom Dam gate revealed the cause of the malfunction to be excessive friction at the 32-inch diameter trunnion pin, or pivoting mechanism. Unaccounted for in the gate design, this friction was caused by the corrosion of the pin over time. Due to the additional friction forces, the loads experienced by the trunnion pin caused increased loading in the gate struts and braces of the gate.

It caused enough increase in the loads to cause a failure of one of the diagonal braces. If you look at the photos that accompany the link above, it appears that one whole side of the gate tore free from its pivot resulting in uncontrolled release of water. About 40 percent of the reservoir was drained before the water level was below that of the gate in question.

Repairs cost 20 million dollars.

So the design of a steel dam-gate was done in by corrosion that wasn’t accounted for in the initial design. (“Rust never sleeps.”) The truly sad thing is that they seem to acknowledge that they were ignoring maintenance, because everything “looked fine.”

A renewed focus was placed on maintenance and monitoring of radial gates, many of which were retrofitted to strengthen struts and bracing and ensure sufficient lubrication.

In other words, this was probably avoidable, had they been managing the infrastructure.

Stuff needs maintenance. When 2 bits of metal are supposed to move relative to one another, like this trunnion pin, lubrication is required. And when you are designing something with a life-span that is expected to be decades, you should consider the impacts of the elements. Why is it that, time and again, this stuff gets ignored? Because the dam looked fine, right up until the point that it failed.

A part of me doesn’t want to include this video, but hey… “Rust never sleeps,” was a saying around the docks that got repeated a lot. Because it’s true. “Water always wins,” was another.

That is the “Out of the Blue” version of “My My, Hey Hey” by Canadian singer-songwriter Neil Young and the American band Crazy Horse from the album Rust Never Sleeps. For a harder-edged version see the “Into the Black” version. I’m not sure I ever liked either version. One is too clean, and one is too distorted. Needs some middle ground.

Will Someone Please Hold Tesla Accountable

It will probably be Germany that does anything. Tesla needs to fix Autopilot safety flaws, demands Senator Markey.

Tesla’s Autosteer INCREASED crashes by 59 percent.

In 2016, the German transport minister told the company “to no longer use the misleading term for the driver-assistance system of the car.” In 2018, two US consumer safety groups asked the Federal Trade Commission to address Autopilot’s “deceptive and misleading” branding. In 2019, we discovered that the National Highway Traffic Safety Administration told the company to stop making “misleading statements” when it comes to safety, and the company repeatedly made claims about the safety of Autopilot that were not supported by fact. (The data showed that Autosteer—a component of the Autopilot suite of assists—actually increased crashes by 59 percent.)

Not that anyone will say boo to Tesla.

Health Care Hacks

Because security is expensive. Critical MDhex Vulnerabilities Shake the Healthcare Sector.

Critical vulnerabilities have been discovered in popular medical devices from GE Healthcare that could allow attackers to alter the way they function or render them unusable.

So far the vulnerabilities only impact monitors and servers. (Not that servers aren’t a cause for concern.) But no medical devices have been impacted.

GE Healthcare says that it is not aware of reported incidents as a result of exploiting these vulnerabilities.

Want a Smartphone for $150?

You will need to do a bit of work. The PinePhone starts shipping—a Linux-powered smartphone for $150.

This initial “Braveheart” batch of devices is meant for “developer and early adopter” users, according to the Pine64 Store. The phone doesn’t come with an end-user OS pre-installed and instead only comes with a factory test image that allows for easy verification that the hardware works. Users are expected to flash their own OS to the device. There are several available, from Ubuntu Touch to Sailfish OS, but they are all currently in an unfinished alpha state. Pine64 says that only enthusiasts with “extensive Linux experience” are the intended customers here—this isn’t (yet?) a mainstream product.

This looks like it might be a more reasonable phone than the Purism Librem 5, which is crazy thick at 16mm. The Pine Phone is more like a normal smartphone.

The Pine Phone also has “kill switches” to let you physically disconnect GPS, WiFi/Bluetooth, the cameras, even the microphone so no one can eavesdrop on you or track you.

Look for the PineTab, a Linux tablet, in the near future. That is actually more interesting to me, though maybe when they get the phone on a more production footing…

Censorship in the Age of Big Tech

F*c*book alone will decide what you can know. Eric Ciaramella Is the ‘Whistleblower’ and Other Things You’re Not Allowed to Say.

Three weeks ago, I posted to Facebook a link to a post by Instapundit, and discovered that it is “coordinating harm and promoting crime” to name Eric Ciaramella, despite the fact that he is allegedly the man responsible for the current impeachment of President Trump. And of course, as I said, his identity is by no means a secret (although some of us have trouble trying to get the spelling right).

What ever happened to antitrust laws?

Not-so-smart Homes

Or why you should buy products that support an open architecture. Smart homes will turn dumb overnight as Charter kills security service. The end of service date is February 5th, so you have a little more than 2 weeks, if you’re a customer, to find an alternative.

Charter is also known as Spectrum cable.

The impending shutdown and customers’ anger at Charter—a cable company also known by the brand name “Spectrum”—has been widely reported over the past month. Over the years, some customers have spent large sums on products that will no longer work.

Refunds? Don’t expect any.

So open standards… Charter uses Zigbee communication. Why doesn’t that count as open? Why not connect Charter devices to another Zigbee hub? Turns out, Zigbee isn’t as open as one might think.

Why can’t Charter customers connect their security devices to a Zigbee-enabled smart-home hub or use them with another alarm-monitoring service that supports Zigbee? One user on DSLReports pointed out that years ago, Spectrum devices “were firmware coded to prevent them from being seen and usable within the normal universe of Zigbee devices.” But could Charter issue a software update that lets these products work with other Zigbee systems?

We haven’t gotten a definitive answer, but it seems that a Zigbee hub alone isn’t enough to ensure that Charter’s security products work with alarm-monitoring systems offered by other vendors.

This isn’t just a Charter/Spectrum issue; it is part and parcel of a lot of Zigbee infrastructure. The Zigbee Alliance (the standard-setting body) has a “new initiative” called the All Hubs Initiative to solve what is an outstanding problem.

[Ars IT Editor Sean] Gallagher also noted that “Zigbee is famously nonstandard as a standard.”

So these companies get to advertise that they are using an open standard, and get all the monopolistic benefits of having proprietary design. I keep hearing the phrase Caveat Emptor in the back of my head while typing this. Oh, and don’t believe the marketing hype. Ever.

Anita Dam, Montana: An Infrastructure Failure Near Miss

So what happens when engineers get it wrong? Bad things can happen.

Usually we think of failing infrastructure as being old, and poorly maintained. But that isn’t the only kind of failure. Case Study: Anita Dam (Montana, 1997). The photos tab on that page is particularly interesting.

The Anita Dam in Montana was built in 1996. It failed in the spring of 1997 mostly because it hadn’t included lessons learned from other dams that had been published in the 1980s. It is 36-ft high and impounds 979,384 cubic meters of water.

Anita Dam is (was?) an earthen embankment dam. It was built to provide water storage and control flooding. (It is currently listed in at least one place as a concrete gravity dam, but photos and video seem to show it is still mostly an earthen dam.)

For a more detailed view of the incident, refer to A Review of the Anita Dam Incident: Internal Erosion Caused by a Buried Conduit and Lessons Learned.

Conduits are one of the very common parts of embankment dams and almost any kind of hydraulic structures. Primarily, conduits convey the water from the reservoir in a controlled manner for various purposes, such as releasing water to meet the downstream requirements

The conduit was supplied with anti-seepage collars, but included no filters. The conduit also didn’t have a continuous support cradle. This resulted, in the spring of 1997, in something called piping. Water flowed through the conduit, but also began to flow around the outside of the conduit, causing rapid erosion. And increasing the amount of water released downstream. The entire reservoir was emptied in 4 days.

The statistics show that 28% to 46% of dam failures were caused by piping.

Though in this case the dam itself didn’t collapse, it had to be extensively rebuilt to correct the problems that caused this incident. No life was lost, but there was some downstream damage due to the rate of water flow.

What follows is a 2-minute video about the current management of the dam. In the spring of 1997, they didn’t even have an emergency management plan for the dam. (What could go wrong? It is brand new!) And yes, like most things produced by the .gov, that video is fairly self-serving. “See what great things we are doing for the American family!” At least they are doing something, which seems to be more than they were doing in 1997.

Electronics Form Part of Your Infrastructure

And anyone who purchased a smartphone in the past 5 years knows that technology isn’t cheap. Public safety committee considering new Hawkins Co. emergency communication equipment after major malfunctions.

As Miller explained, Hawkins Co.’s radio communication equipment, which is used by law enforcement, EMS and fire departments within the county, has been malfunctioning off and on since the beginning of November and has been completely offline since Dec. 18.

Nothing lasts forever, and that includes electronic communications gear. In this case, however, while they talk about recent outages, it isn’t clear that the radio system deployed ever really lived up to what the county needed.

Areas around Clinch and Slate Hill had poor to no service even when the communication was properly functioning.

Replacing the radio system will cost hundreds of thousands of dollars.

When you call 911 for a crime situation, you are counting on police to come and save your ass, but if officers can’t communicate with each other, or the 911 dispatch center, there are so many more opportunities for things to go wrong. They will move slow, and they may not have all the messages you’ve given the dispatcher. You don’t have to imagine all the ways that can go bad, all you have to do is read the news.

Doctors Ignore Security, Expose Patient Data

I’m shocked that doctors refuse to listen to anyone. A billion medical images are exposed online, as doctors ignore warnings. Okay, I’m not that shocked.

It isn’t just the 35 million patients and the images of X-rays, ultrasounds and CT scans. Patient info is also exposed.

These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.

Privacy is such a 20th Century concept. And the issue has been seriously ignored by the medical profession, because doing something would involve money, and listening to someone who is not an MD.

About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.

You mean we can’t just keep doing things the way we’ve always done them?

The I-35W Bridge Collapse in 2007

If I’m going to have a series on infrastructure fails, it has to include one that was in the news for weeks or months. Lessons learned from the 35W bridge collapse. In case you were sleeping in the summer of 2007, this happened in Minneapolis.

Why did the bridge collapse? The short answer comes in 2 parts.

  • Parts of the bridge were under-designed. (But it had stood for 50 years as built.)
  • Construction crews getting ready to do work on the bridge placed some of their equipment and supplies on the bridge, exceeding the design load by a factor of 4.

And the only reason they could overload the bridge like that, was because there was no communication with anyone about known problems. So let’s review…

On August 1, 2007, at 6:01 PM, right during rush hour, a span of I-35 through Minneapolis collapsed. 13 people died, and 145 were injured.

I remember reading at the time that bridge inspectors in Minneapolis were constantly harassed by the driving public. Because “Why are you blocking lanes of traffic to inspect the bridge? There is obviously nothing wrong with it.” I wonder if any of the people who died, harassed any of the inspectors. Probably not. (There isn’t that much Justice in the universe.)

“We knew early on that this was a design error,” said Dorgan. “One of our people put it best — in the days after I-35 with the terrible event that happened, that something good has to come out of this. And I think people proceeded on that basis with, let’s take a look at everything we do and see where we can improve.”

The National Transportation Safety Board ruled that the 35W bridge collapsed because of under-designed gusset plates. But it also pointed to contributing factors, like too much weight from construction materials on the bridge.

Tyler Ley is a professor at Oklahoma State University, and he has a video on the collapse, which is short, at just over 8 minutes, and to the point.

The gusset plates were undersized by about a factor of 2. The gusset plate that failed was showing signs of deformation, or bending, which is an early indication of failure. And a construction crew parked a bunch of weight on the bridge. How much construction materials and vehicles? Estimates are that 580,000 pounds were placed in a 12ft by 115ft section of the bridge. That is 4 times the design load of the bridge. Of course it failed.

Everything needs repair. Everything needs maintenance.

This bridge failed at a place that was KNOWN to be a problem. When a structure starts to bend it is LITERALLY starting to fail. The construction crew overloaded the bridge in that exact spot, because no one reviewed what they were going to do, or at least no one with knowledge of the identified problems. (The bridge had been listed as “structurally deficient” for a long time.)

Breakdowns in communication have a long history, though you usually study them with respect to military defeats. But they are a breakdown of management, and we are refusing to manage our infrastructure. It needs to be repaired. Eventually, it will all need to be replaced.

Blogroll Changes

I was sorry to see Kenn Blanchard announce his retirement and closing (or whatever the word is) of the Black Man With a Gun podcast. But I understand his feelings.

Also, Claire Wolfe at Living Freedom said she had been “demonetized” by Amazon or whoever. So there’s that.

I will keep checking on both, from time to time, in case minds change…

Baldilocks (Juliette Ochieng), while mostly posting at Da Tech Guy’s blog, is still using her blog for some stuff. Even if only cross-posting. And A Geek With a Gun has reemerged with infrastructure hosted out of his house. Mostly, anyway; he also has a virtual private server to handle the static IP problem.

The blogroll has grown fairly large lately, but as more and more people were banned from Twitter, F*c*book, YouTube, whatever, I thought we should encourage the old-school methods of connecting with one another. I hope it helps.

Infrastructure and Military Readiness

I don’t think most people know that the Interstate Highway System was started as a project by the federal .gov to help the military. Highway Bridge Deterioration from Climate Change Will Affect U.S. Military Mobility and Deployments.

This article was published before Christmas, but I thought I would wait before drawing attention to it. I thought it deserved attention, and I didn’t want to try to compete with Santa, family and general holiday insanity.

In an order different from that in the article, first we have the highway system and its strategic importance.

The National Highway System (NHS) “consists of roadways important to the nation’s economy, defense, and mobility.” The NHS has several subsystems including (1) the Dwight D. Eisenhower Interstate System; (2) other principal arterials that connect an arterial with a port, an airport, or other intermodal transportation facility; (3) the Strategic Highway Network are highways “important to the United States strategic defense policy and which provide defense access, continuity and emergency capabilities for defense purposes”; (4) major strategic highway network connectors “provide access between major military installations and highways which are part of the Strategic Highway Network,” and (5) intermodal connectors.

And the state of the infrastructure, which probably won’t surprise too many people in this audience.

The U.S. has over 615,000 bridges with an average age of 43 years. As of 2018, almost 8 percent of bridges were rated as structurally deficient, i.e., in poor condition, with an average age of 60 years. Regardless of their present condition, bridges are an integral part of the U.S.’ national highway system and its component sub-systems. Without functioning bridges alternative routes must be identified, leading to lengthened trips and opportunity costs.

As they say, go read the whole thing. Though fair warning, they talk too much about Global Warming. (Not sure how that is supposed to be an issue for bridges in most of the country, but there you go.)

“This is why planes are falling out of the sky”

Because saying that “anyone can code” is BS. And everyone who’s ever tried to debug a C program knows it. Joe Biden: Anyone Who Can Mine Coal Can Learn to Code.

So Joe Biden is back on the “Learn to Code” meme. I thought all the laid-off journalists determined that it was mean to tell people to Learn to Code. I guess that when Democrats do that it is OK.

There was an old Dilbert cartoon, where the pointy-headed manager says, “I drew up the schedule for your project. I started with the assumption that anything I don’t understand is easy to do.” Cue Joe Biden.

And then there is the reason planes are falling out of the sky. Boeing’s 737 Max Software Outsourced to $9-an-Hour Engineers.

Increasingly, the iconic American planemaker and its subcontractors have relied on temporary workers making as little as $9 an hour to develop and test software, often from countries lacking a deep background in aerospace — notably India.

Then there is this: 95% engineers in India unfit for software development jobs, claims report.

Over 36,000 engineering students from IT-related branches of over 500 colleges took Automata, a Machine Learning based assessment of software development skills, and over 2/3 could not even write code that compiles.

It is one thing if you are writing code for “Candy Crush,” and another if you are writing flight-control software for Boeing, or self-driving car software for Toyota. And even the Candy Crush software needs to work. (At least it won’t kill anyone.)

As for Biden and his BS about teaching anyone to code. I would really love to see him learn. Or try to.

Oh, and it is SO easy to write code, that Zerodium is currently paying $2,500,000 for a new zero-click Android exploit chain. (They only pay $500,000 for iOS exploit chains.) The payouts go down if a click is required, and depend on whether the takeover is persistent or transient. Why are the gray markets paying so much? Because pretty much EVERY piece of software in your life is broken. Because management never wants to pay for full design, and full testing. And because you can’t hire programmers that can actually design/write decent code. And so planes are falling out of the sky. HackerOne pays less, but if you sell to Zerodium, you are feeding the beast.

267 Million Users’ Data Stolen From F*c*book

Are we surprised? Data Leak Exposes 267 Million Facebook Users.

A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.

At this point we don’t know if the data came from a breach at FB, or was a left-over from when their developer API allowed people access to the phone number, or if it was scraped from public profiles.

The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
[SNIP]
This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November personal data on over one billion individuals harvested by data enrichment companies was found exposed.

Privacy is such a 20th Century concept.

Health Care Attacks During the Christmas Season

‘Tis the Season. Or something. Criminals Pull Hard Before Xmas, Attack U.S. Health Industry.

Seems there was a big effort to hit health care before the holidays.

Colorado Department of Human Services, Sinai Health System, Cheyenne Regional Medical Center, Children’s Hope Alliance, and RiverKids Pediatric Home Health are a handful of the total number of healthcare providers impacted by data breaches just during December.

Tens of thousands of people had their data stolen.

For the year there were more than 750 attacks on health care providers.

Alconétar Viaduct

So when I started looking into infrastructure, I was finding a lot on the failures of the same. But that is mostly in the US – where I’ve been looking. It turns out a lot of the world (including the US) is continuing to build and maintain infrastructure. Today we have The Alconétar Viaduct, which is an arch bridge in Spain that carries a motorway.

[The image is from WikiMedia Commons, by Chemasanco. Click on the image for a larger view and more info.]

This photo gallery is fascinating. The images are great, but they allow no use. (And while this might be “fair use” …) The first few photos are of the completed structure, but if you scroll down, you can see some images taken during construction. All the fins welded to the span of the bridge (visible above and in the first few photos at the link) are there to disrupt the wind, and eliminate wind resonance. A problem that should have been fixed in the 1940s, and not been an issue in the 21st Century. (So this probably counts as a “near miss” in terms of infrastructure failure.)

Next up is a video of “wind resonance” and this bridge (while under construction). This is the same effect that destroyed the Tacoma Narrows Bridge in Washington State. That disaster was supposed to inform the design of all follow on bridges. Apparently something was missed. Alconétar Arc Bridge Wind Resonance Effect. It is a short video of less than 4 minutes. At least they found the problem during construction, and were able to take measures to mitigate it.

And finally, to understand what those construction photos in the Gallery linked the top are telling you, the video below is 15 minutes of incredibly dry information on how this bridge was built. Alconétar Viaduct Construction. It is all animation, but still has some decent info. And you can see why this style of bridge can be used to cross very deep caverns. (Where building temporary supports in the center of the structure are not practical.) At a guess, I would say that this animation was produced when the bridge was initially proposed, to explain to the powers-that-be how it would be built. And the photos from the gallery back it up.

’Tis the Season for Data Stealing

One Day, Three Credit Card Data Breach Notifications.

  • Wawa store, food market, coffee shop, gas pump
  • Islands restaurants (Most are in California, with rest mostly in Hawaii, Arizona and Nevada)
  • Champagne French Bakery Cafe

In all three cases, malware designed to collect magnetic stripe data was discovered on payment processing servers for card transactions.

If you’ve been to any of these businesses, you might need a new credit card.

First World Problems

Cash? Kroger credit card machines working after being down; upset shoppers share experiences.

OK, so maybe I would have been a little pissed off as well, but I do usually carry some cash, because occasionally stuff like this happens.

According to online users, all registers were down and could not accept card payments. Customers had to pay in cash until the issue was resolved. Shoppers also could not purchase gift cards even with cash.

Because nothing says “I really thought about your gift” like buying a gift card on the day before Christmas.

Some of the twitter reactions were hysterical.