A tweet from #AndroidPolice on Android booloaders and the security mechanism around it came to me through #cyanogen today. While it’s not meant to be comprehensive, I think it does help point developers and modders in the right direction to understanding come fundamental building blocks in information security. The fact that these security circumvention techniques float about on the Net goes to show that although the underlying encryption schemes and ciphers remain intact, hackers have consistently managed to find attack vectors that “side step” these measures, hence the term “circumvention”. It’s a proverbial game of cat and mouse perhaps calculated to cost-effectively block a majority of users while appeasing to script kiddies and modders alike. Link to the post on Android Police here.
German researcher Karsten Nohl has cracked the encryption used for GSM. His team has made information and tools needed to replicate the attack with a somewhat modest set up. The A5/1’s 64-bit encryption key used in GSM is simply too short for the kind of computing power widely available today. Considering that the technology is over 20 years old, however, it’s robustness is still remarkable.
Here’s the A5/1 Cracking Project’s website.
A report from The Register said that hours of unencrypted surveillance video feeds were intercepted by the Iraqi insurgents. A laptop containing the video feeds were discovered late 2008, but it’s not clear from the report when those feeds were intercepted.
Why were those video feeds unencrypted? Granted even the strongest encryption scheme to date isn’t unbreakable, given enough technical know-how, processing power, and time. My guess is that the contractor or subcontractor supplying the camera or the transceiver forgot to turn encryption on, and no one caught the fatal error.
Here’s the full story.
I don’t need to tell you how important data backups are. These days, several online backup services based on cloud computing are available for either free with some limited storage to a affordable monthly fee for unlimited storage. Carbonite, Mozy, Blackblaze, and Dropbox are a few excellent examples. There are advantages and disadvantages of these various services. I use 3 out of the 4 mentioned, depending on the type of data, frequency of changes, , and how often I need to access them, etc. For my VPS host at RapidVPS which runs on Ubuntu, I use Dropbox because Dropbox has a fairly decent support for Linux.
Here’s a pretty good instruction at Dropbox. I didn’t follow the instruction exactly, but I’ve repeated the step enough times to know that it works for the most part. I had some problems with my Python 2.6 installation after incrementally upgrading from 8.04 -> 8.10 -> 9.04 -> 9.10, but it’s all good now. Anyway, on my VPS host, I set up several cron jobs to dump mysql databases and svn repos, rsync contents of some /var/www and tar-gzip contents of /etc, /root, and /var/log. I don’t need to keep multiple versions of the backups because dropbox automatically takes care of incremental backup and versioning. One thing to be aware, however, is that Dropbox doesn’t encrypt data, either in the transmission or storage, so you might want throw something like TrueCrypt or GnuPG in the mix.
Once backups are set-up with Dropbox, you can even subscribe to the backup/revision history RSS feed(s) provided by Dropbox to stay on top of the status.
Several other useful resources:
TLS is the underlying technology used by modern browsers and web servers to encrypt data communicated between them. (Since TLS is a transport layer facility, it can be used in any other application layer protocols like SMTP, POP, etc, in addition to HTTP.) While the encryption itself has been regarded as “secure enough” by online banking services (encryption relying on 4096-bit public key as of 2009), among others, there is another type of attack which is independent of the strength of the encryption used – man-in-the-middle (MITM) attack.
Here’s a blog post demonstrating one way it can be done. Browser security patches should be on their way.