Date: Tue Feb 21 10:00:19 2006
From: markus.jansson at hushmail.com (Markus Jansson)
Subject: Insecurity in Finnish parlament (computers)

Juha-Matti Laurio:
 >http://blogs.securiteam.com/index.php/archives/299
 >entitled as "Cell phone operator sent 7000-large government account
 >information with unprotected e-mail".

Good article, but it lacks one important aspect of the fiasco:
TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which
made it possible to eavesdrop on its/government's GSM:s. This was the
"big" fuss.

OK, basically whether or not you are using A5/1 or A5/0 makes no
difference, since A5/1 is so easily cracked that any serious attacker
can do it anyway (or crack COMP-128-1 or COMP-128-2). If you have the
tools to capture/listen to GSM calls, you can relatively easily get the
stuff to attack A5/1 and COMP-128-1 or 2 anyway. But of course it was
nice to "hype" about the fact that TeliaSonera disabled crypto too. And
maybe some folks still don't understand that A5/1 is broken and think
that it offers some protection. LOL.

Anyway, the only sensible way to secure governmental cellular phones would
be to use strong crypto/suitable GSM:s, like http://www.cryptophone.de/ so
that every member of government/parliament could talk securely with any
other member of government/parliament and some officials too. Of course if
people in the Finnish parliament or infosec/compsec sections knew a
drek about crypto and security, they would have already done it. ;)
Putting all their eggs again in one basket (Elisa) and without strong
end-to-end-crypto does not help much.

BTW. How long would you think it would take them to spot
false-base-station type of attacks near our parliament house? ;)

-- 
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
