Secure Voice and Texting

I just read about tow new apps that run on Android to secure your cell phone communications. They are Red Phone and Text Secure. You will be able to view the source code for these apps. It is limited to the Android platform, and for calls in the USA only.

Red Phone is an end to end encryption solution for voice calls. It uses ZRTP encryption developed by the dude who brought you PKZIP. This is a VOIP implementation. So the calls do not use up your cell phone minutes. Instead you communicate over Wifi or 3G. It uses SMS to initiate the calls.

Text Secure uses the Off The Record protocol. All messages are stored in an encrypted database on your phone. Messages are compressed and sent via SMS. This technology is based on the NSA Suite B standard. That is the same one used for Top Secret government communications. So you know it is secure.

High Performance Graphic Card Computing

There is a hot trend out there to get high performance from your code. Run it on your graphics card hardware. Nvidia has released their CUDA architecture which let's you do this easily. You write your code in the C programming language, along with some extensions provided by Nvidia.

You need a GeForce style card to use CUDA. The card itself has a number of multiprocessor. Each multiprocessor has a bunch of cores on it. The cores handle different threads executing in parallel. This can give you 10 times the performance of your normal CPU.

Nvidia distributes both a toolkit and software development kit for the Linux platform. You also need the gcc compiler. CUDA comes with a cudart runtime. You set up what CUDA calls kernels that run in separate threads on different cores. You use the local multiprocessor memory which is faster than your main system memory.

You probably already have sunk some cash on a nice video card. If you had chosen the Nvidia card and run Linux, you can take advantage of some very high performance GPU programming.

Penetration Testers

Once you think your systems are locked down, you should probably get somebody to try to break in. Normally you imagine hackers from the outside breaking in. However the truth is that the intruder may be somebody on the inside. Or an attacker can have some help from somebody on the inside. So your security tests need to take this into account.

You are going to want the guys who disguise themselves and try to physically gain entry to your systems doing your tests. I read a funny story the other day. A guy left a bunch of USB flash drives around. More than half of them were picked up people and used. They got a surprise when the guy's software automatically ran on their machines. People are just not too careful.

Just like you have internal software test teams, you could also have an internal penetration tests team. These guys are called the Red Team. But it is best to use somebody from the outside. Just make sure you are not hiring a criminal, even if they are "reformed".

Frame Busting

I read a detailed paper on how popular web sites perform frame busting. There are web site attacks like clickjacking where the site uses frames to trick users. The attack goes like this. The site uses a frame to make you think that you are running on the real web site. Instead you are seeing the real web site, but are on the hacker's frame. Web sites try to prevent this by detecting whether you are on their site, or in an unscrupulous frame.

The frame busting technique is normally some extra JavaScript on the real site to detect the frame problem. This technique is not normally used on every single page on a web site. It is seen on login screens. Hackers are trying to bypass the frame busting techniques. For example, when they enclose their site in double frames, the prevention sometimes fails. So how can you combat such frame hacks on the Internet?

Your code can check the domain name. But that can be tricked away as well. You can play some tricks with some overlay HTML elements. However those are not fool proof either. What you really need is some support from the browser. IE8 has defenses against clickjacking. So does Mozilla. But you have to employ these defenses in your code. You also have to have users with the right browsers to take advantage of it. The paper I read recommended that you do some HTML hacks of your own to hide content if your pages are found to be framed.

Hackers Wanted

Word on the street is that the documentary "Hackers Wanted" has been leaked onto the Pirate Bay. This documentary features people such as Woz (cofounder Apple Corp), Kevin Rose (founder of Digg), and Adrian Lamo. More on Adrian later. The documentary is narrated by actor Kevin Spacey.

In case you do not know, the Pirate Bay (also know as TPB), is a web site hosted in Sweden. It is a big bit torrent site. You got to register to access the porn on it. They run Linux, Lighttpd, PHP, and MySQL to provide the site. It seems to always be in the news for controversy. The place got raided by police back in '06. And last year they got taken to court. The site is supported by ads.

The most interesting part of the documentary seems to be the coverage on Adrian Lamo. To tell the truth, I had not heard of him before this documentary. This guy used to be a grey hat hacker. He hacked big corporations, identifying security holes for free. They called him the Homeless Hacker because he roamed around. His is most known for hacking into the New York Times, adding himself as an expert source in their database. They prosecuted him for that, and he got 6 months confinement, 2 years probation, and a heft $65k fine. The dude has since gone on to college, and is now a journalist.

I will leave with a funny story about Adrian Lamo. They wanted him on the NBC Nightly News. He was asked to demonstrate his skills. So he proceeded to quickly hack the NBC Network, upon which he was escorted out the building. LMAO.

The Demo Scene

Have you ever seen those cool videos produced by computers? Well then you have experienced the demo scene. It is a type of culture where people with computers produce audio visual presentations.

The demos usually integrate a soundtrack with the graphics. They demos vary in length. However five minutes is very common. An important requirement is that the demo must run in real time on the computer. That is, you cannot preprocess the graphics, and later speed them up for presentation.

Demos are usually released as part of competitions. This happens mostly in Europe, where the demo scene is big. Many of the demos are produced by groups or crews. Personally I have been wowed by the demo scene products which are small in size. By small I mean the program that generates the demo has a very small memory footprint. I am talking as low as 256 bytes here. To put that in perspective, this blog post is probably more than 256 byes. LOL.

LifeLock CEO Ownage

Have you seen the advertisements for LifeLock? They are an identity theft protection company. Their ads have the social security number of COE Todd Davis prominently displayed. The idea is that he uses their service, and is so confident about the service that he can publicly release his SSN.

There is just one snag with this theory. Thieves are stealing the guy's identity all the time. LOL. People are opening accounts in his name all over the country. I guess LifeLock's service is not quite rock solid yet. Normally this would be a shame. However the guy was really asking for it. Publishing your SSN on ads across the nation is not a great idea.

I bet there are crooks who stick it to Todd Davis just because he is so bold and arrogant. Well the company has some work to do. The first item on the agenda is to take care of all the CEO identity theft occurrences. Oh yeah. Their web site is so slow it is not even funny. I guess they are the target of a few denial of service attacks as well. I almost feel sorry for them.

Outsourcing to Prisons

A company in India is planning to open up shop in one of their prisons. The plan is to have prisoners do some office work like data entry. This is essentially an outsourcing shop. Does anybody see there being something wrong with this setup?

I can understand the hype behind this project. They say that after the prisoners do the work, they will be able to use the skills to transition to similar work when they get out of prison.

Another proposed benefit is that the work will make the prisoners more money than the typical chain gang style work. They are hyping a 10 times better pay for prisoners doing the office work.

The only ones who might make out with this scenario are the prisoners. They get some easier work. They get access to computers where they might be able to do some online crime. And if everything goes as planned, they get office skills to boot. I don't think I want these guys processing my transactions.

Car Hackage

A couple university researchers tested out car control system vulnerabilities. They found almost all of them vulnerable to attack. The targeted the communication between the different electronic control units in the car.

They could kill the engine. They could also disable or engage the brakes. They made the instrument panels do what they commanded. These schlubs even made the horn honk. Pretty scary stuff.

The research was to demonstrate the potential risks car have from being hacked. They say that cars not being on the Internet helps thwart some attacks. However defenses need to be designed and implemented now to protect the car driving public.

Hacker Traits

I checked out a FAQ that instructs a manager on what to do if they hire a hacker. The goal is to get good work out of the hacker without disrupting the whole organization.

Let's start with some hacker traits. They are competent, especially at technical tasks. They have high ability, knowledge, and skills. They think deeply and abstractly. Hard concepts come easy to them. Their thinking is uncommon. They have ultimate concentration.

You need not worry. Your normal hacker does not want to steal from you or others. That would be the cracker, or simple script kiddie. Hacker are just very effective at what they do. They might have 10 times the performance of your normal workers.

Some roles are not well suited for hackers. Don't let them be computer operators, or anything else where they might get bored. A hacker won't respect any nonsense like job titles. However they will most likely be honest. If you need a strong tech person, the hacker is the way to go.

Silverlight Security

Web applications are hot. Microsoft has the Silverlight framework to help developers create web apps. It is important for such developers to know how to lock down these web apps. Here is some high level guidance.

First you need to make sure users are who they say they are. Next you need to check whether the authenticated users are allowed to do the operations they are requesting. Finally you should audit what actually gets done. That is security in a nutshell.

Silverlight runs in the web browser. That provides some security. You need to ensure that the web app access to your services is locked down. Encrypt any comms between client and server. Use HTTPS and SSL for that.

Beware cross domain HTTP requests. This is a security vuln. Don't put sensitive info in such requests. Obfuscate your proprietary code. And even if somebody is authenticated, don't trust them with your source code. You IIS Directory Security to lock down specific files on your server.

Games Criminals Play

I read a book review on Games Criminals Play. This is a study of how inmates in prisons use psychology to trick guards into doing their bidding. The lessons extend to any type of manipulation. If you are a prison guard, you had better get a copy of this book and study up.

The prisoners look for emotional weakness in the guards. They also target new employees, or newly transferred guards. These are the ones that can be easily manipulated. It starts with some testing of the guards' limits. Then prisoners accelerate their tactics to gain full control of the guard.

One small goal is to get a guard to depend on you. Compliment them to stroke their ego. Learn personal details about the guards. Ask guards for help. Start with an accidental touch. Then escalate to deliberate moves.

Finally you launch a rumor campaign against your target. Apply leverage. If they help you with small disgressions, you can get them to do more. It is a typical blackmail style lever. How do you avoid all this mess? Tell other guards what is happening to you. Stay above approach. Document everything that goes on. Above all be careful. If a crook invests this much energy to compromise you, then may get violent if the techniques do not work.


SysInternals has published the source code of its tools. I took a look at Secure Delete. This is an app that meets C2 compliance for truly deleting file contents on disk. Note that the filename is not fully deleted from the system. The secure delete is accomplished by an overwrite with the secure delete pattern.

All of the security requirements come from 5220.22-M, which is the standard from the Department of Defense. The specifics are that you must overwrite deleted files with (1) a character, (2) the complement of the character, and (3) a random character. This technique is not sufficient for Top Secret material. That would requires a hardware degaussing of the drive.

The source code is provided. However it is copyrighted by Mark Russinovich. The cool thing is that this secure delete works on compressed and encrypted files as well. Good apps like this are probably which Microsoft bought out SysInternals some time ago.

Computing The Natural Logarithm

I just read about a big feat. Alex Yee of Northwestern U has written a program to computer 500 billion digits of e. The digits have been computed and verified. Here is the amazing part. He did this on a PC. And the PC was not in dedicated use for the computation. It is his workstation as well for other tasks.

Alex is in the EE and CS department. His computer does have a whopping 12G of RAM. And it runs Windows. The thing is overclocked for optimal performance. He describes his PC as a great gaming PC.

To make the computation, Alex relies on the Taylor series expansion to compute e. His program needs to do a lot of huge multiplications. It is one machine. But it has support to use multiple disk drives for a single mammoth operation. His program also makes use of another program called Y-Cruncher.

Y-Cruncher is a multithreaded program whose initial purpose was to compute the digits of Pi. It first did 1 billion digits. The thing has set a bunch of records. It was first coded in Java, then ported to C, and is now written in C++. The author is still in college. This is not an open source product. But as we can see, others in the academic community are making use of it to do great things.

Cipher to Keep Eyes Out

I had some personal data that I did not want anybody to see. This was stored on my laptop, so I figured there was already a level of security applied. However I wanted to go a bit further. I also wanted to do some programming to help myself out. Therefore I decided to implement a quick Caesar cipher to do the job.

Essentially this just replaces each character in the alphabet with another. The result is that text looks jumbled. Regular words turn into meaningless information. Sure with enough data, the cipher translation can be guessed. Then my data would be cracked. However this was a fun exercise.

To map the characters form source to encrypted output, I decided to pick the mappings myself. I kind of zigzagged from one end of the alphabet to the other. For example, any letter A would be replaced by the letter X. Then any letter B would be replaced by the latter D. I kind of alternated from the lower to upper letters in the alphabet as I chose substitutes for my source text. Did this make my cipher any less secure? Who cares. This is just a mickey mouse cipher. It is still good stuff.

My next idea is to write a program to decipher a Caesar cipher. Here is my plan. My program will use brute force, making a guess for the mappings in the cipher. Then it will try to decrypt the text using the guessed mapping. It will compare the output with a dictionary of words. If the guess results in properly spelled words, it will declare victory. Perhaps I can make it faster by building some smarts to make intelligent guesses for the cipher mapping.

Jarlsberg by Google

Google has a free lab where they teach web app exploitation and the defense against it. Their latest development is a web app called Jarlsberg. If you don't know, that's also the name of a chess with a lot of holes. Just like the cheese, this sample application is full of web security holes due to bugs.

Jarlsberg is meant to be used as a poorly designed application to study. It is seriously vulnerable to attacks like cross-site scripting. You will learn about security as you go through the steps to see how you can hack the app. The app and code are being licensed for free under the Creative Commons license.

Some people are a little suspicious that Google is essentially teaching people how to be hackers. However you got to learn to hack before you can defend against it. Good job Google. It is funny that when I Google for Jarlsberg, I only get the real cheese. Maybe it is too early for this security app to be in the search engine results.

Big Brother Lives

Today I heard about this spooky web site called Spokeo. You type in a name. It gives you all kinds of personal information about the person. You can also type in an e-mail address and get the 411 on somebody.

I was surprised at home much information this web site knows about. How the hell did they get all that info? Looks like the good info requires you to pay a monthly fee. Hey if the info is all good, I am willing to shell out a few bucks for more details.

It turns out that this site is just an aggregator of publicly available information. The value add is that it ties it all together. And it presents it in a nice web site. Damn. I wish I thought about that. Now I wonder what kind of massive database they use to store all the details.