Insecurity in Finnish parlament (computers)

[Markus Jansson <markus.jansson () hushmail com>]

Short version:
-------------

http://www.markusjansson.net/erecent.html#comments
"The laptop computers used by members of parlament and their assistants 
in here Finland have severe security holes. These laptop computers dont 
have firewalls, file encryption and wiping tools, automatic update is 
not turned on, operating system (WindowsXP) is on its default settings 
for most, computers only support 802.11b WLAN which is insecure, etc. 
etc. As a bonus, they use TeliaSonera GSM:s which are totally insecure 
because they use COMP-128-1 and A5/1 for security. I contacted them 
months ago but they havent bothered to answer me, nor to reporters I 
have contacted later. Oh dear..."



Long version:
-------------

1. The computers do not have firewall, not even ICF enabled. Users 
cannot even enable it themselfes, since they dont have administrative 
permissions on the computers. Any remote-exploit vulnerability or bad 
passphrase and BUM! The computers is hacked.

2. The computers are mainly on default settings. They are WindowsXP. Do 
I really need to say more about this issue and what happens from it?

3. The computers have support for Bluetooth and it is enabled by 
default. This leaves many attack vectors inplace that are pretty 
numerous for me to tell you. Also, they have firewire enabled, which 
means that as in iPod:s case, anyone with such device can walk to one of 
these laptops and download everything inside it. Ouch.

4. Laptops have WLAN, but it only supports the totally insecure 802.11b 
standard.

5. Computers do not have any kind of encryption programs. All files and 
folders are unencrypted. Even the EFS is turned off. There is no way to 
secure personal or sensitive documents in the computer.

6. There are no wiping tools in the computers to wipe off sensitive or 
personal files from them.

7. Computers do not have "Clear pagefile on shutdown" enabled, meaning 
that sensitive data can be recovered from unwashed swapfile later on.

8. Users do not have administrator permissions on computer so they could 
install neccessary security programs to them. Ofcourse, there is the 
plus side that this *should* limit the damage to the systems 
to...well..the user (= the member of parlament or their assistants). Ouch.

9. There are VPN connections in the computers, but it is unclear are 
they protected against man-in-the-middle-attacks or not. My educated 
guess is that they arent, meaning again...

10. Its unclear are the computers set on "automatic updates" or not. My 
educated guess is that they arent, meaning again (especially if you look 
at the point 1 again)...ouch.

11. Default browser is Internet Explorer, with default settings 
ofcourse. Now, I dont have to tell you how serious security risk this 
is, especially if you concider point 10...

12. MEP:s etc. use TeliaSonera GSM:s. The security that TeliaSonera uses 
is COMP-128-1 and A5/1, which are all totally insecure and can easily be 
broken with a laptop computer etc. meaning that their conversations can 
easily be eavesdropped. They should use COMP-128-3 and A5/3 to make it 
secure...

13. At TeliaSonera GSM networks, there is no protection against 
"false-basestation" techique, which easy bypass of crypto by simply 
turning it off from the "basestation". For example, Elisa uses 
COMP-128-3 and A5/3 and does not allow phones to turn off crypto even 
basestation orders them to do so.

I have contacted about this issue months ago to security personel in our 
parlament. They havent even bothered to answer me, not to mention that 
they would have fixed the computers security problems. So, here is it, 
maybe they'll listen now.



--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html