Archive

Archive for the ‘General’ Category

T-MPC

July 30, 2014 Leave a comment

Some of my PhD research was recently published in IEEE Information Forensics and Security journal. It is on a paradigm shift I came up with relating to multiparty computation, which I call transferable multiparty computation. The idea is to allow the set of parties involved in the computation to change over time without leaking intermediate results. Check it out here.

Advertisements
Categories: General

Good Passwords

July 14, 2014 2 comments

I was thinking about good passwords today. There has been a lot of talk about good passwords in the past few years. This is especially true given some problems we’ve seen with service providers not following best practices (*cough* Adobe *cough*). XKCD gave it’s thoughts, which Schneier says isn’t so great any more. 

So, it made me wonder, is there a super simple way to gauge the security of your password? The thought I came up with is: if you write it down and show it to someone for 1 second, is your password still secure? If not, your method for generating passwords is too simple. If so, you may have something.

That said, password managers are still a good way to go. Given the fact that you can even get them on your phone with an encrypted database, there is no reason to not be using one.

Categories: General

“Avoid an interruption of your data service”

September 1, 2009 3 comments

AT&T Free Msg: Important information! Your iPhone does not currently have the necessary data plan required for all iPhones. Plase call us by Sept. 14 to avoid an interruption of your data service. Our reps are ready for your call. Just dial 611. We appreciate your business.

They are at it again. AT&T sent the above SMS out this morning to all iPhones without the proper service plan. This mean they want to force you to purchase a data plan for you iPhone you either bought off eBay (or wherever) which is not under contract with AT&T. If you don’t have a data plan at all, will it matter that you have interrupted data service? I doubt it. Can they legally do this, add a service to your plan without your consent? Well, it is possible, but why even find out. Why not just switch service providers to another GSM provider that doesn’t care. This is the great part about competition and a free-market economy.

Categories: General

Is someone reading your SMS and listening to your phone conversations?

August 26, 2009 Leave a comment

There is a new project out there that will make it possible for anyone to listen to your GSM cellular phone conversations, read SMS message, etc. GSM is very popular; it is used on AT&T, T-Mobile and many others. GSM uses A5/1 encryption which has been known to be vulnerable to attacks for years. Karsten Nohl is simply starting a project that uses these old vulnerabilities to index enough information so anyone can easily decrypt the conversations without knowing the encryption key. Will this light a fire under cellular network designers to make their systems more secure?

Categories: General

AT&T doesn’t like your Jailbroken iPhone

August 18, 2009 29 comments

Today, AT&T sent out the following text:

We need your help regarding your iPhone account. Your iPhone does not currently have the necessary data plan required for all iPhones. Please call us by Sept. 14. Just dial 611. We appreciate your business.

Personally I don’t think this will go well for AT&T. People with iPhones but no data plan are doing it for a reason. They want the cool new phone without spending all the extra money. They aren’t bogging down AT&T’s network at all and any cellular data they use, they are charged for. It seems like a non-issue to me. If they really plan on doing anything, they better expect a lot of people to switch to T-Mobile, since I’m sure T-Mobile doesn’t care one bit if people are using iPhones on their network.

Apple has been warning jailbreakers that they are a risk to national security for some time now. I guess it was time AT&T started going after people too.

For now I would suggest people ignore AT&T, but I am not a lawyer. If you do call them, however, leave a comment and let us know what they say.

Update: It seems a lot of people have gotten this message, so I have been doing a little research. I found an interesting post that explains AT&T’s policy. It seems like if you don’t have a data plan at all, it won’t matter since they are only going to disrupt data service. I could be wrong though.

As a side note, I don’t see why AT&T has to know you are using an iPhone. If someone has any ideas on how to block the iPhone from sending that sort of information to AT&T, let us know. Also, if someone has a spare iPhone they want to donate, I’ll do some research on how to stop that information from being sent to AT&T. No promises, but I’ll do my best!

Another Update (Sept. 1, 2009): Avoid an interruption to your data service

Categories: General

There is no hiding the source (and use SSL while you’re at it)

May 31, 2009 1 comment

Security through obscurity is never a good thing and will always be broken. We can see this with the iPhone’s encrypted AppStore binaries. Once the phone is jailbroken, it is trivial to decrypt the apps; you simply run the program with gdb and set a breakpoint after the decryption software has run. Viola! you have the decrypted app. The virus writers do a much better job at this.

Recently I downloaded a Firefox plugin (I know, nothing to do with the iPhone, but illustrates my point) which required paid registration to gain access to all the features. I pulled up wireshark and noticed that every time I started Firefox it would query the companies servers to see if the license was valid. The silly part was, however, that all the queries ran over traditional http (no encryption). It would be trivial to change the hosts file on my computer so that their domain was redirected somewhere else. Perhaps to a server that I controlled that would tell the program that the license was valid.

This is not the worst part, however. In the ~/.mozilla/firefox/profile.default/extensions/addondirectory (not sure where it is on Windows) directory I had access to all the javascript which did the queries to see if the registration was valid. A simple modification of two or three lines of code to make the server response a static “VALID” is all it would have taken.

Why do I bring this all up? First of all any iPhone app developer who thinks no one will have access to the files on the device is obviously wrong. Hard coded passwords, registration numbers/processes, etc are all a bad idea. Second, of all the third party apps I’ve tested that use network connections to push out the user’s recent score in a game, download the high score list, etc, none of them use SSL. This is a bad idea because using MITM techniques I could modify the packets and no one would be able to detect that. Also, let’s say there was a buffer overflow in the code that parses the high score list. Any exploit could be thwarted if the connection were SSL and proper certificate checking were performed. Instead, however, all an attacker would have to do is MITM the host and inject the exploit when the high score list comes back from the server.

Categories: General Tags: , ,

Bad proxy, bad!

May 21, 2009 Leave a comment

At the IEEE Symposium on Security and Privacy this year, a group from Microsoft Research and some students presented an attack on browsers using proxies. There paper can be found here. Basically any browser that was using a proxy server (either through WPAD, automatic or manual configuration) was vunerable to this attack. Basically the proxy server could respond to an https request with an error, but they could put any html/javascript/etc code in the response they wanted. For example, the server could respond with an error that also had an iframe pointing to the originally requested page. That page would then get displayed, but the attacker could inject additional javascript to steal elements off of the iframed page. They also demoed another attack in which the attacker tricked the browser into caching the actual page’s certificate but also sent some refresh code. The browser would then show the real site’s certificate info but the attackers website. This would be perfect for phishing sites.

This got me to wonder, are smart phone browsers vulnerable to this too? My guess is that they are, but to what extent. I believe that AppStore and iTunes connections are SSL. What about older Windows Mobile IE browsers? In the next few weeks I hope to code up a tool that can test these OSes against this vulnerability.