Categorie Archieven: business

RFC 6189: ZRTP is eindelijk een standaard!

11 april 2011 - 22:54

Tot slot ZRTP is krijgt een officieel RFC opdracht, RFC6189 ZRTP: Media Path Key overeenkomst voor Unicast-Secure RTP.

Het had als een afhankelijkheid van de SRTP met AES-sleutel grootte van 256 bits die nu is gedefinieerd als RFC6188 .

Het is spannend om te zien de RFC eindelijk, want het is een belangrijke mijlpaal voor ZRTP te stellen als de officiële standaard voor end-to-end encryptie net zoals PGP is geweest voor de e-mails.

Nu elke organisatie in de wereld zal officieel in staat zijn om ZRTP implementeren voor end-to-end-protocol voice encryptie

Op dit moment 3 verschillende openbare implementaties van ZRTP-protocol bestaat:

Philip Zimmermann LibZRTP (c code)
PrivateWave's ZORG (c + + code / Java-code)
GNU Telefonie ZRTP (c + + code / Java-code)

Elk van hen te voorzien van verschillende eigenschappen van het protocol, maar het belangrijkste is bekend dat ze interoperabel zijn.

Een nieuwe golf komt naar de stem encryptie-, irrupting in een grijs gebied waar de meeste van de bedrijven die zaken doen telefoon-encryptie systemen is de uitvoering op maat encryptie.

Nu een standaard is opgezet en er zijn weinig redenen over om de uitvoering iets anders.

Hurra heer Zimmermann en al de gemeenschap van bedrijven (zoals PrivateWave ) en particulieren (zoals Werner Dittmann ) die werkte op het!

Vandaag is het een geweldige dag, een dergelijke vorm van technologie is nu officieel en ook met meerdere bestaande implementatie!

Philip, je deed het weer, mijn complimenten aan je zuivere geest en vastberadenheid :-)

Comment (1) Labels encryptie , Privacy , voicesecurity , zrtp | Reactie (1)

onderscheppen Privacy beveiliging

Vooruitgang voor de GSM-kraken in Freiburg universiteit

23 februari 2011 - 13:32

De spannende wereld van de mobiele protocollen (GSM, GSM-R, TETRA, UMTS, enz.) hacken wordt steeds officiële onderzoek van de universiteiten.

De investering om opensource-code releases van kraken van software te maken geeft de mogelijkheid aan studenten van de universiteit om te werken aan het, te verbeteren en doen sterk onderzoek.

De universiteit van Freiburg zojuist de papieren Praktische oefening op het GSM-encryptie A5 / 1 , samen met een gsmframencoder gereedschap om de snuiven, decoderen en kraken te verbeteren.

Het openen van hardware, het openen van software, het openen van het protocol aan te tonen de zwakte van elke vorm van eigen methode of werkwijze op te bouwen-up communicatie-en security-technologieën.

Het zou het doel van elke wetenschappers zijn om te proberen te openen-up en elke vorm van eigen en gesloten technologie te dwingen de sector om gaat alleen met interoperabel en open benadering bij het ontwerpen van telecommunicatie-protocollen te kraken.

Comment (0) Labels encryptie , hacking , mobiele , Privacy , voicesecurity | Comment (0)

inlichtingendiensten onderscheppen beveiliging

TETRA hacken komt eraan: OsmocomTETRA

23 januari 2011 - 10:27 am

Het is heel spannend om te zien de release van OsmocomTETRA , de eerste opensource SDR ( Software Defined Radio ) uitvoering van TETRA demodulator, PHY en MAC lager lagen.

Het is de TETRA-versie van GSM airprobe dat de toegang tot de gegevens en het frame van TETRA communicatie-protocol te ontsluiten, waardoor grote hack-kans!

Nu ook de TETRA-technologie is geopend moeten we verwachten tijdens deze 2011, aan opensource TETRA sniffers te zien en zeer waarschijnlijk ook TEA encryptie (de Tetra Encryption Algorithm) gekraakt!

TETRA wordt gebruikt door politie, hulpdiensten en Militairen als een alternatief voor mobiele communicatie netwerk dat kan werkt ook zonder de beschikbaarheid van netwerkdekking (alleen mobiel naar mobiel, zonder een basisstation) en zorgen voor een aantal speciale High Availability Services.

Ik schreef over TETRA in my slide Major Voice Security Protocol recensie .

In OsmocomBB mailinglijsten was er al discussie over een aantal TETRA-netwerk staat:

België politie TETRA ASTRID-netwerk: niet-versleutelde
Duitse politie-test TETRA-netwerk in Aken: niet-gecodeerde
Sommige ex-jugoslawia TETRA-netwerk: niet-versleutelde
Nederland C200 TETRA-netwerk: Tea2 gecodeerd met statische sleutels
Groot-Brittannië Airwave TETRA-netwerk: Tea2 versleuteld met Tea2

Het zal echt leuk om dat nieuwe politie-en reddingsdienst hacken terugkomen van oude analoge leeftijden te zien aan de nieuwe digitale radio's :-)

Comment (1) Labels encryptie , hacking , mobiel , voicesecurity | Reactie (1)

ideeën Kudos

Overheid 2.0, Open Data en WikiLeaks

15 Januari 2011 - 20:05

Het concept achter Wikileaks, OpenLeaks, GlobalLeaks, BalkanLeaks is veel meer dan alleen maar onthult geheimen voor het publiek.

Het maakt deel uit van een revolutie die er in de organisatie van overheid, transparantie en samenwerking komen met de zogenaamde 'web 2.0 / wiki' collaborative systemen.

Neem een kijkje op de regering 2.0 - Inleiding door Anke Domscheit Berg, Innovatieve regering programma leidt van Microsoft Duitsland en de vrouw van Daniel Berg, mede-oprichter van WikiLeaks en nu oprichter van OpenLeaks .

Neem een kijkje op Open Data de overheid 2,0 initiatief van de overheid transparantie, het verminderen van corruptie en verbetering van de prestaties van de overheid de organisatie af te dwingen.

Die revolutie is het gewoon meer dan een groep van anarco-libertaire funky jongens die willen chaos door het verspreiden van geheimen te creëren, het is gewoon het begin van de haast om nieuwe organisatie-model van de overheid te bereiken door gebruik te maken van volledige transparantie en een sterke samenwerking met de burger.

Comment (0) Labels civilrights | Reactie (0)

Privacy security -technologie

Gecodeerde mobiele telefoon om vaste telefoon bellen met Asterisk 1.8

25 oktober 2010 - 12:15

We hebben net een technische howto over hoe op te bouwen Beveiligde mobiele telefoon om vaste VoIP-infrastructuur met:

Asterisk 1.8 (net vrijgegeven, ondersteuning van SIP / TLS + SDES belangrijke ruil voor SRTP)
PrivateGSM Enterprise (Nokia / iPhone / Blackberry)
SNOM 300 Desktop telefoon

In de komende weken andere howto zoals deze zal komen met behulp van andere server platformen zoals FreeSWITCH, alles in de geest van transparantie en de hefboomwerking van opensource beveiligingstechnologieën.

Comment (0) Labels encryptie , mobiele , Privacy , voicesecurity | Comment (0)

veiligheid

Acht Epic Het niet met de regeling van cryptografie

21 oktober 2010 - 14:59

Een zeer verhelderend artikel over Acht Epic Het niet met de regeling van cryptografie en veel voorkomend misverstand door de overheid toezichthouders die niet over een weids uitzicht over hoe technologie werkt.

Onwetende overheidsinstanties niet begrepen dat strenge regelgeving zou de volgende nadelen hebben:

Het zal de beveiligingsrisico's
Het zal niet stoppen met de slechteriken
Het is schadelijk voor innovatie
Het is schadelijk voor Amerikaanse activiteiten
Het kost de consument
Het zal ongrondwettelijk
Het zal een enorme investering van belastinggeld zijn

Comment (0) Labels encryptie , beleid | Comment (0)

Privacy security -technologie

PrivateGSM: Blackberry / iPhone / Nokia mobiele spraak-encryptie met ZRTP of SRTP / SDES

19 oktober 2010 - 9:10 am

Ik ben het absoluut vermijden om mijn eigen persoonlijke blog te gebruiken om bevordering van elke vorm van product te maken.

Die tijd is het niet anders, maar ik wil je vertellen feiten over producten die ik te werken aan zonder fancy marketing, maar blijft technisch.

Vandaag, op PrivateWave waar ik ben CTO en mede-oprichter , brachten we het openbaar mobiele VoIP-encryptie producten voor Blackberry, iPhone en Nokia:

De 1e ooit Blackberry gecodeerd VoIP met ZRTP - PrivateGSM VoIP Professional
De 1e ooit iPhone gecodeerd VoIP met ZRTP - PrivateGSM VoIP Professional
De 1e ooit Blackberry gecodeerd VoIP-client met SRTP met SDES sleutel uitwisseling over SIP / TLS - PrivateGSM VoIP Enterprise

Bij PrivateWave gebruiken we een andere benadering ten aanzien van de meeste voice encryptie bedrijf die er zijn, lees dan onze benadering van veiligheid .

De relevantie van deze producten in de technologie en industrie landschap kunnen als volgt worden samengevat:

Het is de eerste stem encryptie bedrijf met alleen normen beveiligingsprotocollen (en we verwachten dat de markt zal reageren, want het is duidelijk dat de gepatenteerde technologie afkomstig uit de erfenis van CSD niet kan leveren dezelfde waarde)
Het is de eerste benadering in de stem van encryptie om alleen te gebruiken open source en standaard encryptie-engine
Het is de eerste stem encryptie aanpak van verschillende security model met behulp van verschillende technologieën (end-to-end voor ZRTP en end-to-site voor SRTP )

Die suite van Mobile Secure Clients, ontworpen voor professionele beveiliging alleen gebruik van de beste telecommunicatie-en beveiligingstechnologieën, bieden een hoge mate van bescherming in combinatie met goede prestaties ook in slechte netwerk condities:

Meerdere beveiligingsmodel: end-to-end encryptie met ZRTP en end-to-site -codering met SRTP
Voice-encryptie
Signalering encryptie
Digitaal certificaat strikte controle van de SIP / TLS (99% van de VoIP-clients niet doet diepgaande strikte TLS controle)
AMR 4.75kbit codec (dezelfde technologie en audio codec van standaard GSM telefoongesprekken)
Extreem geoptimaliseerd jitter buffer (Het werkt zelfs in GPRS en via WiFi op satelliet)
Automatische always-on opnieuw verbinden met behulp van Nokia Standby Technieken voor sterke batterij besparing

De toepassingen zijn:

PrivateGSM Professional - Het doet end-to-end encryptie met ZRTP met ECDH384 , strikte cache verificatie en adresboek integratie
PrivateGSM Enterprise - Het doet end-to-site -codering met SRTP met SDES sleutel uitwisseling over SIP / TLS
Enterprise VoIP Security Suite - Secure PBX-systeem op basis van Asterisk met toegevoegde VoIP Firewalls

De ondersteunde mobiele apparaten zijn:

Nokia S60
iPhone 3GS/4G met iOS 4.x
Blackberry met RIMOS 5 (verschillende GSM-modellen)

Met betrekking tot ZRTP hebben we besloten om stress en strekken de veiligheid en paranoïde kenmerk van het protocol met een aantal kleine toevoeging:

Gebruik alleen Elliptische curve Diffie Hellmann (ECDH) 384bit die deel uitmaken van NSA Suite-B ( No Koblitz ECDH-571 bochten! )
Gebruik AES256 in de CTR-modus
Heeft cache controle en belangrijke continuïteit
Strikte adresboek integratie uitgebreid ten opzichte van RFC met extra beetje overbodig is
Alle veiligheidswaarschuwing en beveiligingsfout ertoe leiden dat de oproep te verbreken, cache gewist en de gebruiker gewaarschuwd om nogmaals te controleren ZRTP beveiliging
Gebruik Random Number Generator in strikte overeenstemming met FIPS veiligheidseisen door gebruik te maken Fysische Bron van entropie (microfoon)

Onze strenge adresboek integratie, gaat verder dan ZRTP RFC -specificatie, die kunnen kwetsbaar zijn voor bepaalde aanvallen bij gebruik op mobiele telefoons als gevolg van het gedrag van gebruikers van niet om te kijken naar mobiele scherm.

Onze paranoy manier van het gebruik te beperken ZRTP dergelijke omstandigheden, zullen we later schrijven over deze en / of aangevuld met specifieke details voor RFC integratie.

Sommige woorden op PrivateGSM Professional met end-to-end encryptie met ZRTP

Gebruiker niet nodig om de applicatie te gebruiken: Het is i ntegrated in de telefoon voor het kiezen van een veilige prefix zetten +801 in de voorkant van het nummer te bellen
Het is te downloaden van het internet voor zelf onderzoek gedurende 15 dagen (de meeste voice encryptie onderneming verstrekt geen gratis download)
Receiver GRATIS is dat betekent dat alleen die bellen hebben om de toepassing te kopen, heeft de ontvanger hoeft niets te betalen
het doet Traffic Obfuscation op Bypass VoIP-blokken over 2G/3G
Het is erg smal: Gebruik zo weinig 100Kbyte/minutes

Lees technische fiche daar!

Voor het downloaden klik dan hier en zet gewoon uw telefoonnummer

Dat zijn de resultaten van het harde werk van al mijn zeer gekwalificeerd personeel (16 personen gewerkt aan deze 6 projecten voor 3 verschillende platformen) op uitdagende technologie (voice encryptie) in een moeilijke operationele omgeving (vuile mobiele netwerken en vuile mobiele besturingssystemen) voor meer dan 2 jaar.

Ik ben erg trots op onze medewerkers!

Wat nu?

In de komende weken ziet u het vrijgeven van de grote set van documentatie, zoals integratie met sterretjes, freeswitch en andere aan veiligheid Enabled PBX, samen met een aantal spannende andere beveiligingstechnologie nieuws dat weet ik zeker zal worden opgemerkt ;)

Het is een hard werken en meer moeten worden gedaan, maar ik ben ervan overtuigd dat de veiligheid en de opensource gemeenschap zal de betreffende producten en onze transparante aanpak ook graag met open belangrijke releases en open source integratie dat een zeer politiek neutraal (achterdeur gratis) technologie .

Comment (1) Labels encryptie , mobiele , Privacy , voicesecurity , zrtp | Reactie (1)

onderscheppen Privacy security -technologie

Een paar leuke VPN provider

17 oktober 2010 - 12:39

Er zijn heel wat van de rede waarom men zou moeten internet via toegang tot een VPN.

Bijvoorbeeld als je woont in een land blokkeren van bepaalde inhoud (zoals anti-local-government website, porno, etc) en / of protocollen (zoals skype, voip) zou u waarschijnlijk wilt u uw internet verbinding te verplaatsen buiten het vervelende het blokkeren van land door gebruik te maken versleutelde VPN tunnels.

I werden een aantal hosted VPN-server en een paar van hen klinkt heel goed onder de wijdverspreide aanbod van dergelijke diensten:

SwissVPN

Afsluiten om het internet uit Zwitserland.

Kosten 6 CHF / maand

Optioneel publiek vast IP-adres

Handig als je het volgende nodig:

Net voorbij de lokale land filters met een goede hoge bandbreedte
Expose openbare diensten via het VPN met de optionele vaste openbare IP-adres.

Overdreven acteren

Uitgang naar het internet door te kiezen uit 20 verschillende landen (elke keer dat u verbinding maakt).

Handig als je moet doen:

business intelligence op de concurrent (lijken te komen uit land X bij het aansluiten van hen)
zie film / telefilm alleen toegestaan bij de nationale IP webruimten
zie google resultaten tussen de verschillende landen

Comment (0) Labels encryptie , Privacy | Comment (0)

security -technologie

Niet elke elliptische kromme is hetzelfde: door op de ECC-beveiliging

26 september 2010 - 13:05

 Mijn eigen ECC-curve veiligheid en selectie-analyse

De meeste moderne crypto gebruik Elliptic Curve Cryptographic (ECC) dat, met een kleinere sleutel grootte en vermindering van rekenkracht, een equivalente beveiliging kracht van de traditionele crypto systeem dat bekend staat als DH (Diffie-Hellman) of RSA (Rivest, Shamir en Adleman).

Niet iedereen weet dat ECC-codering is geselecteerd voor eventuele toekomstige encryptie toepassingen en dat zelfs TLS / SSL (encryptie die wordt gebruikt voor het vastzetten van het web) gaat verhuizen naar ECC.

Ik vond veel van de zogenaamde "eigen encryptiesysteem producten" die RSA en DH overgeleverd aan gaat met ECC alternatieven, om willekeurige gebruik ECC bits sleutel meestal zelfs zonder te preciseren welke soort ECC crypto wennen.

Er is echter een veel verwarring rond elliptische krommen, met veel verschillende namen en belangrijke grootte, waardoor het moeilijk voor een niet-cryptografisch-ervaren-gebruiker aan je eigen figuur te maken bij de evaluatie van een aantal crypto spul.

Door zo diffuus verwarring heb ik besloten mijn eigen analyse te maken om uit te vinden welke de beste ECC encryptie bochten en rechts ECC sleutel grootte te gebruiken.

Deze analyse zou graag een security-industrie op basis van keuze te bieden tussen de verschillende bochten en de belangrijkste maten, het verlaten van de wiskundige en crypto analytische overwegingen die al is gedaan in de jaren, waarin de verschillende keuzes die in een aantal normen en beveiligingsprotocollen.

Eerst de conclusie.

Uit mijn analyse slechts de volgende ECC bochten dienen te worden beschouwd voor gebruik in encryptie systemen, omdat de enige bent die geselecteerd tussen de verschillende overheden (ANSI, NSA, SAG, NIST, ECC Brainpool), verschillende beveiligingsprotocol normen (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS) en de enige passende NSA Suite B beveiligingseisen (de-facto standaard ook voor de NAVO militaire omgeving):

Elliptische Prime Curve 256 bit - P-256
Elliptische Prime Curve 384 bit - P-384

met optionele, alleen voor echt paranoïde die meer willen weten sleutelgrootte beetje te krijgen, nog steeds niet nuttig geacht:

Elliptische Prime Curve 521 bit - P-521

Ik wil graag zeggen dat Koblitz bochten moeten worden vermeden, in een willekeurige toets grootte (163/283/409/571) omdat ze niet genoeg garantie op de crypto-analytische activiteiten en effectief ze zijn:

Geen onderdeel van de NSA Suite-B cryptografie selectie
Geen onderdeel van ECC Brainpool selectie
Geen onderdeel van ANSI X9.62 selectie
Geen onderdeel van de OpenPGP-ECC uitbreiding selectie
Geen onderdeel van Kerberos-extensie voor ECC curve selectie

Ik nodig de lezer om door te volgen mijn analyse van de fundamentals die kunnen worden begrepen, zelfs zonder diepgaande technische achtergrond, maar in ieder geval met een goede technologische achtergrond een aantal fundamentele beetje van cryptografie te begrijpen.

 Daar gaan we met de analyse

Mijn doel is om een analyse te maken op wat / hoe de open wetenschappelijke en veiligheid Community Selecteer ECC crypto-systeem voor gebruik in veiligheid protocollen en standaarden gedefinieerd door IETF RFC (degenen die het internet Normen leggen in een open en peer-reviewed manier).

Hieronder een aantal RFC introducing ECC in bestaande systeem dat krijgen geanalyseerd om te begrijpen wat is beter te gebruiken en wat beter is uit te sluiten:

RFC5639 : ECC Brainpool Standard Curves & Curve Generation
RFC4869 : NSA Suite B cryptografie Suites voor IPsec
RFC5430 : NSA Suite B-profiel voor Transport Layer Security (TLS)
RFC5008 : NSA Suite B in in Secure / Multipurpose Internet Mail Extensions (S / MIME)
RFC3766 : Het bepalen van Sterke punten voor publieke sleutels gebruikt voor het uitwisselen symmetrische sleutels
RFC5349 : Elliptische Curve Cryptography (ECC) Ondersteuning voor Public Key Cryptografie voor Initial Authentication in Kerberos (PKINIT)
RFC4492 : Elliptische Curve Cryptography (ECC) Cipher Suites voor Transport Layer Security (TLS)
ZRTP voice encryptie door Philip Zimmermann ECC-curve
ECC in OpenPGP (ontwerp-d raft-jivsov-OpenPGP-ECC-06 )
ECC Curves geselecteerd door Microsoft voor smartcard Kerberos login

We zullen gebruik maken van de keuze van wetenschapper het definiëren van Internet Security Protocols om een deel van onze evaluatie te maken.
Bovendien moet het duidelijk zijn dat de Curve selectie is afkomstig van verschillende instanties die hun eigen selectie van Curves gemaakt om te vertellen aan de industrie wat te gebruiken en wat over te slaan:

Amerikaanse NIST (US National Institute of Standards) met 186-2 (recent vervangen in 2009 door de nieuwe 186-3 )
Amerikaanse ANSI (American National Standard Institute) met X9.62
Amerikaanse NSA (National Security Agency) Suite-B cryptografie voor TOP SECRET informatie-uitwisseling
International SACG (normen voor efficiënte cryptografie-groep) met Aanbevolen Elliptische Curve Domein Parameters
Duitse ECC Brainpool withECC Brainpool met hun strikte Security Requirements
ECC Interoperability Forum gecomponeerd door Certicom, Microsoft, Redhat, Sun, NSA

We zullen gebruik maken van de keuze van wetenschapper het definiëren van security eisen in de standaardisatie organisaties om een deel van onze evaluatie te maken.
Daarnaast, iets dat de meeste mensen niet kent, maar dat is het uiterst relevant is voor onze analyse, is dat er verschillende soorten ECC curve cryptografie en hun "grootte" het is anders, afhankelijk van de aard van de curve:

ECC krommen over Prime Field (vaak aangeduid als Elliptische Curve en vertegenwoordigd door P-keysize)
ECC krommen over Binary Field (vaak aangeduid als Koblitz Curve en vertegenwoordigd door K-keysize)

Gegeven een zekerheid kracht gelijkwaardigheid van de Elliptische Curve en de Kobliz Curve hebben verschillende sleutel grootte, bijvoorbeeld wanneer we lezen ECC 571 hebben we het over Koblitz Curve met een gelijkwaardig kracht om ECC 521 Prime curve.

Een vergelijking van de sterkte tussen elliptische curve en Kotbliz Curves wordt hieronder gerapporteerd (van Mikey ECC internet ontwerp ):

 | Koblitz | ECC | DH / DSA / RSA
 | 163 | 192 | 1024
 | 283 | 256 | 3072
 | 409 | 384 | 7680
 | 571 | 521 | 15360

Hieronder is een vergelijking van alle geselecteerde bochten door de verschillende entiteiten en hun respectievelijke naam (van de IETF RFC4492 voor ECC gebruik voor TLS ):

 Curve gekozen namen van verschillende normalisatieorganisaties
 ------------ + --------------- + -------------
 SECG | ANSI X9.62 | NIST
 ------------ + --------------- + -------------
 sect163k1 | | NIST K-163
 sect163r1 | |
 sect163r2 | | NIST B-163
 sect193r1 | |
 sect193r2 | |
 sect233k1 | | NIST K-233
 sect233r1 | | NIST B-233
 sect239k1 | |
 sect283k1 | | NIST K-283
 sect283r1 | | NIST B-283
 sect409k1 | | NIST K-409
 sect409r1 | | NIST B-409
 sect571k1 | | NIST K-571
 sect571r1 | | NIST B-571
 secp160k1 | |
 secp160r1 | |
 secp160r2 | |
 secp192k1 | |
 secp192r1 | prime192v1 | NIST P-192
 secp224k1 | |
 secp224r1 | | NIST P-224
 secp256k1 | |
 secp256r1 | prime256v1 | NIST P-256
 secp384r1 | | NIST P-384
 secp521r1 | | NIST P-521
 ------------ + --------------- + -------------

Wat onmiddellijk verschijnen is dat er slechts twee bochten geselecteerd door alle autoriteiten, en dat er een algemene dumpen van Koblitz bochten door ANSI.The alleen gemeenschappelijk overeengekomen tussen de 3 autoriteiten zijn de volgende twee ECC-curve:

secp192r1 / prime192v1 / NIST P-192
secp256r1 / prime256v1 / NIST P-256

Van de selectie van de ECC-curve voor TLS de RFC5430 overgeslagen volledig Koblitz bochten en geselecteerd voor gebruik alleen:

P-256, P-384, P-521

De ECC Brainpool overgeslagen volledig Koblitz bochten en geselecteerd voor het gebruik van de volgende ECC Curves:

P-160, P-192, P-224, P-256, P-320, P-384, P-512 (dat is het enige bijzondere, want het is niet P-521, maar P-512, de enige sleutel-size doorverwezen door ECC Brainpool. Tnx Ian Simons van Athena SCS )

De OpenPGP internet ontwerp voor het ECC gebruik in PGP d raft-jivsov-OpenPGP-ECC-06 overgeslagen volledig Koblitz bochten en gekozen voor de volgende ECC curves

P-256, P-384, P-521

Het Kerberos-protocol extensie voor ECC gebruik, gedefinieerd in RFC5349 en wordt gedefinieerd door Microsoft voor smartcardaanmelding overgeslagen volledig Koblitz bochten en gekozen voor de volgende ECC curves:

P-256, P-384, P-521

Dus, klinkt het duidelijk dat de juiste keuze van ECC is voor P-256, P-384 en P-521, terwijl de Koblitz curve zijn overgeslagen voor Top Secret gebruik en voor alle veiligheid gevoelige protocol (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS).

Waarom heb ik deze analyse?

Ik heb gedaan deze analyse naar aanleiding van een discussie die ik had met betrekking tot bepaalde spraak-encryptie producten, allen gebaseerd op gewoonte en de protocollen, die zijn allemaal met Elliptische curve Diffie Hellman 571 bit / ECDH 571/571-bit ECDH / Koblitz 571 bits.
Alle hen maken gebruik van de K-571 dat, zoals eerder beschreven, is verwijderd uit alle veiligheids-gevoelige omgeving en protocollen en mezelf een ontwerper van voice encryptie dingen die ik denk dat de cryptografische keuze is absoluut niet de beste beveiliging keuze.
Waarschijnlijk is gedaan alleen voor marketing doeleinden, omdat de K-571 (Koblitz curve) lijkt sterker dan P-521 (elliptische curve op basis van Prime-nummer). Als je "meer bit" uw marketing jongens kunnen beweren dat ze "veiliger". Koblitz elliptische kromme sneller zijn dan de top secret staat prime elliptische kromme en dus geef het product manager een kans om "meer bit" in zijn eigen product aan te bieden terwijl de key exchange snel.

Het is een kwestie van filosofische keuze.

Ik geef de voorkeur om de trend van wetenschappelijke gemeenschap met de nederigheid van het niet volgen naar overweegt zelf een cryptografisch expert, knowledgable meer dan de algemene veiligheid en de wetenschappelijke gemeenschap zelf.

Ik geef de voorkeur in plaats daarvan alleen algoritmen die zijn goedgekeurd voor gebruik in uiterst gevoelige omgevingen (top secret classificatie), die zijn geselecteerd door alle autoriteiten en de werkgroep analyseren van encryptie-algoritmen bestaande buitengerechtelijke daar en dat de keuze van bijna alle standaard beveiliging vormen te gebruiken protocollen (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS, etc).
Ik geef de voorkeur om de hoeveelheid hersenen werken aan de crypto ik gebruik, dat de cheque die is echt veilig, dat na te gaan of er wat zwakte te tellen.

Het aantal Brais werken aan Crypto algemeen verspreid, zijn van de orde van grootte meer dan het aantal van de hersenen werken aan crypto gebruikt door slechts een paar mensen (zoals Koblitz curve).
Dus ik ben niet demoniseren die gebruik maken van ECDH 571 met behulp van Koblitz Curve, maar zeker ik kan bevestigen dat ze niet de beste keuze in termen van de veiligheid en dat alle security professionals het doen van een security benchmarking zou het feit dat de Elliptische curve Diffie Hellman 571 overwegen beetje gedaan met Koblitz Curve is niet op grote schaal verspreid, het is gedumpt van standaard beveiligingsprotocollen en het is niet gecertificeerd voor top secret gebruik.

Comments (3) Labels encryptie , voicesecurity , zrtp | Reacties (3)

security -technologie

ESSOR, Europese Secure Software Defined Radio (SDR)

25 september 2010 - 21:18

Ik had een blik op de Europese Defense Agency website en vond het ESSOR project, een werkend project gefinancierd voor 106mln euro aan de strategische verdediging communicatie producten op basis van nieuwe ontwikkelingen Software Defined Radio aanpak.

SDR aanpak is een revolutionair systeem dat volledig verandert de manier waarop wetenschappers en de industrie is aanpak van elke vorm van draadloze technologie.

In principe in plaats van het branden van hardware chip die het grootste deel van de radiofrequentie-protocollen en technieken toe te passen, worden ze geduwd in "software" naar gespecialiseerde radio hardware die kan werken op veel verschillende frequenties, als radio-interface voor veel verschillende radio protocollen.

Bijvoorbeeld de USRP (Universal Software Radio Peripheral) van Ettus onderzoek dat de kosten 1000-2000USD volledig geladen, via de opensource GnuRadio zijn kader, gezien opensource implementatie van:

En nog veel meer protocollen en transmissie-technologieën.

Dat soort nieuwe benadering van Radio Transmission System wordt met bestemming aan de manier waarop radio-systeem te veranderen ten uitvoer worden gelegd, het geven van nieuwe mogelijkheden, zoals de "radio protocol zelf" in de software aan te passen om "radio protocol" verbeteringen.

Op korte termijn hebben we ook gezien zeer sterke beveiliging onderzoek met behulp van SDR technologieën zoals GSM kraken en de Bluetooth-snuiven .

We kunnen verwachten dat andere technologieën, zwak door het ontwerp, maar beschermd door de beperking van de hardware-apparaten op het lage niveau protocollen te hacken, zal binnenkort krijgen worden gehackt. In de eerste lijst ik zou heel graag het hacken van TETRA, een technologie die geboren met gesloten mentaliteit en geheime encryptie-algoritmen, iets wat ik echt niet ;-) zie

Comment (0) Labels hacken , mobiele | Comment (0)

zakelijk beheer

Product management en organisatie

12 september 2010 - 20:52

Ik had een beter begrip van de concepten, taken en verantwoordelijkheden met betrekking tot product management en product marketing management in software bedrijven, waarom zijn nodig, wat zijn de verschillen en hoe ze passen binnen een organisatie structuur.

De meeste die ik ken nooit geïnteresseerd in dit specifieke gebied van werk, maar als je een product wilt onderneming (en niet een advies of oplossing bedrijf) zijn, moet je beginnen met verschillende producten op verschillende platformen voor verschillende doelgroepen klanten worden verkocht via verschillende kanalen met verschillende prijzen met een installatie / ander afleveradres proces is en dat de complexiteit moeten worden beheerd op de juiste manier.

Je realiseert je dat om te laten het product bedrijf te laten groeien in de juiste richting je nodig hebt om formeel te organiseren product management activiteiten, niet het afsluiten van uw geest in starre organisatie rollen zoals Marketing, Sales, R & D.

Wanneer we spreken over Product Management adviseer ik de lezing van het lichtdoorlatende De strategische rol van Product Management (Hoe een marktgedreven aandacht leidt ertoe dat ondernemingen op te bouwen producten die de mensen willen kopen), dat een heleboel dingen te verduidelijken, zelfs als het outlook netto scheiding van rollen in product management, iets wat t hoedje is te zwaar voor een klein bedrijf als een startup.

Toch een differentiatie van de taken tussen Product Management en Product Marketing.

Een goed begrip van het product management in verband met het opstarten i s die in het artikel Het maken van Product Management bij het opstarten opdagen andere zaak met betrekking tot de rol van het product visionair in het bedrijf.

Het introduceren de voorwaarden ceo van het product in de zin dat het product management taken rond te springen in de verschillende organisatie-functie door middel van aandacht en inspanning waar het nodig is onafhankelijk, uit het feit dat de interne functie meer inspanning nodig is voor ontwikkeling, Marketing, Sales of Communicatie. Dat is praktisch betekent het verbeteren van de product visie als het nodig is in alle grote product-gerelateerde functies maken van de visie bedrijfsbrede coherent.

Een goede weergave van product management en product marketing activiteiten is goed beschreven met het onderscheid tussen strategisch, technisch en marketing sector en is niet duidelijk gescheiden tussen management, marketing (en verkoop) en R & D:

Ik las dat product manager achtergrond en kennis zijn verschillend afhankelijk van het bedrijf focus ( waar komt product management hoort in de organisatie? ):

B2C -> Marketing ervaring
B2B -> Technische ervaring

Een verhelderend (voor mij) en heel belangrijk onderscheid ten aanzien van product management taken is het onderscheid tussen:

Product Management
Product Marketing

De specifieke taken die behoren tot Product Marketing vs management zijn sterk uitgelegd in Rol Definities Product Management en Product Marketing dat ik voorstel om te lezen, zodat u beter taken en verantwoordelijkheden te definiëren binnen uw organisatie. Het bieden ook een goede definitie van functie-eisen als u op zoek naar dat cijfer!

Tegelijkertijd is het belangrijk om te begrijpen wat er NIET product management, effectief Product management is niet alleen voorzien van prioritering .

Tegelijkertijd is het belangrijk om te begrijpen welke niet professioneel figuur is zelf een product manager:

Product manager is geen marketing manager - terwijl het product management wordt meestal gezien als een marketing discipline, marketeers zijn gericht op het marketing plan en zijn meestal niet het besturen van de totale product richting. In dat verband kan echter worden gevonden Product marketing manager is dat de armen van de afzet van het product, vooral in de kleine organisatie.

Product manager is geen sales manager - sales manager het over het vinden van hoe een product te verkopen, waarna de verkoop methodologie, techniek en kanalen en ze konden het bedrijf rijden van een marktgerichte onderneming (product) aan een klant georiënteerd bedrijf (oplossing en consulting)

Product manager is geen ontwikkelaar - Ontwikkelaars zijn gericht op de technologie en niet het totale product. Some great product managers are former developers, but it is difficult to do both at once. Er is een natuurlijke spanning tussen ontwikkelaars en productmanagers die moet worden gehandhaafd om een evenwichtig product te creëren.
Product manager is geen software manager - de software manager is een functionele manager en meestal niet gericht op het product of de klanten.
Product manager is geen project manager - project managers zijn over hoe en wanneer, terwijl het product manager is over wat. Projectmanagers werken nauw samen met productmanagers het welslagen van de verschillende fasen te garanderen in de levenscyclus van het product.

De typische product management activiteiten kunnen worden in extreme synthese samengevat als volgt:

Strategie: Het plannen van een product strategie
Technisch: toonaangevende productontwikkelingen
Marketing: providing product and technical content
Verkoop: voorzien in voorschoolse sales support en werken effectief met de verkoop

Product management so it's not precisely development, is not precisely marketing, it's not precisely sales, so typically it's difficult to identify “where it should stay” inside the organization structure (it's even difficult to understand that's needed)?

De Silicon Valley Product Group bieden een mooi zicht op Product organisatiestructuur door te wijzen op Wat zijn de voordelen en risico's van een aantal keuzes. Toch is de Cranky Product Manager zeggen dat Het maakt niet uit waar het product manager wonen in de organisatie .

Het is relevant om voorzichtig te zijn niet aan personen die te veel technische of te veel sales gericht om de kloof tussen de verschillende organisaties te vullen hebben. Te veel versnippering van toegewezen taken in de organisatie kan leiden tot bureaucratie, kan te veel taken op een persoon leiden tot een ondoeltreffende uitvoering van de taken die nodig zijn op een bepaald gebied en een interne concurrentie perceptie ten opzichte van de traditionele rollen.

Controleer of er een mooi CV van een professional met praktische ervaring in product management (het is een half techneut / half marketing jongens).

Ah! Another very common misunderstanding is to confuse marketing with communication where ai found a so good definition of Marketing that i really like and understand for strict relationship with Product Management:

Marketing is know the market so well that the product sell itself

Maar wat gebeurt er als je niet omgaan met een product management en product marketing management proces in een bepaalde manier?

Een mooi verhaal wordt weergegeven als bijvoorbeeld in De strategische rol van Product Management :

Uw stichter, een briljante technicus, startte het bedrijf jaren geleden, toen hij stoppen met zijn baan om zijn idee fulltime markt te brengen. Hij creëerde een product dat hij wist alleen dat andere mensen nodig. And he was right. Al snel leverde hij genoeg van het product en huurde zijn beste vriend van de universiteit als VP of Sales. En het bedrijf groeide. Maar het duurde niet lang, de VP van Sales klaagde: "We zijn een engineering-geleide onderneming. We moeten te worden klantgericht. "En dat klonk prima. Except… every new contract seemed to require custom work. U een tiental klanten ondertekend in een dozijn marktsegmenten en de laatste klant de stem altijd domineerde de productplannen. U concludeerde dat betekende "gedreven door de nieuwste klant" en dat niet kon kloppen "customer-driven".

If you want to be a product company it's relevant to precisely follow a strategy driven by product marketing and management and not by sales.

Verwarring tussen de taken van de product management / marketing en verkoop kan leiden tot succesvolle product bedrijf dat niet in staat zijn om door te gaan in hun strategie, simpelweg omdat ze het krijgen van kansen die drijven de business out-of-scope.

Een product bedrijf moet investeren in een eigen productontwikkeling en marketing, om te laten verkoopactiviteiten gefocust blijven en garanderen dat de organisatie iedere dag meer van kracht op de markt.

Na deze lezing, ik heb begrepen dat het relevant is om te bepalen hoe om een set van flexibele bedrijfsprocessen over de wijze waarop diverse product management en product marketing taken die hen scheidt van de verkoop gaan maken.

Comment (0) Labels bedrijf , het management , marketing | Comment (0)

onderscheppen Privacy beveiliging

Op afstand onderscheppen van snom VoIP-telefoons

10 september 2010 - 11:08 am

Ik stel voor het lezen van op afstand te tikken VoIP-telefoons "op VoIP Security Alliance Blog door Shawn Merdinger .

Een concreet voorbeeld van hoe de huidige telefonie-infrastructuur worden steeds meer kwetsbaar voor cyberaanvallen.

Comment (0) Labels hacken , Privacy , voicesecurity | Comment (0)

onderscheppen Privacy security -technologie

Spraakcommunicatie beveiliging workshop

26 augustus 2010 - 12:04

Hi,

ik heb een gesprek over gesproken communicatie beveiligingstechnologieën aan de Universiteit van Trento naar aanleiding van een interessante informatie-uitwisseling met Crypto Lab beheerd Professor Massimiliano Sala .

Ik stel voor geïnteresseerden om het te lezen, vooral het tweede deel, want er is een innovatieve indeling van de verschillende voice encryptie technologieën die wennen in diverse sectoren.

Ik probeerde uit te leggen en uit te komen van deze zeer gefragmenteerde technologische sector door te voorzien in een breed overzicht van de technologieën die meestal absoluut niets een-elk-ander, maar bijna allemaal van toepassing zijn op encryptie spraakkanaal na die indeling:

Mobile TLC Industrie voice encryptie standaarden
Regering en militaire voice encryptie standaarden
Openbare veiligheid voice encryptie standaarden
IETF voice encryptie standaarden
Diverse eigen voice encryptie-technologieën

Het is een enorme slideware, 122 dia's, stel ik voor om te gaan lezen van het 2e deel over te slaan onderscheppen technologieën overzicht al onder mijn presentatie van 2009.

Spraakcommunicatie beveiliging

Bekijk meer presentaties van Fabio Pietrosanti .

Vooral ik graag het concept van de Chocolate graad van versleuteling die willen sommige innovatie te verstrekken over de Snake Oil Encryption concept.

Maar ik nodig hebt om meer in detail over de Chocolate graad van versleuteling context zal waarschijnlijk wel voor het eind van het jaar door te voorzien in een toegepaste cursus over het begrip en de evaluatie van vrijwel de echte veiligheid context van verschillende voice encryptie-technologieën.

Comment (0) Labels encryptie , mobiele , Privacy , voicesecurity | Comment (0)

Kudos security -technologie

27C3 - CCC Congres GVB: We komen in vrede

15 augustus 2010 - 8:39 am

We komen in vrede

We komen in vrede, zei de veroveraars van de Nieuwe Wereld.

We komen in vrede, zegt de overheid, als het gaat om te koloniseren, reguleren en militariseren de nieuwe digitale wereld.

We komen in vrede, zeggen dat de natie-staat middelgrote bedrijven die hebben aangegeven op het net en de ketting van de gebruikers geld uit te drukken om hun glimmende nieuwe apparaten.

We komen in vrede, zeggen we als hackers, geeks en nerds, toen we uit de richting van de echte wereld en proberen dat te veranderen, omdat het heeft ingebroken in onze natuurlijke habitat, de cyberspace ...

Oproep voor papier voor deelname aan 27C3 CCC congres is open, en ik zag nooit een zo spannend uitbetaling :-)

Tot ziens op 30 december 2010 in Berlijn!

Comment (0) Labels hacken | Reactie (0)

inlichtingendiensten onderscheppen Privacy veiligheid technologie

GSM scheurvorming in penetratie testmethoden (OSSTMM)?

23 juli 2010 - 8:16 am

As most of this blog reader already know, in past years there was a lot of activities related to public research for GSM auditing and cracking.

However when there was huge media coverage to GSM cracking research results, the tools to make the cracking was really early stage and still very inefficient.

Now Frank Stevenson , norwegian cryptanalyst that already broke the Content Scrambling System of DVD video disc, participating to the A51 cracking project started by Karsten Nohl , released Kraken , a new improved version of the A51 cracking system.

It's interesting to notice that WiFi cracking had a similar story, as the first WiFi wep cracking discovery was quite slow in earlier techniques but later Korek, an hacker working on cracking code, improve the attack system drammatically.

That's the story of security research cooperation, you start a research, someone follow it and improve it, some other follow it and improved it and at the end you get the result.

Read more on the Kraken GSM Cracking software release .

And stay tuned as next week at Blackhat Conference Karsten Nohl will explain the details of the required hardware setup and detailed instructions on how to do it :-)

I would really like to see those tools incorporated into Penetration Testing Linux Distribution BackTrack with OSSTMM methodology enforcing the testing of GSM interception and man in the middle :-)

If things proceed that way and Ettus Research (The producer of USRP2 software radio used for low cost GSM signal receiving) will not be taken down, we can still see this.

Tags encryption , hacking , Privacy , voicesecurity | Comments (2)

business management Privacy security technology

Snake-olie beveiliging vorderingen op crypto beveiligingsproduct

19 July 2010 – 9:33 pm

Beveiliging markt te groeien, meer bedrijven gaat naar de markt, maar hoeveel van hen zijn ernstig wat ze doen nemen?

Je weet wel, doet beveiligingstechnologie betekenen dat u bent zelf verantwoordelijk voor de bescherming van informatie van de gebruiker. You must make them aware of what they need, exactly what your are doing and which kind of threat model your product protect.

Een typisch probleem beveiliging product eigenschappen wordt vertegenwoordigd door het onvermogen van de gebruiker om de beveiliging kan van het product te evalueren.

Dus er is heel veel bedrijven bezig met een niet-zo-ethische marketing van beveiligingsfuncties, op basis van de feiten die geen enkele gebruiker in staat zal zijn om het te evalueren.

The previously explained situation reside in the security topic of Snake Oil Encryption , an evolution in the scientific cryptographic environment that let us today use best of breed information protection technologies without having to worry too much about backdoors or insecurities.

Laten we het eens hebben over Snake Oil Encryption

Snake Oil Cryptography : In de cryptografie , slang olie is een term die gebruikt wordt om commerciële cryptografische methoden en producten die worden beschouwd als vals of frauduleus te beschrijven. Onderscheid veilige cryptografie van onveilige cryptografie kan moeilijk zijn vanuit het oogpunt van een gebruiker. Veel cryptografen, zoals Bruce Schneier en Phil Zimmermann , verbinden zich ertoe het publiek te informeren in hoe veilig cryptografie wordt gedaan, maar ook aandacht voor de misleidende marketing van een aantal cryptografische producten.

Het meest gerefereerde crypto beveiliging goeroe, Philip Zimmermann en Bruce Schneier, was de 1ste om te praten over Snake Oil encryptie:

Snake Oil door Philip Zimmermann

Snake Oil door Bruce Schneier

De Michigan Telecommunicatie en Technologie Law Review ook een zeer goede analyse met betrekking tot de veiligheidskenmerken van Security Products gemaakt, slang-olie beveiligingsclaims "De systematische verkeerde voorstelling van veiligheid van de producten . Ze vertellen over de nare marketing trucs gebruikt om gebruikers niet in staat te tweaken aan het evalueren beveiligingsfuncties, waaronder economische en wettelijke verantwoordelijkheid implicatie.

Very famous is the sentence of Russ Nelson : Verschillende slang olie beveiligingsproduct bedrijven niet uit te leggen en zijn niet duidelijk over de dreiging model waarin het product toe te passen Heel bekend is de zin van. Russ Nelson :

"Denk eraan, crypto zonder een bedreiging model is zoals koekjes zonder melk. ..... Cryptografie, zonder een bedreiging model is als het moederschap zonder appeltaart. Kan niet zeggen dat er genoeg tijd. More generally, security without a threat model is by definition going to fail.”

So, how to spot snake oil security products?

Controleer een richtlijn van de naar Snake Oil Encryption producten te spotten: Snake Oil Warning Signs, Encryption Software te vermijden door Matt Curtin .

U kunt dit zien zeer goede cryptografische Snake Oil Voorbeelden van Emility Ratliff (IBM Architect bij Linux Security), die probeerde duidelijk voorbeeld te maken over de manier waarop cryptografie Snake Oil te spotten.

Hier vertegenwoordigd de basis richtsnoer van Matt Curtin papier:

Companies that claim Trust Us, We Know What We're Doing'
Bedrijven die nieuwe technologie betreft uit te vinden zonder zelfs het uitleggen van de innovatie, de zogenaamde technobabbel
Product dat niet-openbare protocollen gebruiken in combinatie met eigen en geheime algoritmen
Bedrijf dat pretenderen te hebben uitgevonden nieuw type van cryptografie of een revolutionaire doorbraken
Bedrijven die te presenteren Useless Certificatie en veronderstelde Independent Evaluation zonder enige waarde aan veiligheid
Product die beweren te zijn Unbreakabl e
Bedrijven die andere producten beweren zijn onzeker met nep en kunstmatige bewijs
Bedrijven die hun systeem beweren dat militaire rang , terwijl iedereen weet dat vandaag de dag cryptografie in de civiele sector is de innovatie het rijden
Product that have Unsubstantiated bit claims (like 16384 bit or 46080 bit encryption and authentication of sessions)

By checking that points it's possible to evaluate how serious an encryption technology or product is.

Maar al met al hoe je dat onethisch beveiliging aanpak op te lossen?

Het is erg significatieve en het zou erg handig zijn voor elk soort beveiliging productcategorie om een aantal sterke en onafhankelijke evaluatie leidraad (zoals OSSTMM voor penetratie testen), tot deze beveiligingsupdate evaluatieproces echt in de handen van de gebruiker.

Het zou ook erg leuk om iemand hebben het maken van analyse en evaluatie van beveiligingsproduct bedrijven, het publiceren van rapporten over Snake Oil tekenen.

Tags business , encryption , management , marketing , policy , Privacy , voicesecurity | Comments (3)

intelligence Privacy security technology

Web2.0 privacy lek in Mobile apps

17 July 2010 – 9:02 am

You know that web2.0 world it's plenty of leak of any kind (profiling, profiling, profiling) related to Privacy and users starts being concerned about it.

Users continuously download applications without knowing the details of what they do, for example iFart just because are cool, are fun and sometime are useful.

On mobile phones users install from 1000% up to 10.000% more applications than on a PC, and those apps may contain malware or other unexpected functionalities.

Recently infobyte analyzed ubertwitter client and discovered that the client was leaking and sending to their server many personal and sensitive data such as:

- Blackberry PIN

- Phone Number

- Email Address

- Geographic positioning information

Read about UbertTwitter 'spyware' features discovery here by infoByte .

It's plenty of applications leaking private and sensitive information but just nobody have a look at it.

Should mandatory data retention and privacy policies became part of application development and submission guideline for mobile application?

Imho a users must not only be warned about the application capabilities and API usage but also what will do with which kind of information it's going to handle inside the mobile phone.

Capabilities means authorizing the application to use a certain functionalities, for example to use GeoLocation API, but what the application will do and to who will provide such information once the user have authorized it?

That's a security profiling level that mobile phone manufacturer does not provide and they should, because it focus on the information and not on the application authorization/permission respect to the usage of device capabilities.

ps yes! ok! I agree! This kind of post would require 3-4 pages long discussion as the topic is hot and quite articulated but it's saturday morning and i gotta go!

Tags hacking , mobile , policy , Privacy | Comment (0)

Privacy security -technologie

AES-algoritme geselecteerd voor gebruik in de ruimte

8 July 2010 – 12:37 pm

I encountered a nice paper regarding analysis and consideration on which encryption algorithm it's best suited for use in the space by space ship and equipments.

The paper has been done by the Consultative Committee for Space Data Systems that's a consortium of all space agency around that cumulatively handled more than 400 mission to space .

Read the paper Encryption Algorithm Trade Survey as it gives interesting consideration and comparison between different encryption algorithms.

Obviously the finally selected algorithm is AES , while KASUMI (used in UMTS networks) was avoided.

Comment (0) Labels encryptie , Privacy | Comment (0)

business intelligence interception Privacy security technology

Blackberry Security and Encryption: Devil or Angel?

7 July 2010 – 10:39 pm

Blackberry have good and bad reputation regarding his security capability, depending from which angle you look at it.

This post it's a summarized set of information to let the reader the get picture, without taking much a position as RIM and Blackberry can be considered, depending on the point of view, an extremely secure platform or an extremely dangerous one .

Let's goes on.

On one side Blackberry it's a platform plenty of encryption features, security features everywhere, device encrypted (with custom crypto), communication encrypted (with custom proprietary protocols such as IPPP), very good Advanced Security Settings, Encryption framework from Certicom ( now owned by RIM ).

On the other side they does not provide only a device but an overlay access network, called BIS ( Blackberry Internet Service ), that's a global worldwide wide area network where your blackberry enter while you browse or checkmail using blackberry.net AP.

When you, or an application, use the blackberry.net APN you are not just connecting to the internet with the carrier internet connection, but you are entering inside the RIM network that will proxy and act as a gateway to reach the internet.

The very same happen when you have a corporate use: Both the BB device and the corporate BES connect to the RIM network that act as a sort of vpn concentration network .

So basically all the communications cross trough RIM service infrastructure in encrypted format with a set proprietary encryption and communication protocols.

Just as a notice, think that google to provide gtalk over blackberry.net APN, made an agreement in order to offer service inside the BB network to the BB users. When you install gtalk you get added 3 service books that point to GTALKNA01 that's the name of GTALK gateway inside the RIM network to allow intra-BIS communication and act as a GTALK gateway to the internet.

The mobile operators usually are not even allowed to inspect the traffic between the Blackberry device and the Blackberry Network.

So RIM and Blackberry are somehow unique for their approach as they provide a platform, a network and a service all bundled together and you cannot just “get the device and the software” but the user and the corporate are always bound and connected to the service network.

That's good and that's bad, because it means that RIM provide extremely good security features and capabilities to protect information, device and access to information at various level against third party .

But it's always difficult to estimate the threat and risk related to RIM itself and who could make political pressure against RIM.

Please consider that i am not saying “RIM is looking at your data” but making an objective risk analysis: for how the platform is done RIM have authority on the device, on the information on-the-device and on the information that cross the network. (Read my Mobile Security Slides ).

For example let's consider the very same context for Nokia phones.

Once the Nokia device is sold, Nokia does not have authority on the device, nor on the information on-the-device nor on the information that cross the network. But it's also true that Nokia just provide the device and does not provide the value added services such as the Enterprise integration (The RIM VPN tunnel), the BIS access network and all the local and remote security provisioned features that Blackberry provide.

So it's a matter of considering the risk context in the proper way when choosing the platform, with an example very similar to choosing Microsoft Exchange Server (on your own service) or whether getting a SaaS service like Google Apps.

In both case you need to trust the provider, but in first example you need to trust Microsoft that does not put a backdoor on the software while in the 2nd example you need to trust Google, as a platform and service provider, that does not access your information.

So it's a different paradigm to be evaluated depending on your threat model.

If your threat model let you consider RIM as a trusted third party service provider (much like google) than it's ok. If you have a very high risk context, like top-secret one, then let's consider and evaluate carefully whether it's not better to keep the Blackberry services fully isolated from the device or use another system without interaction with manufacturer servers and services.

Now, let's get back to some research and some facts about blackberry and blackberry security itself.

First of all several governments had to deal with RIM in order to force them to provide access to the information that cross their service networks while other decided to directly ban Blackberry usage for high officials because of servers located in UK and USA, while other decided to install their own backdoors.

Russian Secret Services (FSB) reach an agreement with RIM and now FSB can eavesdrop Blackberry email and web traffic in Russia
French Government banned Blackberry for use by Government officials and also replaced the device for voice encryption use
Indian government made pressure on RIM to reduce encryption capabilities and later announced that they have cracked blackberry encryption . A summary on India-RIM story by Bruce Schneier .
United Arab Emirates (UAE) Etisalat operator tried to silently install a government spyware on all country blackberry but they got caught
USA National Security Agency initially prohibited Obama to use Blackberry for his presidential works giving him a Sectera Edge Secure Phone , after 2 years they managed to secure it with a custom encryption layer done specifically by NSA and allowed Obama to use a custom secured blackberry

There's a lot of discussion when the topics are RIM Blackberry and Governments for various reasons.

Below a set of official Security related information on RIM blackberry platform:

Official Security Knowledgebase on RIM website
Blackberry Internet Service security features
Wireless Data Security

And here a set of unofficial Security and Hacking related information on RIM Blackberry platform:

Hackish blackbox security analysis by FX of Phenoelit : Analysing Complex Systems – The Blackberry case
Accessing corporate intranets trough Blackberry BBProxy Hack
Blackberry Master Control Program little bit of hacking
How to bypass Blackberry IT Policy
Blackberry Reversing research (mostly by Dr Bolsen, however no one have ever decompiled and published the whole RIMOS)
- Bypassing Blackberry COD Signature

Because it's 23.32 (GMT+1), i am tired, i think that this post will end up here.

I hope to have provided the reader a set of useful information and consideration to go more in depth in analyzing and considering the overall blackberry security (in the good and in the bad, it always depends on your threat model!).

Proost

Fabio Pietrosanti (naif)

ps i am managing security technology development (voice encryption tech) on Blackberry platform, and i can tell you that from the development point of view it's absolutely better than Nokia in terms of compatibility and speed of development, but use only RIMOS 5.0+ !

Tags business , encryption , hacking , mobile , Privacy | Comments (3)

Kudos security

Celebrating “Hackers” after 25 years

1 July 2010 – 8:25 am

A cult book , ever green since 25 years.

It's been 25 years since “Hackers” was published. Author Steven Levy reflects on the book and the movement.

http://radar.oreilly.com/2010/06/hackers-at-25.html Steven Levy wrote a book in the mid-1980s that introduced the term "hacker" -- the positive connotation -- to a wide audience. In the ensuing 25 years, that word and its accompanying community have gone through tremendous change. The book itself became a mainstay in tech libraries.O'Reilly recently released an updated 25th anniversary edition of "Hackers," so I checked in with Levy to discuss the book's development, its influence, and the role hackers continue to play.

Comment (0) Labels hacken | Reactie (0)

Privacy security -technologie

Botnet for RSA cracking?

30 June 2010 – 2:29 pm

I read an interesting article about putting 1.000.000 computers, given the chance for a serious botnet owner to get it, to crack RSA.

The result is that in such context attacking an RSA 1024bit key would take only 28 years, compared to theoretical 19 billion of years.

Reading of this article , is extremely interesting because it gives our very important consideration on the cryptography strength respect to the computation power required to carry on cracking attempt, along with industry approach to “default security level”.

I would say a must read .

Comment (0) Labels encryptie , Privacy | Comment (0)

business cyberwarfare intelligence Privacy security technology

China Encryption Regulations

16 June 2010 – 1:11 pm

Hallo allemaal,

i found this very interesting paper on China Encryption Import/Export/Domestic Regulations done by Baker&Mckenzie in the US.

It's strongly business and regulatory oriented giving a very well done view on how china regulations works and how it may behave in future.

Read here Decrypting China Encryption's Regulations (form Bakernet website) .

Tags business , cyberwarfare , encryption , Privacy , voicesecurity | Comment (0)

veiligheid

IOScat – a Port of Netcat to Cisco IOS

13 June 2010 – 3:25 pm

A porting of famous netcat to Cisco IOS router operating system: IOSCat

The only main limit is that it does not support UDP, but that's a very cool tool!

A very good txt to read is Netcat hacker Manual .

Comment (0) Labels hacken | Reactie (0)

cyberwarfare intelligence interception security

The (old) Crypto AG case and some thinking about it

7 June 2010 – 6:40 pm

In the '90, closed source and proprietary cryptography was ruling the world.

That's before open source and scientifically approved encrypted technologies went out as a best practice to do crypto stuff.

I would like to remind when, in 1992, USA along with Israel was, together with switzerland, providing backdoored (proprietary and secret) technologies to Iranian government to tap their communications, cheating them to think that the used solution was secure , making also some consideration on this today in 2010.

caq63crypto.t.jpg

That's called The Crypto AG case , an historical fact involving the United States National Security Agency along with Signal Intelligence Division of Israel Ministry of Defense that are strongly suspected to had made an agreement with the Swiss cryptography producer company Crypto AG .

Basically those entities placed a backdoor in the secure crypto equipment that they provided to Iran to intercept Iranian communications.

Their crypto was based on secret and proprietary encryption algorithms developed by Crypto AG and eventually customized for Iranian government.

You can read some other facts about Crypto AG backdoor related issues:

The demise of global telecommunication security

The NSA-Crypto AG sting

Breaking codes: an impossible task? By BBC

Der Spiegel Crypto AG (german) article

Now, in 2010, we all know and understand that secret and proprietary crypto does not work.

Just some reference by top worldwide cryptographic experts below:

Secrecy, Security, Obscurity by Bruce Schneier

Just say No to Proprietary cryptographic Algorithms by Network Computing (Mike Fratto)

Security Through Obscurity by Ceria Purdue University

Unlocking the Secrets of Crypto: Cryptography, Encryption and Cryptology explained by Symantec

Time change the way things are approached.

I like very much the famous Philip Zimmermann assertion:

“Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.”

Any scientist today accept and approve the Kerckhoffs' Principle that in 1883 in the Cryptographie Militaire paper stated:

The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret.

It's absolutely clear that the best practice for doing cryptography today obbly any serious person to do open cryptography, subject to public review and that follow the Kerckhoff principle.

So, what we should think about closed source, proprietary cryptography that's based on security trough obscurity concepts?

I was EXTREMELY astonished when TODAY, in 2010, in the age of information society i read some paper on Crypto AG website.

I invite all to read the Crypto AG security paper called Sophisticated Security Architecture designed by Crypto AG of which you can get a significant excerpt below:

The design of this architecture allows Crypto AG to provide a secret proprietary algorithm that can be specified for each customer to assure the perfect degree of cryptographic security and optimum support for the customer's security policy. In turn, the Security Architecture gives you the influence you need to be fully independent in respect of your encryption solution. You can determine all areas that are covered by cryptography and verify how the algorithm works. The original secret proprietary algorithm of Crypto AG is the foundation of the Security Architecture .

I have to say that their architecture is absolutely good from TLC point of view. Also they have done a very good job in making the design of the overall architecture in order to make a tamper-proof resistant crypto system by using dedicated crypto processor .
However there is still something missing:

T he overall cryptographic concept is misleading, based on wrong encryption concepts .

You may think that i am a troll telling this, but given the history of Crypto AG and given the fact that all the scientific and security community does not approve security trough obscurity concepts , it would legitimate to ask ourself:

Why they are still doing security trough obscurity cryptography with secret and proprietary algorithms ?

Hey, i think that they have very depth knowledge on telecommunication and security, but given that the science tell us not to follow the secrecy of algorithms, i really have serious doubt on why they are still providing proprietary encryption and does not move to standard solutions (eventually with some kind of custom enhancement).

Tags cyberwarfare , encryption , policy , voicesecurity | Comment (0)

cyberwarfare intelligence security

Missiles against cyber attacks?

7 June 2010 – 5:40 pm

The cyber conflicts are really reaching a point where war and cyberwar merge together.

NATO countries have the right to use the force against attacks on computer networks .

Tags cyberwarfare , policy | Comment (0)

business interception Privacy security technology

Mobile Security talk at WHYMCA conference

2 June 2010 – 7:56 pm

I want to share some slides i used to talk about mobile security at whymca mobile conference in Milan.

Read here my slides on mobile security .

The slides provide a wide an in-depth overview of mobile security related matters, i should be doing some slidecast about it putting also audio. Maybe will do, maybe not, it depends on time that's always a insufficient resource.

Tags business , encryption , hacking , mobile , Privacy , voicesecurity , zrtp | Comment (0)

Privacy security -technologie

iPhone PIN: useless encryption

1 June 2010 – 2:53 pm

I recently switched one of my multiple mobile phones with which i go around to iPhone.

I am particularly concerned about data protection in case of theft and so started having a look around about the iPhone provided protection system.

There is an interesting set of iPhone Business Security Features that make me think that iPhone is moving in the right path for security protection of the phone, but still a lot of things has to be done, especially for serious Enterprise and Government users.

For example it turned out that the iPhone PIN protection is useless and it can be broken just plugging the iPhone to a Linux machine and accessing the device like a USB stick.

That's something disturbing my paranoid mindset that make me think not to use sensitive data on my iPhone if i cannot protect my data.

Probably an iPhone independent disk encryption product would be very useful in order to let the market create protection schemas that fit the different risk contexts that different users may have.

Probably a general consumer is not worried about this PIN vulnerability but for me, working within highly confidential envirnonment such as intelligence, finance and military, it's something that i cannot accept.

I need strong disk encryption on my mobile phone.

I do strong voice encryption for it , but it would be really nice to have also something to protect the whole iPhone data and not just phone calls.

Comment (0) Labels encryptie , hacking , mobiele , Privacy , voicesecurity | Comment (0)

security Uncategorized

Who extract Oil in Iran? Business and UN sanction together

1 June 2010 – 9:21 am

I like geopolitic and i am following carefully iran issues.

I went to National Iranian Oil Company website and have seen “ Exploration & Production ” section where are listed all the companies and their country of origin that are allowed to make Exploration of oil in Iran.

On that list we find the list of countries along with the data of signing of exploration agreement:

Norway/Russia (2000)
Australia/Spain/Chile (2001)
India (2002)
China (2001)
Brazil (2004)
Spain (2004)
Thailand (2005)
China x 2 (2005)
Norway (2006)
Italy (2008)
Vietnam (2008)

Those countries's oil companies are allowed to do oil extraction in Iran and i would like to point out that Iran is the 2nd world Oil Reserve just after Saudi Arabia.

As you can see there's NO USA company doing extraction.

Of European Countries the only one doing business with IRAN are:

IRAN Norway Relationship

IRAN ITALY Relationship

IRAN SPAIN Relationship

While of the well known non-US-simpatizing countries, the one doing Oil business with Iran are:

IRAN RUSSIA Relationship

IRAN BRAZIL Relationship

IRAN China Relationship

Don't missing some Asian involvement.

IRAN India Relationship

IRAN Vietnam Relationship

As you can see Iran is doing Oil business with most big south America and Far Asia countries, with some little exception in Europe for what apply to Norway, Italy and Spain.

To me it sounds that those European countries are going to face serious trouble whether they will accept and subscribe UN sanction against Iran.

Or some of them, like Italy, are protected by the strenghtening cooperation they are doing with Russia on Energy matters?

Well, i don't know how things will end up, but it's possible the most hypocrit countries like the European ones doing business in Iran while applying Sanctions will be the only European winning in the international competition for Iran Oil (Unless France did not drop a nuclear bomb on theran ;) ).

Tags civilrights , policy | Comment (0)

Kudos Privacy security technology

Exploit code against SecurStar DriveCrypt published

25 May 2010 – 5:00 pm

It seems that the hacking community somehow like to target securstar products, maybe because hacking community doesn't like the often revealed unethical approach already previously described in this blog by articles and user's comments.

In 2004 a lot of accusation against Hafner of SecurStar went out because of alleged intellectual property theft regarding opensource codes such as Encryption 4 the masses and legal advert also against the Free and opensource TrueCrypt project .

In 2008 there was a pre-boot authentication hacking against DriveCrypt Plus posted on Full-Disclosure.

Early 2010 it was the time of the fake infosecurity research secretly sponsored by securstar at http://infosecurityguard.com (that now they tried to remove from the web because of embarrassing situation, but backup of the story are available, hacking community still wait for apologies) .

Now, mid 2010, following a research published in December 2009 about Disk Encryption software vulnerabilities made by Neil Kettle (mu-b), Security researcher at digit-labs and Penetration tester at Convergent Network Solutions , DriveCrypt was found to be vulnerable and exploitable breaking on-device security of the system and exploit code has been just released.

Exploit code reported below (thanks Neil for the code release!):

Arbitrary kernel code execution security exploit of DriveCrypt: drivecrypt-dcr.c

Arbitrary file reading/writing security exploit via unchecked user-definable parameters to ZxCreateFile/ReadFile/ WriteFile: drivecrypt-fopen.c

The exploit code has been tested against DriveCrypt 5.3, currently released DriveCrypt 5.4 is reported to be vulnerable too as it has just minor changes related to win7 compatibility. Can anyone make a double check and report a comment here?

Very good job Neil!

In the meantime the Free Truecrypt is probably the preferred choice for disk encryption, given the fact that it's difficult to trust DriveCrypt, PGP has been acquired by Symantec and there are very bad rumors about the trust that people have in Symantec and there are not many widely available alternatives.

Rumors say that also PhoneCrypt binaries are getting analyzed and the proprietary encryption system could reveal something fun…

Tags encryption , hacking , Privacy , voicesecurity | Comment (0)

onderscheppen Privacy security -technologie

Quantum cryptography broken

20 May 2010 – 8:15 pm

Quantum cryptography it's something very challenging, encryption methods that leverage the law of phisycs to secure communications over fiber lines.

To oversimplify the system is based on the fact that if someone cut the fiber, put a tap in the middle, and joint together the other side of the fiber, the amount of “errors” that will be on the communications path will be higher than 20% .

So if QBER (Quantum Bit Error Rate) goes above 20% then it's assumed that the system is intercepted.

Researcher at university of toronto was able to cheat the system with a staying below the 20%, at 19.7% , thus tweaking the threshold used by the system to consider the communication channel secure vs compromised.

The product found vulnerable is called Cerberis Layer2 and produced by the Swiss ID Quantique .

Some possibile approach to detect the attack has been provided but probably, imho, such kind of systems does not have to be considered 100% reliable until the technology will be mature enough.

Traditional encryption has to be used together till several years, eventually bundled with quantum encryption whether applicable.

When we will see a quantum encryption systems on an RFC like we have seen for ZRTP , PGP and SSL ?

-naif

Tags encryption , Privacy , zrtp | Comment (0)

veiligheid

FUN! Infosecurity consideration on some well known films

18 May 2010 – 8:48 pm

Please read it carefully Film that needed better infosec .

One the the review, imho the most fun one on film Star Wars :

The scene

Death star getting blown up

Infosec Analysis

Darth Vader must be heralded as the prime example of a chief executive who really didn't care about information security. The entire board was unapproachable and clearly no system testing was undertaken. The network security was so poor that it was hacked into and the designs for the death star were stolen without anyone knowing.

Even worse than that, the death star had a major design flaw where by dropping a bomb thingy into a big hole on the outside, it actually blew up the entire thing!

Darth Vader needed to employ a good Security Consultant to sit on the executive board and promise not to force choke him. Should have commissioned a full risk assessment of the death star followed by a full penetration test. Only then should the death star have been released into the production environment.

Reactie (0)

Privacy security -technologie

great point of view

20 April 2010 – 6:50 pm

Because security of a cryptographic system it's not a matter of “how many bits do i use” but using the right approach to do the right thing to mitigate the defined security risk in the most balanced way.

Tags encryption , Privacy , voicesecurity | Comment (0)

Privacy security -technologie

Encryption is not scrambling: be aware of scrambler!

20 April 2010 – 5:50 pm

Most of us know about voice scrambler that can be used across almost any kind of voice based communication technology.

Extremely flexible approach: works everything

Extreme performance: very low latency

but unfortunately…

Extremely weak: Scrambling cannot be considered secure.

Only encryption can be considered secure under the Kerckoff's principle .

So please don't even consider any kind of analog scrambler if you need real security.

Read deeply the paper Implementation of a real-time voice encryption system ” by Markus Brandau, especially the cryptoanalysis paragraph.

Tags encryption , mobile , Privacy , voicesecurity , zrtp | Comment (0)

business interception Privacy technology

SecurStar GmbH Phonecrypt answers on the Infosecurityguard/Notrax case: absolutely unreasonable! :-)

1 February 2010 – 6:04 pm

UPDATE 20.04.2010: http://infosecurityguard.com has been disabled. Notrax identity became known to several guys in the voice security environments (cannot tell, but you can imagine, i was right!) and so our friends decided to trow away the website because of legal responsibility under UK and USA laws.

UPDATE: Nice summary of the whole story (i know, it's long and complicated to read at 1st time) on SIPVicious VoIP security blog by Sandro Gauci .

Following my discoveries, Mr. Hafner, SecurStar chief exec, tried to ultimately defend their actions, citing absolutely unreasonable excuses to The Reg instead of publicly apologizing for what they have done: creating a fake independent security research to promote their PhoneCrypt product .

He tried to convince us that the person behind IP 217.7.213.59, used by the author of infosecurityguard.com and pointing to their office DSL line, was this hacker Notrax, using their anonymous surfing service and not one of their employees at their office:

“SecurStar chief exec Wilfried Hafner denied any contact with Notrax. Notrax, he said, must have been using his firm's anonymous browsing service, SurfSolo, to produce the results reported by Pietrosanti”

Let's reflect a moment on this sentence… Would really an hacker looking for anonymity spend 64 EUR to buy their anonymity surfing service called surfsolo instead of using the free and much more secure TOR (the onion router) ?Then let's reflect on this other piece of information:

The IP 217.7.213.59 is SecurStar GmbH's office DSL line
On 217.7.213.59 they have installed their VoIP/Asterisk PBX and internet gateway
They promote their anonymous proxy service for “Anonymous p2p use” ( http://www.securstar.com/products_ssolo.php ). Who would let users do p2p from the office dsl line where they have installed their corporate VoIP PBX ? If you do VoIP you can't let third party flood your line w/ p2p traffic, your phone calls would became obviously unreliable (yes, yes, you can do QoS, but you would not place an anonymous navigation proxy on your company office DSL line…).
Which company providing an anonymous navigation service would ever use their own office IP address? Just think how many times you would have the police knocking at your door and your employees as the prime suspects. (In past i used to run a TOR node, i know the risks…). Also think how many times you would find yourself blacklisted on google as a spyware bot.
Mr. Hafner also says “We have two million people using this product. Or he may have been an old customer of ours”. 2M users on a DSL line, really?
I don't use Surfsolo service, however their proxies are probably these ones:

surfsolo.securstar.net – 67.225.141.74

surfsolo.securstar.com – 69.16.211.133

Frankly speaking I can easily understand that Mr. Hafner is going do whatever he can to protect his company from the scandal, but the “anonymous proxy” excuse is at the very least suspicious.

How does the fact that the “independent research” was semantically a product review of PhoneCrypt, along with the discovery that the author come from the SecurStar GmbH IP address offices, along with the anonymity of this Notrax guy (SecurStar calls him a “well known it security professional” in their press release..) sound to you?

It's possible that earth will get an attack from outer space that's going to destroy our life?

Statistically extremely difficult, but yes, possible. More or less like the “anonymous proxy” story told by Mr. Hafner to cover the fact that they are the ones behind the infosecurityguard.com fake “independent security review”.

Hey, I don't need anything else to convince myself or to let the smart person have his own thoughts on this.

I just think that the best way for SecurStar to get out of this mess would probably be to provide public excuses to the hacking community for abusing the name and reputation of real independent security researches, for the sake of a marketing stunt.

Met vriendelijke groet,

Fabio Pietrosanti

ps I am currently waiting for some other infos that will more precisely confirm that what Mr. Hafner is saying is not properly true. Blijf op de hoogte.

Tags business , encryption , hacking , marketing , Privacy , voicesecurity | Comment (0)

business interception Privacy security

Evidence that infosecurityguard.com/notrax is SecurStar GmbH Phonecrypt – A fake independent research on voice crypto

1 February 2010 – 12:32 am

Below evidence that the security review made by an anonymous hacker on http://infosecurityguard.com is in facts a dishonest marketing plan by the SecurStar GmbH to promote their voice crypto product.

I already wrote about that voice crypto analysis that appeared to me very suspicious.

Now it's confirmed, it's a fake independent hacker security research by SecurStar GmbH, its just a marketing trick!

How do we know that Infosecurityguard.com, the fake independent security research, is a marketing trick from SecurStar GmbH?

1) I posted on http://infosecurityguard.com a comments to a post with a link to my blog to that article on israelian ministry of defense certification

2) The author of http://infosecurityguard.com went to approve the comment and read the link on my own blog http://infosecurity.ch

3) Reaching my blog he leaked the IP address from which he was coming 217.7.213.59 (where i just clicked on from wordpress statistic interface)

4) On http:// 217.7.213.59/panel there is the IP PBX interface of the SecurStar GmbH corporate PBX (openly reachable trough the internet!)

5) The names of the internal PBX confirm 100% that it's the SecurStar GmbH:

Hafner : Wilfried Hafner, CEO and founder of SecurStar GmbH (linkedin profile)
Can : Can Yavuzyilman, Country Manager at SecurStar GmbH (linkedin profile)
Markus : Markus Bensinger, System Administrator at SecurStar GmbH (linkedin profile)

6) There is 100% evidence that the anonymous hacker of http://infosecurityguard.com is from SecurStar GmbH

Below the data and reference that let us discover that it's all but a dishonest marketing tips and not an independent security research.

Kudos to Matteo Flora for it's support and for his article in Debunking Infosecurityguard identity !

The http referral tricks

When you read a link going from a website to another one there is an HTTP protocol header, the “Referral”, that tell you from which page someone is going to another webpage.

The referral demonstrated that the authors of http://infosecurityguard.com read my post, because it was coming from http://infosecurityguard.com/wp-admin/edit-comments.php that's the webpage you use as a wordpress author/editor to approve/refuse comments. And here there was the link.

That's the log entry:

217.7.213.59 – - [30/Jan/2010:02:56:37 -0700] “GET /20100129/licensed-by-israel-ministry-of-defense-how-things-really-works/ HTTP/1.0″ 200 5795 “ http://infosecurityguard.com/wp-admin/edit-comments.php ” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”

The PBX open on the internet tell us that's SecurStar GmbH

The SecurStar GmbH PBX is open on the internet, it contains all the names of their employee and confirm us that the author of http:/infosecurityguard.com is that company and is the anonymous hacker called Notrax.

Here there is their forum post where the SecurStar GmbH guys are debugging IPCOPfirewall & Asterisk together (so we see also details of what they use) where there is the ip 217.7.213.59 .

That's also really fun!

They sell secure telephony but their company telephony system is openly vulnerable on the internet . :-)

I was thinking to call the CEO, Hafner, via SIP on his internal desktop PBX to announce we discovered him tricks.. :->

They measured their marketing activity

Looking at the logs of my website i found that they was sensing the google distribution of information for the following keywords, in order to understand how effectively they was able to attack competing products. It's reasonable, if you invest money in a marketing campaign you want to see the results :-)

They reached my blog and i logged their search:

infosecurityguard+cryptophone

infosecurityguard+gold-lock

217.7.213.59 – - [30/Jan/2010:02:22:42 -0700] “GET / HTTP/1.0″ 200 31057 “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”

217.7.213.59 – - [30/Jan/2010:04:15:07 -0700] “GET HTTP/1.0″ 200 15774 “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”

The domain registration data
The domain have been registered on 1st December 2009, just two months to start preparing the dishonest marketing campaign:

Domain Name: INFOSECURITYGUARD.COM

Registrar: GODADDY.COM, INC.

Updated Date: 01-dec-2009

Creation Date: 01-dec-2009

The domain is anonymously privacy protected trough a whois privacy service:

Administrative Contact: Private, Registration INFOSECURITYGUARD.COM@domainsbyproxy.com , Domains by Proxy, Inc. DomainsByProxy.com

Notrax hacker does not exist on google
As you know any hacker that get public usually have presence of it's activity on google, attending mailinglists, forum, homepage, past research, participation to conferences, etc, etc.
The fake hacker that they wanted us to to think was writing an independent blog does NOT have any trace on google. Only some hit about an anonymous browser called Notrax but nothing about that hacker.
Maybe when SecurStar provided the anonymity tool to their marketing agency, to help them protecting anonymity for the fake research, their provided them the anonymous browser notrax.So the marketing guy thinking about the nickname of this fake hackers used what? Notrax! :-)

The “independent review”completely oriented in publicizing PhoneCrypt

Of the various review don the phonecrypt review is only positive and amazing good feedback, while the other are only bad feedback and no single good point.

As you can imagine, in any kind of independent product evaluation, for all products there are goods and bad points. No. In this one there are only product that are good and product that are bad.

They missed to consider the security of the technology used by the products

They completely avoided to speak about cryptography and security of the products.

They do not evaluated basic security features that must be in that kind of products.That's in order not to let anyone see that they did not followed basic security rules in building up their PhoneCrypt.
The technology is closed source, no transparency on algorithms and protocols, no peer review.Read my new comparison (from the basic cryptographic requirement point of view) About the voice encryption analysis (criteria, errors and different results) .
The results are somehow different than their one .

UPDATE: Who's Wilfried Hafner (SecurStar founder) ?

I got a notice from a reader regarding Wilfred Hafner, SecurStar founder, CEO and security expert.

He was arrested in 1997 for telephony related fraud (check 2nd article on Phrack) earning from telephony fraud 254.000 USD causing damages to local telcos trough blueboxing for 1.15 Million USD.

He was not doing “Blueboxing” for the pleasure of phreaking and connecting with other hackers, but to earn money.

Hacking for profit (and not for fun) in 1997… brrr…. No hacker's ethic at all!

All in all, is that lawful?

Badmouthing a competitor amounts to an unfair competition practice in most jurisdictions, so it is arguable (to say the least) that SecurStar is right on a legally sound ground here.
Moreover, there are some specific statutes in certain jurisdictions which provide for a straightforward ban on the practice we are talking about. For example in the UK the British Institute of Practitioners in Advertising - in compliance with the Consumer protection from Unfair Trading regulation – ruled that:

”falsely claiming or creating the impression that the trader is not acting for the purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer” is a criminal offense .

We have no doubt that PRPR (which is the UK-based *PR company for SecurStar GmbH, led by Peter Rennison and Allie Andrews as stated in SecurStar Press Release ) did provide their client with this information. Heck, they *are* in the UK, they simply cannot ignore that!

IANAL, but I would not be surpised if someone filed a criminal complaint or start civil litigation for unfair competition against SecurStar GmbH.
Whether this is going to be a matter for criminal and/or civil Courts or not is not that important. However, it is clear enough that SecurStar GmbH appears to be at least ethically questionable and not really worth of trust.

Nice try, gentlemen… however, next time just do it right (whether “right” for them means “in a honest manner” or “in a fashion not to be caught” I will let them choose)”

Fabio Pietrosanti (naif)

Tags business , encryption , hacking , marketing , Privacy , voicesecurity | Comments (7)

business interception Privacy security

Dishonest security: The SecurStart GmbH Phonecrypt case

1 February 2010 – 12:30 am

I would like to provide considerations on the concept of ethics that a security company should have respect to the users, the media and the security environment.

SecurStar GmbH made very bad things making that infosecuriguard.com fake independent research.

It's unfair approach respect to hacking community.

It's unfair marketing to end user. They should not be tricking by creating fake independent review.

It's unfair competition in the security market.

Let's make some more important consideration on this.

Must be serious on cryptographic products. They are not toys

When you do cryptographic tools you should be really aware of what you are doing, you must be really serious.

If you do bad crypto people could die.

If you don't follow basic security rules for transparency and security for cryptography you are putting people life at risk.

You are taking the responsibility of this. (I want to sleep at night, don't think SecurStar CEO/CTO care about this…)

Security research need reference and transparency

Security research have to be public, well done, always subject to public discussion and cooperation.
Security research should not be instrumentally used for marketing purpose.Security research should be done for awareness and grow of the knowledge of the worldwide security environment.

Hacking environment is neutral, should not be used instrumentally

Hackers are considered neutral, nerds, doing what they do for their pleasure and passion.

If you work in the security market you work with hackers.

If you use hackers and hacking environment for your own marketing purposes you are making something very nasty.

Hackers give you the technology and knowledge and you use them for your own commercial purpose.

Consideration on the authority of the information online

That's something that pose serious consideration on the authority of information online.An anonymous hacker, with no reference online, made a product security review that appear like an independent one. I have to say that the fake review was very well prepared, it always posed good/bad things in an indirect way. It did not appeared to me at 1st time like a fake. But going deeply i found what's going on.

However Journalists, news media and blogger went to the TRAP and reviewed their fake research. TheRegister, NetworkWorld and a lot of blogs reported it. Even if the author was completely anonymous.

What they have done is already illegal in UK

SecurStar GmbH is lucky that they are not in the UK, where doing this kind of things is illegal .

Fabio Pietrosanti (naif)

Tags business , hacking , marketing , Privacy , voicesecurity | Comment (0)

business interception Privacy security technology

About the SecurStar GmbH Phonecrypt voice encryption analysis (criteria, errors and different results)

30 January 2010 – 2:02 am

This article want to clarify and better explain the finding at infosecurityguard.com regaring voice encryption product evaluation.
This article want to tell you a different point of view other than infosecurityguard.com and explaining which are the rational with extensive explaination from security point of view.
Today i read news saying: “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products and went to read the website infosecurityguard .

Initially it appeared to my like a great research activity but then i started reading deeply the read about it.I found that it's not properly a security research but there is are concrete elements that's a marketing campaign well done in order to attract public media and publicize a product.
Imho they was able to cheat journalists and users because the marketing campaign was absolutely well done not to be discovered on 1st read attempt. I personally considered it like a valid one on 1st ready (they cheated me initially!).

But if you go deeply… you will understand that:
- it's a camouflage marketing initiative arranged by SecurStar GmbH and not a independent security research
- they consider a only security context where local device has been compromised (no software can be secured in that case, like saying SSL can be compromised if you have a trojan!)
- they do not consider any basic security and cryptographic security criteria

However a lot of important website reported it:

This article is quite long, if you read it you will understand better what's going on around infosecurityguard.com research and research result.

I want to to tell you why and how (imho) they are wrong.

The research missed to consider Security, Cryptography and Transparency!

Well, all this research sound much like being focused on the marketing goal to say that their PhoneCrypt product is the “super” product best of all the other ones.
Any security expert that would have as duty the “software evaluation” in order to protect the confidentiality of phone calls will evaluate other different characteristics of the product and the technology.

Yes, it's true that most of the product described by SecurStar in their anonymous marketing website called http://infosecurityguard.com have some weakness.
But the relevant weakness are others and PhoneCrypt unfortunately, like most of the described products suffer from this.
Let's review which characteristics are needed basic cryptography and security requirement (the best practice, the foundation and the basics!)

a – Security Trough Obscurity does not work

A basic rule in cryptography cames from 1883 by Auguste Kerckhoffs:

In a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm.

Modern cryptographers have embraced this principle, calling anything else “security by obscurity.”

Read what Bruce Schneir, recognized expert and cryptographer in the world say about this

Any security expert will tell you that's true. Even a novice university student will tell you that's true. Simply because that's the only way to do cryptography.

Almost all product described in the review by SecurStar GmbH, include PhoneCrypt, does not provide precise details about their cryptographic technologies.

Precise details are:

Detailed specification of cryptographic algorithm (that's not just saying “we use AES “)
Detailed specification of cryptographic protocol (that's not just saying “we use Diffie Hellman ” )
Detailed specification of measuring the cryptographic strenght (that's not just saying “we have 10000000 bit key size “)

Providing precise details means having extensive documentation with theoretical and practical implications documenting ANY single way of how the algorithm works, how the protocol works with precise specification to replicate it for interoperability testing.
It means that scientific community should be able to play with the technology, audit it, hack it.
If we don't know anything about the cryptographic system in details, how can we know which are the weakness and strength points?

Mike Fratto, Site editor of Network Computing, made a great article on “Saying NO to proprietary cryptographic systems” .
Cerias Purdue University tell this .

b – NON peer reviewed and NON scientifically approved Cryptography does not work

In any case and in any condition you do cryptography you need to be sure that someone else will check, review, analyze, distruct and reconstract from scratch your technology and provide those information free to the public for open discussion.
That's exactly how AES was born and like US National Institute of Standard make crypto does (with public contest with public peer review where only the best evaluated win).
A public discussion with a public contest where the a lot of review by most famous and expert cryptographer in the world, hackers (with their name,surname and face, not like Notrax) provide their contribution, tell what they thinks.
That's called “peer review”.

If a cryptographic technology has an extended and important peer review, distributed in the world coming from universities, private security companies, military institutions, hackers and all coming from different part of the world (from USA to Europe to Russia to South America to Middle east to China) and all of them agree that a specific technology it's secure…
Well, in that case we can consider the technology secure because a lot of entities with good reputation and authority coming from a lot of different place in the world have publicly reviewed, analyzed and confirmed that a technology it's secure.

How a private company can even think to invent on it's own a secure communication protocol when it's scientifically stated that it's not possible to do it in a “proprietary and closed way” ?
IBM tell you that peer review it's required for cryptography .
Bruce Schneier tell you that “Good cryptographers know that nothing substitutes for extensive peer review and years of analysis.”
Philip Zimmermann will tell you to beware of Snake Oil where the story is: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.”

c – Closed source cryptography does not work

As you know any kind of “serious” and with “good reputation” cryptographic technology is implemented in opensource.
There are usually multiple implementation of the same cryptographic algorithm and cryptographic protocol to be able to review all the way it works and certify the interoperability.
Supposing to use a standard with precise and extended details on “how it works”, that has been “peer reviewed” by the scientific community BUT that has been re-implemented from scratch by a not so smart programmer and the implementation it's plenty of bugs.

Well, if the implementation is “opensource” this means that it can be reviewed, improved, tested, audited and the end user will certaintly have in it's own had a piece of technology “that works safely” .

Google release opensource crypto toolkit
Mozilla release opensource crypto toolkit
Bruce Schneier tell you that Cryptography must be opensource .

Another cryptographic point of view

I don't want to convince anyone but just provide facts related to science, related to cryptography and security in order to reduce the effect of misinformation done by security companies whose only goes is to sell you something and not to do something that make the world a better.

When you do secure products, if they are not done following the proper approach people could die.
It's absolutely something irresponsible not to use best practice to do crypto stuff.

To summarize let's review the infosecurityguard.com review from a security best pratice point of view.

Product name	Security Trough Obscurity	Public peer review	Open Source	Compromise locally?
Caspertec	Obscurity	No public review	Gesloten	Ja
CellCrypt	Obscurity	No public review	Gesloten	Ja
Cryptophone	Transparency	Limited public review	Public	Ja
Gold-Lock	Obscurity	No public review	Gesloten	Ja
Illix	Obscurity	No public review	Gesloten	Ja
No1.BC	Obscurity	No public review	Gesloten	Ja
PhoneCrypt	Obscurity	No public review	Gesloten	Ja
Rode&Swarz	Obscurity	No public review	Gesloten	Ja
Secure-Voice	Obscurity	No public review	Gesloten	Ja
SecuSmart	Obscurity	No public review	Gesloten	Ja
SecVoice	Obscurity	No public review	Gesloten	Ja
SegureGSM	Obscurity	No public review	Gesloten	Ja
SnapCell	Obscurity	No public review	Gesloten	Ja
Tripleton	Obscurity	No public review	Gesloten	Ja
Zfone	Transparency	Public review	Open	Ja
ZRTP	Transparency	Public review	Open	Ja

*Green means that it match basic requirement for a cryptographic secure system

* Red / Broken means that it does not match basic requirement for a cryptographic secure system

That's my analysis using a evaluation method based on cryptographic and security parameters not including the local compromise context that i consider useless.

However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation that appears like i am promoting other products). So it may absolutely possible that a product with good crypto ( transparency, peer reviewed and opensource) is absolutely a not secure product because of whatever reason (badly written, not usable causing user not to use it and use cleartext calls, politically compromised, etc, etc).
I think i will prepare a broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much practical to have a full transparent set of criterias to evaluate it.

But those are really the basis of security to be matched for a good voice encryption system!
Read some useful past slides on security protocols used in voice encryption systems (2nd part).

Now read below some more practical doubt about their research.

The security concept of the review is misleading: any hacked device can be always intercepted!

I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED

Now they are pointing out that also Zfone from Philip Zimmermann is broken (a pc software), just because they install a trojan on a PC like in a mobile phone?
Any security software rely on the fact that the underlying operating system is somehow trusted and preserve the integrity of the environment where the software run.

If you have a disk encryption system but your PC if infected by a trojan, the computer is already compromised.
If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised.
If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised.

No matter which software you are running, in such case the security of your operating environment is compromised and in one way or another way all the information integrity and confidentiality is compromised.

Like i explained above how to intercept PhoneCrypt.

The only things that can protect you from this threat is running in a closed operating system with Trust Computing capability, implementing it properly.
For sure on any “Open” operating system such us Windows, Windows Mobile, Linux, iPhone or Android there's no chance to really protect a software.
On difficult operating system such as Symbian OS or RimOS maybe the running software can be protected (at least partially)

That's the reason for which the security concept that guys are leveraging to carry on their marketing campaign has no clue.
It's just because they control the environment, they know Flexispy software and so they adjusted their software not to be interceptable when Flexispy is installed.
If you develop a trojan with the other techniques i described above you will 100% intercept PhoneCrypt.

On that subject also Dustin Tamme l, Security researcher of BreakPoint Systems , pointed on on VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts .

The PhoneCrypt can be intercepted: it's just that they don't wanted to tell you!

PhoneCrypt can be intercepted with “on device spyware”.
Waarom?
Because Windows Mobile is an unsecure operating environment and PhoneCrypt runs on Windows Mobile.
Windows Mobile does not use Trusted Computing and so any software can do anything.
The platform choice for a secure telephony system is important.
Hoe?
I quickly discussed with some knowledgeable windows mobile hackers about 2 different way to intercept PhoneCrypt with an on-device spyware (given the unsecure Windows Mobile Platform).

a) Inject a malicious DLL into the software and intercept from within the Phonecrypt itself.

In Windows Mobile any software can be subject to DLL code injection.

What an attacker can do is to inject into the PhoneCrypt software (or any software running on the phone), hooking the Audio related functions acting as a “function proxy” between the PhoneCrypt and the real API to record/play audio.

It's a matter of “hooking” only 2 functions, the one that record and the one that play audio.

Read the official Microsoft documentation on how to do DLL injection on Windows Mobile processes. or forum discussing the technique of injecting DLL on windows mobile processes.

That's simple, any programmer will tell you to do so.

They simply decided that's better not to make any notice about this.

b) Create a new audio driver that simply act as a proxy to the real one and intercept PhoneCrypt

In Windows Mobile you can create new Audio Drivers and new Audio Filters.

What an attacker can do is to load a new audio driver that does not do anything else than passing the real audio driver function TO/FROM the realone. In the meantime intercept everything recorded and everything played :-)

Here there is an example on how to do Audio driver for Windows Mobile .

Here a software that implement what i explain here for Windows “Virtual Audio Cable” .

The very same concept apply to Windows Mobile. Check the book “Mobile Malware Attack and Defense” at that link explaining techniques to play with those techniques.

They simply decided that's better not to make any notice to that way of intercepting phone call on PhoneCrypt .

Those are just 2 quick ideas, more can be probably done.

Sounds much like a marketing activity – Not a security research.

Ik moet je vertellen. I analyzed the issue very carefully and on most aspects. All this things about the voice encryption analisys sounds to me like a marketing campaign of SecurStar GmbH to sell PhoneCrypt and gain reputation. A well articulated and well prepared campaign to attract the media saying, in an indirect way cheating the media, that PhoneCrypt is the only one secure. You see the press releases of SecurStar and of the “Security researcher Notrax telling that PhoneCrypt is the only secure product” . SecurStar PhoneCrypt is the only product the anonymous hacker “Notrax” consider secure of the “software solutions”.
The only “software version” in competition with:

– SnapCell – No one can buy it. A security company that does not even had anymore a webpage. The company does not almost exist anymore.

– rohde-schawarz – A company that have in his list price and old outdated hardware secure phone . No one would buy it, it's not good for genera use.

Does it sounds strange that only those other products are considered secure along with PhoneCrypt .

Also… let's check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt in order to understand how much the marketing guys pressed to make the PhoneCrypt review the most attractive:

Toepassing	Screenshots of application	Video with demonstration of interception	Network demonstration
PhoneCrypt	5	0	1
CellCrypt	0	2	0
GoldLock	1	2	0

It's clear that PhoneCrypt is reviewed showing more features explicitly shown and major security features product description than the other.

Too much difference between them, should we suspect it's a marketing tips?

But again other strange things analyzing the way it was done…
If it was “an impartial and neutral review” we should see good and bad things on all the products right?

Ok, see the table below regarding the opinion indicated in each paragraph of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (are the only available) to see if are positive or negative.

Toepassing	Number of paragraphs	Positive paragraphs	Negative paragraphs	Neutral paragraphs
PhoneCrypt	9	9	0	0
CellCrypt	12	0	10	2
GoldLock	9	0	8	1

Detailed paragraphs opinion analysis of Phonecrypt

Paragraph of review	Opinion expressed
From their website	Positive Marketing feedback
Apple iPhone	Positive Marketing feedback
Disk Encryption or voice Encryption	Positive Marketing feedback
PBX Compatibility? Really	Positive Marketing feedback
Cracking <10. Not.	Positive Marketing feedback
Good thinking!	Positive Marketing feedback
A little network action	Positive Marketing feedback
UI	Positive Marketing feedback
Good Taste	Positive Marketing feedback

Detailed paragraphs opinion analysis of Gold-Lock 3G

Paragraph of review	Opinion expressed
From their website	Negative Marketing feedback
Licensed by The israeli Ministry of Denfese	Negative Marketing feedback
Real Company or Part Time hobby	Negative Marketing feedback
16.000 bit authentication	Negative Marketing feedback
DH 256	Negative Marketing feedback
Downad & Installation!	Neutral Marketing feedback
Cracking it <10	Negative Marketing feedback
Marketing BS101	Negative Marketing feedback
Cool video stuff	Negative Marketing feedback

Detailed paragraphs opinion analysis of CellCrypt

Paragraph of review	Opinion expressed
From their website	Neutral Marketing feedback
A little background about cellcrypt	Negative Marketing feedback
Master of Marketing	Negative Marketing feedback
Secure Voice calling	Negative Marketing feedback
Who's buying their wares	Negative Marketing feedback
Downad & Installation!	Neutral Marketing feedback
My Demo environment	Negative Marketing feedback
Did they forget some code	Negative Marketing feedback
Cracking it <5	Negative Marketing feedback
Room Monitoring w/ FlexiSpy	Negative Marketing feedback
Cellcrypt unique features..	Negative Marketing feedback
Plain old interception	Negative Marketing feedback
The Haters out there	Negative Marketing feedback

Now it's clear that from their point of view on PhoneCrypt there is no single bad point while the other are always described in a negative way.
No single good point. Strange?
All those considerations along with the next ones really let me think that's very probably a marketing review and not an independent review.

Other similar marketing attempt from SecurStar

SecurStar GmbH is known to have used in past marketing activity leveraging this kind of “technical speculations”, abusing of partial information and fake unconfirmed hacking stuff to make marketing/media coverage.
Imho a rare mix of unfairness in leveraging the difficult for people to really understand the complexity of security and cryptography.

They already used in past Marketing activities like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote.
Read about their marketing tricks of 2007

They developed a Trojan (RexSpy) for Windows Mobile, made a demonstration capability of the trojan and later on told that they included “Anti-Trojan” capability to their PhoneCrypt software.They never released informations on that trojan, not even proved that it exists.

The researcher Collin Mulliner told at that time that it sounds like a marketing tips (also because he was not able to get from SecurStar CEO Hafner any information about that trojan):

“This makes you wonder if this is just a marketing thing.”

Now, let's try to make some logical reassignment.
It's part of the way they do marketing, an very unfriendly and unpolite approach with customers, journalist and users trying to provide wrong security concepts for a market advantage. Being sure that who read don't have all the skills to do in depth security evaluation and find the truth behind their marketing trips.

Who is the hacker notrax?

It sounds like a camouflage of a fake identity required to have an “independent hacker” that make an “independent review” that is more strong on reputation building.
Read about his bio:

¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night. I have been thinking of starting an official blog for about 4.5 years to share some of the things I come across, can't figure out, or just cross my mind. Due to my day job and my nighttime meddling, I will update this when I can. I hope some find it useful, if you don't, well you don't.

There are no information about this guy on google.
Almost any hacker that get public have articles online, post in mailing archive and/or forum or some result of their activity.
For notrax, nothing is available.

Additionally let's look at the domain…
The domain infosecurityguard.com is privacy protected by domainsbyproxy to prevent understanding who is the owner.
The domain has been created 2 months ago on 01-Dec-09 on godaddy.com registrar.

What's also very interesting to notice that this “unknown hacker with no trace on google about him that appeared on December 2009 on the net” is referred on SecurStar GmbH Press Release as a “An IT security expert”.

Maybe they “know personally” who's this anonymous notrax? :)

Am i following my own conspiracy thinking or maybe there's some reasonable doubt that everything was arrange in that funny way just for a marketing activity?

Social consideration

If you are a security company you job have also a social aspects, you should also work to make the world a better place (sure to make business but “not being evil”). You cannot cheat the skills of the end users in evaluating security making fake misleading information.

You should do awareness on end users, to make them more conscious of security issues, giving them the tools to understand and decide themselves.

Hope you had fun reading this article and you made your own consideration about this.

Fabio Pietrosanti (naif)

ps Those are my personal professional opinion, let's speak about technology and security, not marketing.
pps i am not that smart in web writing, so sorry for how the text is formatted and how the flow of the article is unstructured!

Tags business , encryption , marketing , mobile , Privacy , voicesecurity , zrtp | Comments (4)

cyberwarfare intelligence interception Privacy security

Licensed by Israel Ministry of Defense? How things really works!

29 January 2010 – 10:12 am

You should know that Israel is a country where if a company need to develop encryption product they must be authorized by the government.

The government don't want that companies doing cryptography can do anything bad to them and what they can do of good for the government, so they have to first be authorized.

Companies providing interception and encryptio n m ust apply to a license because Israel law on this is so restrictive to be similar to china law .

That's because those kind of technologies are considered fundamental for the intelligence and espionage capabilities of Israel country.

To give some example of “Licensed by Israel Ministry of Defense” companies:

GSM encryption products “Licensed by Israel Ministry of Defense” – Gold-lock

Interception of communication products “Licensed by Israel Ministry of Defense” – Verint

HF encrypted Radio “Licensed by Israel Ministry of Defense” – Kavit

Surveillance services and equipment “Licensed by Israel Ministry of Defense” – Multi Tier Solutions

For example how to apply for a “License by Israel Ministry of Defense” if you do encryption technologies in Israel?

Be sure to be an israeli company, click here and fill the forms.

Someone will contact you from encryption-control@mod.gov.il and will discuss with you whether to give you or not the license to sell.

What does the department of defense will require from an israeli company in order to provide them the authorization to make and sell interception and encryption products?

Well, what they want and what they really ask nobody knows.

It's a secret dealing of Israel Ministry of Defense with each “licensed” company.

What we know for sure is that Verint, a “Licensed by Israel Ministry of Defense”, placed a backdoor to intercept companies and governments in the US and Netherland into the interception systems they was selling.

Verint, a Licensed by Israel Ministry of Defense Company, provided to Israel government eavesdropped communications of private and government users in the United States and in the Netherland .

CIA officier reported that Israel Ministry of Defense was known to pay Verint a reimbursement of 50% of their costs in order to have from Verint espionage services trough their commercial activity on selling “backdoored” interception equipment to spy foreign users.

It can be a legitimate doubt that the cooperation within the Israeli Ministry of Defense may be problematic for an Israeli company that want to sell interception and encryption product abroad.

Those companies may be forced to make the interests of Israel Ministry of Defense and not the interests of the customers (like Verint scandal is a real-world example).

So, how would a “Licensed by Israel Ministry of Defense” be a good things to promote?

It represent the risk that the “Israel Ministry of Defense”, like is publicly known that it has already have done with Verint, will interfere with what the company do.

It represent the risk that the “Israel Ministry of Defense” may reasonably provide “reimbursement” of costs paying the company and get what they would likely would like to get.

So, what does really “Israel Ministry of Defense” want from Israel companies doing encryption and interception technologies?

Should we ask ourself whether Israeli companies doing encryption and interception businesses are more interested to do business or to do “outsourced espionage services” for their always paying customer, the “Israel Ministry of Defense”.

For sure, in the age of financial crisis, the Israel Ministry of Defense is a paying customer that does not have budget problem…

Strict control, strict rules, strong government strategic and military cooperation.

Wees voorzichtig.

If you want to read more about this matters, about how technologies from certain countries is usually polluted with their governments military and secret services strategies stay tuned as i am preparing a post about this .

You will much better understand about that subjects on the “Licensed by Israel Ministry of Defense”.

Tags cyberwarfare , hacking , mobile , Privacy , voicesecurity | Comment (0)

zakelijk beheer

Index of economic freedom

21 December 2009 – 11:43 am

When looking at facts and figures about globalized world, the index of economic freedom is a nice tool to make proper considerations.

Tags business , civilrights , management , policy | Comment (0)

veiligheid

Recuva: Nice windows data recovery tool

12 November 2009 – 1:10 pm

Not a professional tool but an easy, quick and free one.

If you just accidently deleted some files on windows or your employee leave the company deleting all his data, well that you get out from trouble quickly.

It also came out in a 'portable' version to be loaded from an usb stick drive.

Check Recuva recovery tool

Comment (0) Labels hacken | Reactie (0)

Volgende pagina »