Wiretapping Countermeasures

The Electronic Frontier Foundation’s Seth Schoen reports on wiretapping: how it works, and how a simple touch-tone chord can disable it. I found it interesting that law enforcement actually auctions off their old wiretapping equipment on eBay, sometimes failing to erase old taps off the system.

Read “Wiretapping Vulnerabilities”

Related: “Signaling Vulnerabilities in Wiretapping Systems”


Securing VoIP with Zfone

Philip Zimmermann, creator of PGP, has released new software for Linux, MacOS and Windows called Zfone, which encrypts VoIP telephony. Here is how Zimmermann describes it:

Zfone is my new secure VoIP phone software, which lets you make secure phone calls over the Internet. It encrypts your call so that only the other person can hear you speak. Zfone lets you whisper in someone’s ear, even if their ear is a thousand miles away.

In the future, the Zfone protocol will be integrated into standalone secure VoIP clients, but today we have a software product that lets you turn your existing VoIP client into a secure phone. The current Zfone software runs in the Internet Protocol stack on any Windows XP, Mac OS X, or Linux PC, and intercepts and filters all the VoIP packets as they go in and out of the machine, and secures the call on the fly. You can use a variety of different software VoIP clients to make a VoIP call. The Zfone software detects when the call starts, and initiates a cryptographic key agreement between the two parties, and then proceeds to encrypt and decrypt the voice packets on the fly. It has its own little separate GUI, telling the user if the call is secure. It’s as if Zfone were a “bump on the cord”, sitting between the VoIP client and the Internet. Think of it as a software bump-on-the-cord. Maybe a bump in the protocol stack.

Zfone is still in beta and versions are available for download for Linux and MacOS. A Windows version is due out in mid-April.

Read more at the Zfone website

A Brief Introduction to Port Knocking

Infoworld’s Roger Grimes writes:

Many, many innovations come from the Linux and Unix world. Few are more intriguing to me than port knocking. As a global security plug-in to protect services, it has a lot going for it and few downsides. However, for one reason or another, it suffers from lack of use and understanding. A lot of administrators may have heard of it, but few know how to implement it. Even fewer have used it.

Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service. In its most basic form, the remote user’s client software must first connect to one or more ports before connecting to the final destination port.

Read the rest of the article.
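
The basic form Grimes describes, sketched from the server's side as an added example (not code from the article or from any port-knocking tool): a gate tracks each source's progress through a fixed knock sequence and only then admits that source to the protected port. The knock ports, protected port, time limits and sample events are constructed assumptions.

```python
# Added illustration: constants and sample events are constructed, not from the article.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # ports to hit, in order (assumed)
PROTECTED_PORT = 22                  # service hidden behind the knock (assumed)
WINDOW_SECONDS = 10.0                # whole sequence must complete within this
GRANT_SECONDS = 30.0                 # how long a successful knock stays valid


class KnockGate:
    def __init__(self):
        self.progress = {}  # src -> (index of next expected knock, time of first knock)
        self.granted = {}   # src -> time at which the grant expires

    def observe(self, ts, src, dport):
        """Handle one inbound attempt; True only if the protected port is opened."""
        if dport == PROTECTED_PORT:
            return self.granted.get(src, 0.0) > ts
        idx, started = self.progress.pop(src, (0, ts))
        if ts - started > WINDOW_SECONDS:
            idx, started = 0, ts                 # too slow: start over
        if dport != KNOCK_SEQUENCE[idx]:
            idx, started = 0, ts                 # wrong port: progress is lost
        if dport == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                self.granted[src] = ts + GRANT_SECONDS
            else:
                self.progress[src] = (idx, started)
        return False                             # knock ports always look closed


def replay(events):
    """Feed (time, source, dest port) events to a fresh gate; report protected-port results."""
    gate = KnockGate()
    return [(src, gate.observe(ts, src, dport)) if dport == PROTECTED_PORT
            else gate.observe(ts, src, dport) or None
            for ts, src, dport in events]


# Constructed sample traffic (documentation address ranges).
EVENTS = [
    (0.0, "198.51.100.7", 7000), (1.0, "198.51.100.7", 8000),
    (1.5, "203.0.113.9", 22),                     # no knock at all
    (2.0, "198.51.100.7", 9000), (3.0, "198.51.100.7", 22),
    (4.0, "203.0.113.9", 7000), (5.0, "203.0.113.9", 9000),
    (6.0, "203.0.113.9", 8000), (7.0, "203.0.113.9", 22),   # right ports, wrong order
    (40.0, "198.51.100.7", 22),                   # grant has expired by now
]

if __name__ == "__main__":
    print([r for r in replay(EVENTS) if r is not None])
```

Only the source that knocked in the right order, within the window, is admitted, and only until its grant expires.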

More on Port Knocking:

Top Ten Security and Forensics Live CD Distros

Darknet has put together a list of the ten best security and forensics Linux live CD distributions. A brief description of each, with links to the distros’ websites, is included.

Read more at darknet.org.uk

New Bill Makes it Illegal to Report On Surveillance

Reporters who write about government surveillance could be prosecuted under proposed legislation that would solidify the administration’s eavesdropping authority, according to some legal analysts who are concerned about dramatic changes in U.S. law. Welcome to 1984.


Defeating Human User Authentication

Do you know those little graphics with a code for you to type in, meant to foil automatic scripts or bots when registering for a forum or posting on digg? They are annoying and sometimes hard to decipher when the text is very distorted. They are called captchas. PWNtcha is software that can defeat many of the common captcha implementations. Examples of broken and unbroken captchas are given, along with a live proof-of-concept CGI script.


Anti-Terrorism Data Mining Expensive and Ineffective

Security guru Bruce Schneier offers his analysis of the government’s use of data mining in fighting the boundless “war on terror.” He finds that such a system – even if ridiculously accurate according to today’s standards – would still produce over 2700 false-positive leads per day that would have to be investigated by law enforcement. Considering the waste of law enforcement resources, the low probability that such a system would produce actually useful leads, and the cost to Americans in privacy and liberty, he concludes that such an effort is a raw deal.

In the post 9/11 world, there’s much focus on connecting the dots. Many believe that data mining is the crystal ball that will enable us to uncover future terrorist plots. But even in the most wildly optimistic projections, data mining isn’t tenable for that purpose. We’re not trading privacy for security; we’re giving up privacy and getting no security in return.

Essentially, Schneier sees the problem as one of putting the cart before the horse.

Finding terrorism plots is not a problem that lends itself to data mining. It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier. We’d be far better off putting people in charge of investigating potential plots and letting them direct the computers, instead of putting the computers in charge and letting them decide who should be investigated.

A very intriguing conclusion. I anticipate it will be summarily disregarded by our government. When reading the article, don’t ignore the comments from readers either, as many raise important counterpoints to Schneier’s hypothesis.

Read the article at Schneier’s blog.