08 Feb 2009 @ 11:47 PM 

So, I was asked to partake in a research project because they want to find out what impact your consumption of fruit has on how you feel. I haven’t been a healthy boy lately and since it concerns one of my favorite subjects (FOOD! OM NOM NOM!) I agreed. The good thing (or maybe not) is that they use ‘new media’ to follow up on their guinea pigs. We get a big fruit basket every week for three weeks, and everything is evaluated through chat sessions; we have to keep a (private, oh wait, not so much) blog and visit (and discuss) on a forum. Free fruit and even more internet time, I ain’t complaining.

The blogs, however, are where the problem is … They are private, you know: we have a login and a password, and that doesn’t allow us to visit other people’s blogs. I didn’t really try hard; in the top right corner there were the well-known RSS icons that led me to my private feed, something like http://researchsite/subject44/subject44.xml.

I’m sure you already guessed that pointing my browser to http://researchsite/subject43/subject43.xml allowed me to watch my fellow guinea pigs’ intimate musings on their fruit consumption, but also where they have been, where they work, who’s in their family … I’m pretty sure anybody can pick up those RSS feeds and have a blast with that information.

Allow me to go back to my RSS reader and feed the voyeur in me.

Have a nice and secure week!
W
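The server-side check the feed endpoint was missing, as an added example that is not part of the original post or the research site's code: each subject's feed URL carries an unguessable token derived from a server secret, and the endpoint rejects any request whose token does not belong to the requested subject. The secret, the `token` parameter and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed secret for this demo; a real deployment loads it from protected configuration.
SERVER_SECRET = b"constructed-demo-secret"

# Feed paths follow the pattern quoted in the post: /subject44/subject44.xml
FEED_PATH = re.compile(r"^/(subject\d+)/(subject\d+)\.xml$")


def feed_token(subject: str) -> str:
    """Derive the per-subject token that is embedded in that subject's feed URL."""
    return hmac.new(SERVER_SECRET, subject.encode(), hashlib.sha256).hexdigest()


def feed_url(subject: str) -> str:
    """URL shown to a logged-in subject for pasting into an RSS reader."""
    return f"/{subject}/{subject}.xml?token={feed_token(subject)}"


def authorize_feed(path: str, token: Optional[str]) -> int:
    """Return the HTTP status the feed endpoint should answer with."""
    match = FEED_PATH.match(path)
    if not match or match.group(1) != match.group(2):
        return 404  # not a feed path at all
    if token is None:
        return 401  # the bare URL is no longer enough
    expected = feed_token(match.group(1))
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return 403  # valid-looking request, but the token is for someone else
    return 200


if __name__ == "__main__":
    own = feed_token("subject44")
    print(feed_url("subject44"))
    print(authorize_feed("/subject44/subject44.xml", own))   # own feed
    print(authorize_feed("/subject43/subject43.xml", own))   # neighbour's feed
    print(authorize_feed("/subject43/subject43.xml", None))  # no token
```

A token in the URL ends up in server logs and reader configuration, so it should be revocable and the feed served over TLS only.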

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:09 AM

 29 Jan 2009 @ 11:43 PM 

Brenno De Winter touched upon the (in)security of DECT in one of his recent (Dutch) podcasts; the same exact ‘vulnerability’ was also revealed in a talk last December at 25C3 (more info regarding DECT and security here: https://dedected.org/trac).

First, Brenno makes a great podcast. I am a regular listener and I think a lot of podcasters can learn from him, but this post is not about making Brenno happy. I also respect security researchers very much, let there be no doubt about that.

Now seriously … What(‘s) the hack? You can listen in on conversations over DECT phones because encryption is not enabled. That is hardly a problem with the technology, now is it?

Was it a slow week?

I do get the fact that the encryption algorithm seems to be weak. Once you figure that out, you might have something to talk about. The fact that some manufacturers choose to disable encryption in low-cost handsets because, you know, we want cheap phones, is mere human stupidity and we all know that there’s no patch for that.

Good, apart from that, what did we learn:
1) If you need to procure a DECT phone system, take a good look at how encryption is handled in your system of choice if your environment requires this. Trust, but verify.
2) People choose profit over security. Nothing new, it’s a sad world.
3) The DECT encryption adheres to the old adage ‘Security through obscurity’. I’m looking forward to the real hack, maybe somewhere at a security conference near you in 2009. Now that will be news!

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:14 AM
