Category Archives: #iOS

Links – Application of Elliptic Curve Crypto

With the NSA/CSS’s support of RSA dwindling, the agency has embraced public-key ECC with open arms in its Suite B: key agreement is ECDH and signatures are ECDSA, used alongside AES and the SHA-2 hashes, with no RSA in the suite at all. This is partly because small RSA keys have been broken in practice (a 768-bit RSA modulus was factored in 2009) and because the associated contracts with the NSA have ended; RSA keys over 1,024 bits are still considered safe at the time of writing, though ECC reaches the same strength with far shorter keys. This post gives some background on ECC’s adoption and on cellular cryptography.

Since I just started using secure voice apps on my Android, I thought I’d provide a list of reference material on ECC’s growing use in everyday technology. Feel free to check out the solutions mentioned below as well (I don’t endorse any of them; find a solution that works best for you and your needs).

ECC now shows up in nearly every corner of secure computing, from chat servers to cell phone voice encryption. Yet ECC is public-key cryptography, and its job is key agreement (ECDH) and authentication through digital signatures (ECDSA), not encrypting whole documents. In practice it runs alongside a well-established symmetric algorithm: the ECC exchange establishes the keys, and a cipher such as AES encrypts the actual data stream flowing between the two endpoints.

Secure SIP providers around the globe have started shipping VoIP tools that use ZRTP to agree on keys (a Diffie-Hellman exchange carried in the media path, with a short authentication string the callers can compare to detect a man-in-the-middle) and SRTP to encrypt and authenticate the media with those keys. This is a really good way of thwarting cellular eavesdropping.

For example, VoIP provider S.M.A.R.T.S. Technology designed HushCrypt on Android to encrypt voice calls handset-to-handset with AES-256, keyed through ZRTP’s elliptic-curve Diffie-Hellman option (the EC38 key-agreement type, ECDH over the 384-bit NIST curve). Its competitor, RedPhone by Whisper Systems, likewise uses ZRTP for key agreement and SRTP for the media encryption. Experiment with them as you see fit and determine which is best for you.
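To make the ZRTP-then-SRTP split concrete, here is an added example (my own illustration, not code from this post or from HushCrypt, RedPhone or any ZRTP implementation) of the key-agreement layer: two parties run elliptic-curve Diffie-Hellman, derive an SRTP master key from the result, and each compute a 4-character short authentication string (SAS) that they would read to each other over the call. The curve is the textbook toy y² = x³ + 2x + 2 over F17 with generator (5, 1) of order 19, chosen so the arithmetic can be checked by hand; real ZRTP uses NIST P-256/P-384 (its EC25/EC38 types), and its key derivation also hashes the full message transcript, which is simplified here to the DH result plus both public values. The mitm_call function shows why the SAS matters: an interceptor who runs two separate exchanges can read both legs, but the two ends then derive different key material and (barring a 1-in-2^20 coincidence) different SAS strings.

```python
"""Toy ZRTP-style key agreement: ECDH, derived SRTP master key, and short authentication string.
Illustration only: the curve has 19 points and offers no security whatsoever."""
import base64
import hashlib
import hmac
import secrets

# Curve y^2 = x^3 + 2x + 2 over F_17 (textbook toy parameters); b never appears in the group law.
P, A = 17, 2
G = (5, 1)     # generator
N = 19         # order of G (prime, so every nonzero scalar is a valid private key)
INF = None     # point at infinity


def inv(x):
    """Modular inverse via Fermat (P is prime)."""
    return pow(x % P, P - 2, P)


def point_add(p1, p2):
    """Short-Weierstrass group law, with doubling and the identity handled."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1
        return INF
    if p1 == p2:
        s = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        s = (y2 - y1) * inv(x2 - x1) % P
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: k*pt. The public key for private scalar d is d*G."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    d = secrets.randbelow(N - 1) + 1       # d in [1, N-1]
    return d, scalar_mult(d, G)


def derive(shared, pub_initiator, pub_responder):
    """Derive the SRTP master key and SAS from the DH result (simplified ZRTP KDF)."""
    if shared is INF:
        raise ValueError("degenerate DH result; reject the peer's public value")
    s0 = hashlib.sha256(f"{shared[0]}|{pub_initiator}|{pub_responder}".encode()).digest()
    srtp_master_key = hmac.new(s0, b"SRTP master key", hashlib.sha256).digest()[:16]
    sas_hash = hmac.new(s0, b"SAS", hashlib.sha256).digest()
    sas = base64.b32encode(sas_hash).decode()[:4]   # 4 base32 chars = 20 bits, as in ZRTP's base32 SAS
    return srtp_master_key, sas


def honest_call(d_alice, d_bob):
    """Alice and Bob exchange public values directly; keys and SAS must match."""
    pub_a, pub_b = scalar_mult(d_alice, G), scalar_mult(d_bob, G)
    key_a, sas_a = derive(scalar_mult(d_alice, pub_b), pub_a, pub_b)
    key_b, sas_b = derive(scalar_mult(d_bob, pub_a), pub_a, pub_b)
    return key_a, sas_a, key_b, sas_b


def mitm_call(d_alice, d_bob, d_mallory):
    """Mallory swaps in her own public value on both legs and runs two separate exchanges."""
    pub_a, pub_b, pub_m = (scalar_mult(d, G) for d in (d_alice, d_bob, d_mallory))
    key_a, sas_a = derive(scalar_mult(d_alice, pub_m), pub_a, pub_m)   # Alice thinks pub_m is Bob's
    key_b, sas_b = derive(scalar_mult(d_bob, pub_m), pub_m, pub_b)     # Bob thinks pub_m is Alice's
    key_ma, _ = derive(scalar_mult(d_mallory, pub_a), pub_a, pub_m)    # Mallory's key toward Alice
    key_mb, _ = derive(scalar_mult(d_mallory, pub_b), pub_m, pub_b)    # Mallory's key toward Bob
    return key_a, key_b, key_ma, key_mb, sas_a, sas_b


if __name__ == "__main__":
    da, _ = keygen()
    db, _ = keygen()
    ka, sa, kb, sb = honest_call(da, db)
    print("honest call: keys match =", ka == kb, " SAS:", sa, sb)
    dm, _ = keygen()
    ka, kb, kma, kmb, sa, sb = mitm_call(da, db, dm)
    print("MITM: Mallory holds both keys =", (ka == kma and kb == kmb),
          " SAS Alice/Bob:", sa, sb, "(a mismatch reveals the interception)")
```

The SRTP master key is what the media encryption layer would consume; nothing in ZRTP protects the call unless the two humans actually compare the SAS, which is the whole point of the interception case above.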

Similarly, my favorite secure texting app on Android (also from Whisper Systems) is TextSecure, which relies on ECC for the key exchange in transit and AES-128 for the message contents. Keys are generated on a session-to-session basis and remain “alive” until either party ends the session (this is compliant with NSA Suite B; for more information see the related link below).

Pretty heavy encryption, huh? But as Joseph Heller wrote in Catch-22 (a line often credited to Henry Kissinger), “Just because you’re paranoid doesn’t mean they aren’t after you.” And in this world of increased threats, a little security goes a long way.

ECC & Cellular Crypto Resources

If you’re interested in learning more about the encryption standards used in common technologies, visit the links below (think I missed a cool link? Share it and I’ll add it to the list).

Also feel free to check out the WordPress recommended links throughout the post as I’ve approved some good Wikipedia entries!

NSA Suite B Cryptography: the combined use of AES, ECC and SHA hashes (includes whitepapers for interested math majors)
“ECC to replace RSA,” In God I Trust blog (Blogspot)
“The Case for Elliptic Curve Cryptography,” NSA/CSS homepage
HushCrypt Secure Phone on the Google Play Android store
Whisper Systems security products
WhisperSystems/TextSecure wiki on the protocols used
WhisperSystems/RedPhone wiki on the protocols used
Voice encryption basics on Wikipedia
SRTP protocol specification (RFC 3711)
“NSA Watch,” Schneier, Bruce. September 30, 2005. Schneier on Security blog. *

* Note: If you aren’t subscribed to his blog or reading his articles and books (and you’re interested in computer security), you don’t know what you’re missing. This Schneier post has everything you need to know about ECC, including links to some great resources that go well beyond this shallow post. Bruce Schneier is a name you can trust.

Related Posts

I mentioned using PK and ECC in my blog posts entitled “Encrypted Messaging Using OpenPGP and Psi,” “DNS Threats and Security Solutions,” and “Links – PGP Security.”

Poll – iPhone 5 Released. Will You Get It?

The specs are in for the new iPhone 5. Compare them now with a few new Androids on the market on Mashable here:

https://mashable.com/2012/09/12/iphone-5-compared/

Details on the iPhone 5 can be found on the following sites:

Mashable: iPhone 5 review
TechRadar: iPhone 5 review
The New York Times: review by David Pogue

Concerned with battery life? Check out the Cult of Mac article discussing it. The truth is that, although the iPhone 5 boasts 8 hours of 4G (LTE) web browsing (or 10 hours of video playback without web browsing, or 8 hours of talk time), the Motorola Razr Maxx still boasts a 3,300 mAh battery rated for up to 17.6 hours of talk time! The new Motorola Razr HD claims an impressive 21 hours of talk time/data use over 3G.

Court rivals can still be friends, right? Check out how the iPhone 5 stacks up against its biggest rival, the Samsung Galaxy S III, here.

Does it bother you that the iPhone 5 still doesn’t have an SD card slot while the new Samsung Galaxy S III takes a microSD card for multimedia (the SDXC spec tops out at 2 TB)? Any other gripes? Feel free to chime in on the poll and/or comment to let me know what you think!

Access Your Virtualized Linux Box Anywhere

Have you ever wanted access to a Linux box from your mobile device? Sure, you could just SSH in, but what if you wanted the entire desktop experience on your tablet or at a friend’s house? Virtualization + RAS (remote access software) = true OS freedom (or… well, geeky fun anyway). The technique is used regularly, but some readers may not know how to take advantage of it.

In this article I’ll explain how to get access to your Linux box from any platform or device. Keep in mind that if your host is already Linux you can skip the virtualization section and head straight to configuring the remote access software.

This setup can be used on a Windows host machine running a Linux guest environment, which is the case I walk through here.

Remote Access on Your Mobile

There have been a lot of advances in virtualization and remote access software, but it never ceases to amaze me how few all-in-one packages there are for manipulating virtual environments from mobile devices. Writing software for mobile devices is often tricky, and the few options out there are kind of crappy. The software I’ll be using in this post are the iOS/iPad versions of TeamViewer HD Free for iPad and VMware View (also free, though the host-side software is a 60-day trial). I’ll only provide the in-depth setup for TeamViewer, as doing both would be exhausting.

Downloading TV or VMware View on Your Mobile

TeamViewer For Remote Control (Android OS)

TeamViewer HD for iPad (iOS/iPad)

VMware View for Android (Android OS)

VMware View for iPad (iOS/iPad)

Your RAS software is the key to reaching your virtualized session, so pick a RAS client that runs on the mobile device you plan to use. The client determines how well you can manipulate the remote desktop, so choose wisely, or YMMV. You can likewise substitute a VNC variant for the RAS choices I’ve used.

As such, review the release notes of your mobile RAS client to ensure it’ll function correctly on your specific device. For example, I’ve used TeamViewer for Android on my Motorola Razr without any problems, but I wouldn’t expect speedy results on an older Android without a dual-core processor.

Host Machine

Obviously it goes without saying (but I will) that your host needs to be on if you want to access your virtualized box. The critical components here are:

  • RAM
  • Bandwidth

I’ll be dedicating ~1.5 to 2 GB to the virtual session, but keep in mind that this is about the bare minimum most X desktop environments need to work efficiently under load (and therefore inside a VM). Your success depends on how much RAM you allot to the VM on the host: some desktop environments are resource hogs. With that in mind I’ll be using Bodhi Linux, a lightweight Enlightenment (E17) distribution. Minimalism is critical if you are tight on RAM.

(If you’re interested in Bodhi Linux you can pick up the distro here: http://www.bodhilinux.com/)

It should go without saying that 3D hardware acceleration needs to be enabled on the host, which means a reasonably recent GPU, though what you see on the mobile client may still vary. But this is Linux we’re talking about… in all likelihood you’ll be fine so long as you aren’t doing anything too graphically intense. I’m using an XFX HD 6670 with 1 GB of GDDR5, so you don’t need anything fancy (keep in mind everything on my system is bottlenecked by an old Pentium D processor, so any modern system should do well). If the virtual environment plays fine on your host, you’re set in that department.

Bandwidth is critical. I’m pulling 45/35 Mbps on a fiber line for the host. You don’t want your host machine to slow you down (use Wi-Fi on the client side rather than 3G or 4G if the network is fast enough). Let’s be honest: we’re using RAS (slow) and virtualization (potentially slow); you don’t want a bandwidth problem factored in as well. Nothing sucks more than remote access lag.

Host Software

This is broken up into two parts: 1) the virtual environment creator and player (the same program in the case of VMware Workstation or VirtualBox), and 2) the RAS setup inside the virtualized Linux session.

This post focuses on the latter. You should already know how to set up a virtual environment in VMware or Oracle VM VirtualBox; read the documentation for whichever virtualization package you decide to use. Keep in mind that VirtualBox and VMware Player are free while VMware Workstation is an expensive investment; VirtualBox is the best free option for both creating and playing environments without buying Workstation.

Oracle VM VirtualBox can be downloaded here: https://www.virtualbox.org/
VMware Workstation can be sampled for 30 days here: http://www.vmware.com/products/workstation/overview.html
VMware Player (plays VMs but doesn’t create them) can be downloaded here: http://www.vmware.com/products/player/

The last note here: use NAT as your network adapter setting so the guest shares the host’s IP address (my VPN, configured on the host, also worked well with this configuration). A NAT guest isn’t directly reachable from the LAN, which is fine here because TeamViewer connects outbound from inside the guest.
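If you’d rather script the VM than click through the GUI, here is an added example (mine, not the post’s own steps and not taken from VirtualBox’s documentation) that provisions a Bodhi-style guest with VirtualBox’s VBoxManage command line, applying the settings discussed above: the RAM allotment, 3D acceleration, a NAT adapter so the guest shares the host’s IP, and a NAT port-forwarding rule so you can also SSH into the guest through the host even though NAT hides it from the network. Everything in it is an assumption about your setup: VBoxManage on the PATH, the ISO and disk paths, the “Ubuntu_64” OS type for an Ubuntu-derived distro, and host port 2222 for SSH. The dry_run switch returns the commands without executing them.

```python
"""Provision a Linux guest for remote access with VirtualBox's VBoxManage CLI.
Assumptions: VBoxManage on PATH, the ISO/disk paths given by the caller, ostype Ubuntu_64."""
import shutil
import subprocess

MIN_RAM_MB = 1536   # below ~1.5 GB most X desktops crawl, as noted above


def build_commands(name, iso_path, disk_path, mem_mb=2048, cpus=2, vram_mb=128,
                   ostype="Ubuntu_64", ssh_host_port=2222, disk_mb=20480):
    """Return the VBoxManage invocations, in order, as argv lists."""
    if mem_mb < MIN_RAM_MB:
        raise ValueError(f"mem_mb={mem_mb} is below the {MIN_RAM_MB} MB minimum for a usable X desktop")
    return [
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        ["VBoxManage", "modifyvm", name,
         "--memory", str(mem_mb), "--cpus", str(cpus),
         "--vram", str(vram_mb), "--accelerate3d", "on",      # 3D acceleration (needs Guest Additions in the guest)
         "--nic1", "nat",                                     # guest shares the host's IP address
         "--natpf1", f"guestssh,tcp,,{ssh_host_port},,22"],   # host:2222 -> guest:22, so "ssh -p 2222 user@host" works
        ["VBoxManage", "createmedium", "disk", "--filename", disk_path, "--size", str(disk_mb)],
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata", "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA", "--port", "0", "--device", "0",
         "--type", "hdd", "--medium", disk_path],
        ["VBoxManage", "storagectl", name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", name, "--storagectl", "IDE", "--port", "0", "--device", "0",
         "--type", "dvddrive", "--medium", iso_path],          # boot the installer ISO
        ["VBoxManage", "startvm", name, "--type", "gui"],      # switch to "headless" once the guest's RAS is set up
    ]


def provision(name, iso_path, disk_path, dry_run=False, **settings):
    """Run the provisioning sequence; with dry_run=True just return the command lines."""
    commands = build_commands(name, iso_path, disk_path, **settings)
    rendered = [" ".join(argv) for argv in commands]
    if dry_run:
        return rendered
    if shutil.which("VBoxManage") is None:
        raise FileNotFoundError("VBoxManage not found on PATH; install VirtualBox first")
    for argv in commands:
        subprocess.run(argv, check=True)   # stop at the first failing step
    return rendered


if __name__ == "__main__":
    for line in provision("bodhi", "/vms/bodhi.iso", "/vms/bodhi.vdi", dry_run=True):
        print(line)
```

The port-forward rule is optional; leave it out if you want the guest reachable only through the RAS client, since every forwarded port is one more service exposed on the host.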

Virtualization’s RAS

TeamViewer or VMware View 5.0 are ideal since they are well documented and exist on nearly any platform you need. Your virtual environment has to be fully working before this step, which means Linux is installed and usable as a whole.

As for the RAS inside the VM: if you did use Bodhi, you can download the Debian package (.deb) of TeamViewer for Linux or use Synaptic to automate the process (the easiest route with TeamViewer 7).

Configuring Your RAS (TeamViewer Example)

Upon starting TeamViewer for the first time you’ll get a notice about the software configuring Wine, which the Linux build runs under, to display the remote desktop.

I would create a TeamViewer account to be able to save frequently accessed computers.

Once it starts up you’ll want to write down your 9-digit ID. If you want unattended sign-in, disregard the session password shown on the main page (keeping in mind that your Linux guest and the TeamViewer software need to be running whenever you want to connect).

To configure the unattended password, head over to Options > Security and choose a long, random password (the combination of your 9-digit ID and your unattended password is everything TeamViewer requires to grant remote access to your virtualized Linux session, so treat it like any other credential).

Then head over to your mobile TeamViewer app (or whatever program you’re connecting from) and add the Linux guest’s ID and unattended password in the “Computers & Contacts” section of the client.

Then go ahead and connect. The session itself is encrypted (TeamViewer’s security statement describes an RSA key exchange with AES-256 session encryption), so an untrusted Wi-Fi network can’t read it; the weak point is the credential, since anyone who learns the ID and unattended password gets a full desktop on your VM from anywhere on the Internet. Keep that password unique, and protect the TeamViewer account you saved it in with a strong password as well.

Closing Notes

(Screenshots: Bodhi Linux guest in VMware / Bodhi on an iPad 1)

It’s highly unlikely that any RAS is going to offer stunning visuals, but different software gives different results (TeamViewer isn’t known for graphical prowess). Regardless, feel free to play around with the general concepts explored in this post to achieve a suitable result. In the end the goal was a decent remotely accessible Linux VM, as opposed to reaching your Linux box through a CLI, and to that end it worked.

Apple vs. Innovation

In the absence of Steve Jobs and of any new innovative ideas, the tech giant Apple won its patent case against Samsung. Apple will be awarded $1 billion, and Samsung will be forced to cease production of smartphones that resemble previously patented technologies found on Apple devices.

I suppose the jury of Samsung’s “peers” didn’t read the illusory flier circling the Earth since the 1800s stating that technology is innovated on the back of pre-existing technology. Instead the court decided that devices containing features such as pinch-to-zoom were in violation of patents registered by Apple.

Of course all smartphones have those features (HTC included), but this is just Apple’s first step. In the case of pinch-to-zoom, it makes sense for a small device to enable zooming by pulling and pushing your fingers together and apart. Many other similar technologies can be found in the case. But the court found that Apple’s patents were violated by introducing these features on Samsung’s Android-based devices. Apple hopes this will deter future smartphone makers from replicating the features in question.

This is Apple’s first attempt to thwart Android smartphone leader Google, a company that relies on hardware manufacturers to produce phones running its Android operating system (an open source Linux-based platform designed by Google for mobile devices). Samsung is Google’s largest mobile hardware partner (maker of the notable Samsung Galaxy Tab and Samsung Galaxy S II). The New York Times article “Jury Gives Apple Decisive Victory In A Patents Case” by Nick Wingfield,* released on 8/25, calls this a “proxy war against Google’s Android.”

In actuality, this looks a lot like Apple trying to stifle all forms of mobile competition so that the iPhone and other Apple mobile devices can trump the competition. This landmark decision proves that, in America today, suing is better than innovating. Equally unsettling, the integrity of the judicial system in the modern era is at stake as well.

By some sources, Android smartphones sold worldwide outnumber Apple smartphone sales considerably. As we’ve also seen, Apple has been reluctant to create any new products in recent history with the exception of the iPad 3 (which is an iPad 2 with a better screen, a slimmer design and overheating problems). Apple will soon release its new iOS version as well as a newly revamped Apple TV (much needed, considering Roku sales have left the previous incarnation of Apple TV in the dust).

As an Apple customer, I’m appalled by Apple’s stance toward innovation and, more specifically, Samsung. Apparently no one at Apple studied game theory and the need for innovative competition in high school economics. If you silence the competition with your complaints and fail to offer anything new, you should be ashamed of yourself. Don’t hide behind patent law as an excuse. Jobs claimed Google’s Android OS is a “stolen product,”* yet Apple seemed to have the same complaint against Microsoft over a decade ago! I believe we’re seeing Apple’s ugly side when dealing with competition, and it can best be described as “blame it on the other guy.”

This case brings up a number of valid legal concerns technology producers have:

1) Is our current legal system and, specifically juries, effective when dealing with technological matters?

2) What if jurors can’t comprehend the matters at stake?

3) Are our current patent laws reasonable in an inherently innovative world?

4) What role should patent law play in technology today?

5) If you believe our legal system is incapable of dealing with new technological issues, should our legal system be fixed?

While I won’t get into those “big picture” debates on the blog, people should be considering those questions when reading the news. As it stands, this ruling will disturb the very foundation of mobile innovation in America. Hopefully the appeals will be more successful at stopping Apple’s temper tantrums.

Sources Used Above

* Wingfield, Nick. “Jury Gives Apple Decisive Victory In A Patents Case.” The New York Times, August 25, 2012.

Apple’s Social Engineering Crisis

On 8/08 there was an interesting article on Bloomberg’s website regarding the Apple password crisis surrounding journalist Mat Honan. Honan’s digital existence was wiped out a few days earlier when attackers used social engineering against him (for those unfamiliar with the story, I’ve linked the articles below).

Anyone who’s ever been to an Apple store knows that convenience is king.

You need help with something? There’s almost always some friendly hipster with a weird haircut to help you. You need your data migrated from one device to another? No problem for these blue-shirted gurus! Want your password changed? Sure, just answer a few simple questions that anyone can get the answers to…

Wait… what?

Apple previously allowed users to change crucial account details, such as the account password, over the phone. Most companies handle such changes online, walking the customer through a series of secure web pages after confirming their identity by several independent means. (Recently I had to call Dell and was bombarded with more than four identity questions.) Apple’s process allowed sensitive account changes on the strength of a few simple facts about a customer, including the last four digits of the primary credit card and the billing address! Neither is a secret: addresses are easy to look up, and the last four digits of a card are exactly what other merchants print on receipts and show on account pages, which is why a support desk should never treat them as proof of identity.

Anyone with access to another user’s Apple ID/iTunes account, if cloud backups and syncs are enabled, could delete data right out of the air or access important documents, which in turn could let an attacker into other accounts the user owns.

Other security flaws included the ability to take over the Apple ID associated with App Store and iTunes purchases, compromise iCloud data and more.
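To put the flaw in code terms, here is an added example (a generic sketch of mine, not Apple’s, Amazon’s or anyone else’s system) contrasting the knowledge-based reset described above with a possession-bound reset: the first accepts the last four card digits plus a billing address, both of which the attacker in this story could obtain elsewhere, while the second only honors a random, time-limited, single-use token that the service delivers to a device already registered on the account. The account record, the attacker’s harvested facts and the server secret are all constructed for the demonstration.

```python
"""Password-reset verification: knowledge-based answers vs. a possession-bound token.
Generic sketch for illustration; the account data and secret are constructed."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment key kept out of the database

# Constructed sample account (what a support desk or reset page can see)
ACCOUNT = {
    "email": "victim@example.com",
    "card_last4": "1234",
    "billing_address": "1 Example Street, Springfield",
    "registered_device": "device-7f3a",   # the channel a reset token is pushed to
}

# Facts an attacker could harvest elsewhere (merchant receipts, public records): constructed
ATTACKER_KNOWS = {"last4": "1234", "address": "1 example street, springfield"}


def kba_reset(account, last4, address):
    """Weak flow: static facts that third parties also hold. Anyone holding them passes."""
    return (hmac.compare_digest(last4, account["card_last4"])
            and address.strip().lower() == account["billing_address"].lower())


class ResetTokenService:
    """Stronger flow: a random, expiring, single-use token sent only to a registered device."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be exercised deterministically
        self._outstanding = {}        # email -> token not yet redeemed

    def _mac(self, email, body):
        return hmac.new(SERVER_SECRET, f"{email}|{body}".encode(), hashlib.sha256).hexdigest()

    def issue(self, account):
        body = f"{secrets.token_urlsafe(16)}.{int(self.clock()) + self.ttl}"
        token = f"{body}.{self._mac(account['email'], body)}"
        self._outstanding[account["email"]] = token
        # In a real system the token goes out-of-band to the registered device, never to the caller
        return {"deliver_to": account["registered_device"], "token": token}

    def redeem(self, account, token):
        parts = token.split(".")
        if len(parts) != 3:
            return False
        nonce, expires, mac = parts
        if not hmac.compare_digest(mac, self._mac(account["email"], f"{nonce}.{expires}")):
            return False                                   # forged or tampered
        if int(self.clock()) > int(expires):
            return False                                   # expired
        if self._outstanding.get(account["email"]) != token:
            return False                                   # never issued, or already used
        del self._outstanding[account["email"]]            # single use
        return True


def demo():
    """Returns (kba_passed, forged_ok, legit_ok, replay_ok)."""
    kba_passed = kba_reset(ACCOUNT, ATTACKER_KNOWS["last4"], ATTACKER_KNOWS["address"])
    svc = ResetTokenService()
    issued = svc.issue(ACCOUNT)                        # lands on device-7f3a, which the attacker lacks
    forged_ok = svc.redeem(ACCOUNT, "guess.9999999999.00")
    legit_ok = svc.redeem(ACCOUNT, issued["token"])   # the real device holder
    replay_ok = svc.redeem(ACCOUNT, issued["token"])  # same token presented again
    return kba_passed, forged_ok, legit_ok, replay_ok


def expiry_demo():
    """A token presented after its TTL is rejected."""
    now = [1_000_000]
    svc = ResetTokenService(ttl_seconds=60, clock=lambda: now[0])
    token = svc.issue(ACCOUNT)["token"]
    now[0] += 61
    return svc.redeem(ACCOUNT, token)


if __name__ == "__main__":
    print("KBA passed with harvested facts, forged, legit, replay:", demo())
    print("expired token accepted:", expiry_demo())
```

The lesson is in the first element of demo(): the knowledge-based check passes for the attacker because it never asked for anything only the account holder possesses. The token flow fails closed on a forged token, on a replayed one and on an expired one, and a phone agent has nothing to hand over because the agent never sees the token.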

That’s exactly what happened to Mat Honan of Wired. His ordeal is what spawned Apple’s reaction to these flaws: Honan’s digital life was destroyed when a hacker, simply interested in taking his Twitter username and causing havoc, gained access to his Apple ID, wiped his Apple devices remotely, accessed his accounts on other services and more.

In response to this crisis, Apple has suspended the option of resetting an Apple ID password over the telephone, as stated in the Bloomberg article linked below. It’s unfortunate that lessons are learned on the backs of paying customers; Honan’s case also exposed security failings at Amazon as well as Apple (see the links below for details).

Hopefully these major tech players have learned that sometimes convenience cometh before the fall.

It really is a tragedy that these companies didn’t take security seriously. With more data being stored off-site, on cloud servers, Mat Honan’s story gives us a lot to think about going forward in the digital age.

Sources:
Satariano, Adam (reporter) and Tom Giles (editor). Bloomberg, August 8, 2012. http://www.bloomberg.com/news/2012-08-08/apple-to-beef-up-security-for-phone-password-resets-after-breach.html
Honan, Mat. “How Apple and Amazon Security Flaws Led to My Epic Hacking.” Wired, August 6, 2012. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/