Vodaphone SureSignal appliance rooted by THC

• Vodaphone sells a 3G Signal Boosting appliance for home users to boost mobile reception in their homes. The device sells for 160GBP ($260 USD)
• The FemtoCell or SureSignal appliance connects to the VodaPhone network via your home internet connections, and relays mobile phone signals
• The Hackers Choice (THC, developers of the well known hacking tool Hydra) managed to reserve engineer the device and brute force the root password. THC has been actively working on exploiting various devices of this nature since 2009
• Once compromised, the device can be turned in to a full blown 3G/UMTC/WCDMA call interception device.
• The FemtoCell uses the internet connection to retrieve the private key of the handset that is attempting to use the cell, in order to create an encrypted connection.
• In it’s intended mode of operation, the FemtoCell can only be used by the person who purchased it
• The FemtoCell has a limited range of about 50 meters (165 feet)
• With a rooted device, an attacker can get the secret key of any Vodaphone Subscriber
• With a users secret key, you can decrypt their phone calls (if they are within range), but also masquerade as their phone, and make calls at the victims expense.
• This attack also grants you access to the victims voicemail
• The root password on the Vodaphone device was ‘newsys’
• Some question whether Vodaphone should be held liable for not protecting their customers
• Quote from THC “Who is liable if the brakes on my car malfunction? The drive or the manufacture? Or the guys who tell us how insecure they are?”
  THC Wiki page on the Vodaphone device, includes Diagrams

Fake Facebook App promises invites to Google+ to steal your info

• When you visit the unofficial page for Google+ on Facebook, you are invited to allow the 3rd party app to access your facebook account (common requirement to use any facebook app)
• Specifically, this app requests access to post on your wall, allowing it to spam all of your friends, inviting them to join as well. It also requests access to all of your personal data
• You are then requested to ‘Like’ the app, and then invite all of your friends (Again, this is common with many Facebook apps, especially games, where inviting your friends can offer in-game rewards)
• Your friends then accept the invite, assuming it is legitimate because it came from you
• Now this application has managed to spread wildly and has complete access to your facebook profile, allowing it to scrape all of your personal information, as well as use your account to promote further fake and malicious applications.
• You need to watch what applications you are allowing access to your profile, and specifically which rights they are requesting. Does that game really need ‘access to your data at any time’, rather than only when you are using it? Do you trust it with access to post to your wall?
• This trend has been dubbed TrendJacking

Feedback

Q: (Peter) While investigating different data centers to house our application, one of them mentioned that we should use physical servers to host our database, rather than hosting the database in virtualization like vmware. This this true?

A: There are a number of reasons that a physical server is better for a database. The first is pure I/O. In virtualization, there is always some level of overhead in accessing the physical storage medium, compared to doing it natively. There is also an overhead even with hardware virtualization for CPU cycles, Disk Access, Network Access, etc. In it generally considered best practise to keep your database on physical hardware. That doesn’t mean you can’t virtualize it, but if you are worried about performance, I wouldn’t.

Q: (nikkor_f64) In the recent ‘usage based billing’ legal battles in Canada, the smaller ISPs are proposing to use 95th Percentile Billing, what is that?
A: 95th Percentile billing is the way most carrier grade Internet connections have been billed for as long as I have been in the business. The concept is quite simple, rather then charging the subscriber for the amount of bandwidth that they use, such as pricing per gigabyte, the billing is based on peak usage. Typically, the rate of data up and down the link is measured every 5 minutes (routers count every bit as it goes though, but looking at that counter every 5 minutes, and subtracting the value from 5 minutes ago, you can determine the average speed for the last 5 minutes). Then, as the name suggests, you take the 95th percentile of those values. This is done by sorting the list of measurements, then deleting the top 5%, the highest measurement left, is the 95th percentile, and you pay for that much bandwidth. Some might argue, but that is more than I actually used, my average was far less than that. The key to why this system works, is that it charges the subscriber for the peak amount of bandwidth they used, save for a small grace. This allows the ISP to properly budget for the capacity they need to serve that customer. Normally, your contract will be something like: a 5 megabit/second commitment, with 100megabit burstable. This means you have a full 100/100 megabit connection, and you will pay for 5 megabits/second minimum at a fixed price. You will also be quoted a price for ‘overage’. If your 95th percentile is over 5 megabits, you pay the overage rate per megabit that you are over. You get a lower per megabit rate on your commitment level, but that is a minimum, you have to buy at least that much each month, even if you don’t use it, but the more you buy, the cheaper it is. So, this means that during peak periods, you can use the full 100 megabits, without having to pay extra, as long as your 95th percentile stays below 5 megabits. (5% of a month is about 36 hours, meaning you get the busiest 1 hour of each day, for free)

Q: (Justin) What would be the weaknesses of using GPG to encrypt my files before storing them in the cloud.
A: There are a few issues:
1. Key Security – You need to keep the keys safe, if they fall in to the wrong hands, then your data is no longer secure.
2. Key Management – You also have to have access to the key, where ever you are, in order to access your data. Unlike data that is protected with a simple passphrase, in order to access your data, you need the key. So if you are on your mobile, and you need access to your data, how do you get access to your key? If you store a copy of your key on the mobile, is it secure? Also, if your key is lost or destroyed, then there is no way to access your data, so you have to safely back it up.
3. Key Lifecycle – How often should you change your key? How many different keys should you use? If you use multiple keys, less data is compromised in the event that one of your keys is exposed, but it also complicates Key Security and Key Management.
4. Speed – Asymmetric encryption, such as GPG is far slower than symmetric encryption algorithms like AES. This is especially true with the newer Intel i7 processors having a specific AES instruction set that increases performance by about 8 times. This is way sometimes, you will see a system, where the data is encrypted with AES, and then the key for the AES is then encrypted with GPG. Giving you a hybrid, the strength of GPG with the speed of AES.
5. Incremental Changes –

Round-Up:

• After 4 Years… New PuTTY update released!
• The fanless spinning heatsink: more efficient and immune to dust
• Follow-Up: More on Stuxnet
• “Artist” adds spyware to apple store computers to photograph customers
• Follow-Up: “Artist” Gets Secret Service Visit Over Apple Store Webcam Spying

Bitcoin Blaster:

• Silk Road is still kickin, here’s a review
• Bitcoin Mining Update: Power Usage Costs Across the US
• Canadian Bitcoin Exchange, Buy BTC via Electronic Bill Payment
• Chris’ bitcoin linkroll on Pinboard

Download & Comment: