Tuesday, 5 December 2006
[News.com] FBI taps cell phone mic as eavesdropping tool. The United States government has approved a new method for investigating members of organised crime: remotely activating the microphone of their mobile phone in order to listen in on their conversations. It sounds like something out of a novel... but everything points to it being a real system!
The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations.
The technique is called a "roving bug," and was approved by top U.S. Department of Justice officials for use against members of a New York organized crime family who were wary of conventional surveillance techniques such as tailing a suspect or wiretapping him.
(...)
The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.
Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.
(...)
The U.S. Commerce Department's security office warns that "a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone." An article in the Financial Times last year said mobile providers can "remotely install a piece of software on to any handset, without the owner's knowledge, which will activate the microphone even when its owner is not making a call." Specifically, the report from the U.S. Department of Commerce warns of three security vulnerabilities in mobile phones:
Your cellular telephone has three major security vulnerabilities:
- Vulnerability to monitoring of your conversations while using the phone.
- Vulnerability of your phone being turned into a microphone to monitor conversations in the vicinity of your phone while the phone is inactive.
- Vulnerability to "cloning," or the use of your phone number by others to make calls that are charged to your account.
13:08 | Permanent link
[Scanit] VoIP Security - Does it exist? The main security problems affecting VoIP, which can be used to eavesdrop on conversations, hijack conversations or redirect calls destined for one number so that someone else receives them:
The team at Scanit R&D Labs have conducted a significant amount of research into VoIP and its inherent vulnerabilities. Broadly, VoIP attacks can be divided into two groups: Signalling attacks and Media stream attacks. We tested the most popular SIP routers that are being used by the majority of VoIP providers and uncovered some startling results.
Signalling attacks can be used to eavesdrop on conversations and re-route or hijack calls. Due to the fact that the SIP protocol presently does not support message integrity, it is extremely easy to re-play or re-send SIP messages to the SIP registrar or proxy and have it perform functions such as adding another client to a conversation or re-routing of a call. Since SIP messages are also sent over a clear-text channel, it becomes a trivial task for an attacker to perform ARP poisoning and inspect, intercept and modify all SIP messages on the local network.
(...)
VoIP is definitely here to stay. However, the rapid deployment of VoIP has seen it progress with little or no attention given to security. While the technological advancements of VoIP have grown by leaps and bounds, security is still left behind to catch up. The vulnerabilities listed in this article are merely a small percentage. Several more vulnerabilities have presented themselves during internal tests and a large number of Proof of Concept attacks have been developed in-house.
This does not mean that larger organizations should abandon the idea of a VoIP implementation. VoIP implementations can be secured with a little effort placed during the design and implementations phases. Being fully aware of the risks involved with VoIP implementations goes a long way into understanding how to secure it.
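The two signalling problems described in the excerpt above (re-played or re-sent SIP messages, and registrations that re-route a user's calls) are easier to reason about with a concrete detector in hand. The following is an added example, not code from the original post or from Scanit's research: it parses the start line and headers of SIP requests from constructed capture records (the IP addresses, URIs and Call-IDs are made up) and raises an alert when the same Call-ID/CSeq pair arrives a second time from a different source address, or when a REGISTER moves an address-of-record to a new Contact from a new host. The capture format (a source IP paired with the raw request text) is an assumption of the example.

```python
# Added example (not from the original post or from Scanit's research):
# a small detector for replayed SIP requests and for registration changes
# that re-route a user's calls, run over constructed capture records.
from dataclasses import dataclass


@dataclass
class SipRequest:
    src_ip: str          # sender address seen on the wire
    method: str          # REGISTER, INVITE, ...
    request_uri: str
    headers: dict        # lower-cased header name -> value


def parse_sip_request(src_ip: str, raw: str) -> SipRequest:
    """Parse the start line and headers of one SIP request (body ignored)."""
    lines = raw.strip().splitlines()
    start = lines[0].split()
    if len(start) != 3 or start[2] != "SIP/2.0":
        raise ValueError(f"not a SIP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # an empty line separates headers from the (SDP) body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipRequest(src_ip, start[0], start[1], headers)


class SipSignallingMonitor:
    """Flag two symptoms of the signalling attacks described in the post.

    1. A request whose (Call-ID, CSeq) pair was already seen, now arriving
       from a different source address: a replayed or re-sent message. The
       same pair from the same source is a normal UDP retransmission.
    2. A REGISTER that moves an address-of-record to a new Contact from a
       new source address: a possible re-routing of the user's calls.
    """

    def __init__(self) -> None:
        self.seen = {}            # (call-id, cseq) -> first source ip
        self.registrations = {}   # To header (AOR) -> (contact, source ip)
        self.alerts = []

    def feed(self, req: SipRequest) -> None:
        key = (req.headers.get("call-id"), req.headers.get("cseq"))
        first = self.seen.setdefault(key, req.src_ip)
        if first != req.src_ip:
            self.alerts.append(
                f"REPLAY: {req.method} Call-ID={key[0]} CSeq={key[1]} "
                f"first seen from {first}, now from {req.src_ip}")
        if req.method == "REGISTER":
            aor = req.headers.get("to")
            contact = req.headers.get("contact")
            prev = self.registrations.get(aor)
            if prev and prev[0] != contact and prev[1] != req.src_ip:
                self.alerts.append(
                    f"REGISTRATION CHANGE: {aor} moved from {prev[0]} "
                    f"({prev[1]}) to {contact} ({req.src_ip})")
            self.registrations[aor] = (contact, req.src_ip)


def analyse(records) -> list:
    """Run the monitor over (src_ip, raw_request) records; return alerts."""
    mon = SipSignallingMonitor()
    for src_ip, raw in records:
        mon.feed(parse_sip_request(src_ip, raw))
    return mon.alerts


def _req(method, uri, call_id, cseq, to, contact=None):
    """Build a minimal SIP request (constructed sample data, not a capture)."""
    msg = (f"{method} {uri} SIP/2.0\r\n"
           f"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-{call_id}\r\n"
           f"From: <sip:alice@example.net>;tag=1\r\n"
           f"To: {to}\r\n"
           f"Call-ID: {call_id}\r\n"
           f"CSeq: {cseq} {method}\r\n")
    if contact:
        msg += f"Contact: {contact}\r\n"
    return msg + "\r\n"


# Constructed records: addresses, URIs and Call-IDs are invented.
SAMPLE_RECORDS = [
    # Alice registers from her own phone; the second copy is a retransmission
    ("10.0.0.5", _req("REGISTER", "sip:pbx.example.net", "reg-1", 1,
                      "<sip:alice@example.net>", "<sip:alice@10.0.0.5>")),
    ("10.0.0.5", _req("REGISTER", "sip:pbx.example.net", "reg-1", 1,
                      "<sip:alice@example.net>", "<sip:alice@10.0.0.5>")),
    # Alice calls Bob
    ("10.0.0.5", _req("INVITE", "sip:bob@example.net", "call-42", 1,
                      "<sip:bob@example.net>")),
    # The same INVITE, unchanged, now arriving from another host
    ("10.0.0.66", _req("INVITE", "sip:bob@example.net", "call-42", 1,
                       "<sip:bob@example.net>")),
    # A REGISTER that points Alice's address-of-record at another host
    ("10.0.0.66", _req("REGISTER", "sip:pbx.example.net", "reg-2", 1,
                       "<sip:alice@example.net>", "<sip:alice@10.0.0.66>")),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_RECORDS):
        print(alert)
```

Run as a script, it prints one REPLAY alert for the duplicated INVITE and one REGISTRATION CHANGE alert for the second REGISTER; the retransmitted first REGISTER is silent, since the same pair from the same source is expected over UDP. A detector like this only observes the problem the post describes: because the messages travel in clear text, it cannot tell a forged request from a genuine one and should be read as an indicator, not a control.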
12:52 | Permanent link
[WhiteHat Security] Myth-Busting AJAX (In)Security. It has been said several times that adopting AJAX as a platform for developing web applications opens up new vulnerabilities, some remotely exploitable and others that open the door to denial-of-service attacks. This document contradicts that view, arguing that AJAX is neither more nor less secure than other technologies... it all depends on the practices used, and that AJAX brings a major benefit to security: the simplification of new web applications. Hence, more simplification, fewer potential vulnerabilities.
Does AJAX cause a larger "Attack Surface"? No.
The term "Attack Surface" applies to a concept used to measure security by analyzing the points in a system that are open to attack. For software, these points are areas of data input and output that can be manipulated by a third-party. Obviously the smaller attack surface an application has, the easier it is to secure. What’s also obvious is that web applications, or any application, only have as much functionality (attack surface) as has been programmed in. It doesn’t matter if the user interface uses AJAX, Flash, ASCII art, or anything else. Again, AJAX is a web browser (client-side) technology. It does not execute on the server. While the coolness factor of AJAX drives developers to publicly expose more functionality - which may introduce new "server-side" vulnerabilities - this can hardly be blamed on AJAX. New code has always meant an increased risk of vulnerabilities.
Furthermore, in my experience, AJAX-enabled web applications are no more functionally complex than standard web applications. Google Maps is actually a less sophisticated application than the seemingly simple craigslist. Gmail is less complex than Outlook Web Access.
00:18 | Permanent link
From the F-Secure report... the number of malware specimens for the various mobile phone platforms over the last few years:
It is clear which platform to avoid: Symbian. By a wide margin, it is where most of the malware is. The platform with the second most malware is PalmOS (9), followed by Windows Mobile (8). The platform with the least malware is J2ME, with only two specimens (both of them, though, from 2006).
00:09 | Permanent link
F-Secure has produced a summary of the state of computer security in this second half of 2006, from July to December. It is available as a video (in numerous formats) and also as a transcript. They made a similar video for the first half of the year, which completely escaped my notice.
The topics covered range from phishing to threats to mobile phones, by way of the main viruses and worms, attacks on social networks, exploits for Internet Explorer, the rise of 0-days...
00:07 | Permanent link
© Copyright 2000-2007 Xavier Caballe. Unless expressly stated otherwise, the material published on this weblog is distributed under the Creative Commons licence. The content is the sole and exclusive responsibility of its author and has no relation to his professional activities.