Tag Archives: kryptering

intelligens aflytning personlige sikkerhed teknologi

RFC 6189: ZRTP er endelig en standard!

11 April 2011 - 22:54

Endelig ZRTP har fået tildelt en officiel RFC opgave, RFC6189 ZRTP: Media Path Key aftale om Unicast Secure RTP.

Det havde som en afhængighed af SRTP med AES nøglestørrelse af 256bit, som nu er blevet defineret som RFC6188 .

Det er spændende at se RFC endelig frigivet, da det er en vigtig milepæl at sætte ZRTP som den officielle standard for end-to-end kryptering meget gerne PGP har været for e-mails.

Nu enhver organisation i verden vil blive officielt i stand til at gennemføre ZRTP til end-to-end protokol stemme kryptering

I øjeblikket 3 forskellige offentlige implementeringer af ZRTP protokol eksisterer:

Hver af dem giver forskellige elementer i protokollen, men vigtigst er kendt for at være interoperable.

En ny bølge er på vej til stemmen kryptering verden, irrupting ind i en gråzone, hvor de fleste af de virksomheder, der gør telefonen krypteringssystemer er blevet gennemførelse skik kryptering.

Nu er en standard har været opsætning, og der er kun få grunde tilbage til at gennemføre noget andet.

Hurra Mr. Zimmermann og hele fællesskabet af virksomheder (som PrivateWave ) og individer (som Werner Dittmann ), der arbejdede på det!

I dag er det en stor dag, sådan form for teknologi er nu officielt og også med flere eksisterende implementering!

Philip, du gjorde det igen, mine komplimenter til din ren ånd og beslutsomhed :-)

Del
Comment (1) Tags , , , | Kommentar (1)
aflytning personlige sikkerhed

Fremskridt for GSM revner i Freiburg universitet

23 Feb 2011 - 13:32

Den spændende verden af ​​mobile protokoller GSM, GSM-R, TETRA, UMTS osv.) hacking bliver officielle forskningsaktiviteter fra universiteter.

Den investering at gøre opensource kode versioner af revner software giver mulighed for at studerende på universitetet til at arbejde på det, forbedre det og gøre en stærk forskning.

The University of Freiburg netop frigivet det papir Praktisk træning på GSM kryptering A5 / 1 sammen med en gsmframencoder støtte værktøj til at forbedre snuse, afkodning og krakningsproces.

Åbning af hardware, åbne software, åbne protokol demonstrere svaghed enhver form for proprietære metode eller proces at opbygge kommunikations-og sikkerhedsteknologier.

Det bør være målet for alle forskere at forsøge at åbne op og knække enhver form for proprietære og lukkede teknologi til at tvinge industrien til at går på kun med interoperable og åbne tilgang samtidig med at designe telekommunikation protokoller.

Del
Comment (0) Tags , , , , | Kommentar (0)
intelligens aflytning sikkerhed

TETRA hacking er på vej: OsmocomTETRA

23 Jan 2011 - 10:27

Det er meget spændende at se frigivelse af OsmocomTETRA , den første opensource SDR ( Software Defined Radio ) gennemførelse af TETRA demodulator, PHY og lavere MAC lag.

Det er TETRA version af GSM airprobe at låse adgang til data og ramme i TETRA kommunikationsprotokol, hvilket giver stor hacking chance!

Nu også TETRA teknologi er blevet åbnet, vi skal forvente i løbet af denne 2011, for at se opensource TETRA sniffere og sandsynligvis også TEA kryptering (Tetra Encryption Algorithm) revnet!

TETRA bliver brugt af politiet, redningstjenester og militær som et alternativ mobilkommunikationsnetværket, der kan arbejder selv uden adgang til nettets dækning (kun mobil-til-mobil uden en base station) og give nogle særlige høje tilgængelighed tjenester.

Jeg skrev om TETRA i min slide Major Voice Security Protocol anmeldelse .

I OsmocomBB postlister der allerede var diskussion om nogle TETRA-netværk status:

  • Belgien Politi TETRA ASTRID netværk: ukrypteret
  • Tyske politi test TETRA-netværk i Aachen: ukrypteret
  • Nogle ex-jugoslawia TETRA-netværk: ukrypteret
  • Holland C200 TETRA-netværk: TEA2 krypteret med statiske nøgler
  • Storbritannien Airwave TETRA-netværk: TEA2 krypteret med TEA2

Det vil være rigtig sjovt at se, at nye politiet og redningstjenesten hacking kommer tilbage fra gamle analoge aldre til de nye digitale radioer :-)

Del
Comment (1) Tags , , , | Kommentar (1)
Beskyttelse af personlige oplysninger

Zorg, nye C + + og Java ZRTP implementering offentlige frigivelse

12 januar 2011 - 02:01

Hej alle, i dag på PrivateWave Italia SpA, italiensk selskab beskæftiger sig med udvikling af teknologier til beskyttelse af privatlivets fred og informationssikkerhed i taletelefoni hvor jeg CTO, slipper vi Zorg, en ny open source ZRTP protokolimplementering kan downloades fra http://www. zrtp.org .

ZRTP [1] ende-til-ende nøgleudveksling med elliptisk kurve Diffie-Hellmann 384bit og AES-256 SRTP kryptering.

Zorg er oprindeligt udviklet og implementeret i PrivateWave har PrivateGSM stemme krypteringsprodukter til rådighed til følgende platforme: Blackberry, Nokia og iOS (iPhone).

Zorg C + + er blevet integreret med PJSIP open source VoIP SDK [2], og det er tilvejebragt som integration plaster mod PJSIP 1.8.5. Det er blevet testet på iPhone, Symbian, Windows, Linux og Mac OS X.

Zorg Java er blevet integreret i en speciel version af MJSIP [3] open source SDK på Blackberry platform, og det omfatter hukommelsesbrug optimeringer, der er nødvendige for at reducere på minimum skrald indsamler aktivitet.

Begge platforme har adskilt og modulopbygget kryptografisk back-enderne, således at den kryptografiske algoritmer implementeringen let kan byttes ud med andre.

. Zorg er licenseret under GNU AGPL og kildekoden er tilgængelig på GitHub på https://github.com/privatewave/ZORG .

Vi frigiver den under open source og i overensstemmelse med vores tilgang til sikkerhed [4], som vi håber virkelig, at det kan være nyttigt for open source økosystemet til at skabe nye stemme krypteringssystemer til støtte for ytringsfriheden.

Mere end 20 pjsip-baserede open source VoIP krypteringssoftware og flere er skrevet i Java kunne drage direkte fordel af Zorg udgivelse.

Vi vil være glade for at modtage forslag om samarbejde, nye integration, ny kryptografisk back-ender, bug scouting og hvad nyttigt at forbedre og lade ZRTP bekræfter som stemme kryptering standard.

Zorg er tilgængelig fra http://www.zrtp.org .

[1] ZRTP: http://en.wikipedia.org/wiki/ZRTP
[2] PJSIP: http://www.pjsip.org
[3] MJSIP: http://www.mjsip.org
[4] Sikkerhed tilgang: http://www.privatewave.com/security/approch.html

Del
Comment (0) Tags , , , , | Kommentar (0)
Beskyttelse af personlige sikkerhed teknologi

Krypteret mobil til fastnet opkald med Asterisk 1,8

25 oktober, 2010 - 12:15

Vi har lige udgivet en teknisk howto om hvordan man kan opbygge Sikker mobil til fastnet VoIP infrastruktur med:

I næste uge andre howto som denne vil komme ud ved hjælp af andre serverplatforme såsom FreeSWITCH, alle i en ånd af åbenhed og løftestangseffekt af opensource sikkerhedsteknologier.

Del
Comment (0) Tags , , , | Kommentar (0)
sikkerhed

Otte Epic Svigt i Regulering Cryptography

21 oktober 2010 - 14:59

En meget oplysende artikel om Otte Epic Svigt i regulering Cryptography og fælles misforståelse af statslige myndigheder, der ikke har en bred opfattelse af, hvordan teknologien fungerer.

Uvidende statslige lovgivere har ikke forstået, at en streng regulering ville have følgende ulemper:

  1. Det vil skabe sikkerhedsrisiko
  2. Det vil ikke stoppe de onde
  3. Det vil skade innovation
  4. Det vil skade amerikanske erhvervsliv
  5. Det vil koste forbrugerne
  6. Det vil være forfatningsstridig
  7. Det vil være en stor udgift skattemæssige dollars

Del
Comment (0) Tags , | Kommentar (0)
Beskyttelse af personlige sikkerhed teknologi

PrivateGSM: Blackberry / iPhone / Nokia mobil voice kryptering med ZRTP eller SRTP / SDES

19 oktober, 2010 - 09:10 am

Jeg er helt undgå at bruge min egen personlige blog til at gøre fremme af enhver form for produkt.

Denne gang er det ikke anderledes, men jeg vil gerne fortælle dig fakta om produkter, jeg arbejder på uden fancy markedsføring, men opholder sig teknisk.

I dag, kl PrivateWave hvor jeg er CTO og medstifter , vi udgivet offentligt mobile VoIP krypteringsprodukter til Blackberry, iPhone og Nokia:

  • Den 1. nogensinde Blackberry krypteret VoIP med ZRTP - PrivateGSM VoIP Professional
  • Den 1. nogensinde iPhone krypteret VoIP med ZRTP - PrivateGSM VoIP Professional
  • Den 1. nogensinde Blackberry krypteret VoIP-klient med SRTP med SDES nøgleudveksling løbet af SIP / TLS - PrivateGSM VoIP Enterprise

logo-privatewave-colore.png

Hos PrivateWave bruger vi en anden tilgang i forhold til de fleste stemme kryptering selskab derude, læse vores tilgang til sikkerhed .

Relevansen af ​​disse produkter i teknologi og industri landskab kan opsummeres som følger:

  • Det er den første stemme kryptering virksomhed kun bruger standarder sikkerheds protokoller (og vi forventer, at markedet vil reagere, da det er klart, at proprietære tech kommer fra arv CSD ikke kan give samme værdi)
  • Det er den første metode i stemmen kryptering til kun at bruge open source & standard kryptering motor
  • Det er den første stemme kryptering tilgang til at give forskellig sikkerhed model ved hjælp af forskellige teknologier (ende-til-ende for ZRTP og end-to-site for SRTP )

De suite af Mobile Secure klienter, der er designet til professionel sikkerhed brug kun ved hjælp af bedste tele-og sikkerhedsteknologier, giver en høj grad af beskyttelse sammen med gode resultater også i dårlige netværk betingelser:

Ansøgningerne er:

Icona-pgsm.png

De understøttede mobile enheder er:

Med hensyn til ZRTP besluttede vi at understrege og strække al den sikkerhed og paranoide træk protokollen med nogle lidt ud:

Vores strenge adressebog integration, går ud over ZRTP RFC specifikation, der kan være sårbare over for visse angreb, når der bruges på mobiltelefoner på grund af brugernes adfærd ikke at se på mobil skærm.

Vores paranoy måde at bruge ZRTP afbøde sådanne betingelser, vil vi skrive om det senere og / eller vil tilføje specifikke detaljer for RFC integration.

Nogle ord på PrivateGSM Professional med end-to-end kryptering med ZRTP

Læs tekniske ark der!

For at downloade det klik her og bare sætte dit telefonnummer

Det er resultatet af hårdt arbejde af alle mine meget dygtige medarbejdere (16 personer har arbejdet på dette 6 projekter i 3 forskellige platforme) på udfordrende teknologier (stemme kryptering) i et vanskeligt driftsmiljø (beskidte mobilnet og beskidte mobile operativsystemer) for mere end 2 år.

Jeg er meget stolt af vores medarbejdere!

Hvad bliver det næste?

I næste uger vil du se frigivelse af store sæt af dokumentationer, såsom integration med stjerner, freeswitch og anden sikkerhed aktiveret PBX, sammen med nogle spændende anden sikkerhedsteknologi nyheden om, at jeg er sikker på vil blive bemærket ;)

Det har været en hårdt arbejde og mere skal gøres, men jeg er overbevist om, at sikkerhed og opensource samfund vil gerne, at disse produkter og vores gennemsigtig fremgangsmåde også med åbne vigtige udgivelser og open source-integration, der gør en meget politisk neutral (bagdør gratis) teknologi .

Del
Comment (1) Tags , , , , | Kommentar (1)
aflytning personlige sikkerhed teknologi

Et par dejlig VPN udbyder

17 oktober 2010 - 12:39

Der er masser af grund til, hvorfor man skal have adgang til internettet via et VPN.

For eksempel, hvis du bor i et land blokere bestemte indhold (såsom anti-kommunale hjemmeside, porno, osv.) og / eller protokoller (som Skype, VoIP) ville du sikkert vil flytte din internetforbindelse uden den ubehagelige blokering landet ved hjælp af krypterede VPN tunneller.

I evaluerede flere hosted VPN server og et par af dem lyder ganske godt blandt de udbredte udbud af sådanne tjenester:

SwissVPN

Udgang til internettet fra Schweiz.

Omkostninger 6 CHF / måned

Valgfri faste offentlige IP-adresse

Nyttigt, hvis du har brug for:

  • Bare omgå lokale landets filtre med god høj båndbredde
  • Udsætter de offentlige tjenester gennem den VPN med den valgfrie faste offentlige IP-adresse.

Overspille

Udgang til internettet ved at vælge blandt 20 forskellige lande (hver gang du tilslutter).

Nyttigt, hvis du skal gøre:

  • business intelligence til konkurrent (ser ud til at komme fra land X, når du tilslutter dem)
  • se filmen / telefilm kun tilladt fra nationale IP web-rum
  • se Google-resultater blandt de forskellige lande

Del
Comment (0) Tags , | Kommentar (0)
sikkerhed teknologi

Ikke alle elliptisk kurve er den samme: trug på ECC sikkerhed

26 September 2010 - 01:05 
 Min egen ECC kurve sikkerhed og valg af analyse

 vn9jna1BdgrzDCYNBJHi09q09q.jpg 
  De fleste moderne Crypto brug elliptisk kurve Cryptographic (ECC), der, med en mindre nøglestørrelse og reducere beregning magt, giver en tilsvarende sikkerhed styrken af traditionelle krypto-system kendt som DH (Diffie-Hellman) eller RSA (Rivest, Shamir og Adleman). 
 Ikke alle ved, at ECC-kryptering er valgt for eventuelle fremtidige kryptering programmer, og at selv TLS / SSL (kryptering, der anvendes til at fastgøre nettet) flytter til ECC. 
  Jeg fandt masser af såkaldte "beskyttede krypteringsprodukter", som forladte RSA og DH til at går med ECC alternativer, der har tendens til vilkårlig brug ECC bit nøgle størrelse uden selv at angive, hvilke slags ECC crypto vænne. 
  Men der er en masse forvirring omkring elliptiske kurver, med en masse forskellige navne og nøglestørrelse gør det vanskeligt for en ikke-kryptografisk-erfarne-bruger til at lave din egen figur, når de evaluerer nogle crypto ting. 
  På grund af så spredt forvirring jeg besluttede at lave min egen analyse for at finde ud af, hvilke er de bedste ECC kryptering kurver og højre ECC nøglestørrelse at bruge. 
  Denne analyse vil gerne give en sikkerhed industri baseret valg blandt forskellige kurver og nøglestørrelser, forlader de matematiske og crypto analytiske overvejelser, der allerede er gjort i løbet af de år, der opsummerer de forskellige valg, der træffes i flere standarder og sikkerhed protokoller. 
  Først konklusionen. 
 Fra min analyse kun følgende ECC kurver skal betragtes til brug i krypteringssystemer, da er den eneste udvalgt blandt forskellige myndigheder (ANSI, NSA, SAG, NIST, ECC BrainPool), forskellige sikkerhedsprotokol standarder (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS), og den eneste matchende NSA Suite B sikkerhedsmæssige krav (de-facto standard også for NATO militær miljø): 
  •   Elliptisk Prime Curve 256 bit - P-256 
  •   Elliptisk Prime Curve 384 bit - P-384 
  med valgfri, bare for virkelig paranoid, der ønsker at få mere nøglestørrelse lidt stadig ikke anset for hensigtsmæssigt: 
  •   Elliptisk Prime Curve 521 bit - P-521 
  Jeg vil gerne sige, at Köblitz kurver bør undgås, i en vilkårlig tast størrelse (163/283/409/571), da de ikke har nok garanti på krypto analytisk aktivitet og effektivt de er: 
  •   Ikke en del af NSA Suite-B kryptografi valg 
  •   Ikke en del af ECC Brainpool valg 
  •   Ikke en del af ANSI X9.62 valg 
  •  Ikke en del af OpenPGP ECC forlængelse valg 
  •   Ikke en del af Kerberos forlængelse i ECC kurve valg 
  Jeg vil opfordre læseren til at følge trough min analyse til at forstå de grundlæggende principper, der kan misforstås, selv uden dyb teknisk baggrund, men i det mindste med en god teknisk baggrund, en nogle grundlæggende lidt af kryptografi. 
 Her går vi med analysen

  
  Mit mål er at foretage en analyse af, hvad / hvordan den åbne videnskabelige og sikkerhed samfund vælg ECC krypto-system til brug i sikkerheds protokoller og standarder er defineret af IETF RFC (dem, der definerer Internet-standarder i en åben og peer-review måde). 
  Nedenfor et sæt af RFC indføring ECC i eksisterende system, der får analyseret for at forstå, hvad er bedre at bruge, og hvad er bedre at udelukke: 
 
  •   RFC5639 : ECC Brainpool standardkurver & Kurvegenerering 
  •   RFC4869 : NSA Suite B Kryptografiske Suites for IPsec 
  •  RFC5430 : NSA Suite B profil for Transport Layer Security (TLS) 
  •   RFC5008 : NSA Suite B in Secure / Multipurpose Internet Mail Extensions (S / MIME) 
  •   RFC3766 : Bestemmelse Styrker om offentlige nøgler benyttes til at udveksle symmetriske nøgler 
  •   RFC5349 : elliptisk kurve Cryptography (ECC) Støtte til Public Key Cryptography for første godkendelse i Kerberos (PKINIT) 
  •  RFC4492 : elliptisk kurve Cryptography (ECC) kodeserier for Transport Layer Security (TLS) 
  •   ZRTP stemme kryptering af Philip Zimmermann ECC kurve 
  •   ECC i OpenPGP (udkast d tømmerflåde-jivsov-OpenPGP-ECC-06 ) 
  •   ECC Kurver udvalgt af Microsoft til Smartcard Kerberos login 
  Vi vil bruge det valg, som forsker at definere Internet Security protokoller for at gøre en del af vores vurdering. 
  Derudover er det skal forstås, at kurven, kommer fra forskellige myndigheder, der gjorde deres eget udvalg af Kurver for at fortælle til industrien, hvad de skal bruge og hvad man skal springe: 
  Vi vil bruge det valg, som videnskabsmand fastlæggelse af sikkerhedskrav i de standardiseringsorganer til at gøre en del af vores vurdering. 
  Derudover noget, som de fleste mennesker ikke kender, men at det er ekstremt relevant for vores analyse, er, at der er forskellige slags ECC kurve kryptografi og deres "størrelse" det er anderledes afhængig af typen af ​​kurven: 
  •   ECC Kurver end Prime felt (ofte omtalt som elliptisk kurve og repræsenteret ved P-keysize) 
  •   ECC Kurver end Binary felt (ofte omtalt som Koblitz Curve og repræsenteret ved K-keysize) 
  Givet en sikkerhed styrke ligestilling af elliptisk kurve og Kobliz Curve har forskellig nøgle størrelse, for eksempel når vi læser ECC 571, vi henviser til Koblitz Curve med en tilsvarende styrke som ECC 521 Prime kurve. 
  En sammenligning af styrken mellem elliptiske kurver og Kotbliz kurver er rapporteret nedenfor (fra Mikey ECC internet Udkast til ): 
 | Koblitz | ECC | DH / DSA / RSA
 | 163 | 192 | 1024
 | 283 | 256 | 3072
 | 409 | 384 | 7680
 | 571 | 521 ​​| 15360

  Nedenfor er der en sammenligning af alle valgte kurver af alle de forskellige enheder og deres respektive navn (fra IETF RFC4492 for ECC brug for TLS ): 
 Curve navne valgt af forskellige standardiseringsorganisationer
 ------------ + --------------- + -------------
 SECG | ANSI X9.62 | NIST
 ------------ + --------------- + -------------
 sect163k1 | | NIST K-163
 sect163r1 | |
 sect163r2 | | NIST B-163
 sect193r1 | |
 sect193r2 | |
 sect233k1 | | NIST K-233
 sect233r1 | | NIST B-233
 sect239k1 | |
 sect283k1 | | NIST K-283
 sect283r1 | | NIST B-283
 sect409k1 | | NIST K-409
 sect409r1 | | NIST B-409
 sect571k1 | | NIST K-571
 sect571r1 | | NIST B-571
 secp160k1 | |
 secp160r1 | |
 secp160r2 | |
 secp192k1 | |
 secp192r1 | prime192v1 | NIST P-192
 secp224k1 | |
 secp224r1 |​​ | NIST P-224
 secp256k1 | |
 secp256r1 | prime256v1 | NIST P-256
 secp384r1 | | NIST P-384
 secp521r1 | | NIST P-521
 ------------ + --------------- + -------------

  Hvad vises med det samme er, at der kun er to kurver er udvalgt af alle myndigheder, og at der er en generel dumping af Köblitz kurver ved ANSI.The kun vedtaget i fællesskab blandt de 3 myndigheder er følgende to ECC kurve: 
  •   secp192r1 / prime192v1 / NIST P-192 
  •   secp256r1 / prime256v1 / NIST P-256 
  Af dem udvalg af ECC kurven for TLS den RFC5430 springes helt Köblitz kurver og udvalgt til brug kun: 
  •   P-256, P-384, P-521 
 Den ECC Brainpool sprunget helt Köblitz kurver og udvalgt til brug følgende ECC kurver: 
  •   P-160, P-192, P-224, P-256, P-320, P-384, P-512 (det er den eneste bl.a. fordi det ikke er P-521, men P-512, den eneste nøgle-størrelse henvist af ECC brainpool. Tnx Ian Simons fra Athena SCS ) 
  Den OpenPGP Internettet udkast til ECC brug i PGP d tømmerflåde-jivsov-OpenPGP-ECC-06 springes helt Köblitz kurver og valgt følgende ECC kurver 
  •   P-256, P-384, P-521 
  Den Kerberos-protokollen udvidelse til ECC brug, der er defineret i RFC5349 og defineret af Microsoft for chipkort logon sprunget helt Köblitz kurver og valgt de følgende ECC kurver: 
  •   P-256, P-384, P-521 
  Så lyder det klart, at det rigtige valg af ECC er for P-256, P-384 og P-521, mens Koblitz kurven er sprunget over til Top Secret brug og til enhver sikkerhed følsomme protokol (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS). 
  Hvorfor jeg lavet denne analyse? 
  Jeg har gjort denne analyse efter en diskussion jeg havde med hensyn til visse stemme krypteringsprodukter, alle baseret på brugerdefinerede og proprietære protokoller, som alle bruger elliptisk kurve Diffie Hellman 571 bit / ECDH 571/571-bit ECDH / Koblitz 571 bits. 
  Alle dem med K-571, der, som beskrevet før, er blevet fjernet fra alle sikkerheds-følsomme miljø og protokoller og være mig en designer af voice kryptering ting jeg mener, at deres kryptografisk valg er absolut ikke den bedste sikkerhed valg. 
  Sandsynligvis er det blevet gjort bare for marketing formål, fordi K-571 (Koblitz kurve) virker stærkere end P-521 (elliptisk kurve baseret på Prime-nummer).  Hvis du har "mere bit" din markedsføring fyre kan hævde at være "mere sikker".  Koblitz elliptisk kurve er hurtigere end det tophemmelige aktiveret prime elliptisk kurve, og så giver produktchef en chance for at give "mere bit" i sit eget produkt og samtidig holde nøgleudveksling hurtigt. 
  Det er et spørgsmål om filosofisk valg. 
 Jeg foretrækker at følge udviklingen i videnskabelige samfund med ydmyghed ikke at overveje mig en kryptografisk ekspert, vidende mere end den generelle sikkerhed og videnskabelige samfund selv. 
  Jeg foretrækker i stedet for kun at bruge algoritmer, der er godkendt til anvendelse i meget følsomme miljøer (tophemmelige klassifikation), der er blevet udvalgt af alle de myndigheder, og arbejdsgruppen analysere krypteringsalgoritmer eksisterende ud-der, og at repræsenterer valget af næsten alle standard sikkerhed protokoller (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS, osv.). 
  Jeg foretrækker at tælle mængden af ​​hjerner arbejder på Crypto jeg bruge, at check det er virkelig sikkert, at vurdere, om der er nogle svagheder. 
  Antallet af brais arbejder på Crypto udbredte er af størrelsesorden mere end antallet af hjerner arbejder på krypto anvendes af blot få mennesker (som Koblitz kurve). 
  Så jeg er ikke dæmonisere, der bruger ECDH 571 bruger Koblitz Kurve, men for sikker på, jeg kan bekræfte, at de ikke taget det bedste valg med hensyn til sikkerhed, og at eventuelle sikkerhedsmæssige professionelle gør en sikkerhed benchmarking ville overveje det faktum, at elliptisk kurve Diffie Hellman 571 bit gøres med Koblitz Curve ikke er udbredte, er det dumpet fra standardsikkerhedsprotokoller, og det er ikke godkendt til tophemmelige brug. 
 Del 
											
  Comments (3) Tags  ,  ,  | Kommentarer (3) 

			 aflytning personlige sikkerhed teknologi 
  Talekommunikation sikkerhed værksted 
  26 August 2010 - 12:04 
  Hej, 
  Jeg lavede en snak om talekommunikation sikkerheden teknologier ved University of Trento efter en interessant udveksling af oplysninger med Crypto Lab lykkedes professor Massimiliano Sala . 
  Jeg foreslår interesserede folk til at læse den, især den anden del, da der er en innovativ kategorisering af de forskellige stemmen krypteringsteknologi, der får anvendes i flere sektorer. 
  Jeg forsøgte at forklare og komme ud fra dette meget opsplittet teknologisk sektor ved at give et bredt overblik over teknologier, der normalt er absolut uafhængige en-hver-anden, men stort set de anvender til at udtrykke kryptering efter kategorisering: 
  •   Mobile TLC Industri stemme krypteringsstandarder 
  •   Regering og Militær voice krypteringsstandarder 
  •   Offentlige sikkerhed stemme krypteringsstandarder 
  •   IETF stemme krypteringsstandarder 
  •   Misc proprietære stemme krypteringsteknologier 
  Det er en kæmpe slideware, 122 sider, vil jeg foreslå at gå læse 2. del springe aflytning teknologier overblik allerede er dækket af min præsentation af 2009. 
  Talekommunikation sikkerhed 



  Især Jeg kan godt lide konceptet Chokolade kryptering, der ønsker at give nogle innovation på Snake Oil Kryptering koncept. 
 Men jeg er nødt til at få mere i dybden om Chokolade kryptering sammenhæng, vil sandsynligvis gøre inden udgangen af året ved at give en påført kursus på forståelse og evaluering næsten reel sikkerhed sammenhæng med forskellige voice krypteringsteknologier. 
 Del 
  Comment (0) Tags  ,  ,  ,  | Kommentar (0) 
  intelligens aflytning personlige sikkerhed teknologi 
  GSM revner i penetration test metoder (OSSTMM)? 
  23 juli 2010 - 8:16 am 
  Da de fleste af denne blog læser allerede kender, i tidligere år var der en masse aktiviteter i forbindelse med den offentlige forskning for GSM revision og revner. 
  Men da der var stor mediedækning til GSM revner forskningsresultater, at de redskaber, gøre revner var virkelig tidligt stadium, og stadig meget ineffektivt. 
  Nu Frank Stevenson , norsk cryptanalyst der allerede brød Content Scrambling System af DVD-video-disk, der deltager i A51 revner projekt startet af Karsten Nohl , udgivet Kraken , en ny forbedret version af A51 revner systemet. 
  Det er interessant at bemærke, at WiFi revner havde en lignende historie, som den første WiFi WEP cracking opdagelse var temmelig langsom i tidligere teknikker, men senere Korek, en hacker arbejder på revner koden, forbedre angrebet systemet drammatically. 
  Det er historien om sikkerhed forskningssamarbejde, du starter et forskningsprojekt, nogen følge den og forbedre det, en anden følge den og forbedret det, og ved afslutningen får du resultatet. 
  Læs mere om Kraken GSM krakning software frigivelse . 
  Og stay tuned i næste uge på blackhat konference Karsten Nohl vil forklare detaljerne i den nødvendige hardware opsætning og detaljerede instruktioner om, hvordan man gør det :-) 
  Jeg vil virkelig gerne se disse værktøjer er indarbejdet i Penetration Testing Linux Distribution BackTrack med OSSTMM metode håndhæve test af GSM aflytning og manden i midten :-) 
  Hvis tingene fortsætter på den måde og Ettus Research (Producenten af USRP2 software radio anvendes til lav pris GSM signal modtagelse) ikke vil blive taget ned, kan vi stadig se det. 
 Del 
  Comments (2) Tags  ,  ,  ,  | Kommentarer (2) 

			
  business management personlige sikkerhed teknologi 
  Snake-olie sikkerhed fordringer på krypto sikkerhed produkt 
  19 juli 2010 - 21:33 
  Sikkerhed markedet vokser, flere virksomheder går til markedet, men hvor mange af dem tager alvorligt, hvad de gør? 
  Du ved, at gøre sikkerhedsteknologi betyder, at du er personligt ansvarlig for beskyttelsen af brugerens oplysninger.  Du skal gøre dem bevidste om, hvad de har brug for, præcis, hvad du gør, og hvilken form for trussel model dit produkt beskytte. 
  Et typisk problem med produktets sikkerhedsfunktioner er repræsenteret ved manglende evne til brugeren at vurdere de sikkerhedsmæssige krav selve produktet. 
  Så der er en masse selskaber, der driver en ikke-så-etisk markedsføring af sikkerhedsfunktioner, baseret på det faktum, at ingen brugere vil være i stand til at evaluere den. 
  Den tidligere forklaret situationen opholde sig i sikkerhed emnet Snake Oil kryptering, en udvikling i den videnskabelige kryptografiske miljø, så lad os i dag bruger det bedste af racen informations-teknologi til beskyttelse uden at skulle bekymre sig for meget om bagdøre eller usikkerhed. 
  Lad os tale om Snake Oil Kryptering 
  Snake Oil Kryptografi : I kryptografi , er kvaksalveri et udtryk der bruges til at beskrive kommercielle kryptografiske metoder og produkter, der anses for falske eller svigagtige.  Adskille sikker kryptografi fra usikre kryptografi kan være vanskelig set ud fra en bruger.  Mange kryptografer, såsom Bruce Schneier og Phil Zimmermann , forpligter sig til at uddanne offentligheden i, hvordan sikker kryptering er gjort, samt fokus på vildledende markedsføring af nogle kryptografiske produkter. 
  Den mest anvendte Crypto sikkerhed guru, Philip Zimmermann og Bruce Schneier, var 1. at tale om Snake Oil Kryptering: 
 Snake Oil af Philip Zimmermann 
  Snake Oil af Bruce Schneier 
  Den Michigan Telekommunikation og Teknologi Law Review også lavet en meget god analyse relateret til sikkerhedsfunktionerne i Security Products, SNAKE-OIL sikkerhedskrav "Den systematiske Forfalskning af Product Security . De fortæller om de grimme marketing tricks der bruges til at justere brugernes manglende evne til at evaluere sikkerhedsfunktioner, herunder økonomisk og juridisk ansvar for konsekvenser. 
  Very famous is the sentence of Russ Nelson : Flere slange olie sikkerhedsprodukt selskaber ikke forklare og er ikke klar over den trussel model, som produktet anvender meget berømte er punktum. Russ Nelson : 
  "Husk, Crypto uden en trussel model er som cookies uden mælk.  .....  Kryptering uden en trussel model er som moderskabet uden æbletærte.  Kan ikke sige, at nok gange.  Mere generelt sikkerhed uden trussel model definition vil mislykkes. " 
  Så, hvordan du spotter slangeolie-sikkerhedsprodukter? 
  Kontroller en retningslinje for at spotte Snake Oil krypteringsprodukter: Snake Oil advarselstegn, kryptering software for at undgå af Matt Curtin . 
  Du kan se denne meget gode Kryptografiske Snake Oil Eksempler af Emility Ratliff (IBM arkitekt på Linux Security), der forsøgte at gøre det klart eksempel på, hvordan man kan spotte Kryptografisk Snake Oil. 
  Her repræsenterede den grundlæggende vejledning fra Matt Curtin papir: 
 
  Ved at kontrollere, at punkter er det muligt at vurdere, hvor alvorlig en krypteringsteknologi eller produktet er. 
 Men alt i alt, hvordan du løser at uetisk sikkerhed tilgang? 
 
  Det er meget signifikante og det ville være virkelig nyttig for hver form for sikkerhed produktkategori for at gøre nogle stærkt og uafhængig evaluering retningslinje (som OSSTMM for Penetration test), at denne sikkerhed evalueringsproces virkelig i hænderne på brugeren. 
  Det ville også være meget rart at have nogen der laver analyse og evaluering af sikkerhedsprodukt virksomheder, offentliggøre rapporter om Snake Oil tegn. 
 Del 
  Comments (3) Tags  ,  ,  ,  ,  ,  ,  | Kommentarer (3) 
  Beskyttelse af personlige sikkerhed teknologi 
  AES algoritme udvalgt til anvendelse i rummet 
  8 juli, 2010 - 12:37 
  Jeg mødte en dejlig papir om analyser og overvejelser om hvilken kryptering algoritme det er bedst egnet til brug i rummet ved rumskibet og udstyr. 
 The paper has been done by the Consultative Committee for Space Data Systems that's a consortium of all space agency around that cumulatively handled more than 400 mission to space . 
topban.jpg
  Læs papiret Encryption Algorithm Handel Survey , som det giver interessante overvejelser og sammenligning mellem forskellige krypteringsalgoritmer. 
  Naturligvis den endeligt valgte algoritme er AES , mens Kasumi (bruges i UMTS-netværk) blev undgået. 
 Del 
  Comment (0) Tags  ,  | Kommentar (0) 
 business intelligence interception Privacy security technology 
 Blackberry Security and Encryption: Devil or Angel? 
  7 juli 2010 - 10:39 

					
  Blackberry har gode og dårlige ry med hensyn til hans sikkerhed kapacitet, afhængig af fra hvilken vinkel man ser på det. 
  Dette indlæg er det en sammenfattet sæt af oplysninger at lade læseren får billede, uden at tage meget en stilling som RIM og Blackberry kan overvejes, afhængigt af synspunkt, en meget sikker platform eller en ekstremt farlig en. 
 bblock.jpg 
  Lad os går på. 
 På den ene side Blackberry det er en platform masser af kryptering funktioner, sikkerhedsfunktioner overalt, enhed krypteret (med custom crypto), kommunikation krypteret (med brugerdefinerede proprietære protokoller som f.eks IOPP'er), meget gode Avancerede sikkerhedsindstillinger, Kryptering ramme fra Certicom ( nu ejet af RIM ). 
 On the other side they does not provide only a device but an overlay access network, called BIS ( Blackberry Internet Service ), that's a global worldwide wide area network where your blackberry enter while you browse or checkmail using blackberry.net AP. 
  Når du, eller et program, skal du bruge blackberry.net APN du ikke bare at forbinde til internettet med luftfartsselskabet internetforbindelse, men du indtaster inde i RIM netværk, der vil proxy og fungere som en gateway for at nå internettet. 
  Det samme sker, når du har en virksomhedernes brug: Både BB enheden og virksomhedernes BES forbindelse til RIM netværk, der fungerer som en slags VPN koncentration netværk . 
  Så dybest set alle de meddelelser krydser lavpunktet RIM serviceinfrastruktur i krypteret format med en række proprietære kryptering og kommunikationsprotokoller. 
 Just as a notice, think that google to provide gtalk over blackberry.net APN, made an agreement in order to offer service inside the BB network to the BB users. When you install gtalk you get added 3 service books that point to GTALKNA01 that's the name of GTALK gateway inside the RIM network to allow intra-BIS communication and act as a GTALK gateway to the internet. 
 The mobile operators usually are not even allowed to inspect the traffic between the Blackberry device and the Blackberry Network. 
 So RIM and Blackberry are somehow unique for their approach as they provide a platform, a network and a service all bundled together and you cannot just “get the device and the software” but the user and the corporate are always bound and connected to the service network. 
 That's good and that's bad, because it means that RIM provide extremely good security features and capabilities to protect information, device and access to information at various level against third party . 
 But it's always difficult to estimate the threat and risk related to RIM itself and who could make political pressure against RIM. 
 Please consider that i am not saying “RIM is looking at your data” but making an objective risk analysis: for how the platform is done RIM have authority on the device, on the information on-the-device and on the information that cross the network. (Read my Mobile Security Slides ). 
 For example let's consider the very same context for Nokia phones. 
 Once the Nokia device is sold, Nokia does not have authority on the device, nor on the information on-the-device nor on the information that cross the network. But it's also true that Nokia just provide the device and does not provide the value added services such as the Enterprise integration (The RIM VPN tunnel), the BIS access network and all the local and remote security provisioned features that Blackberry provide. 
 So it's a matter of considering the risk context in the proper way when choosing the platform, with an example very similar to choosing Microsoft Exchange Server (on your own service) or whether getting a SaaS service like Google Apps. 
 In both case you need to trust the provider, but in first example you need to trust Microsoft that does not put a backdoor on the software while in the 2nd example you need to trust Google, as a platform and service provider, that does not access your information. 
 So it's a different paradigm to be evaluated depending on your threat model. 
 If your threat model let you consider RIM as a trusted third party service provider (much like google) than it's ok. If you have a very high risk context, like top-secret one, then let's consider and evaluate carefully whether it's not better to keep the Blackberry services fully isolated from the device or use another system without interaction with manufacturer servers and services. 
 Now, let's get back to some research and some facts about blackberry and blackberry security itself. 
 First of all several governments had to deal with RIM in order to force them to provide access to the information that cross their service networks while other decided to directly ban Blackberry usage for high officials because of servers located in UK and USA, while other decided to install their own backdoors. 
 There's a lot of discussion when the topics are RIM Blackberry and Governments for various reasons. 
 Below a set of official Security related information on RIM blackberry platform: 
  Og her et sæt af uofficiel sikkerhed og Hacking relaterede oplysninger om RIM Blackberry platform: 
  Fordi det er 23,32 (GMT +1), jeg er træt, jeg tror, ​​at denne stilling vil ende her. 
  Jeg håber at have givet læseren en række nyttige oplysninger og overvejelser at gå mere i dybden med at analysere og overveje den samlede brombær sikkerhed (i det gode og det dårlige, det altid afhænger af din trussel model!). 
  Skål 
  Fabio Pietrosanti (Naif) 
  ps jeg er administrerende sikkerhed teknologisk udvikling (voice kryptering tech) på BlackBerry-platform, og jeg kan fortælle dig, at fra udviklingen synspunkt er det absolut bedre end Nokia med hensyn til kompatibilitet og hastigheden af ​​udviklingen, men kun bruge RIMOS 5,0 +! 
 Del 
  Comments (3) Tags  og  og  og  og  | Kommentarer (3) 
  Beskyttelse af personlige sikkerhed teknologi 
  Botnet til RSA revner? 
  30 juni 2010 - 02:29 
  Jeg læste en interessant artikel om at sætte 1.000.000 computere, får chancen for en alvorlig botnet ejeren til at få det, at knække RSA. 
  Resultatet er, at i en sådan sammenhæng angribe en RSA 1024bit nøgle ville kun tage 28 år, i forhold til teoretiske 19 milliarder år. 
  Læsning af denne artikel , er yderst interessant, fordi det giver vores meget vigtig overvejelse på kryptografi styrke i forhold til beregningen strøm, der kræves til at drive revner forsøg, sammen med industrien tilgang til "default security level". 
  Jeg vil sige en skal læse. 
 Del 
  Comment (0) Tags  ,  | Kommentar (0) 
  business cyberkrigsførelse intelligence personlige sikkerhed teknologi 
  Kina Kryptering forordninger 
  16 juni 2010 - 13:11 
  Hej alle, 
  Jeg fandt dette meget interessant oplæg om Kina Kryptering import / eksport / nationale bestemmelser udført af Baker & McKenzie i USA. 
 Det er stærkt forretnings-og reguleringsmæssige orienteret giver et meget godt klaret syn på, hvordan Kina regler fungerer, og hvordan den kan opføre sig i fremtiden. 
  Læs her Dekryptering Kinas Kryptering 's forordninger (formular Bakernet hjemmeside). 
 Del 
  Comment (0) Tags  ,  ,  ,  ,  | Kommentar (0) 
  cyberkrigsførelse intelligens aflytning sikkerhed 
  Den (gamle) Crypto AG tilfælde og noget at tænke over det 
  7 jun 2010 - 18:40 
  I '90, closed source og proprietær kryptografi blev regere verden. 
  Det er før open source og videnskabeligt godkendte krypterede teknologier gik ud som en bedste praksis for at gøre crypto ting. 
  Jeg vil gerne minde, når i 1992, USA sammen med Israel var, sammen med Schweiz, giver backdoored (proprietære og hemmelige), teknologier til iranske regering til at trykke deres kommunikation, snyder dem til at tro, at den anvendte løsning var sikkert, at også nogle overvejelser om denne dag i 2010. 
caq63crypto.t.jpg
  Det kaldes The Crypto AG tilfælde , en historisk kendsgerning involverer USA National Security Agency sammen med Signal Intelligence Division Israels forsvarsministerium , som er stærkt mistænkt for at havde lavet en aftale med Det Schweiziske kryptografi-producent virksomhed Crypto AG . 
  Dybest set disse enheder placeret en bagdør i den sikre krypto udstyr, de gav til Iran for at opsnappe iranske kommunikation. 
  Deres Crypto var baseret på hemmelige og proprietære krypteringsalgoritmer udviklet af Crypto AG og i sidste ende skræddersyet til den iranske regering. 
  Du kan læse nogle andre fakta om Crypto AG tilbagedatere relaterede emner: 
  Lukningen af den globale telekommunikation sikkerhed 
  NSA-Crypto AG brod 
  Breaking koder:? En umulig opgave Af BBC 
  Der Spiegel Crypto AG (tysk) artiklen 
  Nu, i 2010, vi alle kender og forstår, at hemmelige og proprietære crypto ikke virker. 
  Bare nogle reference af top på verdensplan kryptografiske eksperter nedenfor: 
  Hemmeligholdelse, sikkerhed, ubemærkethed af Bruce Schneier 
  Bare sige nej til Farmaceutiske kryptografiske algoritmer ved Network Computing (Mike Fratto) 
  Sikkerhed gennem utilgængelighed af Ceria Purdue University 
  Frigørelse af Secrets of Crypto: Cryptography, kryptering og kryptologi forklares af Symantec 
  Tid ændre den måde, tingene bliver kontaktet. 
  Jeg holder meget af den berømte Philip Zimmermann påstand: 
 "Kryptografi plejede at være en obskur videnskab, af ringe betydning for hverdagen.  Historisk, det altid haft en særlig rolle i militære og diplomatiske kommunikation.  Men i Information Age, er kryptografi om politisk magt, og især, om magtforholdet mellem en regering og dets folk.  Det handler om retten til privatlivets fred, ytringsfrihed, frihed til politisk associering, pressefrihed, frihed fra urimelig ransagning og beslaglæggelse, frihed til at være alene. " 
  Enhver videnskabsmand i dag acceptere og godkende Kerckhoffs princippet om , at i 1883 i Cryptographie Militaire papiret udtalte: 
  Sikkerheden af et kryptosystem bør ikke afhænge af at holde algoritme hemmelig, men kun på at holde numeriske tast hemmelighed. 
 
  Det er helt klart, at den bedste praksis for at gøre kryptering dag obbly enhver seriøs person at gøre åben kryptografi, til genstand for offentlig undersøgelse, og at følge Kerckhoff princippet. 
  Så, hvad vi bør tænke på closed source, proprietær kryptering, der er baseret på sikkerhedsmæssige trough ubemærkethed begreber? 
  Jeg var meget forbavset, da I DAG, i 2010, i en alder af informationssamfundet jeg læste noget papir på Crypto AG hjemmeside. 
  Jeg opfordrer alle til at læse Crypto AG sikkerhed papir kaldet avancerede sikkerheds arkitektur designet af Crypto AG , som du kan få en betydelig uddrag nedenfor: 
  Udformningen af denne arkitektur gør det muligt Crypto AG for at give et hemmeligt proprietært algoritme, der kan specificeres for hver enkelt kunde for at sikre den perfekte grad af kryptografisk sikkerhed og optimal støtte til kundens sikkerhedspolitik.  Til gengæld giver Security Architecture dig den indflydelse, du har brug for at være fuldstændig uafhængig i forbindelse med din kryptering løsning.  Du kan bestemme alle områder, der er omfattet af kryptografi og kontrollere, hvordan algoritmen virker. Den oprindelige hemmeligt proprietært algoritme af Crypto AG er grundlaget for Sikkerhed arkitektur. 
  Jeg må sige, at deres arkitektur er absolut godt fra TLC synspunkt.  Også de har gjort et godt stykke arbejde i at gøre udformningen af den overordnede arkitektur for at gøre en pillesikker resistent krypto-system ved hjælp af dedikeret crypto processor . 
  Der er dog stadig mangler noget: 
  T han samlede kryptografisk koncept er misvisende, baseret på forkerte kryptering begreber. 
  Du tror måske, at jeg er en trold fortæller dette, men da historien om Crypto AG og i betragtning af, at alle videnskabelige og sikkerhed samfund ikke godkende sikringsplaner trough dunkelhed begreber, ville det legitimt at spørge os selv: 
  Hvorfor de stadig gør sikkerhed lavpunkt ubemærkethed kryptografi med hemmelige og proprietære algoritmer? 


  Hey, jeg tror, ​​at de har meget stor viden om telekommunikation og sikkerhed, men i betragtning af, at videnskaben fortæller os ikke at følge hemmeligholdelse af algoritmer, jeg har virkelig alvorlig tvivl om, hvorfor de stadig giver proprietære kryptering og ikke flytte til standardløsninger (eventuelt med en form for brugerdefinerede ekstraudstyr). 
 
 Del 
  Comment (0) Tags  ,  ,  ,  | Kommentar (0) 
  virksomhed aflytning personlige sikkerhed teknologi 
  Mobile Security snak på WHYMCA konference 
  2 juni, 2010 - 19:56 
  Jeg vil gerne dele nogle dias jeg plejede at tale om mobil sikkerhed på whymca mobile konference i Milano. 
  Læs her mine dias på mobil sikkerhed . 
  De slides giver en bred en tilbundsgående overblik over mobile sikkerhedsrelaterede spørgsmål, skal jeg gøre noget slidecast om det sætte også lyd.  Måske vil gøre, måske ikke, det afhænger af tid, der er altid en utilstrækkelig ressource. 
 Del 
  Comment (0) Tags  ,  ,  ,  ,  ,  ,  | Kommentar (0) 
  Beskyttelse af personlige sikkerhed teknologi 
  iPhone PIN-kode: ubrugelig kryptering 
  1. juni 2010 - 02:53 
  Jeg har for nylig skiftet en af ​​mine mange mobiltelefoner, som jeg går rundt til iPhone. 
  Jeg er især bekymret for databeskyttelse i tilfælde af tyveri, og så begyndte at få et kig rundt om iPhone ydede beskyttelse system. 
  Der er en interessant sæt af iPhone Business Security Funktioner , der gør mig til at tænke, at iPhone går i den rigtige vej til sikring af telefonen, men stadig en masse ting der skal gøres, især for seriøs Enterprise og offentlige brugere. 
201006011551.jpg
  For eksempel viste det sig, at iPhone PIN-beskyttelse er ubrugelig, og den kan brydes bare at tilslutte iPhone til en Linux-maskine og få adgang til enheden som en USB-stick. 
  Det er noget forstyrre min paranoide mentalitet, der gør mig til at tænke om ikke at bruge følsomme data på min iPhone, hvis jeg ikke kan beskytte mine data. 
  Sandsynligvis en iPhone uafhængig disk kryptering produkt ville være meget nyttige for at lade markedet opretter beskyttede skemaer, der passer til de forskellige risikofaktorer sammenhænge, ​​at forskellige brugere kan have. 
  Sandsynligvis en almindelig forbruger er ikke bekymret for denne PIN-sårbarhed, men for mig, arbejder inden for meget fortrolige envirnonment såsom efterretnings-, økonomi og militær, det er noget, jeg ikke kan acceptere. 
  Jeg har brug for en stærk kryptering på min mobiltelefon. 
  Jeg gør stærk stemme kryptering for det , men det ville virkelig være rart også at have noget at beskytte hele iPhone data og ikke blot telefonopkald. 
 Del 
  Comment (0) Tags  ,  ,  ,  ,  | Kommentar (0) 
  Kudos personlige sikkerhed teknologi 
  Exploit koden mod SecurStar DriveCrypt offentliggjort 
  25 Maj 2010 - 05:00 
  Det lader til, at hacking samfund eller anden måde gerne målrette securstar produkter, måske fordi hacking samfund ikke kan lide den ofte afsløret uetisk strategi, der allerede tidligere beskrevet i denne blog ved at artikler og brugerens kommentarer. 
  I 2004 en masse anklage mod Hafner af SecurStar gik ud på grund af påståede tyveri af intellektuel ejendom om opensource-koder , såsom kryptering 4 masserne og juridiske annonce også imod Gratis og opensource TrueCrypt projekt. 
 In 2008 there was a pre-boot authentication hacking against DriveCrypt Plus posted on Full-Disclosure. 
 Early 2010 it was the time of the fake infosecurity research secretly sponsored by securstar at http://infosecurityguard.com (that now they tried to remove from the web because of embarrassing situation, but backup of the story are available, hacking community still wait for apologies) . 
 Nu midten af 2010, efter en forskning offentliggjort i december 2009 om Disk Kryptering sårbarheder i software fra Neil Kettle (mu-b), Sikkerhed forsker ved ciffer-laboratorier og Penetration tester på Konvergent Network Solutions , blev DriveCrypt sig at være sårbar og udnytte brud on-enhed systemets sikkerhed og udnytte kode er netop udgivet. 
  Exploit koden rapporteret nedenfor (tak Neil for koden release!): 
  •  Vilkårlig fil læsning / skrivning sikkerhed udnytte via ukontrollerede brugerdefinerede parametre til ZxCreateFile / ReadFile / WriteFile: drivecrypt-fopen.c 
  Den exploit-kode er blevet testet mod DriveCrypt 5,3, der i øjeblikket udgivet DriveCrypt 5,4 er rapporteret til at være sårbar for som det har kun mindre ændringer i forbindelse med Win7 kompatibilitet.  Kan man lave en dobbelt kontrol og rapportere en kommentar her? 
  Meget godt job Neil! 
  I mellemtiden Free TrueCrypt er nok det foretrukne valg for disk kryptering, eftersom det er svært at have tillid til DriveCrypt, er PGP blevet opkøbt af Symantec , og der er meget dårlige rygter om den tillid, folk har i Symantec og der er ikke mange bredt tilgængelige alternativer. 
  Rygter siger, at også PhoneCrypt binære filer er at blive analyseret, og det proprietære kryptering systemet kunne afsløre noget sjovt ... 
 Del 
  Comment (0) Tags  ,  ,  ,  | Kommentar (0) 
  aflytning personlige sikkerhed teknologi 
  Kvantekryptografi brudt 
  20 Maj 2010 - 20:15 
  Kvantekryptografi det er noget meget udfordrende, krypteringsmetoder, der udnytter loven om phisycs at sikre kommunikationen over fiber linjer. 
To oversimplify the system is based on the fact that if someone cut the fiber, put a tap in the middle, and joint together the other side of the fiber, the amount of “errors” that will be on the communications path will be higher than 20% . 
 So if QBER (Quantum Bit Error Rate) goes above 20% then it's assumed that the system is intercepted. 
 Researcher at university of toronto was able to cheat the system with a staying below the 20%, at 19.7% , thus tweaking the threshold used by the system to consider the communication channel secure vs compromised. 
 The product found vulnerable is called Cerberis Layer2 and produced by the Swiss ID Quantique . 
 Some possibile approach to detect the attack has been provided but probably, imho, such kind of systems does not have to be considered 100% reliable until the technology will be mature enough. 
 Traditional encryption has to be used together till several years, eventually bundled with quantum encryption whether applicable. 
 When we will see a quantum encryption systems on an RFC like we have seen for ZRTP , PGP and SSL ? 
 -naif 
 Del 
 Tags  ,  ,  | Comment (0) 
  Beskyttelse af personlige sikkerhed teknologi 

				
 great point of view 
 20 April 2010 – 6:50 pm 
Because security of a cryptographic system it's not a matter of “how many bits do i use” but using the right approach to do the right thing to mitigate the defined security risk in the most balanced way. 
 security.png 
 Del 
 Tags  ,  ,  | Comment (0) 
  Beskyttelse af personlige sikkerhed teknologi 
 Encryption is not scrambling: be aware of scrambler! 
 20 April 2010 – 5:50 pm 
 Most of us know about voice scrambler that can be used across almost any kind of voice based communication technology. 
 Extremely flexible approach: works everything 
 Extreme performance: very low latency 
 but unfortunately… 
 Extremely weak: Scrambling cannot be considered secure. 
 Only encryption can be considered secure under the Kerckoff's principle . 
 So please don't even consider any kind of analog scrambler if you need real security. 
 Read deeply the paper Implementation of a real-time voice encryption system ” by Markus Brandau, especially the cryptoanalysis paragraph. 
 Del 

							 Comment (0) Tags  ,  ,  ,  ,  | Kommentar (0) 

			business interception Privacy technology 
 SecurStar GmbH Phonecrypt answers on the Infosecurityguard/Notrax case: absolutely unreasonable! :-) 
 1 February 2010 – 6:04 pm 
 UPDATE 20.04.2010: http://infosecurityguard.com has been disabled. Notrax identity became known to several guys in the voice security environments (cannot tell, but you can imagine, i was right!) and so our friends decided to trow away the website because of legal responsibility under UK and USA laws. 
 UPDATE: Nice summary of the whole story (i know, it's long and complicated to read at 1st time) on SIPVicious VoIP security blog by Sandro Gauci . 
 Following my discoveries, Mr. Hafner, SecurStar chief exec, tried to ultimately defend their actions, citing absolutely unreasonable excuses to The Reg instead of publicly apologizing for what they have done: creating a fake independent security research to promote their PhoneCrypt product . 
 He tried to convince us that the person behind IP 217.7.213.59, used by the author of infosecurityguard.com and pointing to their office DSL line, was this hacker Notrax, using their anonymous surfing service and not one of their employees at their office: 
“SecurStar chief exec Wilfried Hafner denied any contact with Notrax. Notrax, he said, must have been using his firm's anonymous browsing service, SurfSolo, to produce the results reported by Pietrosanti” 
 Let's reflect a moment on this sentence… Would really an hacker looking for anonymity spend 64 EUR to buy their anonymity surfing service called surfsolo instead of using the free and much more secure TOR (the onion router) ?Then let's reflect on this other piece of information: 
  •  The IP 217.7.213.59 is SecurStar GmbH's office DSL line 
  •  On 217.7.213.59 they have installed their VoIP/Asterisk PBX and internet gateway 
  • They promote their anonymous proxy service for “Anonymous p2p use” ( http://www.securstar.com/products_ssolo.php ). Who would let users do p2p from the office dsl line where they have installed their corporate VoIP PBX ? If you do VoIP you can't let third party flood your line w/ p2p traffic, your phone calls would became obviously unreliable (yes, yes, you can do QoS, but you would not place an anonymous navigation proxy on your company office DSL line…). 
  •  Which company providing an anonymous navigation service would ever use their own office IP address? Just think how many times you would have the police knocking at your door and your employees as the prime suspects. (In past i used to run a TOR node, i know the risks…). Also think how many times you would find yourself blacklisted on google as a spyware bot. 
  •  Mr. Hafner also says “We have two million people using this product. Or he may have been an old customer of ours”. 2M users on a DSL line, really? 
  •  I don't use Surfsolo service, however their proxies are probably these ones: 
surfsolo.securstar.net – 67.225.141.74 
 surfsolo.securstar.com – 69.16.211.133 
 Frankly speaking I can easily understand that Mr. Hafner is going do whatever he can to protect his company from the scandal, but the “anonymous proxy” excuse is at the very least suspicious. 
 How does the fact that the “independent research” was semantically a product review of PhoneCrypt, along with the discovery that the author come from the SecurStar GmbH IP address offices, along with the anonymity of this Notrax guy (SecurStar calls him a “well known it security professional” in their press release..) sound to you? 
 It's possible that earth will get an attack from outer space that's going to destroy our life? 
 Statistically extremely difficult, but yes, possible. More or less like the “anonymous proxy” story told by Mr. Hafner to cover the fact that they are the ones behind the infosecurityguard.com fake “independent security review”. 
 Hey, I don't need anything else to convince myself or to let the smart person have his own thoughts on this. 
I just think that the best way for SecurStar to get out of this mess would probably be to provide public excuses to the hacking community for abusing the name and reputation of real independent security researches, for the sake of a marketing stunt. 
  Regards, 
 Fabio Pietrosanti 
 ps I am currently waiting for some other infos that will more precisely confirm that what Mr. Hafner is saying is not properly true.  Stay tuned. 
 Del 

							Tags  ,  ,  ,  ,  ,  | Comment (0) 
 business interception Privacy security 
 Evidence that infosecurityguard.com/notrax is SecurStar GmbH Phonecrypt – A fake independent research on voice crypto 
 1 February 2010 – 12:32 am 
 Below evidence that the security review made by an anonymous hacker on http://infosecurityguard.com is in facts a dishonest marketing plan by the SecurStar GmbH to promote their voice crypto product. 
 I already wrote about that voice crypto analysis that appeared to me very suspicious. 
 Now it's confirmed, it's a fake independent hacker security research by SecurStar GmbH, its just a marketing trick! 
 How do we know that Infosecurityguard.com, the fake independent security research, is a marketing trick from SecurStar GmbH? 
 1) I posted on http://infosecurityguard.com a comments to a post with a link to my blog to that article on israelian ministry of defense certification 
 2) The author of http://infosecurityguard.com went to approve the comment and read the link on my own blog http://infosecurity.ch 
 3) Reaching my blog he leaked the IP address from which he was coming 217.7.213.59 (where i just clicked on from wordpress statistic interface) 
 4) On http:// 217.7.213.59/panel there is the IP PBX interface of the SecurStar GmbH corporate PBX (openly reachable trough the internet!) 
 5) The names of the internal PBX confirm 100% that it's the SecurStar GmbH: 
 6) There is 100% evidence that the anonymous hacker of http://infosecurityguard.com is from SecurStar GmbH 
 Below the data and reference that let us discover that it's all but a dishonest marketing tips and not an independent security research. 
 Kudos to Matteo Flora for it's support and for his article in Debunking Infosecurityguard identity ! 
The http referral tricks 
 When you read a link going from a website to another one there is an HTTP protocol header, the “Referral”, that tell you from which page someone is going to another webpage. 
 The referral demonstrated that the authors of http://infosecurityguard.com read my post, because it was coming from http://infosecurityguard.com/wp-admin/edit-comments.php that's the webpage you use as a wordpress author/editor to approve/refuse comments. And here there was the link. 
 That's the log entry: 
 217.7.213.59 – - [30/Jan/2010:02:56:37 -0700] “GET /20100129/licensed-by-israel-ministry-of-defense-how-things-really-works/ HTTP/1.0″ 200 5795 “ http://infosecurityguard.com/wp-admin/edit-comments.php ” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)” 
 The PBX open on the internet tell us that's SecurStar GmbH 
 The SecurStar GmbH PBX is open on the internet, it contains all the names of their employee and confirm us that the author of http:/infosecurityguard.com is that company and is the anonymous hacker called Notrax. 
Here there is their forum post where the SecurStar GmbH guys are debugging IPCOPfirewall & Asterisk together (so we see also details of what they use) where there is the ip 217.7.213.59 . 
 SecurStarproof.png 
 
 
 That's also really fun! 
 They sell secure telephony but their company telephony system is openly vulnerable on the internet .  :-) 
 I was thinking to call the CEO, Hafner, via SIP on his internal desktop PBX to announce we discovered him tricks.. :-> 
 They measured their marketing activity 
Looking at the logs of my website i found that they was sensing the google distribution of information for the following keywords, in order to understand how effectively they was able to attack competing products. It's reasonable, if you invest money in a marketing campaign you want to see the results :-) 
 They reached my blog and i logged their search: 
 infosecurityguard+cryptophone 
 infosecurityguard+gold-lock 
 217.7.213.59 – - [30/Jan/2010:02:22:42 -0700] “GET / HTTP/1.0″ 200 31057 “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)” 
 
 217.7.213.59 – - [30/Jan/2010:04:15:07 -0700] “GET HTTP/1.0″ 200 15774 “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)” 
 
 The domain registration data 
 The domain have been registered on 1st December 2009, just two months to start preparing the dishonest marketing campaign: 
Domain Name: INFOSECURITYGUARD.COM 
 Registrar: GODADDY.COM, INC. 
 Updated Date: 01-dec-2009 
 Creation Date: 01-dec-2009 
 The domain is anonymously privacy protected trough a whois privacy service: 
 Administrative Contact: Private, Registration INFOSECURITYGUARD.COM@domainsbyproxy.com , Domains by Proxy, Inc. DomainsByProxy.com 
 Notrax hacker does not exist on google 
 As you know any hacker that get public usually have presence of it's activity on google, attending mailinglists, forum, homepage, past research, participation to conferences, etc, etc. 
 The fake hacker that they wanted us to to think was writing an independent blog does NOT have any trace on google. Only some hit about an anonymous browser called Notrax but nothing about that hacker. 
 Maybe when SecurStar provided the anonymity tool to their marketing agency, to help them protecting anonymity for the fake research, their provided them the anonymous browser notrax.So the marketing guy thinking about the nickname of this fake hackers used what? Notrax! :-) 
 
 
 The “independent review”completely oriented in publicizing PhoneCrypt 
 Of the various review don the phonecrypt review is only positive and amazing good feedback, while the other are only bad feedback and no single good point. 
 As you can imagine, in any kind of independent product evaluation, for all products there are goods and bad points. No. In this one there are only product that are good and product that are bad. 
 They missed to consider the security of the technology used by the products 
 They completely avoided to speak about cryptography and security of the products. 
 They do not evaluated basic security features that must be in that kind of products.That's in order not to let anyone see that they did not followed basic security rules in building up their PhoneCrypt. 
 The technology is closed source, no transparency on algorithms and protocols, no peer review.Read my new comparison (from the basic cryptographic requirement point of view) About the voice encryption analysis (criteria, errors and different results) . 
 The results are somehow different than their one . 
 UPDATE: Who's Wilfried Hafner (SecurStar founder) ? 
 I got a notice from a reader regarding Wilfred Hafner, SecurStar founder, CEO and security expert. 
 He was arrested in 1997 for telephony related fraud (check 2nd article on Phrack) earning from telephony fraud 254.000 USD causing damages to local telcos trough blueboxing for 1.15 Million USD. 
 He was not doing “Blueboxing” for the pleasure of phreaking and connecting with other hackers, but to earn money. 
 Hacking for profit (and not for fun) in 1997… brrr…. No hacker's ethic at all! 
 All in all, is that lawful? 
 Badmouthing a competitor amounts to an unfair competition practice in most jurisdictions, so it is arguable (to say the least) that SecurStar is right on a legally sound ground here. 
 Moreover, there are some specific statutes in certain jurisdictions which provide for a straightforward ban on the practice we are talking about. For example in the UK the British Institute of Practitioners in Advertising - in compliance with the Consumer protection from Unfair Trading regulation – ruled that: 
 ”falsely claiming or creating the impression that the trader is not acting for the purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer” is a criminal offense . 
We have no doubt that PRPR (which is the UK-based *PR company for SecurStar GmbH, led by Peter Rennison and Allie Andrews as stated in SecurStar Press Release ) did provide their client with this information. Heck, they *are* in the UK, they simply cannot ignore that! 
 
 IANAL, but I would not be surpised if someone filed a criminal complaint or start civil litigation for unfair competition against SecurStar GmbH. 
 Whether this is going to be a matter for criminal and/or civil Courts or not is not that important. However, it is clear enough that SecurStar GmbH appears to be at least ethically questionable and not really worth of trust. 
 Nice try, gentlemen… however, next time just do it right (whether “right” for them means “in a honest manner” or “in a fashion not to be caught” I will let them choose)” 
 
 Fabio Pietrosanti (naif) 
 Del 

						
 Tags  ,  ,  ,  ,  ,  | Comments (7) 
 business interception Privacy security technology 
 About the SecurStar GmbH Phonecrypt voice encryption analysis (criteria, errors and different results) 
 30 January 2010 – 2:02 am 

					
 This article want to clarify and better explain the finding at infosecurityguard.com regaring voice encryption product evaluation. 
 This article want to tell you a different point of view other than infosecurityguard.com and explaining which are the rational with extensive explaination from security point of view. 
 Today i read news saying: “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products and went to read the website infosecurityguard . 
 Initially it appeared to my like a great research activity but then i started reading deeply the read about it.I found that it's not properly a security research but there is are concrete elements that's a marketing campaign well done in order to attract public media and publicize a product. 
 Imho they was able to cheat journalists and users because the marketing campaign was absolutely well done not to be discovered on 1st read attempt. I personally considered it like a valid one on 1st ready (they cheated me initially!). 
But if you go deeply… you will understand that: 
 - it's a camouflage marketing initiative arranged by SecurStar GmbH and not a independent security research 
 - they consider a only security context where local device has been compromised (no software can be secured in that case, like saying SSL can be compromised if you have a trojan!) 
 - they do not consider any basic security and cryptographic security criteria 
 
 However a lot of important website reported it: 
 This article is quite long, if you read it you will understand better what's going on around infosecurityguard.com research and research result. 
 I want to to tell you why and how (imho) they are wrong. 
 The research missed to consider Security, Cryptography and Transparency! 
 Well, all this research sound much like being focused on the marketing goal to say that their PhoneCrypt product is the “super” product best of all the other ones. 
 Any security expert that would have as duty the “software evaluation” in order to protect the confidentiality of phone calls will evaluate other different characteristics of the product and the technology. 
 Yes, it's true that most of the product described by SecurStar in their anonymous marketing website called http://infosecurityguard.com have some weakness. 
 But the relevant weakness are others and PhoneCrypt unfortunately, like most of the described products suffer from this. 
 Let's review which characteristics are needed basic cryptography and security requirement (the best practice, the foundation and the basics!) 
 a – Security Trough Obscurity does not work 
 A basic rule in cryptography cames from 1883 by Auguste Kerckhoffs: 
 In a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm. 
 Modern cryptographers have embraced this principle, calling anything else “security by obscurity.” 
 Read what Bruce Schneir, recognized expert and cryptographer in the world say about this 
 Any security expert will tell you that's true. Even a novice university student will tell you that's true. Simply because that's the only way to do cryptography. 
 Almost all product described in the review by SecurStar GmbH, include PhoneCrypt, does not provide precise details about their cryptographic technologies. 
 Precise details are: 
  •  Detailed specification of cryptographic algorithm (that's not just saying “we use AES “) 
  •  Detailed specification of cryptographic protocol (that's not just saying “we use Diffie Hellman ” ) 
  •  Detailed specification of measuring the cryptographic strenght (that's not just saying “we have 10000000 bit key size “) 
 Providing precise details means having extensive documentation with theoretical and practical implications documenting ANY single way of how the algorithm works, how the protocol works with precise specification to replicate it for interoperability testing. 
 It means that scientific community should be able to play with the technology, audit it, hack it. 
 If we don't know anything about the cryptographic system in details, how can we know which are the weakness and strength points? 
 Mike Fratto, Site editor of Network Computing, made a great article on “Saying NO to proprietary cryptographic systems” . 
 Cerias Purdue University tell this . 
 b – NON peer reviewed and NON scientifically approved Cryptography does not work 
In any case and in any condition you do cryptography you need to be sure that someone else will check, review, analyze, distruct and reconstract from scratch your technology and provide those information free to the public for open discussion. 
 That's exactly how AES was born and like US National Institute of Standard make crypto does (with public contest with public peer review where only the best evaluated win). 
 A public discussion with a public contest where the a lot of review by most famous and expert cryptographer in the world, hackers (with their name,surname and face, not like Notrax) provide their contribution, tell what they thinks. 
 That's called “peer review”. 
 If a cryptographic technology has an extended and important peer review, distributed in the world coming from universities, private security companies, military institutions, hackers and all coming from different part of the world (from USA to Europe to Russia to South America to Middle east to China) and all of them agree that a specific technology it's secure… 
 Well, in that case we can consider the technology secure because a lot of entities with good reputation and authority coming from a lot of different place in the world have publicly reviewed, analyzed and confirmed that a technology it's secure. 
How a private company can even think to invent on it's own a secure communication protocol when it's scientifically stated that it's not possible to do it in a “proprietary and closed way” ? 
 IBM tell you that peer review it's required for cryptography . 
 Bruce Schneier tell you that “Good cryptographers know that nothing substitutes for extensive peer review and years of analysis.” 
 Philip Zimmermann will tell you to beware of Snake Oil where the story is: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.” 
 c – Closed source cryptography does not work 
 As you know any kind of “serious” and with “good reputation” cryptographic technology is implemented in opensource. 
 There are usually multiple implementation of the same cryptographic algorithm and cryptographic protocol to be able to review all the way it works and certify the interoperability. 
 Supposing to use a standard with precise and extended details on “how it works”, that has been “peer reviewed” by the scientific community BUT that has been re-implemented from scratch by a not so smart programmer and the implementation it's plenty of bugs. 
 Well, if the implementation is “opensource” this means that it can be reviewed, improved, tested, audited and the end user will certaintly have in it's own had a piece of technology “that works safely” . 
 Google release opensource crypto toolkit 
 Mozilla release opensource crypto toolkit 
 Bruce Schneier tell you that Cryptography must be opensource . 
 Another cryptographic point of view 
 I don't want to convince anyone but just provide facts related to science, related to cryptography and security in order to reduce the effect of misinformation done by security companies whose only goes is to sell you something and not to do something that make the world a better. 
 When you do secure products, if they are not done following the proper approach people could die. 
 It's absolutely something irresponsible not to use best practice to do crypto stuff. 
 To summarize let's review the infosecurityguard.com review from a security best pratice point of view. 
 Product name  Security Trough Obscurity  Public peer review  Open Source  Compromise locally? 
 Caspertec  Obscurity  No public review  Closed   Ja 
 CellCrypt  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 Cryptophone  Transparency  Limited public review  Public   Ja 
 Gold-Lock  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 Illix  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 No1.BC  Obscurity  No public review 
 		 Closed 
 		  Ja 
 PhoneCrypt  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 Rode&Swarz  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 Secure-Voice  Obscurity 
 		
 No public review 
 		 Closed 
 		  Ja 
 SecuSmart  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 SecVoice  Obscurity 
 		 No public review 
 		 Closed 
 		
  Ja 
  SegureGSM  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 SnapCell  Obscurity 
 		 No public review 
 		 Closed 
 		  Ja 
 Tripleton  Obscurity 
 		
 No public review 
 		 Closed 
 		  Ja 
 Zfone  Transparency  Public review 
 		 Open   Ja 
 ZRTP  Transparency  Public review 
 		 Open   Ja 
*Green means that it match basic requirement for a cryptographic secure system 
 * Red / Broken means that it does not match basic requirement for a cryptographic secure system 
 That's my analysis using a evaluation method based on cryptographic and security parameters not including the local compromise context that i consider useless. 
 However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation that appears like i am promoting other products). So it may absolutely possible that a product with good crypto ( transparency, peer reviewed and opensource) is absolutely a not secure product because of whatever reason (badly written, not usable causing user not to use it and use cleartext calls, politically compromised, etc, etc). 
 I think i will prepare a broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much practical to have a full transparent set of criterias to evaluate it. 
 But those are really the basis of security to be matched for a good voice encryption system! 
 Read some useful past slides on security protocols used in voice encryption systems (2nd part). 
 Now read below some more practical doubt about their research. 
 The security concept of the review is misleading: any hacked device can be always intercepted! 
 I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED 
 Now they are pointing out that also Zfone from Philip Zimmermann is broken (a pc software), just because they install a trojan on a PC like in a mobile phone? 
 Any security software rely on the fact that the underlying operating system is somehow trusted and preserve the integrity of the environment where the software run. 
  •  If you have a disk encryption system but your PC if infected by a trojan, the computer is already compromised. 
  •  If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised. 
  • If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised. 
 No matter which software you are running, in such case the security of your operating environment is compromised and in one way or another way all the information integrity and confidentiality is compromised. 
 Like i explained above how to intercept PhoneCrypt. 
 The only things that can protect you from this threat is running in a closed operating system with Trust Computing capability, implementing it properly. 
 For sure on any “Open” operating system such us Windows, Windows Mobile, Linux, iPhone or Android there's no chance to really protect a software. 
 On difficult operating system such as Symbian OS or RimOS maybe the running software can be protected (at least partially) 
 That's the reason for which the security concept that guys are leveraging to carry on their marketing campaign has no clue. 
 It's just because they control the environment, they know Flexispy software and so they adjusted their software not to be interceptable when Flexispy is installed. 
 If you develop a trojan with the other techniques i described above you will 100% intercept PhoneCrypt. 
On that subject also Dustin Tamme l, Security researcher of BreakPoint Systems , pointed on on VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts . 
 The PhoneCrypt can be intercepted: it's just that they don't wanted to tell you! 
 PhoneCrypt can be intercepted with “on device spyware”. 
  Hvorfor? 
 Because Windows Mobile is an unsecure operating environment and PhoneCrypt runs on Windows Mobile. 
 Windows Mobile does not use Trusted Computing and so any software can do anything. 
 The platform choice for a secure telephony system is important. 
 How? 
 I quickly discussed with some knowledgeable windows mobile hackers about 2 different way to intercept PhoneCrypt with an on-device spyware (given the unsecure Windows Mobile Platform). 
 a) Inject a malicious DLL into the software and intercept from within the Phonecrypt itself. 
 In Windows Mobile any software can be subject to DLL code injection. 
 What an attacker can do is to inject into the PhoneCrypt software (or any software running on the phone), hooking the Audio related functions acting as a “function proxy” between the PhoneCrypt and the real API to record/play audio. 
 It's a matter of “hooking” only 2 functions, the one that record and the one that play audio. 
 Read the official Microsoft documentation on how to do DLL injection on Windows Mobile processes. or forum discussing the technique of injecting DLL on windows mobile processes. 
 That's simple, any programmer will tell you to do so. 
 They simply decided that's better not to make any notice about this. 
 b) Create a new audio driver that simply act as a proxy to the real one and intercept PhoneCrypt 
 In Windows Mobile you can create new Audio Drivers and new Audio Filters. 
 What an attacker can do is to load a new audio driver that does not do anything else than passing the real audio driver function TO/FROM the realone. In the meantime intercept everything recorded and everything played :-) 
 Here there is an example on how to do Audio driver for Windows Mobile . 
 Here a software that implement what i explain here for Windows “Virtual Audio Cable” . 
 The very same concept apply to Windows Mobile. Check the book “Mobile Malware Attack and Defense” at that link explaining techniques to play with those techniques. 
 They simply decided that's better not to make any notice to that way of intercepting phone call on PhoneCrypt . 
 Those are just 2 quick ideas, more can be probably done. 
 Sounds much like a marketing activity – Not a security research. 
 I have to tell you. I analyzed the issue very carefully and on most aspects. All this things about the voice encryption analisys sounds to me like a marketing campaign of SecurStar GmbH to sell PhoneCrypt and gain reputation. A well articulated and well prepared campaign to attract the media saying, in an indirect way cheating the media, that PhoneCrypt is the only one secure. You see the press releases of SecurStar and of the “Security researcher Notrax telling that PhoneCrypt is the only secure product” . SecurStar PhoneCrypt is the only product the anonymous hacker “Notrax” consider secure of the “software solutions”. 
 The only “software version” in competition with: 
SnapCell – No one can buy it. A security company that does not even had anymore a webpage. The company does not almost exist anymore. 
rohde-schawarz – A company that have in his list price and old outdated hardware secure phone . No one would buy it, it's not good for genera use. 
 Does it sounds strange that only those other products are considered secure along with PhoneCrypt . 
 Also… let's check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt in order to understand how much the marketing guys pressed to make the PhoneCrypt review the most attractive: 
 Application  Screenshots of application  Video with demonstration of interception  Network demonstration 
 PhoneCrypt   5   0   1 
 CellCrypt   0   2   0 
 GoldLock   1   2   0 
 It's clear that PhoneCrypt is reviewed showing more features explicitly shown and major security features product description than the other. 
 Too much difference between them, should we suspect it's a marketing tips? 
 But again other strange things analyzing the way it was done… 
 If it was “an impartial and neutral review” we should see good and bad things on all the products right? 
 Ok, see the table below regarding the opinion indicated in each paragraph of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (are the only available) to see if are positive or negative. 
 Application  Number of paragraphs  Positive paragraphs  Negative paragraphs  Neutral paragraphs 
 PhoneCrypt   9   9   0   0 
 CellCrypt 
  12   0   10   2 
 GoldLock   9   0   8   1 
 
 
 Detailed paragraphs opinion analysis of Phonecrypt 
 Paragraph of review  Opinion expressed 
 From their website 
 Positive Marketing feedback 
 Apple iPhone  Positive Marketing feedback 
 Disk Encryption or voice Encryption  Positive Marketing feedback 
 PBX Compatibility? Really  Positive Marketing feedback 
 Cracking <10. Not.  Positive Marketing feedback 
 Good thinking!  Positive Marketing feedback 
 A little network action  Positive Marketing feedback 
 UI  Positive Marketing feedback 

 Good Taste  Positive Marketing feedback 
 Detailed paragraphs opinion analysis of Gold-Lock 3G 
 Paragraph of review  Opinion expressed 
 From their website  Negative Marketing feedback 
 Licensed by The israeli Ministry of Denfese  Negative Marketing feedback 
 Real Company or Part Time hobby  Negative Marketing feedback 

 16.000 bit authentication  Negative Marketing feedback 

  DH 256  Negative Marketing feedback 
 Downad & Installation! 
 Neutral Marketing feedback 
 Cracking it <10  Negative Marketing feedback 
 Marketing BS101  Negative Marketing feedback 

 Cool video stuff  Negative Marketing feedback 
 Detailed paragraphs opinion analysis of CellCrypt 
 Paragraph of review  Opinion expressed 
 From their website  Neutral Marketing feedback 
 A little background about cellcrypt  Negative Marketing feedback 

 Master of Marketing  Negative Marketing feedback 
 Secure Voice calling  Negative Marketing feedback 
 Who's buying their wares  Negative Marketing feedback 
 Downad & Installation!  Neutral Marketing feedback 
 My Demo environment  Negative Marketing feedback 

 Did they forget some code  Negative Marketing feedback 
 Cracking it <5 
 Negative Marketing feedback 
 Room Monitoring w/ FlexiSpy  Negative Marketing feedback 
 Cellcrypt unique features.. Negative Marketing feedback 
 Plain old interception  Negative Marketing feedback 

 The Haters out there  Negative Marketing feedback 
 Now it's clear that from their point of view on PhoneCrypt there is no single bad point while the other are always described in a negative way. 
 No single good point. Strange? 
 All those considerations along with the next ones really let me think that's very probably a marketing review and not an independent review. 
 Other similar marketing attempt from SecurStar 
 SecurStar GmbH is known to have used in past marketing activity leveraging this kind of “technical speculations”, abusing of partial information and fake unconfirmed hacking stuff to make marketing/media coverage. 
 Imho a rare mix of unfairness in leveraging the difficult for people to really understand the complexity of security and cryptography. 
 They already used in past Marketing activities like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote. 
 Read about their marketing tricks of 2007 
 They developed a Trojan (RexSpy) for Windows Mobile, made a demonstration capability of the trojan and later on told that they included “Anti-Trojan” capability to their PhoneCrypt software.They never released informations on that trojan, not even proved that it exists. 
The researcher Collin Mulliner told at that time that it sounds like a marketing tips (also because he was not able to get from SecurStar CEO Hafner any information about that trojan): 
 “This makes you wonder if this is just a marketing thing.” 
 Now, let's try to make some logical reassignment. 
 It's part of the way they do marketing, an very unfriendly and unpolite approach with customers, journalist and users trying to provide wrong security concepts for a market advantage. Being sure that who read don't have all the skills to do in depth security evaluation and find the truth behind their marketing trips. 
 Who is the hacker notrax? 
 It sounds like a camouflage of a fake identity required to have an “independent hacker” that make an “independent review” that is more strong on reputation building. 
 Read about his bio: 

    ¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night. I have been thinking of starting an official blog for about 4.5 years to share some of the things I come across, can't figure out, or just cross my mind. Due to my day job and my nighttime meddling, I will update this when I can. I hope some find it useful, if you don't, well you don't. 
 There are no information about this guy on google. 
 Almost any hacker that get public have articles online, post in mailing archive and/or forum or some result of their activity. 
 For notrax, nothing is available. 
 Additionally let's look at the domain… 
 The domain infosecurityguard.com is privacy protected by domainsbyproxy to prevent understanding who is the owner. 
 The domain has been created 2 months ago on 01-Dec-09 on godaddy.com registrar. 
 What's also very interesting to notice that this “unknown hacker with no trace on google about him that appeared on December 2009 on the net” is referred on SecurStar GmbH Press Release as a “An IT security expert”. 
 Maybe they “know personally” who's this anonymous notrax?  :) 
 Am i following my own conspiracy thinking or maybe there's some reasonable doubt that everything was arrange in that funny way just for a marketing activity? 
 Social consideration 
 If you are a security company you job have also a social aspects, you should also work to make the world a better place (sure to make business but “not being evil”). You cannot cheat the skills of the end users in evaluating security making fake misleading information. 
 You should do awareness on end users, to make them more conscious of security issues, giving them the tools to understand and decide themselves. 
 Hope you had fun reading this article and you made your own consideration about this. 
  Fabio Pietrosanti (Naif) 
 ps Those are my personal professional opinion, let's speak about technology and security, not marketing. 
 pps i am not that smart in web writing, so sorry for how the text is formatted and how the flow of the article is unstructured! 
 Del 
											

						

						

							Tags  ,  ,  ,  ,  ,  ,  | Comments (4) 


			
			

			cybercrime Privacy 

			
			
			

				
 Disk encryption sometimes 'works' 
9 November 2009 – 2:53 pm 

					
 I am one of the person convinced that a computer disk encryption system will not protect you from public authorities if they are convinced enough and the case is very important. 
 There are a lot of way to convince a person to release a password. 
 However there's a case in Australia where not revealing the disk password resulted in a successful way to avoid going in jail: 
 Secret code saves man who spied on flatmates 
 My opinion is just that spying flatmates is not a so relevant and particular crime and that law enforcement did not used 'convincing systems' to get the password of encrypted disk. 
 UPDATE 29.06.2010: It also worked for Daniel Dantas against FBI . 
 Del 
											

						

						

							Tags  ,  ,  | Comment (0) 


			
			

			cyberwarfare intelligence 

			
			
			

				
 Chinese Spying NSA/USA buying Cryptographic Equipment on Ebay 
12 July 2009 – 9:14 pm 

					
 It's amazing. 
 A chinese guy has been engaged within an espionage activity for the People's Republic of China buying and exporting cryptographic equipments, radio and other secure hardware on eBay. 
 It's unbelivable, read there , Chi Tong Kuok found on eBay: 
  •  1 software for a VDC-300 airborne data controller, used for secure satellite communications from the American military aircraft 
  •  1 GPS receiver with anti-spoofing defence (maybe there's interested in understanding how this know that a packet is spoofed or not? Me too!) 
  •  1 NSA developed AN/CYZ-10 crypto key management device 
  •  2 PRC-148 handheld digital military radios 
  • 1 KG-175 TACLAN, an NSA designed encryption device used to communicate with classified military computer networks, such as Defense Department's SIPRNet (Secret Internet Protocol Router Network) . 
 It's important to underline that good crypto should not require “secret methods” as the security methods should be secure even if revealed, like any cryptographic technology. 
 But chinese probably understood that this is not the approach of NSA that prefer using custom, self-made, self-analyzed cryptographic technologies that are probably a lot weaker than nowadays cryptographic standards. 
 So, why not buy some export restricted military secure technology on ebay? 
 
 
  
Del 
											

						

						

							Tags  ,  | Comment (1) 


			
			

			intelligence Privacy technology 

			
			
			

				
 Voice Security and Privacy slides 
6 July 2009 – 10:15 pm 

					
 Below my slides on voice security and privacy from Security Summit 2009 . 
 mmm, yes i am working in this area from 2005, will write again about it. 

  2009: Voice Security And Privacy (Security Summit – Milan) 
sux 
 Del 
											

						

						

							Tags  ,  ,  ,  | Comment (0)