Tag Archives: hacking

Hacker Finds Security Flaws in nokia S40 Series Handsets

A security researcher has discovered a couple of major flaws with Nokia?s mid-rage handsets, which allow him to remotely install malicious application with unprecedented capabilities. He?s keeping the details to himself though unless someone is willing to give him EUR20, 000.

The issues are apparently with Nokia?s series 40 platform, which is the proprietary OS and application stack used in the majority of Nokia?s mid-range handsets. The flaw allows an attacker to install Java applications on to the handset remotely before permitting those apps to access phone functions that should be secured by the Java sandbox.

The flaws have been discovered by Adam Gowdiak. His website doesn?t give away much, but it has been established that the initial installation is performed using a silent WAP-Push command, one that bypasses the usual user interaction, in a process that also executes the newly-downloaded application As well as this, Gowdiak has discovered a way to trick the Java Virtual Machine in to thinking his apps have authorisation to every API on the handset, including native Series 40 functions.

Gowdiak believes the hack may be applicable to other handsets using Sun’s Java reference implementation, though it’s hard to know how widespread the problem is. At worst the problem could affect hundreds of millions of devices, and given that a malicious app can be installed with just a phone number, the risk is huge. A good hacker could infect a few million phones within hours.

As of yet, Nokia have not batted an eyelid (publicly that is) but Gowdiak has spoke to both Nkia and Sun, but as of yet neither company is willing to part with EUR20, 000 for the details. The problem for Gowdiak is that Nokia or Sun won?t pay that kind of money without knowing what they are buying, which leaves Gowdiak with a choice: He needs to either sit on the information and forget about it, hoping that no-one else figures it out, or he could sell the knowledge to the dark side of the net?

UFO Hacker to be Extradited to US

?

The House of Lords in the UK has decided to extradite Gary McKinnon, the British hacker who got in to several US military, defence and NASA computers, to stand trial in the United States.

?

McKinnon has been fighting extradition since 2002, since it was discovered hat he?d hacked his way in to one of the US?s most sensitive networks ? reportedly from a friend?s aunt?s house ? between 2001 and 2002. He is alleged to have caused US$900,000 in damages to computers located in 14 states.

?

Amazingly McKinnon did all this without being an expert at high-level hacking, and even more amazingly, he didn?t look at military secrets or sensitive design plans ? instead he tried to unlock the mysteries of the universe and find out if UFO?s and aliens were real. Since his case started he ha revealed that his search was successful and that he uncovered photographs of alien spacecraft and the names and ranks of ?non-terrestrial officers?.

?

However, the US government has rubbished his claims and said that he left a note on an Army computer criticising US foreign policy as government sponsored terrorism.

?

In the indictment against him, the U.S. government accuses McKinnon of handicapping it in the aftermath of September 11.

?

“The entire network of 300 computers at NWS Earle, located in Colts Neck, N.J., was effectively shut down for an entire week. … [F]or another three weeks afterward, military personnel and government civilian employees at NWSE were only able to send and receive internal e-mail. It was only approximately a month after McKinnon’s last intrusion into the network that NWS Earle was able to automatically route Naval message traffic and access the Internet,” according to the indictment.

?

The reason for McKinnon wanting a trial in the UK is because he believes the US will trial him as a terrorist. The House of Lords rejected this argument, but he still has the right to appeal to the European Court of Human Rights.

?

?That McKinnon was able to access secure government information using basic hacking software is not all that remarkable,? said Matt Shanahan, SVP of marketing and strategy for AdmitOne Security.

?

“In most cases, when people hack into a system — the vast majority of the time — they are able to get in because reasonable controls were not in place,” he said. “In the case of McKinnon, there were a number of devices the systems administrator had not set.”

?

?A highly fragmented systems administration environment, together with the fact that a lot of controls are manual, usually results in some vulnerability,? Shanahan said. “People usually forget to set something, or they are using a virtual machine that might not have been set up correctly and then copies the same mistake 100 times,” he explained.

?

“McKinnon was able to find, and then take advantage of, these vulnerabilities.”

?

?What is worrisome is that high-level professional hackers still have ways to access these systems if they want to,? said Bill Johnson, CEO of TDI. “We have become a big proponent of securing the computer baseboard manager controller, or BMC.?

?

?The BMC is network-accessible once a hacker can get past the firewall, and it allows command and control of the main motherboard. Even systems in NASA would be vulnerable to this method of attack,” noted Johnson.