Risque Management : Telecoms

Motorola's Ed Zander reinvents SIM

Slav — Mon, 10 Dec 2007 08:09:00 GMT

With all the buzz around major US wireless operators opening their networks to devices bought by the users, one may wonder if those businesspeople understand what they're talking about. There's no need to open anything at all in GSM and 3G (UMTS etc) worlds. CDMA was trickier but you usually could talk support person on the phone into connecting anything, provided you pay accounts. So opening up varies from symbolic act to... symbolic act. There's no need to reinvent the concept of openness.

Motorola CEO Ed Zander reinvents another concept - SIM, the Subscriber Information Module. here's what he said in a recent magazine interview:

Eventually, you'll have one SIM card for your mobile devices, and when you plug that card in, it will recognize the device and shut off all your other devices.

Some news for Mr. Zander: this is exactly how SIM always worked.

"Business intelligence" is category of software packages that helps organisations - and the execs - understand their business. Mr. Zander needs some, or Motorola is in big trouble.

Tracing phone communications: mission expensive and impossible

Slav — Sun, 06 May 2007 04:32:00 GMT

Herald Sun, a local tabloid, reports:

VICTORIANS will be surprised to learn that the major telecommunications companies, including Telstra, charge the police when they check on calls by criminals.

This year Victoria Police's total bill will be about $800,000.

The service is provided at cost, but Chief Commissioner Christine Nixon wants it to be free.

Telstra said it received more than 300,000 requests a year nationally from police.

I'm not surprised. But these are interesting details. Looks like every call list costs the police tens of dollars - while same information is provided for free to the criminals in question (as they are Telstra's, Vodafone's and Optus' customers for the telephone service). Which is not fair.

And while the number of requests on their cost grows every year, criminals are getting smarter:

Police are increasingly worried crooks are using false identification to buy bulk pre-paid SIM cards so their calls stay anonymous.

Opportunities for anonymous communivations today are endless. The premise is free connection to the Internet that is available in many locations in Australia and elsewhere in the world. You can then sign up for any of services that give you free calls (Live Messenger, Skype, Wengo, you name it). One bit that is a little difficult is anonymous payment. Opportunities are in prepaid/gift credit cards as well as alternative payment systems. But payment is only required for interfacing with the legacy telephone system. It is interesting to see how availability of free and anonymous communications will transform crime - but there's little doubt that it will.

Forbes on public Wi-Fi: You Get What You Pay For

Slav — Sun, 18 Mar 2007 17:24:00 GMT

Forbes, a respectable business magazine, writes about wireless security in the issue of 26 March 2007:

Computer security firm Authentium in Palm Beach Gardens, Fla. warns about an emerging Wi-Fi fraud aimed at air passengers. What road warriors sitting in a departure lounge think is a free authorized Internet connection turns out to be an "ad hoc" network broadcasting from the laptop of a scamster sitting nearby. Besides collecting passwords and credit card numbers, the crook might even install software that will later forward other private data. One tip-off: The wireless connection window the unwary traveler often sees labels the tainted free site a "computer-to-computer network".

Threats from rogue wireless access points aren't new - I wrote about disabling Windows firewall and exploiting Intranet zone using those a while ago. However, this Forbes article highlights two important problems with communicating technology issues to the businesspeople: wrong assessment and wrong advisory. I am under strong impression that by using executive summary language, consultancies, research companies and the press fail communicating real issues to the decision makers. That's because they often those translating the original information into executive summaries and press releases, often are saying what their audience want them to say - and without much understanding of the information in question. And if quality of the original research is substandard (which I think is the case with Authentium's Wi-Fi alert), the things only get worse.

Another evidence - IDG's PC World's take on the same Wi-Fi issue:

The next time you're at an airport looking for a wireless hot spot, and you see one called "Free Wi-Fi" or a similar name, beware -- you may end up being victimized by the latest hot-spot scam hitting airports across the country.

You could end up being the target of a "man in the middle" attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen, end up with a spyware-infested PC and have your PC turned into a spam-spewing zombie. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.

If you're a Windows Vista user, you're especially susceptible to this attack because of the difficulty in identifying it when using Vista...

The problem is that it's not really a hot spot. Instead, it's an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you're using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.

In addition, because you've directly connected to the attack PC on a peer-to-peer basis, if you've set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.

Such a pile of rubbish - as usually, with a twist of Vista-bashing.

Now, let's analyse:

Positioning the rogue AP attack as happening mostly in airports is wrong. We get those rogue access points everywhere now, the last one I saw in the lobby of Westin hotel in Seattle. Municipal Wi-Fi projects will set expectation for wireless service being available not just in select spots, but in entire business districts;
Name of the service/access point, or the fact that the service is free, is irrelevant. Title of the article in Forbes - You Get What You Pay For - falsely attributes the attack to free services. In fact, paying customers of T-Mobile access points (found in Starbucks all over the States - I'm using one in SFO airport right now), and other commercial operators, are perfectly susceptible to the attack;
It's not only computer-to-computer networks that may exploit unsuspecting users - access points are equally dangerous;
There is no "free authorized Internet connection" that is mentioned by Forbes. The word "authorized" doesn't make sense here.

Keeping your system locked down, and using SSL or VPN for sending credentials and accessing private information will make the man-in-the-middle attack much harder if possible at all - and Vista does help here. I challenge black and white hats of the world to compromise my laptop using a rogue wireless connection. I'm afraid, fixing communications around information security issues will be at least as difficult.

A vision for IPv6 enterprise

Slav — Mon, 26 Feb 2007 07:54:00 GMT

Without much fanfare, stock exchange opening bells and stuff like that, IPv6 protocol stack made it to all major computing platforms. In Windows XP Service Pack 1, fully supported IPv6 stack replaced previous experimental version (which is also available...(read more)

Do you still need PSTN?

Slav — Fri, 16 Feb 2007 04:10:00 GMT

Why old technologies are bad for security? Because they aren't flexible enough. Almost everyone is using Internet banking and takes SSL encryption of the session for granted. But most banks also offer telephone banking, where you manage your account using telephone line. Usually you put your account number (or its equivalent), PIN and then you can transfer money etc. Phone line wiretapping is a trivial thing - I've done that back in school. Phone banking is inherently insecure in that regard.

Now, a business story. Telstra is Australia's almost-monopoly telco. Think of AT&T not broken up, or Ukrtelecom. In early 2006, Telstra's then-new CEO Sol Trujillo was worried about something:

PSTN decline had accelerated slightly faster than expected.

Later that year, he was more optimistic:

The shift in revenue from traditional higher margin products and services to new and emerging products and services with lower margins has continued. However, we are tackling this hard and have slowed the PSTN decline by integrating services, bundling initiatives and customer winback programs.

And most recently Mr. Trujillo sounds upbeat:

We have slowed the PSTN decline.

Apparently, PSTN decline is a ongoing thing, and Telstra is trying to slow it - successfully, according to Mr. Trujillo. I wonder if the intention is to stop customer migration to new technologies and eventually start growing PSTN customer base.

This is exactly what I don't need. All the goodness of new telecoms aside. When new technologies become secure, legacy technologies are targeted by criminals. Enable strong authentication for Internet banking - and check fraud will grow (and yes, we don't need the whole check payments thing today). Besides, many people are concerned about govenments eavesdropping on the citizens' phone calls - but your neighbor can do same, because technology allows them to.

Meanwhile, I cannot get rid of my PSTN service. And there are people who don't want me to.