Is Someone Eavesdropping on Your Mobile Conversations? Then Clean the Trojan From Your Mobile.

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Dec 28, 2006

At present, many people talk about the possibility of their phone conversations being eavesdropped on, including voice, data transfers and SMS/MMS messages.

At the “Systems exposition” in Germany, Mr Wilfried Hafner, general manager of SecurStar, demonstrated how easy it is to listen in on anybody’s mobile telephone conversation and spy on every sent or received telephone message. Read articles at itwire.com, here and here.

He found and demonstrated a new cellular phone vulnerability that allows infecting any cellular phone with a Trojan horse (RexSpy). This Trojan is sent to the victim using a special SMS that automatically starts itself on the target phone. SecurStar has developed and distributes free of charge a small utility that will remove the “RexSpy” Trojan from infected phones. You can download it from the download section of their Web site (requires registration, of course). In the next weeks a removal utility for Symbian, Palm and Blackberry devices will be provided, according to the SecurStar web site.

SecurStar also produces PhoneCrypt, security software for mobile phones. They claim: with PhoneCrypt, SecurStar offers the ultimate security solution for mobile phones. With this software, every telephone call will be 100% encrypted and nobody will be able to listen to your phone conversations. PhoneCrypt also patches the Smartphone operating system (Windows Mobile) and eliminates vulnerabilities such as the one used by RexSpy and others, so that your phone can no longer be infected. More information about PhoneCrypt here.

I haven’t tried SecurStar software yet, so I can’t speak from personal experience about this. If you have, please send your opinions.


Should I Switch to Vista and Why (Not)?

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Dec 27, 2006

I tried Windows Vista for a couple of weeks when this operating system was code-named Longhorn and was delivered to attendees of the PDC conference in Los Angeles (October 2003). As I attended PDC 2003, I have since then worn a T-shirt printed with “I was there at the beginning…” and the Longhorn, Visual Studio “Whidbey” and SQL Server Yukon prints and logos on it… At that time, using the early Longhorn version wasn’t such a pleasant experience, as it worked but with lots of bugs and glitches. I remember that I reported dozens of problems to Microsoft, as company officials asked PDC attendees to try it and report. Also, I didn’t like it, despite the nice stories about WinFX, Indigo, and Avalon.

At present, it is noticeable that Vista raises many questions about security, licensing, price… So here are my three questions before I switch to Vista:

  • Is it secure, stable and reliable enough?
  • Can I afford it?
  • How powerful (and how expensive) a machine do I need to install Vista and expect it to work well?

I will probably wait a couple of months before I decide to use it… or switch to Linux. I don’t know yet.


Will Vista Anti-Piracy and Content Protection Efforts Backfire?

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Dec 27, 2006

According to some analysts and researchers, it is very possible that Microsoft’s efforts to crack down on piracy will backfire and drive customers toward other operating systems and solutions.

IDC have released their top 10 predictions for “Worldwide System Infrastructure Software, 2007”, and it doesn’t look good for Microsoft. The following prediction is of interest here:

9. Microsoft’s client operating system anti-piracy efforts will backfire. Microsoft’s anti-piracy campaign will drive customers toward Linux.

It is also interesting to read the article “A Cost Analysis of Windows Vista Content Protection” written by Peter Gutmann from the Department of Computer Science, University of Auckland. In summary he says:

Executive Summary

Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.

Executive Executive Summary

The Vista Content Protection specification could very well constitute the longest suicide note in history.

It is also interesting to read the commentary on the paper here and another article here.

Let’s watch what will happen.


Avoid Pairing In A Public Location

Posted in Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Dec 25, 2006

Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.

Bluetooth technology has achieved global acceptance such that any Bluetooth enabled device, almost everywhere in the world, can connect to other Bluetooth enabled devices in proximity. Bluetooth enabled electronic devices connect and communicate wirelessly through short-range, ad hoc networks known as piconets. Each device can simultaneously communicate with up to seven other devices within a single piconet. Each device can also belong to several piconets simultaneously. Piconets are established dynamically and automatically as Bluetooth enabled devices enter and leave radio proximity.

A fundamental Bluetooth wireless technology strength is the ability to simultaneously handle both data and voice transmissions. This enables users to enjoy a variety of innovative solutions such as a hands-free headset for voice calls, printing and fax capabilities, and synchronizing PDA, laptop, and mobile phone applications, to name a few.

But Bluetooth technology has raised some security and privacy issues and concerns. If you want to know more about these, i.e. about bluejacking, bluebugging, bluesnarfing and other related issues, visit the official Bluetooth SIG (Special Interest Group) web site and its security section (here).

That is one side of the coin. There are many papers that describe how pairing in a public location potentially introduces a security risk.

Pairing in a public place, such as a point of sale, is discouraged when using the pairing procedure from the Bluetooth Baseband specification, as there is much greater risk that a subversive unit may intercept the keys. Note that such risk only occurs if a low-entropy Bluetooth passkey value is used.

For the highest level of security when using the pairing procedure from the Bluetooth Baseband specification, random long Bluetooth passkey values must be used. The maximum (useful) length of a passkey is 128 bits. An alternative approach for secure pairing is to provide a physical serial port interface between the Audio Gateway (AG) and the Headset (HS) to transfer sufficiently strong link keys directly.
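The passkey guidance above can be turned into a simple check. The following is an added example, not code from the Bluetooth specification or from any vendor: it estimates an upper bound on passkey entropy, flags short or default values, and generates a random 16-character passkey. The function names, the 64-bit threshold and the list of default PINs are assumptions made for illustration.

```python
import math
import secrets
import string

MAX_PASSKEY_BYTES = 16   # 128 bits, the maximum useful length given above
MIN_BITS = 64            # assumed policy threshold, not taken from the specification
KNOWN_DEFAULTS = {"0000", "1234", "1111"}   # constructed list of typical fixed PINs

def alphabet_size(passkey):
    """Size of the smallest common alphabet that covers every character."""
    size = 0
    if any(c in string.digits for c in passkey):
        size += 10
    if any(c in string.ascii_lowercase for c in passkey):
        size += 26
    if any(c in string.ascii_uppercase for c in passkey):
        size += 26
    if any(c not in string.ascii_letters + string.digits for c in passkey):
        size += 33   # ASCII punctuation plus space; a rough figure for anything else
    return size

def entropy_upper_bound(passkey):
    """Bits of entropy if every character had been chosen uniformly at random.
    Human-chosen values carry less, so this is an optimistic bound."""
    if not passkey:
        return 0.0
    bits = len(passkey) * math.log2(alphabet_size(passkey))
    return min(bits, 8.0 * MAX_PASSKEY_BYTES)

def audit_passkey(passkey):
    """Return (verdict, bits) for a candidate pairing passkey."""
    if len(passkey.encode("utf-8")) > MAX_PASSKEY_BYTES:
        return ("too-long", 0.0)
    if passkey in KNOWN_DEFAULTS:
        return ("default", 0.0)   # a published default offers no secrecy at all
    bits = entropy_upper_bound(passkey)
    return ("ok" if bits >= MIN_BITS else "weak", bits)

def generate_passkey(length=MAX_PASSKEY_BYTES):
    """Random alphanumeric passkey from the OS CSPRNG (about 95 bits at 16 chars)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample passkeys, followed by one freshly generated value.
    for candidate in ["0000", "4821", "Tr0ub4dor", generate_passkey()]:
        print(candidate, audit_passkey(candidate))
```

A four-digit passkey tops out at roughly 13 bits, which is why the low-entropy case is the one the text singles out.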

Read this and this.


The Panda Software Virus Yearbook 2006

Posted in Malicious Software by Dragan Pleskonjic @ Dec 24, 2006

As it does every year, Panda Software is publishing its annual list of those malicious codes which, although they may not have caused serious epidemics, have stood out in one way or another - read report here.


Sony Settles Lawsuit From Rootkit Fiasco

Posted in Malicious Software, Privacy, Security by Dragan Pleskonjic @ Dec 20, 2006

Sony BMG has settled a lawsuit with the state of California over rootkit technology that it illegally installed on computers.

Record label Sony BMG has agreed to pay a $750,000 fine and will reimburse consumers for up to $175 to offset the cost of computer repairs that were required to uninstall digital rights management software that the company bundled with several of its music CDs.

I wrote posts about Sony’s secretive digital rights management protections (here, here and here).

Read the full article at vnunet (here).


Yahoo! Messenger Unspecified ActiveX Control Buffer Overflow

Posted in Internet Security by Dragan Pleskonjic @ Dec 16, 2006

A vulnerability has been found in Yahoo! Messenger, which can potentially be exploited by malicious people to compromise a user’s system.
The vulnerability is rated highly critical (by Secunia, a Danish security company). It is caused by an unspecified error in an ActiveX control and can be exploited to cause a buffer overflow. No further information is currently available. The vulnerability is reported in versions obtained prior to Nov 2, 2006.
The proposed solution is to update to the latest version, http://messenger.yahoo.com/. This problem has been reported by the vendor. The original advisory is here.


Is Your Password Strong Enough?

Posted in Privacy, Security by Dragan Pleskonjic @ Dec 16, 2006

Try to answer the following simple questions:

  • What is the length of your passwords?
  • Do you use mixed letters, digits, and special characters?
  • Do you mix uppercase and lowercase letters?
  • How often do you change your password?
  • Can your password be found in a dictionary?

See what the SANS Institute Password Policy document recommends (here). Also, there is a nice essay about real-world passwords (here).

If you follow all the guidelines about so-called strong passwords, the question is how to memorize them. You will probably need a password safe (here). There are also tools that can recover passwords when you lose them, but they can equally be used to “recover” passwords that belong to another person.


PCI Security Standards Council: Building Trust

Posted in Internet Security by Dragan Pleskonjic @ Dec 13, 2006

I have already written a couple of posts on this topic (here and here). In E-Commerce you can read an interesting article written by Terry Ramos. It says:

The newly formed PCI Security Standards Council will go a long way to further the industry’s awareness of credit card security, and help to make an excellent program even better. This will, over time, improve consumer trust in e-commerce — and everyone will benefit if it’s successful in that goal alone.

Read the full article here.


One More Microsoft Word Vulnerability

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Dec 11, 2006

Just 5 days after the previous Microsoft Word Unspecified Memory Corruption Vulnerability (post), a new vulnerability has been discovered. Secunia assigned its extremely critical level to this vulnerability. A vulnerability has been reported in Microsoft Word, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused by an unspecified error when processing Word documents. No more information is currently available. The original Microsoft advisory is here.

According to Microsoft, this is a different vulnerability from the previous one described here.

The vulnerability is already being actively exploited.

The solution for now is: do not open untrusted Office documents. :)
