Protect Your New Mobile Devices

Laptops, cellphones, PDAs: they can all be stolen from your home. You want to prevent thieves from making off with your expensive portable devices if possible, but if they’re stolen despite your best efforts, you still want to protect that data. You certainly don’t want to lose access to the data yourself, but you don’t want the thieves to gain access to confidential information that could do you harm either. I am pretty sure that you also want to increase the chances of getting the devices that you’ve paid for back. These 4 statements will make up our goals and objectives for this exercise in securing these often-targeted gadgets.


Protect the data.

Objectives Required To Meet The Primary Goal: 

  1. Prevent the theft of portable devices.
  2. Prevent unauthorized access to data stored on portable devices.
  3. Maintain authorized access to the data stored on portable devices.
  4. Increase the chances of recovery and expedited return of the stolen portable devices.


Well, There Goes The e-Neighborhood!

Nearly 15% of the world’s Internet traffic — including data from the Pentagon, the office of Defense Secretary Robert Gates and other US government websites — was redirected through computer servers in China last April, according to a congressional commission report obtained by

According to a draft report, a state-owned Chinese telco, China Telecom, “hijacked” massive volumes of Internet traffic during the 18-minute incident. It affected traffic to and from .gov and .mil websites in the United States, as well as websites for the Senate, all four military services, the office of the Secretary of Defense, the National Oceanic and Atmospheric Administration and “many others,” including websites for firms like Dell, Yahoo, IBM and Microsoft.

I hope the report is released publicly, as I would like to understand how we can start building IP’s replacement protocol suite, since the baby AND the bathwater are tainted, FUBAR.  I’ve said it for over 10 years, IP is crap, build a new suite with security at its heart!  I hope the governments and big corporations regularly super encrypt their really sensitive stuff…



Increasing Canadian Internet Monitoring

Earlier this month I blogged about the government tabling its latest proposal for increasing Internet surveillance capabilities with 3 little bills (C-50, C-51, C-52).  So far, they have received limited attention despite their potential to completely change the way the Internet is used in Canada.

I am not a lawyer; however, the bills appear to focus on required information disclosure, mandating surveillance technologies, and providing new police powers:  

  • ISPs currently may voluntarily disclose customer information, but are not required to do so.  Under the new rules, Internet Service Providers (ISPs) must provide customer information to law enforcement without court oversight.  The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers.

    The decision to require disclosure of personally identifying information (PII) without any oversight should immediately raise Canadian privacy community concerns.  The ability to link PII with other data will open the door to creating detailed profiles for individuals. 

  • ISPs will be forced to introduce deep-packet inspection technologies that will allow real-time surveillance.  The bill sets out detailed capability requirements that will eventually apply to all Canadian ISPs, including intercepting communications, and isolating the communications of a particular individual.

    The bills also establish reporting requirements including the disclosure of all ISP technical surveillance capabilities within 6 months of the law being enacted.  Follow-up reports are required when providers acquire new technical capabilities. 

  • New police powers will be provided allowing law enforcement to gain access to surveillance data.   These include new data transmission warrants granting real-time access to all information generated during the creation, transmission or reception of a communication, including the type, direction, time, duration, origin, and destination of the communication.  Preservation orders could then be obtained, requiring ISPs to preserve subscriber information for 90 days.  Having preserved the data, production orders can be issued to require the disclosure of the information and data.  

Of course I believe that it is important to provide law enforcement with the necessary tools to address online crime issues, but I fail to see clear evidence that the current legal framework has impeded important police work, and big brother does NOT need to see what we google or how we spend our personal time.  Proposals to alter the fundamental protections afforded to, and privacy expectations of, individuals in Canada come at an enormous financial and personal cost.  If one is suspected of serious wrong-doing, and sufficient evidence can be produced to demonstrate probable cause to a judge, then by all means, phone calls, Internet use, and other communications can be legally intercepted after a warrant is issued. 

Arguments that “those who have nothing to hide have nothing to fear” are clearly misguided. Under this new legislation, anyone with a wireless access point set up at home or experiencing a malware infection could potentially find themselves languishing in jail. Cops trolling through logs looking for anyone that might have done something wrong at some point could scoop them up in the broadest of nets.

I suspect that ISPs are going to see a marked increase in the volume of encrypted traffic on their networks.

Blackberry B/U Encryption Cracked

Think your BlackBerry data’s safe because it’s encrypted on the phone, in the air, and on backup?   Unh-unh-unh, there goes the neighborhood!

Competitive Russian software developers ElcomSoft and AccentSoft together have developed effective password-cracking programs for most common desktop encryption formats and have targeted the BlackBerry with a Phone Password Breaker that was previously limited to Apple mobile devices. Because the device can wipe itself if attacked directly, they developed a tool that works on the backups that the phone and its software can create on your desktop.

Like all password-cracking programs, this tool is a double-edged sword.  It can save your behind if you really need to get at the data backed up from a phone that’s been stolen or remotely wiped.  On the other hand, criminals who get their hands on your backup now have a way to read your business data. 

In testing, it takes much less time to brute-force a password if the password is all one case, subject to a dictionary attack, or partially known. It only takes 3 days to break a 7-letter mixed-case password. It takes a little longer if there are numbers and special characters in the password, or if the password is longer.
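The scaling behind those figures, as an added example (not from the original post or from ElcomSoft): it reads the "3 days for a 7-letter mixed-case password" figure as the time to search that whole keyspace, derives the implied guess rate, and applies it to other backup-password policies. The exhaustive-search reading, the constant guess rate, and all names in the code are assumptions.

```python
import string

SECONDS_PER_DAY = 86_400

# Alphabet sizes for the password classes the post mentions.
LOWER = len(string.ascii_lowercase)                  # 26: all one case
MIXED = len(string.ascii_letters)                    # 52: mixed case
MIXED_DIGITS = MIXED + len(string.digits)            # 62: plus numbers
PRINTABLE = MIXED_DIGITS + len(string.punctuation)   # 94: plus specials


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def calibrated_rate(alphabet_size: int, length: int, days: float) -> float:
    """Guesses per second implied by exhausting a keyspace in `days`."""
    return keyspace(alphabet_size, length) / (days * SECONDS_PER_DAY)


def days_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case days to try every password at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / (rate * SECONDS_PER_DAY)


# Assumption: the post's data point is a full search of 52**7 candidates.
RATE = calibrated_rate(MIXED, 7, 3)   # roughly 4 million guesses/second


def policy_table(rate: float = RATE) -> list[tuple[str, float]]:
    """Worst-case search time in days for several backup-password policies.

    Only valid for randomly chosen passwords: a dictionary word or a
    partially known password falls far faster, as the post notes.
    """
    policies = [
        ("7 chars, one case", LOWER, 7),
        ("7 chars, mixed case", MIXED, 7),
        ("7 chars, mixed + digits", MIXED_DIGITS, 7),
        ("7 chars, all printable", PRINTABLE, 7),
        ("8 chars, mixed case", MIXED, 8),
        ("12 chars, mixed case", MIXED, 12),
    ]
    return [(name, days_to_exhaust(size, n, rate)) for name, size, n in policies]


if __name__ == "__main__":
    for name, days in policy_table():
        print(f"{name:<26} {days:>18,.2f} days")
```

Each extra character multiplies the search time by the alphabet size, so length buys more than adding character classes at a fixed length.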


Researcher Spoofs Cellphone Tower

Kim Zetter reports on Wired that a security researcher created a cell phone base station at DefCon in Las Vegas that tricks cell phones into routing their outbound calls through his device, allowing the interception of calls, even encrypted calls, in the clear. 

The low-cost, home-brewed device, developed by researcher Chris Paget, tricks phones into disabling encryption and records call details and content before they are routed on their proper way through voice-over-IP.  This device mimics more expensive devices already used by intelligence and law enforcement agencies, called IMSI catchers, that can capture phone ID data and content.  The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area.

Paget’s system costs only about $1,500, as opposed to several hundreds of thousands for professional products.  Most of the cost is for the laptop used to operate the system.


Royal London Mutual Insurance Society Security Breached – Action Taken

The UK’s Information Commissioner’s Office (ICO) has found that after 8 laptops were stolen from the company’s Edinburgh offices, the Royal London Mutual Insurance Society was in breach of the Data Protection Act (DPA).  2 of the laptops contained the personal details of 2,135 people.  Those affected were employees of firms which had sought pension scheme illustrations.

The laptops containing personal information were unencrypted but were password protected. This is a common mistake made by management and IT folks alike. Password protection can be easily circumvented. Usually moving the hard disk into another computer is enough, but there are also TOOLS available to those who have their minds set on accessing your PII. An internal report showed that the company was uncertain about the precise location of the laptops at times, and that physical security measures were inadequate. Managers were not aware that personal information was stored on any of the laptops, meaning no additional precautions to secure the data had been taken.

The CEO has signed an Official Undertaking to ensure that portable and mobile devices are encrypted going forward.  The Undertaking also requires appropriate physical security measures to be put in place.  Learn a lesson from the mistakes of others.  Learn to sleep at night, adopt encryption on all mobile devices, and consider it for ALL electronic devices, PERIOD.  It is not a silver bullet for all of your security concerns, but it is definitely high-caliber ammunition!

ICO Enforcement