All your (base) stations belong to us

What started off nicely in 1992 and promised the much needed privacy to cordless communication at home, has been brought into a halt a few days ago with the practical approach to eavesdropping on DECT communication.

DECT or Digital Enhanced Cordless Telecommunication is a widely used standard for cordless devices, mainly phones, but not limited to it, several POS or Point of Sale devices as well use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken, but rather using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it till now, was the lack of hardware, or moreover the lack of cheap hardware, to experiment with, now with the availability (it has been around for a while) of COM-ON-AIR device and its character device (or raw software driver) things have been made a lot easier.

You can read more on this at deDECTed.org

Share

Cute awareness video (plus other resources)

For those into security awareness:

This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It’s amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won’t match yours, but at least it’ll get you (or your staff) thinking about some of the issues.

If you want something more, the Virginia Information Technologies Agency (VITA) (state government agency) has an Information Security Awareness Toolkit site with copies of the video (both viewable and downloadable, and with subtitles and without), as well as other links and resources.

Share

Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

Share

Purolator knoweth not privacy

My wife happened to go and pick up the book parcel today.  My wife knows about security and privacy.  (Not only does she have to listen to me at the dinner table, but she does her own research.)  One of the things I found out from her, was that it’s legal, in Canada, to ask for and look at a driver’s licence as ID, but it’s illegal, in Canada, for retailers to write down and keep that information.

So when the Purolator staff asked for her driver’s licence, she gave it to them, but made a point to ask them not to write it down.  The Purolator staff member then took the licence and input the details into their computer system.  When my wife complained, the Purolator staff member’s response was insulting and sarcastic.

So, Purolator, is that corporate policy?

Or maybe your need a little more staff training?
(Oh, and Purolator also uses those boxes to collect a digitized sample of your signature.)

Share

Three good reasons why iPhone isn’t the major corporate smartphone

Time to share information about three vulnerabilities reported in Apple iPhone recently.

There is a phishing vulnerability and a spamming vulnerability, which Aviv Raff has reported this month.

The phishing flaw exist in iPhone’s Mail application. With a specially drafted link it’s possible to convince the victim that the link is trusted. Including the address bar, naturally – see Raff’s screenshot here [.jpg].

The second problem is that downloading remote images is not disabled in Mail, i.e. the Web Bug flaw exists in the application and there is no ways to disable that “feature”.
The third one is a SMS security issue found by the son of blogger Karl Kraft, described below:

Those settings block the display of incoming text messages and show an alert saying “New Text Message” if an SMS comes through while the phone is locked. However, if the phone is set to emergency call mode the incoming text messages are previewed.

And then:

“Thus all I need to do to intercept the messages from his girlfriend is to place the phone in emergency mode and wait 30 seconds for the next sickly sweet message,” Kraft writes.

That was reported (yes, by his father) in iPhone version 2.1 (5F136) – the most recent version too.

Share

My name is Elvis Presley and here is my RFID passport

The group using name The Hacker’s Choice has managed to clone a biometric passport with name Elvis Presley. Right – The King who died 31 years ago :-)
Demonstration video and some technical information here.

Share

Fedora confirms: Our servers were breached

It is more than week ago when The Fedora Project informed about “important issue” affecting to its infrastructure systems. No additional details were given.
As expected, the claims and rumors started to spread if there was a serious server breach.

The Fedora Project issued a recommendation that users will not download any packages or update their Fedora installations. There was a note to change the Fedora Project passwords (it was not reported widely for some reason) too.

Today, Mr. Paul W. Frields, Fedora Project Leader has posted an announcement about the facts:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

The Fedora Project servers are hosted at Red Hat Inc., the employee of Mr. Frields.

This is an interesting detail from hosting history section:

209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008
209.132.176.122 – Linux Apache/2.2.0 Fedora   – 16-Aug-2008
209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008

Share

That device on my work computer – was it there yesterday?

Bank robbers using remote control device to control the mouse cursor of bank employee have been jailed now, report the headlines.

We can’t expect that an ordinary worker will know if USB sticks, peripherals with Bluetooth enabled, innocent looking hardware keyloggers etc. connected to their desktop computers and even to laptops are malicious – and not installed by a local IT support.

This Swedish worker recognized an odd device connected to his workstation, but a target organization is not so lucky every time. ”Employee quickly pulled the plug, interrupting a transfer” ($7.9 million), but there was an extra cable which ended up under his desk.

It’s worth of mentioning that this remote control device had been installed to bank workstation during a previous break-in, during which nothing had been stolen from the building.

Therefore, the ways how we can protect against these threats are not so typical:

* Check the USB and PS/2 connectors of your workstations and servers several times a year
* Always check these connectors when a computer returns from being repaired
* Remember that visitors have a possibility to connect these devices often

Share

Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.

Share

Cisco: We know IOS rootkits can be made – harden your system

cisco has released an updated version of its cisco security response: rootkits on cisco ios devices document after the eusecwest presentation of mr. sebastian muniz (core security).

hardening, best practices etc, it appears.

thanks Sunshine. for pointing this on mailing lists.

Share

Manual Vishing

This Hebrew post in linmagazine describes what first sounds like a typical Vishing attack. The author’s mother receives a phone call telling her there’s been a terrible accident and she needs to call the hospital for the details. They give her the ER’s number but tell her to use only her land line. The number is *7200526671955. Strange, but not unusual in Israel where dialing *pizza connects you to Dominos and *mortgage to your local sub prime pusher.
So she calls and calls but there’s no answer, and she rings her son to tell him to try and call.

He rings, and gets a voicemail. Getting suspicious he dial his phone company’s information directory and finds they were conned: *720 is the code for call forwarding, and 052-667-1955 is a local cell number. It’s a clever scheme, actually. All the for-pay phone numbers (sex hotlines, etc) are opt-in which means they are blocked by default (to prevent scams like this, among other things).
However, calls to cellular phones are more expensive (in Israel the caller pays the charge and not the receiver) and so it is possible to cut a deal with the cellular company for revenue sharing and open your own ‘recipe tips’ hotline which should bring in many incoming cellular calls and make everybody (especially the mobile operator) happy. If instead of recipes you make people call because their friend’s phone lines are automatically forwarded to your number, well that doubles the fun.

So these guys figured call forwarding to international numbers won’t work, and chose the mobile option. Although it’s a bit risky (you need to be able to collect the money from the cellular operator before the cookie jar slams shut) but sounds lucrative. Now comes the final step in a Vishing scam like this; you need to convince a lot of people to do the call forwarding, and for that you usually use a Voice-over-IP line with a pre-recorded message. But not these guys: the post’s author confirmed to me that his mother spoke to a flesh-and-blood voice who actually answered her questions, had a perfect Hebrew accent (it wasn’t a Nigerian who went to Jewish Sunday school) and told her the number to call twice (and even waited until she grabbed a pen).

Calling manually is risky: people can trace back the call and find out where you were. Hiring telemarketing is typically out of the question (lets just try to imagine the brief to the telemarketing team) and manually calling hundreds of people is really not cost effective.

So why the manual call? The only thing that comes to mind is they were beta testing or watching to see the response from the cellular company or law agencies. Maybe they are even using Israel as a beta site for an international Vishing attack? When the FBI or secret Service (or Israeli Police) catch them, I hope they ask. With a bit of luck they’ll post a hint here in the comments.

Share

Remote-control device – the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how they managed to install this remote-control device? According to the news sources during a break-in before the incident – no money had been stolen from the bank during a break-in.

A comment posted to Technocrat.net is pointing to another interesting case (from CIO Update article) confirmed as keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.

Share

Cryptome: NSA has access to Windows Mobile smartphones

First time in history Cryptome.org has released information about the characteristics of NSA’s network surveillance.

According to the newest IP address listing

IP ranges published by Cryptome are used by NSA, by NSA’s private sector contractors, and by NSA-friendly non-US national government agencies to access both stand-alone systems and networks running Microsoft products.

The post continues:

This includes wireless wiretapping of “smart phones” running Microsoft Mobile. Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030.

The site has published NSA-affiliated IP addresses since July ’07. It’s not known if this mysterious source ‘A’ has connections to National Security Agency.

Share

Symbian S60 3rd edition hacked – and Nokia’s October response

A blog called Symbaali.info has released information about hacking of S60 3rd edition firmware with Flash update.
According to the blog a new Nokia Software Updater prevents this Symbian hack from working.

It appears that the point in this case is the editing of swipolicy.ini file.

By adding AllFiles capability to the file it’s possible to explore the entire file system.

The author has released several screenshots confirming the access to the Sys folder too.

The previous entries released earlier this month are located at symbaali.info/2007_10_01_archive.html.The site is registered to Mr. Roger Muhmu using a contact address of local Peekpoke company. Their Web site lists a P.O. Box address in Jyväskylä, Finland.

Security professionals here in Finland have confirmed the issue and Nokia’s Corporate Security department is aware. The following devices have been verified: Nokia N73, E61 and E90.

Ron Liechty of Forum Nokia confirmed the issue on Monday 29th Oct.

Share

JFFS2 ACL security issue in OLPC project – the first one?

Let the CVE describe the vulnerability:

JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly other Linux systems, when POSIX ACL support is enabled, does not properly store permissions during (1) inode creation or (2) ACL setting, which might allow local users to access restricted files or directories after a remount of a filesystem…

The only references available are:

from Linux MTD mailing list
and
from the ticket system of Laptop.org

It appears that the CVSS score assigned last week is 4.4., i.e. Medium.

OVPC – One Vulnerability Per Child or do we have any others?

Hey, this is post #1000 ;-) and there are 925 posts in the archive.

Share

13-year old MBR virus – and shipped with Medion laptops

A German company Medion has confirmed that it has shipped laptops containing a MBR virus – public since 1994.

According to Sunbelt the virus is Stoned.Angelina.

Symantec write-up here and F-Secure write-up here (the same name in use).
It appears that the affected model is Notebook Medion MD 96290. Link to the FAQ page of the vendor (German language):
www.medion.de/?service_~u~_support/allgemeine_FAQs.html

Please check the entry ‘Wichtige Produktinformation zum Notebook MD 96290′.

Update: Or the following permalink www.medion.de/popup_md96290.htm

The number of infected laptops and how the master boot record virus can find its way to the brand new machines (without a floppy drive, I believe) is not known.
But this is not the first time.

Exactly two years ago Creative shipped several thousands Zen Neeon MP3 players containing Windows worm Wullik.B.

And back to 1995 (from F-Secure’s Angelina description):

In October 1995 [Stoned.Angelina] was found on new Seagate 5850 (850 MB) IDE hard disks.

Update #2: There is no a floppy drive included.

Share