IT Security Blog

VoIP Going Mobile

By

the latest in the N31 seriesSeveral companies are attempting to apply Voice over Internet Protocol (VoIP) to mobile phones. T-mobile announced that they are going to launch mobile wi-fi cellular hybrids by the end of the year. Once these phones detect a Wi-fi connection they will automatically switch to the Wi-fi and connect calls through VoIP without interruptions.

Companies used VoIP technology to make calls are increasing, cutting down the cost of long-distance calls, but so far it’s been limited to office or home use. Cellular phone companies like Nokia have launched the N80 Internet Edition, their latest products with mobile phone-based VoIP. The road to this conversion has not been smooth, however. Last month major VoIP company Skype announced that there will be delays for their plans to expand their services to mobile phones due to technical difficulties and the lack of compatible handsets. But it’s certainly only a matter of time before users get a wide variety of VoIP-related services on their mobiles.

VoIP may end up being cheaper than conventional mobile calls, but the same security concerns that plague VoIP will apply to this developing technology. There are still encryption issues for the data packets sent over the Internet, and the possibility of having calls eavesdropped or even rerouted by attackers. The worst posssiblity would be a denial of service (DoS) attack that can degrade call quality or completely crash the end service. So far there has been no clear-cut solutions to these problems, and users must be aware that these security issues exist.

[tags]voip, mobile. security[/tags]

ID Cards: A Waste Of Time And Money

By

The British government are trying to introduce ID cards for the population. This is a bad idea for a variety of reasons, not least the cost � both monetary and in time.

In order to get an ID card, you would need several forms of identification document; passport, driving license, birth certificate, etc. All of these already provide proof of ID, and all of these are readily forged, or genuine documents obtained in false names.

As this is the case, requiring ID cards adds nothing to security; anyone who can get a passport or drivers license now will be able to get an ID card when they find they need one. This adds no security to the system whatsoever. Furthermore, there is always the possibility that terrorist sleeper cells are already in the country, and already have forms of identification, which means they can readily acquire ID cards if they need them.

The current plans do not propose to tie ID cards with any other system of identification. That is, the drivers database, the passport database, the births, marriages and deaths records, are all distinct and separately controlled. This new ID card would simply be yet another system, with flaws of its own. What is more, it is likely that an ID card could be used to obtain other forms of identity, such as passports, which are accepted the world over. In this situation, the introduction of ID cards would actually reduce security; not increase it.

When the cost of this system is considered, along with time spent discussing and implementing it, and the inconvenience caused to the British public, along with the reality that ID cards would be completely pointless and serve no useful purpose, this system is clearly not a good security trade-off.

The security industry deals with trade-offs all the time. There is no such thing as perfect security, and people always want convenience over security, so the trade-off is to provide the maximum security at the minimum inconvenience to the people that must use the system. ID cards, in their current state of proposal, do not provide a good security trade-off. They cost a lot to implement, cause inconvenience, and do not add to security at all.

[tags]id cards,security,terrorism,identity cards,uk politics[/tags]

Tighter ISP laws for the US?

By

The US CongressA proposal for the suggested data retention law is already in the works and may now be extended to affect Web hosting sites and domain name registries. Last week US Attorney General Alberto Gonzales urged Senate to pass the data retention law as an aid in combating online child pornography. He also stressed for a need to increase current administrative subpoena powers and tighter money laundering laws to keep track of who is financing child pornography sites.

Such a law is meant to help combat crime and terroristic activity. The proposed law does not require the content of these communications to be preserved, only the logs of e-mail, Internet, phone activity and other identifying information useful for locating a customer. This data can only be accessed by court order similar to cases involving physical searches.

Privacy and industry groups are opposed to the proposal saying existing laws are sufficient for law enforcement. A 1996 federal law requires Internet providers to retain records for up to 90 days at the request of a government entity, while another law requires child pornography sightings to be reported. Civil liberties groups oppose this move, arguing that the information can be used for other purposes. ISP providers are also pointing out the increased costs of keeping and holding this increase in data. It is not clear just who will end up shouldering this cost.

The European Union had already passed a similar data retention law in 2005 requiring all telephone and Internet traffic to be stored from a period of six months up to two years.

Browser bugs on the rise

By

The four browser logos

Mozilla’s Firefox has the most number of vulnerabilities at forty seven, followed by Microsoft Internet Explorer’s thirty eight. This is an increase from last year’s record of 17 and 25, respectively. Even Apple’s Safari doubled its vulnerabilities to twelve, but Opera’s bugs decreased from nine to seven. IE remains as the most targeted web browser, accounting for 47% of all attacks. In second place (31%) are attacks exploiting the same vulnerabilities in multiple browsers, and Firefox placed third with 20 percent.

Despite the higher number of bugs, Mozilla ranks first in issuing patches, averaging only a day after public disclosure. Opera and Safari closely follows, while IE ranks last, avering nine days per patch. As for operating system patches, Sun has the highest patch development time at 89 days, while Microsoft ties with Red Hat for the shortest at 13 days.

7 out of every 10 new vulnerabilities uncovered from January through June were bugs in Web applications, and four-fifths of these were easily exploitable. Most of the attacks targeted home users and small businesses.

Phishing has also increased, with the financial sector receiving the bulk of these attacks. Phishing targeting Internet service providers (ISP) accounts ranked second. The United States was both the source of most attacks and the target for most Denial of Service (DoS) attacks.

A copy of the report can be downloaded from Sysmantec’s here.

Mobile phone data retention issues

By

mobile phone and laptop

What happens to your old units when you buy the newest mobile phone units coming out every few months? Are you generous and give it away to a friend or relative? Or do you delete your data according to the manual and try to sell it online, earning some cash in the process? Maybe the last option appeal to you, but be warned that your erased data might not be as gone as you think.

Last month a company named Trust Digital bought ten phones from E-bay and managed to recover data from all of them. The data ranged from personal information and bank account details to company communications. They recovered all this data because smart phones today use flash memory to store information, and it’s slow to erase information from them. Such flash memory are also used in music players and digital cameras. Only a zero out reset of the device can ensure the total obliteration of data. The same issues can arise with people selling their laptops online. Software easily obtainable online can recover records of your online transactions, which can then lead to sensitive personal data.

It may seem difficult to make a profit from getting information from an old mobile phone or laptop, but seeing the rise in corporate data breaches from stolen mobile gadgets, it’s not improbable that someone would attempt to do so. The best tip in this situation is to contact your gadget manufacturer for detailed instructions on a complete data erasure. If your device has password protection, you can try to type your password incorrectly until you are notified that the action will erase all of your data.

How pharming works

By

e-bay splash page
Though we’ve recently covered a few scams about phishing and e-mail, some swindlers have graduated from targeting victims one-by-one to a large-scale scam called pharming. Pharming can reel in potentially millions of unwitting victims to their schemes without anyone realizing it.

Pharmers divert as many users as they can from legitimate commercial sites to malicious ones. These sites look exactly like the genuine site, but when users sign in with their log-in names and their passwords, this information is taken by criminals. Once they have these, they can access your account information and take credit and bank account numbers for their own nefarious use. Pharming are often targeted o auction and banking sites where financial rewards are great.

The most alarming pharming threat involves something called DNS poisoning. All the hosts in the internet are identified by numbered strings called IP addresses, and computers identify different sites using these. Because it’s difficult to remember a string of 32 numbers, the Domain Name System or DNS translates these addresses to a string of text that will serve as its directory entry. A DNS directory gets poisoned when it’s altered to hold false information leading to the bogus site. Typing in the site URL serves as no guarantee, because you will still be taken to the fake site. Even savvy net users can be caught by this technique.

Site users can protect themselves by logging onto their sites using a secure (https://) connection. If you’re suspicious, you can also check your commercial site’s security certificates to see if they are real. Some sites like yahoo offer various authentication methods such as personalized seals on their mail service page, so you can identify the real site from the fake ones.