Category Archives: intelligence

RFC 6189: ZRTP is finally a standard!

Finally ZRTP has been assigned an official RFC assignment, RFC6189 ZRTP: Media Path Key Agreement for Unicast Secure RTP.

It had as a dependency the SRTP with AES key size of 256bit that now has been defined as RFC6188.

It’s exciting to see the RFC finally released, as it’s an important milestone to set ZRTP as the official standard for end-to-end encryption much like PGP has been for emails.

Now any organization in the world will be officially able to implement ZRTP for end-to-end protocol voice encryption

Currently 3 different public implementations of ZRTP protocol exists:

Each of them provide different features of the protocol, but most important are known to be interoperable.

A new wave is coming to the voice encryption world, irrupting into a gray area where most of the companies doing phone encryption systems has been implementing custom encryption.

Now a standard has been setup and there are few reasons left to implementing something different.

Hurra Mr. Zimmermann and all the community of companies (like PrivateWave) and individuals (like Werner Dittmann) that worked on it!

Today it’s a great day, such kind of technology is now official and also with multiple existing implementation!

Philip, you did it again, my compliments to your pure spirit and determination :-)

TETRA hacking is coming: OsmocomTETRA

It’s very exciting to see the release of OsmocomTETRA, the first opensource SDR (Software Defined Radio) implementation of TETRA demodulator, PHY and lower MAC layers.

It’s the TETRA version of GSM airprobe that unlock access to the data and frame of TETRA communication protocol, thus giving great hacking opportunity!

Now that also TETRA technology has been opened we should expect, during this 2011, to see opensource TETRA sniffers and most probably also TEA encryption (the Tetra Encryption Algorithm) cracked!

TETRA is used by Police, Emergency Services and Militaries as an alternative mobile communication network that can works even without the availability of network coverage (only mobile-to-mobile without a base station) and provide some special high availability services.

I wrote about TETRA in my slide Major Voice Security Protocol Review .

In OsmocomBB mailing lists there was already discussion about some TETRA network status:

  • Belgium Police TETRA ASTRID network: unencrypted
  • German Police test TETRA network in Aachen: unencrypted
  • Some ex-jugoslawia TETRA network: unencrypted
  • Netherland C200 TETRA network: TEA2 encrypted with static keys
  • UK Airwave TETRA network: TEA2 encrypted with TEA2

It will be really fun to see that new Police and rescue service hacking coming back from old analog ages to the new digital radios :-)

GSM cracking in penetration test methodologies (OSSTMM) ?

As most of this blog reader already know, in past years there was a lot of activities related to public research for GSM auditing and cracking.

However when there was huge media coverage to GSM cracking research results, the tools to make the cracking was really early stage and still very inefficient.

Now Frank Stevenson , norwegian cryptanalyst that already broke the Content Scrambling System of DVD video disc, participating to the A51 cracking project started by Karsten Nohl, released Kraken , a new improved version of the A51 cracking system.

It’s interesting to notice that WiFi cracking had a similar story, as the first WiFi wep cracking discovery was quite slow in earlier techniques but later Korek, an hacker working on cracking code, improve the attack system drammatically.

That’s the story of security research cooperation, you start a research, someone follow it and improve it, some other follow it and improved it and at the end you get the result.

Read more on the Kraken GSM Cracking software release.

And stay tuned as next week at Blackhat Conference Karsten Nohl will explain the details of the required hardware setup and detailed instructions on how to do it :-)

I would really like to see those tools incorporated into Penetration Testing Linux Distribution BackTrack with OSSTMM methodology enforcing the testing of GSM interception and man in the middle :-)

If things proceed that way and Ettus Research (The producer of USRP2 software radio used for low cost GSM signal receiving) will not be taken down, we can still see this.

Web2.0 privacy leak in Mobile apps

You know that web2.0 world it’s plenty of leak of any kind (profiling, profiling, profiling) related to Privacy and users starts being concerned about it.

Users continuously download applications without knowing the details of what they do, for example iFart just because are cool, are fun and sometime are useful.

thumb.php.jpg

On mobile phones users install from 1000% up to 10.000% more applications than on a PC, and those apps may contain malware or other unexpected functionalities.

Recently infobyte analyzed ubertwitter client and discovered that the client was leaking and sending to their server many personal and sensitive data such as:

– Blackberry PIN

– Phone Number

– Email Address

– Geographic positioning information

Read about UbertTwitter ‘spyware’ features discovery here by infoByte .

It’s plenty of applications leaking private and sensitive information but just nobody have a look at it.

Should mandatory data retention and privacy policies became part of application development and submission guideline for mobile application?

Imho a users must not only be warned about the application capabilities and API usage but also what will do with which kind of information it’s going to handle inside the mobile phone.

Capabilities means authorizing the application to use a certain functionalities, for example to use GeoLocation API, but what the application will do and to who will provide such information once the user have authorized it?

That’s a security profiling level that mobile phone manufacturer does not provide and they should, because it focus on the information and not on the application authorization/permission respect to the usage of device capabilities.

p.s. yes! ok! I agree! This kind of post would require 3-4 pages long discussion as the topic is hot and quite articulated but it’s saturday morning and i gotta go!

Blackberry Security and Encryption: Devil or Angel?

Blackberry have good and bad reputation regarding his security capability, depending from which angle you look at it.

This post it’s a summarized set of information to let the reader the get picture, without taking much a position as RIM and Blackberry can be considered, depending on the point of view, an extremely secure platform or an extremely dangerous one .

bblock.jpg

Let’s goes on.

On one side Blackberry it’s a platform plenty of encryption features, security features everywhere, device encrypted (with custom crypto), communication encrypted (with custom proprietary protocols such as IPPP), very good Advanced Security Settings, Encryption framework from Certicom (now owned by RIM).

On the other side they does not provide only a device but an overlay access network, called BIS (Blackberry Internet Service), that’s a global worldwide wide area network where your blackberry enter while you browse or checkmail using blackberry.net AP.

When you, or an application, use the blackberry.net APN you are not just connecting to the internet with the carrier internet connection, but you are entering inside the RIM network that will proxy and act as a gateway to reach the internet.

The very same happen when you have a corporate use: Both the BB device and the corporate BES connect to the RIM network that act as a sort of vpn concentration network.

So basically all the communications cross trough RIM service infrastructure in encrypted format with a set proprietary encryption and communication protocols.

Just as a notice, think that google to provide gtalk over blackberry.net APN, made an agreement in order to offer service inside the BB network to the BB users. When you install gtalk you get added 3 service books that point to GTALKNA01 that’s the name of GTALK gateway inside the RIM network to allow intra-BIS communication and act as a GTALK gateway to the internet.

The mobile operators usually are not even allowed to inspect the traffic between the Blackberry device and the Blackberry Network.

So RIM and Blackberry are somehow unique for their approach as they provide a platform, a network and a service all bundled together and you cannot just “get the device and the software” but the user and the corporate are always bound and connected to the service network.

That’s good and that’s bad, because it means that RIM provide extremely good security features and capabilities to protect information, device and access to information at various level against third party.

But it’s always difficult to estimate the threat and risk related to RIM itself and who could make political pressure against RIM.

Please consider that i am not saying “RIM is looking at your data” but making an objective risk analysis: for how the platform is done RIM have authority on the device, on the information on-the-device and on the information that cross the network. (Read my Mobile Security Slides).

For example let’s consider the very same context for Nokia phones.

Once the Nokia device is sold, Nokia does not have authority on the device, nor on the information on-the-device nor on the information that cross the network. But it’s also true that Nokia just provide the device and does not provide the value added services such as the Enterprise integration (The RIM VPN tunnel), the BIS access network and all the local and remote security provisioned features that Blackberry provide.

So it’s a matter of considering the risk context in the proper way when choosing the platform, with an example very similar to choosing Microsoft Exchange Server (on your own service) or whether getting a SaaS service like Google Apps.

In both case you need to trust the provider, but in first example you need to trust Microsoft that does not put a backdoor on the software while in the 2nd example you need to trust Google, as a platform and service provider, that does not access your information.

So it’s a different paradigm to be evaluated depending on your threat model.

If your threat model let you consider RIM as a trusted third party service provider (much like google) than it’s ok. If you have a very high risk context, like top-secret one, then let’s consider and evaluate carefully whether it’s not better to keep the Blackberry services fully isolated from the device or use another system without interaction with manufacturer servers and services.

Now, let’s get back to some research and some facts about blackberry and blackberry security itself.

First of all several governments had to deal with RIM in order to force them to provide access to the information that cross their service networks while other decided to directly ban Blackberry usage for high officials because of servers located in UK and USA, while other decided to install their own backdoors.

There’s a lot of discussion when the topics are RIM Blackberry and Governments for various reasons.

Below a set of official Security related information on RIM blackberry platform:

And here a set of unofficial Security and Hacking related information on RIM Blackberry platform:

Because it’s 23.32 (GMT+1), i am tired, i think that this post will end up here.

I hope to have provided the reader a set of useful information and consideration to go more in depth in analyzing and considering the overall blackberry security (in the good and in the bad, it always depends on your threat model!).

Cheers

Fabio Pietrosanti (naif)

p.s. i am managing security technology development (voice encryption tech) on Blackberry platform, and i can tell you that from the development point of view it’s absolutely better than Nokia in terms of compatibility and speed of development, but use only RIMOS 5.0+ !

China Encryption Regulations

Hi all,

i found this very interesting paper on China Encryption Import/Export/Domestic Regulations done by Baker&Mckenzie in the US.

It’s strongly business and regulatory oriented giving a very well done view on how china regulations works and how it may behave in future.

Read here Decrypting China Encryption’s Regulations (form Bakernet website) .

The (old) Crypto AG case and some thinking about it

In the ’90, closed source and proprietary cryptography was ruling the world.

That’s before open source and scientifically approved encrypted technologies went out as a best practice to do crypto stuff.

I would like to remind when, in 1992, USA along with Israel was, together with switzerland, providing backdoored (proprietary and secret) technologies to Iranian government to tap their communications, cheating them to think that the used solution was secure, making also some consideration on this today in 2010.

caq63crypto.t.jpg

That’s called The Crypto AG case, an historical fact involving the United States National Security Agency along with Signal Intelligence Division of Israel Ministry of Defense that are strongly suspected to had made an agreement with the Swiss cryptography producer company Crypto AG.

Basically those entities placed a backdoor in the secure crypto equipment that they provided to Iran to intercept Iranian communications.

Their crypto was based on secret and proprietary encryption algorithms developed by Crypto AG and eventually customized for Iranian government.

You can read some other facts about Crypto AG backdoor related issues:

The demise of global telecommunication security

The NSA-Crypto AG sting

Breaking codes: an impossible task? By BBC

Der Spiegel Crypto AG (german) article

Now, in 2010, we all know and understand that secret and proprietary crypto does not work.

Just some reference by top worldwide cryptographic experts below:

Secrecy, Security, Obscurity by Bruce Schneier

Just say No to Proprietary cryptographic Algorithms by Network Computing (Mike Fratto)

Security Through Obscurity by Ceria Purdue University

Unlocking the Secrets of Crypto: Cryptography, Encryption and Cryptology explained by Symantec

Time change the way things are approached.

I like very much the famous Philip Zimmermann assertion:

“Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.”

Any scientist today accept and approve the Kerckhoffs’ Principle that in 1883 in the Cryptographie Militaire paper stated:

The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret.

It’s absolutely clear that the best practice for doing cryptography today obbly any serious person to do open cryptography, subject to public review and that follow the Kerckhoff principle.

So, what we should think about closed source, proprietary cryptography that’s based on security trough obscurity concepts?

I was EXTREMELY astonished when TODAY, in 2010, in the age of information society i read some paper on Crypto AG website.

I invite all to read the Crypto AG security paper called Sophisticated Security Architecture designed by Crypto AG of which you can get a significant excerpt below:

The design of this architecture allows Crypto AG to provide a secret proprietary algorithm that can be specified for each customer to assure the perfect degree of cryptographic security and optimum support for the customer’s security policy. In turn, the Security Architecture gives you the influence you need to be fully independent in respect of your encryption solution. You can determine all areas that are covered by cryptography and verify how the algorithm works.The original secret proprietary algorithm of Crypto AG is the foundation of the Security Architecture.

I have to say that their architecture is absolutely good from TLC point of view. Also they have done a very good job in making the design of the overall architecture in order to make a tamper-proof resistant crypto system by using dedicated crypto processor.
However there is still something missing:

The overall cryptographic concept is misleading, based on wrong encryption concepts.

You may think that i am a troll telling this, but given the history of Crypto AG and given the fact that all the scientific and security community does not approve security trough obscurity concepts, it would legitimate to ask ourself:  

Why they are still doing security trough obscurity cryptography with secret and proprietary algorithms?



Hey, i think that they have very depth knowledge on telecommunication and security, but given that the science tell us not to follow the secrecy of algorithms, i really have serious doubt on why they are still providing proprietary encryption and does not move to standard solutions (eventually with some kind of custom enhancement).

Missiles against cyber attacks?

The cyber conflicts are really reaching a point where war and cyberwar merge together.

NATO countries have the right to use the force against attacks on computer networks.

Licensed by Israel Ministry of Defense? How things really works!

You should know that Israel is a country where if a company need to develop encryption product they must be authorized by the government.

The government don’t want that companies doing cryptography can do anything bad to them and what they can do of good for the government, so they have to first be authorized.

Companies providing interception and encryption must apply to a license because Israel law on this is so restrictive to be similar to china law.

That’s because those kind of technologies are considered fundamental for the intelligence and espionage capabilities of Israel country.

To give some example of “Licensed by Israel Ministry of Defense” companies:

GSM encryption products “Licensed by Israel Ministry of Defense” – Gold-lock

Interception of communication products “Licensed by Israel Ministry of Defense” – Verint

HF encrypted Radio “Licensed by Israel Ministry of Defense” – Kavit

Surveillance services and equipment “Licensed by Israel Ministry of Defense” – Multi Tier Solutions

For example how to apply for a “License by Israel Ministry of Defense” if you do encryption technologies in Israel?

Be sure to be an israeli company, click here and fill the forms.

Someone will contact you from encryption-control@mod.gov.il and will discuss with you whether to give you or not the license to sell.

What does the department of defense will require from an israeli company in order to provide them the authorization to make and sell interception and encryption products?

Well, what they want and what they really ask nobody knows.

It’s a secret dealing of Israel Ministry of Defense with each “licensed” company.

What we know for sure is that Verint, a “Licensed by Israel Ministry of Defense”, placed a backdoor to intercept companies and governments in the US and Netherland into the interception systems they was selling.

Verint, a Licensed by Israel Ministry of Defense Company, provided to Israel government eavesdropped communications of private and government users in the United States and in the Netherland .

CIA officier reported that Israel Ministry of Defense was known to pay Verint a reimbursement of 50% of their costs in order to have from Verint espionage services trough their commercial activity on selling “backdoored” interception equipment to spy foreign users.

It can be a legitimate doubt that the cooperation within the Israeli Ministry of Defense may be problematic for an Israeli company that want to sell interception and encryption product abroad.

Those companies may be forced to make the interests of Israel Ministry of Defense and not the interests of the customers (like Verint scandal is a real-world example).

So, how would a “Licensed by Israel Ministry of Defense” be a good things to promote?

It represent the risk that the “Israel Ministry of Defense”, like is publicly known that it has already have done with Verint, will interfere with what the company do.

It represent the risk that the “Israel Ministry of Defense” may reasonably provide “reimbursement” of costs paying the company and get what they would likely would like to get.

So, what does really “Israel Ministry of Defense” want from Israel companies doing encryption and interception technologies?

Should we ask ourself whether Israeli companies doing encryption and interception businesses are more interested to do business or to do “outsourced espionage services” for their always paying customer, the “Israel Ministry of Defense”.

For sure, in the age of financial crisis, the Israel Ministry of Defense is a paying customer that does not have budget problem…

Strict control, strict rules, strong government strategic and military cooperation.

Be careful.

If you want to read more about this matters, about how technologies from certain countries is usually polluted with their governments military and secret services strategies stay tuned as i am preparing a post about this .

You will much better understand about that subjects on the “Licensed by Israel Ministry of Defense”.

Location Based Services: the big brother thanks you ;-)

Do you use your iphone, google phone, blackberry or nokia smartphone with cool built-in GPS?

Well law enforcement can now know even better where you are, at any time, even with historical data and much better than BTS based location systems.

Sprint has given 8 million times customer’s GPS information to law enforcement (sound something like a semi-automatic request).

Read here.

Nice extract is:

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The informations was provided at wiretapping and interception industry conference ISS WASH in Washingtown.

If you want see directly the video:

Sprint: 50 million customers, 8 million law enforcement GPS requests in 1 year from Christopher Soghoian on Vimeo.


Then you know that “big brother” is watching you only because you let him to watch you.

Gold-Lock Security Encryption Contest: be careful!

This post is to talk about the “unfair” marketing approach of Gold-Lock, an israeli company doing mobile voice encryption authorized by Israeli Ministry of Defence .

Following an announcement seen on Linkedin “Information Security Community” group:

GoldLock is offering US$ 100.000 and a job for an unencryption

GoldLock, an israeli encryption and security company is offering US$ 100.000 and a job to anyone capable to decrypt a cellular conversation contained in a file provided in their site ( https://www.gold-lock.com/app/en/?wicket:interface=:8 ::::).
The transcription must be sent back to GoldLock until February 1st, 2010.
The contest is open to all and any tools or technology may be used.
Good luck to all!!!

I commented:

Not having a public protocol specification is not even scientifically serious to make a marketing tricks like this.
I would say to gold-lock, let’s release the source code and let anyone compile the cryptographic engine if you trust not to to have something nasty inside… ;)

Toni Koivunen from F-secure said:

So… They will pay $100k if you get through the AES and the hassle with keys.
If someone would pull it off they would certainly make a truckload more money elsewhere. Plus they would retain the rights to the code/technology that they created, which isn’t the case if they go for the $100k since the License pretty clearly says that:
# An assignment letter to Gold Line, in a form satisfactory to Gold Line of your technology and the Work Plan (the “Technology”). Such assignment form shall enable Gold Line to transfer the rights on the Technology to Gold Line, including the right to register patents and all other rights.
# A release and waiver form, in a form satisfactory to Gold Line, duly executed by you and any other participant of any rights to the Technology.
Plus of course Gold Line retains the right to change the rules of the game with prior notice. Or needing to notify afterwards either.
Sounds fair :)

Michel Scovetta from Computer Associates said:

It sounds like the purpose of this is to get some cheap testing out of it, and to be able to say something like, “The best crypto experts in the world tried to break it, and were unable to.”

According to some of the docs on Gold Lock’s website, they use ECC-256 and a “modified DH key exchange” (which tingles my spidey senses), SHA-256, and then XOR for the actual data encryption. They use practically blasphemous language like, “Each component of the Gold Lock Enterprise solution is tested and proven secure against any conceivable attack.”

*Proven* secure? *Any conceivable* attack? Yikes!

In another doc on their site, they talk about their first layer relying on 1024-bit RSA. GoDaddy doesn’t even allow 1024-bit keys to be used anymore when generating $20 SSL certificates. They quote 300 billion MIPS-years to break, but if my math is correct, that comes down to about 52 days on the top supercomputer right now. Not trivial, but this is an offline attack, so time is on the side of the attacker.

The description then talks about the device generating 16k keys when you register the device. If the protocol is “secure”, then it should be “secure” with only a single key. If it’s not secure with a single key, then generating 16k keys could only make it 16k times more secure, which is far off from a proof of security.

I agree with Fabio – a fair contest would be to include source code and the cryptographic specification. Also, as other contests have proven (e.g. SecureWebMail), the weakest point isn’t usually the cryptography. It’s all of the other stuff, and it doesn’t look like any of it is being disclosed for the contest.

http://xkcd.com/538/

Mike

I would say that all those considerations from security experts from well known and established security companies bring us to consider that:

  • Gold-lock is not transparent on their encryption at all and they work trough bad practice of Security Trough Obscurity (no one know what’s inside the product)
  • Gold-lock is not playing a fair game by proposing this ‘security contest’
  • Gold-lock being certified by Israeli ministry of defence may raise doubt related to possible relationship with the intelligence… Read by post Certified by Israeli MInistry of Defense.

Voice security is a sensible matters and lacks of transparency and governmental relationship for cryptographic choices usually does not provide anything good…

Think about it…

Disk encryption sometimes ‘works’

I am one of the person convinced that a computer disk encryption system will not protect you from public authorities if they are convinced enough and the case is very important.

There are a lot of way to convince a person to release a password.

However there’s a case in Australia where not revealing the disk password resulted in a successful way to avoid going in jail:

Secret code saves man who spied on flatmates

My opinion is just that spying flatmates is not a so relevant and particular crime and that law enforcement did not used ‘convincing systems’ to get the password of encrypted disk.

UPDATE 29.06.2010: It also worked for Daniel Dantas against FBI .

Brazilian Electrical Blackout: preview of cyberwar

In 2005 and 2007 in Brazil million of people was targetted by a blackout.

Initially it appeared like an accident.

Now it’s known that was caused by a cyber attack against electricity control systems.

That was just a preview of what a cyber attack in a cyberwar means.

In near future we’ll probably see something like ‘virtual custom offices’ at internet borders, defining what get in and what get out like several “not so democratic” countries are doing.

Does the cyberwar will affect digital rights? Probably yes, even i hope not.

Political conflict in Turkey between Prosecutors and Wiretappers

It seems that in Turkey the Telecommunication Directorate (TIB), in charge of managing the wiretapping, intercepted the president of the Judge and Prosecutors Associations.

Prosecutors and Judge usually does not like being tapped, and so the 1st High Criminal Court ordered an audit of all the recording done by the TIB since 2006.

Read more here.

Conventionality is not morality.

During my daily RSS OCD reading I had to deal with this article: it has been written by a “senior anti-virus researcher at Kaspersky Lab’s“. Talk about personal interest.

I wont comment on the practical implications of useless signature based AV’s and how cyber criminals will never need amateur-ish projects to carry on their malicious tactics.

But what is always interesting is watching the very same people who use billion dollar scare tactics to sell you a perfectly useless piece of software (which will give you a false sense of security, hence will make you more insecure), talking about ethics.

This is big business, this is the American way

43 years old “UFO eccentric” hacker Gary McKinnon just loses appeal against his extradition to the States for computer crimes he committed 7 years ago.

If you’ve lived under a rock during the last few years what this dude did was basically break into .gov computers looking for UFO related material.

Probably the last case of recreational hacking I’ve heard about.

So his case is obviously going to be a classical “Strike one to educate one hundred” kind of message to every hacker attacking american computer systems: we can reach you everywhere you live and have you extradited to our country where we will sentence you to life in prison.

Unless you are a multi millionaire cyber criminal living in Russia or a chinese spy, of course.

Russia: the best worldwide place for cybercrime business

Russia is a very beautiful place for any committed cybercrime business owner.

FBI and Mcafee are trying to do something, do they will ever succeed?

I don’t think so, it’s a political issue as russia is not going to extradite any cybercriminal and is not going to provide strong international cooperations.

Always remember that in Russia Business Network has been strongly suspected to had done cooperations with Russian government that leveraged in different occasion their power and skills.

Are russian politicians more interested to protect their cyber-warriors skills and activities or to provide international cooperation?

Quite easy to answer…

chinese espionage: the worst and more silent threat for western countries

Hi all,

in the past few years i saw an incredible increase in the amount of “public” news about espionage against different western countries and usually coming from far-east, typically china.

China want to be the largest economic power within 2020 and it’s following a grow rate of 8% per year. Their “controlled” capitalism without the inefficiency of the democracy it’s something that’s beating the western countries, less efficient because democratic.

China, in order to quickly grow it’s R&D capacity make an extensive use of espionage, it’s estimated that Chinese government have more than 1.000.000 intelligence agents worldwide.

And they know how to do espionage, their “spy” does not cost that much like western countries’ spy, less guarantee, less payments.

Also they are using cyber espionage as an important source of information and competitiveness against western countries companies and government R&D results. China is so un-cooperative that now also western countries spying each other, or even Russian, use chinese internet space as the “start base” for their internet based espionage activities.

I knew of a USA phisher that used to build it’s own trojan with a chinese version of Windows Xp with a chinese version of the Microsoft Visual Studio development suite. Why? For information deception, in order to tweak the forensics effort of the FBI analyst and have them think that it’s own attacks was coming from China!

Any investigators that see an attack coming from china typically think “oh shit, it comes from china, we’re lost”, and now even cybercrime use China like a far-west, untouchable base for cyber attacks.

Back tracing attacks coming from china it’s like trying to find out what’s inside a black hole, it’s a one-way trip and no information comes back.

To give better an idea of what i am speaking about just get the following list of reference:

Germany accuses China of industrial espionage

Chinese trainee goes on trial as French industry fears espionage

U.S. Vulnerable to Chinese Cyber Espionage

Massive Chinese Espionage Network

Cyber Spy Network Also Targetting Finland

How do the western countries defend themself?

That’s a nice points to speak about because there’s no simple way to defend against espionage other than considering it like a serious and concrete threat.

Governments should be able to get more understanding that their approach to informations systems and information security policy must not only exists on paper but also be applied everywhere in order to be effective. Governments are complex organizations and only a few are enough smart to be able to quickly and efficiently make security policies really be implemented organization-wide. But they are trying to, especially the most competitive ones like USA, UK and Germany .

Companies instead should acquire awareness of the problem that is present, available, concrete as concrete is the chance that someone enter into the offices to steal good (not for espionage). For that reason companies place alarm systems, access control with badge, camera monitoring systems.

But espionage does not mean fighting and protecting against poor thieves but instead against more sophisticated, either technically and socially, attacker that can use old school intelligence techniques always effective. Getting employed and stealing information while working. Simulate to be customers to establish a link trust with a salesman and then find a reason to let him execute some malicious software “hey, but my modellization software demostrate that your model used to measure the performance of your product it’s not the one you advertised. Check it out, see your self with the software we used!”. What do you think the salesman will do in order to catch the prospect customer?

Only awareness, knowledge about the issues can make such risk to be considered seriously.

Governments should provide financing to industrial associations, chamber of commerces and similar agencies in order to make such awareness national wide and let entrepreneurs became conscious and became prepared to recognize, identify and stop espionage activities.

The law perspective

Governments should strenghten their laws in order to be able have the required rights tools to enforce the protection from espionage.

Look at the analysis made by my smart cousin Angelo Pietrosanti on espionage “Is the European R&D Equally protected from espionage as in the US R&D?”

Country Civil Sanction against trade secret threat Criminal Sanction against trade secret threat Year of last modificationg
USA 5 mln $ up to 10(for domenistic) or 15 (for foreigners) Years of Jail 1996 (Economic Espionage Act)
Germany YES up to 3 Years of Jail 1986
France 0.03 mln $ up to 2 Years of Jail 1992
UK YES NO 1984
Italy YES up to 2 Years of Jail 1942
Switzerland YES up to 3 Years of Jail 1986
Finland YES up to 3 Years of Jail 1990
Sweden YES up to 6 Years of Jail 1990
The Netherlands YES up to 4 Years of Jail 1992

What this table show?

  • Outdated law (except USA)
  • Not so serious sanctions against espionage activities. (except USA)

Maybe some european policy on this could help.

In conclusion

We are in an economic war where the winner is not the one having more forces, but the one being more technologically advanced, and economically clever.

Chinese are demonstrating to be enough aggressive and clever, will the western countries be able to react both on the defense and the attack in this war?

Criminal business model: Somali pirate case study

Hi all,

this blog post is to have a nice economical point of view on somali pirates business model, something nice as also crime is a business and need it’s business evaluation:

An economic Analysis of Somali Pirates Business Model

It sounds much like a great deal, check it out the details:

The attack model and costs

The negotiation phase (Offer and Counter offer)

The resolution

And for the pleasure of home gamer, Cuttrhouat Capitalism: the game

1st august 2009: Switzerland start realtime internet interception

The intelligence strength is increasing everywhere… also in Switzerland that had a well known privacy protection approach!

Read the WikiLeaks Article

UAE government placing backdoors into Blackberry devices

Nice attempt to place backdoors inside Blackberry devices.

It seems that UAE government wanted to do something nasty placing backdoors trough software upgrades in Etilsat (local mobile operator) blackberry devices, obviously with the cooperation of the mobile operator itself.

Fortunately, the power of the security community discovered and unveiled the facts. Check it out.

Etisat patch designed for surveillance

Wired magazine: Blackberry spies

Security exists only with transparency.

Chinese Spying NSA/USA buying Cryptographic Equipment on Ebay

It’s amazing.

A chinese guy has been engaged within an espionage activity for the People’s Republic of China buying and exporting cryptographic equipments, radio and other secure hardware on eBay.

It’s unbelivable, read there, Chi Tong Kuok found on eBay:

  • 1 software for a VDC-300 airborne data controller, used for secure satellite communications from the American military aircraft
  • 1 GPS receiver with anti-spoofing defence (maybe there’s interested in understanding how this know that a packet is spoofed or not? Me too!)
  • 1 NSA developed AN/CYZ-10 crypto key management device
  • 2 PRC-148 handheld digital military radios
  • 1 KG-175 TACLAN, an NSA designed encryption device used to communicate with classified military computer networks, such as Defense Department’s SIPRNet (Secret Internet Protocol Router Network) .

It’s important to underline that good crypto should not require “secret methods” as the security methods should be secure even if revealed, like any cryptographic technology.

But chinese probably understood that this is not the approach of NSA that prefer using custom, self-made, self-analyzed cryptographic technologies that are probably a lot weaker than nowadays cryptographic standards.

So, why not buy some export restricted military secure technology on ebay?


Voice encryption in government sectors

I will make some in depth articles about how voice encryption really works in government environments.

The open standards and open source still have to reach the military and government environments for what’s related to secure speech.

To give you an idea of the complexity and kind of particular issues that exists, look at the USA 3G Wireless Security: A Government Perspective and the A Waveform Architecture to Support Security and Interoperability in Multi-National Wireless Networks for Tactical Communication .

They are using so-custom protocols like Secure Communications Interoperability Protocol that require the use of patented MELPe ultra-narrowband codec that there’s not a real market of application and equipment using this. Only a small elite of government controlled companies from few countries manage this de-facto lobby.

Should we change this bringing open standards also to government sectors?

Women as agents of future geopolitical changes

Nice to read about Global Trends 2025 from United States National Intelligence Council.

Hackers hired from UK Office of Cyber Security

It seems that in UK the management became illuminated, they discovered that the most efficient way to fight a cyber war is to hire soldier that play in the battlefield everyday, only for passion.

U.K. Employs ‘Naughty Boys’ to Battle Other Hackers U.K. Employs ‘Naughty Boys’ to Battle Other Hackers

Voice Security and Privacy slides

Below my slides on voice security and privacy from Security Summit 2009.

mmm, yes i am working in this area from 2005, will write again about it.

sux