[ISN] Crafts website hacked by terrorists
http://www.boston.com/news/local/massachusetts/articles/2006/05/07/crafts_website_hacked_by_terrorists/

By Michael Levenson
Globe Staff
May 7, 2006

A plumber who loves glass etching, Andrew Roberge had crafts to sell. His son, Mike, knew Web design. Carriage House Glass is the marriage of their talents, an online catalog of sandblasted vases and goblets that "caters to those who love beautiful and unique gifts," the site proclaims. But the website, which they started four years ago, offered more than just beautiful baubles, specialists in terrorism say. The site contained hidden files filled with the radical writings of a top aide to Osama bin Laden, including "The International Islamic Resistance Call," Abu Musab al-Suri's 1,600-page manifesto advocating jihad. The website was hacked a year ago by followers of Suri, a Syrian-born Al Qaeda leader, who turned the Roberges' labor of love into an online reading room for aspiring mujahadeen, the specialists said. The revelation came as a shock to the Roberges, who said they had no idea that Islamic extremists had intruded on their website. "We got hacked! Unbelievable!" exclaimed Mike Roberge, when told last week of the hidden content on his site. His startled father added, "Believe me, I wouldn't let this [expletive] get on my site. I don't need that. I don't need none of that. I'm a firm believer in minding my own business." The father and son from Lawrence vowed to delete the postings and replace them with images of eagles and American flags, "something wicked patriotic," Mike Roberge said. A link to the hidden files on the website was circulated on bulletin boards frequented by Muslim extremists for a year, said Jarret Brachman, director of research at the Combating Terrorism Center at the US Military Academy in West Point, N.Y. Regular visitors to www.carriagehouseglass.com could never see the hidden material, specialists said.
Only visitors who knew the address of the pages inside could access the cache of downloadable Arabic writings, and see the flash animation featuring the Kaaba, the black stone cube that Muslims face when they pray in Mecca. Brachman and other researchers had been aware of the files, but said the intrusion onto the site was not unusual in the burgeoning world of online Islamic extremism. "This is a very tangential, very peripheral site that only those who are actively following this sort of literature would be accessing," Brachman said. "It doesn't cause me alarm: these guys are pests in terms of this stuff," he said. "This is standard procedure for these guys to post this kind of material." FBI spokeswoman Gail A. Marcinkiewicz declined to comment on whether the agency knew of the website or was monitoring it. She said the FBI would investigate a website only if it directly advocated violence. Specialists said Suri's writings advocate violence, but Marcinkiewicz said, "unless . . . there's something very urgent in that paper, it's not that we wouldn't take a look at it, it's just that we have to prioritize. There's no quick and easy answer here." "Without knowing what it's saying, it may go the bottom of the pile of all the 101 things we have to do over here," she added. Piggybacking on Carriage House Glass, which is password-protected, allowed extremists to avoid using a credit card or other traceable data needed to start a new website, said Rita Katz, director of the Search for International Terrorist Entities in New York. "Of course, it's a disturbing phenomenon, but we know that Al Qaeda and the jihadist online community is quite sophisticated, and they use our own techniques against us," Katz said. "It's disturbing because it could happen to anyone." As more terrorist training grounds shut down globally, more extremists are going online, said Steven R. Corman, an Arizona State University professor who has studied the shift.
Michael Levenson can be reached at mlevenson (at) globe.com.

© Copyright 2006 The New York Times Company

Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches.
www.blackhat.com
[ISN] Gone in 60 seconds -- the high-tech version
http://news.com.com/Gone+in+60+seconds--the+high-tech+version/2100-7349_3-6069287.html

By Robert Vamosi
Special to CNET News.com
May 6, 2006

Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system. After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: Is that the S550? How do you like it so far? Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well. Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care. Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency. First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away. The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total.
When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond. A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly. Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.) One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide. But can this system be defeated? Yes. Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself. Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are. Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their car theft. 
But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

Real-world examples

Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done. Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time. And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, antitheft-engineered BMW S5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs. How a
[ISN] SCADA on thin ice - Industrial control systems pose little-noticed security threat
http://www.fcw.com/article94273-05-08-06-Print

By Michael Arnone
May 8, 2006

The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn. Supervisory control and data acquisition (SCADA) and process control systems are two common types of industrial control systems that oversee the operations of everything from nuclear power plants to traffic lights. Their need for a combination of physical security and cybersecurity has largely been ignored, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by the Homeland Security Department. Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group. The private-sector owners of critical infrastructure refuse to release data and deny that their aging, inherently insecure systems pose any security risk, said Dragos Ruiu, an information technology security consultant to the U.S. government who runs several hacker conferences. Control systems security has been a hot topic in the past year at those conferences. "It's one of those issues that is so big, you just don't want to see it because any solutions will be expensive, awkward and prohibitive," Ruiu added. Average hackers can break into the systems, said Robert Graham, chief scientist at Internet Security Systems (ISS). He, Borg and other experts fear that major cyberattacks on control systems could have socioeconomic effects as severe and far-reaching as Hurricane Katrina or even the 1986 Chernobyl nuclear disaster in Ukraine. Most experts agree that measuring the risk from cyberattacks on critical infrastructure is difficult.
Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts into critical infrastructure cybersecurity. "Even if a facility has not been attacked, that doesn't mean it's secure or the threat isn't real," said Michael Assante, senior manager of critical infrastructure protection at the laboratory. "The idea that the technology is obscure and not well-understood by a potential aggressor is dangerous thinking," he wrote in an e-mail message. Government and industry have known for years that critical infrastructures offer ripe targets for attack. In 2002, the FBI's National Infrastructure Protection Center found that al Qaeda members had sought information on control systems for water supply and wastewater management facilities.

Open-heart surgery

Control systems are built to run around the clock for decades without interruption or human intervention. A single critical infrastructure facility can have thousands of SCADA devices spread over hundreds of miles. Because of the systems' structure and management, standard IT security practices don't work for them, experts say. "It's more like open-heart surgery," said William Rush, a physicist at the Gas Technology Institute, a nonprofit research organization for the natural gas industry. The systems have proprietary operating systems and applications that run on 20- to 30-year-old hardware built before security became a major IT issue, leaving them riddled with vulnerabilities. According to conventional wisdom, critical infrastructure owners can't upgrade or patch systems because any jitter or delay caused by IT security features could lead to catastrophic breakdowns costing millions of dollars.
Any mistakes in IT implementation could affect the processes the systems control, leading to product alterations, chemical interactions, explosions or worse. The situation got even more complicated in late 2001 when infrastructure owners started connecting their control systems to Internet-enabled corporate networks to maximize the use of their sophisticated equipment, said Eric Byres, research leader at the Internet Engineering Lab at the British Columbia Institute of Technology, a leading industrial cybersecurity research facility. That introduced new vulnerabilities on top of existing ones and created complex connections that opened new backdoors, Byres said. The result is a smorgasbord for would-be attackers. "It's open season," he said.

'The stories here are terrifying'

Utility owners say they realize cyberattacks pose a risk but don't see it as a huge problem, Rush said. The federal government says industry is responsible for protecting critical infrastructure and has told both industry and vendors to get moving. Vendors, however, are waiting for sufficient demand for security products to make them, while industry is waiting for an ample supply of products to buy them. "It's a chicken-and-egg situation," Rush
[ISN] Antispam firm says it was victim of sophisticated attack
http://computerworld.com/action/article.do?command=viewArticleBasicarticleId=111208

By Jaikumar Vijayan
May 05, 2006
Computerworld

The CEO of an antispam firm whose service was knocked off-line by a spammer earlier this week claimed that his company was the victim of a sophisticated attack carried out, in part, with the help of someone at a top-tier Internet service provider (ISP). But some security experts expressed doubts about the company's claims and said they appear to be an attempt to deflect attention from the criticism it has received for the way in which it handled the attacks. Eran Reshef, CEO of Blue Security Inc., an Israeli antispam firm, said his company was attacked by a major spammer named PharmaMaster who used a combination of methods to knock out the company's Web site and the servers hosting its services. Blue Security, which has its U.S. headquarters in Menlo Park, Calif., operates an antispam service designed to deter junk-mailers by spamming them back. Blue Security's Do Not Intrude program allows individuals to register their e-mail addresses with the company and essentially flood spammers who send them e-mail with automated opt-out requests. The attacks that crippled Blue Security were preceded by PharmaMaster sending out threatening e-mails to subscribers of the Do Not Intrude Registry, warning them of even more spam if they did not withdraw their subscriptions. PharmaMaster then appears to have gotten someone at a major ISP to block Blue Security's IP address on the Internet's backbone routers, most probably via a process called black-holing, Reshef claimed. With black-holing, an ISP essentially removes the advertised path to a particular Web site or IP address -- making it completely inaccessible to the outside world. According to Reshef, PharmaMaster informed Blue Security that he had gotten an ISP to agree to black-hole the company before the attacks started.
"Immediately, we started seeing our IP address getting blacklisted by other ISPs," Reshef said. As a result, traffic to the company's main Web site dropped from the usual 100 hits per minute to about two per minute in less than an hour -- and nothing at all from outside of Israel. At almost the same time, massive distributed denial-of-service (DDoS) attacks were launched against the dedicated servers that provide Blue Security's antispam service. The servers, located at five separate hosting provider sites, were bombarded with up to 2GB of traffic per second, rendering them inaccessible. In what Reshef said was a bid to tell subscribers what was happening, Blue Security pointed the company's corporate Web server URL to its blog, which is hosted by Six Apart Ltd. in San Francisco. PharmaMaster then launched a DDoS attack against the server hosting Blue Security's blog. That caused thousands of other blogs hosted by Six Apart to be knocked off-line. The DDoS attacks against the company's dedicated servers meanwhile resulted in service disruptions to five hosting providers as well as major Domain Name System service provider Tucows Inc., he said. Pointing the company's main URL to the Blue Security blog site on Six Apart when it was under attack may not have been the best idea, Reshef said. But at the time, the company had little idea that the attacker would launch a separate DoS attack on the blog site as well. But Todd Underwood, chief operations and security officer at Renesys Inc., a Manchester, N.H.-based Internet monitoring company, said that based on traffic analysis, Blue Security's main Web site appears to have been under a DDoS attack for at least two days before it redirected its URL to the blog. "I do think if you are under attack, it is your duty not to redirect it against someone else," Underwood said.
"It is not a fair or an ethical decision," he said, adding that it is hard to imagine that Blue Security didn't know it was being hit with a DDoS attack when it pointed its URL to the blog site. Underwood also said that it was unlikely that a spammer would have been able to get an individual at a major ISP to install a no route to Blue Security, as Reshef claimed. "These are not the kind of networks where people can sneak in and make routing configuration changes without logging that change or discussing it with others," he said. "The suggestion that some Russian spammer could bribe someone to install a no-route is hard to believe," he said. John Levine, chairman of the Internet Anti-Spam Research Group, said that other antispam efforts have been similarly targeted as well. But they did not involve an ISP. And neither did those who were attacked respond like Blue Security did, he said. "If you know you are under a DoS attack, pointing your DNS at other parties is irresponsible," he said.
[ISN] Malaysia welcomes the world in fight against cyber-terrorism
http://thestar.com.my/news/story.asp?file=/2006/5/7/nation/14173729

BY JOHAN FERNANDEZ
May 7, 2006

IMPACT is its name, and making an impact in the battle against cyber-terrorism is its mission. Unveiled in Austin, Texas, the Malaysian initiative seeks to bring together governments and the international private sector to deal with increasing threats in cyberspace. Known as the International Multilateral Partnership Against Cyber-Terrorism, or IMPACT, it will serve as a pioneer platform to allow governments of the world to exchange notes and ideas, as well as to facilitate the sharing of skills and best practices, with the ultimate objective of combating these constantly evolving threats. Prime Minister Datuk Seri Abdullah Ahmad Badawi, who made this announcement at the closing ceremony of the 15th World Congress on IT (WCIT 2006) here on Friday, said that IMPACT was not just a Malaysian concern. "IMPACT is conceived as a partnership - between governments, as well as between governments of the world and the international private sector. Given that some of the best skills and technologies in cyber-security reside in the private sector, it is only natural that all governments need to work closely with businesses to effectively combat cyber-terrorism," he said. He said the potential to wreak havoc and cause disruption to people, firms, governments and entire global systems has increased as the world became more globalised and dependent on information and communications technology (ICT). "Today, governments across the world must be prepared to deal with threats in cyberspace. Even if one were to exclude the risks to life and limb, the economic loss caused by the disruption of a cyber-attack can be truly severe - for example, a nationwide blackout, collapse of trading systems or perhaps the crippling of a central bank cheque clearing system," he said. He said the threats posed by cyber-terrorism were something that modern societies and their governments could no longer ignore.
No country can manage this problem in isolation, and to effectively overcome this global threat it is imperative that countries throughout the world work in concert to wipe out this danger. "IMPACT has got off to a good start with some leading names lending their support. America's Symantec Corporation, Japan's Trend Micro, and Russia's Kaspersky Lab have already agreed to be key partners and to serve on IMPACT's international advisory board to be established soon," he said. The Prime Minister said he was encouraged that the private sector, globally, has given its strong support and expected more such world-class companies to follow suit. For a start, IMPACT would focus its activities in three key areas - security certification, research and development, as well as establishing a global emergency response centre. IMPACT will be sited in Cyberjaya, at the heart of MSC Malaysia, with access to world-class ICT infrastructure. "I am confident that IMPACT, with the co-operation of governments and the global private sector, will be able to find effective solutions to the global threat of cyber-terrorism," Abdullah said. "I would like to invite all governments and the global private sector to partner with us in this worthy cause," he added. On the WCIT, the Prime Minister said Malaysia was honoured and excited about hosting the next congress in 2008. "Apart from expanding our partnerships with global technology leaders, we see our hosting of WCIT 2008 as an opportunity to stimulate further discussion on technology and technology-related policy development," Abdullah said. He also thanked former US secretary of state Colin Powell, who was one of the keynote speakers on Friday, for his kind words about Malaysia.
[ISN] Wells Fargo computer missing
http://www.twincities.com/mld/pioneerpress/14513672.htm

BY SHERYL JEAN
Pioneer Press
May. 06, 2006

Wells Fargo Co., the largest bank in Minnesota and the nation's fifth largest, said Friday that a computer containing sensitive data for some of its mortgage customers is missing and might have been stolen. It's not known whether the computer contained Minnesota customers' information. The computer, which was being transported by an unidentified global shipping company between Wells Fargo locations, had names, addresses, Social Security numbers and mortgage loan account numbers of some Wells Fargo mortgage customers and potential customers. It did not contain other types of customer account numbers. Wells Fargo spokeswoman Peggy Gunn wouldn't estimate the number of individuals who could be affected, citing an ongoing law enforcement investigation. She added, "The event affects a relatively small percentage of Wells Fargo's customers." San Francisco-based Wells Fargo said it had no indication that the customer information has been accessed or misused. Gunn said the computer has two layers of security, but she declined to elaborate. She also declined to describe the type of computer or how and when it disappeared. Wells Fargo will notify by mail individuals whose information was stored on the computer by May 30. The bank is offering those affected a free one-year credit monitoring service. Wells Fargo has reported two other computer security breaches, in 2003 and 2004. The bank has had no indication that the information was accessed or misused in either case, Gunn said. Also Friday, Union Pacific Corp., the nation's largest railroad, said it's investigating the theft of a computer containing the names and Social Security numbers of 30,000 current and retired employees. The computer was stolen April 29 from a human resources employee.
Nationally, more than 160 security breaches have occurred in the past 15 months, affecting more than 55 million accounts, according to Privacy Rights Clearinghouse, a nonprofit privacy advocacy group based in San Diego. Those breaches included more than 40 cases of stolen or missing computers or laptops. "The general population is waking up to the fact that personal data is not well secured," said Beth Givens, director of the Privacy Rights Clearinghouse. New federal and state laws require companies to notify customers when personal information is lost or stolen, which makes them vulnerable to identity theft.

Online: Privacy Rights Clearinghouse, www.privacyrights.org
[ISN] Universities given security guidelines for foreign students
http://www.abc.net.au/pm/content/2006/s1632039.htm

This is a transcript from PM. The program is broadcast around Australia at 5:10pm on Radio National and 6:10pm on ABC Local Radio.

Reporter: Sabra Lane
5 May, 2006

MARK COLVIN: The fight against terrorism is shifting to Australian university campuses and research institutions. The Departments of Defence and Foreign Affairs want academics to report foreign students enrolled in particular subjects. The Government also want to broaden export controls, forcing lecturers to apply for licences if they're going to share their knowledge abroad. Sabra Lane reports.

SABRA LANE: It's not so much a crackdown on students recruiting for extremist causes, rather an attempt to detect spies in our midst and stop them from getting their hands on research at conferences. Last month, the Departments of Defence and Foreign Affairs sent the document called Export Controls, Your Responsibilities to universities and research institutions. It says universities must inform the Government if suspicious parties are trying to get their hands on material or research that could be used in weapons of mass destruction programs. President of the National Tertiary Education Union Carolyn Allport acknowledges the need for national security measures, but says academics weren't consulted. (to Carolyn Allport) Are your members comfortable with dobbing in students?

CAROLYN ALLPORT: I don't think they will be. I certainly don't think they will be. So I think they're going to be very concerned about this paper. We recognise it's an important strategic objective of the Government, but at the same time, universities aren't there to be the secret police.

SABRA LANE: Former senior intelligence analyst David Wright-Neville, who now heads up the Global Terrorism Research Unit at Monash University, says it's off the mark.

DAVID WRIGHT-NEVILLE: I think it's a little clumsy in the sorts of obligations it places on academics.
Academics certainly are aware of the sorts of risks that we confront in the contemporary environment. I don't think they need to be reminded of that. It's unreasonable to expect that academics can identify terrorist activities. Trained intelligence officers with many years of experience often find it very difficult to identify terrorists, so how an academic with experience in fairly esoteric areas sometime, can do the jobs of people who are trained to do it, is really beyond me.

SABRA LANE: With universities expanding offshore, the document says the likelihood countries will exploit Australian expertise for WMD programs is increasing. While short on details, it also reveals export control laws are under review, with the Government keen to include intangible technology transfer. Carolyn Allport explains.

CAROLYN ALLPORT: Research, papers produced by academics in universities, or working papers, you know, seminar papers, seminars themselves, conferences, this is what's listed in the paper. They also suggest that people who are making requests from certain designated countries to come to a conference here are also seen to be risky. If there was a conference on, I don't know, some sort of chemical conference here, for example, and someone from Iran or North Korea or China made a request to come to that conference, I'm assuming from what I read here that the Government automatically sees these people as potential terrorists.

SABRA LANE: A 2004 report to the United States Congress on economic and industrial espionage found some foreigners deliberately sought jobs at universities and research houses to acquire secrets for their home countries. An intelligence analyst who declined to be interviewed by PM says the guidelines are needed as America's enemies are targeting allies like Australia and Canada. Countries he claims have underestimated espionage. David Wright-Neville disagrees.
DAVID WRIGHT-NEVILLE: It suggests that we're still in the stage of sort of knee jerk panic reactions, and I really think we need to have a Bex and have a good lie down for a while, that really none of this sort of stuff is going to address the long-term threat posed by terrorism and in fact I think it runs the risk of being counter-productive.

MARK COLVIN: David Wright-Neville ending that report by Sabra Lane.
[ISN] Petrol firm suspends chip-and-pin
http://news.bbc.co.uk/1/hi/england/4980190.stm

BBC News
6 May 2006

Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers' accounts. Eight people, including one from Guildford, Surrey, and another from Portsmouth, Hants, have been arrested in connection with the fraud inquiry. The Association of Payment Clearing Services (Apacs) said the fraud related to just one petrol chain. Shell said it hoped to reintroduce chip-and-pin as soon as possible.

Plastic crime

The fraud is being investigated by the Metropolitan Police cheque and plastic crime unit. "These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed," said Apacs spokeswoman Sandra Quinn. She said Apacs was confident the problem was specific to Shell and not a systemic issue. A Shell spokeswoman said: "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards. We have temporarily suspended chip-and-pin availability in our UK company-owned service stations. This is a precautionary measure to protect the security of our customers' transactions. You can still pay for your fuel, goods or services with your card by swipe and signature. We will reintroduce chip-and-pin as soon as it is possible, following consultation with the terminal manufacturer, card companies and the relevant authorities." Shell has nearly 1,000 outlets in the UK, 400 of which are run by franchisees who will continue to use chip-and-pin.