O2 and its telephone number leak update

Written by Ian Nock on January 25, 2012 Leave a Comment

O2 has now posted on its blog, its own description of the problem that occurred today. It describes it pretty much as a misconfiguration that allowed a provision for ‘selected partners’ to receive the client’s phone number in the headers of the HTTP request to spread to be applicable to all sites.

Although seemingly a reasonable explanation, it is the first time that I have heard that O2 would be using this with ANYONE. Almost certainly I will find the clause buried down in my terms of use somewhere (still looking), but this is a shoddy and appalling lack of privacy and control around something that a few people (not me but I still don’t want to share it with web sites unless I choose to) keep VERY private. To not be expressly clear to the user or to provide a mechanism for blocking it is bad. I am reminded of an old Internet Explorer feature that had to be disabled very quickly in the 1990s whereby the browser would present the username of the logged in PC user to every website. The feature was useful in authenticating in a corporate environment but unfortunately they allowed presentation to every site – a horrible privacy AND security issue. The disabling came in to the user control through Security Zones but it was by default turned OFF. This is something that should be the case here.

We shall have to see how this issue progresses. Certainly I am thinking twice about having O2 as a service provider. I will also be more careful about my use of SIM cards from providers I am new to in the future, after all they could similarly do this.

Also posted in Blog, Mobile Communications | Tagged , , ,

O2 and its Telephone number leak

Written by Ian Nock on January 25, 2012 1 Comment

This morning a twitter comment alerted me to an issue with the O2 mobile phone broadband data service. In common with all broadband internet services, O2 passes its traffic from customers via a transparent proxy which can additionally do things like reduce the file size of pictures through compression. This is normally specified in the APN configuration of your phone. The ‘new information’ though was that it was making use of a feature of the Openwave WAP proxies to additionally tag a HTTP request header on to each transaction that gave away the subscriber’s mobile phone number. The HTTP request header is the very clear x-u-calling-line-id. You also need to know that this happens regardless of the client device you are using as it is built in to the Openwave proxy.

This is a serious breach of privacy for any mobile phone owner as EVERY SINGLE WEBSITE that the subscriber visits via the broadband connection will then have a copy of the subscribers mobile phone number. No opt-in or opt-out. Also it is quite likely that this has been happening for many years, in fact it could be as old as 3G Broadband from O2. To confirm if you are affected, I suggest you visit a site that displays all of your headers and look for your phone number or other personally identifiable information such as http://www.cylog.org/headers/.

Right now O2 is scrambling to deal with this PR and possible legal issue. I am personally offended that they do this as well. However you need to think wider than this. O2 is not necessarily the only company doing this, nor does it have to be via the same HTTP request header. After all, that header is something that Openwave provides which can be being used by any mobile operator in the world. Additionally other mobile operator WAP gateways manufacturers can and do use different methods of doing the same thing. The result is that privacy can be being breached worldwide, whenever you use your 3G Broadband connectivity.

This means that not only can someone personally identify you very easily, they can pair the informaton directly with the IP address that you are operating on which will also allow the identification of where you are.

If you are interested in background as to what you can be sharing when using your Mobile Broadband connectivity, please look at these two sites http://mobiforge.com/developing/blog/useful-x-headers and http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf.

Also posted in Blog, Mobile Communications | Tagged , , , , , ,

No excuses – Encrypt Now, Yesterday and Tomorrow

Written by Ian Nock on February 23, 2011 Leave a Comment

Us mobile people like all the newest gear, particularly when it either speeds things up, saves precious battery life or makes our equipment more robust. SSDs do all of that, however it is bad when they can affect our information security.

I have gone on record stating that for you and your customer’s piece of mind (as well as some laws), that you should fully encrypt your hard drives, recommending that the small business owners uses Truecrypt… a very effective solution. Now comes the (relatively) obvious news that you need to be wary of SSDs

If you’re in a business that handles sensitive information, or are just conscientious about your privacy, you might want to read this study on SSD erasure. As you know, there are ways of erasing traditional magnetic hard drives that are more or less totally irreversible. Writing all zeros, writing garbage, zeroing again, and so on. After a few cycles it’s fresh and clean.

via PSA: SSDs Are Difficult To Securely Erase.

So get the SSD encrypted as soon as you. How much this effects people who have Hybrids like my Momentus XT is probably minimal, but STILL present as you do not know exactly what data ends up on the 4GB Flash part. So Encrypt it now, and encrypt it early.

Also posted in Notebook Computing, Software/Apps | Tagged , , , , ,

There may be trouble ahead for techie travellers

Written by Ian Nock on November 10, 2010 Leave a Comment

As a traveller with a lot of tech along for the ride, the security queue even in Europe can be a little troublesome. The following article though may indicate more trouble ahead.

The Transportation Security Administration has banned ink and toner cartridges of more than 16 ounces from both carry-on bags and checked luggage on flights within the United States or in-bound to the United States. You know why: because of that incident from a few days ago where authorities found bombs hidden inside toner cartridges.

via TSA Bans Ink & Toner Cartridges From Flights. Next On The Ban List: People..

Even though we have heard about lifting the need to get the 11 inch Macbook Air out of hand luggage in the US, this has not transferred to Europe and is likely not going to. This is particularly a problem for me in future if I travel like I have this week – with both my main laptop (13 inch) and my notetaker netbook (10 inch), plus a load of cables, dongles and hard drives. Less said the better about my spare mobile phone :-) .

We shall just have to see how this all develops.

Also posted in Blog, Mobile Communications, Notebook Computing | Tagged , , ,

The Pain of Password Changes

Written by Ian Nock on April 12, 2010 1 Comment

Loved this article (click through) about the impact of regular password changes on businesses.

Big enterprises that force their workers to change their access passwords on a regular basis, and adhere to complex rules when they do, might be their own worst enemy.

via Mandatory Password Changes Costs Billions in Lost Productivity – Security – Lifehacker.

The presumption of most security policies is that changing passwords increases security, which is not strictly the case in my view. Most of the time, forced password changes result in written down passwords or easily guessed repeat passwords, or even trying to beat the strict rules that are required (like ‘must contain a number, a letter and at least one upper case letter). All this does this is give a crib to breaking the system. The other thing to say is that password changes like this assume that the password is guessable, you have been overlooked or that the system is insecure (like when you used telnet which sends passwords in the clear). Now with strong encryption, good personal security/awareness and a good sound none-word password, then the need for changes should be more based on education of staff to understand password changing in response to insecure behaviour instead. Like being overlooked, a security weakness being identified etc.

At least that is my view, what is yours?

Also posted in Blog | Tagged

Cost of the Loss of a Laptop

Written by Ian Nock on May 3, 2009 Leave a Comment

A new report by the Ponemon Institute in conjunction with Intel claims that the average cost to the enterprise of a stolen or lost laptop is $49,246, once you factor in not just replacement but intellectual property loss, lost productivity, forensics, and other downsides.

Report: average stolen laptop cost is $50K; Intel: buy vPro – Ars Technica.

This is an interesting report, but it is interesting to think about the impact of full disk encryption and full data synchronisation back to base on a continuous basis on the cost. The headings that they used are:

  1. Laptop replacement cost: $1,582
  2. Detection & escalation cost: $262
  3. Forensics & investigation cost: $814
  4. Data breach cost: $39,297
  5. Intellectual property loss: $5,871
  6. Lost productivity cost: $283
  7. Other legal and regulatory costs: $1,117

Now with the disk encryption and data synchronisation, you can see a different picture:

  1. Laptop replacement cost: $1,582 (or less than $500 for a netbook!)
  2. Detection & escalation cost: $262 – probably the same
  3. Forensics & investigation cost: $0, what forensics or investigation do you need when the machine is a dead weight without a valid logon
  4. Data breach cost: $0 as there would be no data breach
  5. Intellectual property loss: $0 as there is little or nothing lost through the data sync to base
  6. Lost productivity cost: $283 (probably the same)
  7. Other legal and regulatory costs: $0 as there is no loss, so no legal or regulatory costs

Now this is a simplistic view, but you can see that with using low cost laptops/netbooks, good full disk encryption and well implemented file sync, you can reduce the ‘cost’ of a laptop loss from $49,226 to $1,045. Even allowing for some error, the cost benefits are good in a loss situation.

Also posted in Blog | Tagged , , , ,

Laptop Security

Written by Ian Nock on April 20, 2009 Leave a Comment

Try thinking of your notebook or mini-note not as a computer but as a pile of cash. Would you leave $800 lying around on a library table or the front seat of your car? How about $300? Chances are you wouldn’t, and that’s because we instinctively realize that’s tantamount to inviting unscrupulous types to help themselves.

Mobile PC Security Tips: Part I

This article offers some straightforward security tips, but the best one is unsaid.

Make it so you do not care whether your laptop is stolen. Take the normal physical security precautions, but make best use of the Cloud to ensure that if the laptop is lost or destroyed, that you do not lose any data. This is done via file sync systems such as Mesh, Live Sync or others, or by using Gladinet to give folder level access to online storage mechanisms like Google Docs, Amazon S3, or Skydrive. What about security of the data – well make sure you use full disk encyption for the laptop so nothing on the disk is recoverable without the password.

And then we come to the cost… well use low cost laptops or netbooks at less than €400/£400 or much less, so the biggest cost is actually the installation of a new machine.

These are what I can recommend, think about it.

Also posted in Blog, Mobile Communications | Tagged , , , , ,

Whole Disk Encryption Update

Written by Ian Nock on March 12, 2009 Leave a Comment

lock It has been a whole week since I moved my main machine over to using whole disk encryption through Truecrypt. I though it was timely just to give a short update on experiences.

Firstly, it has not crashed :-) .

Everything is working fine exactly the same as my experience immediately after the installation.

Secondly, the performance also has continued to match what I reported – about a 10-15% slowdown on disk access. The worst impact is on standard boot or restart from hibernation, but I have slightly altered my behaviour to account for this. The change is that I am using suspend a whole lot more, and I am lucky that the MSI Wind U100 clone I have has an interesting feature that is almost like a neat feature I have in my Vista machines – the move to hibernation after a period of time in suspend. Let me explain further, if I suspend my laptop on mains then it will stay suspended until I press the magic power button and almost immediately go into the Windows logon screen. If I am suspended on battery however, after a period of time the machine will enter hibernation mode to save battery life. This means I use suspend as the first option (getting around the slow restart from hibernation) always.

Thirdly, have I noticed any other long term effects? Well I have noted that the auto defrag tool of choice does not auto defrag as often as it used to. I believe this is a tuning matter, a property of how I have been using the machine which I will watch over time to see if I can confirm what is going on. Secondly (and related to why I noticed the defrag), the encryption of the HD is (as expected to be honest) is playing funny buggers with the level of fragmentation – the machine does seem to be tending towards getting a higher level of fragmentation.

So all in all, this has been a successful implementation with some areas to watch. I will give an update on a longer term basis of course, so watch out for that in the future. Also are you using disk encryption? What are your experiences?

Also posted in Blog, Software/Apps | Tagged ,

Whole Disk Encryption – The Holy Grail

Written by Ian Nock on March 4, 2009 1 Comment

You have your nice laptop for running around the world with, you are on a business trip to Warsaw and then suddenly after getting off the plane and on your way to your meeting you find that you do not have it. Doh! you remember that you put it in the little pocket of the seat in front of you just before you landed but you forgot to get it out. You frantically get in touch with the airline who tell you that nothing has been handed in, and then you start to worry about the commercial secrets that you have on the disk and that copy of the spreadsheet that contains all your banking details. It is lost and available to whoever has the machine. Oh, but you say that you have the OS logon to protect you… wrong, that is easy to bypass when you have physical access, just remove the disk. Oh yes, the Bios password – same issue and anyway you can normally get past that with some secret key presses found in many places on the Internet. What about the 40 bit encryption put in place by Excel on the spreadsheet? – nope that will be gone too with a couple of utilities, and anyway that data is spread all over the disk in temp and page files for the half skilled hacker to get.

So you are screwed. What now?

Well there is something that you could of done that is really easy to have implemented and that would have protected you from all but the most serious of attackers – whole disk encryption. Historically tricky outside of certain quarters, it certainly has been available but only in the last 12 months has it really become simple to implement and use. You could use Bitlocker from Microsoft of course, if you have Vista. Then again you are almost certainly not running Vista and anyway Bitlocker is a little tricky to implement and only available on some versions of Vista – definitely not the one you probably have. So what are the alternatives? Well I will not go into the whole bunch, but I will focus on one which is freely available and simple to implement – Truecrypt, in particular version 6.1 which has largely resolved some critical problems for operation with laptops that earlier versions suffered from. The problems that it used to have was that it would not let you suspend or hibernate, but that is now resolved.

truecryptSo how do we get it? Just go to Truecrypt’s website and download it, make sure that you have read the installation guidance off their website, backed up your important data (because it could go wrong!) and just run the installer and set your passphrase well. In my instance I found a big problem during the installation – I was installing on a netbook without an optical drive and the installation routing REQUIRES that you create a recovery boot cd. It is irritating that a bypass mechanism is not available for this, but this is sort of for your own protection. Anyway, out came the USB CD/DVD writer and a boot CD was dutifully created and installation completed. The installation is pretty simple and includes a test boot but the most interesting fact is that at the end of installation, your disk is still not encrypted. It actually does this as a first step after install completion, and it allows you to continue to run the machine as normal as it churns through all the disk encryption, and allows you to pause the process and/or shut down the machine at any time, for it to continue when you startup again. This is a very nice touch.

The encryption process takes a nice length of time dependent upon disk size but at the end, you have a high level of disk encryption that just happens all the time without you doing anything more. In operation you do not notice a difference at all apart from some performance loss. Now on my Atom based 1.6GHz processor, I reckon that the performance hit in normal operation is about 10-15% where disk access is required (I have not measured it) but there is a much greater effect on the hibernation process – both going into and coming out. Certainly a doubling of the time to do the process and I can only guess that during that phase the disk writing/reading capability is hamstrung in some way but the overall impact is acceptable considering that if I lost the laptop, all my corporate secrets are still secret – as long as I picked a suitably strong pass phrase and logon passwords. Note that for suspend operation, the encryption boot block does not come into operation so your logon password is all that protects you there.

Truecrypt does offer other facilities as well, as it offers multi-layers of encryption and data hiding but for the standard business use a single disk encrypt is almost certainly enough. Truecrypt also offers the more mundane folder encryption particularly for external drives but I will go through that in another post.

All in all then, this is a must both to protect your data and your clients data, and a simple addition to your portable business armoury. If you or your company wants further advice about deployment of software like Truecrypt and security principles that are advisable, then please feel free to contact Blackarrow Consulting via our website for that service.

Also posted in Blog, Software/Apps | Tagged , , ,

Corporate USB Flash Drives – The new era in Mobile Data Security?

Written by Ross Bale on March 3, 2009 Leave a Comment

pic1

With equipment loss and theft at increasingly high levels, according to a recent survey commissioned by Dell, “up to 12,000 Laptop Computers were lost weekly and up to 600,000 lost annually in U.S. Airports with 53 percent of mobile professionals carrying confidential company information”, the decision of where to store data is a common one, especially for the mobile worker.

Whilst independent self employed people and smaller business are choosing to store data either within Cloud Applications such as Google Docs, or online file storage services such as Mozy, users in larger organizations traditionally store their data either on their laptop or a USB Flash Drive.

USB Flash Drives have had a bad press, and one can find any number of stories in the press of storage devices being lost or left in public places with vital data on, however, that landscape has now changed with the introduction of the Sandisk Cruzer Enterprise USB Flash Drive.

The device is a self-contained security powerhouse, incorporating independent 256Bit AES encryption, mandatory access control, complex password requirements and a lockdown mode preventing the device from being used after a set number of incorrect passwords.

The real power, however comes when you couple the USB Flash Drive with the Sandisk CMC Management Software. This software integrates with Active Directory, requires no client software, and provides central backup and restore of data on each device once connected to an authorised computer within the corporate network.

Remote termination technology allows an administrator to remotely deactivate and erase a lost device when connected to a computer with internet connectivity. Once the user associated with the lost device is issued with a new flash drive, the new device automatically restores all data from the previous device stored on a server within the organization.  The software can also generate audit logs showing all files copied onto or off of a device for regulatory compliance purposes.

Also posted in Blog | Tagged , ,