Monday, 27 November 2006
[TechWorld] Devastating mobile attack under spotlight. A German researcher warns that the SMS messaging network can be used to carry out attacks. Specifically, the attack uses a service SMS, of the kind operators use to modify a handset's configuration; these messages carry no authentication at all and are simply executed the moment they are received. This allows complete manipulation of the phone for tasks such as intercepting conversations (all calls are covertly diverted to the attacker)... or anything else the attacker's imagination allows.
All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone's address book.
The attack, outlined by a German security expert, would amount to the largest ever breach of privacy for billions of mobile phone users across the world. But it remains uncertain exactly how easy and how widespread the problem could be thanks to a concerted effort by mobile operators to muddy the issue while they assess its extent.
(...)
Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan which appears to use this method at the Systems show in Munich last month - a performance which can be seen in a German-language video.
"I found this on a very old Siemens C45 phone, and then tried it on a Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of them authenticated the sender of the service SMS. We could not believe no one had found this possibility before us."
On all these phones, Hafner was able to launch an example Trojan called "Rexspy", which he says ran undetected. Rexspy copies all SMS messages to the attacker, and allows the attacker to eavesdrop on any phone conversation by instructing the phone to silently conference the attacker into every call.
19:11 (Permanent link)
Microsoft has published the final version of the Windows Vista Security Guide, documentation on the various security settings available in the new version of Windows and how to harden its configuration:
This guide builds on the Windows XP Security Guide, which provides specific recommendations about how to harden computers running Windows XP with SP2. The Windows Vista Security Guide provides recommendations to harden computers that use specific security baselines for the following two environments:
• Enterprise Client (EC). Client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003. The client computers in this environment include a mixture: some run Windows Vista whereas others run Windows XP. For instructions about how to test and deploy the EC environment, see Chapter 1, "Implementing the Security Baseline." And for information about the baseline security settings that this environment uses, see Appendix A, "Security Group Policy Settings."
• Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The client computers in this environment run only Windows Vista. For instructions about how to test and deploy the SSLF environment, see Chapter 5, "Specialized Security – Limited Functionality."
The guide can be obtained free of charge from Microsoft's website.
00:13 (Permanent link)
© Copyright 2000-2006 Xavier Caballe. Unless expressly stated otherwise, the material published on this weblog is distributed under the Creative Commons licence. The content is the sole and exclusive responsibility of its author and bears no relation to his professional activities.