Entries Tagged as 'Security'

BART overstepped boundaries in San Francisco Cell Service Incident

Apparently SF BART had shut down cell service for about three hours in the San Francisco area at a few stations where some activists were going to protest. While I do believe this has some serious free speech implications since they’re trying to pull a whole Minority Report type of scenario which is against current law, I have to say that from a telecommunications standpoint, they pulled a major flaw by calling it a safety issue. As a telecommunications professional, I have spent years of time facing countless hours trying to maintain the cellular infrastructure. One of the biggest risks we face in telecom is the one where someone can’t make a 911 call. That means that people’s lives could indirectly be affected by our work, which is why we must be careful.

In shutting down cell service to “prevent” something from happening, the problem then becomes an issue when someone does indeed get hurt and there’s no communications inward or outward. You can’t rely on BART officers there with their CBs since they can’t be there while maintaining lines or what not against a protest. So from an emergency situation where someone’s life is dictated by the minutes of time that could affect life and death, cellular service is critical for response. In this case, I believe that BART made an egregious error and whoever made that decision didn’t think about the consequences that might follow. On top of all of this? BART themselves pulled the plug on the base stations and notified the carriers after the fact (another mistake and a hard one). Meaning, the carriers had no idea and probably saw the sites go down in the NOCs and were scrambling to get them back up.

BART said that they were well within their legal rights to turn off cell stations, but I beg to differ. If this were the case, then all base stations are endangered by the tower leasing areas. I know for a fact that the leasing contracts do state that they can’t just willy-nilly turn off power or otherwise to the leased areas since the carriers are the ones that maintain those agreements with the utilities and not BART.

Nice job, BART. You not only wasted a lot of telecom professionals’ time with your crazy logic, but you didn’t go down the right legal roads to at least create a foundation that your logic could stand on. And thus, BART’s going to get their “you know what” handed to them by all sorts of legal experts. Do I foresee a resignation? Maybe, but at the very least, someone is going to take the fall for this one.

Criminal Justice Department? What?

So I ran across this website running an ad on becoming a CIA agent. Amusingly, I remembered back in college days when I was accepted to be a CIA intern, but couldn’t even get in with the FBI because of my grades. I suppose computer skills were more important than grades at the time with the CIA.

In any case, so knowing that there are GPA requirements to join certain agencies, I thought it was amusing that there was a site that was offering financial aid to become one, and on top of that was basically saying that you could join in 18 to 24 months. I could be wrong, but I’m pretty sure it depends on a lot of qualifications and all sorts of things.

So I looked it up and the site happens to be off a .org TLD. I could be wrong, but I have never seen any federal government agency use a .org TLD ever. In fact, this is registered to someone that’s using a domain proxy which means that it’s probably a private individual. On top of that, they want to see if you qualify for financial aid. Someone is trying to get personal data for financial aid? Sounds awfully like a phishing scam. Now, like I said, it might be legit. But all indications seem to point to the fact that it isn’t when you get right down to it.

Scary stuff. And this is from a legitimate ad. Caveat emptor.

1984 Here We Come

I’ve always wondered whether or not federal law enforcement management ever think about what they say before saying it.   Currently, they want to put a backdoor in every piece of software so that if given a warrant, the government can go in and snoop on sensitive cyber-information.  And their reasoning is based on the fact that CALEA has worked with telecommunications so why can’t it be done elsewhere, predominantly software.

As a telecommunications professional of over a decade of experience and having been in the security industry for a major part of my life, I have to say that they fail to actually understand how CALEA is implemented. While it is a government-mandated security act that telecommunications and internet providers have had to deal with, it’s also got something that most software doesn’t: a physical footprint. To actually use a CALEA backdoor, you physically have to go to a 24/7 manned switch that has hardware to jack into to basically “eavesdrop”. It’s more complicated than that, but that’s pretty much how it works.

However, with software, if there is a backdoor and it’s known by hackers, then hackers will try everything in their power to break in through that area. You know how in Linux, they say never to use the root user? That’s the same principle. Don’t give it out, don’t acknowledge it, because once people know that it exists, it becomes a security risk.

And if you’re in security, you should understand the risk assessment value and how ease of use is predominantly inversely proportional to security.  Always has been, and for the most part, always will be.  On top of all of this, there is another method that people will use to get around all of this.   Bouncers and darknets.   If this law is passed, they actually make their lives a lot more difficult as enforcement since most people don’t just think about using darknets or even understand how bouncers work.  If a wiretap is in place in all areas though, then it forces the underground to come up with new ways of communications without fear of someone looking over their shoulder.  And is that what law enforcement wants?  That doesn’t sound “easier” by any means of the imagination.

At least not to me.

China Domain Scams

I have to say that it’s very amusing when you get emails like this. I had to do a little bit of digging to get the dirt on it, but fortunately when you’re not the first of these types of scams, the Internet can be a great resource. Basically, the idea is no different than the domain snail mail letters that people send in the mail that look like a bill in the US. This takes a different approach, since it makes you scared that your brand is in jeopardy and you didn’t buy up some of the other domains.

The email below is a verbatim copy of what I got from the scammers. I had started a dialogue in my usual manner, but was fascinated when they basically said that they were doing due diligence, but then they could not deny the application by the other corporation even though they were doing due diligence.

Hmm, makes you wonder. What’s the point of doing due diligence then?

If you ask about it, then they’ll send you a cost sheet, and it’s like $60-$120 per brand and domain. Amusingly, these same domains cost somewhere around $10 to $30USD depending on what they were, and a lot of them, you have to show registration of a legitimate business within that domain. For example, in Hong Kong and Taiwan, you have to have a registered business within those regions to actually even apply for the .com.tw and .com.hk. I don’t know about China, but in all honesty, it’s not something that I would care to register as a business owner. In the end, the .com is king and anyone in the web world knows that.

This happened to come from a site called “drc-asia.org” which claims to be a domain registrar in China. Interestingly enough, if you look up the domain itself, it’s owned by “shanghaifengwangwangluokejiyouxiangongsi”. Which is fine in itself, except for the fact that they have a .live.cn (Hotmail China) email registration. Crazy thing here, but legitimate businesses never have domains registered under any personal email places. No Hotmail, Gmail, or anything else. Much less when a domain registrar doesn’t know how to set up CNAMEs, so that drc-asia.org doesn’t point anywhere, but www.drc-asia.org actually does go to a host? Come on.

In any case, if you find yourself worried that you might be on the verge of getting taken in, fear not. Usually it’s a permutation of the email below.


(If you are not the person who is in charge of this, please forward to the right person/ department, as this is urgent, thank you!)

Dear CEO,

We are the department of registration service in China. we have something need to confirm with you. We formally received an application on Aug 16, 2010, One company which self-styled " dre&y trading ltd" are applying to register "merchantsmirror" as brand name and domain names as below :
merchantsmirror.asia
merchantsmirror.cn
merchantsmirror.com.cn
merchantsmirror.com.hk
merchantsmirror.com.tw
merchantsmirror.hk
merchantsmirror.tw
After our initial checking, we found the brand name and these domain names being applied are as same as your company's, so we need to get the confirmation from your company. If the aforesaid company is your business partner or your subsidiary company, please don't reply us, we will approve the application automatically.

If you have no any relationship with this company, please contact us within 7 workdays. If out of the deadline, we will approve the application submitted by "dre&y trading ltd" unconditionally.

Best regards,
Robert Yang
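
The indicators visible in the email above, turned into a small triage heuristic; this is an added example, not code from the original post. The function names, the free-mail entries other than live.cn, the three-hit threshold and both sample messages are assumptions constructed for illustration.

```python
import re

# Regional TLDs taken from the sample email on this page.
REGIONAL_TLDS = ("com.cn", "com.hk", "com.tw", "asia", "cn", "hk", "tw")
# live.cn is the free-mail domain the post reports; the others are assumptions.
FREEMAIL = {"live.cn", "hotmail.com", "gmail.com"}
DOMAIN_RE = re.compile(
    r"\b([a-z0-9-]+)\.(" + "|".join(map(re.escape, REGIONAL_TLDS)) + r")\b", re.I)

def brand_tld_spread(text):
    """Map each second-level label to the regional TLDs it is listed under."""
    spread = {}
    for label, tld in DOMAIN_RE.findall(text):
        spread.setdefault(label.lower(), set()).add(tld.lower())
    return spread

def indicators(text, registrant_email=None):
    """Return the names of the template indicators that fire for one message."""
    hits = []
    if any(len(tlds) >= 3 for tlds in brand_tld_spread(text).values()):
        hits.append("one-label-many-regional-tlds")
    if re.search(r"apply(?:ing)?\s+to\s+register", text, re.I):
        hits.append("third-party-application-claim")
    if re.search(r"within\s+\d+\s+(?:work(?:ing)?\s*)?days", text, re.I):
        hits.append("reply-deadline")
    if re.search(r"approve\s+the\s+application", text, re.I):
        hits.append("approval-threat")
    if re.search(r"^dear\s+(?:ceo|sir|manager)\b", text, re.I | re.M):
        hits.append("generic-salutation")
    if registrant_email and registrant_email.rsplit("@", 1)[-1].lower() in FREEMAIL:
        hits.append("registrar-uses-freemail")
    return hits

def looks_like_registration_scam(text, registrant_email=None, threshold=3):
    """Flag a message when at least `threshold` indicators fire (assumed cutoff)."""
    return len(indicators(text, registrant_email)) >= threshold

# Constructed samples, not real mail: a permutation of the template and a benign notice.
SCAM = """Dear CEO,
One company is applying to register "examplebrand" as brand name and domain names:
examplebrand.asia
examplebrand.cn
examplebrand.com.hk
examplebrand.tw
Please contact us within 7 workdays or we will approve the application.
"""
BENIGN = """Hi Dana,
Your domain examplebrand.cn renews on 1 March. No action is needed.
"""

if __name__ == "__main__":
    print(indicators(SCAM, "registrar-contact@live.cn"))
    print(looks_like_registration_scam(BENIGN))
```

The registrant address is passed in separately because it comes from a WHOIS lookup on the sender's own domain, not from the message body.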

How Does TSA Take to “Paperless Boarding Passes”?

Interestingly enough, there’s this new fun little thing that the TSA is pushing which really shows that they’re actually with the times. While most people still use the paper boarding passes, you can now have it sent to your phone. What it does is send you an image of a QR code, I believe, which is then scanned at the TSA checkpoint. They use one of the red bar code scanners so it doesn’t really get affected as much by the reflective screens on smart phones.

What’s neat about this technology isn’t just because it’s “green” since there’s no paper, but the fact that the government is finally getting on board the technology train WHILE it’s going.   Not like ten years behind.  Usually you don’t see things like that except in military and advanced research labs.   I find that absolutely fascinating.

While I had the opportunity to use it more recently, I was hesitant mainly because I didn’t want to hassle with it if there were airports that had screeners that were not trained to actually deal with the passes.  Even if the airlines are pushing it, it doesn’t necessarily mean there are untrained staff out there.  So I decided to observe and see for myself.

It happened that there was one lady in front of me at Newark that used this system.  It was actually very quick and easy and definitely put my mind at ease that perhaps this is the next thing I’ll adopt while I travel.  Nothing like getting rid of the abundance of boarding passes that one has to carry these days along with all of the advertisements and the weather and what not.  In all honesty, while it seemed like a pretty good idea, I usually am annoyed that they print all my boarding passes on separate pages with a bunch of junk on them.   Just print them all on one page!

I’m actually pretty happy that so far my observation of the paperless boarding pass has been a great experience.

Quotes are the Bane of Social Media

I don’t know who came up with using quotes. But having analyzed much of the traffic that goes across social networks, I have to say that if you use quotes, you’re asking for trouble.

Why?

Have you ever looked at the Twitter bot accounts and what they post? Usually, a substantial number of them use quotes. Those that filter onto Facebook also use quotes. In fact, there really isn’t any time that those bots don’t throw in the quotes section since they want some filler that could be applicable to human interaction. And thus, those of us that actually do watch and read the traffic become extremely desensitized to quotations.

This is a lose-lose situation. First, the people that read don’t feel like there’s substance there so they skip reading your information, even if you might have some fabulous stuff later on. What can I say, the attention span of Internet users is fairly short. But also, the user of the medium that has integrated quotations also gets thrown into the bucket with the spam bots. Now, I don’t know about you, but I wouldn’t want to be in the same bucket as spam bots.

If you do use quotes, I implore you to stop. It’s not helping and the filler really isn’t useful. If you intend to keep at it though, no worries. The rest of the world is probably ignoring you.

Let Me in Your iPhone

If you didn’t know already, the encryption for GSM’s antiquated algorithm has been cracked. All 64 bits of it. And guess what… apparently most carriers haven’t upgraded to the 128-bit algorithm because… well, I’m not exactly sure. I suppose security by obscurity is probably the key reasoning behind this, but A5/1, which has been around since 1988, was replaced by the GSM Association in 2007 with A5/3, and most carriers haven’t bothered to upgrade.

It’s not anything spectacular since the 64-bit keys were cracked through brute force, and with the computing power these days along with parallel computing, you can pretty much crack the smaller length algorithms through brute force easily. And this doesn’t allow you to listen in on the calls just yet; it just opens the doors to any of the communication that runs on those bands if the carriers haven’t changed the codes on you, not to mention the legality of breaking those codes outside of academic research.

There are a couple of ways around this problem. One is to upgrade to a larger key such as 128-bit (which is pretty standard considering many banks run SSL certs on 128-bit encryption). Not super-safe, but it does create a lot more combinations to guess through brute force. The other way is through a methodology similar to RADIUS with WPA for Wi-Fi. Wi-Fi keys are easily broken, but if you have a service that continuously rotates those keys and makes it a dynamic password, then any hacker is left with a time limit to break in. From a security standpoint, this becomes a more daunting task.

And as far as iPhones are concerned… oh… if you own one and didn’t know already…(as do most of the world’s mobile devices), they run on GSM carriers. But then again, so will Google’s Nexus One.

Growing List of Hotmail Accounts Compromised Via Phishing

Over the weekend, it seems that there was a compromise with Hotmail accounts. Five figures’ worth of accounts, apparently. Now, the first thought would be that someone actually took action against Microsoft and busted through. But in this case, it was apparently ill-gotten from phishing scams. The password list was posted on Pastebin, which is a place where developers share snippets of code to get more eyes on it. They have taken down the offending accounts and taken the necessary precautions.

Either way, Microsoft has identified this issue and has apparently locked down the compromised accounts. If you were compromised and are locked out, there is an email form that Microsoft Live has set up for you to reclaim your account. I took a look at it, and it asks for some serious private information.

All of this should teach you (the end user) something. The lesson here is that you don’t click on anything ever in emails or otherwise, when you can go directly to the site itself and look for it. This is one of the reasons I have always hated HTML emails, since it stupefies the entire security aspect and makes it a more difficult problem since you go against human nature. Thus? You’ll never see me prefer text over HTML any day of the week. You can dump links there, but I can read them.

Tips and Tricks: TwitBlock

Ever wonder how to get rid of the spammers on Twitter? TwitBlock is a great way to find the ones that have followed you and whether or not they could be the same spammers.

Using a special algorithm, it calculates out whether or not a person is potentially a spammer and gives them a score. Based on whether or not TwitBlock users have marked the user as a spammer, the effect of the scoring goes up or down. It’s actually a pretty interesting method since most of the ways of detection are common sense things.

I would probably say that most people that have more than a thousand followers probably have quite a few bots and such on there, but at least there’s a way to somewhat detect these now instead of going through your followers one by one.

If you’re curious about it, definitely run this every so often on your account. It uses OAuth so you actually never give it your password and such, which is a great thing from a security standpoint for a third-party application. Give it a whirl.

Twitter is Down This Morning

If you’ve been wondering why Twitter won’t work this morning, just go and check their status section. I found it interesting that the entire site wouldn’t work at all and found it suspiciously like a DoS attack. That was confirmed here.

So in case you were hoping to get your tweeting in today, you might encounter some issues over there.
