Introductory Guide to Securing Leopard
S_J
Fresh-Faced Recruit
Join Date: Nov 2007
Nov 18, 2010, 08:34 AM
 
Just published my new guide on Securing Leopard (updated for Snow Leopard). Hope some of you find it useful!

Securing Leopard | Security Generation
Sincerely,
SJ
Security Generation- Mac OS X and Network Security News, Articles and Forums
http://www.securitygeneration.com
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 18, 2010, 08:50 AM
 
I like it; nice job with your site. You don't post much, do you?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
S_J  (op)
Fresh-Faced Recruit
Join Date: Nov 2007
Nov 18, 2010, 08:51 AM
 
Definitely not enough. Will have to hang around here more often.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 18, 2010, 09:39 AM
 
Slightly off topic, but regarding a security topic I'm wondering what you think about this report:

How Do Smartphone Stalkers Target You? | FOX 11 News

Fox 11 Los Angeles likes to sensationalize news and often gets a lot of things wrong with their tech reporting, but I was wondering what other informed people think about a story like this. They seem to imply that someone can do a whois on a phone number and get the GPS coordinates from it. Is this generally credible information?

     
S_J  (op)
Fresh-Faced Recruit
Join Date: Nov 2007
Nov 18, 2010, 09:42 AM
 
The last company I worked for did a lot of research into smartphone stalking. To some extent it's a real issue, as smartphones don't yet have the level of security that exists on computers. That said, the iPhone and the BlackBerry are currently more resilient to those types of attacks than Android and the very vulnerable webOS.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 18, 2010, 09:55 AM
 
The security researcher implied that you didn't even need to compromise the handset and that all you need is a phone number to get GPS coordinates for the phone - that it was a network information vulnerability rather than security problems with the handsets. That's what I found compelling about the story.

     
S_J  (op)
Fresh-Faced Recruit
Join Date: Nov 2007
Nov 18, 2010, 06:02 PM
 
In the case of the report you mentioned, it's a completely different matter. It has nothing to do with mobile phone security, or what type of phone it is. That 'attack' simply takes advantage of the way the telephone network is designed, and essentially performs a massive brute-force/data mining attack.

By default, the phone networks pass each other caller ID information. What these guys have done is set themselves up with their own PBX, and then spoof calls to themselves FROM your number. They are then able to obtain the caller ID information, and they can also do a reverse phone number lookup. They also receive the MSC (Mobile Switching Center) ID for a large number of phone numbers. Although the MSC doesn't provide an actual location, they're able to deduce which MSCs refer to which areas. By correlating a user's original address information (obtained from reverse lookups), together with deduced locations based on the MSC, they're able to track where you go as you move between MSCs.

Service providers will need to make a few changes (e.g. masking the MSC), in order to prevent this kind of data mining from happening.

If you want full details on how this is done, check out this white paper: http://www.thecarmensandiegoproject....go_Project.pdf
( Last edited by S_J; Nov 18, 2010 at 06:20 PM. Reason: Added Link)
     
cgc
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Nov 18, 2010, 08:49 PM
 
I used the advice from the National Security Agency (NSA) for securing OSX. They also have the same info for Windows and a couple of Linux distros.

Of course, this is a US Governmental organization we're talking about, so they probably left one backdoor open for their sole use.
"Like a midget at a urinal, I was going to have to stay on my toes." Frank Drebin, Naked Gun 33 1/3: The Final Insult
     
S_J  (op)
Fresh-Faced Recruit
Join Date: Nov 2007
Dec 5, 2010, 07:23 AM
 
FYI, I've launched some security-specific forums for Mac OS X/iOS for anyone interested in those topics: Forums | Security Generation
     