[SecurityRatty] tag: serial

Government Can Determine Location of Cell Phones without Telco Help

Wed, 26 Nov 2008 03:06:43 +0000

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.
This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI's cell-phone tracking practices. Since August, they've received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.

Remotely Eavesdropping on Keyboards

Thu, 23 Oct 2008 08:48:16 +0000

Clever work:

The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They've outline four separate attack methods, some that work at a distance of as much as 65 feet from the target.
In one video demonstration, researchers Martin Vuagnoux and Sylvain Pasini sniff out the the keystrokes typed into a standard keyboard using a large antenna that's about 20 to 30 feet away in an adjacent room.

Website here.

Security's connections and intersections

Sun, 28 Sep 2008 20:00:00 +0000

Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists; serial specialization is the only broad option available to them.

DPC urged to take tougher stance

Thu, 08 May 2008 11:26:37 +0000

The Data Protection Commissioner (DPC) has been urged to take a firmer stand against abusers of the data protection regime and fine serial offenders.

Got Entropy ?

Tue, 01 Apr 2008 22:55:47 +0000

So I have been planning a series of podcasts on Cryptographic Controls. In the process of this planning, I fell into one of the classic traps that crypto-geeks fall into: obsessing about random number generators (RNGs).

(FYI, for the impatient, click here.)

There are two ways to generate random numbers on computers: (1) use a software program called a Pseudorandom Number Generator (PRNG) or (2) use a hardware random number generator. A Pseudorandom Number Generator uses a seed value to generate a sequence of numbers that appear random. The problem is that the same seed generates the same random sequence. The hardware based RNG observes and samples some physical phenomenon which is random, such as cosmic rays, RF noise, etc. (aka Entropy).

RNGs are important in Information Security because they are used to generate encryption keys, salts, etc. Historically, attacking RNGs has proven effective, such as the defeat of Netscape’s HTTPS sessions.

Most operating systems utilize a hybrid approach, implementing a PseudoRandom Number Generator that has a seed that is regularly updated through the collection of random hardware events. This process is called Entropy Collection or Entropy Harvesting. For most applications, this approach should be completely sufficient. However, one of the key assumptions is that the operating system has been up and running long enough for the seed value itself to become hard to predict through the collection of Entropy. Also, many of the Entropy collecting events come from properties of hardware devices, such as the minor variations in hard drive rate of rotation. As such, there are a few circumstances where the OS RNG may not be good enough for strong cryptographic key generation:

Live Boot CD ( The start state of the RNG may be predictable. )
Virtualized Hosts ( OS may be dependent on simulated events for randomness. )

( Given the exploding popularity of virtualization, this is an area worthy of research. Stay tuned. )

Design of the Got Entropy Service

Many RNGs (such as the one included in Linux, as well as OpenSSL’s) allow the addition of entropy from outside sources. So I started looking to Entropy sources I could use to bolster the RNGs on my virtual hosts (and other uses…). While I was looking into this, it occurred to me that I had an unused TV tuner card, a PVR-350.

When a TV is tuned to a channel with no local station, the ’snow’ on the screen is RF noise (the same as the static between stations on AM radios). But, for reasons beyond our scope, you never use a direct physical observation as the RNG. You have to ‘de-skew and whiten’ the data prior to sampling it. Here is the process that I use:

Collect about 3 minutes of video ( about 130 MB data ).
Using a random key and IV, encrypt the data ( using openssl & AES-128-CBC ).
Discard the first 32k of the file.
Use each of the following 32k blocks as samples.
Compress each sample with SHA-256.
Discard the last block.

Steps 2 and 3 remove any patterns, such as MPEG file formatting, from the data.
Steps 4 and 5 generate a 32-byte random value ( 1024 to 1 compression in the hash ).

Check it out at http://gotentropy.artofinfosec.com

Can an Attacker Broadcast a Signal to Undermine This?

Such an attacker could not remove RF noise from the received signal. Our eyes and brains are good at filtering out the noise in the TV video, but there is a lot of it. Part of the noise comes from the atmospheric background RF, but there are also flaws (noise) in the tuner’s radio and analog-to-digital capture circuitry.

I think this is a pretty strong RNG, and I have provided an interface for pulling just the values.

Also, I have written a script ( getEntropy.sh ) that will pull Entropy from the service and seed it into /dev/random on Linux.

Results from ENT

Here are results, from a sample run of the Got Entropy, analyzed by ENT ( A Pseudorandom Number Sequence Test Program provided by John Walker of www.fourmilab.ch - Thanks, John! ).

Entropy = 7.999987 bits per byte
Optimum compression would reduce the size of this 13366112 byte file by 0 percent.
Chi square distribution for 13366112 samples is 233.85, and randomly would exceed this value 82.48 percent of the time.
Arithmetic mean value of data bytes is 127.4767 (127.5 = random).
Monte Carlo value for Pi is 3.143054786 (error = 0.05 percent).
Serial correlation coefficient is -0.000078 (totally uncorrelated = 0.0).

Resources for the Curious…

Cheers, Erik

Art of Information Security would love your feedback !

Got Entropy ?

Hollywood's 'Untraceable': Fact or fiction?

Thu, 17 Jan 2008 21:00:00 +0000

Sony Pictures' "Untraceable" presents a cyber serial killer using an unknown Web site to stalk and murder victims. Former FBI Special Agent Ernest E.J. Hilbert II consulted on the film and shares his take on its realism.

YWCA Retirement Fund participants exposed in stolen computer

Tue, 11 Dec 2007 09:23:19 +0000

Technorati Tag: Security Breach

Date Reported:
10/9/07 (backdated)

Organization:
The Young Women's Christian Association (YWCA) Retirement Fund, Inc.

Contractor/Consultant/Branch:
None

Victims:
Active fund participants between January 1st, 2002 and September 28th, 2007

Number Affected:
Unknown

Types of Data:
Name and Social Security number.

Breach Description:
On Monday, October 1st, 2007 YWCA Retirement Fund employees noticed that a computer had been stolen from the Fund's office in New York. The computer contained sensitive personal information including names and Social Security numbers for active fund participants from January 1st, 2002 to September 28th, 2007.

Reference URL:
State of New Hampshire Attorney General's Breach Notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official breach notification and letter to victims:

We are writing to inform you that some of your personal identification information may have been compromised recently.
[Comfyllama] "May have been compromised"? No, no, no. If you do not have a reasonable assurance that data confidentiality, integrity, and availability remain intact, then the data IS compromised.

On Monday, October 1 when The Young Women's Christian Association Retirement Fund, Inc. staff arrived at the Fund's office we discovered one computer had been stolen.

The stolen computer contained the names and Social Security numbers of individuals who were active Participants in the Fund at anytime during the period from January 1, 2002 to September 28, 2007.
[Comfyllama] We couldn't find any information to give us an idea of how many people this refers to, but we didn't look long.

The stolen computer did not contain addresses, telephone or email contact points and most importantly no account balances.
[Comfyllama] Unauthorized access to any of this information is bad, but "most importantly no account balances"? If I had a choice, I think I would rather have my account balance disclosed than I would my name and Social Security number.

Several factors lead us to believe that the risk to your personal data is rather low.

Here is further information about what occurred and these facts should help you assess the risk to your personal identification information:

1. only the computer was stolen, not the monitor, nor the mouse, not the power pack
[Comfyllama] I am confused. What does this have to do with the risk of unauthorized data access?

2. the stolen computer was of a type that requires a power pack, not a power cord. Power packs are not sold through retail outlets but must be ordered from the computer manufacturer which requires the computer's serial number, the customer's account number and name. Dell has been notified of the theft. Any attempted order will be flagged, the caller id will be recorded and forwarded to both the Fund and the New York Police Department with whom we met Monday afternoon, October 1.
[Comfyllama] This is simply untrue and useless information. If you need a Dell power cord for a laptop, go to Dell and order one without proving a serial number, customer account number and name, or go to one of many of retail outlets that DO sell them.

3. a passcode is required to access the personal identification information stored on the stolen computer.
[Comfyllama] This "passcode" is nothing more that a momentary nuisance to anyone with simple computer skills.

The fund has reviewed the pertinent 24-hour surveillance tapes from the week-end and they have been turned over to the NYPD.

We have already purchased and installed DEFCON cable locks on all computers.

In the next few weeks the Fund will consult with a security firm to evaluate our entire operation. It is the intent of the Fund to implement the security firm's recommendations for improving data protection.
[Comfyllama] Let's hope that the "security firm" is worth at least half the price.

We sincerely apologize for causing you concern

Please be assured that we will be ever more vigilant in protecting your data. If you have any questions, or if we may be of any further assistance at anytime, please call us toll-free at 1-800-222-4738.

Commentary:
This breach occurred not just as a result of a break-in and theft of a computer. This breach occurred as a result of a fundamental failure of information security. We don't have the privilege of looking at the YWCA Retirement Fund's information security program (assuming one exists), so we don't know much more than what we read in the Fund's response. From reading the Fund's response, we can judge that the YWCA Retirement Fund is a poor custodian of sensitive information. The response is one of the most clueless that we have seen to date.

I sincerely hope that the security firm eluded to in the response will recommend some serious changes, one of which would include encryption of data at rest. I am sure the list will be long (assuming the security firm knows what they are doing).

Past Breaches:
Unknown

Domain Kiting vs. Domain Tasting

Mon, 06 Aug 2007 10:25:47 +0000

My latest column on ICANN's investigation into the domain tasting issue relies heavily on the ICANN GNSO Issues Report on Domain Tasting.

One point the report makes which I found very interesting is the distinction it draws between "domain tasting" and "domain kiting." I've frequently seen the two terms used interchangeably, or at least in a way that engendered confusion. The report draws a sharp distinction. The definition for domain tasting they give is:

A monetization practice employed by registrants to use the AGP to register domain names in order to test their profitability. During this period, registrants conduct a cost-benefit analysis to see if the tested domain names return enough traffic to offset the registration fee paid to the registry over the course of the registration period (e.g., currently $6 for a .NAME domain name).

The definition for "domain kiting" they cite is

A form of domain tasting which involves continual registration, deletion, and re-registration of the same names in order to avoid paying the registration fees. This practice is sometimes referred to as "domain kiting." This term has been mistakenly used as being synonymous with domain tasting, but it refers to multiple and often consecutive tasting of the same domain name that avoids paying the registration fee. N.B. there is no guarantee that a registrant who allows a name to drop at the end of the AGP will be successful in re-registering it as other registrants may also compete for the same name.

IOW, domain kiting is serial domain tasting.

This clears up a lot for me.

"Prosthetic Biometrics": Microchips Under Your Skin

Thu, 08 Feb 2007 21:00:00 +0000

Several years ago, I gave a talk at a local university on biometric authentication--the security applications of fingerprint recognition, iris scanning, and so forth. A faculty member approached me afterward to ask why I was bothering. After all, wouldn't we all be surgically implanted with digital authentication devices in the not-too-distant future? I laughed at the idea of "prosthetic biometrics." Gently, I hope. Today a company called VeriChip conducted an initial public offering. VeriChip sells small, encapsulated microchips (RFID tags) that transmit unique serial numbers over short distances via radioâ€”surgically implantable authentication devices, in fact. Dogs and cats have been regularly implanted with RFID tags for years. That beta test, if you will, has been has largely successful: Many shelters are equipped to scan RFID tags in animals lacking other identification, and many pets and owners owe their happy reunification to the devices...