GSM Encryption

Most mobile phones in the world (also called cell phones, or hand phones) use the GSM network, and GSM generally uses an encryption protocol called A5.

A5 encryption was always a weak design, but the equipment to decode it used to cost between US$70,000 and US$500,000 so it wasn’t very common.

Now some new research shows it can be cracked with around US$1000 of equipment. This makes it accessible to most businesses and individuals. It’s still theoretical, though it won’t be long until anyone can download the software required to do it.

What does this mean to phone users?

Conversations carried out over mobile phones should not be considered secure. If the technology exists for competitors to sit outside an office and listen in on calls then you should change how you carry out business.

Apart from this new research on cracking the encryption there’s another method that has existed since phone networks began operation. All mobile phone carriers have the ability to record conversations for law enforcement purposes. They just have to press some buttons on their computer and your conversations get recorded. So you shouldn’t be sharing trade secrets on the phone anyway.

And now’s a good time to mention that SMS messages have never been secure. Most GSM networks keep a log of all SMS messages and this information is available to law enforcement agencies (or to anyone corrupt at the phone companies or to anyone that hacks into a phone company’s network).

Some articles to read if you need more information: here, here and here.

Has your email been hacked?

If you suspect someone else is reading your emails you normally change your password immediately and figure out how they were able to access your account.

If you’re curious then the following information could interest you 😉

There’s a free online service called OneStatFree that can be used as a tripwire to detect access to your emails. It will tell you the time and day your email was opened (by someone other than you), the country it was accessed from, the IP address and possibly more information (such as the city) depending on the actual network used.

The way it works is that you create a special email and send it to yourself. You never open this email yourself; if someone else does, it instantly sends some information to the OneStatFree service, which you then check at a later date.

Full instructions are provided here; they should be fairly easy for most people to follow.

Just keep in mind that if someone is indeed reading your emails this trick won’t stop them. So think carefully about whether you want to leave your email compromised while you investigate the culprit, or take immediate action and change your password.
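A self-hosted version of the same tripwire idea, added here as an illustration and not the OneStatFree service’s own code: the email you send yourself carries a one-pixel image whose URL contains a random token, and a small scanner looks through your web server’s access log for fetches of that token. The beacon host, the token and the log lines below are all constructed for the example.

```python
import re
import secrets
from datetime import datetime

# Hypothetical beacon host for the example; any web server whose access log
# you can read will do.
BEACON_BASE = "https://tripwire.example.net"


def make_beacon(base_url: str = BEACON_BASE) -> tuple:
    """Return (token, url) for a fresh tripwire beacon. The token is random,
    so the URL cannot be guessed and a hit can only come from the mail being opened."""
    token = secrets.token_urlsafe(16)
    return token, f"{base_url}/beacon/{token}.png"


def tripwire_email_html(beacon_url: str) -> str:
    """Body of the message you send to yourself and never open; the
    one-by-one pixel image is what phones home when the mail is rendered."""
    return (
        "<html><body><p>Saved passwords (do not forward)</p>"
        f'<img src="{beacon_url}" width="1" height="1" alt="">'
        "</body></html>"
    )


# Combined (Apache/nginx style) access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_beacon_hits(log_lines, token: str) -> list:
    """Return one record (ip, time, user agent) per fetch of this token's image."""
    wanted = f"/beacon/{token}.png"
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != wanted:
            continue
        hits.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user_agent": m["ua"],
        })
    return hits


# Constructed sample log: an unrelated request, one fetch of our beacon,
# and a fetch of somebody else's token.
SAMPLE_TOKEN = "k7QxZ1pTest"
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Feb/2008:09:10:01 +1100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [12/Feb/2008:09:15:27 +1100] "GET /beacon/{SAMPLE_TOKEN}.png HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '203.0.113.9 - - [12/Feb/2008:09:16:02 +1100] "GET /beacon/otherToken.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_beacon_hits(SAMPLE_LOG, SAMPLE_TOKEN):
        print(f"{hit['time']:%Y-%m-%d %H:%M %z}  opened from {hit['ip']}  ({hit['user_agent']})")
```

Two caveats when reading the results: many mail clients block remote images until the reader clicks "load images", so a snoop who reads with images blocked leaves no hit and an empty log is not proof of safety; and the IP address is that of whatever fetched the image, which may be a webmail provider’s image proxy rather than the reader’s own connection.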

Trust Encryption Device (TED)

Australia’s CSIRO has developed a security device for online banking. It’s like a flash drive and contains a virtual computer environment which makes applications like online banking more secure.

However, there’s a lot of doubt in the security world. You still need to plug it into a computer for it to start up, and you don’t always know what’s on that computer. Malware could still take screenshots and send them off to some unknown person on the other side of the world, and there’s little explanation of how it’s meant to avoid being tampered with.

It’s a technology to keep a watch on for the future. Full article here.

Online Tax Returns In The UK

Doing your income tax returns online is fairly common these days. In the UK there are more than 3 million people that file their tax return online.

The UK’s tax department, HM Revenue and Customs, is a little unclear on how secure this is. They’re providing an online service that by default should be secure.

But they’ve recently barred high profile people, including MPs, celebrities and the Royal Family, from using the same online system for security reasons.

If the system’s security isn’t good enough for high profile people then it shouldn’t be good enough for anybody. This can be taken as an admission that their security isn’t quite good enough to use.

Whole Disk Encryption

If you carry a notebook outside of your home or office then Whole Disk Encryption is a technology you should be interested in. It’s also called Full Disk Encryption. First let’s identify the problem.

Most people who carry notebook computers (laptops) keep sensitive files on the machine’s drive. Business documents, business databases, contact lists, emails, chat logs, password lists, etc. The most common situation is someone carrying confidential documents on the computer.

If the notebook is lost or stolen then whoever holds the notebook computer has access to the files. Login passwords aren’t enough to protect the documents; the files are easily recovered by anyone who has the drive.

A more worrying trend is for international business travellers who carry confidential data on their notebooks. There have been many instances of airport customs staff not only inspecting the notebook for banned items but also looking through the notebook’s hard drive and any documents stored there. Their excuse is that they have to search for anything that’s a threat to national security. Irrespective of why they’re doing this, the point is that someone else can gain access to your files at airports. Read this article for an example. And for examples of lost or stolen notebooks see here.

Most large companies are now telling their staff to wipe all documents off notebook computers before travelling. This is excellent advice.

Another solution is to use whole disk encryption. This is a software technology that encrypts the entire drive so that it’s unreadable without a password. At present this technology is rarely used on notebooks.

Advantages:

  • It’s not possible for someone to extract files from a lost or stolen notebook computer
  • You don’t have to remember to turn it on or to prepare anything before you leave home or the office. It’s always enabled

Disadvantages:

  • Not all encryption programs are free (read below for some good news on free software)
  • It slows down the computer
  • You have to enter another password before using the computer
  • It doesn’t protect you from malware (trojans etc). You still need a good antivirus system
  • You must have a backup of all your data at home or at the office. If something goes wrong with the computer then there’s no way to recover the data without a backup
  • Security is only as good as your password. If you use your car number plate or some other easy to guess password then it’s not really secure. You need to use a good password.

So with more disadvantages than advantages you’re probably put off. It depends how valuable your files are. If you’re a lawyer carrying around all your clients’ documents then your files are probably quite valuable, and you should be doing everything in your power to stop strangers getting at them.

How does it work?

The technical explanations are beyond the scope of this article. It’s enough to know that it encrypts all of the drive. Older encryption programs encrypt some files only and smart hackers can usually recover all or part of documents. Therefore the “whole disk” part of the encryption program is important. The disk is completely unreadable and unusable without the password.
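To make the “whole disk” point concrete, here is an added demonstration on a toy disk image; it is not code from any product mentioned on this page. Encrypting chosen files one by one scrambles those files but leaves the directory listing and the remnant of a deleted file readable to anyone who searches the raw drive, while encrypting the entire image leaves nothing to search. The key is derived from the password with PBKDF2, as real products do; the SHA-256 counter keystream is only a stand-in for the AES modes (such as XTS) real whole-disk products use, chosen so the example runs on Python’s standard library. File names, contents and the salt are constructed.

```python
import hashlib


def build_disk_image():
    """Constructed toy 'disk': a directory line, two files, then free space
    still holding the bytes of a file that was deleted but never overwritten.
    Returns the image and a {segment_name: (offset, length)} layout."""
    segments = [
        ("directory", b"clients.xls;notes.txt\n"),
        ("clients.xls", b"ACME Ltd settlement figure 1,250,000\n"),
        ("notes.txt", b"call the bank about the loan\n"),
        ("free space", b"\x00\x00DRAFT merger offer for BigCorp\x00\x00"),
    ]
    image, layout = bytearray(), {}
    for name, content in segments:
        layout[name] = (len(image), len(content))
        image += content
    return bytes(image), layout


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow key derivation so each password guess costs the attacker time;
    the password's quality still decides how many guesses are needed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def xor_keystream(key: bytes, data: bytes, start: int = 0) -> bytes:
    """Toy counter-mode stream: the keystream byte for absolute disk position p
    is SHA256(key || p // 32)[p % 32]. Using the disk position as the counter
    lets the same routine encrypt one file region or the whole disk, and XOR
    makes it its own inverse. A stand-in for AES-XTS, not a cipher to deploy."""
    out = bytearray(len(data))
    block_index, block = None, b""
    for i in range(len(data)):
        pos = start + i
        if pos // 32 != block_index:
            block_index = pos // 32
            block = hashlib.sha256(key + block_index.to_bytes(8, "big")).digest()
        out[i] = data[i] ^ block[pos % 32]
    return bytes(out)


def encrypt_files_only(image: bytes, layout: dict, key: bytes, names) -> bytes:
    """What an older file-level encryption program does: scramble the chosen
    files in place and touch nothing else on the drive."""
    img = bytearray(image)
    for name in names:
        off, length = layout[name]
        img[off:off + length] = xor_keystream(key, img[off:off + length], off)
    return bytes(img)


def encrypt_whole_disk(image: bytes, key: bytes) -> bytes:
    """Whole disk encryption: every byte, directory and free space included."""
    return xor_keystream(key, image, 0)


def plaintext_found(image: bytes, needles) -> list:
    """What someone holding the drive can still read by searching raw bytes."""
    return [n for n in needles if n in image]


if __name__ == "__main__":
    image, layout = build_disk_image()
    key = derive_key("correct horse battery", b"constructed-salt")
    needles = [b"clients.xls", b"settlement", b"merger offer"]
    print("unencrypted:  ", plaintext_found(image, needles))
    partial = encrypt_files_only(image, layout, key, ["clients.xls", "notes.txt"])
    print("files only:   ", plaintext_found(partial, needles))
    whole = encrypt_whole_disk(image, key)
    print("whole disk:   ", plaintext_found(whole, needles))
    print("decrypted ok: ", xor_keystream(key, whole) == image)
```

Run it and the “files only” line still lists the file name from the directory and the deleted draft from free space; the “whole disk” line lists nothing, and only the correct password turns the image back into the original.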

What whole disk encryption programs are available?

Recently there has been some progress on this and there are now good free versions including ones for Mac notebooks, as well as commercial solutions.

Free Windows Solutions:

There are quite a few solutions; below are the more popular ones available today.

  • BitLocker – it comes with Windows Vista Enterprise, Windows Vista Ultimate, and Windows Server 2008
  • TrueCrypt – a popular open source solution (see notes below). Available for Windows, Mac and Linux.

Commercial Solutions:

Below are low cost commercial solutions. There are many expensive enterprise level solutions not listed here.

  • PGP – This program has been around for a very long time and is trusted by many people and companies. On the 13th Feb 2008 a version was also made for Apple Macs.

Summary

If you take your computer outside of a secure environment (home, office, etc) and you have anything on there you wouldn’t like others to have then whole disk encryption is a must.

As for airport customs and other law enforcement agencies, a lot of countries have laws making it possible for them to demand your password. So while you can keep random strangers from reading your data it’s really up to you how you comply with legal requests to hand over data. At least you have a choice.

Notes:

Open Source: in security it’s often a good thing to make programs or algorithms open source. It enables the programming community or security community to review the code and find any possible bugs as quickly as possible. It’s also a form of full disclosure. With commercial solutions you have to trust a company that they didn’t include a backdoor for whatever reason. With open source solutions everything’s exposed for public review.

Extreme Protection – Disabling ActiveX

Quite a few problems with malware come from malicious bits of code hidden in what’s known as ActiveX controls. Some web sites use this feature to add functionality. Other web sites hide malicious code inside ActiveX controls that can take control of your computer. You can’t really tell good ActiveX controls from bad ones.

One way to deal with suspicious ActiveX controls and to increase the security of your computer is to completely disable ActiveX for all sites. It’s an extreme measure and the downside is that some websites will no longer work.

To disable ActiveX:

  • Start up Internet Explorer (if you haven’t already)
  • Look on the bottom right corner for the word Internet, double click on it
  • Highlight "Internet"
  • Set the security level to High
  • Click OK
  • See this screenshot:
    security-high

Some web sites this will affect are Facebook and MySpace. This is a good thing because Facebook and MySpace will publish ActiveX code written by unknown people. Even if you lose some functionality it’s a good thing to block code from people you don’t trust (and that the Facebook or MySpace companies don’t really trust).

If you come across a legitimate web site that no longer works because of this change, such as your bank’s web site, you need to decide if you trust them. In the case of a bank then you most probably do trust them and you can add them as an exemption.

Follow these steps (after the previous steps) to exempt an important web site that you trust:

  • Open the web page on which you want to allow ActiveX code
  • Highlight the address and copy it (Control C, or right click and select Copy).
    E.g.  address
  • On the bottom right corner of Internet Explorer you’ll see the word "Internet". Double click on this.
  • Click on the "Trusted Sites" icon (large green tick)
  • Click on the Sites button
    trusted
  • Paste the address you copied (it might already be here)
  • Uncheck the option called "Require server verification (https:)"
  • Click Add
    trustedsites
  • Click Close, then OK again

Be wary of what pages or sites you’re exempting. What you’re in effect doing is trusting the author of any code found on that site. Social sites such as Facebook and MySpace allow anyone to publish code, and this makes them a playground for writers of malicious code.

As stated at the beginning of this article, it’s an extreme measure that will increase the security of Internet Explorer. Increasing security always decreases convenience and these days with so many talented people out there trying to steal money online it’s definitely worth considering.

.com.au.com

Any web address that ends with .com.au.com should be treated with caution. At the moment these pages are redirecting to a fake anti-spyware page, tricking people into downloading malicious software.

For example, an address such as importantcompany.com.au.com

  • is not the same as importantcompany.com.au
  • is not the same as importantcompany.com

Because the last few letters are different it takes users to a completely different site. Even having one different letter or the dot in a slightly different position is enough for your computer to go to a different site, one owned and operated by an individual with questionable intentions.

In this example importantcompany could be any company or web site you’re familiar with (eg Google).

This is a problem because people are good at recognising patterns and the addresses look similar. However they are in fact different. Care should always be taken with deceptive addresses.
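Because people match on the familiar name and not on the exact address, software that checks addresses should not do the same. The added example below (not from the original article) contrasts the naive “does the address contain the name I know” test with a check that requires the host to end with the trusted domain at a label boundary. It goes slightly beyond the article’s cases by also covering a lookalike built by adding extra labels and one that hides the real host behind a user@ prefix; the trusted domain and sample URLs are constructed.

```python
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Host part of a URL, lower-cased with any trailing dot removed. urlsplit
    deals with the parts that fool eyeballs (user@ prefixes, ports, paths)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def naive_check(url: str, trusted_domain: str) -> bool:
    """The intuition the article warns against: 'the address contains the
    name I know, so it must be that site'. Passes every lookalike below."""
    return trusted_domain in url


def belongs_to(url: str, trusted_domain: str) -> bool:
    """Correct check: the host must equal the trusted domain or end with it at
    a label boundary (a '.' right before it), so trailing labels such as
    '.com' tacked onto 'importantcompany.com.au' do not pass."""
    host = hostname_of(url)
    trusted = trusted_domain.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def lookalike_report(url: str, trusted_domain: str) -> str:
    """One-line verdict, e.g. for a mail gateway or a user-facing warning."""
    if belongs_to(url, trusted_domain):
        return f"{hostname_of(url)} is under {trusted_domain}"
    return f"{hostname_of(url)} is NOT {trusted_domain} (looks similar, different site)"


# Constructed examples in the spirit of the article.
TRUSTED = "importantcompany.com.au"
SAMPLES = [
    "https://www.importantcompany.com.au/login",
    "http://importantcompany.com.au.com/login",
    "http://importantcompany.com/login",
    "http://importantcompany.com.au.other.example/login",
    "http://importantcompany.com.au@other.example/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"naive={naive_check(url, TRUSTED)!s:5} correct={belongs_to(url, TRUSTED)!s:5} "
              f"{lookalike_report(url, TRUSTED)}")
```

Only the first sample passes the correct check; the naive test accepts all of them, including the .com.au.com address the article describes.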

Digital Picture Frames with malware

Now you also have to be careful when you buy digital picture frames. There have been numerous reports of some of these devices being infected with a virus. When you put in a photo memory card it installs a trojan onto the card. Then later, if you put the card into your computer it can install the trojan onto the computer.

It then tries to stop any anti-virus system the computer may have and then starts stealing passwords. Pretty serious stuff.

And it seems the digital picture frames came from the factory with this already installed; no one had tampered with the devices beforehand. This has been happening to quite a few digital gadgets such as MP3 players.

A good anti-virus system will detect this and prevent itself from being disabled, so if you haven’t already done so invest in one. And if you come across such a device have a chat with the store you bought it from; it’s possible they have no idea it’s happening.

Update (26 Jan 08): Best Buy were selling these devices with the brand name Insignia. They’ve just realised and have taken them off the shelf and are trying to contact customers who bought them.

MySpace Pages Can Carry Viruses

There have been some pages on MySpace that cause a window to pop up telling users to install a Microsoft Security Update. Instead of installing a security update it installs some malicious code.

The last one to make the news involves requests coming from a user called "Rita". This is just an arbitrary name that someone has set up, and it won’t be the last.

So if websites like MySpace or Facebook ask you to install programs on your computer you should generally ignore or deny them.