[Full-Disclosure] Insecurity in Finnish parliament (computers)

Markus Jansson markus.jansson at hushmail.com
Tue Feb 21 04:35:15 GMT 2006


Juha-Matti Laurio:
 >http://blogs.securiteam.com/index.php/archives/299
 >entitled as "Cell phone operator sent 7000-large government account
 >information with unprotected e-mail".

Good article, but it lacks one important aspect of the fiasco:
TeliaSonera also disabled crypto (A5/1) on GSMs for some time, which 
made it possible to eavesdrop on its/the government's GSMs. This was the 
"big" fuss.

OK, basically whether or not you are using A5/1 or A5/0 makes no 
difference, since A5/1 is so easily cracked that any serious attacker 
can do it anyway (or crack COMP-128-1 or COMP-128-2). If you have the 
tools to capture/listen to GSM calls, you can relatively easily get the 
stuff to attack A5/1 and COMP-128-1 or 2 anyway. But of course it was 
nice to "hype" about the fact that TeliaSonera disabled crypto too. And 
maybe some folks still don't understand that A5/1 is broken and think 
that it offers some protection. LOL.

Anyway, the only sensible way to secure governmental cellular phones would be 
to use strong crypto/suitable GSMs, like http://www.cryptophone.de/ so 
that every member of government/parliament could talk securely with any 
other member of government/parliament and some officials too. Of course if 
people in the Finnish parliament or infosec/compsec sections knew a 
drek about crypto and security, they would have already done it. ;) 
Putting all their eggs again in one basket (Elisa) and without strong 
end-to-end crypto does not help much.

BTW. How long would you think it would take them to spot 
false-base-station type attacks near our parliament house? ;)

-- 
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
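The post's thesis is that link-layer GSM crypto (A5/1 or none at all) is beside the point and that only strong end-to-end crypto between handsets keeps the operator out of the conversation. The Go program below is an added illustration of that point and is not code from the original post or from any product it mentions: two hypothetical handsets ("alice" and "bob") derive a session key with X25519 and seal messages with AES-256-GCM, while a third party standing in for the carrier holds its own key pair and cannot open the frames, and a frame altered in transit fails authentication. The parties, the message and the use of SHA-256 as a stand-in for a real key-derivation function are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is a hypothetical handset with a long-term X25519 key pair.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair for one handset.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public returns the handset's public key, which may travel over the carrier's network in the clear.
func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// sessionKey derives a 256-bit AES key from the X25519 shared secret.
// Assumption: a plain SHA-256 hash stands in for a real KDF such as HKDF.
func (p *Party) sessionKey(peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	key, err := p.sessionKey(peer)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates msg for peer; the random nonce is prepended to the ciphertext.
func (p *Party) Seal(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	aead, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open verifies and decrypts a frame produced by Seal; any modification makes it fail.
func (p *Party) Open(peer *ecdh.PublicKey, frame []byte) ([]byte, error) {
	aead, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(frame) < ns {
		return nil, errors.New("frame too short")
	}
	return aead.Open(nil, frame[:ns], frame[ns:], nil)
}

// RunDemo models one message from alice to bob crossing a carrier that sees every byte.
// It reports what bob recovers, whether the carrier could read the frame with its own key,
// and whether a frame with one flipped bit was rejected by bob.
func RunDemo(msg string) (recovered string, carrierReads bool, tamperRejected bool, err error) {
	alice, err := NewParty("alice")
	if err != nil {
		return "", false, false, err
	}
	bob, err := NewParty("bob")
	if err != nil {
		return "", false, false, err
	}
	carrier, err := NewParty("carrier") // the operator in the middle, with its own keys
	if err != nil {
		return "", false, false, err
	}
	frame, err := alice.Seal(bob.Public(), []byte(msg))
	if err != nil {
		return "", false, false, err
	}
	// The carrier only holds its own private key, so its derived key differs from alice/bob's.
	_, carrierErr := carrier.Open(alice.Public(), frame)
	carrierReads = carrierErr == nil
	// bob derives the same key as alice and recovers the plaintext.
	pt, err := bob.Open(alice.Public(), frame)
	if err != nil {
		return "", carrierReads, false, err
	}
	// Flip one bit in the ciphertext: GCM's authentication tag no longer matches.
	tampered := append([]byte(nil), frame...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := bob.Open(alice.Public(), tampered)
	return string(pt), carrierReads, tamperErr != nil, nil
}

func main() {
	rec, carrierReads, tamperRejected, err := RunDemo("constructed sample: committee agenda")
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob recovered: %q\ncarrier could read: %v\ntampered frame rejected: %v\n",
		rec, carrierReads, tamperRejected)
}
```

The carrier's position is exactly the one TeliaSonera or Elisa occupies on the radio and core network: it can log every frame, but without one of the endpoint private keys the authenticated ciphertext yields nothing, and whether A5/1 is on or off underneath changes nothing about that. Key distribution (how alice knows the public key really belongs to bob) is the part this sketch leaves out and is where real deployments succeed or fail.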



Full-Disclosure is hosted and sponsored by Secunia.