Attackers Can Read Your Private SMS and Listen to Phone Calls

Security researchers have discovered a massive security flaw that could let attackers and cybercriminals listen to private phone calls and read text messages on a potentially vast scale – no matter if the cellular networks use the latest and most advanced encryption available.

The critical flaw lies in the global telecom network known as Signal System 7 that powers multiple phone carriers across the world, including AT&T and Verizon, to route calls, texts and other services to each other. The vulnerability has been discovered by the German researchers who will present their findings at a hacker conference in Hamburg later this month.

    "Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers," said The Washington Post, which first uncovered flaws in the system earlier this year.

NUMBER OF SECURITY FLAWS IN SS7
SS7 or Signaling System Number 7 is a protocol suite used by most telecommunications operators throughout the world to communicate with one another when directing calls, texts and Internet data. It allows cell phone carriers to collect location information from cell phone towers and share it with each other. A United States carrier will find its customer, no matter if he or she travels to any other country.

According to the security researchers, the outdated infrastructure of the SS7 makes it very easy for attackers to hack, as it is loaded with some serious security vulnerabilities which can lead to huge invasions of privacy of the billions of cellular customers worldwide.

    "The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that attackers can repurpose for surveillance because of the lax security on the network," the report reads.

BACKDOOR OPEN FOR HACKERS
So far, the extent of flaws exploited by attackers have not been revealed, but it is believed that using the flaws attackers can locate or redirect users' calls to themselves or anywhere in the world before forwarding to the intended recipient, listen to calls as they happen, and record hundreds of encrypted calls and texts at a time for later decryption.

No matter how much strong or advanced encryption the carriers are using, for example AT&T and Verizon use 3G and 4G networks for calls, messages, and texts sent from people within the same network, but the use of that old and insecure SS7 for sending data across networks the backdoor open for attackers.

Not just this, use of SS7 protocol also makes the potential to defraud users and cellular carriers, according to the researchers.

ACLU – STOP USING TELEPHONE SERVICE, BUT WAIT!! IS THAT POSSIBLE?
The American Civil Liberties Union (ACLU) has also warned people against using their handset in light of the breaches.

    "Don't use the telephone service provided by the phone company for voice. The voice channel they offer is not secure," principle technologist Christopher Soghoian told Gizmodo. "If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel."

Soghoian also believes that security agencies – like the United states' NSA and British security agency GCHQ – could be using these flaws. "Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They've likely sat on these things and quietly exploited them," he said.

However, the poor security capabilities of SS7 protocol is not hidden from the people and its not at all a new, just three months ago we reported How a Cell Phone User Can be Secretly Tracked Across the Globe. But the era where each and every person care about privacy and security of their data, things like this really publicize exactly how big this threat really is and make many worried of its consequences.

By

Critical Flaw Hits Millions of Home Routers

Security researchers are warning of a critical vulnerability in several different home router models that could put at risk the data of millions of consumers and small businesses worldwide.

Check Point’s Malware and Vulnerability Research Group uncovered Misfortune Cookie, a flaw which could allow attackers to remotely take over an affected router with admin privileges.

CVE-2014-9222 is found in popular routers made by D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others.

Specifically, it affects RomPager from AllegroSoft – web server software embedded in the firmware which comes with the above gateway devices, Check Point said.

The vendor continued:

“An attacker with administrative access to your gateway holds an alarming control over your wired and/or wireless network (local area network) infrastructure. Such control puts devices at risk of Man-in-The-Middle attacks, greatly increases the attack surface for LAN-side vulnerabilities, and gives attackers the ability to directly monitor connections and identifiers belonging to your devices.

The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes. This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”

Although there have thus far been no reported incidents of attackers exploiting the flaw in the wild, there are at least 12 million such devices in 189 countries across the globe, the vendor added.

In some countries, as many as one in two used IP addresses are affected, it said.

Check Point urged the affected device makers to release updated firmware which addresses the problem – RomPager version 4.34 or higher.

It branded the threat “a wake-up call for the embedded device industry and consumers alike.”

UK / EMEA News Reporter , Infosecurity Magazine

Chrome devs hatch plan to mark all HTTP traffic insecure

The Chromium Project's security team has kicked off a debate on whether browser will mark all HTTP pages as insecure.

“We … propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure,” the team writes in this post.

The post says the team's goal “... is to more clearly display to users that HTTP provides no data security” because ““We all need data communication on the web to be secure (private, authenticated, untampered).”

If users aren't enjoying good security, the team suggests, browsers “... should explicitly display that, so users can make informed decisions about how to interact with an origin.”

The team also point out that HTTPS traffic usually produces a change to the user interfa,ce notification, yet insecure HTTP traffic does not.

The post proposes that browsers instead define, and inform users of, three security levels:

  • Secure (valid HTTPS, other origins like (*, localhost, *));
  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
  • Non-secure (broken HTTPS, HTTP).

The post's authors have thrown the topic open to debate, posting to several influential mailing lists to gather feedback. But they seem intent on the change: the post says “We intend to devise and begin deploying a transition plan for Chrome in 2015.” ®

Simon Sharwood

Quantum Encryption Makes Credit Cards Fraud-Proof

Credit card frauds are very common these days – today a data breach occurs in retailer’s shop, online shopping site or banking site and at the next moment millions of cards appears in the underground black market – how simple is that for cyber criminals nowadays.
 
But imagine if there is no possible way to hack credit cards and ID cards. Seems like next to impossible, but quantum cryptography ensures that stealing people's personal data will soon be very difficult for hackers and cyber thieves due to an extra layer of verification.
 
SECURE FRAUD-PROOF CREDIT CARDS
The research at the University of Twente in Enschede, Netherlands has suggested that "fraud-proof" credit cards are possible to develop using Quantum Physics that will protect users’ financial and personal information from hackers. Security researchers describe this extra layer of verification as Quantum-Secure Authentication (QSA) of a "classical multiple-scattering key."
 
With the help of QSA method, people will be able to create a physical "key" which is impossible to copy or create similar ones. So, this new technology will not allow any person to copy someone’s credit card and can validate the identity of any person or object, including debit and credit cards, even if the most important data has been stolen, the Optical Society reported in the Dec. 15, 2014 edition of the journal Optica.
 
However, Chip-and-Pin payment cards are opted by the major organisations to promote additional security solutions like tokenization and point-to-point encryption. Chip technology generates a unique code for every transaction, making it nearly impossible for criminals to use the card for counterfeit fraud. But we have also seen that the latest "Chip-and-PIN" technology are vulnerable to Card Cloning.
 
HOW QSA TECHNOLOGY WORKS
Now, the important thing to note is that how is it possible and how Quantum Physics works with the Credit card technology ??
This innovative technology depends on two unique quantum properties of light to create a secure and unique Question-and-Answer (Q&A) exchange that cannot be 'spoofed' or copied. As a single photon of light can occupy more than one location at the same time and because light has so many separate wavelengths that hacking a credit card would take centuries to find the right combination.
"Single photons of light have very special properties that seem to defy normal behavior," said a study lead author Pepijn Pinkse of the University of Twente's MESA and Institute for Nanotechnology. "When properly harnessed, they can encode information in such a way that prevents attackers from determining what the information is."
The "quantum credit cards" would be more secure and fraud-proof because QSA technology leverages the immutable properties of quantum mechanics to create a perfectly secure encryption system, instead of any mathematical interpretation.
 
EASY TO IMPLEMENT AND HARD TO BREAK
According to Pepijn Pinkse, such a security layer would be "straightforward to implement with current technology," used by credit cards.
 
Quantum credit cards would be outfitted with a strip of white paint containing millions of nanoparticles. Researchers could project individual photons of light onto this paint with the help of a laser that would bounce around the nanoparticles as if in a pinball machine before escaping back to the surface and forming a unique pattern.
"It would be like dropping 10 bowling balls onto the ground and creating 200 separate impacts. It's impossible to know precisely what information was sent (what pattern was created on the floor) just by collecting the 10 bowling balls," researcher said.
This new technology could help in protecting government buildings, personal bank and credit cards, and even vehicles, according to the research.
Wednesday, December 17, 2014

We believe ALL internet websites should implement SSL

We believe ALL internet websites should implement SSL. The E.F.F (Electronic Frontier Foundation) started an HTTPS campaign back in 2011. By implementing SSL (regardless if your collecting personal information on your site or not), you are helping to protect users privacy and freedom. Begin by purchasing an SSL certificate. We can assist in converting your current site over to FULL TIME SSL.

Google to give more weight to encrypted websites in search results. Google's announcement may prod more websites to adopt HTTPS connections, said Tom DeSot, chief information officer of Digital Defense, a cybersecurity company. "Google pushing it is good because of the clout they have in the industry,” DeSot said. “The people that are in charge of search engine optimization, they will pay a lot of attention to this.”

Reset the NET, start with DELETING YOUR FACEBOOK

Excellent short video on why you should start caring about your privacy and DELETING your Facebook account. After watching, take a trip over to RESET THE NET on great ways to start protecting your privacy. Also, for anyone interested, we offer/operate a service for encrypting your communcations over the net, visit ourprivacy.org.


Original DELETE YOUR FACEBOOK post at SPLOID

Subscribe to our Newsletter

Search ALL Articles

Managed V. Non-Managed

 
NON-MANAGED=REACTIVE
MANAGED=PROACTIVE
 
 

ourprivacy.org

US-CERT Latest Warnings

Latest US-CERT Released Warnings

Posted Articles