Disabling GSM Phones With SMS

March 11, 2011

Researchers at CanSecWest gave a presentation this week on disabling various GSM phones using only SMS messaging. They used OpenBSC, an open source toolkit, to build a custom GSM network and to generate the SMS messages. Phones could be frozen, rebooted, locked, even completely bricked.

From one of the comments on the article:

It’s actually pretty well known –has been known for a while, too– that handsets are mostly tested against the few types of base stations Out There and, er, that’s it. Malicious input checking? Never needed; all the base stations are made by just a few manufacturers, right? Right?

Well, that’s what OpenBSC changed. Phones are still back where computers were back in the eighties. And now we can poke at them. There’s more where this came from. Far more.


Autorun Update

March 3, 2011

Microsoft is now pushing out Autorun Update from their Automatic Updates repository. This means that home and SOHO users who are patching their machines from Microsoft, without the benefit of WSUS or other management platforms, will have their Autoplay restricted to CDs and DVDs. Since the autoplay of USB keys and other volumes was being badly abused by malware, this is a good thing – just keep it in mind for when your less computer-savvy friends call to ask why they aren’t getting that neat popup menu any more when they put in the SD card from their camera.

This update affects WinXP and newer systems.


Speculation on Thunderbolt

March 1, 2011

Thunderbolt, a new I/O interface, was introduced last week on the latest line of MacBook Pro portable computers. Physically, it uses a DisplayPort connector – and, if you like, it can be used as a simple DisplayPort interface to connect a monitor or projector to the computer. But it is also a successor to FireWire, capable of daisy-chaining up to five devices with a shared bus bandwidth of 10 Gb/s.

It is also a successor to FireWire in that it is an unauthenticated peer-to-peer bus protocol (as distinct from a master-slave protocol like USB). This characteristic has been exploited in FireWire to forensically read the contents of RAM or attached disks from a live machine. While the details on Thunderbolt are rather sketchy right now, it’s easy to imagine that an adversary could rig a display device to surreptitiously harvest data from a client machine, while appearing to function normally.

Physical security is tricky to enforce. Most people are smart enough to avoid plugging a random USB drive or Ethernet cable into a machine that holds sensitive data – but they won’t think twice about using a projector in a classroom or at a conference. Thunderbolt adds a whole new class of peripherals into the “untrusted” group. Watching the professionals take a crack at this will be very interesting.


Back to Basics

February 24, 2011

An article on Threatpost makes a compelling point: despite the amount of press lavished upon attacks like Stuxnet or Aurora, most companies don’t need to be worried about the latest and greatest targeted attacks. They need to worry about the basics – SQL injection attacks, phishing, social engineering, and other “boring” threats.

For the vast majority of companies, especially ones outside of the Fortune 100, there is simply no present threat from something like Aurora. Complex, expensive security infrastructures aren’t what you need. You need properly hardened servers, trained employees, and developers who know how to write secure application code.


OddJob

February 22, 2011

A new trojan, named OddJob, has been discovered. It surreptitiously hijacks a web banking session, cutting off “logoff” attempts and allowing the criminals who operate the trojan remotely to access victims’ accounts.

This is a nasty one.


Android Trojan

February 18, 2011

Another trojan for the Android smartphone platform was discovered earlier this week. This is apparently being included in repackaged wallpaper packages and used in the Chinese market. It essentially uses the phone’s data connection in the background to perform search engine queries and click on results; I imagine that click fraud revenue is a motivator.


Unsecured IP Cameras

February 17, 2011

Here is an interesting article over at Ars Technica about the prevalence of Internet-accessible cameras that you can find with a simple Google query. Some of them are intended for public consumption, like the aquarium cam the author posts a picture from. Some of them are not, like the jewelry store security cam. But all of them are available to anyone who can find the URL in a search engine.

Why is this so?

Well, security cameras used to be a dedicated product with specialized cabling and deployment techniques. But like so many things (voice telephones, printers, POS terminals, etc.), someone had the innovative idea to just put cameras onto an IP network instead. This meant that the cameras no longer needed runs of special analog cabling back to a VCR or monitor – instead, you could just access the video feed with a web browser.

Well, this is an excellent advancement. But moving things into the IP world means that you now have to be familiar with how to secure things in that world. And clearly, many people are not. They don’t think to change default passwords, or close firewall holes, or whitelist allowable addresses. And their cameras show up in this article.

Cameras aren’t the only culprit. Here’s a list of common IP devices; are you sure that they’re all properly secured on your network?

  • Printers
  • Vending Machines
  • Cash Registers
  • Card Swipe Readers
  • Handheld Scanners
  • Smartphones
  • Tablets
  • Administration Interfaces (like HP’s ILO)

Securing an IP network means securing everything on that network, not just what we traditionally think of as “computers”. Because everything on that network is a potential target and a potential beachhead for an attacker.
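
One way to check for the "firewall holes" and missing whitelists described above is to audit the gateway's own port forwards. This is an added example, not part of the original post: it assumes a Linux gateway whose NAT rules are exported in `iptables-save` format, and the sample rules, addresses and the names `exposed_forwards` and `SAMPLE_RULES` are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (nat table). All addresses are
# private or documentation ranges; the devices behind them are hypothetical.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.60:443
-A PREROUTING -s 0.0.0.0/0 -i eth0 -p tcp -m tcp --dport 9100 -j DNAT --to-destination 192.168.1.70:9100
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def _opt(tokens, *names):
    """Return (value, negated) for the first matching option, else (None, False)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1], i > 0 and tokens[i - 1] == "!"
    return None, False


def exposed_forwards(rules_text):
    """List DNAT port forwards that are not limited to an allowlisted source."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies, comments, COMMIT
        tokens = shlex.split(line)
        target, _ = _opt(tokens, "-j", "--jump")
        if target != "DNAT":
            continue
        source, negated = _opt(tokens, "-s", "--source")
        # No source match, a /0 source, or a negated source ("everyone except")
        # all leave the forwarded device reachable from arbitrary addresses.
        if source is None or source.endswith("/0") or negated:
            dport, _ = _opt(tokens, "--dport", "--dports")
            dest, _ = _opt(tokens, "--to-destination")
            shown = ("! " + source) if negated else (source or "any")
            findings.append({"public_port": dport, "internal": dest, "source": shown})
    return findings


if __name__ == "__main__":
    for f in exposed_forwards(SAMPLE_RULES):
        print(f"port {f['public_port']} -> {f['internal']} open to source {f['source']}")
```

Each finding is a device reachable from outside with no source restriction; it still needs its default password changed even after the forward is closed or narrowed.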


Robotic Safe Cracking

February 16, 2011

So, what do you do when you get your hands on an old safe with an unknown combination?

Build a robotic safe cracker, of course! It’s either that or die of curiosity – the Magic Safe could contain anything!


Java Updates

February 15, 2011

It’s that time of month again – Oracle has released another patchset for Java, including fixes for 21 different security issues.

Write once, hack everywhere, I guess.


iPhone Password Disclosure

February 10, 2011

Apple’s iPhone product line doesn’t exactly have the most secure reputation – and this new attack certainly won’t help.

Researchers from Fraunhofer SIT have found a way to download all of the usernames and passwords stored in the iPhone’s keychain in a matter of minutes. A jailbreaking tool is used to install an SSH server on the phone, and then the SSH protocol is used to run a keychain access script and pull all of the credentials out. Even a “locked” phone is susceptible.