Tag Archives: Security

Preparing for the cybercrime of the future

My friend Frank helped organise what looked like a great event at the Computer Lab recently – called Cambridge2Cambridge, it’s a joint initiative between us and MIT, and they’ve done a splendid video about it.

More information here.

Always look on the dark side of life

I love these nihilistic security questions from Soheil Rezayazdi…

[Image: nihilistic security questions]

Thanks to Rory C-J for the link.

Not as secure as it SIMs

If you knew, or cared, anything about the way your mobile phone communicates with the mobile network, you may have believed that your calls were secure and private, at least as far as the core of your provider’s network. They should be, too, if you’re on a 3G or 4G network: the SIM in your phone includes encryption keys known only to it and the mobile provider, and these are used to encode the voice and text traffic so that anyone snooping on the radio signal, or on the backhaul network between the base station and the provider’s headquarters, would not be able to make head or tail of the stream of bytes flowing by. To do so on any scale would need vast amounts of computing power.

However, if this article in The Intercept, The Great SIM Heist, is correct, the NSA and GCHQ have a much better approach. To quote the article:

Adi Shamir famously asserted: “Cryptography is typically bypassed, not penetrated.” In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force.

So that’s what they allegedly did, according to the latest revelations from Ed Snowden: they hacked into the networks of the SIM card manufacturers, most notably Gemalto, the largest in this field and a supplier to 450 mobile providers around the world, and just stole copies of the keys before they were shipped to the mobile providers. They focused on the activities of employees who used email encryption and those exploring more secure methods of file transfer, since they were more likely to have valuable information to hide.

Perhaps the most shocking thing about these thoroughly illegal activities is that the companies and individuals targeted were not in any way assumed to be engaged in illicit activities. They were innocents going about their daily business, but they just had information that was of potential use to the authorities.

Snowden’s information is from 2009/10, so it is to be presumed that this has been going on for some time. Meanwhile, this is what it did to poor old Gemalto’s stock price when the news came out a couple of days ago:

[Image: Gemalto stock price chart]

Learning from the disaster

Most of you have probably heard by now about how the technology reporter Mat Honan’s accounts were hacked and how he lost his Google Mail, his Apple and Amazon account, his Twitter account and the contents of his iPhone and laptop. All in under one hour.

What’s fascinating about this story is that we know how it was done: there was no heavy brute-force attack on weakly-encrypted passwords, no SQL injections on his company’s website. The hackers had no animosity towards him; they didn’t know who he was, they just liked his three-letter @mat Twitter ID. In other words, this could easily happen to you too!

If you haven’t heard the story, then I recommend listening to episode 364 of Security Now, which you can get from here or here. The discussion starts 30 mins into the programme.

You should probably listen to this if you, say, use the Internet…

Brand confusion

An elderly colleague turned to me at lunch yesterday.

“Tell me”, he said, “you’re a computer expert… All of these leaks must mean that nobody in government will be able to use email ever again. Just what are the political motivations of an organisation like Wikipedia?”

© Copyright Quentin Stafford-Fraser