Posts Tagged security

First Look at the Blackphone

Full disclosure: I am good friends with Phil Zimmermann, co-founder of Silent Circle.  He and I worked together for many years to publish his ZRTP media security protocol as an RFC in the IETF standards body. I also helped him with his Zfone Project.  I’m also friends with Jon Callas, Travis Cross, and others at Silent Circle, who collaborated with Geeksphone to produce the Blackphone.

Blackphone Logo



After the Blackphone was announced back in February in Barcelona, I ordered one as soon as they started taking orders, and have pretty much just been killing time ever since then.  I even had a false-alarm delivery the other week when I was at the IETF conference in Toronto.  Another package with an address that had “Black” in it arrived, and I jumped to the conclusion that it was my Blackphone.  Instead, my Blackphone arrived the day I was in Chicago at ClueCon, on a Security Round Table panel with Phil and Travis.

Blackphone Box

Blackphone Accessories

My first impressions are quite positive: the packaging is good, the phone is nice to hold in the hand.  If anything, it feels lighter than I expected.  And it is black.  Included accessories are a USB cable, a charger with US and European plugs, and a headset.

Upon powering it up, you are prompted to create a PIN or password, then it prompts you to encrypt the phone, which takes about 10 minutes or so.

Blackphone Phone Encryption

I’ve been using Silent Circle for a while now on my iPhone, so I recognized the Silent Phone and Silent Text apps.  Silent Contacts was new to me, as were the other pre-installed security apps.

Blackphone Pre-Installed Apps

It took me a little while to get Silent Phone and Text working.  I had forgotten that I had to look up the Product Keys to get the Silent Circle Ronin code to activate the service and create my account.  The Silent Circle apps are similar to those on my iPhone although the user interface is inscrutable.  Why does it show one grey dot when I’m calling then switch to three green dots when I’m connected and ZRTP has been authenticated?  What does “Secure to server” mean?  Hopefully this is an easy fix to the UI to make it understandable.

Next, I need to try out SpiderOak and Disconnect.Me.  Also, I haven’t put a SIM in yet.  My friend James Body has given me a fantastic Truphone travel SIM that I really could have used last month during all my travels…

Look for a future post on these topics.  As always, questions & comments most welcome.


How to Communicate Securely over the Internet

Today, I published a new Internet-Draft on how to securely communicate over the Internet using a new web technology known as WebRTC and the ZRTP protocol.  Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in to their calls placed using a web browser.  There are already a number of commercial and open source products utilizing ZRTP, including Silent Circle, Jitsi, and others, but this new technique opens it up for all web users.

The WebRTC Book

For those of you not involved in the VoIP or video conferencing world, WebRTC, or Web Real-Time Communications, is a new standards effort to add real-time voice and video communications capabilities to web browsers.  This allows web developers to add voice and video communications with a few standard JavaScript calls.  All the pieces needed to communicate, including codecs and the ability to traverse NAT and firewalls, are built into the browser.  Today, WebRTC is available in the Chrome and Firefox browsers, and in Chrome for Android.  I’ve written a book on WebRTC if you want to learn more about it.

With WebRTC, all media flows are encrypted and authenticated using Secure RTP, or SRTP.  Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP, or Datagram Transport Layer Security for Secure Real-time Transport Protocol.  DTLS-SRTP authenticates the two endpoints only through the certificate fingerprints carried in the signaling exchange (the SDP offer and answer).  On its own it therefore does not protect against a Man-in-the-Middle (MitM) attack: anyone who can modify the signaling, such as the web server that relays it, can substitute fingerprints, terminate both DTLS handshakes, and decrypt and re-encrypt the media in each direction, which is how an eavesdropper listens in.  Today, the news is full of reasons why Internet users need such protection.  We now know the surveillance of Internet users is widespread.

The ZRTP security protocol, published as RFC 6189 back in 2011,  was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet.   ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.

However, ZRTP can still be used to provide MitM protection for WebRTC sessions established using DTLS-SRTP.  As described in the new Internet-Draft written by myself, Phil Zimmermann, Jon Callas, Travis Cross, and John Yoakum, ZRTP can be implemented in JavaScript and run in both browsers over the WebRTC data channel.  The ZRTP exchange is used to compare the DTLS-SRTP fingerprints used to establish the media flows.  If the fingerprints match, and the ZRTP exchange is authenticated by the users comparing the Short Authentication Strings (SAS) displayed on each browser, the WebRTC media sessions are free of MitM attackers.

Jitsi Short Authentication String

How does this work?  You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms, it is because ZRTP uses a Diffie-Hellman key exchange augmented with a hash commitment: the initiator sends a hash of its Diffie-Hellman public value before it sees the responder’s value, so neither party, and no attacker in the middle, can keep choosing values until the two sides’ SAS values happen to agree.  The SAS is derived from the shared secret and is displayed as either two words or four base-32 characters.  A MitM must run a separate key exchange with each side, which gives each side a different SAS, and the attacker’s only hope is that the two happen to match: one chance in 65,536 for the two-word form (16 bits) and about one in a million for the four-character form (20 bits).  If the users compare the SAS out loud and it matches, no eavesdropper is present on the media session.

We have documented this usage of ZRTP with WebRTC in the Internet-Draft document draft-johnston-webrtc-zrtp.  Hopefully soon there will be some open source ZRTP JavaScript libraries freely available for web developers.

Everyone needs privacy in their communication, and WebRTC with ZRTP finally provides a real solution to all Internet users.



ZRTP at WashU ACM Hackfest 2013

On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of the ACM (Association for Computing Machinery).

WashU ACM

A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.

I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.

Here is a PDF of my presentation.

Jitsi ZRTP SAS Comparison User Interface

Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.

Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.

We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day.  Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!

Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!

Counting from Zero Book


The Other Engineering: Social Engineering

Last night I was interviewed by Jasmine Huda on St. Louis KMOV-TV Channel 4 news about a scam used to steal information from PCs.  The attackers call random people and claim to be from Microsoft Technical Support.  They say they have received an error report from the victim’s computer and have found a problem that they will help fix over the phone.  Many PC users see those “send error report” dialog boxes after a crash, and often click to send the report.  Of course, the scammers did not see those reports – they go directly to Microsoft, which treats their content confidentially.  In addition, if you think about it, does your PC know your phone number?

This seems to be a recent report of this in Denver, Colorado, although you can find variants of this scam all over the world and over a few year period, such as this one in the UK.

This is an example of the other engineering – social engineering.  Social engineering is a confidence game of tricking someone into sharing their computer password or installing malware on their computer or visiting malicious websites.  Unfortunately, it is all too easy, especially if they have a small amount of information (or a lucky guess, such as that you recently clicked on a send error report message).

For a complete analysis of social engineering, I’d recommend Kevin Mitnick’s The Art of Deception.  Or, to read his incredible real-life account of how he used social engineering to take over telephone networks, try Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Everyone should be aware of social engineering and how to protect themselves from it.  The most important thing is to never give out information or access to your computer to someone who calls you, even if they sound legitimate.  If you think it really is Microsoft calling you, or your bank, or your credit card company, then ask for their case number, hang up, then look up the phone number of the business or bank and call them back at that number.  (Note that you can’t ask them for their phone number or call the number shown on Caller ID: you can’t trust that information either, since Caller ID is easily spoofed, and some attackers even have toll-free numbers.)

I do hope, however, that people don’t stop sending those error reports.  I’ve heard from my friends who are software developers that these reports are a goldmine for them in terms of fixing bugs and improving their software.


Stop SOPA Redux

Tomorrow is a world-wide day of protest against SOPA and PIPA, as they are being discussed in the United States Congress.  As I discussed last month, these bills must be stopped, or the Internet as we know it today will be no more.   To explain in technical terms, SOPA and PIPA are a Really Bad Idea.

My personal contribution will be to take down the site for my book, and replace it with a banner, courtesy of

If  you have a website and care about the future of the Internet, why not join in?  If you don’t but still want to participate, blog or microblog – tell your friends, family,  and acquaintances about this historic event.

We must stop SOPA and PIPA, and ensure that Chinese-style and Iranian-style Internet censorship does not happen in America.


Botnets and SIP Phones

I came across this article the other day thanks to my friend Olle, whose blog “VoIP Forum – Open Source and Open Standards in IP Communications” is often filled with interesting information about my industry.

Avaya SIP Phone

It is entitled “A Distributed Cracker for VoIP” and it is a real life example of how some of my interests are coming together.  The article mentions a botnet (short for a robot network – a collection of ‘zombie’ computers that have been taken over by someone), P2P (peer-to-peer) message routing, and VoIP (Voice over Internet Protocol – putting voice and phone calls over the Internet).  And BTW, “cracker” doesn’t refer to the food, it means a password cracker or breaker.

If you have read or heard about my new techno thriller Counting from Zero, all these topics will be familiar, as they all form part of the plot in the book!  The additional thing this article adds is a mention of SIP or Session Initiation Protocol, which really brings it all together for me!  For a hint why, check out my Author Page at Amazon…

My professional life over the past 13 years or so has revolved around SIP.  SIP is an Internet protocol – a way that computers establish voice, video, or other sessions over the Internet for communication.  It has been widely adopted in Voice over IP (VoIP) and also in video conferencing services.  Most telephone companies today are deploying Internet Protocol (IP) networks and running SIP over it to carry phone calls.  For the past 10 years or so, my home has never been without a “SIP Phone” on my desk.  A SIP Phone looks like a normal telephone, with a handset, a keypad, and a ringer, but instead of plugging into a telephone jack, it has an Ethernet jack and plugs into the Internet!  Wherever on the Internet I plug in the phone, it has my identity and I can place and receive phone calls.

Above is a picture of a SIP phone made by my employer, Avaya, which is used in corporate offices.  Many of you will recognize the Cisco phones that have become the staple telephone prop in television and movies – these phones are all VoIP phones, and many are also SIP phones.

The blog post “A Distributed Cracker for VoIP” is about a botnet with P2P routing that uses zombie computers to discover and attack SIP VoIP phones and systems (known as a PBX or Private Branch Exchange) by trying to guess the passwords.  And the results are sent back to a shadowy command and control center for the botnet.  I’m sure there will be more and more of this in the future.

Interesting how various interests can come together like this – something that happens a lot with the Internet.


My First Foray into Fiction

I started writing Counting from Zero about a year ago on a high speed train heading out of Tokyo – sound familiar?

The book was really born much earlier.  I had previously written four technical books and enjoyed the experience greatly.  But the subject matter, Session Initiation Protocol or SIP, was extremely narrow and technical, and so not of interest to very many people.  I had been thinking for a while about writing a book for a wider audience, and I was thinking along the lines of Internet security.  Then I got the idea of trying to incorporate some useful technical information into a work of fiction.

I had written various pieces of fiction over the years, but just for my family and friends.  (There are a few Star Trek fanfic stories out there that hopefully will never find their way to the Internet!)  Instead of thinking about the plot, I first thought about the characters.  This was a lot of fun!  Once I felt like I knew Mick, Kat, Lars, Gunter, and Liz, I started getting ideas about situations I wanted to put them in, and the plot began to take shape.  I re-read some of my favorite authors such as Jane Austen, Neal Stephenson, and Mark Twain for inspiration.  At the suggestion of my best friend from high school, Steve George, I added the Security and Other Lies blog chapter interludes.  The book slowly took shape.

I wrote most of the book while traveling: on airplanes, in hotel rooms, in airports, and on trains.  I have spent time in nearly every setting of the book.

Then, I reached that place of decision: what to do with the Counting from Zero manuscript once I had a draft complete.  Next time I’ll talk about how I became an eBook publisher.
