16 November 2016

161116 Major security hole at Swedish mobile operator Comviq

A major security hole at Swedish mobile operator Comviq may reveal the personal data of any subscriber.
The backdoor was discovered today, 161116.
Even when logged in with a certain subscriber identity, you can, under certain conditions, access the personal data of any other subscriber.
Comviq and its parent company Tele2 have been informed.
The backdoor was documented with screenshots sent to Comviq/Tele2.
For obvious security reasons no details are given here.

23 September 2016

Bypass of login security and total scan on Swedish State Railways SJ WiFi

On 2016-09-22 I was travelling on an X2000 fast train belonging to Swedish State Railways SJ from Linköping to Stockholm.
What I discovered... no need to authenticate or log in to access the SJ WiFi network used by most passengers.
I attach a screen dump.

All devices belonging to travellers: laptops, tablets, smartphones, became totally accessible.
No services or ports were blocked.
SSH, RDP, Telnet, Samba Shares, SMB, all were open and I could do anything on any remote device.
Over 50 devices were vulnerable.

I informed those responsible at SJ of my discovery.
No technical details will be disclosed for obvious security reasons.

30 July 2016

How secure are in fact VPN or Red Phone

Article inspired by a PM received on XDA forum.

Hello there! Finally someone who cares about security.
Originally Posted by iunlock

Greetings, I've been reading some of your posts and all that info is right up my alley. It's hard to find someone who actually cares about this stuff like I do. Anyhow, I have some questions that you may be able to answer for me. A lot of people I've tried to run this by don't have any passion for security so I've only received half "" answers, which is not what I'm seeking.
What do you think about this set up.
1. I use a VPN that claims they don't keep logs on my phone. But who knows...better than nothing? Or are these companies compromised? See if I was the big bad wolf, I'd either create VPN companies to give people options to trick them into thinking they have security with a VPN (illusions) and/or pay VPN companies a dollar amount that they can't refuse for a backdoor...ie...easy access any time to the traffic and data. So what if VPN companies lie about their claims...who's going to tell right? $win-$win situation for big bad wolf and the VPN company that couldn't refuse the $ offered. Interesting eh?
2. Tor/Orweb. Hmm....slow as a dead turtle, but does it really work like they claim? I do see some truth to this though with its concept, but going back to what I said above. $ talks?
3. Password managers like last password, 1 Password etc... again if I was the big bad wolf, would I not be able to make $ talk? Makes you think.
4. Secure apps...like jitsi, xabber, encrypted stuff...etc. ..
On the flip side of the coin, there are true security nuts who hate the big bad wolf and a lot of these people are the founders of some of these VPN companies and alike. So there's some comfort in knowing that I assume....also open source stuff is good because they are transparent. No messing around there. Anything funny or fishy would be known for any vulnerability in the app etc....
With all that stuff aside, assuming you did trust the VPN, tor etc....what's the best we can do security wise for our phones?
Well I think using a VPN is a must. Next using gpg to encrypt all emails along with encrypted chat clients. Then the use of tor to proxy your connections like mail, chat, fb, twitter etc....
What are your thoughts?
BTW, I don't use Facebook (Cia / prism) buffet....
I think gpg is the only sure way of true security.
In the real world, having the convenience for non important things makes the use of Gmail and other Google apps convenient.
Never do I ever use any real info for any of these accounts lol.
So the question is....will using a VPN, encrypted email, encrypted chat client, and tor do the trick?
How about the use of redphone app with Google voice on VPN since it uses data and not voice tunnel?
A lot of cool stuff....would love to hear your thoughts.

Hi, sorry for such a late answer.
Please read my posts on my security blog.
As a guideline:
There is no secure VPN or provider, all depends on your "enemies" or whom are you afraid of. It all depends on who "don't care about you".
And what you want to do.
Everything located on US territory will report in case to US authorities. Same goes for Germany, Russia, China.
Also for smaller countries: Canada, New Zealand, Australia - all will report to UK and USA.
Same for Austria, Finland, Sweden - all will report to USA, UK, Germany.
The close ties in SIGINT cooperation are 100% the same for so-called VPN providers/software.
IMHO it's a waste of money to pay for a VPN. If you want to do something against the law.
Respect the laws and ignore VPN.
All of the above is for private persons.
If you are an enterprise, physically own the VPN server and never trust any 3rd party.
With kind regards
Zeno Sloim

Part 2

Red Phone - bogus for naive people
Any product (hardware or software) produced on German territory HAS a backdoor for German state authorities and Germany's close SIGINT partners: USA, UK.
Any product made on USA territory has backdoors for US state authorities.
The whole Apple FBI encryption scandal was bogus for the general public; all Apple products have a backdoor.
It's a matter of time how quickly the authorities will know and decrypt your private data "travelling on the internet".
Best solution is to try to keep it LOCALLY, as much as possible, by controlling anything going out of your phone.
It's not easy for a normal user.
But use only apps verified by you.

With regards
Zeno Sloim

28 February 2016

IT-services Outsourcing - Between cutting costs and major security risks

Outsourcing is a widespread practice nowadays in major corporations and state organizations.
Most directors and leaders see it only as a marvellous key solution for cutting costs.
True, but a very naive vision.

The hidden dark side is often ignored: major security risks.


Outsourcing is done by another company, which has other economic interests and is more preoccupied with its own image and prestige than with being a fair partner.
In case of major problems, the top priority is hiding the real scale of events from the customer and keeping it secret.
If everything is solved in a reasonable time, a "filtered" version is presented and billed to the customer.
In the case of unsolved events, everything remains highly secret and it is almost 100% certain that the customer will never know.

Hence major security risks and headaches for the future.

The aspect becomes more critical when outsourcing is done via nested intermediary providers or foreign companies.
The economic and legal aspects become very diffuse in case of incidents and disputes.
It becomes impossible to control and track highly sensitive internal information.

And when outsourcing is done by a foreign company, it's only a single step to economic/technical espionage and catastrophe.

IMHO it is a fundamental mistake to choose such solutions in critical key sectors of the state or corporations.
In such situations, ISO27000, ITIL and Common Criteria remain only simple, obsolete words.

Solution: think wider in the future; short-term cost cutting via outsourcing might be your next step to disaster.

Want outsourcing? Use only national companies which are easy to control, check and verify.

The ancient expression "Never trust a stranger" is still very relevant in IT security.