07 June 2017

170607 Swedish Digital Identification System BankID from Finansiell ID-Teknik BID AB bypassed on Android

Quote from:
https://www.bankid.com/en/om-bankid/detta-ar-bankid

"BankID is the leading electronic identification in Sweden.
Many services are provided where citizens can use their BankID for digital identification as well as signing transactions and documents.
The services vary from online and mobile banking, e-trade to tax declaration and are provided by government, municipality, banks and companies.
BankID is used both for identification as well as signing.
According to Swedish law, and within the European Union, BankID is an advanced signature and a signature made with a BankID is legally binding.
The customer’s identification is guaranteed by the bank issuing the BankID.
Authorities, companies and other organizations must check the validity of the customer’s identity and signature.
BankID is available on smart card, soft certificate as well as mobile phones, iPads and other tablet devices."

Android app:
Google Play:
https://play.google.com/store/apps/details?id=com.bankid.bus

Quote from:
https://www.swedbank.se/privat/digitala-tjanster/mobilt-bankid/?contentid=CID_378591

"I have got a new smartphone. Can I move my Mobilt BankID over to it?

No, for security reasons it is not possible to move a Mobilt BankID, but if you still have access to your old smartphone you can use it to obtain a new Mobilt BankID.

    Download the BankID security app from Google Play or the App Store to your new smartphone.
    Keep in mind that the phone needs to be connected to the internet via either wifi or 3G.
    Log in to the internet bank with your old smartphone and order a new Mobilt BankID under Tillval – BankID
    Start the BankID security app, create a security code and enter the activation code that you received in the internet bank.

We also recommend that you block the Mobilt BankID that was linked to your old smartphone. You do this in the internet bank under Tillval – BankID"

Unfortunately, I discovered a way to copy and restore Mobilt BankID on a device after a full system restore,
and to have it completely functional with all services using it.
There is no longer any reauthentication with the bank and creation of a new Mobilt BankID, as they say for security reasons.
That means the whole authentication system based on Mobilt BankID from Finansiell ID-Teknik BID AB is bypassed.
Tested with Swedbank.

A further escalation would be to test recreating the Mobilt BankID on another device.

I informed Finansiell ID-Teknik BID AB and Swedbank about the critical security flaw which bypasses the leading electronic identification in Sweden.

No technical details are given publicly.
Only directly (no phone/email/other internet based communication) to implied authorities.

17 May 2017

170517 Swedish National Forensic Center NFC needs to instruct their personnel more in IT Security awareness

Today I travelled back from Stockholm, where I had been for an interview at the Defence Ministry as Chief Engineer for IT Security.

Near me was a higher-ranking employee from the Swedish National Forensic Center.
He was accompanied by several other persons from the same authority.
He started to read some job-related mails and talk with his mates about them.
I concluded they had been travelling to Stockholm on a job-related matter and were returning.
The fact that they were openly discussing job matters made me curious to check their security awareness.
Using a specially modified Bluetooth scanner and promiscuous sniffer,
I noticed they had mobile phones, a tablet and a smart watch wide open to Bluetooth attacks.
Well, I made a sign to their chief and asked him to follow me a few meters away to discuss a private matter.
He followed me, then I informed him about the risks to which he is exposing himself and confidential information from his workplace.
He replied that he was aware... but all the devices he used were... his private ones... not official ones from NFC.
Strange... a personal smartphone, but from the same phone he read official mails and messages to his job comrades.
I'll just do my duty and inform NFC about the events and that they need to raise the awareness of their employees when it comes to IT Security.

16 May 2017

Finalist as Cyber Security analyst at Swedish Secret Service

Finalist in recruitment as:
Cyber Security analyst at the Unit for Tactical Security Analysis belonging to the Security Department of the Swedish Secret Service, under the leadership of the Swedish Prime Minister.

10 May 2017

Physical isolation - last step in securing own internal IT-infrastructure

I wrote 4 years ago in my analysis of how Iran got Stuxnet:
http://zenosloim.blogspot.com/2013/09/how-stuxnet-hit-iran-inside-story.html
and on the insecurity of Cloud services:
http://zenosloim.blogspot.com/2013/09/cloud-services-and-politics-new-cold-war.html

that the only way to total security is complete physical separation of national/internal IT-infrastructure from the rest of the world.

Now my advice is confirmed and applied.
"Russia’s Communications Ministry has developed a program that would allow the isolation of all internal internet traffic on servers located within the country, thus minimizing the risk of foreign hackers meddling with sensitive data."

Quote from:
https://www.rt.com/politics/387835-communications-ministry-proposes-isolation-of/

And those naive people who still think that software solutions from "neutral" small countries are "secure" or "efficient" should think twice.
Being "small" increases the risk of "planting" backdoors ordered by US authorities.

19 April 2017

SWIFT.net penetration

A few days ago a Russian hacker group made public the information that US authorities had secret access to the SWIFT.net network via backdoors in software that had been kept secret until now.
Now that this information is no longer a secret,
I can disclose that as early as April 2010, US authorities had direct hidden access to the French banking group BNP Paribas in Europe.
By using a special syntax and a backdoor in Google servers and Google Bot, someone could access the bank's internal SWIFT.net data traffic, intercepted and retransmitted to US-located servers.
A similar backdoor was available in 2011-2012 for intercepting data traffic from servers belonging to the Romanian Government and Finance Department regarding state contracts and acquisitions.

15 March 2017

170314 Social network VKontakte backdoor giving access to any personal files of any user without login


I had never used VKontakte, but being curious about the Russian representative at Eurovision 2017 - Юлия САМОЙЛОВА  Julia SAMOYLOVA - I "visited" VKontakte.
So I discovered a "way" to access any file of any user, without login.
Burp Suite was used for traffic analysis.

14 February 2017

Critical security flaws with router ASUS RT-AC68U

Just tested a brand new router ASUS RT-AC68U with the latest firmware, here in Sweden.
Looking inside the log, I discovered interesting things, which ASUS must answer.
A lot of unknown IP addresses appeared during booting of the router.
IPs addressed by the router firmware.
I tested them.
It seems that router.asus.com leads to unauthorised access to other owners of Asus routers who authorised WAN access to their routers.
I attach more screendumps.

Something is for sure WRONG!

And ASUS engineers must answer and correct these critical security flaws.
Not to mention that when trying to connect a network printer via LAN, it gets an IP address for about 20 seconds, then gets disconnected.

Waiting for ASUS to address these problems!