Posts Tagged security
Full disclosure: I am good friends with Phil Zimmermann, co-founder of Silent Circle. He and I worked together for many years to publish his ZRTP media security protocol as an RFC in the IETF standards body. I also helped him with his Zfone Project. I’m also friends with Jon Callas, Travis Cross, and others at Silent Circle, who collaborated with Geeksphone to produce the Blackphone.
After the Blackphone was announced back in February in Barcelona, I ordered one as soon as they started taking orders, and have pretty much just been killing time ever since then. I even had a false alarm delivery the other week when I was at the IETF conference in Toronto. Another package with an address that had “Black” in it arrived, and I jumped to the conclusion that it was my Blackphone. Instead, my Blackphone arrived the day I was in Chicago at ClueCon, on a Security Round Table panel with Phil and Travis.
My first impressions are quite positive: the packaging is good, the phone is nice to hold in the hand. If anything, it feels lighter than I expected. And it is black. Included accessories are USB cable, charger with US and European plugs, and a headset.
I’ve been using Silent Circle for a while now on my iPhone, so I recognized the Silent Phone and Silent Text apps. Silent Contacts was new to me, as were the other pre-installed security apps.
It took me a little while to get Silent Phone and Text working. I had forgotten that I had to look up the Product Keys to get the Silent Circle Ronin code to activate the service and create my account. The Silent Circle apps are similar to those on my iPhone although the user interface is inscrutable. Why does it show one grey dot when I’m calling then switch to three green dots when I’m connected and ZRTP has been authenticated? What does “Secure to server” mean? Hopefully this is an easy fix to the UI to make it understandable.
Next, I need to try out SpiderOak and Disconnect.Me. Also, I haven’t put a SIM in yet. My friend James Body has given me a fantastic Truphone travel SIM that I really could have used last month during all my travels…
Look for a future post on these topics. As always, questions & comments most welcome.
Today, I published a new Internet-Draft on how to securely communicate over the Internet using a new web technology known as WebRTC and the ZRTP protocol. Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in to their calls placed using a web browser. There are already a number of commercial and open source products utilizing ZRTP, including Silent Circle, Jitsi, and others, but this new technique opens it up for all web users.
With WebRTC, all media flows are encrypted and authenticated using Secure RTP or SRTP. Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP or Datagram Transport Layer Security for Secure Real-time Transport Protocol. DTLS-SRTP on its own does not provide protection against Man-in-the-Middle (MitM) attacks, also known as eavesdropping attacks. Today, the news is full of reasons why Internet users need such protection. We now know the surveillance of Internet users is widespread.
The ZRTP security protocol, published as RFC 6189 back in 2011, was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet. ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.
How does this work? You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms, it is because ZRTP uses a technique known as a Diffie-Hellman key exchange augmented with a hash commitment. This allows the SAS, which can be two words or four hex digits, to prove that a media session has no eavesdroppers present.
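As an added example (not from the original post or from any ZRTP implementation), here is a toy Python simulation of the mechanism just described: a Diffie-Hellman exchange in which the initiator commits to a hash of its public value before the responder reveals its own, and a four-hex-digit SAS derived from the resulting secret. Without a MitM both sides derive the same SAS; with an attacker terminating two separate exchanges they do not, which is exactly what comparing the SAS detects. The DH parameters, the commitment and the SAS derivation are simplified stand-ins for what RFC 6189 specifies.

```python
import hashlib
import secrets

# Constructed toy DH parameters for illustration only; real ZRTP uses the groups
# listed in RFC 6189, commits to a hash of the whole DHPart2 message, and derives
# the SAS from s0 through a KDF. The ordering argument below is the same.
P = (1 << 127) - 1   # Mersenne prime 2^127 - 1
G = 3

def keygen(priv=None):
    """Return (private, public) DH values; a fixed priv gives repeatable runs."""
    priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def commit(pub):
    """Hash commitment the initiator sends before seeing the responder's value."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def commit_ok(commitment, pub):
    """Responder's check once the initiator's public value finally arrives."""
    return commitment == commit(pub)

def shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

def sas(secret):
    """Four hex digits the two users read aloud and compare."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()[:4]

def session(a_priv, b_priv, m_priv=None):
    """Run one exchange and return (initiator_secret, responder_secret).
    With no MitM both sides hold the same secret, so their SAS match.
    If m_priv is given, an attacker terminates two separate exchanges and
    the two sides end up with different secrets, so their SAS differ."""
    a_priv, a_pub = keygen(a_priv)
    b_priv, b_pub = keygen(b_priv)
    if m_priv is None:
        c = commit(a_pub)                   # sent first, while a_pub is withheld
        if not commit_ok(c, a_pub):         # verified once a_pub is revealed
            raise ValueError("commitment mismatch")
        return shared(a_priv, b_pub), shared(b_priv, a_pub)
    m_priv, m_pub = keygen(m_priv)
    # The attacker cannot swap in a fresh value after seeing b_pub without failing commit_ok.
    return shared(a_priv, m_pub), shared(b_priv, m_pub)
```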
Everyone needs privacy in their communication, and WebRTC with ZRTP finally provides a real solution to all Internet users.
On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of the ACM (Association for Computing Machinery).
A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.
I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.
Here is a PDF of my presentation.
Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi, answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.
Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.
We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day. Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!
Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!
Tomorrow is a world-wide day of protest against SOPA and PIPA, as they are being discussed in the United States Congress. As I discussed last month, these bills must be stopped, or the Internet as we know it today will be no more. To explain in technical terms, SOPA and PIPA are a Really Bad Idea.
If you have a website and care about the future of the Internet, why not join in? If you don’t but still want to participate, blog or microblog – tell your friends, family, and acquaintances about this historic event.
We must stop SOPA and PIPA, and ensure that Chinese-style and Iranian-style Internet censorship does not happen in America.
I came across this article the other day thanks to my friend Olle, whose blog “VoIP Forum – Open Source and Open Standards in IP Communications” is often filled with interesting information about my industry.
It is entitled “A Distributed Cracker for VoIP” and it is a real-life example of how some of my interests are coming together. The article mentions a botnet (short for a robot network – a collection of ‘zombie’ computers that have been taken over by someone), P2P (peer-to-peer) message routing, and VoIP (Voice over Internet Protocol – putting voice and phone calls over the Internet). And BTW, “cracker” doesn’t refer to the food; it means a password cracker or breaker.
If you have read or heard about my new techno thriller Counting from Zero, all these topics will be familiar, as they all form part of the plot in the book! The additional thing this article adds is a mention of SIP or Session Initiation Protocol, which really brings it all together for me! For a hint why, check out my Author Page at Amazon…
My professional life over the past 13 years or so has revolved around SIP. SIP is an Internet protocol – a way that computers establish voice, video, or other sessions over the Internet for communication. It has been widely adopted in Voice over IP (VoIP) and also in video conferencing services. Most telephone companies today are deploying Internet Protocol (IP) networks and running SIP over it to carry phone calls. For the past 10 years or so, my home has never been without a “SIP Phone” on my desk. A SIP Phone looks like a normal telephone, with a handset, a keypad, and a ringer, but instead of plugging into a telephone jack, it has an Ethernet jack and plugs into the Internet! Wherever on the Internet I plug in the phone, it has my identity and I can place and receive phone calls.
Above is a picture of a SIP phone made by my employer, Avaya, which is used in corporate offices. Many of you will recognize the Cisco phones that have become the staple telephone prop in television and movies – these phones are all VoIP phones, and many are also SIP phones.
The blog post “A Distributed Cracker for VoIP” is about a botnet with P2P routing that uses zombie computers to discover and attack SIP VoIP phones and systems (known as a PBX or Private Branch Exchange) by trying to guess the passwords. And the results are sent back to a shadowy command and control center for the botnet. I’m sure there will be more and more of this in the future.
Interesting how various interests can come together like this – something that happens a lot with the Internet.
I started writing Counting from Zero about a year ago on a high speed train heading out of Tokyo – sound familiar?
The book was really born much earlier. I had previously written four technical books and enjoyed the experience greatly. But the subject matter, Session Initiation Protocol or SIP, was extremely narrow and technical, and so not of interest to very many people. I had been thinking for a while about writing a book for a wider audience, and I was thinking along the lines of Internet security. Then I got the idea of trying to incorporate some useful technical information into a work of fiction.
I had written various pieces of fiction over the years, but just for my family and friends. (There are a few Star Trek fanfic stories out there that hopefully will never find their way to the Internet!) Instead of thinking about the plot, I first thought about the characters. This was a lot of fun! Once I felt like I knew Mick, Kat, Lars, Gunter, and Liz, I started getting ideas about situations I wanted to put them in, and the plot began to take shape. I re-read some of my favorite authors such as Jane Austen, Neal Stephenson, and Mark Twain for inspiration. At the suggestion of my best friend from high school, Steve George, I added the Security and Other Lies blog chapter interludes. The book slowly took shape.
I wrote most of the book while traveling: on airplanes, in hotel rooms, in airports, and on trains. I have spent time in nearly every setting of the book.
Then, I reached that place of decision: what to do with the Counting from Zero manuscript once I had a draft complete. Next time I’ll talk about how I became an eBook publisher.