
Saturday, September 29, 2018

What Information Can Be Pulled Off A Mobile Device SIM Card?

I recently taught a mobile forensics course and asked my students to identify what kind of information can be retrieved from a mobile device SIM card.  Here’s a list of some of the retrievable information the students came up with:

Integrated Circuit Card Identifier (ICCID) – this is the number that is printed on the SIM card itself.  It is nineteen or twenty digits long.

International Mobile Subscriber Identity (IMSI) – this is the number that identifies a SIM card user on a GSM network.  It is stored in the EF(IMSI).  It is a fifteen-digit number.  Three components that make up the IMSI are:
  • Mobile Country Code (MCC) – the first three digits identify the country.
  • Mobile Network Code (MNC) – the next two digits identify the cell provider (the mobile network) in a GSM network.
  • Mobile Subscriber Identity Number (MSIN) – the next nine digits identify the mobile unit in a GSM network.
Service Provider Name (SPN) – the mobile provider’s name.  This can be found from the ICCID.

Mobile Station International Subscriber Directory Number (MSISDN) – basically, the SIM card’s telephone number.  This number can vary from fifteen to sixteen digits long.  The MSISDN is stored in EF(MSISDN).  It is made up of three components:
  • Country Code (CC) – up to three digits
  • National Destination Code (NDC) – two or three digits
  • Subscriber Number (SN) – up to a max. of ten digits
Abbreviated Dialing Numbers (ADN) – these numbers are shortcuts on the phone for the most frequently dialed phone numbers.  They are created by the subscriber and are stored in the EF(ADN) file.

Last Number Dialed (LND) – This is a listing of the most recent calls and can be found in the EF(LND).

Short Message Service (SMS) – Short messages sent to other phones with a maximum length of either 160 or 70 characters.  These messages can be found in the EF(SMS) file.  These messages show not only the message but also the time the message was sent, the sender and receiver’s phone number, etc.

Language Preference (LP) – the preferred language of the subscriber.

Card Holder Verification (CHV1 and CHV2) – allows access to files after the user’s verification of PIN 1 (CHV1) or PIN 2 (CHV2).

Ciphering Key (Kc) – a 64-bit ciphering key used for encryption and decryption of data on an over-the-air channel.  It is generated by the Mobile Station from a random challenge by the GSM network.

Fixed Dialing Numbers (FDN) – phone numbers added to a list and the SIM restricts outgoing calls only to those numbers listed.

Location Area Identity (LAI) – the LAI is stored on the SIM card so that a phone knows what location area it is in and is able to receive service.  If a phone changes areas, the new LAI is stored in the SIM.  This is great for investigators, who can read off a list of where the SIM card has been geographically.

Temporary Mobile Subscriber Identity (TMSI) – the SIM is assigned a TMSI by the Mobile Switching Center (MSC) whenever a phone is in the vicinity of a new MSC.  Information about the phone is stored in the Visitor Location Register (VLR) and the phone is given a TMSI which allows the subscriber to be uniquely identified.

Service Dialing Numbers (SDN) – Numbers that are installed by the service provider which cannot be changed or deleted by the user.  The SDNs are usually hidden.
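To show how the structured identifiers above (IMSI, MSISDN, ICCID) decompose in practice, here is an added Python example; it is not part of the original post or the class material. The field widths follow the post's descriptions (MCC 3 digits, MNC 2 digits, MSIN 9 digits; CC up to 3, NDC 2 or 3, SN up to 10; ICCID 19 or 20 digits). Two things go slightly beyond the post and are labelled as such in the code: the MNC length is a parameter because North American networks use three-digit MNCs, and the ICCID check verifies the Luhn check digit that ITU-T E.118 ICCIDs carry. All sample values and the tiny country-code table are constructed for illustration.

```python
"""Decode the SIM identifiers described in the post.

Added example, not from the original post. Field widths follow the post's
descriptions; sample values are constructed and COUNTRY_CODES is a deliberately
tiny stand-in for a real numbering plan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IMSI:
    mcc: str   # Mobile Country Code (3 digits)
    mnc: str   # Mobile Network Code (2 digits per the post; 3 in some regions)
    msin: str  # Mobile Subscriber Identity Number (remaining digits)


@dataclass(frozen=True)
class MSISDN:
    cc: str   # Country Code (1 to 3 digits)
    ndc: str  # National Destination Code (2 or 3 digits)
    sn: str   # Subscriber Number (up to 10 digits)


def parse_imsi(imsi: str, mnc_len: int = 2) -> IMSI:
    """Split a 15-digit IMSI into MCC(3) + MNC(mnc_len) + MSIN.

    The post describes a 2-digit MNC; North American networks use 3 digits,
    so the length is a parameter and the MSIN absorbs the difference.
    """
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return IMSI(mcc=imsi[:3], mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


# Constructed, partial country-code table (assumption: a real decoder needs
# the full ITU E.164 country-code list).
COUNTRY_CODES = {"1", "33", "44", "49", "86", "91", "353"}


def parse_msisdn(msisdn: str, ndc_len: int) -> MSISDN:
    """Split an international MSISDN (optional leading '+') into CC + NDC + SN.

    The country code is found by longest-prefix match against COUNTRY_CODES;
    the NDC length differs between countries, so the caller supplies it.
    """
    digits = msisdn.lstrip("+")
    if not digits.isdigit():
        raise ValueError("MSISDN must be decimal digits")
    cc = next((digits[:n] for n in (3, 2, 1) if digits[:n] in COUNTRY_CODES), None)
    if cc is None:
        raise ValueError("unknown country code")
    if ndc_len not in (2, 3):
        raise ValueError("NDC is 2 or 3 digits")
    ndc = digits[len(cc):len(cc) + ndc_len]
    sn = digits[len(cc) + ndc_len:]
    if len(ndc) != ndc_len or not 1 <= len(sn) <= 10:
        raise ValueError("subscriber number must be 1 to 10 digits")
    return MSISDN(cc=cc, ndc=ndc, sn=sn)


def luhn_ok(number: str) -> bool:
    """Luhn check: double every second digit from the right, sum, expect % 10 == 0.

    Not mentioned in the post; ITU-T E.118 ICCIDs end in a Luhn check digit,
    so a failing check usually means a mistyped or mis-read card number.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_iccid(iccid: str) -> bool:
    """19 or 20 digits (per the post), telecom industry prefix 89, Luhn-valid."""
    return (iccid.isdigit() and len(iccid) in (19, 20)
            and iccid.startswith("89") and luhn_ok(iccid))


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_imsi("310150123456789"))
    print(parse_imsi("310150123456789", mnc_len=3))
    print(parse_msisdn("+14155551234", ndc_len=3))
    print(check_iccid("8901260123456789011"))
```

For forensic work the useful part is the split, not the arithmetic: an examiner reads the EF(IMSI) and EF(MSISDN) contents from a SIM image and wants the country, operator and subscriber fields separated and sanity-checked before they go into a report.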

Thanks to my Mobile Forensics class students!



Saturday, January 27, 2018

Apple Pay – How Printed Store Receipts are Handled


Diane and I had an interesting couple of transactions. Around the holidays, Diane and I went to one of the big box retail stores and bought her Mom a couple of boxes of disposable heating pads for a sore shoulder. I used the Apple Pay app on my watch to pay for the pads. Last week her Mom let us know she did not need the second box so Diane brought that box back today with the original receipt.

There was some confusion at the store about the credit card number on the original receipt because it did not match either of the two cards Diane and I have. We were concerned the original transaction may have gone on someone else’s card and, with us returning the heating pads and getting credit on one of our cards, we may have gotten ourselves in some kind of trouble.

When Diane got home we looked at our credit card detail and sure enough – the $77.85 we spent on December 27 was listed. So, why was the last four unknown (to us) digits wrong on the original receipt? A little more digging found similar receipts with the same unknown four digit number for Apple Pay purchases.

With a little investigating, we were able to figure out what happened.  When you use Apple Pay, the card number on the receipt reflects your device ID, not the last 4 digits of your credit card. There is also no name on the receipt – it will be listed as “Contactless”. This way, if you drop a receipt and someone picks it up, there is no way you can be identified. It has no personal information on it. If you use Apple Pay, check it out the next time you buy something with it.

Not having to take my card out of my wallet, no Personally Identifiable Information (PII) on the receipt... added privacy and security – good stuff!

Monday, December 2, 2013

What is Bitcoin and how does it work?

You may have heard last week that a single Bitcoin unit reached a value of $1000. Lots of people have been asking lately about them. So.... what are they and how do they work? Here are some details snagged from www.bitcoins.com, a site that was put together and went up last week from Mt. Gox.
What is Bitcoin? Bitcoin is a digital currency you can use for personal transactions or business at high speed and low cost. 
How are Bitcoins created?
Instead of being made on a printing press or by a central authority, Bitcoins are created through software available to anyone. Individuals and groups willing to dedicate computer processing power to support the Bitcoin network are rewarded with Bitcoins for their work. This process is known as mining. Most Bitcoin users do not mine, but purchase or trade for their Bitcoins. Mining doesn't affect the average Bitcoin user much, but is still a very important part of the Bitcoin ecosystem.

How are Bitcoins secured?
All newly mined Bitcoins, along with every transaction, are publicly recorded. This record is known as the blockchain. While the blockchain records transaction details, it does not record any personal identifying information about the senders or recipients. The blockchain is a critical feature to maintain the transparency of the Bitcoin system, and make counterfeiting or double spending impossible.

How do you use Bitcoins?
Let's look at a step-by-step example. Say you want to give some Bitcoins to a friend to pay for gas on a roadtrip. You’ve both got the bitcoin app on your mobile devices and have internet connectivity.
  1. Find out your friend's wallet address by typing, pasting, or scanning it. You can then save the address to use later if you want.
  2. Convert your desired currency amount into Bitcoin. Verify the desired payment amount and send.
  3. The amount in Bitcoin is now deducted from your balance, and entered into the blockchain as a transaction so it cannot be spent twice.
  4. Your friend immediately sees the unverified transaction.
  5. The transaction is verified on the network, and then deposited into your friend's wallet.
Be sure to check out www.bitcoins.com along with the Mt Gox site for more details.
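The five steps above can be followed in a toy ledger. The Python below is an added example, not code from bitcoins.com, Mt. Gox or the Bitcoin project, and it strips out mining, signatures and networking to show one thing: once a transaction claiming a coin has been submitted (step 3) and confirmed (step 5), a second transaction claiming the same coin is rejected, which is what "cannot be spent twice" means in practice. The names, amounts and the `Ledger` class are constructed for illustration.

```python
"""Toy ledger with unspent-output tracking and double-spend rejection.

Added example, not from the original post or the Bitcoin project. No
signatures, proof of work or peers: transactions reference earlier outputs
by (txid, index), and an output can be claimed at most once.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

OutRef = Tuple[str, int]  # (txid, output index)


@dataclass(frozen=True)
class TxOut:
    address: str
    amount: int  # whole units, for simplicity


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[OutRef, ...]   # outputs being spent
    outputs: Tuple[TxOut, ...]   # outputs being created

    def txid(self) -> str:
        payload = json.dumps(
            {"in": [list(r) for r in self.inputs],
             "out": [[o.address, o.amount] for o in self.outputs]},
            sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.utxo: Dict[OutRef, TxOut] = {}   # confirmed, unspent outputs
        self.reserved: Set[OutRef] = set()    # claimed by unverified txs
        self.pending: List[Tx] = []           # step 4: visible, unverified
        self.chain: List[List[Tx]] = []       # confirmed blocks

    def mint(self, address: str, amount: int) -> str:
        """Mining reward: a transaction with no real inputs, confirmed at once.
        The synthetic ("coinbase", height) input keeps each reward's txid unique."""
        tx = Tx(inputs=(("coinbase", len(self.chain)),),
                outputs=(TxOut(address, amount),))
        self.chain.append([tx])
        self.utxo[(tx.txid(), 0)] = tx.outputs[0]
        return tx.txid()

    def submit(self, tx: Tx) -> str:
        """Step 3: validate and enter an unverified transaction."""
        for ref in tx.inputs:
            if ref not in self.utxo:
                raise ValueError(f"input {ref} is unknown or already spent")
            if ref in self.reserved:
                raise ValueError(f"input {ref} is already claimed by a pending tx")
        total_in = sum(self.utxo[ref].amount for ref in tx.inputs)
        total_out = sum(o.amount for o in tx.outputs)
        if total_out > total_in:
            raise ValueError("outputs exceed inputs")
        self.reserved.update(tx.inputs)
        self.pending.append(tx)
        return tx.txid()

    def confirm(self) -> int:
        """Step 5: move pending transactions into a block; spend inputs, create outputs."""
        block = list(self.pending)
        for tx in block:
            for ref in tx.inputs:
                del self.utxo[ref]
                self.reserved.discard(ref)
            for i, out in enumerate(tx.outputs):
                self.utxo[(tx.txid(), i)] = out
        self.pending.clear()
        self.chain.append(block)
        return len(block)

    def balance(self, address: str) -> int:
        """Confirmed balance only; pending amounts are visible but not spendable."""
        return sum(o.amount for o in self.utxo.values() if o.address == address)


def demo() -> Tuple[int, int, int, bool]:
    """Returns (bob before confirm, bob after, alice after, double spend rejected)."""
    ledger = Ledger()
    reward = ledger.mint("alice", 50)                       # constructed reward
    pay = Tx(inputs=((reward, 0),),
             outputs=(TxOut("bob", 10), TxOut("alice", 40)))  # 10 to bob, 40 change
    ledger.submit(pay)
    bob_before = ledger.balance("bob")
    ledger.confirm()
    dup = Tx(inputs=((reward, 0),), outputs=(TxOut("carol", 50),))
    try:
        ledger.submit(dup)
        rejected = False
    except ValueError:
        rejected = True
    return bob_before, ledger.balance("bob"), ledger.balance("alice"), rejected


if __name__ == "__main__":
    print(demo())
```

The `reserved` set is the part worth noticing: it rejects a second spend of the same output while the first is still unverified, so the window between step 3 and step 5 is covered as well as the confirmed chain.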

Tuesday, October 8, 2013

DOJ Rejects Transparency Request by Microsoft, Google, Facebook, LinkedIn

Last week the U.S. Department of Justice (DOJ), the primary federal criminal investigation and enforcement agency in the U.S., rejected a request made by Microsoft, Google, Facebook and LinkedIn to be allowed to share more details on what data the companies are providing to the U.S. government. The rejection was made in the name of national security and filed with the Foreign Intelligence Surveillance Act Court (FISCA).

The DOJ's petition to FISCA claims:

The companies’ contemplated disclosures risk significant harm to national security by revealing the nature and scope of the government’s intelligence collection on a company-by-company basis throughout the country. 
Such information would be invaluable to our adversaries, who could thereby derive a clear picture of where the government’s surveillance efforts are directed and how its surveillance activities change over time. If our adversaries know which platforms the government does not surveil, they can communicate over those platforms when, for example, planning a terrorist attack or the theft of state secrets.
FISCA now needs to rule on this.

There is more - other tech companies (Twitter, Apple, Tumblr, Yahoo, etc.) are getting involved, with 72 companies and non-profit organizations signing a letter on September 20, 2013 to the U.S. Senate and House Judiciary Committee chairs supporting two surveillance bills (S. 1452 and H.R. 3035) currently moving through the Senate and the House of Representatives. Here are the full titles of those bills:
S. 1452 - To permit periodic public reporting by electronic communications providers and remote computer service providers of certain estimates pertaining to requests or demands by Federal agencies under the provisions of certain surveillance laws where disclosure of such estimates is, or may be, otherwise prohibited by law.
H.R. 3035 - To permit periodic public reporting by electronic communications providers and remote computer service providers of certain estimates pertaining to requests or demands by Federal agencies under the provisions of certain surveillance laws where disclosure of such estimates is, or may be, otherwise prohibited by law.

Thursday, February 28, 2013

Open WiFi Networks and (Lack Of) Security

I get asked a lot these days whether open WiFi hotspots, like those in certain hotels, restaurants, etc., are secure. My short answer - these days many are not secure and.... regardless.... you should always avoid using them. Here's why.

Most public WiFi hotspots do not encrypt information going back and forth over the air and are not secure. There are lots of free hacking tools that just about anybody can quickly learn to use to capture any information you send back and forth when connected to these networks. Here are some good guidelines originally published by the Federal Trade Commission:
Use these tips to tell if a Wi-Fi network is secure:
  • If a hotspot doesn’t require a password, it’s not secure.
  • If a hotspot asks for a password through the browser simply to grant access, or asks for a password for WEP (wired equivalent privacy) encryption, it’s best to proceed as if it were unsecured.
  • A hotspot is secure only if it asks the user to provide a WPA (wifi protected access) password. WPA2 is even more secure than WPA.
Use these tips for a safer Wi-Fi experience:
  • When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted. The entire visit to each site should be encrypted – from log in until log out. 
  • To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in.
  • If you think you’re logged in to an encrypted site but find yourself on an unencrypted page, log out right away.
  • Don’t stay permanently signed in to accounts. After using an account, log out.
  • Do not use the same password on different websites. It could give someone who gains access to one account access to many accounts.
As a general rule of thumb, an encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. 

How do you get around the connectivity problem? I recommend using a personal WiFi hotspot with security implemented. You can get yourself a dedicated device like the one I have or most smartphones can be used as a hotspot if you pay an additional monthly fee. Here's more information from AT&T on different personal WiFi hotspot options.

Friday, December 2, 2011

Carrier IQ - are You Being Tracked?

Last month, security researcher Trevor Eckhart published a report accusing CarrierIQ of installing malware on more than 140 million devices worldwide. Eckhart also published a video showing CIQ's software secretly running in the background and monitoring a variety of handset activity on an HTC device including key presses, browsing history, SMS logs, and location data. If you have not seen it, here's Part 2 of Trevor's video: 



Yesterday Senator Al Franken from Minnesota "reached out" to AT&T, HTC, Samsung, and Sprint Nextel after they acknowledged their use of Carrier IQ’s diagnostic software to request that they explain (within the next 12 days) what they do with the information they receive from the software.
Also yesterday, Carrier IQ released a statement saying:

We measure and summarize performance of the device to assist Operators in delivering better service. While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.
In addition, the following updates have been posted by The Huffington Post:
Grant Paul, a well-known iPhone hacker who goes by the screenname "chpwn", wrote on his blog that Apple has included Carrier IQ on the iPhone, but the software's default is disabled.
Want to find out if your phone is secretly tracking you? Check out our comprehensive list of the devices and carriers known to use Carrier IQ.

Tuesday, June 7, 2011

Valencia College Homeland Security Forum 2011

On May 8, 2011 John Reynolds and I went to Valencia College in Orlando, FL to interview participants at a Homeland Security Forum. The forum was built around a partnership between the local Transportation Security Administration (TSA), Valencia College and the Department of Homeland Security. The program has been set up to provide TSA employees with college-level classes about homeland security.

It was an incredibly fascinating day - we got to interview about 30 people, all with different roles in homeland security. Here's a short 5 minute and 54 second video that includes some of those interviews.



Thanks Valencia College for an excellent forum!

Wednesday, April 27, 2011

Sony Playstation Network Breach

In an environment where it's difficult to turn a profit on hardware, Sony has pushed for the integration of hardware, software and the network to make money. To have this happen now is really unfavorable.

That's a quote that appears in today's Wall Street Journal from Nobuo Kurahashi, corporate research analyst at Mizuho Investors Securities in Tokyo. It's with reference to the recent hacker penetration of Sony Corp.'s online PlayStation videogame service. The PlayStation Network has an estimated 77 million accounts and allows users to connect online, play games against each other, chat and download television shows and movies. As I write this, it is not known whether hackers got users' credit card information.

Sony, like most hardware companies, has been following the Apple online store model and it appears to be working. According to the Wall Street Journal piece, under a mid-term business plan announced in late 2009, Sony said it aims to have a user base of 350 million network-connected devices while generating revenue of 300 billion yen ($3.65 billion) from the services business.

Yesterday, Sony said the company will stay on  track with current strategy. "This incident doesn't change Sony's fundamental strategy of networking products and providing services to our customers," said spokesman Shiro Kambe to the Wall Street Journal.
As more and more services and content go up into the cloud, more mobile and connected devices are developed, and broadband bandwidths continue to rise, we're going to see more of these kinds of attacks. You could easily substitute a number of other companies in place of Sony in the quote - just pick one with an online store.

Saturday, February 12, 2011

Anonymous, Barr, Stuxnet and Soliciting Hackers Podcast [29:20]

Today, Mike Q and I recorded another podcast with Sam Bowne from City College of San Francisco about how Aaron Barr tracked down Anonymous and paid a heavy price, Stuxnet, The Jester and how U.S. Chamber lobbyists solicited and used hackers. 
You can listen to the 29 minute and 20 second podcast in your browser by clicking the play button below:


Here are the links we refer to in the show:

How one man tracked down Anonymous—and paid a heavy price


US Chamber's Lobbyists Solicited Hackers To Sabotage Unions, Smear Chamber's Political Opponents

US Chamber's Lobbyists Solicited Firm To Investigate Opponents' Families, Children

If you have iTunes installed you can listen to and subscribe to our podcasts by clicking here.

Monday, January 17, 2011

Students Hacking Campus Networks

I teach a telecommunications course to Verizon technicians one morning a semester. On the last day of class in December we were finishing up the final exam and some group presentations. During a break one of the Verizon students went out in the hall to make a phone call and noticed what looked like a guy sitting outside the door trying to hack into the classroom wireless network. He came in and told me so I went out (with a couple of Verizon guys following me) and took a look - sure enough - the guy was sitting outside the door running BackTrack, trying to hack the Verizon classroom wireless access point password.

I asked him what he was doing and he was honest, telling me what he was up to. The odd thing was his attitude - I think he thought I would be impressed. I told him it was against campus policy and could get him kicked out of the college. I also said if he did not stop I would call campus police. And, I told him he was hacking into an access point that was part of a corporate (Verizon) sponsored program and may be breaking the law. He packed up and left quickly.

So - what could happen to students that do this kind of stuff? This is from the Information Technology Resources Unacceptable Uses section of our College Student Handbook:

The following uses of STCC’s Information Technology Resources are unacceptable uses. This list of unacceptable uses is not exhaustive. It is unacceptable to use STCC Information Technology Resources (I’ve only selected a couple that apply in this case):

  • to gain, or attempt to gain, unauthorized access to any computer or network;
  • to intercept communications intended for other persons;
Here’s a piece from the User Responsibilities section of the handbook:

Users must comply with all applicable College policies and procedures and state and federal law. The use of STCC Information Technology Resources is a privilege, not a right, and failure to observe this policy may subject individuals to disciplinary action, including, but not limited to, loss of access rights, expulsion from the College and/or termination of employment. Further, failure to observe this policy may result in violation of civil and/or criminal laws.


Technically, if he was a student, it looks like he could have been kicked out of the college. Was he also breaking any laws? The National Conference of State Legislatures has a section of their website with Computer Hacking and Unauthorized Access Laws listed. Here’s a piece from their site:

"Unauthorized access" entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. These laws relate to either or both, or any other actions that interfere with computers, systems, programs or networks.


In Massachusetts, Gen. Laws Ann. ch. 266, § 33A states:

Whoever, with intent to defraud, obtains, or attempts to obtain, or aids or abets another in obtaining, any commercial computer service by false representation, false statement, unauthorized charging to the account of another, by installing or tampering with any facilities or equipment or by any other means, shall be punished by imprisonment in the house of correction for not more than two and one-half years or by a fine of not more than three thousand dollars, or both. As used in this section, the words “commercial computer service” shall mean the use of computers, computer systems, computer programs or computer networks, or the access to or copying of the data, where such use, access or copying is offered by the proprietor or operator of the computer, system, program, network or data to others on a subscription or other basis for monetary consideration.


So many of us are using tools like BackTrack in our classes. It is critical we let our students know this stuff, if used the wrong way, can get them in a lot of trouble.

I think the guy trying to hack the Verizon classroom network learned a lesson. Three Verizon students ended up following him out of the building (without me knowing), not saying a word. They said when he got out the door he was sprinting across the campus.

Sunday, December 19, 2010

WikiLeaks Update with Sam Bowne

Last week at the Convergence Technology Center's Winter Retreat at Collin College in Frisco, Texas Sam Bowne from City College of San Francisco gave a brief description and update on the WikiLeaks "situation" thus far. Here's Sam's excellent 16 minute and 51 second presentation.


Enjoy!

**********

This video is also available as a podcast. If you have iTunes installed you can listen to and subscribe to our podcasts by clicking here.

Friday, December 3, 2010

WikiLeaks and DNS

[Notes: Click images for higher resolution. This post was originally published on 12/3/10, then edited and repost-ed on 12/7/10.]

We all probably have some idea and opinion (depending on particular sources) about what is going on with WikiLeaks and the exposing of hundreds of thousands of classified US state documents. I'll keep my personal opinions private here. Technically it has been interesting to watch the cat and mouse game and I thought it would be good to diagram how DNS works.

EveryDNS.net, a U.S. DNS provider, pulled WikiLeaks from its database earlier today, taking the controversial site offline. EveryDNS claimed the constant denial of service attacks against the site were so powerful that they were damaging its other customers.

What's DNS and why is it so important? I always describe DNS as basically an internet telephone book - it keeps track of site names (URLs) and the IP addresses of the servers hosting those sites. It is something that is not required to access websites but makes it a lot easier because users only have to remember site names and don't have to remember long IP addresses. You get access to DNS with a web connection from your provider. There are also some good alternative DNS providers you can access as long as you have an internet connection. Here's a diagram I made up showing how it works.
Is DNS required to access websites? No. You can still get to a site by typing in the IP address of the site.

I've got an earlier post on DNS linked here that you may also find interesting.

Thursday, April 22, 2010

Network Security Update Podcast with Sam Bowne

On Tuesday, Mike Q and I did our second network security podcast with Sam Bowne, Professor of Computer Networking and Information Technology from City College of San Francisco. We had a nice discussion with Sam sharing his thoughts on security and providing us with a snapshot of some of the latest and greatest developments in the field of network security.

Here’s some of the questions we asked Sam:

In our last conversation you mentioned that you got a BS and PhD without ever graduating high school. A number of listeners were amazed that you were able to do this and wanted more details – for example did you get a GED? Did you take the SATs?

Mike sent over an article on password cracking – did you see anything interesting in that article?

It’s been over a month since we last spoke. You had mentioned the PWN 2 OWN contest and were also planning to attend some training. Could you tell us the outcome of the contest and anything interesting you learned in your training?

Any interesting news in network security exploits or defenses in the last month?

Sam discusses a number of things in the podcast including:
  • Lifehacker password-guessing
  • Web of Trust Firefox (and Chrome) Extension
  • NoScript Firefox Extension
  • IPv4 Address Exhaustion
  • Wikileaks

Sam's class content, email and lots of other great stuff can be found at http://samsclass.info/ Check him out - one of the best!

Here's how to listen:

To access show notes and audio of our 30 minute audio podcast with Sam titled Network Security Update with Sam Bowne click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

Thursday, March 25, 2010

U.S. Needs More Cyber Security Training and Education

Richard Marshall, director of global cyber-security management at the Department of Homeland Security made some interesting comments yesterday at the FOSE government IT show in Washington, DC. FOSE is a conference focused on cyber-security issues facing the public sector and what it means for protection against threats, cloud computing and new open government directives.

Here are a few quotes Marshall made at the conference, taken from a post over at esecurityplanet.com:

Working in concert with the government, the private sector has made significant strides in improving software security and ferreting out vulnerabilities in the supply chain, but the flow of cyber-security experts graduating from the nation's universities with advanced degrees remains anemic.

One of the most important steps policymakers can take is to nourish the education and training of a new crop of security expert.

No matter how successful we are in those two elements, we are going to fail if we don't invest more money, time, attention and rewards to educate the workforce. That's our legacy-to-be.

The IT industry provides a one trillion -- with a 'T' -- dollar contribution to the U.S. gross domestic product. If you're looking for a metric for cyber-security, money is a good metric.

And my favorite quote from the piece, which I'll probably catch some flak for posting:

Look at all the great football and basketball programs. They're all on scholarships. They're not playing for fun -- they're playing for money. We need to do the same thing with our computer science students.

Nicely said.

Wednesday, March 24, 2010

Network Security – With a Little Help from Our Friends Podcast

A couple of days ago Mike Qaissaunee and I had the chance to talk with Dr Sam Bowne, Professor of Computer Networking and Information Technology at City College of San Francisco. Mike and I have known Sam since 2004. He's one of the best in the country - a tremendous classroom instructor who brings his extensive expertise and passion for networking and network security to his students and his colleagues. Sam is also generous with his knowledge, making his lectures and classroom materials available to anyone who wants to learn. In what we hope will be a recurring role, Sam joined us in a podcast to share his thoughts on security and provide us with a snapshot of the latest and greatest developments in the field of network security.

Here's some of the questions Sam answers:

  1. Sam, you have a BS and a PhD in Physics – how did you end up in networking and security?
  2. You’ve been at CCSF since 2000 – what classes do you teach?
  3. Ethical hacking? Sounds like an oxymoron – what do you mean by ethical hacking?
  4. I know you’ve taken some of your students to DEFCON in Las Vegas. This conference of hackers is probably unlike anything our listeners have ever attended. Could you tell us a little about it?
  5. Are most of the attendees self-taught or do they attend formal classes?
  6. In terms of recent developments (threats, security solutions, and research), what’s been on your radar screen lately?
  7. Sam, how do you keep up with all of this information?
  8. What about your own skills and knowledge? How do you keep these up-to-date?
  9. If a student is interested in learning more about networking – in particular securing a network, how would you advise them to get started? What sort of characteristics – in a student – would make them a good candidate for this type of work?
  10. Now for something from a chat session with a student:
  • my twitter account was hacked :( -- maybe i should hop on that security course just for some personal safety
  • do you, yourself actually keep different passwords for everything?
  • i'm freaked out and want to differentiate all my passwords
  • but, that's crazy!
What advice can you give my student?

Sam's class content, email and lots of other great stuff can be found at http://samsclass.info/ Check him out - one of the best!

Here's how to listen:

To access show notes and audio of our 28 minute audio podcast with Sam titled Network Security – With a Little Help from Our Friends click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

Wednesday, February 17, 2010

Steganography Podcast - Embedding Secret Messages in Online Conversations

On February 15, 2010, Mike Qaissaunee and I recorded a podcast titled Vice over IP: Embedding Secret Messages in Online Conversations. In the podcast Mike discusses embedding secret messages in images and Voice over IP sessions using a technology called steganography. The podcast is based on an excellent article in this month's IEEE Spectrum titled Vice Over IP: The VoIP Steganography Threat. Here's a list of some of the questions Mike answers:

Before we delve into this new topic, let's provide the audience with a little background. First, what is steganography - sounds like a dinosaur?
Can you give us some examples?
How does steganography work?
How do we stop it? Can we?
How would spectrum analysis help detect these messages?
What is network steganography and how does it work?
What are the three methods or flavors of network steganography that researchers have developed? Can you describe each?
Should we be worried?


Fascinating and interesting stuff. Here's how to listen:

To access show notes and audio of Mike Q and my 24 minute and 5 second podcast titled Vice over IP: Embedding Secret Messages in Online Conversations, click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

Tuesday, February 16, 2010

Cookies, AT&T, Facebook And Your Privacy

This post is based on a question received via Twitter from @mmurfsurf. I apologize for the delay in my reply.

Last month, you may have seen a story or two about an AT&T Wireless / Facebook security problem. Some AT&T mobile Facebook users were being logged into other Facebook users accounts. The Associated Press ran an interesting story about a Georgia mother and her two daughters that logged onto Facebook from mobile phones and wound up in a startling place: strangers' accounts with full access to troves of private information. That AP article said the glitch was the result of a "routing problem" at the family's wireless carrier, AT&T -- revealing a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users. In each case, the Internet lost track of who was who, putting the women into the wrong accounts.

Both AT&T and Facebook claim this particular problem has been fixed, but it's brought to the front some major security issues with sites that require authentication. Iljitsch van Beijnum, in an excellent post titled Facebook, AT&T play fast and loose with user authentication over at ars technica, claims 99% of all sites implement user authentication themselves, with some doing it right and others not doing it right. Here's more from van Beijnum:

Putting a password in a normal text box means it's transmitted in the clear. To avoid this, it's necessary to use an encrypted HTTPS session, at least to transmit the password. Some sites do this, others simply send it in the clear where it can be intercepted relatively easily, especially—but not exclusively—on unencrypted Wi-Fi networks, such as Wi-Fi hotspots.

The second problem with home-grown user authentication is that it really only secures a single page. If the user later loads the page again, or loads another page, she would have to type the password again to really be secure. The solution to this problem is for the server to store some information in the form of a "cookie" on the user's system. Cookies for a certain site are automatically transmitted along with every HTTP request made to that site, so the server can recognize the user by the information in the cookie. So far so good. (Ignoring the fact that cookies can also easily be intercepted if sessions are unencrypted.)

van Beijnum lists a couple of cookie related possibilities for the AT&T/Facebook snafu:

Possibility One

When mobile phones first gained the ability to access the Web, a lot of work was done to optimize the experience on slow, memory-starved devices with a slow connection. Much of that magic involves Web proxies. One way for this particular Facebook user authentication issue to come up on AT&T's mobile network would be if there is a caching proxy in between the server and the user that doesn't pay attention to cookies. So if user A with cookie X visits Facebook, the proxy caches the page user A gets. Then, when user B comes along with cookie Y, the proxy simply sends the cached page to user B, which is of course the page that only user A is supposed to see.

Possibility Two

Another possibility is that AT&T uses proxy cookies. WAP, a protocol that was used to create a Web-like experience for phones not capable enough to show the real Web, doesn't support cookies. This makes life hard, so proxies that let WAP clients talk to Web servers often implement "proxy cookies," where the proxy stores the cookies on behalf of the client. However, in that case it's essential that the proxy knows which user it's proxying for at any given moment, otherwise it sends the wrong cookie to the server and the user is logged in as someone else.

It's not clear exactly what was fixed and what happened - at least from the information I have access to. However, it looks like both AT&T and Facebook were at fault - AT&T for mixing up cookies and Facebook for using clear text cookies. It's important to understand it is not just an AT&T/Facebook problem.
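To make the "Possibility One" failure concrete, here is an added example (my own toy code, not from the original post or the ars technica article): a simulated caching proxy keyed on URL alone, beside one that honours the Cache-Control: private and Vary: Cookie headers a site should send on per-user pages. The site, the session cookies X and Y and the page bodies are all constructed sample data.

```python
# Added example, not code from the original post or the Ars Technica article.
# Two toy HTTP caching proxies: one keyed on URL alone (the broken proxy of
# "Possibility One") and one that honours Cache-Control and Vary headers.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

# Constructed stand-in for the web site: a per-user page and a shared asset.
SESSIONS = {"X": "user A", "Y": "user B"}

def origin(path, cookie):
    if path == "/inbox":   # personalised page: must never be served from a shared cache
        return Response(f"Inbox for {SESSIONS.get(cookie, 'nobody')}",
                        {"Cache-Control": "private", "Vary": "Cookie"})
    return Response("static logo bytes", {"Cache-Control": "public, max-age=3600"})

class NaiveProxy:
    """Caches by URL only: whoever asked first, everybody gets their page."""
    def __init__(self):
        self.cache = {}
    def get(self, path, cookie):
        if path not in self.cache:
            self.cache[path] = origin(path, cookie)
        return self.cache[path].body

class HeaderAwareProxy:
    """Never stores 'private' responses; keys on the cookie when Vary says so."""
    def __init__(self):
        self.cache = {}
    def get(self, path, cookie):
        hit = self.cache.get((path, cookie)) or self.cache.get((path, None))
        if hit:
            return hit.body
        resp = origin(path, cookie)
        cc = resp.headers.get("Cache-Control", "")
        if "private" not in cc and "no-store" not in cc:
            varies = "Cookie" in resp.headers.get("Vary", "")
            self.cache[(path, cookie if varies else None)] = resp
        return resp.body

def leaks(proxy_cls):
    """True if user B (cookie Y) receives user A's inbox through this proxy."""
    proxy = proxy_cls()
    proxy.get("/inbox", "X")          # user A loads the page first
    return proxy.get("/inbox", "Y") == "Inbox for user A"

def shared_asset_cached(proxy_cls):
    """True if the public logo is still served from cache for a second user."""
    proxy = proxy_cls()
    proxy.get("/logo.png", "X")
    return (("/logo.png", None) in proxy.cache) if proxy_cls is HeaderAwareProxy \
        else ("/logo.png" in proxy.cache)
```

The header-aware proxy still caches the public asset, so correct headers cost nothing in hit rate; and if the session ran over HTTPS end to end, as the post concludes, the proxy could not cache or read the page at all.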

How can user information and privacy be better protected? The solution is simple and van Beijnum says it well - encrypting all sessions would solve these problems: passwords and cookies can't be intercepted and proxies can't get to the data.

Monday, December 7, 2009

Reader Question: Is Someone Jamming My WiFi?

I recently received the following email message from a reader:

Hello,

I read some of the information you provided regarding Internet signals getting jammed intentionally and otherwise. Perhaps you can shed light on an issue. When our neighbors are NOT home, I can use a PC with wireless internet (set up in a room of my home facing their home) without ever getting knocked off the internet. When they ARE home, the signal repeatedly is lost. However, a laptop in another part of the home is rarely affected.

So I set up the laptop in the PC room and lost signals (when neighbor was home) on both machines (Provider rep. suggested I do this). Neighbor walks dog or otherwise is not on their property and there is no issue with signals. AND it is random. Usually neighbor comes in for lunch break and the Inet signal is lost.

Home from work and it is lost. I unplug wireless and it comes back. On and off. This is a new development (maybe two months). After the local police informed said neighbors to stop calling 911 to report bogus complaints on us, the signals began to drop. So we believe after police warned them to stop wasting 911 resources, they got a jammer and jam our signals at every opportunity to harass us. (Honestly, this is our first and hopefully last neighbor war. We don't know why they hate us so much but have been informed they hate everyone so we try not to feel too special.)

Question 1 - How can we test or otherwise determine the signals are being jammed (we are sure they are but need proof) and pinpoint the source? Prove or show great reason why the source is illegal.

Question 2 - How can we protect the signal from getting jammed?

Thanks for your insight.

I've written here in the past about the jamming of cell phone, GPS and Wi-Fi signals. Here are some ideas and possible answers to the reader's two questions.

Question 1 - How can we test or otherwise determine the signals are being jammed (we are sure they are but need proof) and pinpoint the source? Prove or show great reason why the source is illegal.

The best way to confirm someone is jamming is to use something called a spectrum analyzer. Wireless frequency spectrum analyzers are commonly used to measure signals and interference. You could spend thousands of dollars on a full blown analyzer from a company like Agilent or use a 2.4 GHz USB spectrum analyzer from a company like MetaGeek. The company sells a 2.4 GHz analyzer for $99 that comes with software that will run on both PCs and Macs. According to MetaGeek, this analyzer will track all radio activity from any 2.4GHz device including WiFi, cordless phones, microwave ovens, Zigbee and Bluetooth. The software that comes with the device also graphically shows which channels to use and which ones to avoid. Here's more on when you would want to use a device like this, from the MetaGeek website:
  • If you install, maintain, or troubleshoot access points, find the open channel and minimize the interference.
  • If you work with consumers, avoid a revisit by using a Wi-Spy in case they own a microwave or cordless phone.
  • If you experience WiFi interference on a regular basis, discover competing access points.
  • Conduct site surveys.
You could purchase one of these and, attached to your laptop running on battery, walk around your home looking for jamming/interference signals. If you want to get up into the higher frequencies where 802.11n devices have the option of operating (802.11n can use both 2.4 GHz and 5 GHz frequencies), it will cost you quite a bit more money to measure interference. MetaGeek sells something called the Wi-Spy DBx, a 5GHz analyzer, for $599 that also comes with software.

You may also want to first try KisMAC or iStumbler on an Apple machine or NetStumbler on a PC. These applications run on the computer and give you access point information including the channels being used. Sometimes just swapping a channel can fix interference problems. For example, if your neighbor is using channel 6 you may want to change your access point to use channel 11.
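The channel-swapping advice comes down to spectrum overlap, so here is an added example (my own code, not from the original post or any stumbler tool) that takes the channels a scanner reports for neighbouring access points and picks the 2.4 GHz channel that shares the least spectrum with them. The channel plan and 22 MHz width are the standard 802.11b/g figures; the scan results are constructed sample data.

```python
# Added example, not from the original post: score 2.4 GHz channels by how much
# spectrum they share with the neighbouring APs a stumbler scan reported.
CHANNEL_WIDTH_MHZ = 22        # an 802.11b/g DSSS channel occupies about 22 MHz

def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: 1-13 are 5 MHz apart, 14 is special."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")

def overlap_mhz(a, b):
    """Spectrum that channels a and b both occupy, in MHz (0 if they are clear)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(center_mhz(a) - center_mhz(b)))

def interference_score(candidate, neighbours):
    """Total overlap between a candidate channel and every neighbour AP seen."""
    return sum(overlap_mhz(candidate, n) for n in neighbours)

def best_channel(neighbours, allowed=(1, 6, 11)):
    """Least-overlapping channel from the usual non-overlapping 1/6/11 set;
    ties go to the lowest channel number."""
    return min(allowed, key=lambda ch: (interference_score(ch, neighbours), ch))

# Constructed scan: the neighbour's AP on channel 6 plus a weaker one on channel 3.
SAMPLE_SCAN = [6, 6, 3]

if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(f"channel {ch:2d}: shared spectrum {interference_score(ch, SAMPLE_SCAN)} MHz")
    print("recommended:", best_channel(SAMPLE_SCAN))
```

This only addresses co-channel interference from other access points; a broadband jammer covering the whole 2.4 GHz band leaves no clean channel, which is why the 5 GHz option discussed below matters.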

Question 2 - How can we protect the signal from getting jammed?

If your neighbors are jamming your signal with a well designed jamming device, determining and using an open channel on your wireless access point won't work. If the jamming has been going on for a while, chances are the jammer they are using functions only at 2.4 GHz. I think the best thing to try initially (if you are currently running an 802.11g network) would be to switch over to an 802.11n access point and upgrade to 802.11n on your computers. If you have newer computers, they may have 802.11n support built in.

You could run the 802.11n network at the higher 5GHz frequency, which would be immune to the lower 2.4GHz jamming signals. This would be an inexpensive attempt that would also give you the bonus of much better network bandwidth and immunity from other interference sources (e.g. some cordless phones, microwave ovens, etc.) in your home.

I'm looking forward to hearing if this works.

Sunday, November 9, 2008

WPA - Give It A Crack [Podcast Recorded Today]

German graduate students Erik Tews and Martin Beck have discovered an exploitable hole in WPA, a popular wireless encryption protocol. This week, Tews will present a paper on the topic at the PacSec conference in Tokyo. In this 32 minute and 50 second podcast Mike Qaissaunee and I discuss wireless network security and the newly discovered WPA hole.

Here's a list of questions asked during the podcast:

Where is the information for this podcast coming from?

Why is this important?

So, we've now got a security issue with WPA encryption! Before we get to WPA - can you give us a little background on wireless encryption?

So, the first attempt was WEP. Most devices still support it - why should we not use it?

So, that's not good. What did the IEEE do?

What else did the 802.11i group do - what was the second solution?

So, let me make sure I understand. Older wireless devices can be updated to support WPA which includes TKIP. Now, I've heard of WPA2 - what is that?

So, the new products support both but old products only support WPA. I think I've got it! What did Tews and Beck actually crack?

So the problem is with old devices that only support WPA and TKIP and not WPA and AES?

What is the problem with TKIP?

Now, didn't WEP use checksums this way?

The ars technica piece mentioned short packets are ideal - especially ARP broadcasts. Why?

Let me see if I understand, an attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point.

So it is not something we should be worried about?

What can we do to protect our networks?

Can you describe rekeying?

Now, I've heard of this - you need to be careful. You don't want to enable rapid rekeying unless ALL of your clients support IEEE 802.1x and an authentication method (e.g. EAP-TLS) that supports key distribution.

So, let's get to the point here - WPA really is not broken?

Here's how you can get the answers:

To read show notes and listen to Mike Q and my 32 minute and 50 second podcast (Sept 2006) titled WPA - Give It A Crack, click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

*****

Podcast Reference from ars technica: Battered, but not broken: understanding the WPA crack

Sunday, November 2, 2008

China and TOM-Skype Podcast Recorded Today

Today, Mike Qaissaunee and I recorded a podcast on TOM-Skype. Last month I blogged about a report titled BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype platform. The report was published on Oct 1, 2008 by Nart Villeneuve and the Information Warfare Monitor. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. In this 25 minute and 21 second podcast we discuss the report, confidentiality and security issues with TOM-Skype, the Chinese version of Skype.

Here's a list of questions asked during the podcast:

Can you tell us a little more about this report?

How about some background on Skype in China?

How about some details from the report?

You said these are publicly accessible servers - can others besides the Chinese access these servers?

Can you review the major findings from the report?

What kinds of questions has the report raised?

How does the report say the censorship actually works?

How about some detail on those servers?

The report claims it may be possible to map users' social networks using the logged information. Can you explain?

How has Skype responded?

Here's how you can get the answers:

To read show notes and listen to Mike Q and my 25 minute and 21 second podcast (Sept 2006) titled China and TOM-Skype, click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.