Sunday, October 31, 2010

I can spy on your mobile and read your SMSes

Yesterday, Oct 29th, Google announced that a controversial application called Secret SMS Replicator was pulled off the Android Market. The application secretly forwarded a copy of the SMSes received by the phone to another user. The company which developed the application marketed it as a spying tool and even gave the example of how it could be used to spy on a boyfriend.

Today, there are over 500,000 applications available to mobile users. In the near future, there will be an increase in local applications providing services in the areas of social networking, sports, health, business, news, games, travel and education. Smartphones today have become a handy tool to access mail, store contacts and documents, and take pictures. They are a repository of corporate and personal data, any compromise of which may adversely affect the reputation of the user or cause financial loss. Today, the major threats are from spyware and viruses. Spyware accounts for 70% of the threat. This is set to increase as most mobile users are not security aware.

I ran a quick search and found that spying applications have been freely available since 2009! I have inserted a copy of the spyware functionality, as advertised online, into my blog.

INTERCEPT SMS (TEXT) MESSAGES           
Read incoming & outgoing SMS messages sent & received from the target's iphone. This gives you the secret ability to spy on the iPhone user's entire SMS activity.
 
 
SECRETLY READ CALL LOGS
Spy on the Android phone's call history. You'll know the name (linked to the phone's address book) and number of all incoming & outgoing calls.


LOCATION TRACKING
This will enable you to spy on the Android phone's location by tracking the cell phone's ID location. This is definitely not as accurate as GPS tracking, but it will give you an approximate location.


My advice in bold letters, not rudely though, is “THINK OF THE SECURITY RISK WHEN YOU DOWNLOAD. THERE IS A REASON WHY WE CALL THESE APPLICATIONS TROJANS. WHAT THE TROJAN HORSE DID TO TROY IS WHAT THESE TROJANS DO TO YOUR MOBILE DATA AND REPUTATION.”

Friday, October 29, 2010

Twitter, Firesheep and the Unsecured WIFI at Delhi Airport

Yesterday, I had a long wait in the beautiful and comfortable Delhi domestic airport terminal. It was crowded as many fliers like me rued the congestion that delayed several flights. I was surprised at the ratio of laptops per person. A laptop per head almost!

I turned on the laptop WIFI to see what connections were available. There were a few paid and free connections which were either unsecured or secured with WEP. WEP can be broken by a hacker in 10 minutes due to a design weakness in the algorithm, and is therefore considered to be weak from a security point of view. By walking around, I was able to determine that a large number of users were actually working on their web mail. Others may have been working on social networking sites like Twitter and Facebook, to name a few.

None seemed aware of or concerned about the possibility of their unsecured connection being snooped on or sidejacked. Sidejacking is a method of hijacking an active connection to a website, on an unsecured network (wired or WIFI), by another user using a normal Firefox browser with the Firesheep plug-in. This enables a malicious user to take over your account, write as you, snoop on your private information, emails and so forth.

For most of us, free WIFI is a wonderful productivity tool and a great way to pass time in cafes or airports. Given this risk, safe use is important. We can use these connections for surfing and for connecting to end-to-end SSL protected websites (you will see the lock symbol on the browser). Logging on to social networking sites, or other sites where users have accounts and which are not secured with SSL, should be avoided in public places over unsecured WIFI. Corporate sites which do not provide SSL on their Internet sites should do so. The other way to ensure security is to use a VPN connection, which is an encrypted tunnel to a remote server which then connects to the Internet.
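An added example, not part of the original post: Firesheep works by reading the session cookie that a site sends over unencrypted HTTP, so a site owner can audit their own responses for that exposure. The check below runs over constructed sample headers; the hostnames, cookie names and the `SESSION_HINTS` naming heuristic are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample responses: URL -> list of (header, value). Not real traffic.
SAMPLE_RESPONSES = {
    "http://social.example/login": [
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
    ],
    "https://shop.example/account": [
        ("Set-Cookie", "sid=42; Path=/"),
    ],
    "https://mail.example/inbox": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "auth_token=xyz789; Path=/; Secure; HttpOnly"),
    ],
}

# Assumed heuristic: cookie names containing these strings carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def audit_response(url, headers):
    """Return a list of sidejacking-relevant weaknesses for one response."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("page served over plain HTTP")
    elif not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no HSTS header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            is_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
            # Without Secure, the browser also sends the cookie over plain HTTP,
            # where anyone on the same open network can read it.
            if is_session and not morsel["secure"]:
                findings.append(f"session cookie '{cookie_name}' lacks Secure")
    return findings


def audit_all(responses):
    return {url: audit_response(url, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url, "->", findings or "ok")
```

A site that passes this check sends its login cookie only over SSL, which is what takes the cookie out of reach of someone listening on the same open WIFI.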

WIFI is inherently insecure. When it is used in corporate offices, we need to secure the wireless link through strong authentication and encryption such as the WPA standard. Strong encryption depends on the encryption standard and the complexity of the encryption key, which is a user/administrator configurable parameter. Without this, the WIFI is vulnerable.

I read a shocking statistic which stated that over 60% of WIFI networks at home or in small offices were unsecured or improperly secured. It is a cause for worry.

Saturday, October 23, 2010

WikiLeaks site under attack? Whistle blowers leaking confidential info?

Yesterday, there was a report of the WikiLeaks site coming under attack from skilled hackers, a few days before the release of tens of thousands of classified Iraq war documents. More can be read at http://blogs.forbes.com/andygreenberg/2010/10/22/wikileaks-hacked-by-very-skilled-attackers/. At the time of writing this blog, the site is experiencing heavy traffic and is unable to respond. Perhaps it is under sustained attack!

We know for certain that this damages the reputation and military interests of NATO, and may put lives of people at stake. WikiLeaks also claims to sanitise documents to the extent possible. On the other side of the equation, there may be information that people need to know to ensure that atrocities committed are not repeated or kept hidden.

We have a site that is legitimately publishing documents critical to national or business interests which have been provided to it by obviously disgruntled employees or whistleblowers.

We are faced with a situation where a whistleblower is disclosing confidential information to a public forum (via WikiLeaks) as a means to obtain redressal, as the government is the entity against which the charges are leveled.

For a data security practitioner it is against the law? For a civil rights activist it is one step towards a better world?

You decide.

Perhaps your decision will be based on whether the contents of the documents reveal a cover-up of atrocities or are simply a sensational publication of classified war information.

Tuesday, October 19, 2010

CA Summit in Security Risks in the Cloud 19 Oct 2010

I attended the CA Summit on Security Risks of the Cloud today at the Westin Hotel. The focus of the seminar was on Identity and Access Management solutions in the cloud. CA's latest acquisition of Arcot Systems and its flagship SiteMinder IAM product suite were showcased in a short case study. CA demonstrated that it had, or was working towards, end-to-end solutions TO, FOR and FROM the cloud. Geoff Charron, VP, Software Engineering, CA, spoke at the event.

TO the cloud are solutions for a user to access cloud based solutions such as SalesForce.com, as well as to federate between an enterprise and cloud based applications.

FOR the cloud were solutions for building an identity and authentication framework for the hypervisor layer in cloud architectures.

FROM the cloud were solutions from Arcot Systems for cloud based multifactor authentication using their soft PKI certificates.

The conference was well attended with a large number of delegates, who took a keen interest in the technical aspects of cloud based authentication. There were several questions on the types of threats faced by cloud based authentication, the time taken to deploy such a solution and the contractual agreement for its use.

I was very happy to see that the IT and Security teams in Mumbai are evaluating solutions that use the cloud. As businesses realise the immense savings that cloud based services can bring, the IT and Security teams need to be abreast of the technical and security risks behind cloud based deployment. A secure authentication mechanism, particularly the CA TO the cloud solution, will be most useful for first stage cloud movers.

The event closed with a lovely dinner.

Sunday, October 17, 2010

Chinese and Pakistani Hackers attack CWG website

Today, competitive politics and envy have reached levels where they mar the game of sport. I read with great disheartenment of the attempts by Pakistani and Chinese youth hackers to bring down the Commonwealth Games website, an event designed to unite a host of countries under a theme of friendship and peace. What is more, the newspapers seem to suggest that these attempts were tacitly supported by the government and military establishments in these countries. Isn't it time that at least governments act responsibly and work to actively suppress this kind of activity?


When individuals are encouraged to develop hacking skills and technology, it may serve a short term, narrow purpose, however ill-conceived, but the experience gained will eventually turn against the government that supported it. We have seen evidence of this time and time again, when the terrorists spawned returned to conquer the very land that created the beast.


One of the achievements of the Indian Government and people that I am proud of is that, despite our considerable expertise and knowledge of Information Technology, we do not retaliate or attempt to interfere with global or other countries' online economies.