Archive for category Security

Six Years Ago

Six years ago I published my first novel, Counting from Zero.  Next month, on February 25, exactly six years to the day after that, the sequel, Returning to Zero, will be published.


Returning to Zero continues the story of the Zed.Kicker botnet, and the efforts of white hat hacker Mick O’Malley and his friends to contain and destroy it.

A lot has changed in those six years, especially in internet security and privacy.

Six years ago, not too many people outside certain internet security circles had ever heard of a ‘botnet’, a robot network of compromised computers.  Botnets back then had tens of thousands of computers, which was why my fictional Zed.Kicker botnet with millions of devices was so powerful.  Today, there are many botnets with millions.

Six years ago, few also understood how dangerous a large botnet can be, with its distributed denial of service (DDoS) attacks.  Botnets routinely launch such attacks today.

Six years ago, only a paranoid few thought about pervasive surveillance, and the notion that without taking measures, all our activities online were being tracked and recorded by governments, our own and others.  In this post-Snowden era (three years ago, believe it or not), we know the extent and the invasiveness of the surveillance.  (Just for fun, here is a photo of me asking Edward Snowden a question via a WebRTC video link after a screening of CITIZEN FOUR at IETF-93).


Six years ago, cybercrime was a rarity, including ransomware and other threats.  Today it is unfortunately common.

Six years ago, many of us were concerned about our communication security: how to encrypt and authenticate our messaging and calls.  The ‘Security and Other Lies’ blog entries in Counting from Zero reflect this emphasis.  Today, privacy is a bigger concern, and how to minimize the metadata about our communication and messaging is discussed in the ‘Privacy and Other Mirages’ blog entries in Returning to Zero.

One thing that hasn’t changed in six years is the excitement and nervous energy involved in launching a new book.  I can’t wait for Returning to Zero to be available and to get feedback and comments!

And looking forward another six years?  Who knows…

Returning to Zero, the sequel to Counting from Zero, and the second book in the Mick O’Malley series will be available on Amazon as Kindle and Paperback editions on February 25, 2017.


Blackphone Disconnect Secure Wireless VPN

After my first look, I’m back exploring the other apps on my Blackphone. See my Full Disclosure of my friendship with the Silent Circle guys and my work on the ZRTP security protocol used in the Blackphone. Today I’m trying out the interestingly named Disconnect Secure Wireless application, basically a VPN (Virtual Private Network) service.  Given that this app is all about making connections, having it called “Disconnect” is a little odd.  The name probably makes more sense with their ad and malware blocking services.  According to their FAQ: “Secure Wireless uses AES-256 to encrypt data to or from your device. Secure Wireless also enforces Diffie-Hellman for key agreement/exchange which provides perfect forward secrecy (PFS).” which is all good.

Out of the box, the Disconnect Secure Wireless application takes you through a short tour of the service.  Essentially, it is a VPN service that can be easily enabled/disabled, and also automatically enabled/disabled based on a preference for a given network. It seems this application is only available on Android, as the iOS version seems to not be a VPN but an ad blocker of some type.

Disconnect Secure Wireless starts off with a free service of 512MB per month, which you would blow through very quickly if you used it for everything.  By putting the Blackphone activation code into the Account screen, you get 2GB per month, which seems reasonable if you use it sparingly, such as on WiFi hotspots or when traveling.


Disconnect Secure Wireless on Blackphone before entering the activation code to get 2GB per month.

Using it is easy – tapping the middle of the screen starts the VPN.  When turning it on, you get two warnings:

Disconnect VPN Setting; Disconnect VPN Trust


The first reminds you that, since this is a VPN service, all the device’s network packets will be routed through it.  Essentially, this app is a Man-in-the-Middle (MitM), although hopefully a trusted MitM. You must tap “I trust this application.” in order to proceed.

The next warning tells you that once turned on, the VPN will always run for this network, until you turn it off.  This is a good warning from a usage perspective.


Next you get a Connecting message and the middle of the screen turns green and indicates bandwidth usage for the month to date. One interesting thing: while I did notice the bandwidth usage rise with normal web browsing, I did not notice it go up during lengthy Silent Circle voice calls.  In general, a VoIP call such as a Silent Circle call can use up to 1MB per minute, depending on the codec.  Perhaps the packets from Silent Circle aren’t tallied by Disconnect against the VPN quota.  Or maybe I just got lucky…

Speed Test Results through Disconnect VPN of 6.6MB/s

Speed Test of underlying WiFi/Cable Modem of 24MB/s


The VPN speed seemed reasonable, although a speed test during a Saturday afternoon isn’t exactly scientific.  Compared to just my WiFi over Cable Modem, it was slower, of course.  The VPN has a location configuration for North America, Europe, or Asia. I’ll need to try it other times of the day to see how well it works.

The default search is also provided by Disconnect, although this can be changed.  A DNS failure in the browser automatically brings up a https://search.disconnect.me search window for the failed string.  It does show the Google “G” symbol, however, indicating that it is not an actual search engine. Instead, as described here, Disconnect Search forwards your request to the engine of your choice (Google, Bing, Yahoo, DuckDuckGo, or Blekko) and anonymizes it. You can also use it in any browser at https://search.disconnect.me/.

So, Disconnect Secure Wireless does what it promises to on the Blackphone.

There’s plenty more on the Blackphone. Next time, I’ll try out Smarter Wi-Fi Manager or SpiderOak or do a proper review of the Silent Circle suite…

Your suggestions, comments and questions are most welcome!



First Look at the Blackphone

Full disclosure: I am good friends with Phil Zimmermann, co-founder of Silent Circle.  He and I worked together for many years to publish his ZRTP media security protocol as an RFC in the IETF standards body. I also helped him with his Zfone Project.  I’m also friends with Jon Callas, Travis Cross, and others at Silent Circle, who collaborated with Geeksphone to produce the Blackphone.



After the Blackphone was announced back in February in Barcelona, I ordered one as soon as they started taking orders, and have pretty much just been killing time ever since then.  I even had a false alarm delivery the other week when I was at the IETF conference in Toronto.  Another package with an address that had “Black” in it arrived, and I jumped to the conclusion that it was my Blackphone.  Instead, my Blackphone arrived the day I was in Chicago at ClueCon, on a Security Round Table panel with Phil and Travis.

My first impressions are quite positive: the packaging is good, and the phone is nice to hold in the hand.  If anything, it feels lighter than I expected.  And it is black.  Included accessories are a USB cable, a charger with US and European plugs, and a headset.

Upon powering it up, you are prompted to create a PIN or password, then it prompts you to encrypt the phone, which takes about 10 minutes or so.

I’ve been using Silent Circle for a while now on my iPhone, so I recognized the Silent Phone and Silent Text apps.  Silent Contacts was new to me, as were the other pre-installed security apps.

It took me a little while to get Silent Phone and Text working.  I had forgotten that I had to look up the Product Keys to get the Silent Circle Ronin code to activate the service and create my account.  The Silent Circle apps are similar to those on my iPhone, although the user interface is inscrutable.  Why does it show one grey dot when I’m calling, then switch to three green dots when I’m connected and ZRTP has been authenticated?  What does “Secure to server” mean?  Hopefully this is an easy fix to the UI to make it understandable.

Next, I need to try out SpiderOak and Disconnect.Me.  Also, I haven’t put a SIM in yet.  My friend James Body has given me a fantastic Truphone travel SIM that I really could have used last month during all my travels…

Look for a future post on these topics.  As always, questions & comments most welcome.



How to Communicate Securely over the Internet

Today, I published a new Internet-Draft on how to communicate securely over the Internet using a new web technology known as WebRTC together with the ZRTP protocol.  Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in to their calls placed using a web browser.  There are already a number of commercial and open source products utilizing ZRTP, including Silent Circle, Jitsi, and others, but this new technique opens it up for all web users.


For those of you not involved in the VoIP or video conferencing world, WebRTC, or Web Real-Time Communications, is a new standards effort to add real-time voice and video communications capabilities to web browsers.  This allows web developers to add voice and video communications with a few standard JavaScript calls.  All the pieces needed to communicate, including codecs and the ability to traverse NAT and firewalls, are built into the browser.  Today, WebRTC is available in the Chrome and Firefox browsers, and in Chrome for Android.  I’ve written a book on WebRTC if you want to learn more about it.

With WebRTC, all media flows are encrypted and authenticated using Secure RTP, or SRTP.  Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP, or Datagram Transport Layer Security for Secure Real-time Transport Protocol.  DTLS-SRTP on its own does not provide protection against Man-in-the-Middle (MitM) attacks, also known as eavesdropping attacks.  Today, the news is full of reasons why Internet users need such protection.  We now know the surveillance of Internet users is widespread.

The ZRTP security protocol, published as RFC 6189 back in 2011, was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet.  ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.

However, ZRTP can still be used to provide MitM protection for WebRTC sessions established using DTLS-SRTP.  As described in the new Internet-Draft written by myself, Phil Zimmermann, Jon Callas, Travis Cross, and John Yoakum, ZRTP can be implemented in JavaScript and run in both browsers over the WebRTC data channel.  The ZRTP exchange is used to compare the DTLS-SRTP fingerprints used to establish the media flows.  If the fingerprints match, and the ZRTP exchange is authenticated by the users comparing the Short Authentication Strings (SAS) displayed on each browser, the WebRTC media sessions are free of MitM attackers.

Jitsi Short Authentication String

How does this work?  You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms, it is because ZRTP uses a technique known as a Diffie-Hellman key exchange augmented with a hash commitment.  This allows the SAS, which can be two words or four hex digits, to prove that a media session has no eavesdroppers present.

We have documented this usage of ZRTP with WebRTC in the Internet-Draft document draft-johnston-webrtc-zrtp.  Hopefully soon there will be some open source ZRTP JavaScript libraries freely available for web developers.

Everyone needs privacy in their communication, and WebRTC with ZRTP finally provides a real solution for all Internet users.



ZRTP at WashU ACM Hackfest 2013

On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of ACM (Association of Computing Machinery).

A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.

I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.

Here is a PDF of my presentation.

Jitsi ZRTP SAS Comparison User Interface

Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.

Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.

We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day.  Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!

Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!




The Other Engineering: Social Engineering

Last night I was interviewed by Jasmine Huda on St. Louis KMOV-TV Channel 4 news about a scam used to steal information from PCs.  The attackers are calling random people and claiming to be from Microsoft Technical Support.  They say they received an error report from the victim’s computer and have found a problem that they will help fix over the phone.  Many PC users see those send-error-report dialog boxes after a crash, and often click to send the report.  Of course, the scammers did not see those reports: they go directly to Microsoft, who treats their content confidentially.  In addition, if you think about it, does your PC know your phone number?

This seems to be a recent report of this in Denver, Colorado, although you can find variants of this scam all over the world and over a period of several years, such as this one in the UK.

This is an example of the other engineering – social engineering.  Social engineering is a confidence game of tricking someone into sharing their computer password or installing malware on their computer or visiting malicious websites.  Unfortunately, it is all too easy, especially if they have a small amount of information (or a lucky guess, such as that you recently clicked on a send error report message).

For a complete analysis of social engineering, I’d recommend Kevin Mitnick’s The Art of Deception.  Or, to read his incredible real-life account of how he used social engineering to take over telephone networks, try Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Everyone should be aware of social engineering and how to protect themselves from it.  The most important thing is to never give out information or access to your computer to someone who calls you, even if they sound legitimate.  If you think it really is Microsoft calling you, or your bank, or your credit card company, then ask for their case number, hang up, then look up the phone number of the business or bank and call them back at that number.  (Note that you can’t ask them for their phone number or call the number shown on Caller ID; you can’t trust that information either, and some attackers even have working toll-free numbers.)

I do hope, however, that people don’t stop sending those error reports.  I’ve heard from my friends who are software developers that these reports are a goldmine for them in terms of fixing bugs and improving their software.



Stop SOPA Redux

Tomorrow is a world-wide day of protest against SOPA and PIPA, as they are being discussed in the United States Congress.  As I discussed last month, these bills must be stopped, or the Internet as we know it today will be no more.   To explain in technical terms, SOPA and PIPA are a Really Bad Idea.

My personal contribution will be to take down the site for my book, and replace it with a banner, courtesy of protestsopa.org.

If  you have a website and care about the future of the Internet, why not join in?  If you don’t but still want to participate, blog or microblog – tell your friends, family,  and acquaintances about this historic event.

We must stop SOPA and PIPA, and ensure that Chinese-style and Iranian-style Internet censorship does not happen in America.



My Year – 2011

As 2011 draws to a close, I wanted to take a moment to thank everyone who has helped me this year. It has been an amazing year! Here’s a short list of my highlights:

– In January I gave a SIP Tutorial for the FCC staff in DC. It was a great event, and hopefully I will get another chance to do it again in 2012. The FCC has lots of VoIP and SIP work to do with the transition of the PSTN and E911 to all VoIP. Hopefully we can soon end the ridiculous subsidies for rural telephone service and instead use them to subsidize high speed Internet service for rural areas.  My friend Henning Schulzrinne was just appointed Chief Technology Officer, so I know the FCC is in good hands technically.  I also enjoyed giving the SIP Tutorial in Miami, Sydney, and Austin.

– In February I published my first novel, a techno thriller about a massive attack on the Internet that gives this blog its name: Counting from Zero. Little did I know how many hacking and security stories there would be in 2011. Some have even called 2011 the Year of the Hacktivist, which is hard to argue with. Overall, I couldn’t be happier with the response to the book. Thank you so much to anyone who has read, reviewed, tweeted, or blogged about it; I am very grateful. Look for more book news in early 2012…

– In February I also started blogging and using Twitter. It has been a lot of fun! Thanks to everyone who has read my blog posts or followed me on Twitter.

– In March I participated in my first robotics competition. The experience was amazing, and I look forward to the start of another build season in just over a week!

– In April, the ZRTP VoIP media security protocol was published as an RFC by the IETF, after 6 years of hard work.  Editing this document is my small contribution to making the Internet more secure.  Here’s to more adoption and deployment in 2012.

– In May the RTCWEB Working Group was chartered by the IETF. The work is progressing slowly but steadily. I expect more progress in 2012, and hope for some strong security to be built into the protocols; let’s show that we have learned something over the years…

– In June, I participated in the first ever SIP Network Operators Conference, or SIPNOC for short. It was a great success and really shows how SIP has grown up. I am privileged to have another term on the Board of Directors of the SIP Forum. With the publication of SIPconnect, the SIP Trunking recommendation, the business use of SIP continues to grow and expand.

– In November, I had my first experience as a cricket coach. My son started the Priory Amateur Cricket Association, or PACA, as a club at his school. It has been a blast so far helping the boys learn the basics of cricket. They have done a great job, although we need to reduce the number of no balls! In 2012 we plan to play a one day match against a local cricket club.

So, here’s to 2011 – it was definitely an interesting year!  I hope it was a good one for you and yours.  Here’s to 2012!



Cyber Cold War?

Next month, I’m excited to be giving a public lecture sponsored by The Tuesday Women’s Association (TWA) and the American Association of University Women (AAUW).  It is part of their 2012 International Relations Lecture Series and is entitled Cyberspace: A New Cold War Front. It will be held on January 10, 2012 at 10:45am at the Ethical Society building on 9001 Clayton Rd., St. Louis, MO 63117.

I’m really looking forward to it. I’m used to lecturing at Washington University, giving industry tutorials, and making business and standards body presentations, but a public lecture like this is something different!

And this is a really interesting topic, too. I’ll be talking about Stuxnet, and other industrial cyber espionage. I’ll get to talk about the attacks on Google originating from China. I’ll talk about hacking as a weapon in various conflicts between Russia and former Soviet republics.

Of course, I’ll try to educate about computer and Internet security, drawing some examples from my techno thriller cyber crime mystery Counting from Zero.  While it is mainly about cyber crime for profit, the techniques and attacks are similar.

If you are in St Louis, it would be great to see you there. If not, maybe I’ll post a recording or at least my slides on this blog.



Stop SOPA!

The news coming out of Washington these days is never good, but this current techno-political issue is absolutely huge. If we don’t stop SOPA, the proposed Stop Online Piracy Act, the Internet as a place of free speech and economic innovation will be no more. While this may sound like hyperbole, I assure you it is not. Read this open letter written by many of the world’s top Internet engineers (and my colleagues at the IETF) published on the Electronic Frontier Foundation website.

This act, if it passes, will modify the core technology of the Internet, the Domain Name System (DNS). The ability for the Internet to grow, perform well, and be free of political interference and meddling are at stake.

This bill is being pushed by Hollywood and other intellectual property holders who claim that online piracy costs them billions in revenue and jobs. History has shown that the most successful way to stop online piracy is to make content available online at reasonable prices and terms. Remember music piracy? It is no longer a problem, due to the current availability of online music. In fact, this act would likely cost billions in lost jobs and profits from Internet startups that would never come into existence.

I am also a stakeholder in this debate. I hold several patents and copyrights on several books. I have used existing tools to have copyright violating content removed from websites – the current mechanisms do work and do not need replacing by draconian and sweeping approaches that have been shown to fail in (repressive) countries that have implemented them.

And finally, these changes will eliminate the engine of innovation that is the Internet. Now some will not miss this, as their entrenched business models will continue. However, during this time of global economic stagnation, to kill one thing that could get us out of this is ludicrous.

Stop SOPA. It is as simple as that. Contact your representative today.

