Cogito, ergo sum... (I think, therefore I am)

Monday, January 31, 2005

Bluesnarfing: A first person's perspective...

I've heard a lot about bluejacking, bluesnarfing and bluebugging. Bluejacking is pretty harmless, because it consists of sending messages via bluetooth. But bluesnarfing (discreetly copying data from a mobile phone through bluetooth) and bluebugging (initiating phone calls from another bt-enabled phone, again discreetly) are really sinister. There are a lot of papers available that discuss these attacks, but until now all I had was an audience's perspective. I had never seen what it really looks like. Until now.
I have a Nokia 6600 smartphone, and I'm used to downloading odd apps and trying them out. I saw an app called Blooover, and thought it's pretty interesting so I loaded it up. The home page says:
"Blooover is a proof-of-concept tool that is intended to run on J2ME-enabled cell phones that appear to be comparably seamless. Blooover is a tool that is intended to serve as an audit tool that people can use to check whether their phones and phones of friends and employees are vulnerable."

Pretty interesting stuff! I tried it on my sister's Nokia 3660, and friends' 3650s and 6600s, but it didn't work. It kept saying that the phones are not vulnerable to this attack. I promptly forgot all about the app. Yesterday, I was at a conference at a local 5-star hotel, and just happened to do a bluetooth scan to find out what phones in my vicinity have bluetooth enabled. I saw a few T610s, T630s and K700is, along with a few 6600s, a 3650, and 2 6310is. The 6310s are really old bluetooth-enabled mobiles from Nokia, and I happened to remember reading that they were vulnerable to bluesnarfing. So I decided to fire up Blooover and give it a whirl. Imagine my surprise when Blooover started giving me visual cues that the bluesnarf was proceeding successfully! It managed to get all the contacts in phone memory, all the contacts in the SIM card, all call logs (missed, dialled and received calls), all SMS (some were garbled with weird characters, but some of them even had his bank name, branch, account number and balance!). Blooover also managed to add a phone-entry of my own choosing, set the call forward to a default number, and initiated a call to another default number. Now that was amazing! I have all the logs with me. Blooover doesn't provide a way to save the log, but I turned on the screenshot feature of FExplorer, and took screenshots to save the whole data. I'm not willing to reveal it, as it contains personal information, but I felt scared and elated at the same time. I tried it on another Nokia 6310i, with the same results!
As I said in my last post about Google's revealing webcam searches, everything is inherently insecure. Any person with enough knowledge (or as in my case, little knowledge, but the right tools) can get in. Data that you think is safe and secret may not be so.

Thursday, January 13, 2005

52 books in 52 weeks! Let the saga begin...

This post, for me, was food for thought. A guy just finished 52 books in 52 weeks, i.e. the year 2004. Why can't I do the same in 2005? I'm on my way. It's a coincidence that I just finished one book, and am about to finish one tonight. Let's see how far I can take this. I'm going to track my progress on this blog, and if anyone has any good recommendations, I'd welcome them (the hard- or soft-copy of the book would also be appreciated ;)). The books I've finished (or almost finished) are:
  • 2001: A Space Odyssey (Arthur C. Clarke)
  • I, Robot (Isaac Asimov)
I guess most of what I'll be reading is probably going to be fiction, because it's:
  • Entertaining
  • Cheap
  • Easily Available

Monday, January 10, 2005

The Pudding Guy

Some "unbelievable" and "too-good-to-be-true" deals really are so. Here's a story about "pudding guy", a Californian civil engineer named David Phillips, who spent $3140 on pudding, and as a result got 1,253,000 frequent flyer miles. The article says:

"In the end, David and his family collected 1,253,000 miles from his puddings and soups. He split 216,000 of the miles among Delta, United, and Northwest airlines. The remaining 1,037,000 miles were posted to his American Airlines account. And since he topped the million mile mark, he automatically became a lifelong member of American Airlines AAdvantage Gold club. David now has lifetime access to a priority reservation number, priority boarding, and additional perks."

Unbelievable? Yes!

Wednesday, January 05, 2005

Update on Google's revealing searches...

Regarding my last entry about unsecured webcams, I just googled around a bit, and discovered that there are lots of such URL's, and they're also listed on some websites. Here's a good website which shows a lot of such 'Google Hacks'. And here's an ebook in PDF format which explains the methodology behind such attacks. No doubt about it, Google is all-powerful in the internet world!

Unsecured webcams via Google!

Got this interesting tidbit from BoingBoing:

Use this search string below with Google, and you will find dozens (hundreds?) of unsecured webcam feeds (most seem to be security cams).

inurl:"ViewerFrame?Mode="

Click here for the Google search.
Click here for a forum discussion regarding this topic.

I was able to find some security cams for warehouses, some in people's homes, some in daycares, factories, labs, classrooms. The possibilities are endless, and Google is awesome!

On a further note, here's another interesting query on Google. It returns the unsecured Admin page for phpMyAdmin, which is sort of like Enterprise Manager for SQL Server, meaning that you can add tables, create databases, delete rows, and what not.

The lesson here is that you shouldn't leave anything unsecured on the web. Google is so powerful it can find all that. There are cases where financial documents have been indexed, corporate data has been found lying open. Just because the document doesn't have any external or internal link doesn't mean it can't be found. Beware the power of Google! I love it!

Tuesday, January 04, 2005

Quotes...

Here are some nice quotes I found:

Personality can open doors, but only character can keep them open.
Elmer G. Letterman

Many of life's failures are people who did not realize how close they were to success when they gave up.
Thomas A. Edison

Do not pray for easy lives. Pray to be stronger men. Do not pray for tasks equal to your powers. Pray for powers equal to your tasks. Then the doing of your work shall be no miracle, but you shall be the miracle.
Phillips Brooks

Mistrust the man who finds everything good, the man who finds everything evil and still more the man who is indifferent to everything.
Johann K. Lavater

Success is to be measured not so much by the position that one has reached in life as by the obstacles which he has overcome.
Booker T. Washington

The real voyage of discovery consists not in seeking new landscapes but in having new eyes.
Marcel Proust

It's not the hours you put in your work that counts, it's the work you put in the hours.
Sam Ewing

Better a diamond with a flaw than a pebble without.
Confucius

The only reason for time is so that everything doesn't happen at once.
Albert Einstein

By three methods we may learn wisdom. First, by reflection, which is noblest; second, by imitation, which is easiest; and third, by experience, which is the bitterest.
Confucius

The Nature of Pricing

Joel Spolsky has another amazing article, this time on pricing and economic theory. I know all this may be old stuff for you MicroEconomics buffs, but I found it interesting and very well written.

"I'm going to start with a little economic theory, then I'm going to tear the theory to bits, and when I'm finished, you'll know a lot more about pricing and you still won't know how much to charge for your software, but that's just the nature of pricing."

You can read the whole article here.

If you have time, I would recommend going through all the articles (it may take a while). But believe me when I say it's worth it.