SIM Card Security Flaw Exposing 750 Million Cell Phones

Outdated encryption is to blame for a new risk on your cellular device. According to a report by SRLabs and research which will be presented at BlackHat on July 31st, the Subscriber Identity Module (SIM) card can be hacked in a few ways, including through SMS messages.

According to SRLabs, SIM cards use 56-bit DES encryption, a cipher designed in the 1970s, and a 56-bit DES key can be cracked using clusters of FPGAs. SRLabs wants to raise awareness of these issues and recommends better SIM card technology, an SMS firewall and SMS filtering so that simple hacking techniques cannot reach the data on the SIM card.

It is reported that over 750 million SIM cards are vulnerable to this hack, or 1 in 8 SIM cards, according to Karsten Nohl of SRLabs. An improperly encrypted SMS message, together with a custom Java program, can expose the SIM to malware. An attacker can do anything from changing your voicemail to accessing the personal information held on the SIM card.

In many phones most information is stored on the phone rather than on the SIM, but in some phones the SIM data can also include bank information, passwords to websites and programs, and more. However, as we move to mobile and wearable devices, more SIM cards will be used to connect people to cellular networks.

Rocstor Encrypted External Hard Drives

Rocstor specialise in data storage and secure encryption solutions: that’s encrypted external hard drives to you and me, but it’s an increasingly important market. Andy and Scott talk to Anthony Rink from Rocstor about how their products can keep your data safe.

Rocstor offers a range of external data storage products with real-time encryption built in as standard. The encrypted drives meet FIPS Level 2, meaning that the encryption is done in hardware (not software) and that any tampering with the drive to get at the crypto keys leaves visible evidence. To suit different circumstances, some models use tokens, others PINs and some use both, with ruggedised and waterproof units also available. Depending on features, $250-$300 gets you 1 TB of secure external storage.

Interview by Andy McCaskey of SDR News and Scott Ertz of F5 Live for the TechPodcast Network.


Nothing to Hide, Nothing to Fear?

“If you’ve nothing to hide then you’ve nothing to fear” is often trotted out in the debate around privacy and secrecy. Superficially it seems reasonable, but even with a modicum of critical thinking the adage becomes trite and flawed. However, even if you did believe that “nothing to hide, nothing to fear” was reasonable, the latest report, the 2011 Annual Report of the British Interception of Communications Commissioner (.pdf), ought to give food for thought.

The report covers the Regulation of Investigatory Powers Act (RIPA) which includes the postal service, telephony and electronic forms of communication, and can be carried out for both law enforcement and national security purposes. There are two distinct areas, the first being the interception of communications and the second being the acquisition of communications data. Simplistically, the first area is about directly listening in on a communication and the second is about who, when and where a communication took place.

In 2011, the total number of lawful interception warrants for the UK was 2911, and this all seems quite reasonable, given the population of the UK (60-odd million). However, in amongst the successful security operations, we also find that the security and associated agencies made 42 mistakes (1.4%), usually through typographic errors. In all instances, the error was discovered before the intercept took place or else all the material associated with intercept was destroyed.

Communication data requests cover information about communications, mainly subscriber data, service use data and traffic data, rather than the content of the communication itself. There were 494 078 communication data requests in 2011, an 11% decrease on the previous year. As you might guess, there were a few errors there too, with 895 mistakes being reported. Although this represents an error rate of only 0.18%, I’m sure it will be of little comfort to the two wholly innocent individuals who were arrested by the police because of these mistakes. Again typographic errors in the transcriptions of phone numbers or IP addresses were largely to blame but of additional concern was that nearly 100 of the errors were identified by auditors and weren’t recognised at the time of the requests.

If you think that because you’ve nothing to hide then you’ve nothing to fear, think again. You’ve everything to fear from the transposed digit, the wrong post code look-up and the minimum-wage flunky copying and pasting from the wrong records.

Probably not what you were worried about at all.

Rocstor AES 256-bit Encrypted Hard Drive

Rocstor has unveiled a new portable external hard drive that practically guarantees that your data won’t be stolen. The hard drive, which comes in capacities up to 1 TB, has a slot for a smart card. Insert the card, punch in your code (which you choose), and you unlock the drive and all of the data you have stored on it. The drives are FIPS certified and ship with multiple cards. Users who need additional cards can purchase them blank and insert them into a unit to be programmed to work with it. PINs can be changed an unlimited number of times as well.

These hard drives are probably not for average consumers, but more for business and government.  They are designed to protect highly-sensitive data and eliminate those stories that are always in the news these days about stolen laptops filled with account and credit card information.  The drives retail in the $400-600 range and are available now from Rocstor.

Interview by Todd Cochrane of Geek News Central for the TechPodcast Network.


SurfEasy On-line Privacy Debuts at CES

Canadian firm SurfEasy will debut their eponymous USB key-based private Internet browser at CES, Las Vegas, next week. The portable USB key launches its own web browser which uses strong encryption to keep your surfing habits secret and holds all your personal information such as bookmarks, history and web passwords on the password-protected key itself. Nothing is left behind on the computer itself.

“When you stop and think about it, we use many different networks and computers to access our online lives. Whether it’s connecting from the office or using a Wi-Fi hotspot, we’re providing a lot of personal information to computers, networks and websites that are not designed with our personal privacy in mind,” said Chris Houston, founder and CEO of SurfEasy Inc. “SurfEasy lets people take control of protecting their online privacy and security by simply plugging in a USB key.”

One of the biggest potential benefits is when using unsecured Wi-Fi in places like coffee shops. As SurfEasy creates an encrypted tunnel from the SurfEasy USB key across the Internet, no-one else on the hotspot can see any detail about your browsing; all they can see is the encrypted data and the volume of it. SurfEasy encrypts the web traffic using SSL and passes it through its own servers, stripping the client IP from the data stream. The proxy network is hosted in Canada and the US, with other international locations to come soon.

As the data stream passes through SurfEasy’s servers, SurfEasy publish a Customer Bill of Rights which is upfront about what you can expect from the company in terms of keeping your activities secret. Basically, unless you come to the attention of the legal authorities, no usage data is held.

The SurfEasy browser is powered by Mozilla and is compatible with Microsoft Windows XP, Vista and 7. Apple users need to be on Mac OS X 10.5 or later. The SurfEasy USB key costs $60 and this includes 2 GB per month of encrypted traffic through the SurfEasy network. Additional data costs $5 per month for 25 GB and $10 for 75 GB. Product delivery is expected in February.

I can see this being very handy for backpackers and other travellers who have to use Internet cafes while travelling and are rightly concerned about security. Plug the SurfEasy USB key into a public computer and you’re instantly secure wherever you are.

Britain’s Greatest Codebreaker – Alan Turing

Geeks in the UK may be interested in “Britain’s Greatest Codebreaker” on Channel 4 tonight (21 Nov) at 9pm. Described as a drama documentary, the programme follows the life of Alan Turing, the mathematical genius who was instrumental in breaking the German naval Enigma code during World War II. His achievements were overshadowed by his homosexuality, and two years after being convicted of gross indecency he committed suicide in 1954, aged 41.

According to the notes, the programme will feature “contemporary experts from the world of technology and high science, including Apple co-founder Steve Wozniak.”

Set your PVR now.

(The notes also say that the programme will be available on 4oD shortly after transmission, but this is usually only available if you are in the UK or Ireland. 4oD is Channel 4’s on-demand Internet streaming service.)

ToughTech Secure Q with WriteLock Review

External hard drives are a dime a dozen, so when I was given the opportunity to review a ToughTech Secure Q with WriteLock 128-bit AES Encrypted Hard Drive Enclosure by WiebeTech I jumped on it. I consider a great deal of the data on my hard drives to be very sensitive. We have vendor contracts, proposals, user data that includes media statistics and a whole host of other material from running a business that would be very damaging if it were stolen and ended up on the web or in someone else’s possession.

The standard feature set on this drive is extensive. The unit I tested supported both Windows and Mac disk formats; I had mine delivered pre-formatted for a Mac. The connection options include FireWire 800, FireWire 400, eSATA and USB 2.0, and all of the cables needed to make those connections were included. It also has a slot for a cable lock, which adds another level of security to keep the drive from easily walking off.

I have used secure hard drives in the past that required a thumb print to unlock and access, but this drive is different. It comes with a physical 128-bit AES key token. The key comes attached to a lanyard or key chain and you have to physically plug it into the specified slot to unlock the drive: no key, no access.

The manufacturer, WiebeTech (wiebetech.com), provides three encryption keys, and the drive cannot be re-keyed without additional hardware. So be forewarned: if you lose the keys provided, your data will no longer be accessible. For business owners, one key should go in the safe or safety deposit box, and the others should only be held by those you trust implicitly.

One of the best features is the ability to write-lock the drive. Let’s say you pre-load it with forms and data and you do not want this data changed on the drive in any way. There is a write-lock button that, once pushed, locks the drive down. If you want to re-enable write access you have to open the enclosure to unlock the drive.

Overall this is a great solution for small business owners storing sensitive information that they feel may be at risk of compromise in their office setting. WiebeTech also has AES 256-bit devices available, but due to federal guidelines for selling FIPS-approved 256-bit encrypted products, sales of the 256-bit products are restricted to approved channel partners. The 128-bit version is available on their website.

Pricing was not readily available on the web site. If you’re looking for hard drive encryption, this is the way to go. It is a great way to secure that sensitive data you have sitting on an unsecured hard drive. My advice is to buy two units so you also have a backed-up copy stored securely.

British Schizophrenic Jailed for Encryption

Britain has some of the most draconian security laws of the “free” world.  Many of these laws are brought in under the guise of fighting terrorism and paedophiles (which are always guaranteed vote winners) and of course, if you’ve nothing to hide, you’ve nothing to worry about.

Unless you’re a schizophrenic amateur scientist with a distrust of the authorities and you refuse to hand over the encryption keys (passwords) to your USB memory sticks. That’ll cost you an initial 13 months in jail followed by detention in a secure mental unit at Her Majesty’s pleasure.

Ok, so the case is slightly more complex but the heart of the matter is that this person had done nothing wrong before he was detained by police returning to the UK from France on suspicion of terrorism because he had a model rocket, though the rocket was without its explosive motor.  From that point on, it was a downward spiral.

And how many terrorists and paedophiles have been sent to prison using the same law? Zero.

The whole sorry tale is at The Register.

Lost Hard Drive Contains 23,000 Social Security Numbers

Students, faculty, and staff at seven campuses of the California State University (CSU) system are at risk for identity theft after a hardware technician improperly disposed of a computer hard drive with unencrypted database tables that included Social Security numbers and other personal details. The CSU is required, under California law, to notify all affected parties.

The law, which went into effect last year, requires notification whenever personal data, such as Social Security numbers, driver’s license numbers or credit card numbers (with identification numbers) have been accessed without authority.

The university system’s hard drive has been missing since Friday, June 25th. The technician left the drive lying on a worktable after upgrading the computer from which it came. In a rush to start the weekend, the drive wasn’t properly secured, and come Monday there was no sign of it. The drive was most likely picked up by the evening cleaning crew; however, the results of a police investigation were inconclusive.

Dave’s Opinion
Hard disks, like portable media, must be completely destroyed before being discarded. Using a secure data deletion (wiping) program, such as the one that comes with the PGP data security program, would have prevented the data from being recovered even if the drive were reused.

Call for Comments
What do you think? Leave your comments below.

The Big Gorilla Project

Spam is an ever-increasing annoyance for e-mail users. Most people have some form of spam filtering application that reduces the instances of the frequently offensive unsolicited commercial messages. Many of these filters seek to identify spam based on the address from which the message is sent, but spammers are already wise to this trick, and spoofing is now commonplace. By hiding or misdirecting their transmission source, spammers make it exceedingly difficult for most users to determine from where the spam message actually came.

But there’s some hope for spammer identification. A loose alliance formed by large e-mail services (Microsoft, Yahoo, America Online and Earthlink), the Anti-Spam Research Group (ASRG) and Intelligent Computer Solutions (ICS) is working on an e-mail sender-authentication system that’s been dubbed the Big Gorilla Project.

Using an identification system based on public key encryption, ISPs that control outgoing e-mail can include a piece of encrypted code in the header of each outgoing message. Receiving ISPs can use the code snippet to confirm the identity of the outgoing e-mail server and the authenticity of the e-mail message’s return address.

By confirming the identity of the transmission site, it’s a simple matter to blacklist and block known offenders.
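The two-sided check described above, as an added example that is not part of the original post or of the Big Gorilla Project's own design: the outgoing ISP signs selected headers with its domain's private key and adds the result as a header, and the receiving ISP verifies the signature and then checks that the return address really belongs to the signing domain. The header name X-Sender-Auth, the in-memory key directory standing in for a public-key lookup, the use of Ed25519 and the bare-address From field are all assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Header fields covered by the signature; sender and receiver must agree on them.
var signedFields = []string{"From", "Date", "Message-ID"}

// canonical builds the exact bytes that get signed: covered fields only, lower-cased names, fixed order, trimmed values, CRLF-terminated.
func canonical(hdr map[string]string) []byte {
	var b strings.Builder
	for _, f := range signedFields {
		b.WriteString(strings.ToLower(f) + ":" + strings.TrimSpace(hdr[f]) + "\r\n")
	}
	return []byte(b.String())
}

// Sign is the outgoing ISP's step: a header naming the signing domain plus the signature over canonical().
func Sign(hdr map[string]string, domain string, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, canonical(hdr))
	hdr["X-Sender-Auth"] = domain + ";" + base64.StdEncoding.EncodeToString(sig)
}

// Verify is the receiving ISP's step; keys stands in for a public-key directory (hypothetical). From is assumed to be a bare address.
func Verify(hdr map[string]string, keys map[string]ed25519.PublicKey) bool {
	domain, b64, found := strings.Cut(hdr["X-Sender-Auth"], ";")
	pub, ok := keys[domain]
	sig, err := base64.StdEncoding.DecodeString(b64)
	if !found || !ok || err != nil || !ed25519.Verify(pub, canonical(hdr), sig) {
		return false
	}
	// Valid signature, but the return address must also belong to the signing domain.
	return strings.HasSuffix(strings.ToLower(hdr["From"]), "@"+strings.ToLower(domain))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"example.net": pub} // constructed directory
	msg := map[string]string{"From": "alice@example.net", "Date": "1 Jan 2004", "Message-ID": "<1@example.net>"} // constructed message
	Sign(msg, "example.net", priv)
	fmt.Println("genuine:", Verify(msg, keys)) // true
	msg["From"] = "ceo@bank.example" // return address altered after signing
	fmt.Println("spoofed:", Verify(msg, keys)) // false
}
```

A receiver that only checked the signature would still accept a message signed by one domain but carrying another domain's return address, which is why the suffix check after ed25519.Verify is not optional.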

Dave’s Opinion
I use a combination of anti-spam filtering applications, both on our incoming mail servers and our client workstations. So far I’ve been able to drop my daily spam tally from over 600 messages to about a dozen, maybe double that on a bad day. But that’s still not good enough. It’s not just receiving junk mail that bothers me, it’s the offensive content.

I’m all for proposals, both legislative and technical, that help kill off spam.

Call for Comments
What do you think? Leave your comments below.

References
Anti-Spam Research Group
Intelligent Computer Solutions