A security researcher created a $1,500 cell phone base station kit (including a laptop and two RF antennas) that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls (non Gold Lock) in the clear. Most of the price is for the laptop he used to operate the system. The device tricks the phones into disabling encryption and records call details and content before they are routed on their proper way through voice-over-IP. The low-cost, home-brewed device mimics more expensive devices already used by intelligence and law enforcement agencies — called IMSI catchers — that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area. Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.

A software developer who designed a way to tap and record calls made on Skype and other VoIP networks has made the source code of the spying program public, a move he said will allow other programmers to build workarounds to the potential threat. The programmer, Ruben Unteregger, was tasked by his former company ERA IT Solutions to write a Trojan horse program that could tap VoIP calls for the Swiss government.

Apparently, the program bypassed Skype’s heralded encryption process, one that has vexed security officials in Europe multiple times.

In a translated interview, Untregger discussed his rationale for releasing the code.

“The code will be published, it will get analyzed as soon as the binaries got uploaded, signature patterns will be created by anti-virus companies, the malware will be detected, blocked and deleted, if it tries to infect a system,” Untregger said.

Untregger’s motives appear to be genuinely in the interest of private citizens and enterprises that use VoIP services like Skype, as the publicizing of the code makes its use by security agencies redundant, according to a Computer World report. However, making this code available could have negative repercussions if hackers can use it to build even more powerful tapping programs. Other instances of Skype hacking, such as China’s purported monitoring of dissident communication via VoIP programs, gives one pause when considering the public availability of such information.

The state of Virginia has recently came under the international spotlight after it apparently became under attack by an anonymous hacker who claims to have stolen around 35 million prescription records of those residing in the state.

This supposed vulnerability has still not been identified, and state information security professionals are still dumbfounded as to whether or not this ‘hacker’ is the genuine article. Other than a ransom demand for over $10 million dollars, they have received little in the way of evidence other than the claims that the hacker has managed to delete certain files and create an encrypted backup.
Whilst the state remains uncertain as to the hackers’ authenticity, the fact remains that they are neither confirming nor denying the threat. Perhaps this is the biggest point of confusion as at this point any organization with appropriate security measures in place would be able to at least partially refute the claims.

So far, the only evidence that this ‘hacker’ may be a fake is because they claim to have social security numbers. The state of Virginia has made an announcement that states that the information they held had no such information, and that the hacker ‘may’ be a fraud.

Whilst we allude to the fact that this may be a fraudulent attempt to extort money, the state of Virginia cannot be certain. In this age of cyber-privacy and information security, the state of Virginia should be more accountable for the information they are holding. What is concerning is their incompetence in dealing with this threat and the clear fact that their security policies are inadequate to be able to ‘check’ the records and ensure that data is secure.

It is ironic that the hacker in this example apparently used encryption against the state. If the state happened to be using encryption against the hacker then perhaps this would never have happened.