MWC2016 | SIM Virtual (eSIM)

One of the big novelties at MWC 2016 is the virtual SIM (eSIM). The SIM has accompanied us since the first mobile phones appeared, evolving alongside the technology.

Phones have become smaller and SIMs have too, until they disappear altogether in 2017.

The eSIM will be built into our handset and will be our link to the operator; changing operator becomes nothing more than an administrative process, since the SIM itself stays the same.

When I tried to dig deeper into this topic, to identify other uses of the eSIM in areas such as authentication, I ran into some reluctance from the operators, because I believe they are still not clear that the eSIM stops being theirs and becomes the user's.

One open question is whether phones locked to a single operator will continue to exist.

Operators invest millions of euros every year in protecting their business and in R&D&I so that their SIMs are secure in several respects; why not use that technology for authentication in B2B?

I say B2B because it is something the user uses and demands, and there is still a lot of reluctance about BYOD: the feeling that the company gains access to our photos or WhatsApp means we still carry two phones, the personal and the professional one. But that topic is for another day.

At MWC2017 we will look at how this topic has evolved.

Do we really need a long and complicated password for websites?

Most websites that handle important information (Gmail, for instance) have some kind of brute force protection. Sometimes if you try more than X times it will lock the account or at least give you a captcha to solve.

Currently all the security experts keep saying the same thing: make long, mixed-character, high-entropy passwords. This makes a lot of sense if you think about an RSA key, or something that could be decrypted offline, but is it really important when we talk about online account passwords?

For example, we create a password for Gmail using only 6 letters from the English alphabet. This is approximately 26^6 = 309 million combinations. If we consider that we can test 1 password per second (which I think is faster than we actually can, if you take into account the Gmail captchas), it would take up to 10 years to break it, and 5 years on average.

Points to consider:

  • If you use the same password on different websites, another website could be hacked and your password exposed. I’m assuming that the password is unique, used only with Gmail.
  • If somebody can grab the database they could brute force the hash of your password offline. I’m assuming that the website uses at least a salted hash (very unlikely that the hacker will try to break all passwords) and/or that it is very unlikely that the database will be hacked (it’s a fair assumption with Gmail).
  • I am also assuming that your password is not a dictionary word or something easy to guess. This should rule out multiple-account brute force (e.g. testing the same common password across multiple accounts).

Is it safe to assume that we don’t need a really long password for websites as long as we follow the other security measures? If we suggest that people use a long password just because they normally don’t follow the other security advice (using the same password across accounts, etc.), aren’t we really trying to fix the symptoms and not the cause?
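The arithmetic in the question, carried a step further as an added example (not part of the original post): it computes keyspace, entropy and worst-case/average time-to-exhaust for the 26^6 case and a few other password shapes, under both the 1 guess/second online rate the question assumes and an assumed offline hash-cracking rate, and shows how a per-account lockout policy changes the online figure. The guess rates and the lockout parameters are assumptions, not measurements.

```python
"""Online vs. offline password-guessing time estimates.

Worked example for the question above. Rates are constructed assumptions,
not measured data.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates, not measurements.
ONLINE_RATE_PER_SEC = 1.0      # the question's figure: 1 guess/s through the login form
OFFLINE_RATE_PER_SEC = 1e10    # assumed GPU rate against a fast, unsalted hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)


def effective_online_rate(max_attempts: int, window_seconds: float) -> float:
    """Guesses/second an attacker can sustain against a lockout policy that
    allows at most `max_attempts` per `window_seconds` per account."""
    return max_attempts / window_seconds


def years_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try the whole keyspace; the average is half of this."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def estimate(alphabet_size: int, length: int, guesses_per_sec: float) -> dict:
    """Keyspace, entropy and worst/average cracking time for one threat model."""
    space = keyspace(alphabet_size, length)
    worst = years_to_exhaust(space, guesses_per_sec)
    return {
        "keyspace": space,
        "bits": entropy_bits(alphabet_size, length),
        "worst_years": worst,
        "average_years": worst / 2,
    }


def compare(alphabet_size: int, length: int) -> dict:
    """Same password shape under the online and offline threat models."""
    return {
        "online": estimate(alphabet_size, length, ONLINE_RATE_PER_SEC),
        "offline": estimate(alphabet_size, length, OFFLINE_RATE_PER_SEC),
    }


if __name__ == "__main__":
    shapes = [(26, 6, "6 lowercase"),
              (62, 8, "8 alphanumeric"),
              (95, 12, "12 printable ASCII")]
    for alpha, n, label in shapes:
        r = compare(alpha, n)
        print(f"{label}: {r['online']['bits']:.1f} bits, "
              f"online worst {r['online']['worst_years']:.2e} years, "
              f"offline worst {r['offline']['worst_years']:.2e} years")
    # A lockout of 5 attempts per 15 minutes (assumed policy) slows the
    # online attacker far below the 1 guess/s the question starts from.
    slow = effective_online_rate(5, 15 * 60)
    print(f"26^6 with lockout: {years_to_exhaust(keyspace(26, 6), slow):.0f} years")
```

The same 6-letter password that takes an online attacker about a decade falls in well under a second offline, which is why the offline assumptions in the list above carry most of the weight.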

‘Electronic pickpocketing’ looms as next threat in credit card fraud, police, security experts say

Identity theft doubled from 2012 to 2013 and police are concerned about “electronic pickpocketing” as organised criminals get smarter and take advantage of weaknesses in Australians’ defences.

A study by financial security firm Veda shows credit application fraud is at its highest level since 2009 in Australia, and the company says the main reason is the growing technical skill and innovation of organised criminals.

Queensland fraud and cybercrime detective Brian Hay shares that view, and has warned the ABC that identity thieves may exploit contactless credit card technology in order to wirelessly pick people’s pockets.

He says all it takes is a little technical know-how and a $130 trip to an electronics store to give a potential criminal the tools to steal card details in this way.

The warnings about the rising tide of credit-card theft come after Victorian police said on Wednesday that contactless credit cards were one of the main drivers behind the rise in crime rates in the state last year.

Victoria Police Chief Commissioner Ken Lay said there were 11,600 more credit card deceptions in the 12 months to March 2014 compared with the previous year, and the issue was “chewing up an enormous amount of police resources”.

Contactless credit cards such as Mastercard’s and Visa’s Paypass, payWave and Tap&Go let people make purchases of less than $100 without needing a signature or PIN, and police say it is easy for thieves to take advantage of this.

Police around Australia have given many examples of this type of theft, such as an elderly Tasmanian man whose card was used repeatedly for five days in 2012 before he realised it had been stolen.

Detective Superintendent Brian Hay says the $100 limit means these types of theft are largely opportunistic, and he is more concerned about the potential for “electronic pickpocketing”.

Contactless cards vulnerable to hacking

The cards use radio-frequency identification (RFID) technology, which is vulnerable to hacking.

Mr Hay says while the majority of the credit-card information is encrypted, the card number and expiry date are vulnerable.

“As the card’s chip gets closer to an electronic pulse, it will emit data,” he said.

“Some of that data when it transacts with your credit card is in an encrypted format, but the number of the card and the expiry date is not encrypted so essentially it could be cloned.

“What that means is it gives potential for card cloning and identity takeover if you know your target.”

He says the technology is cheap and readily available in stores like Dick Smith, and he estimates that $127 and technical skill would be enough to buy components and build an RFID hacking device.

“If I had one of those in my pocket, satchel or briefcase, and you were standing next to me on a train and your wallet was in your back pocket and I moved near enough to activate the signal on the RFID, well then I’ve got your details,” he said.

He is keen to stress that electronic pickpocketing is a potential threat rather than an existing problem, but it is a real concern for police.

“It’s not a technique that we’re seeing criminals adopt at this point in time, but it’s a vulnerability in the system,” he said.

Research by credit-security experts Veda suggests it is precisely these vulnerabilities in the system that criminals are exploiting.

The company analysed frauds on Australian banks and credit providers, finding an overall rise of 27 per cent and a 103 per cent spike in identity theft.

“The increase in credit application fraud can be partly explained by growth in credit markets,” said Imelda Newton, general manager of fraud and identity solutions.

“However the real driver has been a change in the way individuals and criminal gangs are using new technologies to exploit and defraud credit providers.”

Risk of identity fraud increasing, forensic specialist says

Forensic specialist Brett Warfield says fraudsters are increasingly stealing identities rather than creating bogus identities because credit providers have gotten better at spotting fakes.

“The shift from identity fabrication to identity takeover confirms that fraudsters are adapting to improvements in identity verification and checking practices,” he said.

He says people’s identities are getting easier to steal because online traders and merchants are increasingly storing customers’ details in databases.

The Veda research draws on an extensive database of confirmed frauds, but Mr Hay says such information is lacking because so much fraud goes unreported to police.

“If you talk to someone who has had their card data compromised, the typical response is that they call the bank, the bank repays the money and issues a new card, but the person doesn’t go to the police,” he said.

“Does the bank or the card-issuing authority go to the police? No.

“So we’ve got a constant daily avalanche of these illegal card transactions taking place … and we don’t know from a law-enforcement perspective what the true situation is.”

He says he expects this to be the case with electronic pickpocketing because people will not realise their details have been stolen until a fraud occurs, and they might not even realise it then.

“You’ve got to look for the $1 or $2 transactions which means your card has been compromised,” he said.

“That means your details have been traded in the black markets globally and they’ve done a little tester to see if your card’s still active.”

He says there is no way to “turn off” the RFID chip in cards, but he has heard of people wrapping their cards or lining their wallets with aluminium to block the signal.

Ms Newton says banks and credit providers can do their bit by introducing more effective identity-checking procedures, especially “out of wallet” checks like secret questions.

“The best protection … is for credit providers to work together and adopt a multi-layered approach to detecting fraudulent activity,” she said.

ISIS’ OPSEC Manual Reveals How It Handles Cybersecurity

IN THE WAKE of the Paris attacks, US government officials have been vocal in their condemnation of encryption, suggesting that US companies like Apple and Google have blood on their hands for refusing to give intelligence and law enforcement agencies backdoors to unlock customer phones and decrypt protected communications. But news reports of the Paris attacks have revealed that at least some of the time, the terrorists behind the attacks didn’t bother to use encryption while communicating, allowing authorities to intercept and read their messages.

Reports in France say that investigators were able to locate some of the suspects’ hideout this week using data from a cellphone apparently abandoned by one of the attackers in a trashcan outside the Bataclan concert hall where Friday’s attack occurred, according to Le Monde. Authorities tracked the phone’s movements prior to the attack, which led them to a safehouse in a Paris suburb where they engaged in an hours-long shootout with the other suspects early Wednesday. These would-be attackers, most of whom were killed in the apartment, had been planning to pull off a second round of attacks this week in Paris’s La Defense business district, according to authorities.

Other reports indicate that a previous ISIS terrorist plot targeting police in Belgium was disrupted in that country last January because Abdelhamid Abaaoud—suspected mastermind of both that plot and the Paris attacks—had failed to use encryption. He also carelessly left behind a cellphone in Syria, which contained unencrypted pictures and videos, including one now-infamous video showing him smiling from a truck as he dragged bodies of victims through a street.

All of this suggests that the attackers were guilty of major OPSEC failures—that is, if it weren’t for the fact that some of them still managed to pull off the Paris attacks without prior detection. This suggests they either did use encryption during earlier planning stages of their attacks, or that authorities were so overwhelmed tracking other suspects—French investigators claim they recently thwarted six other attacks—that they overlooked the suspects who pulled off the Paris attacks. This indeed might be the case since Turkish authorities have said they tried to warn French authorities twice about one of the suspects but never got a response.

Despite this, US authorities have flooded the media this week with stories about how ISIS’ use of encryption and other anti-surveillance technologies has thwarted their ability to track the terrorists. But authorities have also slyly hinted that some of the encryption technologies the terrorists use are not as secure as they think they are, or are not being configured and used in a truly secure manner. So what exactly are ISIS attackers doing for OPSEC?

It turns out that a 34-page guide to operational security (.pdf) that ISIS members advise recruits to follow offers some clues. Aaron Brantly and other researchers with the Combating Terrorism Center at West Point’s military academy uncovered the manual and other related documents from ISIS forums, social accounts and chat rooms. The originals are in Arabic, but the center provided WIRED with translated versions of a number of documents that had been passed through Google Translate.

The guide was originally written about a year ago by a Kuwaiti security firm known as Cyberkov to advise journalists and political activists in Gaza on how to protect their identities, the identity of their sources and the integrity of information they report. But members of ISIS have since co-opted it for their own use as well.

The guide offers a handy compilation of advice on how to keep communications and location data private, as well as links to dozens of privacy and security applications and services, including the Tor browser, the Tails operating system; Cryptocat, Wickr, and Telegram encrypted chat tools; Hushmail and ProtonMail for email; and RedPhone and Signal for encrypted phone communications. Gmail, the guide notes, is only considered secure if the account is opened using false credentials and is used with Tor or a virtual private network. Android and iOS platforms are only secure when communications are routed through Tor.

The manual advises disabling the GPS tagging feature on mobile phones to avoid leaking location data when taking photos—a mistake that a Vice reporter made in 2012 when interviewing murder suspect John McAfee, who was on the lam. Alternatively, operatives and journalists can use the Mappr app to falsify location data and throw intelligence agencies off their trail.

The OPSEC manual used by ISIS also advises against using Instagram because its parent company, Facebook, has a poor track record on privacy, and it warns that mobile communications can be intercepted, even though GSM networks are encrypted. It advises readers to use encrypted phones like Cryptophone or BlackPhone instead.

Dropbox is held up for special condemnation—because Edward Snowden advised against using it, and because President Bush’s former Secretary of State Condoleezza Rice is on the company’s investors board.

There are no surprises among the documents. Most of the recommendations are the same that other civil liberties and journalist groups around the world advise human rights workers, political activists, whistleblowers and reporters to use to secure their communications and obscure their identity or hide their location. The appearance of this and other OPSEC documents in ISIS forums and social media accounts indicates that the jihadis have not only studied these guides closely, but also keep pace with the news to understand the latest privacy and security vulnerabilities uncovered in apps and software that could change their status on the jihadi greatest-hits list.

“This is about as good at OPSEC as you can get without being formally trained by a government,” Brantly, a cyber fellow with the West Point center, told WIRED. “This is roughly [the same advice] I give to human rights activists and journalists to avoid state surveillance in other countries. If they do it right, then they can become pretty secure. [But] there’s a difference between telling somebody how to do it and then [them] doing it right.”

Intelligence agencies, of course, are hoping that ISIS jihadis don’t get it right.

The documents warn that followers should use strong passwords and avoid clicking on suspicious links, to prevent intelligence agencies and everyday hackers from breaching their systems. And there’s advice for communicating even when repressive regimes block Internet and mobile networks to thwart activists from organizing, such as during the Arab Spring. It coaches readers, for example, on how to set up their own private Wi-Fi network or use apps like FireChat to share photos and text short distances without needing internet access.

It advises users to always use a VPN online to encrypt data and prevent ISPs and spy agencies from reading their communication. But it cautions users to stay away from American providers of VPNs and encrypted chat tools and instead use ones like Telegram and Sicher, instant messaging apps made by companies based in Germany, or Freedome, a VPN from the Finnish computer security firm F-Secure. Apple’s iMessage, an end-to-end encryption service, also gets a thumbs-up for being impervious to both spying from government intelligence agencies and Apple itself.

Although US government officials have repeatedly cited WhatsApp as a tool ISIS uses to thwart surveillance, the Kuwaiti manual actually puts the chat application on a “banned” list. Although WhatsApp offers end-to-end encryption, a German security firm found problems with its implementation earlier this year.

Brantly says one thing he hasn’t seen in any documents or discussions found in ISIS forums and social media accounts is mention of Sony’s PlayStation 4 for protected communication. Although a Belgian official told media last week, prior to the Paris attacks, that ISIS operatives in Belgium had been using Sony’s videogame system to communicate, Brantly says he’s seen no sign of that in their research. “I’ve never seen PlayStation come up in any document,” he says.

He also says they’ve seen no sign yet that ISIS is using home-brewed encryption programs that its members created themselves. “Al Qaeda developed their own encryption platform for a while. But ISIS right now is largely using Telegram [for encrypted communication],” he says.

Documents like the Kuwaiti OPSEC manual aren’t the only aid jihadis have to protect their communications. To help them master their OPSEC, ISIS also reportedly provides a 24-hour help desk.

Brantly says the jihadis they encounter in ISIS forums and chatrooms vary greatly in their technical savviness. He also says there are signs of increased interest not only in securing their own communication but in hacking other targets as an ISIS tactic. The so-called Cyber Caliphate, a hacking group that supports ISIS, claimed responsibility for hacking the US Central Command’s Twitter and YouTube accounts earlier this year. ISIS hackers have also taken credit for hacking a number of government ministries in Iran and stealing internal communications and login credentials, some of which they posted online.

“There’s a whole section on hacking [in the ISIS forums],” Brantly says. “They’re not super-talented hackers, but they’re reasonable.”

http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terrorist-group-security-protocols/

TSA lost master keys set

THE TSA is learning a basic lesson of physical security in the age of 3-D printing: If you have sensitive keys—say, a set of master keys that can open locks you’ve asked millions of Americans to use—don’t post pictures of them on the Internet.

A group of lock-picking and security enthusiasts drove that lesson home Wednesday by publishing a set of CAD files to Github that anyone can use to 3-D print a precisely measured set of the TSA’s master keys for its “approved” locks—the ones the agency can open with its own keys during airport inspections. Within hours, at least one 3-D printer owner had already downloaded the files, printed one of the master keys, and published a video proving that it opened his TSA-approved luggage lock.

Those photos first began making the rounds online last month, after the Washington Post unwittingly published (and then quickly deleted) a photo of the master keys in an article about the “secret life” of baggage in the hands of the TSA. It was too late. Now those photos have been used to derive exact cuts of the master keys so that anyone can reproduce them in minutes with a 3-D printer or a computer-controlled milling machine.

“Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures. I did this for fun and don’t even have a TSA-approved lock to test,” writes Xylitol, the Github user who published the files, in an email to WIRED. Xylitol, who noted that he was based in France, declined to reveal his real name. “But if someone reported it that my 3D models are working, well, that’s cool, and it shows…how a simple picture of a set of keys can compromise a whole system.”

Though Xylitol had warned Wednesday morning that he hadn’t tested the CAD files, Montreal-based Unix administrator Bernard Bolduc showed just hours later that the printable files worked as advertised. Bolduc says he printed one of the keys in five minutes on his PrintrBot Simple Metal printer using cheap PLA plastic and immediately opened one of his TSA-approved luggage locks.

My testing: TSA lock (image)

Samsung Galaxy S5 flaw allows hackers to clone fingerprints

Security researchers at FireEye have discovered a vulnerability in the Samsung Galaxy S5 that allows hackers to clone fingerprints.

Samsung Galaxy S5 and other ‘unnamed Android devices’ could leak user fingerprints to hackers that can clone them.

According to security experts at FireEye, although Samsung implements an encryption mechanism to protect the user fingerprints stored on the phone, an attacker can steal them just before they are encrypted.

Smartphones scan the user’s fingerprint in order to authenticate the user; the scanned print is then compared against a copy held by the ARM TrustZone technology.

When the user presses a finger against the device, the TrustZone code accesses the sensor, checks the scanned print and then provides the result of the comparison back to the OS. The TrustZone code is the only code that is supposed to be able to read data from the sensor.

The attacker can then steal the fingerprints, clone them and use them to impersonate the victim against other authentication services that rely on the same fingerprints.

The researchers highlighted that any hacker with user-level access that can run programs as root could steal fingerprints from the mobile device. The situation is easier for Samsung Galaxy S5 on which a malware would only require system-level access.

“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Yulong Zhang, one of the researchers, explained, to Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

The good news is that the issue is fixed for mobile devices running Android 5.0 Lollipop and higher, so the experts urge users to update their devices to the latest release of Google’s OS.

Samsung confirmed that it is investigating the flaw in order to protect its customers.

“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” confirmed a Samsung spokesperson.

The discovery made by the experts is the latest in a series of problems with the fingerprint scanners that equip popular mobile devices.

Last year a team of experts discovered that it was possible to bypass the Samsung Galaxy S5 fingerprint scanner using a ‘crude fake fingerprint’ modelled from wood glue and captured with a photo.

Swivel Secure OneTouch

Swivel simplifies the authentication process with OneTouch

OneTouch is a fast two-factor authentication mobile app designed especially for sectors in which access to critical business data is of vital importance.

Taking advantage of the growing adoption of personal mobile devices in the workplace, Swivel Secure has launched OneTouch, a mobile app that offers faster authentication and can be used to secure access to a full range of remote environments, including virtual private networks (VPNs), websites, corporate clouds and virtual desktops.

OneTouch gives businesses a digitally optimised two-factor authentication experience that meets user expectations for speed and convenience. Authenticating through OneTouch is up to 10 seconds faster than conventional methods, which makes it well suited to time-sensitive environments such as healthcare, legal and retail. In its simplest configuration, authentication is completed with a single tap on the user’s device.

“These days it is very hard to please mobile device users, who get frustrated very easily with complicated processes,” explains Chris Russell, technology director at Swivel Secure. “Swivel is continuously evolving to adapt to the ever-changing needs of our customers, and the launch of OneTouch is no exception. While companies modernise their IT for the mobile era, their networks face greater threats than ever; data breaches in 2014 broke every record, and this trend shows no sign of stopping. OneTouch neatly addresses both problems in a single fast, versatile mobile app.”

The free-to-download mobile app is compatible with all operating systems, including Windows. It can also be integrated with any existing Swivel deployment to give organisations more security options.
