Entries Tagged as 'Security'

Let Me in Your iPhone

If you didn’t know already, the encryption behind GSM’s aging A5/1 cipher has been broken, 64-bit key and all. And guess what: most carriers apparently haven’t moved to the 128-bit replacement, for reasons I can’t pin down. Security by obscurity is the best explanation I can come up with. A5/1 has been around since 1988, and the GSM Association adopted A5/3, a 128-bit design, as its replacement in 2007, but most carriers still haven’t bothered to upgrade.

It isn’t anything spectacular in itself. The published break leans on precomputed tables (a time-memory trade-off) rather than a live brute force, but the underlying point stands: with today’s computing power and parallel hardware, a 64-bit keyspace is within reach of a determined attacker. And this doesn’t let you listen in on calls just yet. What it opens up is the decryption of any captured traffic on those bands for as long as carriers keep running A5/1, not to mention the legal problems of breaking those keys outside of academic research.

There are a couple of ways around this problem. One is a longer key, such as 128 bits, which is pretty standard considering that the SSL sessions to most banks use 128-bit symmetric keys. Not a guarantee of safety, but it multiplies the number of combinations a brute-force attacker has to try by 2^64. The other is the approach WPA takes with 802.1X and RADIUS on Wi-Fi: a static Wi-Fi key, once recovered, works until someone changes it, but if the network derives per-session keys and rotates them, any attacker is left with a time limit to break each key before it is replaced. From a security standpoint that is a far more daunting task.
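The trade-off described above, as an added example that is not code from the original post: a short Python script that shows how key length and key rotation change an exhaustive-search attacker’s odds. The guess rates and rekey interval are illustrative assumptions of mine, not measurements of any real attack; the 54-bit “effective” A5/1 size, which the post does not mention, comes from the 10 key bits that were fixed to zero in many GSM deployments.

```python
"""
Added example, not code from the original post: how key length and key
rotation bound an exhaustive-search attacker.  The attacker model is a plain
brute force at a fixed guess rate; the guess rates and rekey intervals below
are illustrative assumptions, not measurements of any real attack on A5/1.
"""

# Key sizes discussed in the post, plus A5/1's effective size: in many GSM
# deployments 10 of the 64 key bits were fixed to zero, leaving 54 bits.
KEY_SIZES_BITS = {"A5/1 (effective)": 54, "A5/1 (nominal)": 64, "A5/3": 128}


def keyspace(key_bits: int) -> int:
    """Number of candidate keys for a key_bits-bit key."""
    return 1 << key_bits


def expected_seconds_to_recover(key_bits: int, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return keyspace(key_bits) / 2 / guesses_per_second


def recovery_probability_before_rekey(key_bits: int, guesses_per_second: float,
                                      rekey_interval_s: float) -> float:
    """Probability that a uniformly random key is hit before it is rotated.

    Rotating the key means a single key is only worth attacking for
    rekey_interval_s seconds.  The attacker can try at most
    guesses_per_second * rekey_interval_s keys in that window, so the chance
    of success is that fraction of the keyspace, capped at 1.
    """
    tried = guesses_per_second * rekey_interval_s
    return min(1.0, tried / keyspace(key_bits))


def summarize(guesses_per_second: float, rekey_interval_s: float) -> dict:
    """Per-cipher expected recovery time (years) and odds of success within one rekey window."""
    year_s = 365.25 * 24 * 3600
    return {
        name: {
            "expected_years": expected_seconds_to_recover(bits, guesses_per_second) / year_s,
            "p_before_rekey": recovery_probability_before_rekey(bits, guesses_per_second,
                                                                rekey_interval_s),
        }
        for name, bits in KEY_SIZES_BITS.items()
    }


if __name__ == "__main__":
    # Assumed attacker: 10^12 key trials per second (a large cluster), against
    # a carrier that rotates the session key every hour.
    for name, row in summarize(1e12, 3600).items():
        print(f"{name:18s} expected {row['expected_years']:.3g} years, "
              f"P(recover before rekey) = {row['p_before_rekey']:.3g}")
```

With those assumed numbers the 54-bit case is recovered in hours and has roughly a one-in-five chance of falling inside a single one-hour window, the nominal 64-bit key needs months, and the 128-bit key is out of reach by a factor of about 10^19 however often it is rotated; rotation is what keeps a marginal key length survivable, not a substitute for a longer one.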

And as far as iPhones are concerned... if you own one and didn’t know already, they run on GSM carriers, as do most of the world’s mobile devices. But then again, so will Google’s Nexus One.

Growing List of Hotmail Accounts Compromised Via Phishing

Over the weekend, a batch of Hotmail accounts was compromised, five figures’ worth of them apparently. The first thought would be that someone actually went after Microsoft and broke in, but in this case the credentials were apparently harvested through phishing scams. The password list was posted on Pastebin, a site where developers share snippets of code to get more eyes on them; the list has since been taken down.

Either way, Microsoft has identified the issue and has apparently locked the compromised accounts. If yours was compromised and you are locked out, Windows Live has set up an email form you can use to reclaim it. I took a look at it, and it asks for some seriously private information.

All of this should teach you, the end user, something. The lesson is that you don’t click on links in emails, ever, when you can go directly to the site yourself and look for whatever the message refers to. It is one of the reasons I have always hated HTML email: it hides where a link really goes behind whatever text the sender chooses, which works against human nature and makes the whole security problem harder. So you’ll never see me prefer HTML over plain text, any day of the week. You can dump links into a text email, but at least I can read them.
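The point about HTML hiding a link’s real destination, as an added example that is not part of the original post: a small Python script that pulls every anchor out of an HTML message and flags the patterns phishing mail relies on, above all visible text that names one site while the href goes to another. The sample message, the `live.com` expected domain and the helper names are constructed for this example, not taken from the incident described.

```python
"""
Added example, not code from the original post: pull every link out of an
HTML e-mail and flag the tricks phishing mail relies on, chiefly a link whose
visible text says one site while its href goes somewhere else.  The sample
message at the bottom is constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registered_domain(host: str) -> str:
    """Crude 'last two labels' registrable domain; fine for .com/.net-style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:]\S*)?$", re.I)
_IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def suspicious_links(html: str, expected_domain: str) -> List[Dict]:
    """Return the links that deserve a second look, each with its reasons.

    expected_domain is the registrable domain the mail claims to come from
    (e.g. "live.com"); any link elsewhere is reported as off-domain.
    """
    findings = []
    for href, text in extract_links(html):
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {url.scheme!r}")
        elif url.scheme == "http":
            reasons.append("plain http, no TLS")
        if host and _IP_LITERAL.match(host):
            reasons.append("bare IP address instead of a hostname")
        if url.username is not None:
            reasons.append("user@host trick: the real host comes after the @")
        if host and registered_domain(host) != expected_domain.lower():
            reasons.append(f"points off-domain to {host}")
        if _LOOKS_LIKE_URL.match(text):
            # The visible text looks like an address; compare it with the real one.
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                reasons.append(f"visible text says {shown} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample, loosely modelled on an account-closure lure.
SAMPLE_EMAIL = """
<p>Your Windows Live Hotmail account will be closed unless you verify it.</p>
<p><a href="http://login.live.com.account-verify.example/">https://login.live.com/</a></p>
<p><a href="https://account.live.com/password/reset">Reset your password</a></p>
<p><a href="http://203.0.113.5/hotmail">Click here</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, "live.com"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Running it on the constructed sample flags the first and third links (look-alike hostname with mismatched visible text, bare IP address, plain http) and passes the genuine password-reset link; in a plain-text message the first trick is impossible, since the only thing the reader can see is the real address.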

Tips and Tricks: TwitBlock

Ever wonder how to get rid of the spammers on Twitter? TwitBlock is a great way to go through the accounts that have followed you and work out which of them are likely spammers.

Using its own scoring algorithm, it works out whether a given account is potentially a spammer and gives it a score; the score goes up or down depending on whether other TwitBlock users have marked that account as a spammer. It’s actually a pretty interesting method, since most of the signals it uses are common-sense things.

I would guess that most people with more than a thousand followers have quite a few bots in there, but at least there’s now a way to detect them in bulk instead of going through your followers one by one.

If you’re curious about it, definitely run it on your account every so often. It uses OAuth, so you never hand it your password, which is a great thing from a security standpoint for a third-party application. Give it a whirl.

Twitter is Down This Morning

If you’ve been wondering why Twitter won’t work this morning, just go and check their status page. I found it interesting that the entire site was down rather than degraded, which looked suspiciously like a DoS attack. That was confirmed here.

So in case you were hoping to get your tweeting in today, you might encounter some issues over there.

Ethical “White Hat” SEO Spam

Sometimes, I find spam absolutely hilarious.

I mean, check out this one that came through the contact form on our small business accounting software site. What really got me was that it was sent from a Gmail address and the Reply-To field was the same Gmail address. Even more interesting, if you search for this fellow, the sender has always been a Gmail address, and only the addresses change. Seems rather “phishy” to me. Here’s the actual content of the spam email:

We would like to get your website on first page of Google.
All of our processes use the most ethical “white hat” Search Engine Optimization techniques that will not get your website banned or penalized.
Please reply and I would be happy to send you a proposal.

By now, if you haven’t junked it, or laughed at it and then junked it, a couple of things should be clear. First, “white hat SEO” may be a fine term, but it means nothing to people who have no inkling of what it is. Second, spamming someone’s contact form isn’t considered “ethical” by any means, so it lends no credence to your SEO tactics. Last of all? Really. If you expect people to take you seriously for SEO, you need a real website with a real company name, and you should be able to show up on the first page of Google for “best SEO company”. Let’s face it: if you were truly good at what you do, you’d be there, wouldn’t you?

Be Wary in Job Searches

If you’re one of the many searching for positions on the Internet and sending your resume off through job sites, be wary. One of the latest scams security firms have been reporting over the past six months is a rise in identity theft through fake job postings.

Think about it. You’re desperate to get employed again, so you hand over your Social Security number, name, address and all sorts of other identifying details to a “potential” employer, only to find out they don’t exist. My suggestion? Do your homework.

While you won’t stop every kind of theft, doing your due diligence will greatly decrease the risk of being taken for a ride. Check whether the person actually represents the company they claim to. Are they overseas and using a local number to contact you? Do they represent a placement agency? Perhaps you’ve never heard of this business that is supposedly a few miles from your house, and it isn’t in the phone book. There are always signs of these kinds of scams.

If you don’t, you take a great risk. If you do, you minimize it. And best of luck on your search.

Why Isn’t Direct Mail Regulated Like Spam?

I never did understand why direct mail never came under as much scrutiny as spam. Everyone has an issue with spammers, but most people just suck it up and deal with direct mailers.

Now let’s be honest: if you look at both, they operate on the same concept, just in different mediums. Direct mail uses the postal service, spammers use the Internet. You have no say in whether you receive either, and both are trying to sell you something. And just as with an inbox, if you have a mailing address, you will get some no matter how hard you try to keep it hidden.

So my question is: why isn’t direct mail under rules similar to the CAN-SPAM Act? Why do we have to suck it up and deal with one of these marketing tactics and not the other? They seem like they should fall under similar regulation, the only real difference being that one is electronic and the other physical. In fact, now that I think about it, I’ve even taught the concept of email using home addresses as the analogy.

I suppose it’ll never be changed, but one can always wonder since both are annoyances in most people’s lives.

Thank You Microsoft for Spam

I love it when companies send you spam of the “no, it’s not really spam, and we know you opted out, but we want you to opt back in so we can send you more spam” variety.

I mean, seriously. Do they think you opted out of the marketing and promotional material because you wanted to be reminded that you had opted out? Uhh. No. Sorry, Microsoft, that’s definitely a spam fail on your end. Reminding me that I opted out of your spam means you did not abide by my preference not to be bothered with promotional offerings. And yes, I consider an administrative-looking email about promotional offerings to be a promotional offering, not a critical administrative message.

I wonder what brilliant person came up with that one. Hey! Let’s spam all the people who don’t want spam with a message that says: hey, we wanna send you spam, but we can’t because of your preference! To add insult to injury, they tack on a note about how they respect your privacy, with a link to their privacy statement.

Sometimes, it definitely makes you shake your head and wonder what goes on in those ivory towers.

Use of Proxy Servers Could Increase Jail Time

The United States Sentencing Commission has voted on this, but I haven’t found anything on what they actually decided.

Basically, a proposed amendment was put out that was written too broadly: it said that any use of a proxy server could increase jail time by up to 25%. The way it is worded, proxy use would essentially become a secondary offense if you used it to hide yourself while doing illegal deeds. Knowing that there are things like bouncers and darknets, there is definitely a reason for this from a law enforcement perspective. But on the flip side, if you say flatly that proxy server use carries extra jail time, that is plainly wrong and undermines the whole argument, since there are many uses of proxy servers, privacy among them.

From my perspective, there is more to this than meets the eye. It’s not just the privacy of the average Net surfer I would worry about, but the fact that a translation service like Google’s is technically a proxy server: it fetches and translates websites and relays them to you, so the host website sees Google’s address instead of your IP address, which is a “proxied” connection by any definition. Would you jail people for using translation? What about other legitimate forms of redirection? Using the term “proxy server” by itself is too broad; there has to be some underlying offense tied to the use to cover the illegal cases.

That being said, there are darknets and hosted VPNs you can use for privacy; Tor is just one of many. But both sides have to be weighed to find wording that doesn’t interfere with privacy or legal use, while not preventing law enforcement from chasing down those who use proxies for criminal behavior.

Sniffing Out Conversations

At this year’s CanSecWest, researchers demonstrated that with eight dollars of equipment they could basically read your keystrokes: in one case from the vibrations each keystroke makes, and in another over the electrical grid itself, picking up the keyboard’s leakage through the power wiring with an A/D converter and an oscilloscope.

What’s interesting is that the article talks about the NSA program code-named TEMPEST, which I learned about back in the 1980s. There are a lot of different stories about how it supposedly came to be, but the gist was that with sensitive enough equipment you could pick up what a monitor or other display was showing from the electromagnetic noise it gives off. From a physics perspective this does make sense: the fields a display radiates carry the signal that is driving it. It does change with the shift in display technology from CRTs to LCDs and plasmas. But I digress.

Now what would definitely be interesting is using the minute magnetic fields generated by electrical wiring to track movement. In my opinion that is the easier problem, since a moving body would displace the field and leave a wave-like distortion pattern, much like something moving through water. With enough motion, you could in theory locate individuals based on their building’s electrical wiring. Theoretically, anyway.

What can I say, the real information-gathering stuff has always been a close second to my heart.
