Freshly back from a new round of security-based conferences, I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically, how by using a frequency flooding technique on 2G networks it's possible to do a MiTM type of eavesdrop on conversations & data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on rooted phone):
DISCLAIMER: Forcing 3G mode will use more battery life
Also if you’re not on GSM don’t try this @ home…duh

Open Dialer and Enter: *#*#4636*#*#
After inputting the number you will be prompted with a “Testing” menu
Choose “Phone Information”
Scroll all the way down to “Set preferred network type” and change this setting to WCDMA_only
That’s it!

Droid 3G Only Mode

I take no credit for the fix above as it was posted on the android dev forums.
Also, this protects you from this exploit and any others targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android based posts.

Pimpin’ is Pimpin’

Posted: 2009/06/11 in Uncategorized

I must apologize for the lack of updates.
Between work and other projects my hacking research has suffered.
BUT! Rest assured the security pimp is still pimpin’
I’m just doing it in another fashion at the moment.
My first home studio album will be released next month..
Hopefully still with enough time to give my hacking skills a week or 2 to prep up for Blackhat & Defcon this year ..

Find out more about my musical project Here

With all the disease scare going on lately.
Just a reminder to clean out those Doritos chip lined keyboards every once in a while.

Keyboards Are Disgusting


Curtis & Kenneth Wiltshire were arrested & charged with identity theft using stolen data.

A former employee at the Federal Reserve Bank of New York and his brother were arrested Friday on suspicion of obtaining loans using stolen identities.

Having seen some pretty shabby excuses for IT analysts thru the years somehow I suspect this may just be the tip of the iceberg ..

Read More Here …

RSA researcher Ari Juels sat down with SearchSecurity.com to discuss various topics, one of which was the constrained capabilities of RFID (like wireless bar codes) and how they affect the security posture needed to secure these devices.

But, in fact, it’s possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags — those are an optional security mechanism — and even the privacy feature on the tags, what’s called the “kill” function, a self-destruct feature that’s meant to protect consumer privacy. We’ve shown ways the tags can be commandeered for authentication.

Read More Here …

Since it is Earth Day it is a good day to review a new website which helps show how green your neighborhood is (or is not). This new website UrbanEcoMap.com will have the ability to show the carbon levels in a given zip code. Currently the city of San Francisco is the only city supporting this project, but hopefully more cities will follow suit after this project goes live in 29 days.

Read More Here …
Or find out about more IT & Carbon Reduction projects Here …

There is a cNet report on the director of the NSA stating

“We do not want to run cybersecurity for the U.S. government”

At least not for all the government agencies, just a select few. With all the latest high profile security breaches on government facilities the brutal honesty of the statement is understood. And it is promising to note some plans are in the works to fix the situation. We have more than enough skilled security experts in this nation, it’s about time we try to tap every resource possible to help strengthen our national cybersecurity posture.

I suspect we may never really know the full impact some of these security breaches have had.

Read More Here …

On this day in history in 1943, Albert Hofmann unknowingly became the first human guinea pig for a lysergic acid compound he was conducting tests on when he accidentally ingested it, thus becoming the first person to hallucinate on lysergic acid diethylamide (LSD).

What was interesting is this was first used to treat schizophrenia?
Somehow I would figure this would have an opposite effect but then again what would I know about it ..

Watch This Day in History Clip …

Suffering the same fate as many other technology projects during our economic slowdown, it appears the CommerceGuard project has had its operations suspended by GE. The CommerceGuard project was responsible for development of the CommerceGuard Container Security Device System (CSD), whose purpose was to track and secure shipment containers. The system was developed to meet the needs set forth by the Department of Homeland Security (DHS), which called for

a sophisticated security system within the electronics industry that can detect unauthorized breaches on all six sides of a standard cargo container or an intrusion through the door while also monitor and relay conditions inside the container such as humidity temperature and oxygen levels.

Put simply.
A more effective and secure way to track and audit who is accessing cargo containers shipped before it hits our shorelines.

Still, early February of this year began to signal the beginning of the end for the project, when it appeared that GE was not interested in further testing the technology. This was done just prior to a critical round of testing by DHS. Perhaps the reason for the hesitation in further testing was that the solution uses RFID technology, a technology proven long ago to be susceptible to hijacking & hacking attempts. The company cited a variety of reasons, from developmental costs and speed of updated data to maintenance costs.

A bit more on the CSD technology concept.
It uses 2 devices to monitor whenever a cargo container is opened or closed. The internal wall sensor & the door sensor work in unison to monitor and make a note of the date, time, and location of containers as they are accessed. It will also audit the number of times this information has been queried and by whom. This process is kicked off by the shipper as they seal and virtually “Lock” their container using a handheld mobile device. This information can be referenced by receiving ports and either inspected or cleared based partly on this type of access audit. It can also be exported to various standardized data formats.

EDIT: This post was edited to correct inaccuracies on some of the details provided. Apologies for the Error..

The guys over at infowars.com made note of an interesting fight brewing up between a Boston College student backed by the EFF & a Legal firm vs. The Newton Courts, of Mass.

Fairly easy to note the ignorance of their technical staff with the following statement:

“Uses two different Operating systems to hide his illegal activity… and the other a black screen with a white console which he uses prompt commands on”

It may be safe to say their Criminal “Technical” investigations team are all fresh DeVry grads? If they would just pick up any used IT books from Amazon.com they may learn that pretty much every operating system used today allows some type of console (and this is usually black w/white text).
So this statement is basically stating using ANY operating system makes you a possible criminal who should have their computer system investigated?
So I have to ask, do firewalls and routers fall under this umbrella theory as well? How about my managed switches?
Do I risk someone coming in and stripping my network infrastructure in the interest of national security?
Since who knows I may be using my consoles to perform illegal activity like update wireless hardware to an unsupported customized firmware :GASP:

I suspect their next statement would be something along the lines of:

“The system had a web browser which allowed them to plan illegal activities so their criminal intent was obvious”

Sorry Guys Try Again!

Read More Here …