Physical Security

Fences, alarms, but also TEMPEST and side channels

All your (base) stations belong to us

What started off nicely in 1992 and promised the much needed privacy to cordless communication at home, has been brought into a halt a few days ago with the practical approach to eavesdropping on DECT communication.

DECT or Digital Enhanced Cordless Telecommunication is a widely used standard for cordless devices, mainly phones, but not limited to it, several POS or Point of Sale devices as well use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken, but rather using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it till now, was the lack of hardware, or moreover the lack of cheap hardware, to experiment with, now with the availability (it has been around for a while) of COM-ON-AIR device and its character device (or raw software driver) things have been made a lot easier.

You can read more on this at deDECTed.org

Cute awareness video (plus other resources)

For those into security awareness:

This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It’s amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won’t match yours, but at least it’ll get you (or your staff) thinking about some of the issues.

If you want something more, the Virginia Information Technologies Agency (VITA) (state government agency) has an Information Security Awareness Toolkit site with copies of the video (both viewable and downloadable, and with subtitles and without), as well as other links and resources.

Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

Three good reasons why iPhone isn’t the major corporate smartphone

Time to share information about three vulnerabilities reported in Apple iPhone recently.

There is a phishing vulnerability and a spamming vulnerability, which Aviv Raff has reported this month.

The phishing flaw exist in iPhone’s Mail application. With a specially drafted link it’s possible to convince the victim that the link is trusted. Including the address bar, naturally – see Raff’s screenshot here [.jpg].

The second problem is that downloading remote images is not disabled in Mail, i.e. the Web Bug flaw exists in the application and there is no ways to disable that “feature”.
The third one is a SMS security issue found by the son of blogger Karl Kraft, described below:

Those settings block the display of incoming text messages and show an alert saying “New Text Message” if an SMS comes through while the phone is locked. However, if the phone is set to emergency call mode the incoming text messages are previewed.

And then:

“Thus all I need to do to intercept the messages from his girlfriend is to place the phone in emergency mode and wait 30 seconds for the next sickly sweet message,” Kraft writes.

That was reported (yes, by his father) in iPhone version 2.1 (5F136) – the most recent version too.

Fedora confirms: Our servers were breached

It is more than week ago when The Fedora Project informed about “important issue” affecting to its infrastructure systems. No additional details were given.
As expected, the claims and rumors started to spread if there was a serious server breach.

The Fedora Project issued a recommendation that users will not download any packages or update their Fedora installations. There was a note to change the Fedora Project passwords (it was not reported widely for some reason) too.

Today, Mr. Paul W. Frields, Fedora Project Leader has posted an announcement about the facts:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

The Fedora Project servers are hosted at Red Hat Inc., the employee of Mr. Frields.

This is an interesting detail from hosting history section:

209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008
209.132.176.122 – Linux Apache/2.2.0 Fedora   – 16-Aug-2008
209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008

That device on my work computer – was it there yesterday?

Bank robbers using remote control device to control the mouse cursor of bank employee have been jailed now, report the headlines.

We can’t expect that an ordinary worker will know if USB sticks, peripherals with Bluetooth enabled, innocent looking hardware keyloggers etc. connected to their desktop computers and even to laptops are malicious – and not installed by a local IT support.

This Swedish worker recognized an odd device connected to his workstation, but a target organization is not so lucky every time. ”Employee quickly pulled the plug, interrupting a transfer” ($7.9 million), but there was an extra cable which ended up under his desk.

It’s worth of mentioning that this remote control device had been installed to bank workstation during a previous break-in, during which nothing had been stolen from the building.

Therefore, the ways how we can protect against these threats are not so typical:

* Check the USB and PS/2 connectors of your workstations and servers several times a year
* Always check these connectors when a computer returns from being repaired
* Remember that visitors have a possibility to connect these devices often