iPhone location consolidated.db to Google Earth KML
Having watched the media storm over the iPhone location database erupt in the last few days, I wonder why I didn’t release this before. First credit should go to Chris Vance and Nathan Broslawsky who discovered this in Sept 2010 – they were extremely helpful when I contacted them for advice in a forensics case. We all kept quiet in the interests of “responsible disclosure” – ah well.
Now it's all out in the public domain, I release the hack script which converts an iPhone database into a Google Earth KML map.
If you like this, then contact our sales guys on sales AT lacunae.org or call us on +44 (0)845 123 5413. There are lots of other useful tricks for mobile forensics!
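The conversion described above, as an added example rather than the script released with this post: it assumes consolidated.db is SQLite with a CellLocation table holding Timestamp, Latitude, Longitude and HorizontalAccuracy columns, and that Timestamp is Apple absolute time (seconds since 2001-01-01 UTC); the rows below are constructed to stand in for a real database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Assumption: timestamps count seconds from the Apple epoch, not the Unix one.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def load_points(conn):
    """Read located fixes from the (assumed) CellLocation table, oldest first."""
    rows = conn.execute(
        "SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy "
        "FROM CellLocation WHERE Latitude != 0 AND Longitude != 0 "
        "ORDER BY Timestamp")
    points = []
    for ts, lat, lon, acc in rows:
        when = APPLE_EPOCH + timedelta(seconds=ts)  # convert to UTC datetime
        points.append((when, lat, lon, acc))
    return points


def to_kml(points):
    """Emit one time-stamped Placemark per fix; KML wants lon,lat,alt order."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>']
    for when, lat, lon, acc in points:
        stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        out.append("<Placemark>"
                   f"<name>{escape(stamp)}</name>"
                   f"<description>accuracy {acc} m</description>"
                   f"<TimeStamp><when>{stamp}</when></TimeStamp>"
                   f"<Point><coordinates>{lon},{lat},0</coordinates></Point>"
                   "</Placemark>")
    out.append("</Document></kml>")
    return "\n".join(out)


def sample_db():
    """Constructed in-memory stand-in for consolidated.db (not real device data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (Timestamp REAL, Latitude REAL, "
                 "Longitude REAL, HorizontalAccuracy REAL)")
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?)", [
        (324000000.0, 51.5074, -0.1278, 500.0),   # 2011-04-09T00:00:00Z
        (324003600.0, 51.5155, -0.1419, 750.0),   # one hour later
        (324007200.0, 0.0, 0.0, 0.0),             # unlocated row, filtered out
    ])
    return conn


if __name__ == "__main__":
    print(to_kml(load_points(sample_db())))
```

Point the script at a real file with sqlite3.connect(path) in place of sample_db() and open the output in Google Earth to see the fixes on the time slider.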
Your Top-Up card has been refunded
It looks like Paypal are exiting the top-up card business. I have just seen a refund of the balance on my top-up card (which, to be fair, I hardly used because of the huge charges Paypal will apply, firstly to get funds into your account, and secondly to get them onto the card itself!)
Top-up cards are odd beasts – in one way they are very convenient, and good for going on holiday where you don’t want to risk your main card. But the charges for using them can be high, and it’s not certain how much protection you have with a pre-paid card (and for a start, the issuer is unlikely to be the agency who sold you the card – so where’s the contractual relationship?)
Anyway, one more plastic square into the shredder (or should I keep it to see whether they support DDA or SDA EMV?)
It’s a new dawn, it’s a new day, it’s a new portal
At last, we have the new site up and running. Please feel free to have a look around, there are going to be a lot more updates coming in the next few weeks!
Onward!
ICO: Time for a compliance standard?
The ICO came under some heavy fire today as it was criticised for not doing enough to enforce the penalties for information breach. But there’s a model out there that could help them right now.
In April 2010, the ICO was given the power to issue and enforce financial penalties on infringers. Since then, ViaSat has released a report listing 2,565 data compliance “issues”, 603 of which are categorised as breaches, and 4 of those were actively investigated by the ICO.
It strikes me that our friends at the ICO can learn a great deal from the PCI DSS compliance model – not perfect, but look at the good points:
- Standards for People, Process and Technology controls
- Simple-to-understand definitions of sensitive data, and what to do about it
- A model that allows third parties to be licensed as compliance assessors
Come on ICO – now you have teeth, how about putting in some definite rules and getting the assistance of the community in implementing them?
Startup Britain serves up Malware
StartupBritain has received a lot of press attention – some positive, some negative. The security tip here is that XSS poisoning, drive-by downloading, and all the other web nasties are frighteningly easy to succumb to. What helps in this is careful monitoring by expert resources, application and infrastructure vulnerability management, and a good incident response plan to address issues before they become crises.
Title: StartUp Britain linking malware
Author: Jennifer Scott
Source: ITPro
Date Published: 31st March 2011
Excerpt:
‘…The StartUp Britain website has been seen linking to malware, just days after its official launch.
The website, designed to encourage and advise small businesses in the UK, got the backing of Prime Minister David Cameron on Monday.
However, late yesterday it was found to be directing visitors to sites pushing fake anti-virus software…’
To read the complete article see:
http://www.itpro.co.uk/632380/startup-britain-linking-malware
Upcoming
After many long battles with the site as it currently is, it’s time for a change. In the next couple of weeks, www.lacunae.org is about to have a major revamp.
Watch this space!
The PAN you are calling is busy, please hold
I read with interest that several mobile telecoms companies are applying for money broker licenses, and I hear that a couple of them are planning to expand their “value-add” payment services to include more and more off-network products.
As we know, there are lots of premium rate services available, used for telephone phone-ins (for example premium rate support, or TV shows), specific content (for those of you who play Mafia Wars on Facebook, you know what I am referring to), and more. Some of these are paid for by calling a premium rate number, others are paid for by receiving texts from a premium rate line. Phone companies quite like the money from these services, but don’t like the fact that there is an extremely high rate of chargebacks, customer complaints, and so on. Regulation of all this premium rate stuff is performed by PhonepayPlus, formerly known as ICSTIS.
In recent years, mobile telcos have tried to get away from the idea of this billing method, and are moving to services such as Pay4it – this tries to make a bit more sense of it all by putting charges on your phone bill as discrete items, rather than a sequence of rather high-priced text messages.
Now apparently an idea has been floated around that instead of using my VISA card to pay for a purchase at say, Amazon, I can use my mobile phone. Sounds good, I just enter my mobile phone number and respond “yes” to the confirmation message and my latest XBOX game is winging its way to me.
But.
There are two tensions at work here. For my phone number to be useful, I want as many people as possible to know it so that if they need to call me, they can (it’s at the top of the page, for example). For a payment purchase, I would like to give my card number to the merchant, and then for them to forget it (or at least, store a token that is not recoverable but that they can use next time I want to make a purchase). In fact, PCI DSS is all about making sure that merchants don’t just chuck card numbers into a database.
How will phone companies handle chargebacks? How will they control the use of a phone number when effectively, anyone can have it? What happens when scammers just pick phone numbers that are unallocated (as they do right now with premium rate text fraud)?
I watch… with interest.
He said Captain! I said wot
I have been rolling up a new log management service recently and in addition to spotting attacks on my machines dotted around the internet (and even at home), it has sent me some bad news from my laptop:
One of the nice things….
The Security geek community is a widespread one, and I’ve not talked with Vaughn Cordero, the author of the frankly awesome Mobile Sync Browser before. If you are trying to recover data from a bust iPhone backup, this is probably the only thing you need.
Vaughn is a thoroughly nice guy, and when he got my email out of the blue asking a forensic question, he responded as follows:
I usually have a look-see at individuals before dispensing these licenses, but anyone who listens to ELO can’t be half-bad, right?
Many thanks for your help, this one’s for you.
Google, let me PGP my emails please
I use Google Apps quite a bit. It works for most things pretty seamlessly, and allows me to get a nearly-as-good-as-Exchange workgroup using GASMO (Google Apps Sync for Microsoft Outlook). It also syncs nicely with my iPhone, and in general takes the hassle out of dealing with the 100s of emails a day that come in. They even provide a nice Python-in-the-cloud service using the Google App Engine. Since Lacunae is a no-servers organisation, this is all handy and appreciated.
But.
It doesn’t support PGP desktop.
Let me repeat that again. It doesn’t support PGP on the desktop.
Now we all know how important PGP is: it is one of the few ways not only to assure that unfriendly eyes are not reading your emails, by encrypting them, but also, by signing your emails, to prove that you sent a particular version of an email (or not), and that no one else did. There are services like HushMail that will provide this as a web/cloud/somewhere-over-there service. But there’s nothing like from-the-desktop assurance.
Conspiracy theorists may shout that Google wants to be able to index and spider your email. Grumblers will point out how this shows that Google is “not ready for the enterprise”. Naysayers will say Nay.
C’mon Google, get into the 90s. Let me secure my email, please!