Category Archives: Security

Remote office on demand via web 2.0

Ok, let’s say you left home this morning for an important meeting and, when you got there, you discovered that you have left the presentation file and the whole USB stick plugged on the PC back home. What do you do?

Most people would prefer a typical solution for remote access, like the Remote Desktop service on Windows or a VNC server on Linux. Usually, these server applications are configured to start on system boot and stay up, regardless if you need them or not. In the worst case, you may even forget all about them after some time, creating yet another security vulnerability for your system. Ideally, we would prefer the option of turning these servers on and off on demand, but the problem is that you’re not in front of your desktop PC to do so.

We have not yet found a way to “wake up” a server that it is not even running, so that you can connect to it and start it. Nevertheless, a combination of tools and web services can enable just that. I was wondering if it is possible to signal my home computer to start a server on demand, via a telephone (modem) or something, but I ended up in a much different and much more efficient way.

It seems that web 2.0 is becoming much more than a social thing. It can also be used a public “bulletin board”, accessed through various means and devices, making it a perfect “triggering” platform for web-enabled applications. Likewise, VNC is now becoming a standard practice for home and small-scale remote accessing, something like a mini-cloud architecture, for individual users for their own private needs. A combination of all these technologies can build up into a seamless service that can be characterized as a true “remote office via web 2.0” – definitely science fiction for those who have witnessed the birth of World Wide Web, only two decades ago.

Read the full article in my homepage >>

Advertisements

Old Nokia 1100 mobiles sold for 25.000 euros, firmware exploit for e-banking fraud

The news is a bit old by now, yet it still hasn’t gotten the proper attention by the mainstream media. Of course, for security experts, it’s no news at all. Everybody knows that cellular networks today are far from secure when it come to proper user/device authentication and firmware protection against tampering.

This incident proves two facts. First, the security in an ICT system is as string as its weakest link. And second, the public is totally unaware and uninformed about how security affects everyday life now, it’s not something that only freaks and scientists think about.

In short, the situation is this: The company (Nokia in this case) has used weak keys and/or encryption to its proprietary firmware on, very deprecated by now, Nokia 1100 mobile phones, or the keys have somehow leaked to the “public”. As a result, someone could read, decrypt, modify, re-encrypt and re-embed the firmware into the device’s EEROM. As all mobiles can be reprogrammed to recognize any phone ID in the network they’re connected (similarly to re-configuring a MAC address in an Ethernet card), a malicious user can reprogram such a mobile to “listen” to data packets sent to another person’s mobile.

In this case, it’s not just eavesdropping. If that person uses mobile banking services, he’s at great risk. Typically, banks use TAN codes (transaction authentication number) from a one-time pad or a similar random number generator device, commonly referred to as TAN generator. In case of mobile banking, the bank simply sends such a code called “mTAN” to its client’s mobile via a SMS (text) message that the user can enter in order to complete a transaction. In theory, this works perfect, unless someone else gets that mTAN message too and uses it first to do a large money transfer to an off-shore account…

The discovery was made by Ultrascan-AGI last April (2008), a securty analysis consulting company, when it detected that the eBay prices of that particular mobile phone when from 100 euros to 1.000, then to 7.500, then to 10000, reaching 25.000 euros in late April 2008. The firmware hacking was tested and confirmed, but Nokia never admitted any key leaks for the firmware.

More on this subject: