You are currently browsing the category archive for the 'Information Security' category.
A presentation and paper on Reverse engineering JTAG at the 26th Chaos Communication Congress is now available to download here:
http://events.ccc.de/congress/2009/Fahrplan/track/Hacking/3670.en.html
Other Hacking and reverse engineering papers and talks from the conference can be found here:
http://events.ccc.de/congress/2009/Fahrplan/index.en.html
The hacking track is here:
http://events.ccc.de/congress/2009/Fahrplan/track/Hacking/index.en.html
Hackers claim to have stolen all T-Mobile US’s corporate data, customer accounts and network infrastructure. More information from the Register can be found below:
The research team, which included Edith Cowan University of Australia and BT, revealed some early results yesterday in news reports by the BBC and British television affiliates.
To read more about the research go here:
http://news.bbc.co.uk/2/hi/uk_news/wales/8036324.stm
and here:
http://www.darkreading.com/security/storage/showArticle.jhtml?articleID=217400054&cid=nl_DR_DAILY_H
The video talks about a couple of people who’s lives are ruled by harrasing calls and threats. They claim that their phones are tapped with special software.
Rick Mislan talks about the software and how easy it is to be placed on mobile phones.
Software such as:
- http://www.mobile-spy.com/
- http://www.world-tracker.com/
- http://www.flexispy.com/
- http://www.e-stealth.com/
- http://www.fonefunshop.co.uk/spyphone/
- http://www.thespyphone.com/allinone.html
Link to Video on YouTube:
http://www.youtube.com/watch?v=uCyKcoDaofg
It looks and functions like a Blackberry 8830 but it sure is NOT a regular Blackberry. It is locked down by NSA. I am not really sure if it is a good idea at all. NSA is installing the SecurVoice software on it for both voice and messaging as one of the ways to secure the phone. I am sure that there is a whole infrastructure that is required to run his handset services. Even considering all that, I Still believe that a mobile-phone-carrying president opens so many doors for hackers.
Can NSA and Obama get away with using a (persumably) secure mobile phone service and handset? That is the question of the day!
Read more here:
http://blog.wired.com/gadgets/2009/04/obama-to-get-ba.html
It might not be because they are secure, but simply because the ROI is just a mere phone handset! Add to that the device, OS, and carrier variations.
Read more here:
http://mobile.slashdot.org/article.pl?sid=09/03/25/1238246&from=rss
and here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Mobile+and+Wireless&articleId=9130346&taxonomyId=15&pageNumber=1
I don’t know if this is true or not yet but here it goes! There seems to be a vulnerability that affects Nokia Series 60 phones, including N95 and N73 handsets that blocks all SMS and MMS from reaching the phone, hense the name “Curse of Silence”. attacker in this case sends a specially designed SMS message to the target phone. What’s worrying is that the recipient will receive no indication that they got the message.
The only way to get the target phone to recieve messages again is to factory reset it. Even after the factory recet, the phone still remains vulnerable to future silent curses. The attack will only work on phones running version 2.6, 2.8, 3.0 or 3.1 of Symbian S60.
The LayerOne 2008 talk by David Hulton titled: Intercepting Mobile Phone/GSM
Visit the GSM Hakcing WIKI at:
http://wiki.thc.org/gsm
The USRP is available at: http://www.ettus.com
Learn more about the GNU RADIO project at: http://www.gnu.org/software/gnuradio
David is the Chairman of Toorcon
An interesting news article about the work of BT (formerly British Telecom), Glamorgan University, Australia’s Edith Cowan University and Sim Lifecycle Services where researchers recovered data from handsets from mobile phone recycling companies:
Mobile phones can never be totally wiped clean of data
To get more information on the research at Edith Cowan University and its upcoming conferences please visit SECAU Security Research Centre’s website:
Here are some published refereed journal and conference papers to give you an idea of what to expect for the Edith Cowan University conferences in December:
- Valli, C. and A. Jones (2008). A study of 2nd Hand Blackberry for sale - World class security foiled by humans. Proceedings of the 2008 World Congress in Computer Science, Computer Engineering, and Applied Computing - SAM 2008 - The 2008 International Conference on Security & Management., Las Vegas, USA.
- Al-Zarouni, M. (2007, 3rd December, 2007). Introduction to Mobile Phone Flasher Devices and Considerations for their Use in Mobile Phone Forensics. Paper presented at the The 5th Australian Digital Forensics Conference, Edith Cowan University, Mount Lawley Campus, Western Australia.
- Yap, L. F., & Jones, A. (2007, 3rd December, 2007). Profiling Through a Digital Mobile Device. Paper presented at the The 5th Australian Digital Forensics Conference, Edith Cowan University, Mount Lawley Campus, Western Australia.
- Yap, L. F., & Jones, A. (2007). Deleted Mobile Device’s Evidence Recovery:. Paper presented at the Media and Information-War Conference 2007, Kaula Lumpur, Malaysia.
You can register to attend Edith Cowan University’s conferences here:
http://conferences.scis.ecu.edu.au/
Hope to see you there 
According to Jonathan Zdziarski:
A detective from the Oregon State Police notified me this afternoon that an out-of-the-box refurbished iPhone he purchased contained recoverable personal data including email, personal photos, and even financial information which he was able to recover using my forensic toolkit.
So, if you have to return your iPhone to an Apple or AT&T store and they offer to replace it with a new one, make sure that you wipe your data properly first. A proper bit level wipe is needed here and NOT a system restore!
For dates, times and availability information on the workshops in UAE and Qatar visit link below:
http://www.oissg.org/certification-training-new-/index.php
http://www.oissg.org/certification-training-new-/index.php
Download the official brochure for the Dubai workshops here:
These certification workshops fund the Open Information Systems Security Group (OISSG) research and development of the ISSAF.
You can also download ISSAF for free! (9.59MB, 1264 pages)
It is like a SecureID token but for your Mobile Phone. It is based on Java and provides 1024bit RSA encryption and GrIDsure’s ID technology. Want to learn more, then head to:
http://www.itsecurityportal.com/itsecurity_news.asp?articleid=260033
I have to admit, I thought this is like CommonWealth Bank’s NetCode SMS but it is clearly nothing like it. For more information on that go to:
Do you live in the United Arab Emirates? Are you a hacker? Then this site is made for you! Get the latest hacking news, exploits, links, pod casts and more through this easy to use website.
Feel like you want to contribute to the site? Then drop us a line at: (hackers) at {marwan} dot [com].
A simple idea that resulted in big fireworks! Just take the IP address information from wiki posts and cross it with DNS information from IP range owners and walla!
Still don’t know what this means? It means you can now find out if someone is editing their own wiki information (like deleting the bad stuff!… For shame!).
Good on you Virgil Griffith. I hope that you don’t edit your own wiki entry either 
Here are the links:
- An MP3 interview with Virgil: http://www.abc.net.au/melbourne/stories/s2017196.htm?backyard
- http://virgil.gr/ his website
- WikiScanner http://wikiscanner.virgil.gr/
This tool answers the question: who really edits wikis? Now you know!
Here is something to get your appetite going. WIRED Magazine’s list of salacious edits:
Download and read it! It is not small though about 8-10MB. News, articles, intreviews, book releases, software walk-throughs, and more.
The software detects installed software and categorises them as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Sounds good to you? Then head to:
On Demand Webcast “Compliance in the Mobile Enterprise” by James Wilcox CISSP. This session will include detailed information about:
- Security considerations for mobile devices, including laptops and handhelds
- An overview of key government regulations and how they apply to mobile deployments
- Strategies to achieve mobile compliance
You can watch the webcast by going here: http://viavid.net/dce.aspx?sid=00003DD7 and filling up your details.
Matt’s Blog is not frequently updated but his site crypto.com is an excelent resource for all kinds of information. Make sure you check it out.
News, exploits, papers, views, and releases from information security enthusiasts. Has links to major hacker related security events as well. http://www.thc.org/
Read the full article at
The site provides a unique insight and commentary on the information security marketplace. It brings together some of the top minds from a variety of risk-based disciplines. Please visit the site for more information.
Just when you thought mobile phones, USB storage devices, wireless access, and ADSL modems were a threat to your corporate data, here comes a story to make you even more paranoid!
A researcher released a paper describing a way to hide malicious code (rootkits) on graphics and network cards. The paper basically shows how to use Advanced Configuration and Power Interface (ACPI) functions available on almost all motherboards to store and run a rootkit. Sceptical? read the full story and download the PDF here.
Two weeks ago I have been in Cambridge at XI ICCRP symposium were we had a speech on network centric principles and world cargo security. With Barbara Torell, who is an expert on advanced risk management, we wrote a paper on network centric principles and world cago security. Paper and presentation on the web site are not updated but are useful to have a clue of what we did. The title of the document is misleading, because the paper got an unexpect direction ending up to exposures of maritime supply chain but also on how complex adaptive systems manage their inner force (you can find more useful the presentation on this topic) and reasons for which law agencies at all levels (from upper military down to city bodies) should improve efforts for information sharing .
The good news for all aussie friends is that the best paper was the one written by Celina Pascoe and Irena Ali from DSTO “Network Centric Warfare and the New Command and Control: An Australian Perspective”.
All papers are available at CCRP web site in the Events section.
It was also my pleasure to meet Dr. Alberts - CCRP director, Dr. E. Smith (author of the EBO book on which I loosed more than one night to prepare exams on information warfare) with which we talked about boundaries and complexity, Dr. Hayes from EBR and Anne-Marie Grisogono still form DTSO author of very interesting papers I read during the research.
Well, all in all it was a very intersting conference and a great opportunity to meet some of best minds arounds.
I wish once again thank ECU professor Mr. Bill Hutchinson (my previous lecturer when I was a Perth student) who gave some interesting hints on which we worked during the writing.
See you next year in Newport, Rhode Island.
The solution to online banking sucurity, according to the report is two factor authintication utilizing security tokens.
Link:
http://ninemsn.video.msn.com/v/en-au/v.htm?g=949680da-9ced-4cf5-a92e-10a8a45b5e7d&f=39&fg=copy
Just like Hard Disks, selling your used mobile phone can be dangerous. It can reveal potentially unsafe and secretive information about you or your business. Sometimes, following manufacturers’ data erase instructions is not enough as the article below shows.
Links:
Sydney Morning Herald Article 1
Sydney Morning Herald Article 2
A post I published on Marwan.com in 2004:
http://www.marwan.com/2004/09/think-twice-before-selling-your-mobile.php
Sorry, the link to the Khaleej Times article is outdated.
UPDATE:
Hard Disks Still Discarded
Organizations and individuals are still leaving critical data on disks later sold on through online auctions and computer fairs, according to a new study. The research carried out by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia found payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, financial details including bank and credit card accounts on hard drives purchased from a number of sources.
To read full article please click on the following link:
http://www.scmagazine.com/uk/news/article/577355/critical-data-found-second-
hand-hard-drives
Another article
http://www.btplc.com/News/Articles/Showarticle.cfm?ArticleID=5e5ce27a-ce88-4
8d7-8ebc-ace912050674
And the Guardian…
http://technology.guardian.co.uk/weekly/story/0,,1840396,00.html
While searching for “Mobile Phone Forensics”, I came across the “Security & Forensics wiki” site. I was pleasantly surprised. It was inline with what I was already doing in my research. I was sad though at the fact that no site that I knew of linked to them! I know that Wiki is not considered by many as a good source for information but so aren’t blogs, are they… We still consider blogs as legitimate sources of information and always link to them. We even link to forum posts too, and ‘ahum… bugtraq posts’… so why not wikis? Links:
SecuriWiki Main Page:
http://polya.computing.dcu.ie/wiki/index.php/Main_Page
Mobile Phone Forensics Page:
http://polya.computing.dcu.ie/wiki/index.php?title=Mobile_Phone_Forensics
Email Analysis Page:
http://polya.computing.dcu.ie/wiki/index.php/Email_Analysis
Yeah, this is another post on sensemaking. The reason I’m stressing the area is because think it will be the next field of confrontation. Professionals working in infowarfare, infosec or knowledge management will soon or later have to deal with complexity and how knowledge spreads over networks. The paper, by C. F. Kurtz and D. J. Snowden, “The new dynamics of strategy: Sense-making in a complex and complicated world” is interesting also because will introduce you to the Cynefin project.
The conferences official website is http://scissec.scis.ecu.edu.au/conferences. The conferences will run concurrently and will be held on the ECU Mount Lawley Campus in Perth, Western Australia on 4th and 5th December 2006. The conferences are:
- 4th Australian Digital Forensics Conference
- 7th Australian Information Warfare Conference
- 4th Australian Information Security Management Conference
Important Dates (All Conferences)
Papers Due 1st October, 2006
Feedback 1st November, 2006
Final Papers Due 15th November,2006
