Entries Tagged "cell phones"


Security Risks of Airplane WiFi

I’ve already written about the stupidity of worrying about cell phones on airplanes. Now the Department of Homeland Security is worried about broadband Internet.

Federal law enforcement officials, fearful that terrorists will exploit emerging in-flight broadband services to remotely activate bombs or coordinate hijackings, are asking regulators for the power to begin eavesdropping on any passenger’s internet use within 10 minutes of obtaining court authorization.

In joint comments filed with the FCC last Tuesday, the Justice Department, the FBI and the Department of Homeland Security warned that a terrorist could use on-board internet access to communicate with confederates on other planes, on the ground or in different sections of the same plane — all from the comfort of an aisle seat.

“There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft, and law enforcement needs to maximize its ability to respond to these potentially lethal situations,” the filing reads.

Terrorists never use SSH, after all. (I suppose that’s the next thing the DHS is going to try to ban.)

Posted on July 14, 2005 at 12:02 PM

Risks of Cell Phones on Airplanes

Everyone — except those who like peace and quiet — thinks it’s a good idea to allow cell phone calls on airplanes, and they are working out the technical details. But the U.S. government is worried that terrorists might make telephone calls from airplanes.

If the mobile phone ban were lifted, law enforcement authorities worry an attacker could use the device to coordinate with accomplices on the ground, on another flight or seated elsewhere on the same plane.

If mobile phone calls are to be allowed during flights, the law enforcement agencies urged that users be required to register their location on a plane before placing a call and that officials have fast access to call identification data.

“There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft,” the agencies said.

This is beyond idiotic. Again and again, we hear the argument that a particular technology can be used for bad things, so we have to ban or control it. The problem is that when we ban or control a technology, we also deny ourselves some of the good things it can be used for. Security is always a trade-off. Almost all technologies can be used for both good and evil; in Beyond Fear, I call them “dual use” technologies. Most of the time, the good uses far outweigh the evil uses, and we’re much better off as a society embracing the good uses and dealing with the evil uses some other way.

We don’t ban cars because bank robbers can use them to get away faster. We don’t ban cell phones because drug dealers use them to arrange sales. We don’t ban money because kidnappers use it. And finally, we don’t ban cryptography because the bad guys use it to keep their communications secret. In all of these cases, the benefit to society of having the technology is much greater than the benefit to society of controlling, crippling, or banning the technology.

And, of course, security countermeasures that force the attackers to make a minor modification in their tactics aren’t very good trade-offs. Banning cell phones on airplanes only makes sense if the terrorists are planning to use cell phones on airplanes, and will give up and not bother with their attack because they can’t. If their plan doesn’t involve air-to-ground communications, or if it doesn’t involve air travel at all, then the security measure is a waste. And even worse, we denied ourselves all the good uses of the technology in the process.

Security officials are also worried that personal phone use could increase the risk that a remotely-controlled bomb will be used to down an airliner. But they acknowledged simple radio-controlled explosive devices have been used in the past on planes and the first line of defence was security checks at airports.

Still, they said that “the departments believe that the new possibilities generated by airborne passenger connectivity must be recognized.”

That last sentence got it right. New possibilities, both good and bad.

Posted on June 8, 2005 at 2:40 PM

Paris Hilton Cellphone Hack

The inside story behind the hacking of Paris Hilton’s T-Mobile cell phone.

Good paragraph:

“This was all done not by skilled ‘hackers’ but by kids who managed to ‘social’ their way into a company’s system and gain access to it within one or two phone calls,” said Hallissey, who asked that her current place of residence not be disclosed. “Major corporations have made social engineering way too easy for these kids. In their call centers they hire low-pay employees to man the phones, give them a minimum of training, most of which usually dwells on call times, canned scripts and sales. This isn’t unique to T-Mobile or AOL. This has become common practice for almost every company.”

How right she is.

EDITED TO ADD (11/11): Everyone, please stop asking me for Paris Hilton’s — or anyone else’s, for that matter — cellphone number or e-mail address. I don’t have them.

Posted on May 23, 2005 at 12:41 PM

T-Mobile Hack

For at least seven months last year, a hacker had access to T-Mobile’s customer network. He’s known to have accessed information belonging to 400 customers — names, Social Security numbers, voicemail messages, SMS messages, photos — and probably had the ability to access data belonging to any of T-Mobile’s 16.3 million U.S. customers. But in its fervor to report on the security of cell phones, and T-Mobile in particular, the media missed the most important point of the story: The security of much of our data is not under our control.

This is new. A dozen years ago, if someone wanted to look through your mail, they would have to break into your house. Now they can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your house; now it’s on a computer owned by a telephone company. Your financial data is on Websites protected only by passwords. The list of books you browse, and the books you buy, is stored in the computers of some online bookseller. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others.

We have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. T-Mobile suffered some bad press for its lousy security, nothing more. It’ll spend some money improving its security, but it’ll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers.

This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as that data is held by others. The police need a warrant to read the e-mail on your computer; but they don’t need one to read it off the backup tapes at your ISP. According to the Supreme Court, that’s not a search as defined by the 4th Amendment.

This isn’t a technology problem, it’s a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don’t have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant — even though it occurred at the phone company switching office — the Supreme Court must recognize that reading e-mail at an ISP is no different.

This essay appeared in eWeek.

Posted on February 14, 2005 at 4:26 PM

Automobile Virus

SC Magazine is reporting on a virus that infects Lexus cars:

Lexus cars may be vulnerable to viruses that infect them via mobile phones. Landcruiser 100 models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet.

It seems that no one has done this yet, and the story is based on speculation that a cell phone can transfer a virus to the Lexus using Bluetooth. But it’s only a matter of time before something like this actually works.

Posted on February 2, 2005 at 8:00 AM

Phishing by Cell Phone

From an alert reader:

I don’t know whether to tell you, or RISKS, or the cops, but I just received an automated call on my cellphone that asked for the last four digits of my Social Security number. The script went:

Hello! This is not a solicitation! We have an important message for J-O-H-N DOE (my first name was spelled out, but the last name was pronounced). If this is J-O-H-N Doe, Press 1 now!

(after pressing 1:)

For your security, please enter the last four digits of your Social Security Number!

I have no idea who it was, because I’ll be — damned — if I’d give out ANY digits of my SSN to an unidentified party. My cell’s display is broken so I’m not sure whether there was any caller ID information on it, but I also know that can be forged. What company expects its customers to give up critical data like that during an unidentified, unsolicited call?

Sadly, there probably are well-meaning people writing automatic telephone scripts that ask this sort of question. But this could very well be a phishing scheme: someone trying to trick the listener into divulging personal information.

In general, my advice is to not divulge this sort of information when you are called. There’s simply no way to verify who the caller is. Far safer is for you to make the call.

For example, I regularly receive calls from the anti-fraud division of my credit card company checking up on particular charges. I always hang up on them and call them back, using the phone number on the back of my card. That gives me more confidence that I’m speaking to a legitimate representative of my credit card company.

Posted on December 7, 2004 at 1:58 PM

Two-Factor Authentication with Cell Phones

Here’s a good idea:

ASB and Bank Direct’s internet banking customers will need to have their cellphone close to hand if they want to use the net to transfer more than $2500 into another account from December.

ASB technology and operations group general manager Clayton Wakefield announced the banks would be the first in New Zealand to implement a “two factor authentication” system to shut out online fraudsters, unveiling details of the service on Friday.

After logging on to internet banking, customers who want to remit more than $2500 into a third party account will receive an eight-digit text message to their cellphone, which they will need to enter online within three minutes to complete the transaction.

It’s more secure than a simple username and password. It’s easy to implement, with no extra hardware required (assuming your customers already have cellphones). It’s easy for the customers to understand and to do. What’s not to like?
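The server side of the scheme the article describes can be sketched as follows. This is an added example, not the banks' code: the threshold, code length and three-minute window come from the article, while the `send_sms` callback, the attempt limit and the binding of each code to one payee and amount are assumptions that go beyond it.

```python
import hmac
import secrets
import time

THRESHOLD_CENTS = 2500 * 100   # article: transfers of more than $2500 need a code
CODE_DIGITS = 8                # article: eight-digit text message
CODE_TTL = 180                 # article: must be entered within three minutes
MAX_TRIES = 3                  # assumption: attempt limit, not stated in the article


class TransferAuthorizer:
    def __init__(self, send_sms, clock=time.monotonic):
        self.send_sms = send_sms   # hypothetical callback: send_sms(phone, text)
        self.clock = clock
        self.pending = {}          # session -> [code, payee, cents, expiry, tries]

    def request(self, session, phone, payee, cents):
        """Start a transfer; large ones wait for the texted code."""
        if cents <= THRESHOLD_CENTS:
            return "approved"
        # CSPRNG, zero-padded so every code is exactly eight digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[session] = [code, payee, cents,
                                 self.clock() + CODE_TTL, MAX_TRIES]
        # Naming payee and amount in the text lets the customer spot a swap.
        self.send_sms(phone, f"Code {code} authorises "
                             f"${cents / 100:.2f} to {payee}")
        return "code_sent"

    def confirm(self, session, payee, cents, code):
        """Check the code the customer typed into the banking site."""
        entry = self.pending.get(session)
        if entry is None:
            return "no_pending_transfer"
        stored, want_payee, want_cents, expiry, _ = entry
        if self.clock() > expiry:
            del self.pending[session]
            return "expired"
        same_code = hmac.compare_digest(stored.encode(), str(code).encode())
        if same_code and (payee, cents) == (want_payee, want_cents):
            del self.pending[session]      # single use: no replay
            return "approved"
        entry[4] -= 1
        if entry[4] == 0:
            del self.pending[session]      # stop online guessing
            return "locked"
        return "rejected"
```

With only 10^8 possible codes, the attempt limit and the short lifetime are what keep guessing impractical; the code's length alone does not.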

Posted on November 23, 2004 at 9:41 AM

Foiling Metal Detectors

High school kids are sneaking cell phones past metal detectors.

From the New York Post:

Savvy students are figuring out all kinds of ways to get their cell phones past metal-detectors and school-security staff at city high schools, where the devices are banned.

Kids at Martin Luther King Jr. HS on the Upper West Side put the phones behind a belt buckle — and blame the buckle for the beeping metal-detector.

Some girls hide the phones where security guards won’t look — in their bras or between their legs.

Note that they’re not fooling the metal detectors; they’re fooling the people staffing the metal detectors.

Posted on October 27, 2004 at 1:44 PM


Sidebar photo of Bruce Schneier by Joe MacInnis.