InfoSec Philippines

Information Security, Technology News and Opinions

Posts Tagged ‘27001:2005 A.11.7.1’

Curse of Silence Update 2

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 29, 2009

If you have a Nokia S60 3rd Edition phone, which doesn’t seem to be accepting messages, or just accepts some but not all messages, your phone may have been attacked by what’s been called as the “Curse of Silence“. Nokia Europe has just released their SMS Cleaner which can clean Nokia S60 3rd Edition (Initial or Feature Pack 1) based devices. Nokia doesn’t say if it will erase anything from the affected phone aside from the “Curse of Silence” messages.

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

No word yet on software that can undo the problem for devices with S60 2nd edition with Feature Pack 2 and 3.

You can also check out this site to find out if your handset is running S60 and what Feature Pack it has.


A few days after this post, Nokia released SMS Cleaner for Feature Pack 2 and 3.

Posted in DOS, ISMS, malware | Tagged: , , , , , | Leave a Comment »

Curse of Silence Update

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 9, 2009

F-Secure apparently has a solution for this, but you would have to pay for it after 15 days. I’ve also confirmed that this attack works on at least one of the major local networks. No word yet if they have changed their settings to what was suggested to stop the attack. Sony Ericsson UiQ devices were found by F-Secure to also be vulnerable to the attack.

Nokia isn’t very worried about it since it is a denial of service attack and doesn’t allow an attacker to leach information from your cellphone. I still think it would be very annoying if I would have to do a factory reset of my phone, losing all my contacts, settings and messages. I also wouldn’t like it if my competitor knows my company uses the vulnerable phones and starts shutting down SMS capabilities until we notice it. That could potentially hit productivity and the bottom line.

I have no details of the local test done except that it exists and it was possible. If one watches the video, the victim wouldn’t even know who sent the message. The phone just stops receiving messages… in other words, Nokia’s advice in the Heise Security article is pretty useless.

Nokia which got the demo around a month before the public release and which recently acquired Symbian, is currently working on a remedy for the vulnerability. I will post it here as soon as I get word of it.

Posted in vulnerability | Tagged: , , , | Leave a Comment »

Happy New Year to All :)

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 6, 2009

A lot of people in the Philippines are probably still hungover from the long vacation from Dec 25 to Jan 4, unless of course they were part of sales, or a BPO… anyway, on to the news:

OpenVAS 2.0 was released around two weeks ago, and a respected security expert (who wishes to remain anonymous) thinks it is, “fast approaching the maturity level needed to truly compete with Nessus in the vulnerability assessment area.”

The OpenVas 2.0 press release states that:
OpenVAS is a fork of the Nessus security scanner which has continued development under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0 in October 2007, the OpenVAS developers continued the auditing of the code inherited from Nessus and have added a variety of useful features for OpenVAS users, for server administrators and for developers of Network Vulnerability Tests (NVTs).

Some of the Philippines’ high ranking government officials may want to look into cellphone voice encryption (as mentioned in this SecurityPark.net article) before calling some other high ranking government official so that they wouldn’t need to give a televised public apology (wink).

Speaking of mobile phone security, there was a DOS vulnerability found in Nokia Series 60 cellphones just before new year’s eve called the “Curse of Silence”, which either stops the cellphone from receiving SMS until a factory reset is done (Series 60 2.6 and 3.0 devices) or not all SMS’s are received (Series 60 2.8 and 3.1).

This is done via the following steps (check out the demo video link below):
For Series 60 phones v2.2, 2.3, 3.0 and 3.1 attack target phones
1. create an email that has an e-mail address with more than 32 characters followed by a space.
2. set TP Protocol Identifier of SMS Message to Internet Electronic Mail
3. send message to target (eleven times to Series 60 v 3.1, only one message is needed for all other versions)

There are currently no client side workarounds published as of the moment. If ever you work for Smart Communications, Globe Telecom or Sun Cellular maybe your network team can take heed of the suggestion in the document that “network operators should filter messages with TP-PID ‘Internet Electronic Mail’ and an email address of more than 32 characters or reset the TP-PID of these messages to 0″. I also do not have a Series 60 phone mentioned in the list so I cannot test if it can affect cell phones here in the Philippines. Kindly drop me a line in case you were able to test this.

Phones affected:
S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

More details can be found in a must see video (21 MB) and a document (6.8 KB) on the website of Tobias Engel, who is a member of the Chaos Computer Club.

Microblogging site Twitter had a major breach and has phishing problems reports HeiseSecurity, SCMagazineUS, and SecurityFocus. Apparently, US President elect Barack Obama’s and Britney Spears’ accounts were compromised.

In related news, (The Register) Bogus LinkedIn profiles punt malware to fools.

A security update for the popular email client Mozilla Thunderbird was recently released. (Heise Security report, SCMagazineUS report)

The recently found MD5 vulnerability links:
(SCMagazineUS) MD5 insecurity affects all internet users
(SCMagazineUS) Hackers find hole to create rogue digital certificates
(Heise Security) Verisign/RapidSSL close 25C3 MD5 vulnerability
(SecurityFocus) Survey: One in seven SSL certificates are weak

Posted in News, Social Networking, social engineering, vulnerability, vulnerability assessment | Tagged: , , , , , , , , , , , , , , , , | 1 Comment »

Now its Firefox’s and Opera’s turn (Updated)

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 19, 2008

Firefox and Opera both patched their software this week after new critical vulnerabilities were found in both.

Firefox
Mozilla Foundation Security Advisory 2008-60
Security Focus BID

Opera Security Advisories
http://www.opera.com/support/kb/view/921/
http://www.opera.com/support/kb/view/924/
http://www.opera.com/support/kb/view/920/
http://www.opera.com/support/kb/view/923/

IE Bug Update
(Computerworld) Hackers exploit IE bug with ‘insidious’ Word docs – ActiveX control in Word file downloads malware to unpatched PCs, says McAfee

MS08-078 and the SDL – The MSDN blog has released an analysis of the recent zero day bug of IE. In the end, the author states, “I think this bug is a great example of ‘you will never get the code 100% right, so multiple defenses are critical.’”

⌘+⇧+L and other useful OS X hidden features – Not Security related but I thought that some Mac heads might find this useful.

(Security Park) 44 per cent of EU SMBs have been attacked by cyber criminals
Adobe Flash Player for Linux Security Bulletin and Update
(Heise Security) Keyloggers under the microscope – A team assembled by honeynet specialist Thorsten Holz from the University of Mannheim has published a case study of banking trojans, keyloggers and their dropzones. “Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones” is available for download here.
(Security Park) Mobile Phone Security Tips

Posted in ISMS, Whitepapers, vulnerability | Tagged: , , , , | Leave a Comment »

Info Sec News: Nov 18, 2008

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 18, 2008

BBC Click on Biometrics

A few weeks ago BBC News Click published How biometrics could change security. The week after, they then published, “The pitfalls of biometric systems“.

Since its somewhat related to physical security, A UK fingerprint developer can read a letter from its envelope.

More news about the keyboard electromagnetic sniffing that was making the news last month:

  • From The Register Swiss boffins sniff passwords from (wired) keyboards 65 feet away
  • From BBC Keyboard sniffers to steal data
  • Video on keyboard sniffing from the very people that did the experiment can be found at COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED KEYBOARDS.
    • The Register gives a tutorial on encrypting e-mails in, “Still sending naked email? Get your protection here“.

    Pretty sad that a UK Anti-Fraud site has crashed due to DDOS attack.

    The popular and free AVG Anti-virus has once again identified a trojan that isn’t one.

    A Vulnerability has also been discovered in the SSH Specification.

    The New York Times reports that Privacy Laws Trip Up Google’s Expansion in Parts of Europe

    The Federation of American Scientists (FAS) Secrecy blog, reports that terrorists can presumably use twitter, instant messaging, etc. The article Spy Fears: Twitter Terrorists, Cell Phone Jihadists by Noah Shachtman on Wired talks about it more.

    If you’re interested on the pdf exploit (also see below in other news), Didier Steven’s Blog, talks about Shoulder Surfing a Malicious PDF Author.

    Other News:

  • Email ruse uses Federal Reserve Bank name to drop PDF exploit
  • Cybercrime expected to ramp during holiday season
  • New attack targeting Windows Mobile phones
  • Apple issues 11 security updates for Safari browser
  • How Outsourced Call Centers Are Costing Millions In Identity Theft
  • Although somewhat unrelated, InfoSec Professionals might also be interested in this article on airport security, The Things He Carried
    • White paper on Designing and implementing malicious hardware presented at the LEET ‘08

    White Hat World Webinar on 10 Reasons your Existing SIEM Sucks! This will be held on Thursday, November 20, 2008 4:00 am Philippine time.

    Posted in ISMS, News | Tagged: , , , , , , , , , , , , , , , , , | Leave a Comment »