Home, sweet home, an ideal target for industrial spying?

I see computer security (and information security in general) as a sector with very high potential. On one side or the other… Innovation’s coming. Here is an interesting Spectrum article on the subject:

Who Might Be Spying On You?

There were three interesting inter-related stories today, one appearing in the Wall Street Journal, one in the USA Today, and the third one in the LA Times. The USA Today story is about the warning being given by national security agencies to business executives and federal officials planning to attend the Beijing Olympic Games on the need for securing their laptops and other electronic devices. These unnamed agencies, it is claimed, are warning that Chinese agents are likely to attempt to steal secrets or plant malware in US visitors’ electronic devices in order to be able to hack into US computer networks.

As I noted a short time ago, this is thought to have happened to Commerce Secretary Carlos M. Gutierrez’s laptop on a trip to China last year.

The Chinese state that the accusations are baseless fabrications.

The Wall Street Journal’s story is about the increasing demand for counter-spy technology. It says that in April of this year, “car maker Porsche AG disclosed it had found a baby-monitoring device concealed behind the hotel sofa of its president and chief executive Wendelin Wiedeking, last fall during his trip to Wolfsburg, Germany, for meetings with executives at Volkswagen AG.”

By one account, demands for counter-spy sweeps have increased by 25% per annum over the past two years, and about 10% of the time, something is found.

In addition, as told in the story,

“Companies also are increasingly worried about economic and industrial espionage by foreign governments and companies. Kroll Inc., a risk-control consulting company that is a unit of insurance brokerage Marsh & McLennan Cos. Inc., says inquiries in Japan have doubled in the past year. Associate Managing Director David Nagata, who is based in Tokyo, counsels visitors to have their hotel rooms swept for listening devices prior to check-in and make sure they’re secured from unauthorized entry. For super-secret matters, he suggests closed-circuit cameras to monitor hallway traffic and an alarm that beeps when someone approaches the room.”

The story also notes that in spite of all these elaborate precautions, they’re often “undone by executives chatting on unsecured cellphones with Bluetooth headsets and tapping on unencrypted laptops.”

The best laid plans … which brings me to the LA Times story. This one is about a study released today by Verizon Communications Inc. claiming that two-thirds of the “thefts of sensitive information from corporations occur when the victimized companies don’t know what data they have, where they have it or who has access to it.”

The study also claims that “criminal gangs are targeting individuals inside call centers, because they have access to hundreds or thousands of companies.”

On a more down-to-earth note, what should we make of the default WEP protection on Infinitum routers (Telmex’s ADSL service)? Anyone can find the key in under 15 minutes (and I do mean the practical time; in theory it can be much faster). On the menu:

  • 40-bit key length
  • No real authentication strategy, since an aireplay -1 attack can be run without any station even being connected
  • Beacon frames sent out nonstop
  • A router password equal to the subscriber’s phone number

By comparison, the default “security” shipped with every Livebox sold in France is extraordinary: just think, it still takes a good hour of hard work to find the default WEP key, then get into the router’s administration with the plain admin/password pair and, worse, get into the account of the Internet subscription holder on http://www.orange.fr without even logging in.

Corporate security is all well and good, but why bother when all it takes is sniffing packets at the gate of an unsuspecting CEO’s villa.
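A check a home or office owner can run against their own access point, as an added example that is not part of the original post: it reads the body of a beacon frame and reports whether the network still advertises WEP. The function names, SSIDs and sample frames are constructed for illustration; the beacon alone does not reveal whether the WEP key is 40 or 104 bits.

```python
import struct

PRIVACY_BIT = 0x0010                      # "Privacy" flag in the capability field
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 marks a WPA element


def parse_beacon_body(body: bytes):
    """Return (ssid, protection) for a beacon frame body (MAC header removed)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    # Fixed fields: 8-byte timestamp, 2-byte interval, 2-byte capabilities.
    _ts, _interval, caps = struct.unpack_from("<QHH", body, 0)
    ssid, has_rsn, has_wpa = "", False, False
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop rather than misread it
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        elif tag == TAG_RSN:
            has_rsn = True
        elif tag == TAG_VENDOR and value.startswith(WPA_OUI_TYPE):
            has_wpa = True
        pos += 2 + length
    if not caps & PRIVACY_BIT:
        return ssid, "open"
    if has_rsn:
        return ssid, "RSN (WPA2 or later)"
    if has_wpa:
        return ssid, "WPA"
    return ssid, "WEP"  # privacy bit set but no WPA or RSN element


def build_beacon(ssid: str, caps: int, extra: bytes = b"") -> bytes:
    """Build a constructed sample beacon body so the check runs offline."""
    name = ssid.encode()
    head = struct.pack("<QHH", 0, 100, caps)
    return head + bytes([TAG_SSID, len(name)]) + name + extra


def audit_samples():
    """Classify three constructed beacons: WEP, RSN and open."""
    rsn = bytes([TAG_RSN, 2, 1, 0])       # minimal RSN element (version 1)
    frames = [build_beacon("HOME-AP", 0x0411), build_beacon("OFFICE", 0x0411, rsn),
              build_beacon("GUEST", 0x0401)]
    return [parse_beacon_body(f) for f in frames]
```

Any access point reported as WEP or open should be moved to WPA2 or later, and its default administration password changed at the same time.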
