Posts from August 2009.

GSM Encryption DOOMED! Your iPhone is DOOOOOOMED! Or not. Maybe.

While going through my backlog of RSS entries that have piled up over the past week, I came across this story from Byron Acohido (via Threatpost, which I highly recommend) who talks about the moral ambiguity of the release of tools that allow rainbow tables to be made for cracking the A5/1 GSM encryption cipher. First, let’s get this out of the way: Attacks like this against A5/1 have been around since at least October 2007. The big deal with these new tools is that they provide the basis for taking the computation time down from days or hours to seconds. These tools are rainbow table generators. They do not do any kind of sniffing or cracking, just a boatload of computations.

This aside, I find the story interesting for a number of reasons: First I like how the iPhone is specifically mentioned. Byron mentions that:

Hackers could go after sensitive information exchanged while using Web apps for phone banking and stock trading; or they could eavesdrop on sensitive conversations, discussion about medical histories, for instance.

Actually, in cases where you are on a 3G network, you’re safe from this attack on the data side, as 3G networks use the A5/3 cipher. The problem is that, at least in AT&T’s case, even if you are on a 3G network, any voice calls are routed over regular GSM channels, which use the faulty A5/1 cipher. I believe T-Mobile is in the same boat. Fixing this is rather simple from a technical standpoint: just flip the voice side over to 3G as well. Of course, we know that in real life it’s almost never that simple. Both carriers’ 3G networks are nowhere near the size of their GSM networks, and who knows what kind of capacity they have on the 3G side. However, the decision here is completely on the carrier: What do they value more, their customers’ security and privacy or their profit margin?

Plus, I think the larger question here is when did mobile phones become secure? I think any person with a background in Information Security or Radio that was around in the early 1990s either monitored cell phones or knew of someone that did. While the introduction of digital phones made monitoring more difficult for your simple geek, given a sizable sum of money, it is still possible. The creation of devices such as Cryptophone proves this. Even before these tools were released, there were attacks on GSM in the wild which are “active” attacks, such as spoofing cell towers and then telling the phone to go sans encryption.

Next, regarding the question of releasing these tools; Byron calls the release taking the “morally debatable high ground.” I think his logic is really flawed, and he shows why in his article:

As this timeline depicting the emergence of the Conficker worm shows, the bad guys pay big bucks to black hat researchers adept at finding vulnerabilities, which can be immediately exploited for profit — before anyone issues a patch.

And now grey hat researchers, like Moore and Nohl, build careers out of concocting campaigns to embarrass vendors under the banner of compelling vendors to resolve security flaws in popular products – usually highly profitable cash cows — in a timely manner.

It’s been shown that attackers pay large sums of money for attacks that aren’t patched, making a market for enterprising attackers with questionable morals to develop them. With the existence of this market, why are we assuming that the bad guys don’t have rainbow tables for A5/1 already computed and are actively recording calls from high value targets? It’s silly. Releasing these tools essentially destroys the already tattered blanket of ignorance people have been wrapping themselves up in since people started shouting that A5/1 was insecure and once again shows us that mobile phones are, by their very definition, insecure devices.

Is it an endpoint or is it a computer? Plain speaking or vagueness?

This article was just posted to my Twitter stream (Hat Tip: Chris Boyd). Graham Cluley from Sophos calls for people to stop using the word “endpoint” and replace it with “computer” as it confuses users. On its face, it makes sense. My wife would have no idea what I was talking about if I started bandying about “endpoints” in conversation instead of “computers”. I also completely agree that the term “endpoint” is incredibly overused by marketing departments. However, if we start trying to fit our nomenclature into simpler terms rather than continue to use our existing ones, are we hurting ourselves in the long term?

Allow me to babble about my childhood. I have always had a deep love of radios. My dad would have the police scanner on almost every evening and one of the channels he had crystaled in was “North Shore CMED.” For the 99.9% of you who have no idea what CMED was, it allowed ambulances to brief hospitals about inbound patients being delivered to their ER. For those of you familiar with the 1970s era TV Show Emergency, the radio traffic was similar to the calls between Squad 51 and Rampart. Now, what does this have to do with endpoints? Well, back when I first started listening, there would be patients that were involved in “car accidents”. Then, a few years later, “car accidents” started being replaced with “motor vehicle accident” or “MVA”. Makes sense, right? Person could be in a truck, bus, dune buggy, etc. Now, apparently, the new term is no longer “MVA”, it is now an “MVC” or “Motor Vehicle Collision”. That makes sense too, right? Person could have decided to ram someone off the road or is suicidal. These terms do a better job of encompassing all possible scenarios, despite most people possibly not understanding the difference between a “car accident” and a “motor vehicle collision”.

This reasoning is exactly why we use the term endpoint. While the public might not understand the difference between a “computer” and an “endpoint”, there are key differences between the two. For example: I currently have five endpoints on my desk, but only two computers; the other three are an embedded device, an IP phone, and my mobile phone. While all are endpoints and you could make the case that all five are indeed “computers”, they do not fit what the general public thinks a computer is. When you’re talking about endpoint security, you need to keep in mind that anything that is a destination for information is an endpoint and they all need to be protected. Yes, in 90% of the cases it is a computer, but this is rapidly changing. Language is a very powerful tool. By switching to “endpoints” instead of “computers” we as professionals are being more specific about what’s affected. If we say that computers are affected by a certain issue, do we mean only computers? Or do we mean computers along with other devices? As a side benefit, it’s also the first step to start convincing people that they need to start looking at any kind of device as something that needs to be secure.

While we’re not going to be changing any thinking overnight, nor are we going to enjoy answering the endless questions of “What’s an endpoint? Oh, you mean a computer…”, it’s one of those painful things that we’re going to need to do. Keeping ourselves to old definitions keeps us from talking about evolving threats accurately and that’s just a bad idea.

Goodnight Crash, Goodnight Burn

Goodbye Crash, Goodbye Burn. You have been faithful lab servers for the past two-plus years, but I must send you into that big Beowulf cluster in the sky. I still remember when you were the only two servers we had, jammed full of VMware images, utilities, and malware for analysis. But your age has finally caught up to you and your Pentium III processors and limited RAM are showing their age.

Good night you princes of the rack, you kings of the lab!

Replies and Mentions on Twitter

First off, let me thank Jeff, KE9V, for bringing this to the front burner in my mind. It’s been simmering in the back for a while but I’ve never sat down and written about it. Jeff shot me a message today telling me that I should write an entry about it as the “lead Twitter-Ham”. (Mental note: Get that on a business card.)

The problem is simple. On Twitter there are two ways to reference another twit: a reply and a mention. The difference is subtle, but it’s kind of important. First, if I start off my message with an @ and a username, it’s a reply. Twitiquette states that replies are usually used when addressing someone directly or replying to something they said via the reply feature on Twitter. For example:

@kd0bik Loved this week’s Practical Radio Amateur podcast!

A mention, on the other hand, is usually just a reference to someone inside a message, not a message directly to them, but something that they may wish to know about:

Received an interesting e-mail from @ke9v discussing Twitter replies versus mentions.

Now, why are replies and mentions important? By mentioning someone in a message, that message gets displayed on their replies page or, depending on if they’re using a 3rd party client, highlighted in some way. For example, I use twhirl, and when someone does a reply or mention, it alerts me with a different sound and it highlights the tweet.

Now, why are replies and mentions different? Simple. Twitter has certain rules when displaying replies for your followers. If I do a reply to @ke9v, it will only show up in the stream, aka that list of tweets on your homepage of Twitter, of people who follow @ke9v. If people aren’t following Jeff, it won’t show up. No big deal, right? Well, for the most part, yes. However, this has interesting implications. Consider the following tweets:

@ke9v @ka3ddr @kd0bik #followfriday

@kd0bik has a great podcast! Everyone interested in Ham Radio should listen to it!

What’s wrong with those? Normally, I would want both these messages to go out to everyone that follows me. However, because I prefixed it with a @ and a username, it will only show up to people who are already following that user. Whoops. However, these are both simple to fix:

#followfriday @ke9v @ka3ddr @kd0bik

Wow! @kd0bik has a great podcast! Everyone interested in Ham Radio should listen to it!

These are just two examples; however, it’s a good rule to be mindful of when tweeting: If you’re not replying to someone, you should try to stay away from starting your message with a @ and a username, otherwise it may not reach as many people as you want it to.

One week in: Life with a Palm Pre

Last week I made the jump from a T-Mobile MDA (aka a HTC Wizard) to a Palm Pre from Sprint. I loved my MDA and had been a loyal T-Mobile customer since 2003 (when I got my first SmartPhone, a Color SideKick); however, their selection of phones was quite lacking so I decided to jump ship. When asking around, everyone said “Apple iPhone” almost instantly and while I did give it a hard look, I tested a 3G last year for work and was decidedly unimpressed with its soft keyboard and battery life. With the iPhone out of the running I looked around, decided to suck it up and deal with Sprint, and went with a Palm Pre. Since in the course of my research I didn’t find a lot of “hands on” reviews besides the “It sucks!” or “It is amazing!” ones, I decided to toss out a somewhat independent review of the device overall.

Hardware: B-, Sleek, great size, and a nice form factor. However, the device can feel rather flimsy at times. I am afraid that the device will fall with the keyboard open and my Pre will do some kind of morbid Oreo Twist to itself. Also, when shut, the device has some give where the two halves meet. In addition to this, Palm: MicroUSB port? Come on. Doesn’t every geek have a ton of accessories for Mini USB connectors? Are we seeing the connector conspiracy rear its ugly head again? Finally, the little gasket over the connector is annoying to get off, which makes charging it annoying.

Battery Life: C+, I’m pleased how long it lasts, but considering my MDA could last about 2 days under fairly heavy use and how I can blow through about 1/5th my Pre battery in an hour under similar conditions? Not good. I think a car charger and a MicroUSB cable for USB charging are required accessories for any Pre user.

WebOS: A-, Wow. WebOS is nice. That’s not to say it doesn’t have some very rough spots: Want to have one notification sound for an SMS message and another for an e-Mail? Tough noogies. Navigate to a specific spot in a text field? We may be here for a while. However, all the rough spots can be buffed out in future updates. Overall, it’s zippy, the app store is filling up with goodies regularly, and the UI is great. Multitasking is awesome too, the lack of which is one of the things that turned me off about the iPhone. Overall, you can tell that WebOS is still a 1.X operating system, but with a little work by Palm it can easily take over the iPhone OS.

Network coverage: D, In a word: Bleh. THIS is the one drawback to the device: Sprint’s “Now” network. I think the “now” means that “You’ll be checking if you have coverage now.” I’ve heard mixed reports that it’s a Pre problem versus that it’s a Sprint problem, but I have seen it fluctuate between 1 and 5 bars in specific spots while staying stationary. I also seem to flip over to “roaming” (thankfully, free) at random spots, which means while I can still get voice, I can’t get a data connection. While T-Mobile was not without dead spots, I seemed to get better coverage with them. I’m hoping this is more of a problem with WebOS than Sprint as I can probably wait for Palm to work the kinks out of its transceiver rather than wait for Sprint to add additional cell sites.

Accessories: C, Come on, no holster? Just a stupid pouch? Geez. Also, the fact that the USB cable also doubles as the charging cable by plugging into the wall adapter? Lame. Palm, come on, give me two cables so I can keep one around in case I need to do an emergency charge off a USB port. It can’t be that expensive. As a side note, while I make no endorsement of it, the web store over at Treonauts seems to have lower prices for Pre accessories than Sprint.

Overall: B/B-, I am pleased and the Pre is a great device. I keep finding myself pleasantly surprised that it does something with ease that my old Windows Mobile device couldn’t (Like… say… delete e-mail messages from my mail server! Amazing!). That’s not to say that there aren’t some chinks in its armor, but I think it’s a worthy competitor to the iPhone. It’s still very much a 1st generation device and has the issues thereof; however, if you’re looking for an iPhone alternative, I’d recommend giving the Pre more than a casual look.