
Re: [ProgSoc] triv question



On 25/11/2004, at 01:14, Christian Kent wrote:
On Wed, 24 Nov 2004, jedd wrote:

 Imagine, for a moment, that you ran a mobile phone network.

 And you started to notice lots of WAP traffic being sent that had a
 destination address of 1.1.1.1.

 Imagine you first saw this stuff coming only from Symbian devices.

 But then it started appearing on other kit (eg. Nokia's).

What kinds of things would you guess might be going on?

You mean besides, you're in a job interview and this is a test question?


That destination's only going to be useful to the owners, or a subversive
underling. Unless the other devices can packet sniff -- and the packets
even come by their way in the first place? Which I doubt. So the first
place I'd be looking is a staff member who is performing some testing --
maybe first on Symbian devices, then on some other ones.


Anyhoo you're going to want a careful look at your phone network's IP
layer routing configuration, to see where 1.1.1.1 really leads to; also
try and find if the payload means anything, whether it has enough bulk to
be carrying code, whether it's always unique; and try and track down one
of these senders in the wild.


I suppose blocking the address in question wouldn't actually be relevant
since it's reserved; I'm not sure what sort of reaction I'd expect to
look for if I blocked it anyway.


CK.



http://www.f-secure.com/v-descs/skulls.shtml

? The only thing that I've noticed recently was this. Could it be a variant that's more advanced & doesn't require user interaction for installation, and that actually contains a malicious payload (which the one described above doesn't)?

Just the timing made me think it was funny is all.

And isn't 1.1.1.1 a common default IP address used by a lot of phone peripherals and devices (or like 127.0.0.1 but for phones)?

Enough speculation from me.

-Andi.



