Well it looks like what happened to WEP all those years ago is going to happen to GSM now. The methods have been known, the theory is established but the breaking point is when freely available tools are published that makes it possible for anyone to perform the attacks even without really understanding what is going on.

The recent news about WPA2 being cracked generated a lot of discussion, mostly highly technical – which means that you don’t have to worry too much about WPA2 being insecure as the attack isn’t really viable and relies on the ‘attacker’ already being authenticated with the network. There are easily ways to do the same thing with good old ARP spoofing.

Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world’s most widely deployed mobile technology.

“The whole topic of GSM hacking now enters the script-kiddie stage, similar to Wi-Fi hacking a couple years ago, where people started cracking the neighbor’s Wi-Fi,” said Karsten Nohl, a cryptographer with the Security Research Labs in Berlin who helped spearhead the project. “Just as with Wi-Fi, where they changed the encryption to WPA, hopefully that will happen with GSM, too.”

The suite of applications now includes Kraken, software being released at the Black Hat security conference on Thursday that can deduce the secret key encrypting SMS messages and voice conversations in as little as 30 seconds. It was developed by Frank A. Stevenson, the same Norwegian programmer who almost a decade ago developed software that cracked the CSS encryption scheme protecting DVDs.

It seems that with this suite of tools and the right hardware kit it’ll be a LOT easier to snoop on GSM transmissions. This includes cracking the secret key for SMS messages as well as being able to listen to voice streams.

The rainbow tables required for the crack are rather large at 1.7TB but it allows the attack to be pulled off in a mere 30 seconds. And thankfully they are being offered freely rather than on a paid for basis. They are planning to push out a torrent for the files, which as long as people keep seeding it, will work well.

It has been designed to work seamlessly with 1.7TB worth of rainbow tables that are used to crack A5/1, a decades-old encryption algorithm used to protect cell phone communications using GSM, which is used by about 80 percent of the world’s mobile operators. A small confederation of researchers announced last year they were setting out to create the voluminous index, which exploits known weaknesses in the encryption formula.

Distributing the rainbow tables has proved to be a challenge to the project participants. Stevenson said people in Oslo, where he’s located, are welcome to exchange a blank hard disk for one that contains the data. Eventually, the group expects to make the tables available as a BitTorrent.

The GSM Alliance, which represents almost 800 operators in 219 countries, pooh poohed the universal snooping plan by characterizing the attack as theoretical and saying encryption wasn’t the only protection preventing eavesdropping on real-time communications.

That’s where another tool, called AirProbe, comes in. An updated version of the program, also to be distributed Thursday, works with USRP radios to record digital signals as they pass from an operator’s base station to a GSM handset. Combined with refinements in the open-source GNU radio, it works by pulling down voluminous amounts of data in real time as it travels to the targeted cell phone and storing only those packets that are needed to snoop on a call.

In all honestly I’m not really familiar with GSM protocols, encryption or their weaknesses as it’s not an area I’ve ever ventured into, so if any of you have any input on the above claims I’d be interested to hear it. Has this attack been possible for a while? Is it really a risk, or just another mostly theoretical attack depending on many factors to pull it off?

Either way it’s a pretty interesting story and I’ll be seeing where it goes.

Source: The Register

Now this is interesting a proper mathematical calculation for using cloud computing to crack passwords, now Amazon has opened up their EC2 (Elastic Compute Cloud) the cost of massive parallel processing power has come right down.

And guess what, someone thought of using it to crack passwords. It seems the cut-off would be a 12 character password as even with all lower case characters it would cost USD1.5 million to crack.

It gets exponentially cheaper as you remove each character (due to the calculation using the power of the number of characters) so a 10 character password would only cost you just over USD2000!

Forget what you’ve learned about password security. A simple pass code with nothing more than lower-case letters may be all you need – provided you use 12 characters.

That’s the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud computing services offered by Amazon.

Based on hourly fees Amazon charges for its EC2 web service, it would cost more than $1.5m to brute force a 12-character password containing nothing more than lower-case letters a through z. But user beware, an 11-character code costs less than $60,000 to crack, and a 10-letter phrase costs less than $2,300.

Adding upper-case letters and numbers to a password offers some additional security, but not as much as you might think. Such a phrase using 10 characters would cost less than $60,000 to attack, while an 11-character code would cost roughly $2.1m. Even passwords that contain an additional 32 characters such as !@#$% are relatively cheap to crack if they are short enough. An eight-character password would cost a little more than $106,000.

I’d say adding upper case letters and numbers makes quite a difference, a 10 character passwords jumps from just over USD2000 to crack all the way up to USD60,000. That’s a factor of 30!

I’d say a 10 character password containing uppercase, lowercase, numbers and specials characters should be well into the millions and keep you fairly safe.

I did write some guidelines and tips on creating a secure password a while back, you can check it out here – Good Password Guidelines – How to Make a Strong/Secure Password.

The analysis, which Campbell posted here, builds off of research fellow security consultant Haroon Meer of SensePost presented earlier this year at the Black Hat conference. In it, he showed how EC2 could provide criminals using stolen credit cards with the equivalent of a super computer to crack encryption keys and passwords.

And that, in turn, will require new ways of thinking on the part of white hats.

“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”

Although Amazon takes pains to ration resources it makes available to single customers, Meer showed it was possible to get around such limitations using a single credit card. Presumably, it would be even easier to bypass those controls using hundreds or thousands of stolen credit cards, something that is trivial for criminals to get a hold of. Campbell’s assumptions are based on simple arithmetic.

It’s interesting research nevertheless, I’d say Cloud Computing is only going to get more powerful and cheaper to rent so character based passwords may become completely defunct at some point in the future.

The computing power is not at the point where you have to worry about your 1024 bit RSA encryption quite yet, but it may well be in the near future as it’s already advised to use a 2048 bit key length!

Combining this platform with the abundance of stolen credit card details the blackhats have could be quite devastating.

Source: The Register

Splogs are becoming a huge problem, half the stuff you search for nowadays returns a splog, mostly auto syndicated content.

I find a lot of my own entries on there, surrounded by Adsense ads.

New age scrapers I guess.

Technorati returns a lot of results from splogs too, but at least they have made some efforts to clean that up and Google and being making sign-ups for blogspot much stricter so people are having to resort to their own domains, like the scrapers.

Microsoft today released new research on the epidemic of spam blogs — or “splogs” — as well as the “comment spam” that dodgy marketers splatter all over blogs in a bid to improve their sites’ search-engine rankings. Redmond’s research team found that splogs hosted on Google’s Blogspot.com appear to be widely spammed and fairly effective at jacking up the search results for the spammers’ Web sites.

Comment spam is also getting pretty bad, I can get a couple of hundred a day on some sites.

I’m glad they are making some kind of effort to sort it out.

Yi-Min Wang, manager of Microsoft’s cybersecurity and systems management research group, told me that the goal of Search Defender is to help the software giant automate the filtering of splogs and comment spam links in search results returned on MSN.com.

“We now have a method to identify spammers so that before they get indexed into search results, we can block them,” Wang said. “When this is fully automated, the spammers will need to spend a lot more effort trying to get into our search results.”

We ourselves as writers also have to take measures to curb the comment spam, I use Akismet and find it extremely effective!

But that’s just a start: Sitepoint has some excellent tips on fighting comment spam. Also, most of the major blogging sites now include pointers on how to use antispam features. Blogger.com lets users require commenters to follow a verification process — essentially a captcha — to help weed out automated processes. WordPress has its own tips here, or users can outsource their blogspam patrol (well, sort of) with Akismet, a free (for personal use) tool that compares any link, trackback or comment left on your WordPress blog to a service “which runs hundreds of tests on the comment and returns a thumbs up or thumbs down.” SixApart, which runs TypePad and LiveJournal, also lists a number of tips for users fed up with blogspam.

At least everyone is aware of it now, we just need to get back to fighting it.

Source: Washington Post