April 2010 Archives

Time to hug a PGP employee?


Very rarely do I ever get to witness the effects of a corporate takeover first hand but the acquisition of PGP by Symantec, announced lunchtime on the last day of InfoSec 2010 was to be different.

I had been through the usual InfoSec battering of interviews, keynotes and random discussions which are the hallmark of this important annual event. My antenna was starting to pick up some odd behaviour chez PGP. Stranded executives unable to attend "because of the ash" (because of the cash?) coupled with a rather bizarre discussion with another very preoccupied executive on the Thursday morning who insisted they "only had time for a 10 minute chat" and hid their laptop from view in the public display area.

Clearly something was not right.

I was sitting on the Symantec stand an hour or so later having a chat with a senior product person when I was told the news. What was to be a pleasant discussion about Symantec turned into a bit of a navel gazing exercise as we all ruminated about the ramifications of the deal.

Symantec has had an encryption sized hole in their offering that had been papered over but never properly filled. Unlike McAfee, who realised the importance of encryption and went after Safeboot in late 2007, Symantec never really took the plunge until this week. The OEM relationship that Symantec had with GuardianEdge provided them with some data protection experience which has now been confirmed with the purchase of that company for a seemingly cheap £70M. Certainly in the past I had heard good things about GuardianEdge but have been rather disappointed in their performance over the past couple of years as they seemed to retrench back to the US, neglecting EMEA. Maybe it was a BOGOF - Buy One Get One Free - and Symantec thought they may as well pay a bit more and get GuardianEdge as well.

PGP have been upping their game recently, as was demonstrated by the TrustCenter acquisition, taking them further into the security infrastructure world. The strategy appeared to resonate well and gave me cause to think that PGP had finally gotten their strategic act together and were set on a very interesting path. Clearly Symantec thought the same hence the $300M deal.

Symantec now have to turn this acquisition into something useful, something that will prove wrong the many in the market who consider them synonymous with irritating bloatware. PGP is good, well proven technology that carries a strong brand and should not be sucked into the "borg" never to be seen again.

As for the PGP people I saw on Thursday afternoon at InfoSec, clearly they were too junior to be counting their stock options and were actively considering their futures. I for one felt an urge to give them all a hug and tell them it will all come right in the end; my only hope is that I am right.

Nigel Stanley
Practice Leader - Security
Bloor Research

Mobile Phone Hacking for £1000


History was made the other evening when the UK's three wannabe prime ministers took centre stage for a TV debate. This was the culmination of weeks of rehearsals, practice runs and body language training.

But what if I then tell you that every mobile phone call made by one of the campaign teams preparing for this TV event was secretly recorded and analysed, enabling their rival to understand everything from the campaign strategy through to the likely rebuttal to a particular question?

Illegal? Of course. Far-fetched? No longer.

The past few months have seen the mobile phone industry thrown into turmoil as the computer hacking community has carried out successful attacks against mobile phone call security. I wrote an article about such a hack a while back, but at that point it remained a theory rather than a practical way to listen in on mobile phone calls.

In this article I commented that the best way of getting access to mobile phone calls was to set up a fake base station, something that has historically been difficult and expensive. Little did I know that within 4 months we would have a practical mobile phone hacking kit, using off-the-shelf equipment and a fake base station, for around £1000. Not only that, but the software needed to run the hack is available as a neatly packaged CD, free of charge.

There is even a video demonstration of the hack available here.

Government agencies have had capabilities to listen in on mobile phone calls for years, by tapping the insecure and unencrypted landlines that run from cellular base stations back to the exchanges and beyond. This new hack is different as it enables a criminal to set up a false mobile phone base station, capturing all phone calls within the vicinity, at very low cost.

It relies on a feature of mobile phones that forces them to automatically link into the closest base station to conserve their battery power. By setting up a false base station close to their intended target, hackers can capture the victim's phone signals. This type of intercept tool, called an IMSI catcher, has been around for a number of years but was only available to approved government agencies and at a cost of hundreds of thousands of pounds.

Now a standard PC running the OpenBTS software GSM base station, an Asterisk PBX to link calls into the public phone network and a software-defined radio receiver black box are all you need to capture these same phone calls.

For many people the only risk of their mobile phone conversation being intercepted was when they decided to bellow into their phone on a crowded train. Now we all need to face the fact that our calls can be intercepted with little effort.

Those that use mobile phones believing they are secure should think again, be they wannabe prime ministers, captains of industry or anyone else who shares confidential information via the mobile phone.

Nigel Stanley
Practice Leader - Security
Bloor Research
