Dec 24 2011

Twitter has just announced it will open up the technology from Whisper Systems, which it has just acquired. This is good news for Android users, and for Google. The technology allows text messages to be encrypted and also provides full disk encryption; the latter will only be made available, well, later!

This has the potential to bring security enhancements to the Android masses.

The source code is now available here: GitHub

Dec 15 2011

I have just attended the SANS 660 course in London. It is one of the most advanced courses SANS has to offer and it did not disappoint!

Its bootcamp format means you will start your day at 9am and finish it at 7pm! The last two hours are called the “bootcamp”: basically 2 hours of exercises linked to the content of the day, which really help in understanding the different techniques that were discussed.

Speaking of content, although they state that previous programming experience is “recommended”, it is not recommended, it is mandatory!

And for the last 2 days you really need some understanding of x86 assembly to stand a chance of following the fast pace. I have to admit that on the last day I was lost after lunch!

But what do you get if you buckle up and go on the ride? You get an incredible amount of information, as it goes into a great level of detail on how to identify and write your own exploits. But it also gives you a better appreciation of what to look for when reviewing the security of a network, an application, a website or a system. This is not just a “hacking” course, and the “ethical” at the end of the full course name is there for a reason.

The lecturer, Stephen Sims, is quite inspiring. Of all the lecturers I have met in the different courses I have taken these last 15 years, he is probably the one who knew his subject best! It is also great that he is always willing to help his students understand what they are doing wrong during exercises. And it is apparently not just computer hacking that he is good at, being a core member of a signed music band going by the name of a modern hard-disk.

The highlights of the course for me were:

  • The different techniques to attack a network with the consequences of badly, or shall I say commonly, configured routers;
  • Ways to get out of a locked down desktop;
  • What to do with a buffer overflow, how to locate/change/utilise those different address pointers and defeat canaries and use gadgets.

Although at the end it will feel like you need a larger brain and many more weeks to assimilate this new information, you will also get a sense that you have only barely touched the surface of all those techniques…

Then of course, after each of those hard days of work you can relax at the pub next door… and if you haven’t had enough, this is where you can take part in a hacking challenge, the Hex Factor challenge. It is basically a “capture the flag” contest where you set up a team, or go at it solo, and are faced with a number of different challenges:

  • 2 quizzes
  • 3 hacking challenges (e.g. breaking into a network, a server, etc.)
  • 3 reverse engineering challenges (e.g. bypassing a password in an executable)
  • 3 forensic challenges (e.g. recovering data hidden somewhere)

This is really a great environment, not only to meet like-minded people (although some may say that is a bad thing! ;), but also to actually practise your newly acquired skills. It is also good that each of those challenges has different levels, allowing anyone to participate, from the manager to the engineer! This event takes place at a number of conferences and is organised by volunteers. So I’d like to congratulate everyone who was involved in making it such an entertaining event!

Finally, this year there was the Netwars challenge. It has a similar format to the Hex Factor one and ran for 2 days (after the Hex Factor was finished). It is an individual hacking contest with increasingly difficult challenges. The fact that you see the top 10 scores live on a big screen, the buzz of having a large room full of people hacking away, and the organisers making sure everything is going smoothly and that everyone feels comfortable really made those 2 nights special.

To conclude I will say that, again, SANS did not disappoint. It was a top-quality course, part of a great conference with huge opportunities to network and practise your skills. So I can happily recommend the 660 class to anyone, and also, if you really want to make the most of it, you have to stay in a nearby hotel, be ready not to sleep too much and embrace the geekiness around you :)

SANS, Stephen, Thank you very much!

Dec 02 2011

It all started with some findings published by Trevor Eckhart on his website a few weeks ago.

He found that a California-based company called Carrier IQ (CIQ) had developed software that acts as a *key logger* and is installed by default on many different mobile devices: Android, Blackberry, Nokia phones, iPhones (iOS 3.x to 5.x), and also tablets.

The important point here is that this software is intentionally installed/provided by the device manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 million devices). It is not limited to only one type of device or provider. What they collect might differ (apparently much less on iOS than on Android), but it shows a systemic desire from the companies who make and sell those devices to gather usage and user information.

This is what I would call, the Facebook syndrome!

The official stance from CIQ was that their software is only used for improving the “network experience” by providing some information back to carriers and phone manufacturers, such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.

This is not what you would say of software that logs all the keys pressed on your device…

Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar) but this can be modified by 3rd parties. And it is being modified!

One example given by Trevor is Verizon in the US: although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries, and the location of the device. This could be considered a significant invasion of personal privacy.

So how did CIQ react to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!

They claimed Trevor was in copyright infringement (because of some of their publicly available training material having been referenced) and making false allegations.

As reported on The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarise the case on their website, and also to a new post showing exactly what Trevor meant by calling the CIQ software a “root kit” (I called it a “key logger” earlier, but root kit is more accurate and also has wider security implications).

Trevor’s second CIQ article goes into detail as to why the CIQ software is indeed a root-kit, with a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and how, at least on an HTC phone, the data is not really anonymised.

Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS versions from iOS 3 to the latest iOS 5. However, it seems that the information logged on Apple devices is much less than what is logged on Android: no URL nor SMS, and the location is only sent if you have allowed it to be; furthermore, that information is not transmitted by default but only if the user manually chooses to send diagnostic information to Apple.

All this has generated an increasing level of noise and attention:

As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…

A few years ago I went on holiday and decided to take an international data plan. I had an iPhone 3G at the time, and I did monitor my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed and pre-paid consumption.

I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After complaining to my provider they eventually claimed that the built-in iOS bandwidth statistics only showed average figures and were not accurate. I also read in some forum at the time that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue it further, agreed to pay the extra fee and promised myself never to use data roaming again.

Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, it is also hidden from view.
After all, if the provider goes to such lengths to hide the data they collect from you, they probably don’t want you to see that sealed fat envelope leaving your phone!

If that’s the case, how legal is this?! Not only is spying on/gathering user information questionable, but doing so could be at the expense of the user! Couldn’t it be considered a hidden cost of their service? Could it explain the unexplainable extra fee I had to pay?

So I have three final comments to make:

  1. Mobile device companies are like any others: they want users’ personal information, but unlike others, they have full control of the device you discuss your life on.
  2. Opting in to usage statistics should be just that, an optional choice! And it should be made clear that it could result in extra cost, especially when roaming!
  3. If CIQ data consumption is also hidden from mobile OS statistics then this is an extra hidden cost to the user.

Now, where have I kept my 10-year-old beloved Nokia 8210?

UPDATE, 12th of December 2011: CarrierIQ has responded to the issues discovered by Trevor through a 19-page document. Not sure I find it very convincing.

Dec 01 2011

If you ever wanted to work for a UK secret intelligence organisation, GCHQ, they are running a contest until the 11th of December, where you need to decipher some code to get a password. Once submitted, that password will redirect you to their recruitment website.

The password is probably “ifyoudon’twanttoworkforuswewillfindyou”…

If you fancy your chances, here is the site: http://www.canyoucrackit.co.uk/

Dec 01 2011

There is a good article on TECHNET on Next Generation Firewalls (NGF) and the fact that most, if not all, companies accept port 80 in/out, meaning traditional firewalls are less and less effective against malware using this port as a means to call home or get in.

The article nicely summarises the need to look not only at IP/port/protocol but also at the type of payload going through.

Although not a new technology, the evolution of malware is a growing issue which makes that technology more and more relevant.
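To make the article’s point concrete, here is an added example (my own, not from the TECHNET article) of the difference between a port-only rule and a payload-aware one: the same port-80 flows are judged twice, once on the destination port alone and once after looking at the first client bytes. The flows, the HTTP/TLS fingerprints and the verdict names are all constructed for the demo.

```python
# Added example: payload-aware check for port-80 traffic.
# A port/IP-only rule allows every flow below; inspecting the leading
# client bytes separates real HTTP from something merely wearing port 80.
import re
from dataclasses import dataclass

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"PATCH"}
# An HTTP/1.x request line: METHOD SP target SP HTTP/1.[01] CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the connection


def classify_payload(payload: bytes) -> str:
    """Return 'http', 'tls' or 'unknown' from the leading bytes only."""
    m = REQUEST_LINE.match(payload)
    if m and m.group(1) in HTTP_METHODS:
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def inspect_flow(flow: Flow) -> dict:
    """Port-only verdict beside the payload-aware one for the same flow."""
    port_only = "allow" if flow.dport == 80 else "deny"
    kind = classify_payload(flow.payload)
    # Port 80 is expected to carry HTTP; anything else deserves a look.
    payload_aware = "alert" if flow.dport == 80 and kind != "http" else port_only
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "payload_type": kind, "port_only": port_only,
            "payload_aware": payload_aware}


# Constructed sample flows: a genuine HTTP request, a raw binary
# beacon-style blob, and a TLS ClientHello prefix, all to port 80.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 80, b"\x00\x01\x02\x03ID=7f3a\x00"),
    Flow("10.0.0.9", "203.0.113.30", 80, b"\x16\x03\x01\x00\xa5\x01\x00"),
]


def alerts(flows=SAMPLE_FLOWS) -> list:
    """Flows a port-only firewall passes but payload inspection flags."""
    return [r for r in map(inspect_flow, flows) if r["payload_aware"] == "alert"]


if __name__ == "__main__":
    for result in map(inspect_flow, SAMPLE_FLOWS):
        print(result)
```

Two of the three flows are allowed by the port-only rule yet flagged by the payload check, which is exactly the gap the article describes.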

Oct 27 2011

Two vulnerabilities in iOS 5 have recently been discovered: one affects the iPad 2 and the other the new iPhone 4S. In both cases it allows anyone to bypass the lock/passcode and gain unauthorised access to the device.

1) iPad 2 + iOS 5 + Smart Cover = Anyone can unlock your iPad
This only affects the iPad 2 with iOS 5 and the Smart Cover set to automatically lock the device.
With a locked iPad 2, keep pressing the power button until you see the screen telling you to swipe to turn off, close the Smart Cover, reopen it and push the CANCEL button.
This will give you access to the last application that was used. It means that if you were on the application listing screen you will be able to see all the applications installed on the iPad, but you will not be able to open any other application. This is because you are in the “Finder”/“Explorer” application.
But it also means that if, before you closed your Smart Cover to lock your device, you were in the mail application, using this technique would give you full access to the mail app and your emails.

To fix the issue you need to disable the Smart Cover auto-lock feature, until Apple fixes this bug.

2) iPhone 4S + SIRI
With SIRI enabled, even if you have locked your phone with a passcode, you can hold the HOME button and SIRI will be activated allowing you to speak commands such as call someone, send a text or an email, etc.
Although you cannot open applications this way, you can still perform unauthorised actions as mentioned above.

To fix this issue you need to disable SIRI, until Apple fixes this bug.

What is somewhat surprising is that it is taking Apple so long to fix these issues; they have been known for more than a week…

Oct 14 2011

I used to have one password. It was the password to my Unix student account and it was in the mid nineties!

Since then, I must have accumulated dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula; I do emphasise “clever”, because if your formula is to generate the same password with a simple variant at the end of it, a hacker who has access to more than one of your passwords could work out what that formula is quite easily.

Another issue is the username. Most security warnings relate to users having the same password; although that is indeed true, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent attack against Sony shows that credentials stolen from other companies/websites can be re-used to mount generic brute force attacks. This is echoed in another recent article about the increasing danger of consoles and their online credentials, which can sometimes be the same as those used for corporate access, especially with Windows Live ID. I would again argue that it isn’t just an issue with consoles, as many people, when registering on new websites, re-use the username they use the most: their work or home username.

There is, however, the need for a trade-off between the highest level of security, a random username and password for each of your logins, and something you can use without having to think about or look up every 5 minutes.

I would start with a different password for every login… and change them from time to time.
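As an added example (mine, not from the post), here is a small audit you can run over your own credential list to catch the two problems described above: the same username used on many sites, and passwords that are either identical or follow a “same stem plus a small variant” formula. The records, the stem and variant thresholds, and the classification names are constructed for the demo.

```python
# Added example: audit your own (site, username, password) records for
# username reuse and for passwords that differ only by a short variant.
from collections import defaultdict
from itertools import combinations


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters a and b share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def are_variants(a: str, b: str, min_stem: int = 6, max_delta: int = 3) -> bool:
    """True if a and b are identical, or share a stem (common prefix plus
    common suffix) of at least min_stem characters and differ by at most
    max_delta characters. Thresholds are assumptions chosen for the demo."""
    if a == b:
        return True
    p = common_prefix_len(a, b)
    # Suffix is measured on what remains after the prefix so it cannot overlap.
    s = common_prefix_len(a[p:][::-1], b[p:][::-1])
    stem = p + s
    changed = max(len(a), len(b)) - stem
    return stem >= min_stem and changed <= max_delta


def audit(records) -> dict:
    """records: iterable of (site, username, password) tuples."""
    sites_by_user = defaultdict(list)
    for site, user, _ in records:
        sites_by_user[user.lower()].append(site)
    shared_usernames = {u: s for u, s in sites_by_user.items() if len(s) > 1}
    related_passwords = []
    for (s1, _, p1), (s2, _, p2) in combinations(records, 2):
        if are_variants(p1, p2):
            kind = "identical" if p1 == p2 else "variant"
            related_passwords.append((s1, s2, kind))
    return {"shared_usernames": shared_usernames,
            "related_passwords": related_passwords}


# Constructed sample records: one username on four sites, one password
# reused outright, two "formula" variants, and one unrelated login.
SAMPLE_RECORDS = [
    ("work-vpn", "jdoe", "Tr0ub4dor&3"),
    ("webmail", "jdoe", "Tr0ub4dor&3"),
    ("shop", "jdoe", "Tr0ub4dor&4"),
    ("console", "JDoe", "Tr0ub4dor&3!"),
    ("bank", "x9q2-tapir", "correct horse battery staple"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_RECORDS)
    for user, sites in report["shared_usernames"].items():
        print(f"username {user!r} reused on: {', '.join(sites)}")
    for s1, s2, kind in report["related_passwords"]:
        print(f"{s1} / {s2}: {kind} password")
```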

Oct 13 2011

The Inquirer recently ran a story about a group targeting Facebook and its use of your personal information. This group, called “Europe Vs Facebook”, claims that Facebook not only stores information about you even after you have deleted it, in other words it never really gets deleted, but that it also creates ghost profiles of users who opted not to be on Facebook in the first place.

I find this very interesting because technically it is quite possible… Even if someone is not on Facebook their photo can be uploaded and their name tagged to it. It would require much more intelligence though to be able to correlate some information about that person discussed in Facebook mails/messages but it is in theory possible.

Although many people have warned in the past about Facebook’s big brother attitude, its deletion policy emphasises the fact that they were right!

The Europe Vs Facebook website explains how to request from Facebook all the data they have on you.

The best advice regarding Facebook is to consider all the information in it as public, even if you are restricting your information to a selected few friends. Once you have told a story or shared a photo online, you do not control it any more.

Now the question really is, what about other social media sites? Twitter and co?

Aug 23 2011

This is a bit of an unusual post for this site because it is not directly related to IT Security, but I have recently watched a video of a lecture by Rearden CEO Steve Perlman that I found truly inspiring!

Steve Perlman is the Steve Jobs of Engineering.

He has participated in/invented/funded many different cutting-edge technologies and gave an overview of 3 of them in his lecture. What strikes me is how all those technologies are linked together, even if it isn’t necessarily obvious. It would be tempting to say it is all driven by his apparent interest in gaming, but that would be too simplistic: it is driven by a desire to invent new technologies and not being afraid of rewriting the rules!

1. The first technology he spoke about is MOVA, which apparently rewrote the rules on how computer generated 3D characters were done (and more if you look at his last example about Batman). It is impressive to see the list of films that are now using that technology, from “The curious case of Benjamin Button” to the latest “Pirates of the Caribbean”. I actually thought they were using real actors and a mask for Benjamin Button…
It was also interesting to see that studies show the human brain doesn’t like “almost perfect” images of humans. In fact, we prefer a cartoon face over a very good but still not quite real 3D face. Something I believe we all sensed when watching some animated movies a few years ago which, although technically impressive, were just not quite right.

2. Then he spoke about ONLIVE, a technology which is primarily aimed at streaming HD and power-hungry gaming experiences to terminals such as TVs, tablets, phones, etc…
Basically this is gaming in the cloud, but really, it is so much more!
I liked his analogy that today’s cloud solutions are more hybrids than complete solutions. You have a range of applications that are hosted in different “clouds” and some online storage stored in some other “clouds”, etc.

What they have designed is a hugely powerful backend that “just” streams video/audio to a terminal.
But for this to be usable they invented a new video compression technology which is very performant. Apparently the requirements are 3 to 5 Mb/s (soon to be 2 Mb/s) for HD video and 0.5 to 2 Mb/s for phone/tablet quality, which can be obtained on 3G!
You also need to be within 1,000 miles of one of their datacenters: 3 in the USA and only 1 in Europe (Autumn 2011).

Not only is their gaming offering already impressive, and has been running for a year in the USA, but he also demonstrated the use of MAYA directly from an iPad.
So you could always question how useful it can be to use such a complex application on such a small device, which does not necessarily have the right human interface to interact efficiently… but that technology also works on Mac or PC, and not everyone has a computer fast enough to handle such applications.

The great thing about their technology is that you do not need to upgrade your device to catch up with the latest CPU or GPU requirements of future applications.

It would be interesting to find out more about how they handle file sharing among applications and what security they can offer to protect your hosted data.

3. Finally, he presented a new wireless technology which sounds pretty impressive. One that apparently breaks Shannon’s law in regard to shared spectrum capacity, as it could offer 10x to 1000x what is available today. Furthermore, it has a wider coverage than TV, with at least 30 miles coverage. It is also much faster than 4G with much less latency, consumes less power, costs less, etc…

It does sound too good to be true, but with Steve Perlman’s track record I am happy to believe him.
This is apparently possible because we should not be considering airwaves like strings or wireless telephone lines; he made an analogy with a cell bubble around a telephone which I didn’t really understand, but then I don’t think anyone in the audience did! There is a white paper HERE.
It is called DIDO, for Distributed Input Distributed Output.

According to Steve this is a completely new way to look (I should really say listen ;) at airwaves propagation and if you were to look for DIDO traffic with standard radio equipment you would not see anything but noise.

This got me thinking, if this technology is so new, has such a huge and yet unknown coverage, cannot be detected with today’s radio technology… shouldn’t someone speak to SETI so they can listen to this “advanced” communication method ;)

Seriously though, this is all very impressive. It is a long video, about 1h30, but as I said at the start of this post Steve is an amazing source of inspiration. What a great attitude and great achievements!

He created a technology to produce lifelike animations, a technology to provide those graphics and more to everyone, and finally a transport medium which could deliver all this almost anywhere in the world. This may be a loose link between all those inventions, but a link nonetheless!

I am looking forward to seeing those new technologies hopefully blossom, and to his future inventions!