Category Archives: #security - Page 2

Links- Ophcrack for Windows Password Extraction

With forensics in mind, there’s literally a ton of ways to gain access to Windows. From clear text password exploits that dump the password in plaintext to your screen to bootable CDs that reset the Windows password outright (just search Google for “Windows Password Recovery” to see what I mean). This post isn’t meant to cover all password recovery bases, just briefly explain why reset tools may not be forensically sound and provide some links that may be of value to you if you need a good tool (my current favorite method is utilizing tool known as Ophcrack).

For those that don’t know, 0phcrack is a free but powerful utility that makes use of rainbow tables to crack NT HASH and LM passwords. It utilizes a method known as Time-Memory Tradeoff (discussed earlier on the blog). The best tables that support different types of characters for use in password extraction (and for different OS types) can be rather large. Cracking passwords can also be time consuming.

Distributions like the now-defunct free version of e-fense’s Helix 3 (no longer supported in favor of a paid pro version), and DEFT Linux, made/makes use of 0phcrack and provided access to basic rainbow tables for this purpose. If you don’t have Helix or 0phcrack as part of your forensic tool-set, you should. If you are interested in expanding your tables and have access to a large enough medium, feel free to check FreeRainBowTables.com to get more tables generated using distributed computing methods). The basic tables can also be found on 0phcrack’s Sourceforge and are suitable for basic use, but they also have paid tables as well.

0phcrack can be used during the analysis of a target’s SAM and SYSTEM Hivehive. It can be run as an executable from within Windows or in a bootable environment. Such information could provide forensically invaluable in accessing EFS-protected files on the system. From what I know, using methods like chntpw in Backtrack do reset Windows passwords but do then make accessing EFS encrypted files impossible.

Check this video created and posted by TechnologyCrazy to see how to setup 0phcrack (completely unaffiliated with this site).

As I always state, this site does not condone illegal activity. Link posts are links to pre-existing content (I’m actually considering making my own informational videos at some point when I have the time. Maybe even a step-by-step guide).

For links to computer security related tools or resources, feel free to check this Neuralhub post.

If you have access to any related instructional video please post it in the comments! If they are any good (and they are publicly accessible), I’ll share them.

Edit: This post is fairly old and I’ve used some really great programs since then. Here are some further notes to help you decide which encryption auditing tool you should use and when:

Ophcrack Project Homepage

This tool is good for LM and NT hash; quick and easy SAM hive cracking which is ideal if you don’t happen to have a license for PRTK but do for FTK and wish to crack EFS; uses rainbow tables for speed (pre-calculated hashes), for brute force see l0phtcrack below.

l0phtcrack Password Auditor

Offers excellent brute force, support for rainbow tables and dictionary attacks. Some that are coming from PRTK may note l0phtcrack seems to be missing PRTK’s biographical dictionary attack… one of my favorite tools. But that’s not necessarily true: you can accomplish this by loading biographical information in by creating your own dictionaries. Also one of the coolest features of l0phtcrack is the network sniffer which pulls password hashes transmitted across a network… but fair warning: it doesn’t always work, if in doubt, read the documentation).

** Note: thanks to my nameless friend for letting me try his l0phtcrack. Much appreciated.

AccessData’s PRTK

One of my all time favorite tools. Although brute forcing and standard dictionary attacks may take a long time and be resource intensive, PRTK also includes some pretty powerful dictionaries straight off the bat. Also nothing beats the simple and straight forward interface. I’m a huge fan of the biographical dictionary attack in which you can import string data from FTK and FTKi to accomplish a user-specific attack (that is to say, things like directory listings, FTK dtIndex’d results, etc. can all be imported to speed up attacks).  I used PRTK extensively in my AccessData Certified Examiner studies and found it to be one of the best tools to date.

Interesting side note regarding EFS cracking if you have a license to FTK but not to PRTK:

If you are running FTK4+, you can first crack the Windows user password in Ophcrack (SAM & SYSTEM hives) and then, after selecting the EFS encrypted file, allow FTK to decrypt it with the password you’ve discovered. FTK also includes allows you to list multiple passwords if you’re unsure of which it may be. If PRTK is installed on the same system, it’ll use PRTK in the background and decrypt the file. Of course, as an ACE, I advocate getting a license to PRTK if you can, but thankfully PRTK can be used for this at the back-end with little trouble.

CyberCity Wargames Looks Great

Hacker wargames are nothing new: from the epic Pull The Plug to a number of off-shoot sites still in existence, simulated hacking environments are used to help train individuals to develop sound computer security problem solving skills. A few of these sites such as hackthissite.org and OverTheWire teach practical software exploitation and network penetration skills through game-like hands-on challenges. While organizations like Offensive Security and the SANS Institute feature full fledged certification paths involving penetration challenges (see SANS NetWars).

Now the United States Air Force has established one of their newest Cyber Ranges, CyberCity. The new simulation trains both military and government personnel in the proper way to safeguard systems from penetration in real world scenarios. The simulation contains bank-type systems, public wifi networks as in the sort that coffee houses and internet cafes have, social networking site-simulations and more. Even more interesting? The man behind SANS NetWars, Ed Skoudis (noteworthy SANS Metasploit teacher), designed Cyber City himself!

Although some (including myself) have been critical of Director Panetta’s use of “Pearl Harbor” as a metaphor for “cyber war” (see “Cyber Terrorism and the Election” @ Neuralhub), I can’t deny the importance of adopting sound IT security solutions to prevent against new emergent threats both domestic and abroad. I’m glad to see my government adopting them. Penetration testing and defending simulations are ideal learning opportunities.  If you haven’t had the opportunity to attend a con where CTF was being played, I highly recommend attending one of the conventions in New York or Vegas (my first was HOPE 2K!).

Safeguarding such systems in light of specific exploits, malware and viruses such as Stuxnet and Flame is of great importance of to government officials. Whereas some in the news have criticized the U.S. as being behind on cyber defense (especially so with the Chinese attack against White House computer network), the public and private sector have been trying to step up their game and continue to work together to train our future front-line defenders.

From all the articles I’m reading in regards to CyberCity, I’m most impressed with the idea of real world consequences the simulation portrays. If someone botches up, it’ll have “real world” ramifications illustrated in physical models of U.S. cities (sounds a bit like War Hammer+Uplink). The simulations are even complete with statistical information regarding people affected by events occurring in game.

A similar but more expensive project is DARPA’s National Cyber Range (Lockheed won the $30m contract to help design it with DARPA back in 2010). For more information on the NCR, click here. Although my opinion is strictly that of an enthusiast/lay person, from everything that I’m reading, CyberCity looks even more promising!

Lastly, I apologize my infrequent posts as of late. I’ve been taking a DFIR class that’s been taking up much of my time. So be sure to subscribe to fork() to keep up-to-date with all the latest blog postings delivered right to your email!

Sources

O’Harrow, Robert, Jr. “CyberCity allows government hackers to train for attacks.” Washington Post, 11/26/2012.  Note: If you’re interested in learning more about the CyberCity simulation, Robert O’Harrow Jr.’s coverage of it is full of great details and covers CyberCity much more detail.

For some free computer security training videos be sure to check out Security Tube or the fork() post entitled “Computer Security Resources” for more interesting sites.

Link/Article – Memory Forensics & Encrypted Data Extraction

I’d like to post a link to a very neat paper I found which discusses the ability analyze RAM in hopes of targeting encrypted drives, volumes, files or folders (cited below). A forensic investigator can recover encryption keys and even acquire passphrases with no hash cracking needed. Once a key and/or passphrase is obtained, any encrypted medium on the hard drive using the same credentials may be compromised.

Brian Kaplan’s RAM is Key – Extracting Disk Encryption Keys From Volatile Memory, Carnegie Mellon University (May 2007).

The paper is somewhat dated as it was released in 2007. But what’s cool about it is that such analysis wasn’t as common then as it is now (live acquisition was frowned upon). While it doesn’t highlight anything new (and, indeed, shows its age at times), the paper does make for some interesting reading.

While I’m still relatively new to forensics and currently studying DFIR, I figured that this paper may be of interest to some (I found it interesting from a historical aspect). Plus this article is a good way of introducing more forensic posts to the blog.

Feel free to share similar (or more timely) articles using the comments field below!

Related Tools

Volatility by Volatile Systems

Memoryze/AuditViewer & Redline by Mandiant

Finding Encrypted Drives/Volumes on Hard Drive

EDD and, I hear, TCHunt are both excellent tools. I’ve only played around with EDD but I plan on exploring other forms of encrypted drive/volume discovery and decryption in the future.

Privacy Concerns Over New ICE Intel Database

The Department of Homeland Security has just released information concerning a new intelligence database which may impact individual privacy online. For readers concerned with online privacy issues, the FALCON-SA (Search & Analysis) System may be of great importance. While inter-agency cooperation is nothing new, inter-agency databases bring up important privacy concerns.

New ICE database enables federal agents from multiple agencies controlled by Homeland Security to upload information on individuals both domestic and abroad that is or may become a threat to national security. ICE agents can then use the data in FALCON to enforce customs and immigration law more effectively, putting them “in the know.”Combating terrorism by monitoring new immigrants seems to be a primary focus of FALCON. This may even serve to assist in the prosecution of narco-terrorists further down the line.

FALCON can also aggregate data from the public internet as well, populating its database with information gleaned by a seemingly unrelated source. This ability to quickly corolate data ensures that ICE makes informed enforcement decisions based on all available information. It is important to note that the Privacy Impact Assessments released by the DHS and mentioned here were supplied on the DHS mailing list to help mitigate concern among citizens.

Depending on your opinions regarding online safety, databases like FALCON may make you feel uneasy. Information is collected in an “ad hoc” way, as stated by the privacy DHS privacy documents. No information is collected directly from any one individual.

It is my opinion that FALCON is an achievement worthy of note because it could potentially be used to warn ICE of impending threats previously assessed by other government agencies. Of course, the potential for abuse is always present. I’ll reserve the right to pass judgment on the system since I don’t actually know how information gleaned from FALCON-SA will be used.

A positive note is that DHS has actually anticipated problems arising from the dissemination of classified information to unauthorized ICE personnel:

Privacy Risk: Because FALCON-SA aggregates data from multiple data systems, it is possible that its users may be able access records in FALCON-SA that they otherwise could not view in the source system and are inappropriate for them to access.
Mitigation: For data sets routinely ingested into FALCON-SA, ICE has established technical rules to ensure that the user privileges of the source system carry forward and apply to that user in FALCON-SA. As a result, a user’s access privileges to the data stored in FALCON-SA are identical to their access privileges to that same data in the source system. This prevents FALCON-SA from being used, intentionally or unintentionally, to undermine or defeat the role-based access controls established by the source system.”

(Taken from assessment titled “DHS/ICE/PIA-032(a).”)

Furthermore it foresees many concerns that individuals may have with their own privacy being violated. All database queries are logged and inspected routinely. ICE users are also limited to what they see by access controls imposed by ICE (DHS/ICE/PIA-032(a)). As to what “public information” is aggregated, FALCON’s Privacy Impact Assessments remain vague (presumably to adapt with the growing technological climate).

It should be noted that DHS does not need to inform individuals that their previously (legally) obtained information is accessible to ICE via FALCON:

“Because FALCON-SA is a data aggregation system that operates for law enforcement purposes, it is not feasible or advisable to provide notice to all individuals at the time their information is collected or input into FALCON-SA. With respect to information obtained from individuals through federal government forms or other means, such as information collected pursuant to seizures of property, notices on any such forms state that their information may be shared with law enforcement entities.”

(Taken from assessment titled “DHS/ICE/PIA-032(a).”)

Many other privacy concerns are brought up by the new DHS/ICE system. Such concerns are outlined in the DHS Privacy Impact Assessments linked below.  Whenever there are advancements in security there are always privacy issues being raised. Undoubtedly, We will hear more of FALCON in the days to come.

DHS Privacy Impact Assessments

DHS/ICE/PIA-032(a) (FALCON-SA Privacy Issues In-Depth)

DHS/ICE/PIA-033: Falcon Tipline

Related fork() Articles

Cyber Terrorism and the Election @ fork()

National Cyber Security Awareness Month (October)

Janet Napolitano on Cybersecurity @ ASIS 2012

Cyber Terrorism and the Election

Leon Panetta, Secretary of Defense, recently stated that the United States could be facing Pearl Harbor if it doesn’t revamp its security. This time the threat doesn’t come from physical fire fights with opponents overseas, instead it stems from the Internet. Panetta’s goal is to help pass the new Cyber Security bill, H.R. 3623 (“Cyber Intelligence Sharing and Protection Act”).

https://www.youtube.com/watch?v=QVzgPDXJisI

Summed up briefly, the new bill hopes to enable federal law enforcement with the ability to be able to access corporate computer systems in times of need. CISPA’s opposition claims that the resolution hurts individual privacy online. We’ll let you – the reader – decide on whether or not the pros outweigh the cons. To read the resolution in full please click here.

Many feel that Panetta’s comments are an over-exaggeration of a very real problem. As security expert Bruce Schneier stated on October 19th, “[t]here’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.” (Schneier on Security, 10/19/2012)

Similarly, I feel as Bruce Schneier does: although there’s a very real security threat (APTs), comparisons to Pearl Harbor or 9/11 serve only to incite fear. They aren’t based on any rational understanding of how actual computer networks work. That being said, I do believe industry control systems are at risk by forces from within as well as from without.

Over 2,000 lives were lost during the Japanese assault on Pearl Harbor. To compare a future cyber-assault to Pearl Harbor is a bit of a stretch. Despite the Secretary of Defense’s claims to the contrary, computer systems worldwide are NOT all integrated in a Terminator-style way. They may be in the distant future, but they aren’t now.

Can you DDoS systems on a network? Yes. The problem is that not all industry control systems are online or interconnected. And if they are, they must have something exploitable in order to be compromised. On top of that it is worth reminding readers that a DDoS isn’t “hacking into” anything, it is the flood of bogus traffic to an open and receptive server. Actually hacking “into” something requires systems-specific exploitation.

Panetta points to DDoS assaults such as the latest JP Morgan-Anonymous attack, but those attacks against a web server aren’t going to result in the inability for that bank to do business. E-commerce sites face greater risk from this form of attack.

Air traffic control and power grid monitoring systems are typically closed and separate from the internet. While these systems are sometimes networked on intranets or by secure other means, they aren’t actually accessible to us or an attacker. Panetta’s claims are lumping industry control systems in one big category when they should be understood on an individual basis (SCADA security is an excellent topic that well exceeds the scope of this post).

Do similar assaults pose a problem for corporate interests and cost companies revenue? Absolutely.

If the CISPA was designed to protect corporate interests alone, it would go a long way to easing the public’s opinions of the bill. The source of contention comes from CISPA giving the government power over corporate computers (in the mind’s of many citizens, anyway). Keep in mind companies like Google store your search queries in their database for a certain amount of time, identifying marks such as an IP address are removed eventually).

There probably are important systems that are connected to the Internet and need safeguarding. But to say the exploitation and disruption of such systems would cause an apocalyptic scenario is downright ludicrous. Such systems are the exception not the rule.

Proponents make mention of Stuxnet and yet rumors that Stuxnet was designed by a super power have been prevalent. Many point to the U.S. working in concert with the Israeli government to disrupt specific Siemens industrial equipment (after all, it clearly targets one ‘type’ of system). This is similar to one of the new incident Panetta mentions, a virus that targeted a very specific oil system. With Stuxnet, the rootkit is absolutely useless outside of the environment it was created to exploit: for more information see Operation Olympic Games.

You better believe the new CISPA bill is being pushed for political reasons. That doesn’t necessarily mean it’s bad either, it’s just unfortunate that the only time people “need protection” is during an election year. Positive future legislation will assist companies and stress importance of securing key infrastructure while, at the same time, ensuring that such systems aren’t accessible to the public.

Corporate espionage and enemy penetration from within a company’s own network is a very real danger but it’s beyond the scope of CISPA. Such issues are still not as prevalent as Secretary Panetta is making them out to be. Keep what Bruce Schneier says in mind when reading the news:

“But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyber-terrorism rhetoric would lead you to believe.”

Schneier on Security, 10/19/2012

I’m not a politician and I don’t care how you vote. I only care about the facts. I don’t like when people are “scared” into action especially if they aren’t given all the facts. Cyber security and safety online is an issue which transcends political parties: stay informed is important and I urge everyone to read multiple news sources online for information.

Again, while cyber-threats are real, they’ve been portrayed in the news recently in a slightly over-dramatic way. With proper insight and understanding we can safeguard necessary systems without spreading unnecessary fear.

Sources

Video: BBC News. “Leon Panetta warns of cyber Pearl Harbour” (posted by BBC24News on YouTube), October 12, 2012.

Aitel, Dave. “The The Cybersecurity Act of 2012: Are We Smarter Than a Fifth Grader?.” Huffington Post, August 3, 2012.

Schneier, Bruce. “Stoking Cyber Fears.” Schneier on Security blog. October 19, 2012. Note: As always, Schneier has links to multiple sites/essays of interest concerning this matter.

H.R. 3523: Cyber Intelligence Sharing and Protection Act (CISPA)

Related Neuralhub Posts

LOIC DDoS & The Nature of Anonymous Attacks“, October 2, 2012.

Link – In the News: Chinese Attackers Hit White House“, October 2, 2012.

National Cybersecurity Awareness Month” @ Neuralhub, October 2, 2012.

Edit: A friend asked me for clarification a while after I wrote this. He asked if I was suggesting that Advanced Persistent Threats do not exist. I positively do not believe that. I was disagreeing with likening cyber attacks to Pearl Harbor (even as a metaphor for something extremely tragic). As technologies advance so too will the risks: this assessment can change with time. Advanced threats pose a very real problem to industry and national security and I personally agree with efforts to combat them.

Link – In the News: Chinese Attackers Hit White House

Darknet recently covered an interesting article written by The Register (UK) involving a phishing attack conducted against the White House on the 1st of this month. Since it’s National Cyber Awareness Month, I figured this issue is timely and relevant. The pieces can be found here:

Hackers break onto White House military network @ The Register

Hackers Break Into White House Military Network @ Darknet.co.uk

A spear phishing attack is like any phishing attack but executed through the use of email. The attacker poses as a trusted party and obtains credentials from his/her victims in order to exploit them and the systems they have control over. As mentioned in the Neuralhub piece entitled “DNS Threats and Security Solutions,” one can can also employ other forms of social engineering attacks, such as a Credential Harvester attack, to gain sensitive information in this manner.

Another form of credential-stealing attack mentioned on the blog would be Session Hijacking which I mentioned in mentioned in this neuralhub piece.

This spear phishing attack, conducted via a Chinese network, was successful in accessing a highly sensitive network (the White House Military Office) which does everything from arrange hospitality services to “send and authenticate nuclear strike commands” (The Register, not me, I can’t claim to know whether or not this is true but it sounds unrealistic since they also mention that the network is “unclassified”). Apparently some form of attachment and/or malware was used to prep the system in question for the attacker.

Apparently no sensitive information was obtained by the attacker and that attack was halted before anything of note was accomplished.

As always with posted links, I highly encourage you to read about the issue directly from the sources cited above for greater depth.

National Cyber Security Awareness Month

Did you know that October is the National Cyber Security Awareness Month? Well you may not have known prior to this September but, due to the heavy press coverage of the event this year, you do now!

The National Cyber Security Awareness Month is celebrating its 9th year of existence with online talks and lectures to help spread public awareness of online safety issues. The event is hosted by the Department of Homeland Security (DHS), National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC; an organization that exists to provide governments worldwide in an advisory role).

MS-ISAC and their parent organization, the Center for Internet Security, is also offering a large number of IT security jobs covering project management, analysis and tech work. They also feature a pretty neat dashboard for sharing information gleaned from cyber attacks including common ports and IP addresses under attack, check the MS-ISAC Dashboard App for more information (while it doesn’t seem very extensive at the moment, it may be updated as time goes on).

NCSAM events are being hosted by a number of organizations and companies across the globe. Already we’ve seen some cool Facebook activity in the form of interactive lectures. For more official evvents check out the NCSAM calender here (note that many of the online events aren’t listed. For those be sure to check Twitter #NCSAM or watch related hashtags and tweets on Twitterfall).

For more information from the Department of Homeland Security please visit this website:

http://www.dhs.gov/national-cyber-security-awareness-month

In the spirit of NCSAM, security & compliance firm InfoSight Inc. just posted a link to one of their interesting YouTube videos on their Twitter account. The video debunks popular computer safety myths. Feel free to check out that video below:

https://www.youtube.com/watch?v=V2rBbmQOCTI

(All rights for the video belong to InfoSight Inc. and were provided for your viewing pleasure by embedding as is allowed by the Standard YouTube License regarding published public videos. I highly recommend checking InfoSight’s other Youtube videos if you’re new to internet security.)

As always you can check the Neuralhub’s navigation system or the blog’s tag cloud to find topics of interest to you. Also visit the Neuralhub post entitled “Computer Security Resources” for a list of security links to sites I find interesting.

World is Too Slow to Adopt Two-Factor Authentication

Here’s the deal: you do a lot of business online. Amazon purchases, you check your X-Box account, access social networking sites and so on. And as I’ve said time and again, man in the middle attacks are at an all time high. So you needed a way of securing your online accounts beside using just a password.

While some sites like Facebook, Google and Dropbox have implemented forms of two-factor authentication, many sites do not (to my knowledge Apple and  Amazon have not implemented TFA security). SSL alone doesn’t protect customers from online threats.  Amazon AWS does support multi-factor authentication but, at the time of writing this, their user accounts do not have this feature (upon asking their technical support why they didn’t use TFA, I was told “SSL was secure” and not to worry).

For those left out of the loop, TFA relies on either texting you an ever changing security key or displaying one using a token generator (such as the great Google Authenticator for Android). Logging into a website from an unknown computer (one where a former cached login could not be found) results in a page asking you to confirm a key displayed on your token generator.

The way it works now if you don’t remember your password? A reset email can be mailed to you… not such great security. It sends an email to the account you registered with. If your email account is compromised to begin with, your other accounts can be too. All the SSL in the world doesn’t amount to a hill of beans if you don’t have better security practices for users that want to make use of them.

Social engineering attacks can also be used to get companies to change your passwords by phone. Apple and Amazon have already been caught doing this. For more information see my post entitled “Apple’s Social Engineering Crisis.

So why don’t sites adopt TFA? They don’t want to be bothered implementing it. Really. That’s the only excuse I can think of since, if companies follow Google’s example, you have to manually opt in to using it in the first place.

So enough is enough. Start telling the companies that you do business with online to enact TFA now.

Related Articles (Better than this rant)

Please Turn on Two-Factor Authentication.” Curts, Matt @ Lifehacker.

Two-Factor Authentication: The Big List Of Everywhere You Should Enable It Right Now.” Gordon, Whitson @ Lifehacker Australia.

“XBox GM Talks Xbox Live Security.” Frederiksen, Eric. July 19,2012. See: http://www.technobuffalo.com/gaming/platform-gaming/xbox-upgrading-security/

Products of Note

Google Authenticator for Android

Google Authenticator for iOS

SolidPass Two-Factor Authentication Token (Used in many places)

Related Blog Posts

Public Wi-Fi? Be Mindful of Session Hijacking

Links – Application of Elliptic Curve Crypto

With the NSA/CSS’s support of RSA dwindling, they’ve adopted the public key ECC method with open arms with their Suite B. This is in part due to the fact that small sized RSA keys have been cracked to some degree and that the associated contracts with the NSA have ended (keys over 1,024 bits are still safe at the time this post was created). This post will give some information on ECC’s adoption and cellular cryptography.

Since I just started using secure voice apps on my Android, I thought I’d provide you with a list reference material regarding ECC’s increased usage in every day technology. Feel free to check out the solutions mentioned below as well (I do not endorse any of them; find a solution that works best for you and your needs).

We now find ECC used in nearly every aspect of secure computing from chat servers to cell phone voice encryption. And yet ECC’s primary goal is to utilize PKCS by providing a secure means of authentication and digital signature management as opposed to whole document encryption. The algorithm is best utilized in actual data streams flowing from one network to another in conjunction with other well established algorithms to encrypt the contents themselves.

Secure SIP providers around the globe have started producing secure VoIP tools that use ZRTP to transport data using key encryption and SRTP to actively encrypt that data. This is a really good way of thwarting cellular eavesdropping.

For example, VoIP provider S.M.A.R.T.S. Technology designed HushCrypt on Android to encrypt voice calls handset-to-handset using AES-256 based on the ZRTP utilizing the ECDH-38 elliptic curve. Their competition, RedPhone by Whisper Systems, uses ZRTP and its encrypting component, SRTP. Experiment with them as you see fit and determine which is best for you.

Similarly, my favorite secure texting app on Android (also provided by Whisper Systems), is TextSecure, as it relies on ECC in transit and AES-128. Keys are generated on a session-to-session basis and remain “alive” until either party cancels the session (this is complaint with NSA Suite B, for more information see the related link below).

Pretty heavy encryption, huh? But as Henry Kissinger once said, “Just because you’re paranoid don’t mean they’re not after you.” And in this world of increased threats: a little security goes a long way.

ECC & Cellular Crypto Resources

If you’re interested in learning more about the encryption standards used in commonly accepted technologies, please feel free to visit the links below (think I missed a cool link? feel free to share and I’ll pop it up on the list).

Also feel free to check out the WordPress recommended links throughout the post as I’ve approved some good Wikipedia entries!

NSA Suite B on the combined use of AES, ECC and SHA Hashes  (includes Whitepapers for interested Math majors)
ECC to replace RSA,” Blogspot’s In God I Trust blog
The Case for Elliptic Curve Cryptography,” NSA/CSS Homepage.
HushCrypt Secure Phone on Google Play Android Store
Whisper Systems Security Products
WhisperSystems/TextSecure Wiki on the Protocols Used
WhisperSystems/RedPhone Wiki on the Protocols Used
Voice Encryption Basics on Wikipedia
SRTP Protocol Whitepaper
NSA Watch,” Schneier, Bruce.  September 30, 2005. Schneier on Security blog. *

* Note: If you aren’t subscribed to his blog, read his articles or read his books (and you’re interested in computer security), you don’t know what you’re missing. This Schneier blog post has everything you need to know about ECC including links to some great resources that go well beyond this shallow post. Bruce Schneier is a name you can trust.

Related Posts

I mentioned using PK and ECC in my blog posts entitled “Encrypted Messaging Using OpenPGP and Psi,” “DNS Threats and Security Solutions,” and “Links – PGP Security.”