What I’ve Been Reading

[amazon_link id=“0981678017” target=“_blank” ]The Busy Coder’s Guide to Advanced Android Development[/amazon_link]. Book for a quick start on Android development, full of examples and straight to the point, it’s also worth mentioning for their innovative Books-as-a-Subscription service (BaaS) that provides updates and new titles for $40 per year.
[amazon_link id=“0470697164” target=“_blank” ]LTE, The UMTS Long Term Evolution: From Theory to Practice[/amazon_link]. An extensive, comprehensive and in-depth tour-de-force on the LTE standard by some of the contributors of its standardization. An invaluable tool for anyone LTE-related, it will be the most authoritative source for the years to come: it has reminded me the [amazon_link id=“0201633469” target=“_blank” ]TCP/IP Illustrated series[/amazon_link] while reading it. The best: the parts describing the physical layer (OFDM and MIMO), the most innovative part of the standard and its real lifeblood. Every standard should have a book like this one written for it.
[amazon_link id=“1598220616” target=“_blank” ]The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System[/amazon_link]. In the last decade, there has been an explosion of computer security related books. From time a time, a title really stands up from the rest, and this must be it for 2009: Stuxnet developers should have read this one before coding their second-rate worm. Caveat: no source code available for download.

The ROI Fallacy in CompSec

The script is always the same: first, an estimation of the expected loss from an intrusion or attack is provided; then, a proposal of countermeasures that are some orders of magnitude cheaper that the expected loss is suggested; in conclusion, the solution being offered features such a high ROI that only a fool will discard it, so runs the argument. Repeat for every antivirus, IDS, firewall or whatever security product being sold.

This myth is based on a loaded use of language that equals the notion of expending on security with that of an investment, a misleading and self-serving broken framework of economics that isn’t taking into consideration other variables like opportunity and hidden costs. As in the parable of the broken window, disregarding the ideal world in which nothing gets broken and the resources could be better put into use for other much more productive purposes leads to very misguided conclusions. That is, security is not an investment, and insecure programs don’t carry debts.

Computer security is a tax.

Different operating systems carry different levels of taxes: desktop Window carry a higher level of computer security taxes due to malware. And programming languages also differ: the tax bracket for ColdFusion is higher than the one for C, which is higher than the one for Java/C#.

And since software vendors aren’t liable for their insecure products, they have no incentive to internalize the hidden costs of security breaches and transfer them to customers, who must spend resources to protect their real assets, like the taxes citizens pay to governments to provide for security services.

Perfecting the Dreaded Software Company Acquisition

Leave a reply

Microsoft, Google (Tracking Google’s Acquisitions), IBM and many others software company acquirers have colluded an empirical law that sets the fate of acquirees: their ex-post discount rate runs very high, at 80%.

Leaving out all-talent and all-users acquisitions, we hit upon the dreaded code rewrite, which is always a disaster waiting to happen: since developers, always running away from legacy code and its technical debt in the search of the promised land of unbuggy software, throw themselves into the abyss of the unknown taking advantage of the recently shaken power structure.

Fortunately, a well-conceived Memorandum of Understanding benefitting from the accumulated wisdom of corporate and software archeology should solve this issue including the following rules:

1. New functionality should be written using the new tools, languages and software platforms of the acquirer (under the assumption that these new tools will improve the scalability, availability, costs or any other metrics)
2. A new API encapsulating and exposing functionality between languages and platforms should be preferred (Façade, Front-Controller patterns)
3. Legacy code should not be rewritten, except when:
  1. The benefits, measured by the KPIs of the business, are quantifiably higher than the cost of the rewrite itself, on a module-by-module basis
  2. In case of doubt, it’s the acquirer the one having to rewrite the acquiree code, not the other way around

iPhone Decompilation & Obfuscation

Leave a reply

The tools to decompile iPhone apps are quite well-known:

Otx, an advanced disassembler based on otool
class_dump_z, an updated version of the old class-dump for the iPhoneOS, to extract Objective‑C class interfaces
Hex-Rays, the most advanced decompiler ever, also supports ARM binaries (based on Datarescue’s IDA Pro)

Unfortunately, there’s no easy way to obfuscate iPhone apps, even if the iPhone is 4 years old. The easiest approach would be to take advantage of the LLVM source-to-source feature to recompile the mobile apps to an intermediate high level-language and transform the source code using a specialized tool like TXL to modify the control flow before generating the final binaries. Delving into the LLVM route, it would be ideal for using more sophisticated obfuscation techniques to bring the superb DynInst into play, but it doesn’t support the ARM instruction set. As a final point, there is a commercial tool to obfuscate Objective‑C, Morpher, although there are not outside reviews about its value.

Baumol’s Cost Disease in Computer Security

Leave a reply

The most creative parts of computer security are undecidable or NP-hard problems, a fact that creates a big divide in the computer security field: on the one hand, bug finding, exploit writing, secure code auditing and cryptographic protocol design are the most difficult tasks in the field to apprehend and resolve; but on the other hand, the pentesting process is largely better left to be done by software than by humans. The key insight is that no capital-labor substitution will ever take place in the first kind of activities, therefore productivity gains will never be achieved on them no matter what amount of innovation will ever be carried out in the next decades: that is, the same man-hours will be needed to produce the same amount of work in the future, if not more so, taking into account the exponentially rising number of computer systems and software components and their interactions.

And that is the depiction of the archetypal setting in which Baumol’s Cost Disease arises: tasks with no labor productivity improvements for decades, but with raising labor costs nonetheless, to keep up with the rising salaries in other jobs which did experience such labor productivity growth. The side effect of the disease, which makes it so nefarious to the computer security field, is that the best talent is lost to other tasks in this process of constant readjustment.

Diminishing Returns in Cryptography

Leave a reply

The invention of the Diffie-Hellman key exchange, the first public asymmetric-key cryptosystem, transformed information security in 1976, allowing ciphered communications without a secure initial key exchange and becoming the basic building block that enabled ecommerce on the Internet. In this video, Whitfield Diffie talks about his protocol and all the surrounding events the lead to the paper New Directions in Cryptography, conjointly written with Martin Hellman.

Unfortunately, there has never been another breakthrough like that one, even though the field of cryptography research has grown by multiple orders of magnitude since them. It seems that imaginative ways to restrict access to information that enable latent markets in information are very hard to come by. Even so, my bets are on the almost current practical schemes to perform Secure Multi-Party Computation, Zero-Knowledge Proofs, Fully Homomorphic Cryptography and Private Information Retrieval, with direct applications to finance.

Presentations about Smartphone Security

Leave a reply

A list of the best presentations about smartphone security all over the net:

Smartphone In(Security). Android/iPhone multi-platform shellcode.
Post Exploitation Bliss: Meterpreter for iPhone. iPhone shellcode development.
The Smart-Phones Nightmare. iPhone shellcode development.
ARM Exploitation ROPMAP. ROP automation for ARM.
Antid0te 2.0 — ASLR in iOS. Perfecting the ASLR protection of iOS.
Overcoming iOS Data Protection to Re-enable iPhone Forensic. A summary on iOS protections.
Targeting the iOS kernel. Advanced security-related debugging techniques.
iOS 6 Security. New iOS security features.
Evolution of iPhone Baseband and Unlocks.
iOS Kernel Heap Armageddon Revisited.
Popping Shell on A(ndroid)RM Devices. Android shellcode development.
Beating up on Android. Android exploit recap and development.
Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. SSL is hard for developers, mobile or not.
Hacking Android for fun & profit. In-depth view of the Android security system.
APK Infection on Android. Easy virii for Android install files.
Android Forensic Deep Dive.
Android Reverse Engineering Tools.
Bypassing the Android Permission Model.
Into the Droid: Gaining Access to Android User Data.
The Heavy Metal That Poisoned the Droid. Reduce the attack surface of Android applications.
Inside Apple’s MDM Black Box. Just an overview of Apple’s Mobile Device Management system.
These aren’t the permissions you’re looking for. Weak permissions on the Android file system and applications.
Exploiting Symbian. Symbian shellcode development.
iPhone Rootkit? There’s an App for That!. How to make iPhone rootkits from jailbreaks.
Secure Development in iOS. The point of view of a pentester.
Introducing the Smartphone Pentesting Framework. Very useful, albeit basic, set of pentesting tools.
This is not the droid you’re looking for. Android rootkit development.
iPhone Privacy. Handset data privacy and the SpyPhone app.
App Attack. Android/iPhone apps security analysis.
A Study of Android Application Security. Mass-scale Android app decompilation.
Reversing Android Apps. Good overview of tools for decompilation.
Windows Pwn 7 OEM – Owned Every Mobile? Always easy hacks on new OSes.
Windows Phone 7 Internals and Exploitability.
Detecting Mobile Phone Spy Tools. FlexiSpy and its spawn.
Mobile App Moolah: Profit taking with Mobile Malware. An overview of frequent malware.
Mobile Malware Madness and How to Cap the Mad Hatters. On behavioural detection of mobile malware.
Transparent Botnet Control for Smartphones over SMS. Basic Android botnet with SMS C&C.
Rise of the iBots: 0wning a telco network. Botnet architecture with SMS/P2P C&C.
Exploratory Android Surgery. Android Intent fuzzing and sniffing.
Blackbox Android. Breaking “Enterprise Class” Applications and Secure Containers.
Pwning a 4G Device for the Lulz. Multiple attack recombination.
Advanced Attacks Against PocketPC Phones. PocketPC MMS User Agent attack.
Analyzing Complex Systems: The Blackberry Case. General Blackberry security.
Smartphone Backdoors: An Analysis of Blackberry and Other Mobile Device Spyware. On the Blackberry TXSBBSpy backdoor.
Symbian Phone Security. General Symbian security.
Symbian Malware. Basics on Symbian malware.
Attacking NFC Mobile Phones. Simple DoS and authentication issues on S40 phones.
Hacking NFC and NDEF. Revisiting the previous slides.
NFC for Free Rides and Rooms. How to UltraReset the transit cards.
Binary Instrumentation Framework for Android. Binary instrumentation for NFC/RFID tag reading.
Intercepting GSM traffic. A5/1 cracking.
GSM — SRSLY?. More on A5/1 cracking and A5/3 cracking.
GPRS Intercept: Wardriving your country. Old attacks, not going fast.

Defending mobile phones. On the predictable padding of the GSM protocol.
Open source 4G radio. A WiMAX scanner in Matlab.
All Your Baseband Are Belong To Us. An exploration on remote baseband exploitation.
Vulnerabilities in Dual-mode/Wi-Fi phones. VoIP vulnerabilities.
Telecom Signaling Attacks on 3G and LTE networks. Advanced scanning in telco networks.
A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. GPRS/EDGE connection hijacking via a rogue base station attack.
GPRS Intercept: Wardriving your country.
An OpenBTS GSM Replication Jail for Mobile Malware. DIY network cell.
Attacking 3G and 4G mobile telecommunications networks. An exploration on network scanning 3G/4G networks.
Attacking GRX. Attacking The GPRS Roaming eXchange.
Playing with the GSM RF interface. Random Access Channel bursts (RACH) flooding.
Base Jumping. GSM DoS (RACH, IMSI Flood, IMSI Detach).
SIM Toolkit Attack. SIM-playing made easy.
The blackbox in your phone. An easier overview on the functionalities of the SIM.
Machine-to-machine (M2M) security. Easy attacks on common setups.
Fuzzing your GSM phone using OpenBSC and scapy. GSM protocol introduction with some details on how to fuzz the GSM stack (no particular attack is discussed).
Extending Scapy by a GSM Air Interface. Advanced toolkit for GSM DoS.
Fuzzing the Phone in Your Phone. Discovering DoS attacks and remote exploits with fuzzed SMSs on iPhone/Android/WinMo.
The Carmen-San Diego Project. Tricks of the trade to geolocate any mobile phone.
Locating Mobile Phones using Signalling System #7. A different way to explain mobile phone geolocation.
Android geolocation using GSM network. How to extract geolocation information from an Android smartphone.
Attacking SMS. It’s No Longer Your BFF. Mail2SMS and IM2SMS abuses.
Hijacking Mobile Data Connections. WAP-provisioning spoofing to hijack mobile connections.
Attacking Mobile Phone Messaging. MMS spoofing, fingerprinting and various attacks.
Random tales from a mobile phone hacker. On the MSISDN disclosure in HTTP headers by web proxies and other curiosities.
A Million Little Tracking Devices. Zoombak in-depth analysis.
Mobile and Contactless Payment Security. Introduction to protocols, formats and attacks.
Probing Mobile Operator Networks. What would you find by network scanning the mobile telcos?
Why Telcos Keep Getting Hacked. Interesting research on the history of telco security.
Satellite Telephony Security. Introduction to protocols and call interception.
Don’t Trust Satellite Phone — an Analysis of the GMR‑1 and GMR‑2 Standards. Not even satellite phones are safe!
Intelligent Bluetooth Fuzzing. The ignored but omnipresent protocol.
Femtocells: a Poisonous Needle in the Operator’s Hay Stack. Interceptions, injections and invading the operator network. Also Hacking Femtocell, Immature Femtocells and Security challenges for Femtocell communication architecture from the same author.
How many bricks does it take to crack a microcell?

Note: this post will be expanded in the future.

What I’ve Been Reading

Leave a reply

[amazon_link id=“1849681627” target=“_blank” ]Microsoft Forefront Unified Access Gateway 2010 Administrator’s Handbook[/amazon_link] and [amazon_link id=“0735626383” target=“_blank” ]Microsoft Forefront Threat Management Gateway Administrator’s Companion.[/amazon_link] Detailed tech-guides and reference books about two of the most all-encompassing security solutions. It’s good to know that Microsoft keeps on producing some great tools even if they aren’t going after a billion-dollar market.
[amazon_link id=“849280811X” target=“_blank” ]Oráculo Manual y Arte de Prudencia (Spanish Edition), Baltasar Gracián[/amazon_link]. An eternal collection of 300 commented aphorisms and maxims, distilled from his previous works, free from argumemtum ad verecundiam, ad antiquitatem & ex silentio. So great that its style inspired later works from Schopenhauer and Nietzsche.

The Making of Python

Leave a reply

The Python programming language, Guido van Rossum’s Magnum Opus, is the only surviving and successful programming language not backed by a company. Started in the late 1980s, the discipline of van Rossum was the major factor for its existence through the early years. Its popularity exploded with the 2.0 release, featuring garbage collection and a revamped development process using Sourceforge that provided a significant increase of write accesses to more people than were before allowed with CVS. In this video, we appreciate the deep impact of those decisions starting at 2:50.

Traitor Tracing: Theory vs Practice

Leave a reply

An efficient public key traitor tracing scheme

We construct a public key encryption scheme in which there is one public encryption key, and many private decryption keys. If a broadcaster encrypts once with the public key, then each legitimate receiver can decrypt with a different private key. If a coalition of receivers collude to create a new decryption key then there is an efficient algorithm to trace the new key to its creators. Hence, our system provides a simple and efficient solution to the “traitor tracing problem”. Our tracing algorithm is deterministic, and catches all active traitors while never accusing innocent users, although it is only partially “black box”. A minor modification to the scheme enables it to resist an adaptive chosen ciphertext attack. Our techniques apply error correcting codes to the discrete log representation problem.

The most cited traitor tracing crypto-scheme versus… the Black Sunday hack:

Among the countermeasures he says he created was one known among pirates as the “Black Sunday” kill — an elaborate scheme that destroyed tens of thousands of pirate DirecTV cards a week before Super Bowl Sunday in 2001.

Instead of being delivered all at once like other measures, the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field. “They never expected us to do this,” Tarnovsky says.

Why stop at tracing traitors when you can wipe them out? Very clever.

Adnostic: Privacy Preserving Targeted Advertising

Leave a reply

Online behavioral advertising (OBA) refers to the practice of tracking users across web sites in order to infer user interests and preferences. These interests and preferences are then used for selecting ads to present to the user. There is great concern that behavioral advertising in its present form infringes on user privacy. The resulting public debate — which includes consumer advocacy organizations, professional associations, and government agencies — is premised on the notion that OBA and privacy are inherently in conflict.

Adnostic is a practical architecture that enables targeting without compromising user privacy. Behavioral profiling and targeting in Adnostic takes place in the user’s browser. The ad network remains agnostic to the user’s interests.

Our technical paper discusses the effectiveness of the system as well as potential social engineering and web-based attacks on the architecture. One complication is billing; ad-networks must bill the correct advertiser without knowing which ad was displayed to the user. We describe a cryptographic billing system that directly solves the problem. We implemented the core targeting system as a Firefox extension and report on its effectiveness.

If only Google were to implement this crypto-scheme…