cybergibbons Posted November 8, 2015 Posted November 8, 2015 On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible. http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/ If you would like to know if your company was one of the listed ones, I can check for you. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/
datadiffusion Posted November 8, 2015 Posted November 8, 2015 I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible) Have a look for 'Casa Security'... Quote So, I've decided to take my work back underground.... to stop it falling into the wrong hands
cybergibbons Posted November 8, 2015 Author Posted November 8, 2015 I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible) Have a look for 'Casa Security'... Number 25, Bristol area? Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/
MrHappy Posted November 8, 2015 Posted November 8, 2015 Should you wish to register... IIRC it asks you if your co is already registered, I clicked yes & select postcode of a local co. & it shows you who at that co, is already signed up Quote Mr Veritas God
cybergibbons Posted November 8, 2015 Author Posted November 8, 2015 Should you wish to register... IIRC it asks you if your co is already registered, I clicked yes & select postcode of a local co. & it shows you who at that co, is already signed up Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent. There's only a few options here: 1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it. 2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible. 3. They have been pentested and ignored all of the findings. Who knows? FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/
PeterJames Posted November 8, 2015 Posted November 8, 2015 How about Alarming Company or Wakefield Security? Quote
james.wilson Posted November 8, 2015 Posted November 8, 2015 CG what is pentested? and whats the report on? Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount.
petrolhead Posted November 8, 2015 Posted November 8, 2015 (edited) He taps it with his pen to see what happens. It uses science and lasers and stuff. Edited November 8, 2015 by petrolhead Quote
cybergibbons Posted November 8, 2015 Author Posted November 8, 2015 How about Alarming Company or Wakefield Security? Fareham and Worthing? Both there. CG what is pentested? and whats the report on? Pentested means penentration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested. The report is about the encryption and general security of the CSL CS2300 signalling units. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/
datadiffusion Posted November 8, 2015 Posted November 8, 2015 Number 25, Bristol area? Marvellus innit? Quote So, I've decided to take my work back underground.... to stop it falling into the wrong hands
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.