Monthly Archives: February 2011

Diminishing Returns in Cryptography

The invention of the Diffie-Hellman key exchange, the first public asymmetric-key cryptosystem, transformed information security in 1976, allowing ciphered communications without a secure initial key exchange and becoming the basic building block that enabled ecommerce on the Internet. In this video, Whitfield Diffie talks about his protocol and all the surrounding events the lead to the paper New Directions in Cryptography, conjointly written with Martin Hellman.

Unfortunately, there has never been another breakthrough like that one, even though the field of cryptography research has grown by multiple orders of magnitude since them. It seems that imaginative ways to restrict access to information that enable latent markets in information are very hard to come by. Even so, my bets are on the almost current practical schemes to perform Secure Multi-Party Computation, Zero-Knowledge Proofs, Fully Homomorphic Cryptography and Private Information Retrieval, with direct applications to finance.

Presentations about Smartphone Security

Leave a reply

A list of the best presentations about smartphone security all over the net:

Smartphone In(Security). Android/iPhone multi-platform shellcode.
Post Exploitation Bliss: Meterpreter for iPhone. iPhone shellcode development.
The Smart-Phones Nightmare. iPhone shellcode development.
ARM Exploitation ROPMAP. ROP automation for ARM.
Antid0te 2.0 — ASLR in iOS. Perfecting the ASLR protection of iOS.
Overcoming iOS Data Protection to Re-enable iPhone Forensic. A summary on iOS protections.
Targeting the iOS kernel. Advanced security-related debugging techniques.
iOS 6 Security. New iOS security features.
Evolution of iPhone Baseband and Unlocks.
iOS Kernel Heap Armageddon Revisited.
Popping Shell on A(ndroid)RM Devices. Android shellcode development.
Beating up on Android. Android exploit recap and development.
Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. SSL is hard for developers, mobile or not.
Hacking Android for fun & profit. In-depth view of the Android security system.
APK Infection on Android. Easy virii for Android install files.
Android Forensic Deep Dive.
Android Reverse Engineering Tools.
Bypassing the Android Permission Model.
Into the Droid: Gaining Access to Android User Data.
The Heavy Metal That Poisoned the Droid. Reduce the attack surface of Android applications.
Inside Apple’s MDM Black Box. Just an overview of Apple’s Mobile Device Management system.
These aren’t the permissions you’re looking for. Weak permissions on the Android file system and applications.
Exploiting Symbian. Symbian shellcode development.
iPhone Rootkit? There’s an App for That!. How to make iPhone rootkits from jailbreaks.
Secure Development in iOS. The point of view of a pentester.
Introducing the Smartphone Pentesting Framework. Very useful, albeit basic, set of pentesting tools.
This is not the droid you’re looking for. Android rootkit development.
iPhone Privacy. Handset data privacy and the SpyPhone app.
App Attack. Android/iPhone apps security analysis.
A Study of Android Application Security. Mass-scale Android app decompilation.
Reversing Android Apps. Good overview of tools for decompilation.
Windows Pwn 7 OEM – Owned Every Mobile? Always easy hacks on new OSes.
Windows Phone 7 Internals and Exploitability.
Detecting Mobile Phone Spy Tools. FlexiSpy and its spawn.
Mobile App Moolah: Profit taking with Mobile Malware. An overview of frequent malware.
Mobile Malware Madness and How to Cap the Mad Hatters. On behavioural detection of mobile malware.
Transparent Botnet Control for Smartphones over SMS. Basic Android botnet with SMS C&C.
Rise of the iBots: 0wning a telco network. Botnet architecture with SMS/P2P C&C.
Exploratory Android Surgery. Android Intent fuzzing and sniffing.
Blackbox Android. Breaking “Enterprise Class” Applications and Secure Containers.
Pwning a 4G Device for the Lulz. Multiple attack recombination.
Advanced Attacks Against PocketPC Phones. PocketPC MMS User Agent attack.
Analyzing Complex Systems: The Blackberry Case. General Blackberry security.
Smartphone Backdoors: An Analysis of Blackberry and Other Mobile Device Spyware. On the Blackberry TXSBBSpy backdoor.
Symbian Phone Security. General Symbian security.
Symbian Malware. Basics on Symbian malware.
Attacking NFC Mobile Phones. Simple DoS and authentication issues on S40 phones.
Hacking NFC and NDEF. Revisiting the previous slides.
NFC for Free Rides and Rooms. How to UltraReset the transit cards.
Binary Instrumentation Framework for Android. Binary instrumentation for NFC/RFID tag reading.
Intercepting GSM traffic. A5/1 cracking.
GSM — SRSLY?. More on A5/1 cracking and A5/3 cracking.
GPRS Intercept: Wardriving your country. Old attacks, not going fast.

Defending mobile phones. On the predictable padding of the GSM protocol.
Open source 4G radio. A WiMAX scanner in Matlab.
All Your Baseband Are Belong To Us. An exploration on remote baseband exploitation.
Vulnerabilities in Dual-mode/Wi-Fi phones. VoIP vulnerabilities.
Telecom Signaling Attacks on 3G and LTE networks. Advanced scanning in telco networks.
A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. GPRS/EDGE connection hijacking via a rogue base station attack.
GPRS Intercept: Wardriving your country.
An OpenBTS GSM Replication Jail for Mobile Malware. DIY network cell.
Attacking 3G and 4G mobile telecommunications networks. An exploration on network scanning 3G/4G networks.
Attacking GRX. Attacking The GPRS Roaming eXchange.
Playing with the GSM RF interface. Random Access Channel bursts (RACH) flooding.
Base Jumping. GSM DoS (RACH, IMSI Flood, IMSI Detach).
SIM Toolkit Attack. SIM-playing made easy.
The blackbox in your phone. An easier overview on the functionalities of the SIM.
Machine-to-machine (M2M) security. Easy attacks on common setups.
Fuzzing your GSM phone using OpenBSC and scapy. GSM protocol introduction with some details on how to fuzz the GSM stack (no particular attack is discussed).
Extending Scapy by a GSM Air Interface. Advanced toolkit for GSM DoS.
Fuzzing the Phone in Your Phone. Discovering DoS attacks and remote exploits with fuzzed SMSs on iPhone/Android/WinMo.
The Carmen-San Diego Project. Tricks of the trade to geolocate any mobile phone.
Locating Mobile Phones using Signalling System #7. A different way to explain mobile phone geolocation.
Android geolocation using GSM network. How to extract geolocation information from an Android smartphone.
Attacking SMS. It’s No Longer Your BFF. Mail2SMS and IM2SMS abuses.
Hijacking Mobile Data Connections. WAP-provisioning spoofing to hijack mobile connections.
Attacking Mobile Phone Messaging. MMS spoofing, fingerprinting and various attacks.
Random tales from a mobile phone hacker. On the MSISDN disclosure in HTTP headers by web proxies and other curiosities.
A Million Little Tracking Devices. Zoombak in-depth analysis.
Mobile and Contactless Payment Security. Introduction to protocols, formats and attacks.
Probing Mobile Operator Networks. What would you find by network scanning the mobile telcos?
Why Telcos Keep Getting Hacked. Interesting research on the history of telco security.
Satellite Telephony Security. Introduction to protocols and call interception.
Don’t Trust Satellite Phone — an Analysis of the GMR‑1 and GMR‑2 Standards. Not even satellite phones are safe!
Intelligent Bluetooth Fuzzing. The ignored but omnipresent protocol.
Femtocells: a Poisonous Needle in the Operator’s Hay Stack. Interceptions, injections and invading the operator network. Also Hacking Femtocell, Immature Femtocells and Security challenges for Femtocell communication architecture from the same author.
How many bricks does it take to crack a microcell?

Note: this post will be expanded in the future.

What I’ve Been Reading

Leave a reply

[amazon_link id=“1849681627” target=“_blank” ]Microsoft Forefront Unified Access Gateway 2010 Administrator’s Handbook[/amazon_link] and [amazon_link id=“0735626383” target=“_blank” ]Microsoft Forefront Threat Management Gateway Administrator’s Companion.[/amazon_link] Detailed tech-guides and reference books about two of the most all-encompassing security solutions. It’s good to know that Microsoft keeps on producing some great tools even if they aren’t going after a billion-dollar market.
[amazon_link id=“849280811X” target=“_blank” ]Oráculo Manual y Arte de Prudencia (Spanish Edition), Baltasar Gracián[/amazon_link]. An eternal collection of 300 commented aphorisms and maxims, distilled from his previous works, free from argumemtum ad verecundiam, ad antiquitatem & ex silentio. So great that its style inspired later works from Schopenhauer and Nietzsche.

The Making of Python

Leave a reply

The Python programming language, Guido van Rossum’s Magnum Opus, is the only surviving and successful programming language not backed by a company. Started in the late 1980s, the discipline of van Rossum was the major factor for its existence through the early years. Its popularity exploded with the 2.0 release, featuring garbage collection and a revamped development process using Sourceforge that provided a significant increase of write accesses to more people than were before allowed with CVS. In this video, we appreciate the deep impact of those decisions starting at 2:50.

Traitor Tracing: Theory vs Practice

Leave a reply

An efficient public key traitor tracing scheme

We construct a public key encryption scheme in which there is one public encryption key, and many private decryption keys. If a broadcaster encrypts once with the public key, then each legitimate receiver can decrypt with a different private key. If a coalition of receivers collude to create a new decryption key then there is an efficient algorithm to trace the new key to its creators. Hence, our system provides a simple and efficient solution to the “traitor tracing problem”. Our tracing algorithm is deterministic, and catches all active traitors while never accusing innocent users, although it is only partially “black box”. A minor modification to the scheme enables it to resist an adaptive chosen ciphertext attack. Our techniques apply error correcting codes to the discrete log representation problem.

The most cited traitor tracing crypto-scheme versus… the Black Sunday hack:

Among the countermeasures he says he created was one known among pirates as the “Black Sunday” kill — an elaborate scheme that destroyed tens of thousands of pirate DirecTV cards a week before Super Bowl Sunday in 2001.

Instead of being delivered all at once like other measures, the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field. “They never expected us to do this,” Tarnovsky says.

Why stop at tracing traitors when you can wipe them out? Very clever.

Adnostic: Privacy Preserving Targeted Advertising

Leave a reply

Online behavioral advertising (OBA) refers to the practice of tracking users across web sites in order to infer user interests and preferences. These interests and preferences are then used for selecting ads to present to the user. There is great concern that behavioral advertising in its present form infringes on user privacy. The resulting public debate — which includes consumer advocacy organizations, professional associations, and government agencies — is premised on the notion that OBA and privacy are inherently in conflict.

Adnostic is a practical architecture that enables targeting without compromising user privacy. Behavioral profiling and targeting in Adnostic takes place in the user’s browser. The ad network remains agnostic to the user’s interests.

Our technical paper discusses the effectiveness of the system as well as potential social engineering and web-based attacks on the architecture. One complication is billing; ad-networks must bill the correct advertiser without knowing which ad was displayed to the user. We describe a cryptographic billing system that directly solves the problem. We implemented the core targeting system as a Firefox extension and report on its effectiveness.

If only Google were to implement this crypto-scheme…

All-in Blind: Stop-Loss Considered Harmful

Leave a reply

In the investing world, stop-loss orders are the most used risk management device: so simple and intuitive that they confuse reason and common sense. But the hidden costs of stop-losses alter the shape of expected future return distributions, resulting in no inherent edge to be had in using neither stop-losses nor profit-taking stops, or any combination of them; and as volatility of the underlying asset’s returns is increased, the impact of stop-losses increase as well, generating higher portfolio volatility. Precisely, the opposite of what is intended: the perceived benefits of the stop-loss are largely balanced out by the hidden costs.

Note: Trading desks may profit from large quantities of sell orders from client’s stop-loss/profit-taking orders known in advance, so don’t expect them to disappear anytime soon.

Telco Market Distortions

Leave a reply

The FCC allowed small and rural telcos (local exchange carriers, LECs) in the USA to charge higher access fees to long distance and wireless companies (AT&T, Sprint, Verizon) to subsidize them, under the auspices of the Telecommunications Act of 1996. Abusing the prerogative, they partnered with conference call providers and providers of other shady services, giving birth to traffic pumping: generate high volume of incoming calls above typical rural usage to charge millions of dollars of fees to long distance and wireless companies and split the revenues with the service providers. Fast-forward to the present, technological advances and new business models are having a hard time to operate under this old set of rules, hampering new innovative services like Google Voice.

Every distortion introduced by regulators in the free market and the natural state of technology, however well-intended, sows the seeds of its own self-destruction.

Samsung: Advantages from Vertical Integration

Leave a reply

The mobile industry is not like the PC industry, populated by manufacturers that are just component assemblers of the various parts (memory, CPU, HD, …). In the mobile industry, the more vertical integrated mobile manufacturer is Samsung, a market leader in displays, memory and CPUs for mobile phones that also sells its quality components to other OEMs and ODMs (Apple To Buy Components Worth $7.8 Bln From Samsung Electronics This Year).

As shown in the graph above of a typical bill of materials of a mobile phone, those parts are the costlier and more important of a mobile phone: from this point of view, Samsung looks like a vertical mainframe manufacturer from the 60–70s, but with much of its software developed by an external provider (Android). So not only they have an obvious cost advantage on the low end of the smartphone market, they are also the leaders managing component droughts and bullwhip effects, which are very profit destroying in the mobile industry. Finally, note that the first reason Nokia has decided to go the Microsoft’s route is to differentiate enough from Samsung’s Android offerings, the second biggest mobile manufacturer after Nokia.

Addictive Number Theory

Leave a reply

Addictive Number Theory

In 1996, just after Springer-Verlag published my books Additive Number Theory: The Classical Bases [34] and Additive Number Theory: Inverse Problems and the Geometry of Sumsets [35], I went into my local Barnes and Noble superstore on Route 22 in Springfield, New Jersey, and looked for them on the shelves. Suburban bookstores do not usually stock technical mathematical books, and, of course, the books were not there. As an experiment, I asked if they could be ordered. The person at the information desk typed in the titles, and told me that his computer search reported that the books did not exist. However, when I gave him the ISBN numbers, he did find them in the Barnes and Noble database. The problem was that the book titles had been cataloged incorrectly. The data entry person had written Addictive Number Theory.

Automatic Exploit Generation

1 Reply

The automatic exploit generation challenge is given a program, automatically find vulnerabilities and generate exploits for them. In this paper we present AEG, the first end-to-end system for fully automatic exploit generation. We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect‑5.43 and htget‑0.93) are zero-day exploits against unknown vulnerabilities. Our contributions are: 1) we show how exploit generation for control flow hijack attacks can be modeled as a formal verification problem, 2) we propose preconditioned symbolic execution, a novel technique for targeting symbolic execution, 3) we present a general approach for generating working exploits once a bug is found, and 4) we build the first end-to-end system that automatically finds vulnerabilities and generates exploits that produce a shell.

The first step to automatically search for and exploit the most basic vulnerabilities is done, and incremental improvements will surely follow. While this won’t have a deep impact on the computer security industry, since it’s already full of people exploiting software for free, it will surely have a real impact on the programming world: right now, all coders not acquainted with secure code-writing skills should be fired. For more information, visit the following link: Automatic Exploit Generation.