
Re: [News] Flaw in Microsoft Wireless Keyboards or Just Another Back Door?

____/ Mark Kent on Wednesday 05 December 2007 12:38 : \____

> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> espoused:
>> ____/ Mark Kent on Tuesday 04 December 2007 11:18 : \____
>> 
>>> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> espoused:
>>>> ____/ Mark Kent on Tuesday 04 December 2007 08:38 : \____
>>>> 
>>>>> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> espoused:
>>>>>> Microsoft wireless keyboards crypto cracked
>>>>>> 
>>>>>> ,----[ Quote ]
>>>>>>| Bluetooth is increasingly becoming the de-facto standard for wireless
>>>>>>| communication in peripheral devices and is reckoned to be secure. But
>>>>>>| some manufacturers such as Logitech and Microsoft rely on 27 MHz radio
>>>>>>| technology which, it transpires, is anything but secure.
>>>>>> `----
>>>>>> 
>>>>>> http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked/
>>>>>> 
>>>>>> Also the proprietary QuickTime for Windows should now be treated as a
>>>>>> security hazard.
>>>>>> 
>>>>> 
>>>>> Nothing sent by radio is ever likely to be proof against eavesdropping.
>>>>> Perhaps using modulated lasers is one of the safe methods, but even that
>>>>> could be sniffed using partially silvered mirrors.
>>>>> 
>>>>> It's also possible to sniff signals through fibres by curving them
>>>>> around a sufficiently narrow bend radius that they leak light.  That
>>>>> light can be collected and demodulated.  Coaxial transmission systems
>>>>> all leak a little, as do twisted pairs and fixed-separation transmission
>>>>> line systems.
>>>> 
>>>> Yes, but that's why it should be encrypted properly, which in this case it
>>>> wasn't (and still isn't). Being an embedded device like this, you can't
>>>> just reflash to patch.
>>> 
>>> Quite right, you can't.  One wonders if open-source designs aren't the
>>> best way forward, since it could be possible to easily reflash with all
>>> manner of suitable encryption tailored to personal need.  I'm not sure
>>> that HMG would accept this at 27MHz, though, since inter-continental
>>> transmission is regularly possible in this part of the spectrum with
>>> relatively low power.
>>> 
>>>> 
>>>>> Not so long ago, some researcher in the UK (Cambridge?) came up with
>>>>> a method for detecting the content of CRT screens remotely by radio
>>>>> detection.  He showed his system displaying the screen of a nearby
>>>>> monitor sufficiently clearly to be easily read.
>>>>> 
>>>>> The best way to keep a secret is, well, don't tell anyone.  If secret
>>>>> data needs to be on a machine, then it should be encrypted, with strong
>>>>> encryption, and should be physically isolated, ideally within a Faraday
>>>>> cage to eliminate as far as possible eavesdropping opportunities.
>>>> 
>>>> Kind of like WEP.
>>>> 
>>>>> Even then, as HMG found out recently, people make mistakes and
>>>>> accidentally send the bank account details, names, dates of birth of
>>>>> Parents, children, NI numbers and more unencrypted on CDs through the
>>>>> post across the country.
>>>>> 
>>>>> Of course we can trust the government!
>>>> 
>>>> Well, the NHS have lost 3.6 billion pounds more than the value of this
>>>> data. People just need to change their passwords... and names... and start
>>>> a new family... and open a new bank account...
>>>> 
>>>> 
>>> 
>>> If the data really makes it into the criminal world, it's quite possible
>>> that millions of people could be defrauded and have no idea even how to
>>> check on it.
>> 
>> Worse -- it could make it into the /hands/ of millions (just potentially,
>> taking it to the extreme. so consider this a figure of speech). The nature
>> of such leaks is that once they are out there, they spread. You could soon
>> get your own copy via a torrent, for example. That's just the nature of
>> private data which is so trivial to duplicate. I bet the underground world
>> might be having a good time with those CDs if they reached the wrong hands
>> and the recipient realises the monetary value of this data.
>> 
> 
> Hopefully this has capped any further foolishness about ID cards,
> though.  Only politicians could be so naive to believe that a government
> could successfully manage such data without security compromise.

Like a toddler hiding behind a stool and thinking that if he can't see /you/,
you can't see him/her. Bruce Schneier's take on this was interesting.

How about this one?

Details of the largest breach of customer data are starting to come to light.

,----[ Quote ]
| "The people who started the breach opened up the back of those terminals and
| used USB drives to load software onto those terminals," says the source. In a
| March filing with the Securities and Exchange Commission, TJX acknowledged
| finding "suspicious software" on its computer systems.
|
| The USB drives contained a utility program that let the intruder or intruders
| take control of these computer kiosks and turn them into remote terminals
| that connected into TJX's networks, according to the source. The firewalls on
| TJX's main network weren't set to defend against malicious traffic coming
| from the kiosks, the source says. Typically, the USB drives in the computer
| kiosks are used to plug in mice or printers. The kiosks "shouldn't have been
| on the corporate LAN, and the USB ports should have been disabled," the
| source says.
`----

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171


Update -- TJX Reveals Extent Of Hacker Damage

,----[ Quote ]
| In Wednesday's filing, TJX said for the first time that it first learned 
| that there was suspicious software on its computer system on Dec. 18, 2006.
`----

http://www.forbes.com/2007/03/29/tjx-companies-fraud-markets-equity-cx_mk_0329markets35.html?partner=yahootix
http://tinyurl.com/38tyyq

-- 
                ~~ Best of wishes

Roy S. Schestowitz      |    "Mod me up and I'll mod you 'insightful'"
http://Schestowitz.com  |  GNU is Not UNIX  |     PGP-Key: 0x74572E8E
roy      pts/2        cg093a.halls.man Wed Dec  5 11:01   still logged in   
      http://iuron.com - proposing a non-profit search engine
