Kindle DRM Hacked

Amazon has implemented Digital Rights Management on its Kindle for PC product. The book you buy is supposed to only be readable on your PC. Israeli hacker Labbu has claimed to have broken this DRM. His tool is called Unswindle. The latest version is v5-rc1. The tool requires Mobidedrm from Darkreverse.

Unswindle is written in the Python programming language. It cracks the unique key that Amazon distributes per book. Previously Amazon had patched their Kindle for PC product, rendering Unswindle useless. However Labbu provided an update which got past the latest fix from Amazon.

Labbu did say that Amazon had some good security in place for their Kindle for PC. The development began in response to a challenge posted on a hacker site. This was not for illegal use of Amazon books. Some dude just wanted to open a Kindle file on a PC other than the one that was authorized through the DRM. Labbu responded in full force with Unswindle. Nice.

Let's Hack

I picked up a Hacking for Dummies book a while ago. It had an unknown date of publication. The intro was written by the dude who authored Hacking Exposed. The cheat sheet from the book had already been torn out. LOL. Owned.

The book stated that there are 23,000 professionals with the CISSP certification. An alternate certification is the Certified Ethical Hacker. There is an entire industry built around ethical hacking. This is where you conduct legal security testing. It is also called penetration testing. Another word for ethical hackers is White Hat Hackers.

Here is a cop out. The author states that he is not responsible for hacks performed by his readers. Yeah right. Let's get some terms right. A hacker is somebody who likes to tinker with stuff. A cracker, on the other hand, is someone who likes breaking into systems.

Cryptography Wrap Up

There was a whole mountain of information that I learned by reading Cryptography for Dummies. It was very insightful. I could go on and on writing about the topics I learned. However today I just want to wrap up some of the highlights I have not written about yet. Then we can move on to more exciting hacking.

Be aware that the subject line for an email is not encrypted even when the contents of the email are. Here is a good recommendation. You should back up your public and private keys to different locations.

Static encryption is where the system encrypts the information before it transmits the data. The MD5 and SHA-1 algorithms do not encrypt data. They just allow the recipient to detect whether the contents of the message have been tampered with during transmission.
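As an added example (not from the book or the original post), the sketch below shows what a digest does and does not give you: the message stays readable, a changed message no longer matches its digest, but anyone who can alter the message can also recompute an unkeyed digest, which a keyed HMAC prevents. The shared key and messages are constructed sample values.

```python
import hashlib
import hmac

def sha1_digest(message):
    # Unkeyed digest: anyone holding the message can compute it.
    return hashlib.sha1(message).hexdigest()

def digest_matches(message, digest):
    # Recipient side: recompute and compare in constant time.
    return hmac.compare_digest(sha1_digest(message), digest)

def hmac_tag(key, message):
    # Keyed digest: computing a valid tag requires the shared key.
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def tag_matches(key, message, tag):
    return hmac.compare_digest(hmac_tag(key, message), tag)

def demo():
    key = b"constructed-shared-secret"        # constructed sample key
    original = b"Pay 100 to account 12345"    # constructed sample message
    altered = b"Pay 900 to account 12345"
    results = {}

    # 1. A digest is not encryption: the message travels unchanged beside it.
    sent_message, sent_digest = original, sha1_digest(original)
    results["message_still_readable"] = sent_message == original

    # 2. If only the message changes in transit, the digest no longer matches.
    results["digest_flags_changed_message"] = not digest_matches(altered, sent_digest)

    # 3. If message and digest travel together, both can be replaced,
    #    and the recipient's check passes on the altered message.
    results["replaced_digest_passes"] = digest_matches(altered, sha1_digest(altered))

    # 4. With HMAC, a tag recomputed without the shared key is rejected.
    sent_tag = hmac_tag(key, original)
    tag_without_key = hmac_tag(b"not-the-key", altered)
    results["hmac_accepts_original"] = tag_matches(key, original, sent_tag)
    results["hmac_rejects_altered"] = not tag_matches(key, altered, sent_tag)
    results["hmac_rejects_tag_without_key"] = not tag_matches(key, altered, tag_without_key)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An unkeyed digest is only a tamper check when the digest itself arrives over a channel the sender of the altered message cannot touch.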

Finally you should not install and set up a cryptographic system if you are not 100% sure what you are doing. Good luck with your encryption exploits. Next time I think I will talk about another book I read in the past. Can you guess the title? It was Hacking for Dummies.

DECAF

Two bad boy hackers have come out with a tool called DECAF. It defends against COFEE, a Microsoft tool whose name stands for Computer Online Forensic Evidence Extractor. DECAF will check for the presence of COFEE on your machine. It will then delete temporary files, erase logs, and disable USB ports (from which COFEE runs).

The source code for DECAF has not been released. However it is being licensed for free as long as you use it for personal and noncommercial uses. The app looks like a really simple Windows app. It does real time monitoring. And it claims to be highly configurable. You can disable all kinds of things on your machine.
In the future, the developers of DECAF intend to modify the program so that it can be remotely controlled. This sounds like some good stuff. I guess to test it out I will have to install COFEE on a memory stick and see what DECAF can do.

Defense Against the Dark Arts

Suppose you wanted to make sure you could not be found. You still need to communicate with others. However you just don’t want stalkers to track you down and know where you live. I read a book that briefly went over some steps to stay invisible. Here are the highlights.

Definitely get an unlisted phone number. You can also sign up for the phone line under a misspelled or fake name. Don’t put down your address when signing up for the phone line. Use something else like a post office box.

Request that web sites take down information with your name and/or address. Use an anonymous remailer for sending out e-mail. Change your e-mail address frequently. This is easy with free e-mail services like Gmail.

Don’t use credit cards at all. And don’t use your real name for anything. This just scratches the surface of how to lay low. I am sure you could write a whole book to take the undercover living to the next level. I found this all very interesting. I myself write under a pen name so stalkers have to work hard to determine my identity. So far it has worked for me.

Net Cons

I read about a number of interesting cons in Steal This Computer Book. There was the standard fare like Multi Level Marketing (MLM) scams. You know the kind. Somebody says they will pay you to stuff envelopes at home. Yeah right.

But there were some tricky ones too. People will leave you a message. When you call back, they try to keep you on the line. That's because it's a pay line like the old 900 numbers. Scammed.

Another con is a play on the chain mail letter. You get a program which enforces the chain. You have to pay the 5 or 6 people on the list. Then you get a new version of the program with your name on the list. The theory is that you will then receive cash from people who receive your program. The funny part about this is that the con software program can be hacked without you coughing up any money.

The last con was pretty interesting. You get a stock tip from a broker who says a certain stock is going up in price. Then like magic it goes up. Next the broker gives you another tip saying a different stock is going down. Like clockwork the stock price falls. Then they ask for your money to "invest". The con is that they send out a lot of e-mails, mixing up their guesses as to which stocks go up and down. For some percentage of the people they contact, their picks will be right. Go figure.

Steal This Computer Book

I checked out the latest edition of Steal This Computer Book from the library. It sounded like some type of hacking book. So I thought I would give it a read.

At home I read the back cover. I got a little scared. There was a warning on it that said the book was not to be used for illegal activities. Then the author's bio stated he was a stand-up comic. Great. I may have checked out a spoof.

Luckily, when I skimmed through the interesting chapters, I found you could not judge this book by its cover. Here are some kewl facts I learned by reading it.

Hacker sites seem to appear and disappear. You got to keep up to stay current. There are sites devoted to providing links to the best sites. I have seen those before and thought they were just spam. Nope. They are the real deal.

The top conferences for hackers are DefCon, HOPE (from 2600 magazine), SummerCon and ToorCon. Next time I will go into some more gems I pulled from this book. That includes some nasty cons, and how to prevent yourself from being found.

More on Keys

The best source of information I have read on cryptographic keys was Cryptography for Dummies. Seriously. Let's start with the Key Encryption Key (KEK). This is a way to wrap a key with encryption to keep the key itself secure.
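As an added example (not from the book or the original post), here is one way to wrap a data key under a KEK, using AES Key Wrap (RFC 3394) from the third-party Python `cryptography` package. The choice of algorithm, the random sample keys, and helper names such as `rotate_kek` are assumptions made for illustration.

```python
import os
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap,
)

def wrap_data_key(kek, data_key):
    # The data key is stored only in wrapped form; the KEK is kept elsewhere.
    return aes_key_wrap(kek, data_key)

def unwrap_data_key(kek, wrapped):
    # AES Key Wrap carries an integrity check, so a wrong KEK or a
    # modified blob is rejected instead of yielding a garbage key.
    try:
        return aes_key_unwrap(kek, wrapped)
    except InvalidUnwrap:
        return None

def rotate_kek(old_kek, new_kek, wrapped):
    # Replacing the KEK only re-wraps the small data key; the data
    # encrypted under that data key does not have to be re-encrypted.
    data_key = unwrap_data_key(old_kek, wrapped)
    if data_key is None:
        raise ValueError("wrapped key did not verify under the old KEK")
    return wrap_data_key(new_kek, data_key)

def demo():
    kek, new_kek = os.urandom(32), os.urandom(32)   # constructed sample KEKs
    data_key = os.urandom(32)                       # constructed sample data key
    wrapped = wrap_data_key(kek, data_key)

    # Flip one bit of the stored blob to simulate corruption or tampering.
    damaged = bytes([wrapped[0] ^ 0x01]) + wrapped[1:]
    rewrapped = rotate_kek(kek, new_kek, wrapped)
    return {
        "wrapped_len": len(wrapped),  # 8 bytes longer than the data key
        "round_trip": unwrap_data_key(kek, wrapped) == data_key,
        "wrong_kek_rejected": unwrap_data_key(new_kek, wrapped) is None,
        "damaged_rejected": unwrap_data_key(kek, damaged) is None,
        "rotated_ok": unwrap_data_key(new_kek, rewrapped) == data_key,
        "old_kek_fails_after_rotation": unwrap_data_key(kek, rewrapped) is None,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```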

Keys are not generic. They are specific to the algorithm that uses them. Keys are set up to be generated by a key server. This server distributes new keys when necessary. The downside to this approach is that if the server becomes compromised, the whole show is bust.

A key escrow is a way to store keys and/or pass phrases in case the keys are lost. This allows them to be recovered in the future. You require the answers to some secret questions before the keys can be recovered from the escrow.

Next time I will go over some of the acronyms which usually stand for security protocols. Examples are TLS, SSH, SSML, and S/MIME.

All About Keys

Keys are a crucial part of cryptography. They are also one of the more difficult things to control. There is often confusion as to what a key actually is. The key is not a token. It is a file on the computer used by an algorithm to encrypt/decrypt. The key doesn't do any encrypting. The algorithm encrypts.

A session key is a key which is disposed of when transmission of the data is complete. Do not take the shortcut of choosing options which generate keys faster. That makes them less secure. You can choose short key sizes for data that is transient. But it is best to pick long keys and pass phrases.

A key ring is a list of public keys. Since a key is a file, you would think it should be stored on a hard drive. However you should put them on removable drives that you can physically take with you. Make sure you also back up your keys.

There is a lot more to talk about with keys. Next time I plan to cover key wrappers, escrow, services, and recovery.