Be Aware: SIM Card Hacking

According to Andrew Jaquith, CTO and SVP of Cloud Strategy at SilverSky, the most impressive presentation of Black Hat 2013 was Karsten Nohl’s SIM card hack demonstration in which he accessed SIM cards (that identify a phone’s owner and store personal data) by exploiting flaws in the encryption keys and sending a hidden SMS text message. Jaquith noted that the presentation lived up to the hype as an impressive and strong piece of research.

“Nohl found that due to flaws in the way SIM cards communicate with mobile operator networks, an attacker could recover DES-encrypted secret keys and, in theory, inject signed malware into the phone's JavaCard. That could enable decryption of all calls, recovering data from banking apps that store data on the SIM, and reading everything on the SIM card, including getting all of the information needed to clone the SIM. I watched him "clone" a SIM card in real time. Any phone that has a SIM card could be at risk. This includes iPhones and Android devices on AT&T or T-Mobile networks in the US, and every European carrier. This was a very impressive body of research, and quite scary. The mobile operators are taking this issue very proactively; that shows just how serious the threat is.” — Andrew Jaquith,

Traveler Beware: Hotel Room Card Key Hacked!

Hackers can now gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated at the Black Hat conference in Las Vegas recently. Apparently, there is no easy fix. If the hotels want to secure their guests, every single lock will have to be changed.

If you are traveling this year, do not leaving anything valuable in your hotel room. If the room has a safe, use it. If not, take your items with you, such as hard drives, thumb drives, computers, tablets, smart phones and iPods. Also, according to the Wall Street Journal, 40% of all major city robberies now involve Apple products.

More details at http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller.

Change your linkedin password, now!

Earlier in June, news that more than 6.5 million passwords from LinkedIn were reported compromised. The passwords are encrypted, but the criminals who stole them, posted them and asked for help to crack the codes. Apparently they are in a format that makes them relatively easy to break.

If you haven't already done so, please update your LinkedIn password, which is even more important if you use the same password on LinkedIn as you do on other sites.

In addition, you can use a password management plugin on your browser to store and generate unique passwords and keep them safely encrypted in one place, protected by a single strong password.

Malware installed through Hotel Internet Connection

IC3 (Internet Crime Complaint Center) just released an intelligence note stating a recent discovery by the FBI of malicious actors targeting travelers abroad through pop-up windows when they attempt an Internet connection to their hotel rooms. If a traveler attempts an Internet connection, he is presented with a pop-up window notifying him to update a widely-used and legitimate software product. If installed, malware is installed on the laptop. So take your software updates right before traveling and don't install any software while on the road.

How to protect yourself from malicious QR codes

Quick Response Code (QR code) — is a type of matrix barcode (or two-dimensional code) first designed for the automotive industry. More recently, the system has become popular outside of the industry due to its fast readability and large storage capacity compared to standard UPC bar code. In many cases, they are encoded web links, intended to save users the hassle of writing down a web address or other information. A quick scan with a smartphone is all you need to use the decoded message 

Criminals have discovered that they can use QR codes to infect your smartphone with malware, trick you to visiting a phishing web site, or steal information from your mobile device. All a criminal has to do is use one of the QR code-generating tools available for free on the Internet, print out the code and affix it to an existing ad or poster, replacing the safe QR code with his risky one. You won't know you're scanning a malicious link until it's too late.

What can you do to protect yourself from Malicious QR codes?
1. Only use a QR code reader app that has built-in security features
There are many QR code readers out there. Some are more secure than others. Several vendors are aware of the possibility of malicious QR codes and have taken measures to prevent users from being duped by harmful codes. Norton Snap is a QR code reader available for both iPhone and Android. After a code is scanned by Norton Snap, it's content is shown to the user before the link is visited so that the user can decide to visit the link or not. Norton also takes the QR code and checks it against a database of malicious links to let the user know if it is a known-bad site or not.

2. Enable the QR code review prior to link opening feature in your QR Code reading application
Before installing a QR code reader app on your smartphone, check to see what security features it offers. Check to make sure that it will allow inspection of the decoded text prior to opening up the code in a browser or other targeted application. If it doesn't allow this capability, dump it and find one that does.

3. Inspect the QR code to make sure it's not a sticker
While many QR codes are found on websites, the majority of the codes that you will probably encounter will be in the real world. You might see a code on a store display or even on the side of a coffee cup, Before you scan any code you find, feel it (if possible) to make sure that it is not a sticker that has been placed over the real code. If you find a malicious QR code, report it to the owner of the business where you found it.

More details can be found at http://netsecurity.about.com.