Erik`s InfoSec Blog

Of course people found a way around it...

2008-08-28T15:16:00.003-04:00

This may be old news for some of you by now, but Wired (Dave Demerjian) has an interesting blog entry on the (unforseen?) impact of having Wifi access on planes. The airlines industry seems to think that Wifi is fine as long as people don't use it to VOIP.

Apparently, phone conversations are a big no-no on an airplanes. Why exactly?

Wired also looks at this in their last issue:

http://www.wired.com/gadgets/gadgetreviews/magazine/16-09/ts_burningquestion

But instead of creating a rule and enforcing it in-flight (it should be pretty easy to notice somebody holding a converation with their computer), airlines actually thought that they could *block* people from VOIP.

Come on, do airlines really want to play the cat and mouse game that companies have been playing with staff for a while now?

Block -> Workaround -> Patch/Block -> WorkAround...

The *hack* (workaround sounds better) that they talk about involves a twitter plug-in. But I can think of at least a dozen ways to do this on the fly without much more than a Linux laptop or a Windows XP machine with a few security tools.

And to think that the company set this up seems surprised by all this...

http://blog.wired.com/cars/2008/08/despite-airline.html

How to Avoid Ethical and Legal Issues In Wireless Network Discovery

2008-07-25T12:59:00.001-04:00

Author: Erik Montcalm

1.0 Executive Summary
A very important subject with any new technology is deciding how current laws deal with new issues that this new generation of products might raise. Several actions that we used to take for granted now could possibly be perceived as illegal. This paper deals with the legal gray area that is specific to wireless network analysis and discovery tools. These tools are very useful for security networking experts, wireless network enthusiasts and malicious hackers alike.

This paper takes the position that wireless network discovery tools are similar in nature to port scanners. Therefore, the same criteria should be applied to both when deciding what is ethical or legal. Using both these types of tools in a completely legal manner usually requires a combination of honorable intentions, making sure not to adversely affect the networks we are probing and taking necessary configuration and procedural steps to stay on the good side of the law.

This paper provides basic background information about wireless network security, explains the legal and ethical issues that might arise, categorizes the type of people that might use these discovery tools and attempts to give recommendations for each category

2.0 Introduction
The market for wireless applications and hardware is growing at a phenomenal rate. As with most new technologies that gains market acceptance, the deployment phase is usually followed by the discovery of security issues and subsequent “tweaking”. A good example of this pattern is Internet transactions. In the early nineties, most people didn’t even know what the Internet was. By the end of the 90’s, the Internet was quite the rage and online transactions were booming. But unfortunately, it is estimated that “in the period from 1998-2000, 50% of non-bank online banking had existing vulnerabilities.” [2]

Read Complete Article

Are You Secure? : A Guide to Personal Security

2008-07-25T12:30:00.000-04:00

Author: Mitchell Choiniere

ABSTRACT

Within the last ten years, the advent of the “Information Age” has created a need for a sense of greater personal security. In the time it takes for someone to press “enter”, access to our personal information such as credit history, medical records, and insurance information, to name a few, can be acquired with great ease. This leaves most of the population, uneducated and uninformed as to how to protect themselves, vulnerable to the real threat of identity violation.

People have always placed much importance on the security and protection of their monetary and tangible assets. We know how to acquire insurance for our belongings, how to provide physical protection for our belongings with alarm systems, and even how to defend our physical person if need be. However, the majority of the population, security professionals included, tend to overlook the most basic principles of these things we build a false sense of security around.

This is because people do not understand how they are at risk. If they do not understand how they are at risk how can they possibly prevent the real threats against them. Some forms of violation are obvious and leave the victims without a doubt that they have indeed been under attack: theft of personal belongings, physical attacks and harassment are examples of such violation. However, in many cases, people don’t even know that they’ve been compromised. Not only do they not know they’ve been compromised, but they do not have the skills to respond appropriately to the situation.

I have broken down the concept of personal security into the following fields: Identity Theft, Home Computing Security, and Personal Physical Security. This paper seeks to serve as a resource to help the average person understand specifically how they are at risk. It will then explain how to prevent attacks within these three areas, and finally, to inform them how to respond in cases where violation has already occurred.

Read Complete Article