Online Security Basic - should I use encryption

gAto fOuNd – this -/ Basic Security Guide /- a while ago in the .onion and while I don’t agree with everything in this write-up I learned some new things. At the end of the day –/ they can’t take away what’s in your head -always be a critical thinker – gAtO oUt

Online Security Basic – link are .onionLand

Transcribed from http://g7pz322wcy6jnn4r.onion/opensource/generalguide.html on 2011-04-16.


Basic F.A.Q.

What is encryption?

Encryption is a method of encoding information in such a way that it is computationally difficult for eavesdroppers to decode, but computationally easy for the intended recipient to decode. In practical terms, encryption makes it almost impossible for you to be successfully wiretapped. Encryption can also make it essentially impossible for computer forensic teams to gather any data from your hard disk drive. Encryption is the process of making information difficult or impossible to recover without a key. The key is either a passphrase or a huge random number protected by a passphrase. Encryption algorithms fall into two primary categories: communications and storage. If you use a program such as GPG to encrypt your E-mail messages, you are using encryption for communications. If you use a program such as Truecrypt to encrypt your hard disk drive, you are using encryption for storage.

Is there a big difference between storage and communication encryption?

Yes. Data storage encryption often uses only symmetric algorithms. Communication encryption typically uses a combination of asymmetric and symmetric algorithms. Asymmetric algorithms are generally far easier to break than symmetric algorithms. In practice this is not significant as the computing power required to break either strong asymmetric or strong symmetric algorithms is not likely in the grasp of any agency.

Should I use encryption?

Yes! If you participate in the Internet underground it is essential for your continued freedom that you learn how to use encryption programs. All communications should be encrypted as well as all stored data. For real-time communication encryption we suggest either Pidgin or Adium instant messages with the OTR plug-in. For non-real-time communication encryption we suggest GPG. Truecrypt does a great job of encrypting stored data and can also encrypt the OS partition if you use Windows. Various flavors of Linux and Unix also allow for the OS partition to be encrypted, although the particular program used will vary. If an alternative installation CD is used, Ubuntu allows for OS partition encryption during the installation process.

What is plausible deniability?

When discussing stored data encryption, plausible deniability means that an encrypted container can decrypt into two different sets of data depending on the key used. Plausible deniability allows you to pretend to cooperate with authorities without them being able to tell you are not cooperating. For example, perhaps they demand you give up your password so they can decrypt some of your communications or stored data. If you used a system with plausible deniability you would be able to give them a password that would indeed decrypt the encrypted data. However, the decrypted data they can now see will be non-sensitive data you intentionally allowed them to decrypt. They cannot see your sensitive information and they cannot prove that you didn’t cooperate.

Do I need plausible deniability?

Possibly. It really depends on where you live. In the U.K. it is a crime to refuse to give law enforcement your encryption keys on demand. Refusal to reveal encryption keys is punishable by several years in prison, but this is quite possibly a lot less time than you would get if you did reveal your encryption keys. In the U.S.A. the issue has not yet gone to the Supreme Court and lower judges have ruled in both directions. In general it is a good idea to use plausibly deniable encryption when possible. Truecrypt supports plausible deniability for all functions under Windows. For Linux there is no current software supporting out-of-the-box plausible deniability of the OS partition. With Linux you may be able to achieve a type of plausible deniability by encrypting your entire drive and putting the bootloader on another device. Then you can argue the drive was freshly wiped with a PRNG and there is no key to decrypt.

Of course the police can break encryption, right?!

If you are using a strong encryption program (such as GPG, OTR, Truecrypt, etc) and a long and random password (or automatically generated session key, such as OTR) the police are not going to be able to directly break the encryption. This is not to say they can not get your key in other ways! For example they could install a keylogger onto your keyboard or use various transient signal attacks to capture your key while you type it. An emerging method of encryption key compromise uses application layer exploits to remotely grab keys from RAM. These ‘side channel’ attacks need to have active measures taken against them (the best of which are using a strong anonymity solution and hardened OS).

What about the NSA?

The NSA is not going to be able to break strong data storage encryption algorithms (symmetric). They are also probably not able to break strong communication encryption algorithms (asymmetric). Very powerful quantum computers can be used to greatly reduce the bit strength of an encryption algorithm. Symmetric algorithms have their bit strength cut in half. Asymmetric algorithms are easily broken by such powerful computers. If you are using AES-256 a powerful quantum computer will reduce its bit strength to the still unbreakable 128. If you are using even a 4,096 bit RSA key with GPG, a powerful quantum computer can break the encryption. However, keep two things in mind: it is not likely that the NSA or anyone else has such a computer, and anyone sane will assure you that unless you are a foreign military or major terrorist the NSA will not act on any intelligence they gather by breaking your communication encryption.

But anything can be hacked, right? Why not encryption?

Encryption algorithms are not hacked, they are cryptanalyzed. Not every single thing done with a computer can really be considered hacking. Hackers may be able to exploit the implemented code of a program using an encryption algorithm, but even the best hackers tend to know little about encryption. Hacking and cryptography are not the same field and most hackers who think they know a lot about encryption actually know very little about it. Encryption is a field of pure mathematics and good encryption algorithms are based firmly on the laws of mathematics as they are currently understood. Unless there is some very unlikely discovery in the field of mathematics the security claims made about most encryption algorithms will stand firm even if the best hackers (or even more impressively cryptographers) in the world try and attack them.

Note: Some hackers are skilled enough to side channel your encryption with application layer exploits unless you take hardening countermeasures. This is not hacking the encryption algorithm, although it is using hacking to counter encryption. Following our general security guide (later on this page!) will make it much harder for hackers to do this. To hack you through Open Source the attacker will first have to compromise Open Source; we have taken many security measures to make this very difficult to do.

Using encryption programs myself is difficult, but Hushmail, Safe-Mail or (Insert name here) will manage it for me!

Fully web based services can not really offer you strong encryption. They manage your keys for you and for this reason they have access to your keys. It does not matter what the company is named or what they promise, all of them are liars and some are probably honeypots. These services will not offer you strong encryption and law enforcement will be able to gain access to your communications. If you play with fire you need to learn how to protect yourself or you will be burned. It is not overly difficult to manage your own encryption and it is the only possible way for you to maintain your security.

What exactly is anonymity?

Anonymity is the property of being indistinguishable from a given set size (number of others). In the way the term is commonly used anonymity is the inability to be traced. A trace could mean that an attacker follows your communication stream from you to the end destination you are communicating with. A trace could also mean that an attacker follows a trail of logs from the end destination you communicate with back to your location. Anonymity solutions make it difficult to trace your communications and by doing so also make it harder to map out the networks you participate in. Anonymity can also be used to prevent censorship. If a server is hosted as part of an anonymity network and its location can not be determined then an attacker is incapable of demanding the censorship of the services hosted by the server.

Why do I need anonymity?

If you are not using an anonymity solution your presence on the Internet can be trivially traced back to your presence in real life. If you are participating in activities on the Internet which you would not want to be traced to your real life identity, you need anonymity. If you are participating in a network you need anonymity to protect yourself from network analysis. If no one on your network is using anonymity solutions and the police bust one of them, they will be able to see who all they communicated with as well as who all those people communicated with etc. Very quickly and with high precision the police will be able to map out the entire network, going ‘outward’ to many degrees. This may be useful for evidence (for use in court) and it is certainly useful for intelligence (so they know where to look next).

I already use encryption so there is no need for me to be anonymous!

Although encryption and anonymity highly complement each other they serve two different goals. Encryption is used to protect your privacy, anonymity is used to hide your location and protect you from network analysis. Strong anonymity requires encryption, and encryption is greatly benefited when combined with anonymity (after all, it is hard to install a keylogger if you don’t know where the target is located!). If you use strong encryption but no anonymity solution the feds may not be able to see what you say but they will know who you are and who you are talking with. Depending on the structure and purpose of your network, a single compromised node may very well remove all benefits of using encrypted communications. Many of the most realistic and devastating attacks on encryption systems require the attacker to gain a physical presence; if you are not using an anonymity solution this is trivial for them to do. If the feds do not know where you are, they can’t bug your keyboard with a keylogger. Anyone who says you do not need anonymity if you use encryption should be looked at with great suspicion.

Tor exit nodes can spy on my communication streams so I should not use it!

If you use Tor to connect to the open Internet (.com instead of .onion) it is true that the exit node can spy on your communications. You can reduce the risk of this by making sure you only connect to SSL websites (https:// instead of http://). You can further reduce the risk of this by always checking the fingerprint of the SSL certificate and making sure it does not change without an adequate reason being presented by the site administrator. You can eliminate the risk of a spying exit node in some contexts. For example if you encrypt a message yourself with GPG before you send it, the exit node will not be able to break the encryption even if they are spying.

Tor is not meant for privacy (unless you only access .onions), it is meant for anonymity! If you want privacy while using Tor you will need to either only access .onions or you will need to layer it on yourself by using GPG, SSL, OTR or other encryption on top of it. Using Tor to connect to the open Internet without using any privacy tools yourself can actually reduce your privacy from some attackers. Remember, Tor to the open Internet is for anonymity, it is not for privacy. Anonymity is just as important as privacy. Also, networking tools with a larger focus on privacy than anonymity (such as VPNs) will not offer you privacy from law enforcement any more than Tor will and they also tend to offer substantially worse anonymity!
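The certificate fingerprint check described above, written out as a trust-on-first-use pin store. This is an added example, not part of the original guide; the host name `site.example`, the pin file and the certificate byte strings are constructed stand-ins, and `fetch_der` connects directly rather than through any proxy.

```python
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate. Needs network access and makes a
    direct connection (no proxy); the offline demo below does not call it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Remembers the fingerprint first seen for each host and flags changes."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, der: bytes) -> str:
        seen = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            # First contact: nothing to compare against, so record the pin.
            self.pins[host] = seen
            self._save()
            return "first-seen"
        if hmac.compare_digest(known, seen):
            return "match"
        # A different certificate is never accepted silently: the old pin
        # stays until the user has a reason for the change and accepts it.
        return "changed"

    def accept_change(self, host: str, der: bytes) -> None:
        """Call only after the change was explained through another channel."""
        self.pins[host] = fingerprint(der)
        self._save()


# Constructed stand-ins for two DER certificates (not real certificates).
CERT_OLD = b"constructed stand-in for the site's DER certificate"
CERT_NEW = b"constructed stand-in for a different DER certificate"


def demo():
    """Run the store through first contact, a repeat visit and a change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "pins.json"
        store = PinStore(path)
        results = [
            store.check("site.example", CERT_OLD),   # first contact
            store.check("site.example", CERT_OLD),   # same certificate again
            store.check("site.example", CERT_NEW),   # certificate differs
        ]
        # Reload from disk: the original pin must have survived the mismatch.
        store = PinStore(path)
        results.append(store.check("site.example", CERT_OLD))
        # The administrator announced a new certificate: accept it explicitly.
        store.accept_change("site.example", CERT_NEW)
        results.append(PinStore(path).check("site.example", CERT_NEW))
        return results


if __name__ == "__main__":
    print(demo())
```

A "changed" result is the case the guide warns about: either the site rotated its certificate or something between you and the site is presenting its own.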

If I use Tor can I be traced by the feds?

So far, probably not unless you get very unlucky or misconfigure something. The feds are getting better at tracing people faster than Tor is getting better at avoiding a trace. Tor is for low latency (fast) anonymity, and low latency solutions will never have the ability to be as anonymous as high latency (very slow) solutions. As recently as 2008 we have documented proof that the FBI, working with various other international federal agencies via Interpol, could not trace high priority targets using the Tor network. There is a large amount of information indicating that this is still the case. This will not be the case forever and better solutions than Tor are going to be required at some point in the future. This does not mean you should stop using Tor! It is quite possible that no VPN solution offers better anonymity than Tor, and the only low latency network which can be compared to Tor in terms of anonymity is I2P. Freenet is an anonymous datastore which possibly offers better anonymity than Tor or I2P. In the end it is very difficult to say what the best solution is or who it will hold up against, but most people from the academic anonymity circles say Tor, I2P or Freenet are the best three options. JAP is considered worse than the three previously suggested solutions, but better than most VPN services. You should at the very least use an encrypted two hop solution if you want a chance at remaining anonymous from the feds.

Traced is a very particular term. It means that the attacker either can observe your exit traffic and follow it back to your entry point or that the attacker can see your traffic enter a network and follow it to its exit point. Tor does a good job of protecting from this sort of attack, especially if you have not pissed off any signals intelligence agencies. Tor does not protect from membership revealment attacks! It is vital that you understand this attack and take measures to counter it if you are a vendor. To learn more about how to counter this attack keep reading this document, we discuss more in the applied security advice section on this page.

If I use Tor can I be traced by the NSA?

Probably. If you want a chance of being anonymous from the NSA you should research the Mixmaster and Mixminion remailer networks. The NSA usually traces people by hacking them and doing a side channel attack. They have dozens of zero day exploits for every major application. This is also how they compromise GPG and FDE. Your best bet to remain anonymous/secure from the NSA is to use ASLR with a 64 bit processor to protect from hacking + Tor + random WiFi location. Using airgaps can protect from them stealing encryption keys. This would involve using one machine with access to the internet to receive data, transferring the encrypted data to another machine with a CD which you then destroy, and decrypting on a machine with no access to the internet. Don’t reuse transfer devices or else they can act as compromise vectors to communicate between the machine with no internet connection and the machine with internet connection. Mixminion is better than Mixmaster.

If I use hacked cable modems am I untraceable?

No, the cable company can trace you and so can the police and feds. However, it will make it more difficult for them to do so. People have been busted using this technique by itself!

If I use hacked or open WiFi am I untraceable?

The degree of untraceability you get by using WiFi access points depends largely on how you are using them. If you always use your neighbor’s connection, the trace will go to your neighbor before it goes to you. However, if law enforcement make it to your neighbor’s house before you stop the pattern of behavior, they can use WiFi analysis equipment to trace the wireless signal from your neighbor’s router and back to you. Many people have been busted this way. Also, if you use many different WiFi access points but they fit into a modus operandi (such as always from a particular type of location, maybe coffee shop), you can eventually be identified if law enforcement put enough effort into doing so. Some people have been busted using this technique. If you use a brand new random location (harder than it sounds) every time you make a connection your identity can still be compromised, but the amount of effort required increases tremendously (assuming you are protected from side channel attacks anyway, be they CCTV cameras or remote WPS infections). We have not heard of anyone being busted if they used a brand new randomly selected WiFi access point for every connection.

If I send a package domestic to the USA with USPS do they need a warrant to open the package?

Yes, if it is sent in such a way that it could contain communications. For example, a letter will require a warrant but perhaps a very large and heavy box will not. For the most part, they need a warrant. No other mailing company requires a warrant to open any sort of packages. International packages can be inspected by customs with no need for a warrant.

Should I use masking scents, such as perfumes etc?

No, masking scents will not prevent a dog from hitting on the package. Masking scents will however make the package seem more suspicious to humans. Vacuum seal the product and be very careful to not leave any residues.

Applied Security Guide

Step Zero: Encrypt your host’s HDD

If you use Windows this can be done with Truecrypt

If you use Linux there are various ways you can accomplish this, usually an install time option

Step One: Configure the base system, harden OS

Application layer attacks exploit programming or design flaws of the programs you use; in general the goal of such attacks is to take over your system. For a deeper look at application layer exploits please check out this page. These attacks are very dangerous because they can circumvent a lot of the other security you use, like encryption and anonymity solutions. The good news is that Open Source acts as an application layer firewall between you and everyone you communicate with through Open Source. We have taken great care to harden our server from attack and even if you take no precautions yourself it should not be trivial for you to be hacked through our server. However it is still a good idea for you to harden your own system. You don’t know for sure if you can trust us and there is no reason to be a sitting duck if our server is indeed compromised.

The first step you should take is running the operating system you use to connect to Open Source in a Virtual Machine. We suggest that you use Virtualbox. Virtual machines like Virtualbox create virtual hardware and allow you to run an operating system on this virtual hardware. It sounds complex but you really don’t need to know a lot about the theory, Virtualbox does all the work for you. There are a few reasons why you should use a virtual machine. The primary reason is that if the browser in your virtual machine is hacked the attacker is stuck inside of the virtual machine. The only way they can get to your normal OS is if they find a vulnerability in the virtual machine’s hypervisor; this adds complexity to their attack. The second reason you should use a virtual machine is because it makes it easier to use Linux if you are used to Windows or Mac OS X. Linux is a lot easier to secure than those operating systems but it is also harder to use. By using a virtual machine you can use your normal OS and Linux at the same time; Linux runs as a guest OS in a window on your normal (host) OS.

It is very simple to set up a virtual machine. Download and install Virtualbox. After launching it you will need to create a new VM. It is pretty simple and the program will walk you through the steps. Make sure to create a large enough virtual drive to install an OS, I suggest around ten gigabytes. You will need an install image so you can put the OS of your choice on the VM. Download the most recent Ubuntu ISO and use this. Remember, it doesn’t really matter if you don’t know how to use Linux. All you are using this VM for is using Firefox to browse Open Source, security comes before ease of use! Now that your virtual machine has been created you need to point it to your Ubuntu install CD. You can do this by going to the machine’s storage tab in the Virtualbox manager and pointing the CD drive to your install ISO. You will possibly be required to configure your virtual machine to connect to the internet if the default settings do not work for you, but chances are high that they will. Now you need to boot the virtual machine and install Ubuntu. Installing Ubuntu takes a little over half an hour and is very easy; you can simply select to use the default options for almost all of the steps.

Now that Ubuntu has been installed in a virtual machine it is time to start hardening it. The first step is to make sure it is fully patched and up to date. You can do this by going to System -> Administration -> Update manager from the bar on the top of your screen. Make sure you install all new updates because the updates include important security patches. It will take a while to update your system.

Now it is time to do some more advanced hardening steps. These steps may seem to be difficult if you are not very advanced technically, but don’t worry it is all just following instructions and you only have to do it once. Go to Applications -> Accessories -> Terminal from the top bar on your screen. This will launch a command line interface. Now type in the following commands hitting enter after each:

sudo aa-enforce /etc/apparmor.d/*


This command enables every AppArmor profile that Ubuntu ships with, including one for Firefox. AppArmor is an application layer firewall and makes it a lot harder for a hacker to compromise an application configured with a profile.

sudo apt-get install bastille

This downloads a generic hardening script that will walk you through some automated steps to make your system more secure.

sudo bastille -c

This launches the bastille hardening script. It will walk you through every step, in general you should select the default option. Make sure you at least read every step, there might be some things you don’t want it to do but in general the default options are good.
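A check that the `aa-enforce` step above took effect, as an added example that is not part of the original guide. It parses the text report printed by `sudo aa-status` and lists profiles still in complain mode and processes that were started before their profile was enforced and so are still running unconfined until restarted; the sample report and its paths and PIDs are constructed.

```python
import re

# Constructed sample of `sudo aa-status` output (not captured from a real host).
SAMPLE = """\
apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox/firefox
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/sbin/tcpdump
3 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (812)
   /usr/sbin/cupsd (640)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/lib/firefox/firefox (2317)
"""

# Section headers that are followed by an indented list of entries.
HEADER = re.compile(
    r"^(\d+) (profiles|processes) are "
    r"(?:in (enforce|complain) mode|(unconfined) but have a profile defined)\.$"
)


def parse_aa_status(text):
    """Return {(kind, state): {"declared": n, "entries": [...]}}."""
    sections = {}
    current = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            count, kind, mode, unconfined = match.groups()
            current = (kind, mode or unconfined)
            sections[current] = {"declared": int(count), "entries": []}
        elif current and line.strip() and line[0] in " \t":
            # Indented lines belong to the most recent section header.
            sections[current]["entries"].append(line.strip())
        else:
            # Summary lines such as "4 profiles are loaded." end a section.
            current = None
    return sections


def findings(sections):
    """List what still needs attention after running aa-enforce."""
    out = []
    for key, section in sections.items():
        if len(section["entries"]) != section["declared"]:
            out.append(("count-mismatch", "%s/%s" % key))
    labels = [
        (("profiles", "complain"), "not-enforced"),
        (("processes", "complain"), "running-in-complain-mode"),
        (("processes", "unconfined"), "restart-to-confine"),
    ]
    for key, label in labels:
        for entry in sections.get(key, {"entries": []})["entries"]:
            out.append((label, entry))
    return out


if __name__ == "__main__":
    for label, entry in findings(parse_aa_status(SAMPLE)):
        print(label, entry)
```

In the constructed report the browser shows up under "restart-to-confine": its profile is enforced, but the running process predates it, so it has to be closed and reopened before the profile applies.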

Step Two: Configure Tor and GPG, harden Firefox

Follow these simple step-by-step guides in order:

Install Tor

Install GPG

Configure Firefox with Tor and Harden it

Although it is not required for customers to know how to use GPG they still should. Our system will protect your communications in some ways. Your messages are stored in encrypted containers set to dismount if an intrusion is detected. Our server is highly hardened and resistant to hackers infiltrating it and spying on your messages. We are also a Tor hidden service and therefore offer encryption from you to us and from us to the people you communicate with. Our server is still the weak point in this system; a particularly skilled hacker could compromise the server and manage to spy on your communications undetected. The server could be traced by an attacker who could then flash freeze the RAM and dump the encrypted container keys. As far as you know we could even be law enforcement, or law enforcement could compromise us at a later date (the first is not true and the second is not likely, but do you really know this?). Our system does not hide your communications from us if we are your adversary, the same is true for Hushmail and Safe-mail. You can protect your communications with high grade encryption algorithms simply by learning to use GPG and it isn’t hard so we highly suggest you do it. Vendors are required to accept GPG encrypted orders!

Step Three: Conceal your membership (VERY IMPORTANT FOR VENDORS)

Using Tor by itself is not enough to protect you, particularly if you are a vendor. Membership revealment attacks combined with rough geolocation intelligence can lead to a compromise! The gist of a membership revealment attack is easy to understand. The attacker merely determines everyone who is connecting to a particular network, even if they are incapable of determining where the traffic being sent through the network is destined for. Tor does a good job of preventing an attacker who can see exit traffic from following the stream back to your location. Unfortunately, if you ship product the attacker can determine your rough geolocation merely by determining where you ship product from. If the attacker already knows your rough geolocation and they are capable of doing a membership revealment attack to determine who all in your area is connected to Tor, they can likely narrow down your possible identity to a very small set size, possibly even a set size of one.

This is not likely to be useful for evidence but it will provide strong intelligence. Intelligence is the first step to gathering evidence. The attacker may put everyone in your area who they detect are connecting to the Tor network under meatspace surveillance looking for evidence of drug trafficking activity. For this reason it is highly important that you protect yourself from membership revealment attacks!

Membership revealment attacks are less of a worry for customers (provided financial intelligence is properly countered to avoid an attacker finding rough customer geolocations!) than they are for vendors. There are a few reasons why this is true. First of all a customer is likely to reveal more about their identity when they place an order than the attacker will be able to determine with a geolocation + membership revealment attack. Secondly, the vendors allowed to operate on Open Source have been highly screened to significantly reduce the probability that any of them are federal agents, but the customers on Open Source are not only anonymous but they are also not screened at all. Third of all, the organizational structure reduces the risk for customers; a customer may work with a few vendors but each vendor is likely to be working with hundreds or thousands of customers. Customers sourcing from Open Source are at minimal risk even if they have products delivered directly to their own residence; vendors working on Open Source are particularly vulnerable to membership revealment attacks due to the open nature of the site.

The primary concern for customers is that they load finances anonymously and the vendor decentralizes their financial network. If a vendor is using a star network (centralized) financial topology there is a risk that an attacker could map out the geographic locations where customers loaded funds. After determining where funding was loaded the attackers could do anonymizer membership revealment attacks in an area around the load point and filter out everyone who is not using an anonymizer. This will likely leave the customer and few others. The attacker may even be able to compare CCTV footage of the load to the users of anonymizers in the area and look for a facial recognition match. To counter this it is important for customers to make use of good financial counter intelligence techniques (E-currency layering being one). Customers may also choose to utilize transients by paying them a fee to load currency, this way the customer avoids being on CCTV at any point. If vendors decentralize funding points (ditch the star network topology) customers will be strongly protected from such attacks, however it is impossible for a customer to ensure that a vendor is using a 1:1 customer to account/pseudonym identification ratio.

There are several ways you can protect yourself from a membership revealment attack, if you are a vendor it would be foolish to not take one of these countermeasures. The primary way to protect from a membership revealment attack is to make sure you do not enter traffic through the same network you exit traffic through. As all traffic to Open Source ‘exits’ through the Tor network, entering your traffic through a VPN first will reduce your vulnerability to membership revealment attacks. The attacker will have to determine who all in your area uses any anonymizing technology and put all of them under meatspace surveillance, there are likely to be far more people in your area using some sort of proxy system than there are people using Tor in particular. This will substantially increase the cost of putting all ‘potential targets’ under surveillance.

Using a VPN is helpful but it is not the most ideal solution. Your crowd space against a membership revealment attack will increase but perhaps not by much depending on the particular area you work out of. Also, a particularly skilled attacker may be able to determine you are using a VPN to connect to Tor by fingerprinting traffic streams. Tor traffic is padded to 512 byte size packets, normal VPN traffic is not. By filtering for 512 byte streams, an attacker can determine who all is using Tor in a given area. VPNs protect from IP routing based membership revealment attacks but not from traffic fingerprinting membership revealment attacks. However, it is less likely that an attacker will be able to do a traffic fingerprinting membership revealment attack. The Chinese intelligence services apparently are still using IP address based attacks to block access to the Tor network. This is not nearly as effective as traffic fingerprinting based attacks. This could be an indication that traffic fingerprinting membership revealment attacks are more difficult to carry out (likely), however it could also be due to a lack of skill on the part of China’s intelligence services. It could also be that China is not particularly interested in blocking/detecting all Tor traffic and IP address based attacks meet their requirements.

A better option than using a VPN would be to set up a private VPS and then enter all of your Tor traffic through this. Doing this will make you much more resistant to IP address based membership revealment attacks because now the attacker will not even be able to narrow you down to all people in your area using any anonymity technology. This is still weak to traffic fingerprinting membership revealment attacks!

Perhaps the best option to avoid membership revealment attacks is to use open or cracked WiFi from a different location + Tor every single time you connect. You could even use open WiFi + VPN/VPS + Tor for very high security from membership revealment attacks. Using random (not your neighbor’s) open/cracked WiFi greatly increases your resistance to a wide variety of identity revealing attacks. An attacker can still do membership revealment attacks on users of open WiFi but they can no longer gain useful intelligence from the attack. If they detect that an open WiFi connection unrelated to you is using Tor it can not be used to put you under meatspace surveillance unless they manage to identify you (facial recognition from CCTV cameras, etc).

If you are operating as part of a group you can avoid membership revealment attacks via smart organizational policy. The person responsible for communicating with customers should be different from the person shipping orders. Now the customers are incapable of determining where your actual rough geolocation is because product is sent from a different geographic area than you communicate from. Your shipper should be aware that they will potentially come under scrutiny via a geolocation + membership revealment attack, especially if they use Tor to enter traffic.

Another option is to configure Tor to use a bridge. Tor bridges are designed to allow people in nations such as China the ability to connect to the Tor network. China uses IP address based blocking to prevent users from connecting to known Tor nodes. Bridges are Tor entry guards that are not publicly listed and have a limited distribution mechanism. You can get some Tor bridge IP addresses from the Tor website. We do not suggest you use Tor bridges because they replace your entry guard and they are undercrowded. This will lead to a lot less multiplexing on your Tor circuit and can hurt your anonymity in other ways, although it will indeed offer some level of protection from membership revealment attacks. China has managed to detect about 80% of Tor bridges; it is likely that NSA knows all of them. Police agencies in the West are probably not yet particularly worried about locating bridge nodes but they can probably do so with near the same accuracy as China. In our opinion it is not smart to rely on a Tor bridge to protect you from membership revealment attacks in most cases.

Step Four: Know how to do safe product transfer, handle finances safe

Note: Although customers sourcing from Open Source are encouraged to take the best security measures they can, it is not likely required for them to utilize advanced operational security regarding mail (such as fake ID boxes, tactical pick up techniques, etc). Because the vendors allowed to be listed here have been highly screened it is likely safe for customers to have product delivered directly to their homes. If you only work with highly trusted and trusted vendors your biggest concern will be a package being intercepted!



How To Spy on Mobile Devices

gAtO fOuNd – this guide it looks interesting – Have Fun boy and girls

How to spy on a mobile

Following the broadcast of the show Forbidden zone April 10, 2011 on M6 treating the subject of monitoring in general (domestic, employees, children …), I received many questions on my blog software presented on video or more broadly the tools to monitor anyone with a phone that is like iPhone, Blackberry, Android or other …


Indeed, in the first part of the show, there are two men who installed monitoring software on the phones of their respective spouses. Before I give you an overview of the software used, it is important to note that these monitoring tools for mobile (or PC as SniperSpy ) are not only used for monitoring a spouse, they can be used to monitor their children for whom it is of concern, an employee to ensure loyalty to the company or the use he makes of his professional portable … This software can also be a way to be sure of finding his personal data, secure or locate his mobile in case of loss or theft.

To return the software presented, it is software Global GSM Control (French version of the software well known Flexispy ) and Mobile Spy (also known as Flexispy).

Be aware that these programs are very powerful and work in the background and are completely invisible on the monitored cell. They are compatible with many cell phone.

Each of these two software offers a range of diverse and varied features, and prices obviously depend on the number of these features but also on the duration of the subscription selected. Indeed, you can choose from subscriptions of 3 months, 6 months or a year for Mobile Spy; Global GSM Control meanwhile offers three versions and a license valid for 12 months (no subscription). Prices for these 2 software are reasonable given the proposed monitoring capability but also the price adjustment to the user’s need in terms of the usage time he wants.

To return to the features, you must know that Global GSM Control is a monitoring tool for mobile phones more complete than SPY Mobile. Depending on version, it offers as an example a very powerful feature that is listening environment or listening live telephone conversations. Mobile Spy and Global GSM Control , as mentioned earlier, offer several modules adapted to the needs of each and budget. Among the features are cited: access to Email and SMS sent and received even those that were deleted, consultation with videos and photos stored on the phones, access to call history, GPS … For more details on features, I suggest you go to articles about each program ( GSM Global Control , Mobile Spy )

Note that to use for an iPhone, you need to jailbreak (Only the iPhone).

The blog presents only the software I tested and for which I have had positive feedback from users …

Feel free to visit the other blog posts for information and more information on these two latest software, or more generally on all the tools on the market and ESPECIALLY to know the users’ comments and avoid getting scammed .

Many people on my blog often ask me what the best spyware for a mobile phone is.

I must say there is a wide selection online. A Google search will show at least a half dozen companies claiming to sell the best spyware!

For those of you who really want to know and get the spyware that stands as the best spyware on the market, covering a range of features, the answer is simply the Global GSM Control software, the French equivalent (with online support and well detailed manuals in French) of the English Flexispy software, best known on the market.

Global GSM Control you will, with his power, to do a lot of impressive things with the multitude of features it offers. Depending on your needs, Global GSM Control offers versions with the bare minimum of features espionage until the most complete version offering an arsenal of powerful tools. For you to assess your needs and make your choice!

In general, the features offered by the versions are:
(For more details on the contents of each version of Global GSM Control, visit the official website ):

* Interception of calls in progress
* Environmental listening
* Spy SMS and Email
* The GPS Location
* Location Triangulation (without GPS you can know the position of the target phone with an accuracy of 5 to 10m)
* Read the Call Logs
* Email Relay (sending reports to your email address)
* Notification of change of SIM card (In case of change of the target phone SIM card, the GGC software sends you the new number via SMS so you can continue your spying)
* Control and configuration remotely with SMS commands (all GGC software functions are activated / deactivated remotely via invisible coded SMS commands; the frequency of sending the captured data is also configurable via SMS)
* Export reports
* Uninstall remotely via an SMS command
* Change unlimited phone target
* Quick and easy installation (5 to 10 minutes)
* Free updates
* 100% undetectable
* Copy of BlackBerry Messenger chats
* Interception and copy of WhatsApp Messenger chats (New! for iPhones and Android phones)
* Support in French competent and highly reactive
* Secured Personal Web Account

In view of all these features, its performance, manuals and quality of its support in French, the software is up to investment. Moreover, like any software for which I wrote an article on the blog, my test results on my iPhone were more than satisfactory, I will not hesitate to recommend it to anyone.

Mobile Spy: the first spy iphone, Blackberry, Windows Mobile, Android, LG, Nokia, Samsung, and iPad

  1. Monitor the location of the target using the iPhone GPS thereof.
  2. Read:
    Text messages (incoming and outgoing)
    The call history (incoming and outgoing)
    Emails
    The list of visited websites
    List of Contacts

    All this information … will be visible via a secure website with SSL technology.

How does it work?


Dashboard: Web site whose identifiers are assigned at the purchase of Mobile Spy on which you can view all the data collected.

Once installed on an iPhone, Mobile Spy runs in invisible mode and no indication is given on the iPhone target. This SPYPhone runs in the background behind all other iPhone applications. Then all the activities of the iPhone are registered and silently sent to the user’s account. This information is viewable in real time as they are recorded including the full content of text messages, call records and GPS positions.

HOW MUCH does it cost? And where to buy?

1) Annual license (12 months) for $ 99.97
2) Semi-annual license (6 months) for $ 69.97
3) Quarterly license (3 months) for $ 49.97

NB: Mobile Spy is also available (with the same functionality) to:

All Windows Mobile phones
All Symbian phones (LG, Nokia, Samsung …)
All Android phones
And now the brand new Apple iPad

PS: -> When you buy an annual license of Mobile Spy ($ 99.97), the PC Spy Sniper is offered. Sniper Spy is a spy software for PC that secretly records every keystroke, chat, moved to distance (you do not need access to the computer you want to spy), and control the target PC time real. (This allows you to spy on a PC in real time. Download files, view the browsing history, etc.).

iPhone Spy 4

UPDATE> November 8, 2010: The new software Global GSM Control is now compatible with iPhone 4 and with the functionality of listening environment and interception of live calls!

Mobile Spy ( www.espionnertelephone.com ) today announced the immediate availability of their iPhone spy software 4.

If you want to spy on an iPhone 4, Mobile Spy is the first software on the market today that supports the new iPhone 4. This was actually a lot of time considering the fact that the iPhone 4 was marketed about five months ago.

I know many readers have long sought an application that supports the iPhone 4. At least their wait is finally over.

So what are the features of Mobile Spy for iPhone 4?

The main features that I’ve tested:

GPS tracking – This feature allows you to secretly locate the iPhone 4 in real time. The results are then displayed on a map.

Secretly Read the SMS – With this feature you will be able to read all incoming and outgoing SMS. This works even if messages are deleted after they are read.

Secretly read emails – Mobile Spy software also allows you to read the incoming and outgoing emails. This also works even if the emails are deleted.

Secretly see the pictures – This feature allows you to view all photos taken by the iPhone 4.

View call logs – This lets you view all your call logs on the iPhone 4. Incoming, outgoing, caller name associated with the number in the address book, time and date.

See the history of web browser – see the URLs of websites visited by the user of the iPhone.

See the Contact List – This feature of Mobile Spy, you will be able to view all contacts stored on the iPhone 4.

Other points to note are:

The software operates in 100% undetectable. This means that the user of the iPhone 4 has no idea that Mobile Spy is installed.
The iPhone 4 MUST be jailbroken to use Mobile Spy. This is now very easy to do and only takes a few minutes (see HERE how).

The iPhone 4 requires an Internet subscription to download the information recorded.


HERE (avoid buying Mobile Spy on other sites because there are many scam right now on e t n)

HOW MUCH does it cost?
1) Annual license (12 months) => $ 99.97 (annual version includes a free copy of their most popular monitoring software for PC – Sniper Spy )
2) License semester (6 months) => $ 69.97
3) Quarterly License (3 months) => $ 49.97
NB: Mobile Spy is also available (with the same functionality) to:

The Blackberry
All Android phone
All Windows Mobile phones
All Symbian phones (LG, Nokia, Samsung …)
And the new iPad

See if Mobile Spy is compatible with your phone HERE
Mobile Spy’s competitors are: software Global GSM Control (the most powerful spy software market) and Flexispy

SniperSpy 7

How are you able to record and track all activities on a PC remotely, make screen captures, record all conversations (MSN, YAHOO, GMAIL …) or exchange with the opportunity to achieve all this in real time, so live? Now you can with SniperSpy.

Personally, what I have enjoyed in this product is being able to watch live what happens on the pc. With this feature, I can spy on the pc of my choice in remote connecting with the secure control panel and clicking on Live Control Panel.

I can then view and display all the recent documents, scan them, see what happens on the remote pc and better than that, I can download it from this pc.

One last thing and the most brilliant, SniperSpy offers the possibility of remote installation, which means that you will be able to install SniperSpy on any PC in the world.

* Product: SniperSpy
* Compatible with: Windows (98/98SE/ME/XP/NT/2000/Vista/windows 7) + MAC
* Price: from $ 39.97 (~ € 32)
* Website Official


Spy on a laptop with SpyBubble


Here is a tested software that I wanted for some time for you to look back on its use. This is just my own assessment of the software. If you want more information or download the software, click the following link which will direct you to the official website

Through this article you will have access to the details of what SpyBubble can do and an answer to the most important question: does it really work in comparison with the best known software on the market: Global GSM Control, Mobile Spy, Flexispy or Mobistealth? Then you will know before making your purchase whether SpyBubble matches your need or not.

What does SpyBubble do?

Spybubble is monitoring software that allows you to watch over the safety of your children, make sure you trust that you show your spouse, compliance with the commitments of your employees … or simply backing up data on your existing phone before you can retrieve them in case of loss, theft … This software monitors the activities of your phones and works automatically in a completely secure once installed. Below is a list of features offered by the software:

Call Monitoring: Whether incoming or outgoing, you’ll be able to find phone numbers, to get an idea of the frequency of these calls and to know the duration of each conversation

Monitoring messages: You will be able to read all incoming and outgoing messages, even if they were deleted by the person in possession of the target phone. You can then see if your employee uses his mobile professional for personal or simply ensure the safety of your children or their surroundings

Monitor the location: SpyBubble also allows you to know and track the location of your mobile using Google Map. You will then know the exact location of the phone and then the person using it. Ideal for no longer any doubt about where your teens go …

Accessing the phone book: With this feature, you can easily inform you on the contact list stored in the phone

Undetectable software: You will benefit from these features by being certain that the software is 100% undetectable. Once installed, the software does not display an icon at the mobile.

Monitor multiple mobile: you’ll be able to monitor both unlimited mobile if you wish

Spybubble is compatible with Blackberry, Android, Symbian S60, Nokia, Windows Mobile and on iPhones. It works on most smartphones on the market.

How does SpyBubble work?

SpyBubble uses advanced technology to record all activities of the mobile phone either text messages or phone calls. Then, the monitoring software sends this information using the internet connection of the target phone to a remote server where they are stored. You can then access them from any computer or your own mobile.

All you need to do is create your user account.

Once connected, you should install SpyBubble on the target phone by following these instructions:

Step 1: Complete your registration on the website SpyBubble. For this step, you will need to provide your IMEI number of the target phone (It occurs usually printed on a label on the phone battery. You can also post it on the screen by typing the following sequence on the keyboard : * # 06 #)

Step 2: Open the Internet browser the target phone and download the software on the phone. IPhones for downloading the application is via Cydia (jailbroken iPhones need to be)
Step 3: Install the software SpyBubble by following the instructions in the Software Installation

Step 4: Restart the phone
Step 5: And connect to your personal space (the link to your personal space will be indicated in the email to purchase) to begin tracking activities.

You can also use the installation guide that will detail each step with illustrations and screen shots. This will also allow you to know exactly how to use your software.
Thus, once you have successfully installed SpyBubble on the target phone, you will be able to monitor it.

Feature Summary SpyBubble …
• Registration of SMS sent and received
• Recording of incoming and outgoing phone calls
• Monitoring of activities on the Internet browser of the phone
• GPS location to detect the location of the phone
• Access to the directory of phone contacts target
• Works anywhere in the world and 100% undetectable

To summarize the results of this test, we can say that without being as complete as Global GSM Control in terms of features offered, SpyBubble monitoring software is reliable, that works perfectly and offers the basic monitoring functionality with a good value for money.

Spyware: 5 tips before buying a GSM Spy

Posted by spy gsm · Comments (26)

If you are considering buying a spyware for mobile phones to spy on your spouse (infidelity, lies …), or keep an eye on phone use by your children or perhaps in order to monitor your employees if you have any doubts, you should make sure to follow the advice below before making your purchase.

By following the tips below, you will be able to spy on your target and achieve your goals but if you neglect any of the advice, you will end up spending much money or being noticed by the person you were hoping spy.

Tip / Council No. 1: Make sure you have access to the target phone. There is no way you can install spyware without having physical access to the target phone. This is precisely the question asked by a number most people wishing to purchase a spyware: they always want to know if it is possible to install spyware without physical access to the target phone. Unfortunately, no matter what you hear, the answer is always NO, it’s impossible. If you come across a company selling this type of software which tells you that this is possible, I strongly advise you to close your browser and do not revisit their website because you will rip.

Tip / Council No. 2: Always make sure your target phone is a compatible phone. For a complete list of phones with spyware (mobile SPY here , Flexispy here , Global GSM Control here ) . Take the time necessary to verify that the phone of your target is on the list of phones that can support spyware. If your target has a phone that just came out, you will not just be able to find it in the list of phones accepting spyware. All you have to do then is perform a quick Google search on the phone in question and see its features. If you see Symbian, Windows Mobile listed as operating system, then you will be sure you do not fool yourself by buying the spyware. If you are still unsure, contact me and I will do my best to answer your questions.

Tip / Council No. 3: Always make sure your target phone has an Internet connection to the information that the spyware records can be transferred and loaded onto your online account you set when you purchase the software. However, you will not need to ask all these questions because, to install the spyware, you will need to download it to your target phone and hence to have an internet connection for this purpose. Without an internet connection, this will not be possible. The good news is that nowadays, most phones have a connection and it is likely that your phone is also the target. You can verify this by simply asking the owner of the target phone to log Internet by going to the browser or google search a site like Ebay, Amazon, etc. … and if possible, then you have nothing to fear.

Tip / Council No. 4: You should also ask: are you able or comfortable with installing a phone application?. Install spy software for mobile is not an inherently difficult task but it requires a certain familiarity in terms of installing software or applications. You must ensure that you will not hurt to download software, install it, configure it to meet your needs. This process or these tasks will ask only 10 to 15 minutes total, maybe a little more for someone who uses it for the first time. In addition, make sure you take the time to read the installation instructions before you start handling the spyware to install on your target phone. Following this advice, you can identify the elements that you do not understand or that you are not comfortable and you can seek clarification by asking for advice or information to the software vendor.

Tip / Council No. 5: Make sure you know exactly what you need to achieve your goals. One thing that comes up quite often, is that most people are generally satisfied with the information they access with their spyware. However, they demand ever more desperate to find and market a spyware offering more features espionage. Therefore it is essential to know what you really need to achieve your goals. By purchasing a spyware, you want to monitor your spouse or partner because you doubt his sincerity? If yes, what do you exactly need to prove or disprove your suspicions? Do you need to hear live conversations? Or you will be content to simply read the incoming and outgoing messages in the target phone? Only you can provide answers to these questions. So before you spend a penny, make sure you know your needs. In pursuing this thought, you do not you break head to want to install a new software version and save your money.

If you follow the tips above, you will be safe in buying the spyware to make the right choice, a choice for your needs. When you decide to buy spyware, make sure you choose software sold by market leader in the sale of spyware. The companies listed below, are the sole suppliers of spy phone software in leading position in this market. Their software works perfectly well and are satisfactory for all who have ever used. These leaders are also known for their quality of service towards clients and their availability to answer all your questions and ensure the operation of their software.

Features offered:

Interception of calls in progress, Environmental Listen, Reading SMS, The Email, The GPS Location, Location by Triangulation (without GPS you can know the position of the target phone with an accuracy of 5 to 10m), Read The Call Logs, Email Relay (reports are sent to your email address), Notification of SIM change, Remote control with SMS commands, Export reports, Remote Uninstall, Change unlimited target phone, Updates day free, 100% undetectable, copy of BlackBerry Messenger chats, Personal Web Account Secure

Great customer service, a money back guarantee within 7 days if dissatisfied.

Functions offered: Monitoring with GPS tracking, SMS interception, and view history of calls, emails, photos 100% undetectable. …

The ability to monitor multiple phones.

A money back guarantee within 30 days (if the support of the company can not run the software on your phone)

The spyware SniperSpy PC for free (including the ability to install remote control of PC Live, and more …) if you buy an annual license of Mobile Spy software.

Price: $ 49.97 – $ 99.97 USD


Blackberry Messenger Spy

I have good news for all those who have long sought a way to monitor BlackBerry Messenger chats. The spyware Global GSM Control, Black version (www.global-gsm-black.com), now allows you to spy and secretly read chat history of BlackBerry Messenger. Before this release, it was very difficult to secretly read BlackBerry Messenger chats, but with the new Global GSM Control software, the BlackBerry Messenger chat log reader is now a reality.

Below is the full list of all the features available on the Global GSM Control software, Black version:

Reading BlackBerry Messenger chats: this feature of Global GSM Control Black allows you to secretly read all of BlackBerry Messenger conversations.

The interception of calls live: it allows you to listen quietly and live calls made and received.

Remote monitoring: with this feature you can turn your phone into a listening environment of the Blackberry phone remotely.
Reading emails: to read all incoming and outgoing emails from BlackBerry target.

GPS tracking: to track the location of the BlackBerry in real time.

Read secret SMS messages: to read all incoming and outgoing SMS from the target phone.

Viewing Call Logs: you will see the history of all call logs.

Notification of SIM change: If the BlackBerry target different SIM card, you will receive an SMS notification indicating the new number.

Spyware 100% undetectable: Global GSM Control works quietly without icons or folders on the BlackBerry visible target.

Warranty: Global GSM Control Black comes with a warranty 7 day money back guarantee

HOW MUCH does it cost? € 320
URL: www.global-gsm-control.com

The gsm spy Flexispy is now available for iPhone 2G 3G 4G and the new 3Gs 4Gs!

Flexispy supports the full range of iPhones. This means you can now spy on the new iPhone 4Gs but also the old iphone 2G.

Here is a list of characteristics Flexispy iPhone:

* Intercept SMS. (Secretly records all SMS sent and received from the iPhone)
* The GPS location. (Hunt for the target location by GPS. This works on the 3G models 3Gs 4 and 4s)
* Interception of Emails. (Read secretly all incoming and outgoing emails from the iPhone)
* Remote control. (You can use SMS commands to control the phone remotely)
* Quick and easy installation. (Flexispy installation is very simple. Just download the software directly spy on the iPhone. No computer or cable required)

* Notification of SIM change
* The listening environment (When GSM is connected but is not being used, you can call the iphone, one will win automatically and will let you hear around the phone without this being visible to stakeholders present around the phone.)
* Interception of live calls (When the GSM communication, will send an SMS to notify you. Then you just have to call the GSM communication to secretly listen and direct).

Cost is from $ 149 (Flexispy LIGHT)
For more information or to buy Flexispy click here

Flexispy's competitors are: SPY Mobile , MobiStealth , and the new software Global GSM Control (the most powerful spy software market)

NB: Flexispy is also available (with the same functionality) to:

All Windows Mobile phones
All Symbian phones (LG, Nokia, Samsung …)
All Android phones

I just downloaded my own copy, so I will test this spy gsm iPhone in the coming days to follow …

Have you heard of software called by many names, including:

E-stealth Blue Stealth PhoneStealth

BlueWare Cell Spy ClubMZ Arsenal

BigDaddySpy Bluetooth Spy
The e-stealth.com and other sites selling this product scam.

Check out some of the claims of E-Stealth.

1. It is compatible with any phone.
2. They say they do not explicitly support
3. They have a zero refund policy!
4. If you request a refund of your money, they say they can sue you for $ 10,000
5. The screenshots of their product is actually that of another product.

1 and 5 are in fact lies, and even their own manual says that all phones are not supported. The other points are illegal because they require you to waive your rights as a consumer.

What they do not tell you: They sell all just a set of free utilities from 2003. Even if your phone run the software, the phone you want to spy * must * accept a Bluetooth connection whenever you want to spy. That will never happen.




Spy-GSM: GSM Surveillance Spy Software Reviews PC




Cyber threats the joker and the thief

gAtO FoUnD– the continued threat of vulnerabilities within Web applications, mobile applications, and outlines specific vulnerabilities with cloud-based implications.  Also an alarming trend for security professionals, in the form of continued prevalence of critical application layer vulnerabilities, such as Cross Site Scripting (XSS) and SQL Injection. Though there are existing fixes for these well-known vulnerabilities, these flaws continued to dominate with XSS climbing to a staggering 38 percent of total Web vulnerabilities, increasing slightly from the second half of 2010. SQL Injection accounted for 15 percent of the total number of Web vulnerabilities.

Web vulnerabilities
—  In the first two months of 2012, 59 percent of all reported security vulnerabilities were Web vulnerabilities
—  In 2011, Cross Site Scripting (XSS) accounted for 38 percent of total Web vulnerabilities

“As businesses worry about the next big security threat, they fail to realize the threats that are right in front of them,” said John Weinschenk, CEO of Cenzic. “From an industry-wide perspective, the fact that the amount well-known vulnerabilities continue to persist is a signal that education, diligence, and proper coding during the development phase are a necessity in today’s cyber world. Real change can only happen by adhering to these principles.”

Mobile vulnerabilities
—  A total of 89 mobile vulnerabilities were made public in 2011 and so far in 2012 (Jan-Feb) 11 mobile vulnerabilities have been made public.
—  Sensitive Information Disclosure (28 percent) and Session Authentication and Authorization (28 percent) make up the bulk of the


The recent report also details the vulnerabilities related to cloud and mobile device usage, noting a total of 89 mobile vulnerabilities were made public in 2011, while out of a set of 1201 publicly reported vulnerabilities 855 had cloud-based security implications. As mobile devices continue to be used to access online cloud computing platforms, emerging hybrid vulnerabilities have developed as well.

Cloud vulnerabilities
—  In 2011, out of a set of 1201 publicly reported vulnerabilities 855 had cloud based security implications
—  Specific security vulnerabilities were found in cloud-based applications including EyeOS, OrangeHRM, The Parallels Plesk Panel, Oracle Fusion Middleware, Batavi E Commerce, deV!ls ClanPortal, and


The growing demand for cloud applications and mobile devices that access them is creating a unique problem. Each has its own set of security issues, but when used in tandem, they can produce hybrid vulnerabilities that compound threats and increase the complexity of secure coding. By exploiting vulnerabilities in a mobile application a hacker can open up an attack vector to a preexisting vulnerability on the cloud based application -gAtO oUt



Hacking the Rail Network

gAtO ThInK – A professor at Darmstadt Technical University in Germany has warned that even unskilled hackers could paralyse a rail network by targeting railway switches with a ‘brute force’ cyber attack.

I've just seen too many train action movies, and some dumb kids may try -today “if you can do it, they’ll try and do it”.

The modules ASCI Terminal TRM-3aT USB -SMS cell broadcast- are the problems. When you can send a simple SMS command to a device and actions happened, well write me a script to any crazy movie, stupid hack. Stop all trains in DC during rush hour, how about Grand Central Station and send signal switching trains to different tracks, while texting momma. And let’s not forget the good guy’s using it like as you mentioned Bart-Police. – When the train police has the power to stop free speech, I have a problem with that. Let’s kick it up a pay grade please.

The prime target in the US railway system is hump yards. The prime target in Europe is the European Train Control System (ETCS) which uses GSM-R for communications.

US railroads have a number of control systems at different levels that parallel those of a manufacturing concern. At the top level are the planning systems that track car movements, reconcile between railroads for railcars on “foreign” roads, and plan trains and consists based on customer needs.

Huawei, Nortel and Siemens Transport Systems are three leading vendors of GSM-R equipment. Huawei has ties to Chinese PLA and has been investigated by the “US Arms Service Committee” for putting a hardware backdoor into digital infrastructure systems.

The next level takes the plans and implements them. One part makes up the trains – all freight trains except for unit trains are put together at hump yards. The other part controls the movement of the trains – Centralized Traffic Control (CTC) and its successors (ETCS-like systems are gaining ground in the US). Communication between these two parts is primarily up to the next level and back down – train movements are only dependent on consist when a particular type of car is not allowed on a particular section of track.

gAtOmAlO sAy's

The next level down is the actual train controls and the track controls. Controls within individual trains are centered around the locomotive(s) but they include braking controls. Track controls include switching, safety, and traffic management (the mechanism for the CTC to manage train movements). Communication between the trains and the tracks is common – various mechanisms are used such as balises.

GSM-Rail (GSM-R)

Built on GSM technology, GSM-R is a secure platform for voice and data communication for railway security, services and communications. It is used as a layer on which security and train tracking applications run, as well as video surveillance, passenger information systems and cargo tracking. GSM-R is the standard for wireless railway communications in Europe, Asia and North Africa, replacing dozens of legacy standards in use prior to the development of GSM-Rail.

Positive train controls are the most advanced type of control – the train is controlled by the central management through track controls and communications. This has become a highly popular idea since the LA commuter train wreck when the engineer was texting, not driving the train. If one assumes that distracted engineers are the threat, positive train control makes sense. If one assumes that a computer adversary abusing the train control system is the threat, then PTCS is an adversary’s dream.

The worrisome aspect of this is that these systems and the software structures under which they run are kept under a tight grip for “security reasons”. Hence, fewer experts and security amateurs are looking into the various possible flaws. I doubt that many companies (even Veracode) who offer code review for security issues support any kind of SCADA systems nor are they interested in supporting it, given the tight grip.

Yet, I can guarantee you that the “big players” PwC, BEA, Northrop Grumman, etc. have somehow managed to convince government agencies of the illusionist promise that they can audit the security of these systems at some ridiculous premium.

That leaves the interest of such systems and the control of them to the diehard fans, namely: foreign governments, foreign militaries and terrorists.

We’ve done one assessment of light rail, a passenger system in an Asian country. We’ve been unsuccessful in getting interest from the AAR or any of the actual railroads. The systems are relatively standard and anyone can purchase them for RE. Like many control systems, the actual installations tend to be customized to the particular situation. I don’t see how rail systems could be harder to assess than oil refineries or such. I do agree that beltway bandits do charge a lot for superficial depth of experience.

What gets me is that this summer Lockheed was hacked (big-time) and the next thing they get a SCADA contract from the government (unreal). Is this really the way it works in Washington? I looked into GSM and R-GSM and the hardware is pretty much off the shelf, and if everyone does things any old way as Raymond mentioned, without standards, they are building more backdoors with every mile that’s modernized. How can a company come in and mitigate security solutions, when every company does it their own way?

There’s money to be made in doing security for the railroad.

After some interesting reading I found this out: I want to share with the class.

These are the different types of GSM 900 band:

PGSM: Primary GSM -> UL=890-915 MHz & DL=935-960 MHz
EGSM: Extended GSM -> UL=880-915 MHz & DL=925-960 MHz
RGSM: Railways GSM -> UL=876-915 MHz & DL=921-960 MHz

For more information on GSM Bands, checkout this link:

GSM uses A5/1 security cipher mechanism:
A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering.

A number of serious weaknesses in the A5/1-cipher have been identified.

So our normal cell phones are Primary GSM, so we cannot use a normal cell phone to hack the RGSM – different frequency. But for a couple of hundred bucks one can be purchased. Just when gAtO thought —-gAtO knew it all—-;>, they add this – ah well back to the drawing board – back to work –gAtO oUt
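The band list above can be turned into a small lookup for anyone tagging carriers seen in a spectrum capture or reading a handset's band-support sheet. This is an added example, not part of the original post: the frequency ranges are the ones listed above, while the channel (ARFCN) numbering is taken from 3GPP TS 45.005 and the function names are made up for illustration.

```python
"""Map GSM 900 channel numbers (ARFCNs) and carrier frequencies to the
P-GSM / E-GSM / R-GSM allocations listed above. Added example."""

# Uplink ranges in kHz, copied from the list above. The downlink ranges on
# the page are exactly these shifted up by the 45 MHz duplex spacing.
UPLINK_KHZ = {
    "PGSM": (890_000, 915_000),
    "EGSM": (880_000, 915_000),
    "RGSM": (876_000, 915_000),
}
DUPLEX_KHZ = 45_000
CHANNEL_KHZ = 200  # GSM carrier spacing

# ARFCN ranges per band (numbering from 3GPP TS 45.005, not from the page).
ARFCNS = {
    "PGSM": [range(1, 125)],
    "EGSM": [range(0, 125), range(975, 1024)],
    "RGSM": [range(0, 125), range(955, 1024)],
}


def arfcn_to_uplink_khz(arfcn):
    """Uplink carrier frequency in kHz for a GSM 900 ARFCN."""
    if 0 <= arfcn <= 124:
        return 890_000 + CHANNEL_KHZ * arfcn
    if 955 <= arfcn <= 1023:
        # The extension channels sit below 890 MHz and count up to 1023.
        return 890_000 + CHANNEL_KHZ * (arfcn - 1024)
    raise ValueError(f"ARFCN {arfcn} is not a GSM 900 channel")


def bands_for_arfcn(arfcn):
    """Names of the GSM 900 variants that include this channel number."""
    return [band for band, ranges in ARFCNS.items()
            if any(arfcn in r for r in ranges)]


def classify_frequency(khz):
    """Return (direction, [bands]) for an observed carrier frequency in kHz."""
    for direction, shift in (("uplink", 0), ("downlink", DUPLEX_KHZ)):
        bands = [band for band, (lo, hi) in UPLINK_KHZ.items()
                 if lo + shift <= khz <= hi + shift]
        if bands:
            return direction, bands
    return None, []


def railway_only_channels():
    """ARFCNs that exist in R-GSM but in neither P-GSM nor E-GSM."""
    return [n for r in ARFCNS["RGSM"] for n in r
            if bands_for_arfcn(n) == ["RGSM"]]


if __name__ == "__main__":
    only_r = railway_only_channels()
    print("R-GSM-only channels:", only_r[0], "to", only_r[-1])
    for n in (only_r[0], only_r[-1]):
        ul = arfcn_to_uplink_khz(n)
        print(f"  ARFCN {n}: uplink {ul / 1000} MHz, "
              f"downlink {(ul + DUPLEX_KHZ) / 1000} MHz")
    # Constructed sample observations (kHz), not real measurements.
    for khz in (876_200, 921_200, 935_200, 918_000):
        print(khz, classify_frequency(khz))
```

The output makes the relationship explicit: R-GSM is a superset of the other two, and only the 20 channels at the bottom of the band are railway-specific.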















Business Cell Phones Hacks Will Soar In 2012

gAtO sAy – In 2012 business information will be the main hacking victim through cell phones. IEEE says “it is likely to be C-suite executives exposing businesses to vulnerabilities” (CEO -Chief Executive Officer, CFO -Chief Financial Officer, COO -Chief Operations Officer); yes, even CTOs (Chief Technology Officers) will get their cell phones hacked, and all kinds of IP (intellectual property), BI (business intelligence) and KM (knowledge management) will go out the door. The hacked information is a treasure to cyber criminals, competition, international/national governments, hackers and script-kiddies.

GaTo sAiD bEfOrE – Why is this true? The public has been trained to recognize cyber-security threats associated with their PCs and laptops, but they do not see their smart phones as computers subject to the same threats. And in some ways those threats are even worse.

Research by IEEE Fellow Dr. Jeffrey Voas in the US has so far uncovered malware in more than 2,000 free smartphone apps. Voas says free, rogue applications like this will be the most common access-point for hackers over the next year.

Unlike on a PC, where web browsers often give plenty of warning about dodgy websites with warning lights and alerts, the screens on smart phones are too small to display this protection. These devices contain identifying information, potentially saved passwords, and authentication details, and are much more likely to be misplaced or stolen than other larger portable computing equipment.
It takes just one high or low level employee to download malware onto their phone and spread it to the organization’s systems.

But the fun does not end here: you don’t really need to be a hacker to get information to decide who to attack, just like targeted spear phishing attacks.
Here are a few thoughts:

2012 Security Predictions gAtO working copy v.01-alpha

  • spoofed caller ID
  • low-tech approach of merely guessing someone’s four-digit voicemail PIN number or password
  • pretexting -professional imposters

Social engineering: if a person uses their cell phone to update LinkedIn, Facebook or Twitter – “Send an enticing link via SMS, email, Twitter; if the target follows from their phone you’ve got a chance at using one of many remote exploits for iPhone and Android to install a rootkit,”

An attacker can join social media and start collecting friends; I’m sure there will be a wealth of information out there. Even indirectly, if you can get a friend of a friend of a friend you may be able to see your subject’s SMS or cell phone update.

Watch how you use your cell phones PEOPLE.

WiFi and VoIP hacking for the personal and corporate data, and better still small mom & pop stores and small business: how much information does your local gas station or news stand have on you? They don’t have an IT department. VoIP can allow you to drive by phone phreaking along the back roads of suburbia near the subject’s (target’s) home address.
Android and iPhones re-sync phone book data, voicemail, text message logs, browser history, or anything covertly sent to you with your computer. Even your personal computer may have business information.
“Older versions of Android are easiest to hack,” – “Recent versions of iOS [are easy to hack] too, though both Apple and Google have been quick to release patches.”
If a rogue hacker were to hack into someone’s (your) voicemail, is there any way to detect the intrusion? Unfortunately, voicemail systems from the major carriers in the U.S. leave a lot to be desired. None that I’ve encountered offer any sort of access log. The best you can determine is whether or not a message has been listened to. Even then, if a hacker were to listen to and then delete a message, you’d have little way of knowing.”
Getting a person’s personal phone number to spoof could be accomplished by finding it in publicly available documents such as student listings, or these days, on social networking sites like Facebook. A bit of social engineering with real people who know or could access the number would accomplish the same thing

Your E-Mail is the KEY to cell phone hacking. It’s the closest thing to the skeleton key of the digital world. How about if your email is hacked and your password published. How about just simple bad password, in the release of the hacked email from Stratfor there were 100 with “password” in them. How about the last four digits of your phone number, or 1-2-3-4, or publicly available information like your birthday,”

Data Breach Affects 50,000 people; 50,277 Credit Card Numbers, 44,188 Hashed Passwords, 47,680 E-Mail addresses.
personally identifiable information:
• 50,277 Unique Credit Card Numbers, of which 9,651 are NOT expired. Note: Many credit cards are re-issued, and many credit card processors do not check the expiration date. Consequently, more than 9,651 credit card holders may still be at risk.
• 86,594 Email addresses, of which 47,680 are unique.
• 27,537 Phone Numbers, of which 25,680 are unique.
• 44,188 Encrypted Passwords, of which roughly 50% could be easily cracked.
• 73.7% of decrypted passwords were weak
• 21.7% of decrypted passwords were medium strength
• 4.6% of decrypted passwords were strong
• Average decrypted password length: 7.1 Characters.
• 10% of decrypted passwords were less than 5 characters long.
• Only 4.8% of decrypted passwords were 10+ characters long.
• Presumably the remaining non-decrypted passwords were stronger than the decrypted subset.
• 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world.
Cell Phone — Password retrieval mechanisms can be exploited, most security protocols send forgotten passwords to a person’s main email address. Every service in the world typically goes back to your email address. Your primary email password should be different than anything else you use, and it should be stronger than any other password you use.”
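The guessable choices named above (the word “password”, 1-2-3-4, the last four digits of a phone number, a birthday) can be rejected at the moment a voicemail PIN or account password is set. The following is an added example, not code from the original post; the function names, reason strings and sample values are constructed for illustration.

```python
"""Flag voicemail PINs and passwords built from guessable material.
Added example; all names and sample values are constructed."""
from datetime import date


def _birthday_forms(birthday):
    """Common digit strings people derive from a date of birth."""
    d = f"{birthday.day:02d}"
    m = f"{birthday.month:02d}"
    y = f"{birthday.year:04d}"
    return {m + d, d + m, y, m + y[2:],
            d + m + y[2:], m + d + y[2:], d + m + y, m + d + y}


def _is_digit_run(secret):
    """True for ascending or descending runs such as 1234 or 9876."""
    if len(secret) < 3 or not secret.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def weak_secret_reasons(secret, phone_number, birthday):
    """Return the reasons a PIN or password is guessable (empty list = none found)."""
    reasons = []
    s = secret.strip()
    phone_digits = "".join(c for c in phone_number if c.isdigit())

    if len(s) < 4:
        reasons.append("shorter than four characters")
    if "password" in s.lower():
        reasons.append("contains 'password'")
    if s.isdigit() and len(set(s)) == 1:
        reasons.append("single repeated digit")
    if _is_digit_run(s):
        reasons.append("sequential digits")
    if len(phone_digits) >= 4 and phone_digits[-4:] in s:
        reasons.append("last four digits of phone number")
    if any(form in s for form in _birthday_forms(birthday)):
        reasons.append("derived from birthday")
    return reasons


def audit(candidates, phone_number, birthday):
    """Map each candidate secret to its list of weaknesses."""
    return {c: weak_secret_reasons(c, phone_number, birthday) for c in candidates}


if __name__ == "__main__":
    # Constructed subscriber record: fictional 555-01xx number and birthday.
    phone = "+1 202 555 0147"
    born = date(1980, 7, 4)
    samples = ["1234", "0147", "0704", "0000", "Password1980", "8351"]
    for secret, why in audit(samples, phone, born).items():
        print(f"{secret!r:16} {'REJECT: ' + '; '.join(why) if why else 'ok'}")
```

An empty result only means none of these specific patterns matched; it does not make a four-digit PIN strong.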

Ubiquitous computing, of which our smartphones and tablets are but just the beginning, is going to require that we shift our paradigms of privacy and security in profound ways. This isn’t just the responsibility of the average Joe user, however.  We need to be demanding that our mobile service providers aggressively protect our privacy and keep the bar high for device security. In the meantime, to avoid becoming phone hacking victims, users should take extra precautions to regularly reset their PIN numbers to protect their data — just as we’re engrained to do with our computers and online accounts.
It’s not unreasonable to project that [phone hacking] will become more common, as more of our important data finds its way into the cloud, those seeking to exploit that data will seek the weakest point of entry. Your cell phone can talk to a cloud service so think about it. One exploit ran an application on the attacked phone that could retrieve data. The SMS came back with the attack phone’s IMSI number; the phone’s unique ID. However the application could just as easily have stolen a contact list, either personal or corporate. It is also possible in this scenario to push viruses to the device or even initiate a denial of service attack. The app could easily uncheck SSL, leaving the device vulnerable with no encryption when you login at your local coffee shop. These kinds of hacks are unique to smartphones because PCs don’t have SMS capabilities. gAto advised all smartphones that are under an organization’s control be tightly monitored, patched and updated regularly to avoid users taking matters in their own hands… – gAto oUt

IEEE Experts Predict Smartphone Hacking Will Soar in 2012




Detectives Hunting Dead Girl -Rupert Murdoch Hacked the Phones

gAtO pIsSi – Rupert Murdoch and son James get away with not just hacking a dead girl’s cell phone, but it appears that they also hacked the phones of the police investigators on the case. This all happened in 2002. Chief Constable Mark Rowley reported this, and when passed to Scotland Yard about the phone hacking investigation in 2006 this part of the report was missing.

gAtO sAiD– funny ha ha how Rupert Murdoch can get Scotland Yard in your pocket and the local police in London.

So Rupert, Jimmy and let’s not forget Tom Mockridge as another scumbag at News International. These are the hackers that make me sick. Here was power and influence totally disregarding any decorum of a news organization. They went out and hired crackers, the web 3.0 type, and then these people had great meetings about all this information. They could have deleted messages and dummied some up. The personal violation that these people committed in cyberspace, and then they talk about hackers.

The Murdoch cyber crewz were the best. No problem if this is illegal, we got a get out of jail card with the police and Scotland Yard; this was a hacker’s dream. gAtO aDmIt – he would like to hack without strings one time sI-nO but unless I find a rich and powerful well connected type like the Koch brothers. gAtO sent in a rEsUmE, it was a zenmap report of their site –gAtOmAlO sOmEtImE

Detectives hunting Milly Dowler’s killer had phones hacked, Leveson Inquiry hears

Police officers investigating the disappearance of the schoolgirl Milly Dowler had their mobile phones hacked during the inquiry, Surrey Police has revealed.

A lawyer for the force told the Leveson inquiry that “a number of Surrey Police officers themselves were victims” of phone hacking shortly after the investigation began in March 2002.

Previously it was known that journalists at the News of the World had hacked the mobile telephone of the missing 13-year-old.

But this is the first time that it has been confirmed that detectives working on the case were also victims of phone hacking.

John Beggs QC, counsel for Surrey Police, told Lord Justice Leveson: “My instructions are that it is very likely that a number of Surrey Police officers themselves, at the time of launching the Milly Dowler investigation in March nine years ago, were themselves victims of hacking.”

Earlier this month Surrey Police admitted that they learned that Milly Dowler’s phone was hacked by the Sunday tabloid in 2002 but did not act.


Mr Beggs did not reveal whether the force also learned that their own officers had been hacked or whether this has since come to light during Operation Weeting, the Metropolitan Police’s investigation into phone hacking.

He was speaking as the Surrey Force made an application to become a core participant in the Leveson inquiry, which will look at the culture and ethics of the press.

Mr Beggs argued that the force should be allowed “core participant” status in light of the criticism the force has faced following their admission that they knew about Milly Dowler’s phone being hacked.

The force made the admission in a letter to the Home Affairs Select Committee.

The force’s then Chief Constable Mark Rowley said that officers became aware in April 2002 that someone from the News of the World had accessed the missing girl’s voicemail after someone on behalf of the Sunday newspaper phoned the police operation room.

However Mr Rowley said that a formal investigation was not launched. He said: “At that time the focus and priority of the investigation was to find Milly who had then been missing for over three weeks.”

Mr Rowley’s letter said that an inquiry is looking into why no formal investigation was launched. He also revealed that the information that the News of the World had accessed Milly Dowler’s voicemail in 2002 was not passed to the original Scotland Yard phone hacking investigation in 2006. The reason for that is also being investigated.



2012 Security Predictions -Smartphone Danger for Corporate World.

gAtO hEaR- Agiliance and Cisco both predict that smartphones (cell phones) will be the big news for 2012 as related to cyber security hacks and attacks. Mobile devices are the biggest seller as to terminal devices that people use to communicate via cyberspace. Look at the power it gave the “Arab Spring” and others. The problem is that smartphones have a lot of problems as to personal and company owned, that companies need to address. Delineation of employer-owned versus employee-owned data for the workplace will become a major step that companies do not yet understand. Who owns the data on my personal smartphone if I use it to conduct business? Who makes sure that if I lose my cell phone all company data is encrypted and meets regulatory standards?


Cell phones have no embedded strong authentication or secure mobile operating systems. Does my company do vulnerability scanning on my phone to find the newest viruses, or is it up to the individual to make sure virus scanning is up to date? On top of all these problems are social networks that are being accessed via these mobile devices. In a social network, confidential information about work and/or a project can give the competition an edge. With all the new phone apps, is it the employee’s job to monitor that the new “angry bird” may have access to call others and send them geo-location, or how about it sending out all the business contacts you have in your address book that you sync with the office calendar and corporate email?

Mobile devices will make a big change as companies figure out their employees’ phones have company IP (intellectual property), BI (business intelligence) and KM (knowledge management), and the aspect of who owns the phone and who owns the data will become a big deal for HR departments worldwide. Smartphones need better security since they are used in business transactions every day.

Strong authentication for mobile devices is non-existent. How about the ability to scan employees’ phones for viruses and trojans that can infect your company’s data center? Remember the employee normally owns the phone, so the legality of using personal mobile devices and the security of the company data may need regulatory actions to mitigate compliance. So companies need to know who uses personal mobile devices at work.

If the mobile device is personal your company may not be able to stop employees from using it on social media. Social media on these devices can allow confidential company information to be tweeted anywhere, even to the competition. Cyber criminals are cruising social networks for your company information for targeted phishing attacks, and mobile devices are very unsecured.

USCyberLabs.co will handle the other Big 2021 Security issues in future post.

gAtO oUt-



Cyber Global Self Interested Corporations and Governments

Global cooperation, self interested corporations and governments are the reason for the real cyber-espionage crimes that steal technology, information and financial data. It was The SUN who hacked dead people’s phones and made tons of money $$$. The SUN even had top UK Police and Interpol officials corrupted. You want the legal crooks guarding the outcome of the bad crooks. It’s a conflict of interest for the legal good guys.

If you’re going after hacktivists that deface websites and cause cyber mayhem, look at their release of email and passwords and other data. Do you know how much money they could have made $$$ ( follow the money )? But the fact is they didn’t ( ZERO-nada- $$$ ). The analysis of the cyber attack data shows us “hey your security is weak – fix it or else…” it also means “…people like The SUN (the real legal international corporation hackers (made BIG $$$ )” –may hack you; ask Hugh Grant the actor ( News Corp empire of media mogul Rupert Murdoch-phone-hacking scandal in the UK hacked Mr. Hugh Grant’s phone )

CyberSpace belongs to all of US -not the powerful and influential. Hacker Motto:-be hidden, be silent, listen and don’t get DOX.




London Riot’s Cyberspace and Secure-Encrypted Blackberry Technology

This is where we Net-Citizens need concern. Cyberspace must be kept a free speech area for everyone. Just like in the Arab Spring, people with access to cyberspace are communicating. I don’t agree with the riots, looting and burning, but we need to get the injustice of the shooting out. The sins of the few taint the truth of the shooting and the real victims.

[2] Following a peaceful march on 6 August 2011 in relation to the police response to the fatal shooting of Mark Duggan by Metropolitan Police Service firearms officers on 4 August 2011, a riot began in Tottenham, North London. In the following days, rioting spread to several London boroughs and districts and eventually to some other areas of England, with the most severe disturbances outside London occurring in Bristol and cities in the Midlands and North West of England. Related localised outbreaks also occurred in many smaller towns and cities in England.

As a security researcher I look at the social and the political ramifications of cyberspace and see every time people are using technology, the government starts to scream their bloody heads off. Calling the users of the technology hackers and thugs when it’s a fact that “The News Corp” (the real cyber criminals) The Sun just posted better than expected revenue because they are legal, but with the help of the police, they hacked dead people’s phones and made millions selling papers from the hacks. — That’s the sad news about technology.

“[1] According to Godwin, as riots broke out in 22 of London’s 32 boroughs last Monday and threatened to overwhelm police officers, he made the decision to begin eavesdropping and acting on encrypted BlackBerry Messenger (BBM) communications. Godwin said that by using BlackBerry smartphones seized by police, detectives were able to “break into” BBM and gain “live time monitoring,” according to the Guardian. As a result, police officers were able to secure locations before rioting broke out, as well as proactively shut down stores and businesses in areas that faced looting. Police were also monitoring Twitter and Facebook, and Godwin’s testimony suggested that police may have used confiscated BlackBerry smartphones to gain access to private Twitter feeds.” 

Update London http://www.bbc.co.uk/news/technology-14442203    Date – 8/8/2011

A number of politicians, media commentators and members of the police force have suggested that Twitter and BlackBerry Messenger, in particular, had a role to play.

Undoubtedly, some of those involved chose to chronicle their exploits live – from the midst of the action – using mobile phones.

Is technology to blame for the London riots? by. Iain Mackenzie -BBC

A few were apparently even foolish enough to upload pictures of themselves posing proudly with their looted haul.

Others offered suggestions for where might be good to attack next, leading the Met’s deputy assistant commissioner, Steve Kavanagh to say he would consider arresting Twitter users who appeared to incite violence.

But some experts fear the extent to which technology is to blame may have been overstated.

Misquoted

In its coverage, the Daily Mail quoted one tweeter, AshleysAR as follows: “Ashley AR’ tweeted: ‘I hear Tottenham’s going coco-bananas right now. Watch me roll.” However, AshleysAR’s full, unedited quote on Twitter reads: “I hear Tottenham’s going coco-bananas right now. Watch me roll up with a spud gun :|”.

Suddenly the tone of the message becomes markedly less sinister. Ashley later threatens to join in with a water pistol.

Despite the claim of Tottenham MP David Lammy that the riots were “organised on Twitter”, there is little evidence of their orchestration on the site’s public feeds.

Looking back through Saturday night’s postings, DanielNothing’s stream offers some promise of substantiating the theory with his comment: “Heading to Tottenham to join the riot! who’s with me? #ANARCHY”.

But it is followed soon after by: “Hang on, that last tweet should’ve read ‘Curling up on the sofa with an Avengers DVD and my missus, who’s with me?’ What a klutz I am!”

BlackBerry’s BBM requires users authenticate their contacts with a PIN

Buildings burn in Tottenham High Road in London Aug. 6, 2011

Another user – Official Grinz – appears to have been the first person to tweet the words “Westfield riot”, referring to the west London shopping centre. Although his message seems to be tongue in cheek and there is nothing to suggest that he was more than observer, commenting on events as they unfolded on television.

The subject of a Westfield riot became widely discussed, but ultimately failed to materialise in the real world.

So why is the ratio of apparent incitement to action so low?

Freddie Benjamin, a research manager at Mobile Youth, believes that much of the online noise is just that.

“Once someone starts posting on a BBM group or Twitter, a lot of young people try to follow the trend,” he told BBC News.

“They might not join the actual event, but they might talk about it or use the same hashtag which makes it sound like there is a lot more volume.”

Such postings build what Mr Benjamin refers to as “social currency”, elevating the messenger’s sense of belonging to a group.

Private business

Aaron Biber, 89, assesses the damage to his barber shop, Tottenham High Road, Aug. 7, 2011

Away from Twitter’s very visible feeds, there are perhaps more credible reports that rioters were using private communication systems to encourage others to join the disorder.

Following Saturday’s trouble in Tottenham, a number of BlackBerry users reported receiving instant messages that suggested future riot locations.

BlackBerry’s BBM system is known to be the preferred means of communication among many younger people.

Users are invited to join each other’s contacts list using a unique PIN, although once they have done so, messages can be distributed to large groups.

BBM is both private and secure, partly due to the phones’ roots as business communication devices.

For that reason it is hard to evaluate how much information was coming out of the riots or how many people were suggesting alternative targets.

But despite the closed nature of BlackBerry Messenger, police may still have a chance to examine some of the communications that took place.

Research in Motion, which makes Blackberry phones, issued a statement in which it promised to work with the authorities.

It pointed out that, like other telecoms companies, it complies with the Regulation of Investigatory Powers Act (RIPA) which allows law enforcement to gain access to private messages when they relate to the commission of a crime.

Recruiting tool

What will concern investigators most is the extent to which recipients acted on any messages sent out.

Dr Chris Greer, a senior lecturer in sociology and criminology at London’s City University believes that smartphones will have aided those involved, but are unlikely to have persuaded reluctant recruits to join the rioting.

“I don’t think it is having any impact on the motivation to protest in the first place,” he said.

“But once people have mobilised themselves and decided to take to the streets it is certainly much easier to communicate with each other.”

Dr Greer pointed to the example of the 2009 G20 riots in London.

A report into the police handling of the protests, produced by Her Majesty’s Inspector of Constabulary (HMRC) found that technology had aided the rioters more than the police, he explained.

“Their methods of communicating with each other or pointing out where the police were at any given time and therefore where the protesters shouldn’t be, and basically organising themselves was so much more sophisticated than the police.”

It may turn out, after a more careful examination of the various messages being pinged around, that this was indeed a social networking crime spree.

The Met has indicated it is ready to act on any information it finds.

But that will take time and a more methodical study.

The extent to which investigators are able to sift out genuine rioters from the internet ‘echo chamber’ and then bring real world prosecutions will provide valuable lessons, both about the use and abuse of technology, and also law enforcement’s capacity to deal with it.


[2] http://en.wikipedia.org/wiki/2011_England_riots




All Hackers are EVIL


Congressman Anthony Weiner told the world that HACKERS hacked his account and sent photos of his wiener to females. And we believed him. The SUN hacked dead people’s phones to make millions selling papers and we bought the papers. Now everyone blames hackers or uses hacking to get the influence and power they want and need. Their sick mentality allows them to use hackers as a “way and means” to justify what is real and unreal and what we believe.

We nod our heads and say “Yeah the Evil hackers did it” or we pick up The SUN and say they are great journalists, he is a great politician, but they are the evil ones; they lied to our face.

Remember Susan Smith, through crocodile tears, told us a black man stole her van and drowned her kids – we believed her too for a while. If we make the bogeyman scary enough we believe anything about them without clear critical thinking. Lately in the news China has been hacking everything in sight. But are they? Is it really China, or are we using the bogeyman scare tactics to make us believe it? Now we hear that hacktivists are going to shut down the electric grid. June 30, 2011, Lockheed Promises Electric-Grid Security: the company that just got hacked because of bad security is going to secure our power grid, you got to be kidding me. Am I the only one who thinks this is a sick joke?

The Department of Homeland Security told the world that China’s SCADA (supervisory control and data acquisition) has vulnerabilities, so now every hacker knows. America does its share of hacking and this was a political move saying to the Chinese if you mess with us we will take you down.

Hackers are not all evil; it depends on what evil we are talking about. In the Arab Spring, Arab governments wanted to stop the Internet; they were saying Americans were evil hackers because we used different ways for the people to communicate and inform the world about the atrocities that were happening. So this “evil hacker” stuff has to stop. Let’s be a little more intelligent about this and yes, stop hackers from doing evil things, but let’s keep our “Cyber Freedom”. Cyberspace has had a great impact in the world and we are becoming better people because of it. Let’s not be so quick to jump the gun and call them all evil hackers. Beauty is in the eyes of the beholder but the truth is always the truth.