This article want to clarify and better explain the finding at infosecurityguard.com regaring voice encryption product evaluation.
This article want to tell you a different point of view other than infosecurityguard.com and explaining which are the rational with extensive explaination from security point of view.
Today i read news saying: “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products and went to read the website infosecurityguard .
Sākumā tā šķita mana kā liels pētniecisko darbu, bet tad es sāku lasīt dziļi, ka lasīt par it.I konstatēja, ka tas nav pareizi drošības izpēti, bet tur ir, ir konkrēti elementi, kas ir mārketinga kampaņa labi darīts, lai piesaistītu sabiedriskos medijus un publiskot produkts.
IMHO viņi varēja mānīt žurnālistus un lietotājus, jo mārketinga kampaņa tika absolūti labi darīts nav atklāta 1. lasīt mēģinājumu. Es personīgi uzskata to kā tas ir derīgs par 1. gatavs (viņi krāpj mani sākotnēji!).
Bet, ja jūs iet dziļi ... jūs sapratīsiet, ka:
- Tas maskēšanās mārketinga iniciatīva organizē SecurStar GmbH un nav neatkarīgas drošības pētniecības
- Viņi uzskata tikai drošības kontekstā, kur vietējā ierīce ir apdraudēta (ne programmatūras var tikt nodrošināta tādā gadījumā, piemēram, sakot SSL var būt apdraudēta, ja jums ir Trojas!)
- Tās neuzskata par vispārīgu drošības un kriptogrāfijas drošības kritērijus
Tomēr svarīgas mājas partija paziņojusi, ka:
Šis raksts ir diezgan garš, ja jūs lasīt, ka jums būs labāk izprast to, kas notiek apkārt infosecurityguard.com pētniecību un pētniecības rezultātu.
Es gribu jums pastāstīt, kāpēc un kā (IMHO) tie ir nepareizi.
Pētniecības neatbildētos apsvērt drošības, šifrēšanu, kriptēšanu un pārredzamībai!
Nu, viss šis pētījums skaņu līdzīgi tiek vērsta uz tirdzniecības mērķi teikt, ka viņu PhoneCrypt produkts ir "super" produkts vislabāk no visiem pārējiem uzņēmumiem.
Jebkurš drošības eksperts, kas būtu kā muitas nodokli "Programmatūra novērtējumu", lai aizsargātu konfidencialitāti tālruņa zvaniem izvērtēs citus dažādus produkta īpašības un tehnoloģiju.
Jā, tā ir taisnība, ka lielākā daļa aprakstīto ražojumu, ko SecurStar savā anonīma tirdzniecības mājas lapā sauc http://infosecurityguard.com ir dažas nepilnības.
Bet attiecīgais trūkums ir citi un PhoneCrypt diemžēl, tāpat kā vairākums aprakstīto produktu cieš no tā.
Pieņemsim pārskatīt kuru īpašības ir nepieciešamas pamata kriptogrāfiju un drošības prasību panta labāko praksi, nodibinājumu un pamati!)
- Drošības Siles neziņa nedarbojas
Pamatnoteikums kriptogrāfija cames no 1883 Auguste Kerckhoffs:
In labi izstrādāta kriptogrāfiskās sistēmas, tikai galvenais ir jābūt noslēpums, tur vajadzētu būt noslēpuma algoritmu.
Mūsdienu cryptographers ir iekļāvušas šo principu, aicinot kaut kas cits "drošības pēc tumsa."
Lasīt ko Brūss Schneir, atzīts eksperts un cryptographer pasaulē teikt par šo Jebkurš drošības eksperts jums pateiks, ka ir taisnība. Pat iesācēju universitātes students jums pateiks, ka ir taisnība. Vienkārši tāpēc, ka tas ir vienīgais veids, kā to kriptogrāfiju.
Gandrīz viss aprakstītais produkts ir tās pārskatīšanas SecurStar GmbH, jāiekļauj PhoneCrypt, nesniedz precīzu informāciju par to kriptogrāfijas tehnoloģiju.
Precīzas ziņas ir:
- Detailed specification of cryptographic algorithm (that's not just saying “we use AES “)
- Detailed specification of cryptographic protocol (that's not just saying “we use Diffie Hellman ” )
- Detailed specification of measuring the cryptographic strenght (that's not just saying “we have 10000000 bit key size “)
Providing precise details means having extensive documentation with theoretical and practical implications documenting ANY single way of how the algorithm works, how the protocol works with precise specification to replicate it for interoperability testing.
It means that scientific community should be able to play with the technology, audit it, hack it.
If we don't know anything about the cryptographic system in details, how can we know which are the weakness and strength points?
Mike Fratto, Site editor of Network Computing, made a great article on “Saying NO to proprietary cryptographic systems” .
Cerias Purdue University tell this .
b – NON peer reviewed and NON scientifically approved Cryptography does not work
In any case and in any condition you do cryptography you need to be sure that someone else will check, review, analyze, distruct and reconstract from scratch your technology and provide those information free to the public for open discussion.
That's exactly how AES was born and like US National Institute of Standard make crypto does (with public contest with public peer review where only the best evaluated win).
A public discussion with a public contest where the a lot of review by most famous and expert cryptographer in the world, hackers (with their name,surname and face, not like Notrax) provide their contribution, tell what they thinks.
That's called “peer review”.
If a cryptographic technology has an extended and important peer review, distributed in the world coming from universities, private security companies, military institutions, hackers and all coming from different part of the world (from USA to Europe to Russia to South America to Middle east to China) and all of them agree that a specific technology it's secure…
Well, in that case we can consider the technology secure because a lot of entities with good reputation and authority coming from a lot of different place in the world have publicly reviewed, analyzed and confirmed that a technology it's secure.
How a private company can even think to invent on it's own a secure communication protocol when it's scientifically stated that it's not possible to do it in a “proprietary and closed way” ?
IBM tell you that peer review it's required for cryptography .
Bruce Schneier tell you that “Good cryptographers know that nothing substitutes for extensive peer review and years of analysis.”
Philip Zimmermann will tell you to beware of Snake Oil where the story is: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.”
c – Closed source cryptography does not work
As you know any kind of “serious” and with “good reputation” cryptographic technology is implemented in opensource.
There are usually multiple implementation of the same cryptographic algorithm and cryptographic protocol to be able to review all the way it works and certify the interoperability.
Supposing to use a standard with precise and extended details on “how it works”, that has been “peer reviewed” by the scientific community BUT that has been re-implemented from scratch by a not so smart programmer and the implementation it's plenty of bugs.
Well, if the implementation is “opensource” this means that it can be reviewed, improved, tested, audited and the end user will certaintly have in it's own had a piece of technology “that works safely” .
Google release opensource crypto toolkit
Mozilla release opensource crypto toolkit
Bruce Schneier tell you that Cryptography must be opensource .
Another cryptographic point of view
I don't want to convince anyone but just provide facts related to science, related to cryptography and security in order to reduce the effect of misinformation done by security companies whose only goes is to sell you something and not to do something that make the world a better.
When you do secure products, if they are not done following the proper approach people could die.
It's absolutely something irresponsible not to use best practice to do crypto stuff.
To summarize let's review the infosecurityguard.com review from a security best pratice point of view.
| Product name | Security Trough Obscurity | Public peer review | Open Source | Compromise locally? |
| Caspertec | Obscurity | No public review | Closed | Jā |
| CellCrypt | Obscurity
| No public review
| Closed
| Jā |
| Cryptophone | Transparency | Limited public review | Public | Jā |
| Gold-Lock | Obscurity
| No public review
| Closed
| Jā |
| Illix | Obscurity
| No public review
| Closed
| Jā |
| No1.BC | Obscurity | No public review
| Closed
| Jā |
| PhoneCrypt | Obscurity
| No public review
| Closed
| Jā |
| Rode&Swarz | Obscurity
| No public review
| Closed
| Jā |
| Secure-Voice | Obscurity
| No public review
| Closed
| Jā |
| SecuSmart | Obscurity
| No public review
| Closed
| Jā |
| SecVoice | Obscurity
| No public review
| Closed
| Jā |
| SegureGSM | Obscurity
| No public review
| Closed
| Jā |
| SnapCell | Obscurity
| No public review
| Closed
| Jā |
| Tripleton | Obscurity
| No public review
| Closed
| Jā |
| Zfone | Transparency | Public review
| Open | Jā |
| ZRTP | Transparency | Public review
| Open | Jā |
*Green means that it match basic requirement for a cryptographic secure system
* Red / Broken means that it does not match basic requirement for a cryptographic secure system
That's my analysis using a evaluation method based on cryptographic and security parameters not including the local compromise context that i consider useless.
However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation that appears like i am promoting other products). So it may absolutely possible that a product with good crypto ( transparency, peer reviewed and opensource) is absolutely a not secure product because of whatever reason (badly written, not usable causing user not to use it and use cleartext calls, politically compromised, etc, etc).
I think i will prepare a broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much practical to have a full transparent set of criterias to evaluate it.
But those are really the basis of security to be matched for a good voice encryption system!
Read some useful past slides on security protocols used in voice encryption systems (2nd part).
Now read below some more practical doubt about their research.
The security concept of the review is misleading: any hacked device can be always intercepted!
I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED
Now they are pointing out that also Zfone from Philip Zimmermann is broken (a pc software), just because they install a trojan on a PC like in a mobile phone?
Any security software rely on the fact that the underlying operating system is somehow trusted and preserve the integrity of the environment where the software run.
- If you have a disk encryption system but your PC if infected by a trojan, the computer is already compromised.
- If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised.
- If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised.
No matter which software you are running, in such case the security of your operating environment is compromised and in one way or another way all the information integrity and confidentiality is compromised.
Like i explained above how to intercept PhoneCrypt.
The only things that can protect you from this threat is running in a closed operating system with Trust Computing capability, implementing it properly.
For sure on any “Open” operating system such us Windows, Windows Mobile, Linux, iPhone or Android there's no chance to really protect a software.
On difficult operating system such as Symbian OS or RimOS maybe the running software can be protected (at least partially)
That's the reason for which the security concept that guys are leveraging to carry on their marketing campaign has no clue.
It's just because they control the environment, they know Flexispy software and so they adjusted their software not to be interceptable when Flexispy is installed.
If you develop a trojan with the other techniques i described above you will 100% intercept PhoneCrypt.
On that subject also Dustin Tamme l, Security researcher of BreakPoint Systems , pointed on on VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts .
The PhoneCrypt can be intercepted: it's just that they don't wanted to tell you!
PhoneCrypt can be intercepted with “on device spyware”.
Kāpēc?
Because Windows Mobile is an unsecure operating environment and PhoneCrypt runs on Windows Mobile.
Windows Mobile does not use Trusted Computing and so any software can do anything.
The platform choice for a secure telephony system is important.
How?
I quickly discussed with some knowledgeable windows mobile hackers about 2 different way to intercept PhoneCrypt with an on-device spyware (given the unsecure Windows Mobile Platform).
a) Inject a malicious DLL into the software and intercept from within the Phonecrypt itself.
In Windows Mobile any software can be subject to DLL code injection.
What an attacker can do is to inject into the PhoneCrypt software (or any software running on the phone), hooking the Audio related functions acting as a “function proxy” between the PhoneCrypt and the real API to record/play audio.
It's a matter of “hooking” only 2 functions, the one that record and the one that play audio.
That's simple, any programmer will tell you to do so.
They simply decided that's better not to make any notice about this.
b) Create a new audio driver that simply act as a proxy to the real one and intercept PhoneCrypt
In Windows Mobile you can create new Audio Drivers and new Audio Filters.
What an attacker can do is to load a new audio driver that does not do anything else than passing the real audio driver function TO/FROM the realone. In the meantime intercept everything recorded and everything played :-)
They simply decided that's better not to make any notice to that way of intercepting phone call on PhoneCrypt .
Those are just 2 quick ideas, more can be probably done.
Sounds much like a marketing activity – Not a security research.
I have to tell you. I analyzed the issue very carefully and on most aspects. All this things about the voice encryption analisys sounds to me like a marketing campaign of SecurStar GmbH to sell PhoneCrypt and gain reputation. A well articulated and well prepared campaign to attract the media saying, in an indirect way cheating the media, that PhoneCrypt is the only one secure. You see the press releases of SecurStar and of the “Security researcher Notrax telling that PhoneCrypt is the only secure product” . SecurStar PhoneCrypt is the only product the anonymous hacker “Notrax” consider secure of the “software solutions”.
The only “software version” in competition with:
–
SnapCell – No one can buy it. A security company that does not even had anymore a webpage. The company does not almost exist anymore.
Does it sounds strange that only those other products are considered secure along with PhoneCrypt .
Also… let's check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt in order to understand how much the marketing guys pressed to make the PhoneCrypt review the most attractive:
| Application | Screenshots of application | Video with demonstration of interception | Network demonstration |
| PhoneCrypt | 5 | 0 | 1 | |
| CellCrypt | 0 | 2 | 0 |
| GoldLock | 1 | 2 | 0 |
It's clear that PhoneCrypt is reviewed showing more features explicitly shown and major security features product description than the other.
Too much difference between them, should we suspect it's a marketing tips?
But again other strange things analyzing the way it was done…
If it was “an impartial and neutral review” we should see good and bad things on all the products right?
Ok, see the table below regarding the opinion indicated in each paragraph of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (are the only available) to see if are positive or negative.
| Application | Number of paragraphs | Positive paragraphs | Negative paragraphs | Neutral paragraphs |
| PhoneCrypt | 9 | 9 | 0 | 0 |
| CellCrypt | 12 | 0 | 10 | 2 |
| GoldLock | 9 | 0 | 8 | 1 |
Detailed paragraphs opinion analysis of Phonecrypt | Paragraph of review | Opinion expressed |
| From their website | Positive Marketing feedback |
| Apple iPhone | Positive Marketing feedback |
| Disk Encryption or voice Encryption | Positive Marketing feedback |
| PBX Compatibility? Really | Positive Marketing feedback |
| Cracking <10. Not. | Positive Marketing feedback |
| Good thinking! | Positive Marketing feedback |
| A little network action | Positive Marketing feedback |
| UI | Positive Marketing feedback |
| Good Taste | Positive Marketing feedback |
| Paragraph of review | Opinion expressed |
| From their website | Negative Marketing feedback |
| Licensed by The israeli Ministry of Denfese | Negative Marketing feedback |
| Real Company or Part Time hobby | Negative Marketing feedback |
| 16.000 bit authentication | Negative Marketing feedback |
| DH 256 | Negative Marketing feedback |
| Downad & Installation! | Neutral Marketing feedback |
| Cracking it <10 | Negative Marketing feedback |
| Marketing BS101 | Negative Marketing feedback |
| Cool video stuff | Negative Marketing feedback |
Detailed paragraphs opinion analysis of
CellCrypt | Paragraph of review | Opinion expressed |
| From their website | Neutral Marketing feedback |
| A little background about cellcrypt | Negative Marketing feedback |
| Master of Marketing | Negative Marketing feedback |
| Secure Voice calling | Negative Marketing feedback |
| Who's buying their wares | Negative Marketing feedback |
| Downad & Installation! | Neutral Marketing feedback |
| My Demo environment | Negative Marketing feedback |
| Did they forget some code | Negative Marketing feedback |
| Cracking it <5 | Negative Marketing feedback |
| Room Monitoring w/ FlexiSpy | Negative Marketing feedback |
| Cellcrypt unique features.. | Negative Marketing feedback |
| Plain old interception | Negative Marketing feedback |
| The Haters out there | Negative Marketing feedback |
Now it's clear that from their point of view on PhoneCrypt there is no single bad point while the other are always described in a negative way.
No single good point. Strange?
All those considerations along with the next ones really let me think that's very probably a marketing review and not an independent review.
Other similar marketing attempt from SecurStar
SecurStar GmbH is known to have used in past marketing activity leveraging this kind of “technical speculations”, abusing of partial information and fake unconfirmed hacking stuff to make marketing/media coverage.
Imho a rare mix of unfairness in leveraging the difficult for people to really understand the complexity of security and cryptography.
They already used in past Marketing activities like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote.
Read about their marketing tricks of 2007
They developed a Trojan (RexSpy) for Windows Mobile, made a demonstration capability of the trojan and later on told that they included “Anti-Trojan” capability to their PhoneCrypt software.They never released informations on that trojan, not even proved that it exists.
The researcher Collin Mulliner told at that time that it sounds like a marketing tips (also because he was not able to get from SecurStar CEO Hafner any information about that trojan):
"Tas padara jūs brīnums, ja tas ir tikai mārketinga lieta."
Tagad pamēģināsim izdarīt dažus loģisko zvejā.
Tā ir daļa no tā, kā tie laiž tirgū, ir ļoti nedraudzīgu un unpolite pieeju ar klientiem, žurnālists un lietotājiem, kas cenšas nodrošināt nepareizu drošības koncepcijas tirgus priekšrocības. Ir pārliecināts, ka, kas lasa nav visas prasmes darīt padziļinātu drošības novērtēšanas un atrast patiesību aiz to mārketinga braucieniem.
Kurš ir hakeris notrax?
Tas izklausās kā maskēties no viltus identitātes nepieciešams, lai būtu "neatkarīga Hacker", kas palīdzētu izdarīt "neatkarīgu pārskatu", kas ir vairāk orientēts uz reputācijas veidošanu.
Lasīt par viņa bio:
¾ Cilvēku, ¼ Android (Labi, ka būtu forši vismaz.) Es esmu vienkārši entuziasts diezgan daudz kaut kas runā bināro un ja tas ir RS232 ports pat labāk. Dienas laikā es maskēties par inženieri strādā ar dažiem diezgan atdzist projekti reizēm, bet galvenokārt es to fun stuff, naktī. Man ir bijis domāt par sākuma oficiālu blog apmēram 4,5 gadus, lai dalītos daži no lietām, ko es nāk pāri, nevar izrēķināt, vai vienkārši šķērsot manu prātu. Sakarā ar manu dienas darbu un mana nakts iejaukusies, es atjaunināt šo, kad es varu. Es ceru, ka daži noderīgi, ja jums nav, labi, jums nav.
Nav par šo puisis par google informāciju.
Gandrīz jebkurš hakeris, kas saņem valsts ir raksti internetā, pasta arhīvā pasts un / vai forums, vai kādu no to darbības rezultāts.
Par notrax, nekas nav pieejams.
Turklāt pieņemsim apskatīt domēna ...
Domēna infosecurityguard.com tiek privātums aizsargā domainsbyproxy lai novērstu izpratni, kas ir īpašnieks.
Domēns ir izveidots pirms 2 mēnešiem uz 01-Dec-09 uz godaddy.com reģistrators.
Kas ir ļoti interesanti atzīmēt, ka šis "nezināms hakeris bez pēdām par google par viņu, ka parādījās 2009.gada decembrī par net" sauc par SecurStar GmbH presei kā "IT drošības eksperts".
Varbūt viņi "zina personīgi", kas tas ir anonīms notrax? :)
Esmu es pēc mana sazvērestības domāšanu vai varbūt tur ir dažas pamatotas šaubas, ka viss ir sakārtot šādā smieklīgā veidā tikai uz tirdzniecības aktivitātes?
Sociālo atlīdzība
Ja jums ir apsardzes firma jums darbs ir arī sociālajiem aspektiem, jums ir jāstrādā, lai padarītu pasauli labāku vietu (protams veikt uzņēmējdarbību, bet "nav ļauns"). Jūs nevarat apkrāptu prasmes gala lietotājiem, novērtējot drošību veicot viltus maldinošu informāciju.
Jums vajadzētu darīt izpratni par gala lietotājiem, lai tie vairāk apzinās drošības jautājumiem, dodot viņiem instrumentus, lai saprastu un jāizlemj viņam pašam.
Ceru, ka jums bija jautri lasīt šo rakstu un jūs veicāt savu atlīdzību par to.
Fabio Pietrosanti (She)
ps Tās ir mans personīgais profesionāls viedoklis, parunāsim par tehnoloģijām un drošību, nevis mārketinga.
pps es neesmu, ka gudri web rakstiski, tāpēc atvainojamies par to, kā teksts tiek formatēts un kā raksta plūsma ir nestrukturēta!
