Linux demand for support

21 May 2013

If you talk to the mobile operators, they don't support Linux. They say there is no demand. Well, an interesting case in point is giffgaff. This MVNO relies on the public to crowdsource the support information for its network.

So with a bit of Google hacking we can see the number of support pages that mention Linux on the various networks:

So the level of Linux support provided by a small UK MVNO beats the mighty giants of the mobile world.


Internet Survey

27 March 2013

You may have heard of this elsewhere. This is a Grey Hat report from an anonymous individual who used a botnet to survey the entire IPv4 address space and perform a port scan on every one of those IP addresses.

In summary, he delivered his scanning software to 30 thousand machines that provided a telnet port (23) that accepted a logon of either root/root, root/(blank), admin/admin, admin/(blank) or even (blank)/(blank). There were many more of these devices, but this was sufficient for his requirement to scan the entire IPv4 range in about 3 hours.

The main implication is that these hosts are available and could be used for DDoS and other botnet activities. One would speculate that there may be an increase in this type of activity going forward.

http://internetcensus2012.bitbucket.org/paper.html


The Nexus 7 and Open Street Maps

26 October 2012

So with the launch of the mini iPad there are a lot of comparisons between this and the Google Nexus 7. I don't have an iPad of any size and so don't have any way of offering any sort of objective comparison. But what I do have is a Nexus 7 and the experience of using this while traveling around Europe.

We recently drove through Europe for a 2 week holiday. We skipped through France, Belgium, and Germany fairly quickly, as we wanted to visit Prague, and then go on down through Austria to Hungary. So Maps were very important for this.

We have a TomTom, not sure of the model, but it has all of Europe in it. I have tried to update the maps in this but am not able to keep both sides of Europe, as the size of the maps has expanded. TomTom only allows broad groups of countries to be loaded, so Western Europe (UK, Germany, France, Spain, Portugal,…) or Eastern Europe (Czech Republic, Poland, Hungary,…). Not much use to us, as we live in the UK and often visit Hungary.

We also had a paper map book, the Michelin whole of Europe: OK for motorways and getting a sense of the general direction, useless in cities and towns.

I also had the OSMAnd application on my Nexus 7. This is an open source application for viewing maps from Openstreetmap.org. The crucial feature needed when traveling is offline maps. OSMAnd allows maps for each individual country to be downloaded, and can operate completely with no data connection.

Given the expense of GSM roaming in Europe, this is a feature that makes all the competition unusable. Google Maps does now allow downloaded data, but to use this feature you need to be in the location and then save the map tiles for that location. No pre-loading by country, and no offline searching or route finding.

Here are a couple of scenarios where OSMAnd proved invaluable. First, finding the hotel we had booked. We had the address and were in the approximate area; we just needed to find the place. Putting the street name into TomTom showed a number of entries for the same street name, in different districts. This gave no indication as to how far away each was, and our limited knowledge of the city meant we didn't know the districts. When searching for a street name in OSMAnd, the matches are listed ordered by distance, either from the current location or from a location that can be set. There is also an arrow giving an indication of direction.

Remembering where we parked the car is not always easy if you are exploring. So I had a favorite location called Car, which I updated when we parked in a back street. Just get the Nexus to get a fix, long tap on the current location, and save as a favorite. Then it was easy to find our way back to the back street where we parked.

Fancy a coffee? Search from the current location for restaurants and add a filter "cafe". This gives a nice list, showing direction and distance. Tap the map icon and the locations are highlighted on the map display. We found some wonderful breakfast cafes this way.

Traveling on some back roads we came to a line of traffic. It transpired that there was a major crash up ahead and we were not going to get through for quite a while. OSMAnd came out to find an alternative route, taking some even smaller back roads that didn't have any useful road signs.

This all relies on the quality and freshness of the data. Generally this seemed to be pretty good. The listings of shops and businesses are pretty good in the larger towns, but small villages generally only had the street data. The street data, however, was remarkably accurate.


USSD Code dialling exploits

28 September 2012

It has recently been disclosed, and demonstrated, that many phones respond to USSD dial strings in tel: HTML markup without requiring any user input.

The issue comes from how the tel: HTML markup is handled: the phone will automatically execute a USSD command embedded in a tel: link.

The Samsung S series has some powerful hidden codes, including one that will reset the phone to factory default *2767*3855#

The HTML string <iframe src="tel:*%2306%23"/> will display the IMEI, but if the code above is used this resets the phone. My experience suggests that most phones have secret codes that perform these sorts of actions. It only remains for these to be discovered for much wider exploitation.

Normally when a tel: link is encountered this just populates the dial number field and the user would then need to hit call to initiate the call. Some USSD codes do not require this: all phones should respond to the *#06# string with the IMEI of the phone.

Video of the presentation: http://www.youtube.com/watch?v=Q2-0B04HPhs

There is a test page: http://mobilephonesecurity.org/tel/. This is safe to go to as it only has the code to display your IMEI. If you visit this page on a phone browser, it should open the dialler and pre-fill the dial string with *#06# ready for you to hit send. If your phone is vulnerable you will just see the IMEI displayed; that is, the phone has immediately dialled this string.
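A check that a web filter or mail gateway could run over HTML to flag the pattern described above, written in Python. This is an added example, not code from the original post or the presentation; the tag and attribute lists, function names and sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that can carry a URL the browser loads or follows (assumed list).
URL_ATTRS = {"href", "src", "action", "data"}
# Tags whose URL is fetched on page load, with no tap from the user (assumed list).
AUTO_LOAD_TAGS = {"iframe", "frame", "img", "embed", "object", "script"}


def ussd_dial_string(url):
    """Return the decoded dial string if url is a tel: URI containing * or #, else None."""
    url = url.strip()
    if not url.lower().startswith("tel:"):
        return None
    number = unquote(url[4:])  # %23 -> '#', %2A -> '*'
    return number if ("*" in number or "#" in number) else None


class TelUssdScanner(HTMLParser):
    """Collects every tel: URL in the markup that carries a USSD-style code."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            dial = ussd_dial_string(value) if name in URL_ATTRS and value else None
            if dial is not None:
                # auto_load marks the dangerous case: no user click is needed.
                self.findings.append({"tag": tag, "attr": name, "dial": dial,
                                      "auto_load": tag in AUTO_LOAD_TAGS})


def scan_html(html):
    scanner = TelUssdScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an ordinary phone link, a clickable USSD link, and an
# auto-loading frame using the harmless IMEI code from the post.
SAMPLE = """
<a href="tel:+441632960000">Call us</a>
<a href="tel:*%2306%23">Show IMEI</a>
<iframe src="tel:*%2306%23"></iframe>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Findings with auto_load set are the ones that match the issue in this post; a clickable USSD link still needs the user to tap it.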


Password databases and Salts

7 September 2012

I responded to a question on Stack Exchange:

The purpose of a per-record salt is to make the task of reversing the hashes much harder, so that if a password database is exposed the effort required to break the passwords is increased. Assuming that the attacker knows exactly how you perform the hash, rather than constructing a single rainbow table for the entire database they need to do this for every entry in the database.

There is a separate issue with a database-wide salt. This is a sort of key, and protects against the attacker using existing rainbow tables to crack the passwords. The database-wide salt should be stored separately, so that if the database is compromised it is unlikely that the attacker will get this value as well.

The last area where many fail is that there must be a way to change these salt values. If a security incident occurs we want to be able to change the salt values easily. So the database should have a salt version, and the code will use the version to identify which salts to use and in what combination. When this is changed, a background task can update the database without taking the system off-line.
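One way to implement the versioned scheme described above, as an added example rather than code from the original post or the Stack Exchange answer. It assumes PBKDF2 for the per-record hash and applies each database-wide salt as an HMAC layer, which is what lets a background task upgrade records without the plaintext password; the record layout, function names and salt values are hypothetical.

```python
import hashlib
import hmac
import os

# Database-wide salts by version. Constructed values; in practice these are
# stored outside the password database (config store, HSM, environment).
SITE_SALTS = {1: b"constructed-site-salt-v1", 2: b"constructed-site-salt-v2"}
CURRENT_VERSION = 2
ITERATIONS = 200_000


def _base_hash(password, record_salt):
    """Slow hash of the password using the per-record salt only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), record_salt, ITERATIONS)


def _wrap(digest, upto, start=1):
    """Apply database-wide salts start..upto, in order, as HMAC keys."""
    for version in range(start, upto + 1):
        digest = hmac.new(SITE_SALTS[version], digest, hashlib.sha256).digest()
    return digest


def create_record(password, version=CURRENT_VERSION):
    record_salt = os.urandom(16)  # unique per record
    digest = _wrap(_base_hash(password, record_salt), version)
    return {"salt": record_salt, "version": version, "hash": digest}


def verify(record, password):
    # The stored version says which database-wide salts to combine.
    candidate = _wrap(_base_hash(password, record["salt"]), record["version"])
    return hmac.compare_digest(candidate, record["hash"])


def upgrade_record(record):
    """Background-task step: add the newer salt layers to a stored hash.

    Works on the stored hash alone, so it can run while the system is online.
    """
    if record["version"] >= CURRENT_VERSION:
        return record
    digest = _wrap(record["hash"], CURRENT_VERSION, start=record["version"] + 1)
    return {"salt": record["salt"], "version": CURRENT_VERSION, "hash": digest}


if __name__ == "__main__":
    old = create_record("constructed-password", version=1)
    new = upgrade_record(old)
    print(new["version"], verify(new, "constructed-password"))
```

Records at either version keep verifying during the migration, because verification always follows the version stored with the record.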


Internet Blocking

5 September 2012

There has been a proposal for ISPs to implement blocking by default on connections; here is my response, sent as part of the ORG campaign.

Firstly as a parent bringing up children in the newly connected world, I can state from my own experience that a default filter will not work. The first thing will be that parents will feel they have been absolved of the need to educate their children on Internet safety. Second that the filter will not work, in that it will block perfectly reasonable sites and fail to block highly objectionable content.

As a Security Expert in the internet age I have more exposure than most to these issues. While some things are best solved with technology, there are many security issues that are far better solved by humans taking a critical look at the content and evaluating it.

Take for example the recent Facebook meme on Bananas and tumor necrosis factor. On the face of it many have been convinced that there is a benefit here, but in fact the truth is that this linkage in the science is extremely tenuous, and based on implanting banana rather than eating it.

I use this innocuous example to show that no technological firewall would be able to block this message, and that we are better off teaching skills in critical evaluation of information than trying to get into the arms race of attempting to block content.

The Music and Video industries have been trying for years to block music and video sharing on the internet using all of the resources of that industry, and by any reasonable measure they have failed miserably. Are you really prepared to invest many times more effort in blocking content on the internet?

What has worked well is the operation of the Internet Watch Foundation, in terms of providing a central reporting point, and coordinating take down activities of content that we, as a society, find highly objectionable. But if you read their reports you will see that their attempts to block sites have not been as successful.

This point is at the root of the problem of the proposals: if the material is highly objectionable then it needs to be taken down at source, not blocked. Blocks can always be bypassed. If we are taking down material, that is a legal process, with appropriate appeals processes. What you are proposing would be arbitrary and secret, without transparency on the blocked sites, so how would a site owner know they were being blocked, how would they appeal against that, and how would we know that the process of blocking sites was fair and reasonable and not being used for political ends?


Default settings for devices

16 April 2012

I have had a Sansa Clip music player for a couple of years, and find it a pretty amazing little device, but I have always struggled with the volume levels.

Mostly I just set it to the maximum, and for some podcasts I listen to I had to edit the MP3 file to increase the volume in the file before it was usable.

Then in some random searches on the internet I stumbled across some discussions that said that setting the country to something other than Europe sorted out the volume problem. A simple matter of resetting this to the "Rest of the World" and the volume is much better.

The point here seems to be that for Europe the maximum volume has to be limited, because otherwise its citizens will all have their hearing damaged due to excessive volume on their MP3 players.

Now I have a usable device that works as it was designed by the engineers.

The next was a thermostatic shower tap, fitted to the bath. Again we struggled to get the tap to provide a mix at a reasonable temperature. The tap was supposed to have been calibrated with a mid-point of 38°C.

Practical use meant turning this up close to the limit of the red end. When it got to the point that the hottest setting produced a lukewarm shower at best, it was time for action. So some googling later, it turns out that these taps need to be calibrated, which is a simple case of removing the temperature control tap cover, setting the water temperature to 38°C and reattaching the control.

Again it appears that the factory setting is somewhat conservative in the temperature it presents. Presumably this is because they don't want complaints from scalded customers, or they are just erring on the side of caution.

The moral of these stories is either that it is your responsibility to hack and calibrate your world to make sure it functions correctly, or that the institutions of our society have conspired to keep us so safe that we struggle to hear our MP3 players, and have lukewarm showers, unless we take control.

