Posts Tagged hacking

ZRTP at WashU ACM Hackfest 2013

On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of the ACM (Association for Computing Machinery).

A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.

I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.

Here is a PDF of my presentation.

Jitsi ZRTP SAS Comparison User Interface

Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.

Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.

We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day. Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!

Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!

Counting from Zero Book


The Other Engineering: Social Engineering

Last night I was interviewed by Jasmine Huda on St. Louis KMOV-TV Channel 4 news about a scam used to steal information from PCs. The attackers are calling random people and claiming to be from Microsoft Technical Support. They say they received an error report from the victim's computer and have found a problem that they will help fix over the phone. Many PC users see those "send error report" dialog boxes after a crash, and often click to send the report. Of course, the scammers did not see those reports – they go directly to Microsoft, which treats their content confidentially. In addition, if you think about it, does your PC know your phone number?

This seems to be a recent report of this in Denver, Colorado, although you can find variants of this scam all over the world and over a few year period, such as this one in the UK.

This is an example of the other engineering – social engineering. Social engineering is a confidence game of tricking someone into sharing their computer password, installing malware on their computer, or visiting malicious websites. Unfortunately, it is all too easy, especially if the attacker has a small amount of information (or a lucky guess, such as that you recently clicked on a send error report message).

For a complete analysis of social engineering, I’d recommend Kevin Mitnick’s The Art of Deception. Or, to read his incredible real-life account of how he used social engineering to take over telephone networks, try Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Everyone should be aware of social engineering and how to protect themselves from it. The most important thing is to never give out information or access to your computer to someone who calls you, even if they sound legitimate. If you think it really is Microsoft calling you, or your bank, or your credit card company, then ask for their case number, hang up, then look up the phone number of the business or bank and call them back at that number. (Note that you can’t ask them for their phone number or call the number shown on Caller ID – you can’t trust that information either, and some attackers even have working toll-free numbers.)

I do hope, however, that people don’t stop sending those error reports. I’ve heard from my friends who are software developers that these reports are a goldmine for them in terms of fixing bugs and improving their software.


Cyber Cold War?

Next month, I’m excited to be giving a public lecture sponsored by The Tuesday Women’s Association (TWA) and the American Association of University Women (AAUW). It is part of their 2012 International Relations Lecture Series and is entitled Cyberspace: A New Cold War Front. It will be held on January 10, 2012 at 10:45am at the Ethical Society building at 9001 Clayton Rd., St. Louis, MO 63117.

I’m really looking forward to it. I’m used to lecturing at Washington University, giving industry tutorials, and making business and standards body presentations, but a public lecture like this is something different!

And this is a really interesting topic, too. I’ll be talking about Stuxnet, and other industrial cyber espionage. I’ll get to talk about the attacks on Google originating from China. I’ll talk about hacking as a weapon in various conflicts between Russia and former Soviet republics.

Of course, I’ll try to educate about computer and Internet security, drawing some examples from my technothriller cyber crime mystery Counting from Zero. While it is mainly about cyber crime for profit, the techniques and attacks are similar.

If you are in St Louis, it would be great to see you there. If not, maybe I’ll post a recording or at least my slides on this blog.


Smartphone Hacking

Alan B. Johnston interview on KMOV-TV on Smartphone Hacking

Last night I was interviewed on KMOV-TV Channel 4 in St. Louis about smartphone hacking. I was asked by Jasmine Huda to comment about an article in USA Today, “Hackers prey on smartphone use at work during holidays”, and about the general issue of smartphone hacking.

The USA Today article is primarily about users whose smartphone connects to both their corporate accounts and their personal accounts. The angle was that the smartphone becomes a new attack vector to penetrate corporate networks via the personal accounts on these devices. While this attack seems plausible in theory and will no doubt happen, it is hardly widespread today. I commented that smartphone hacking is definitely on the rise, with Android devices and their open ecosystem the most common target, while at the other end of the spectrum is the iPhone with its closed ecosystem and minimal hacking reported. However, there is still the potential for iPhone hacking, as demonstrated recently by Charlie Miller, who got his application accepted in the App Store despite having malware in it.

Jasmine Huda, KMOV-TV, story on Smartphone Hacking

Besides paying attention to what apps you run and what links you follow, you also need to pay attention to the physical security of your smartphone. With so much personal information stored in it, having a smartphone password protected is a must, as is the ability to remotely wipe the phone if lost. In my technothriller novel Counting from Zero, the main character Mick O’Malley temporarily loses possession of his smartphone. Being the overly paranoid type, he immediately discards the phone hardware, replaces it, then reinstalls all his information on it.

Today, a bigger concern than smartphone hacking is smartphone privacy, and the personal information that apps are routinely sharing without really informing the user, but this is a topic for another day.
