Tag Archive for 'Security'

Mobile phones the next target for BotNet hackers, say researchers

Published
by
Stuart Houghton
on October 15, 2008
in Other stuff
. Comments

Great news, everyone! Your mobile phone may soon be helping some criminal scrote take down a Fortune 500 company!

PC owners have long been prey to virus writers and in recent years the cunning coders have been harnessing infected PCs to create ‘BotNets‘ - armies of enslaved PCs that can be used for criminal purposes without their owners ever suspecting a thing.  Now, say security researchers at Georgia Tech, the current generation of smartphones are powerful enough to take over as the hacker’s botnet platform of choice.

All that processing power, twinned with an always-on internet connection, could see deial of service attacks or even coordinated password-cracking algorithms running in your inside pocket.

Don’t get too worries straight away - this is very much at the  ‘well, it could happen’ stage, and certainly most mobiles are more locked down, app-wise, than the average WIndows PC but it is certainly food for thought.



WPA wifi encryption cracked

Published
by
Stuart Houghton
on October 13, 2008
in Mobile internet and Other stuff
. Comment

If you use WPA or WPA2 encryption on your home wifi setup, it might be time to think about using a longer keylength.

Security consultants Global Secure Systems say that a Russian team has successfully reduced the time it takes to brute-force (guess) a password by up to 10,000 times by using NVidia graphics cards to boost the calculations.

“Brute force decryption of the WPA and WPA2 systems using parallel processing has been on the theoretical possibilities horizon for some time,” said David Hobson of GCS, “but the use of the latest NVidia cards to speedup decryption on a standard PC is extremely worrying.

Neopwn - pocket penetration testing with an OpenMoko

Published
by
Stuart Houghton
on September 22, 2008
in Handsets
. Comments

The OpenMoko linux-powered mobile phone has been around for a couple of months now and, as expected, linux coders have been beavering away.

Neopwn is the first significant OpenMoko project that uses the new handset.  It is a ‘pocket pentesting’ suite - essentially a collection of hacking/cracking tools that can be carried about in a mobile phone, then unleashed on an unsuspecting network using the phone’s internet connection or the USB host conection contained within the device.

Many different security and cracking apps have been ported to the device, including the packet analyser WireSHark and several password cracking tools.



CSI Stick can suck the data out of your phone

Published
by
Stuart Houghton
on September 3, 2008
in Culture and Other stuff
. Comments

Just in case you needed a new reason to be paranoid, a security company has invented a device that can slurp all the data - photos, contacts and SMS - straight off your phone

The Paraben Cellular Seizure Investigation Stick (I’m sure the acronym is pure coincidence) is marketed as a ‘law enforcement’ tool, but is available to the public.  By plugging it into a phone, you can grab all the data in just a few minutes - leaving no trace that anything has been tampered with.

The stick supports around 300 Motorola and Samsung phones at the moment, but support for more models - including those from Nokia and RIM - is promised soon.

To be at risk, you would have to hand over your phone or leave it unattended so there are certainly ways of minimizing your exposure.  Perhaps investing in some encryption would be a good idea too?

I can see these being snapped up by tabloid hacks - particularly those attending events (e.g. film premieres) that require you to turn in your cameraphone at the door..

Can Apple remotely disable apps on your iPhone?

Published
by
Stuart Houghton
on August 11, 2008
in Biz & Tech
. Comments

iphone-in-hand3.jpgEngadget is reporting that the new iPhone 2.x firmware contains code that periodically ‘calls home’ to check for a blacklist of iPhone apps and disable any that are found on our handset.

Steve Jobs has reportedly confirmed the existence of this ‘kill switch’, claiming that it has been included in case Apple ever inadvertantly approved a malicious or harmful app for release via the App Store.  Jobs said, “hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull.”

Hmm.  As if the iPhone was not locked-down enough.  While it is nice to know that Apple are looking out for us in case of malware attack,  does anyone else feel bit creeped out by the fact that Jobs can selectively knock out apps that you have bought and paid for?  If this is such a great security feature, why was it hidden away in the darker recesses of the OS and not trumpeted as a benefit for the unwary iPhone user?

Obviously Steve is a great guy and would never use his powers for evil, but given that Apple have already yanked from the App Store both the (admittedly fatuous) I Am Rich and the (useful, but not mobile carrier-friendly) Bluetooth tethering app NetShare you have to wonder if the definition of ‘malicious’ might turn out to be rather flexible.



Sri Lanka bans phone sharing

Published
by
Stuart Houghton
on August 1, 2008
in Biz & Tech
. Comments

 srilanka.jpgOh, those pesky terrorists - always ruining things for everybody else.

First it was bottles of liquid on planes, then t-shirts with guns on them and now the Sri Lankan government is cracking down on people sharing mobile phones.  Honestly, the next thing you know they will be stopping innocent people from carrying perfectly explainable alarm clocks and bundles of wire.

The Sri Lankan government reckons that  if you lend someone your mobile phone, there is a non-trivial possibility that they might use it to organise a terrorist attack or set off a roadside bomb, before handing it back to you with a grateful smile.

To prevent these - somewhat unlikely - events the Sri Lankan Telecommunication Regulatory Authority  will require mobile users to carry certificates of ownership for their phones and to provide proof of identity before buying a new phone.

It will also be illegal to  let anyone else use your mobile, lest you enable them to

No idea how effective this be in the old War on Some Terror, but it does sound like a great way for a government to stamp out anonymous communications.

Does the iPhone encourage bad passwords?

Published
by
Stuart Houghton
on July 23, 2008
in Mobile internet
. Comments

ipasscode.jpgHmm.  Interesting thought, this.  Productivity blog 43 Folders has a bee in its bonnet about security on mobile devices.

Briefly, their contention is that the poor onscreen keyboard of the iPhone is dumbing down people’s password choices.

With so much information hidden behind passwords nowadays (electronic banking, web mail, credit card details, etc.) if someone were to obtain, crack or guess one or more of your passwords there could be serious consequences.

For years, security experts have been trying to drill into people the idea that passwords and PIN numbers should be difficult to guess or to crack.  No using your birthday or just going with ‘password01, password02. etc.’ - passwords of that nature are easily cracked by even the simplest brute-force attacks.  You may as well just write them on your forehead.

No, the key is to change your password regularly and to at least ty to incorporate numbers, capital letters, punctuation marks, etc.  Unfortunately, say 43 Folders, this is much easier if you are using a proper keyboard.  Having to use a touchscreen or other mobile data entry system will mean most people just tap a couple of characters or their PIN and forget about it.

Their article refers specifically to the  iPhone (understandable, as it is so geared to mobile web browsing) but the advice is equally applicable to any web-capable mobile device.

It’s food for thought, certainly.  The author recommends programs like 1Password for the Mac as a possible solution, although there are plenty of password managers for WinMo, S60, etc. as well.

Old RAZR phones vulnerable to ‘MMS of Death’

Published
by
Stuart Houghton
on June 9, 2008
in Handsets and Other stuff
. Comments

170px-black-razrv3-closed.jpgIf you are still rockin’ an early-model Motorola RAZR, you might want to upgrade your firmware.

Security researchers from ZeroDay Initiative have discovered a firmware bug in early RAZR models that allows specially-created JPEG images to execute arbitrary code.

The ‘poison’ JPEG can be sent to the phone via MMS.  If the MMS is accepted, a bug in the part of the image viewer that reads EXIF image metadata (the part that records the date, camera type etc.).

Although there have been reported sightings of this kind of hack in the wild, Motorola are recommending that you update your firmware via their website.

Interestingly, though, the vulnerability was reportedly discovered almost a year ago.  Why has it taken so long for the public to get to know about it?

Motorola had this to say about the problem:  “Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases.”

Symbian app security hacked

Published
by
Stuart Houghton
on June 5, 2008
in Biz & Tech
. Comments

f-secure_security_b.jpgA Spanish hacker has found a way around the S60 signed-app authentication, potentially allowing harmful apps to access bits of your phone they really ought not to.

The securioty model on recent Symbian phones uses a layered,’onion skin’ approach to signing.  An app is signed and given a particular level of access to the phone- a layer on teh onion skin, if you like.

This stops any old app from doing what it likes to your phone.  Older Symbian phones used a ’single layer’ system - once an app was signed, it had freereign to touch what it liked.  The new system allows les trusted apps (e.g. random freeware) to be given restricted access to thehandset.

Or at least, that is how it should work.  Security company F-Secure has identified a Symbian app that once installed, will bypass the security layers and gain unlimited access to the phone’s entire file system.

Granted, the user still needs to install the suspect app in the first place - although this would just be a matter of social engineering  (an advanced hacking technique, also known as ‘lying’)

On the positive side, the app stops any other apps from working, so it is likely that you would soon know that something was wrong, should you become infected.

via The Register

Smartphones are bigger security risk than laptops, says survey

Published
by
Stuart Houghton
on June 4, 2008
in Biz & Tech and Other stuff
. Comments

cellphone_lock.jpgSmartphones and PDAs represent more of a security threat to IT systems than laptops, according to research carried out by data security firm Credant Technologies.

The survey found that, of the 300 senior IT staff who were consulted, 94% felt that mobile devices were a security risk as oppsed to 88% who felt the same way about laptops.

Part of the problem, says Credant, is that nine out of ten mobile devices are given access to company’s data without any security measure being taken - such as a secure password.

Over half of executives did not bother to use a password when using their phone, despite the phone containing confidential data.

“Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate,” said Peter Mitteregger, Credant Technologies’ European VP.

Does this ring true where you work?  With more and more users reading their (supposedly confidential) emails remotely bia Blackberry, iPhone or IMAP client it would be interesting to know just how open that data was.  If you use a smartphone for work, does your IT department lay down the law with regards to security, or are you left to your own devices?

« Older Entries