The Evolution of Encrypted IM Messaging Platforms - The Rise and Future of the OMEMO Protocol - An Analysis

January 28, 2022

Dear blog readers,

I've decided to share an article I've recently been working on: the rise of the OMEMO real-time Jabber/XMPP encryption protocol. It discusses in depth the security risks involved in OMEMO-type communications and offers practical security and privacy recommendations. I originally wrote it for my ex-employer, Armadillo Phone.

In a modern and vibrant ecosystem of secure and encrypted mobile devices, users face hardware and physical security threats, the general rise of insecure WiFi hotspots, and malicious and fraudulent campaigns run by nation-state and rogue advanced persistent threat actors. Against that background a new protocol called OMEMO has recently emerged. It limits the burden of online ID verification mechanisms and adds a new set of privacy- and security-enhancing features to modern instant messaging applications, making it hard, potentially virtually impossible, for a malicious attacker to eavesdrop on and intercept an OMEMO user's personal, private, sensitive and personally identifiable information. Attackers seek such information in order to commit financial fraud and to launch social engineering campaigns that target the victim's address book and the confidentiality, availability and integrity of their devices, further exposing the mobile device to a multitude of malicious and fraudulent software and campaigns.

Protocol Introduction

What exactly is OMEMO? Long story short, it's an OTR and OpenPGP-based communication protocol with a lot of new improvements in privacy and security, including interoperability between multiple IM clients and mobile applications from different vendors. Compared to OTR (Off-the-Record), which basically allows single-user secure and encrypted communication, the OMEMO protocol allows multi-user data and information exchange, further strengthening the protocol's position on the market for secure mobile IM (instant messaging) applications.

Basic OTR Protocol Overview in the context of the global growing cybercrime trend

Over the years, Jabber's OTR (Off-the-Record) plugin quickly became the de facto communication channel for a huge portion of Eastern European and Russia-based cybercriminals. They use it to offer and present their cybercrime-friendly services, to communicate with each other when launching and managing cybercrime-friendly online communities, to announce a newly launched service or tool, and to reach out to current and potential customers in a secure fashion. It is worth pointing out that over 98% of Russian and Eastern European cybercrime-friendly propositions actively rely on public and private proprietary Jabber-based servers and on OTR (Off-the-Record) communications.

How does the process work for Russian and Eastern European cybercrime gangs and groups? Pretty simple. The cybercriminal in question uses either a custom-made proprietary Jabber server or a publicly accessible one, in combination with a popular off-the-shelf or proprietary offshore VPN service provider, in an attempt to hide the metadata from law enforcement. They then include their contact details, in the form of a user ID, within the cybercrime-friendly proposition itself, which on the majority of occasions is a newly launched shop for stolen and compromised credit cards or a newly launched cybercrime-friendly service aiming to assist novice or experienced cybercriminals on their way to commit financial fraud online.

The following mobile device IM clients are known to be currently compatible with the secure and privacy-enhancing OMEMO protocol:

  • BeagleIM
  • ChatSecure
  • Conversations
  • Cryptocat
  • Dino
  • Gajim
  • Psi
  • Adium
  • Profanity
  • SiskinIM

Possible Threat Modelling Scenarios

It is worth pointing out that, on the vast majority of occasions, IM-based encryption protocols are perfectly suited to protect against a large portion of modern eavesdropping and surveillance campaigns. It should also be noted that a direct compromise of the mobile device in question can act as the "weakest link" in the entire secure and privacy-conscious communication chain, alongside impersonation attacks launched against a specific participant in the conversation and good old-fashioned social engineering campaigns.

Possible physical security and network-based attack scenarios:

 - physical device compromise 

A possible device compromise through theft of the device, or through third parties obtaining a physical copy of the device for digital forensic examination. Users interested in protecting their personal and sensitive IM communication should definitely look into using time-expiring messages with a short expiry period and take advantage of Armadillo Phone's built-in advanced physical protection features, including the anti-theft token and the NRC physical authentication card, as well as its heavy reliance on off-the-shelf and heavily modified implementations of popular encryption ciphers that go beyond industry standards.

 - network communication provider compromise 

Among the key factors to consider when launching an encrypted IM conversation with a colleague, a friend or a third party such as a journalist or a free speech writer is whether the network infrastructure provider has taken all the necessary measures to protect its network from external and internal cyber attacks, including plain social engineering attempts, active network-based reconnaissance and actual compromise of the network infrastructure. A possible attack surface mitigation here would be the use of a vendor-specific VPN (Virtual Private Network), so that metadata and traffic obfuscation help prevent man-in-the-middle attacks launched through insecure WiFi hotspots or the GSM-based 3G/4G/5G network connectivity infrastructure.

The Armadillo Phone has a built-in VPN (Virtual Private Network) service which is free of charge and can heavily assist in network-based metadata obfuscation and network traffic obfuscation, making it harder for a malicious attacker or rogue actor to launch an eavesdropping, active traffic interception or surveillance campaign.

A rather practical and often neglected piece of privacy-conscious advice is to periodically verify the participant's fingerprint by asking a very specific question that only he knows the answer to.

Stay tuned!


Are You On Silent Circle?

May 23, 2019
Dear blog readers,

I wanted to find out whether any of my blog readers might be using Silent Circle - and whether you might be interested in approaching me with your Silent Circle ID to get the conversation going?

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

All Your Confidentiality Are Belong To Us

June 10, 2006
The proof that commercial and open source encryption has surpassed the technologies to police it, or the idea that privacy and business growth as top priorities would ruin the whole initiative?

"The Government has launched a public consultation into a draft code of practice for a controversial UK law that critics have said could alienate big business and IT professionals. Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) will, as it stands, give police the authority to force organisations and individuals to disclose encryption keys. The Government issued the public consultation on the code of practice for Part III, which will regulate how police and the courts use powers under the legislation, on Wednesday."

It would be interesting to see how they would initiate the response from individuals without raising the eyebrows of the majority of civil liberties watchdogs out there and, of course, businesses. That's, of course, assuming they use encryption in the first place. It could be much "wiser" to take advantage of covert practices to obtain the necessary information instead of "forcing" this measure -- detecting encrypted/covert communication channels is another topic. Moreover, compare this to the Australian police, whose capabilities for obtaining information on criminals include the use of spyware, a somewhat controversial but adaptive approach.

If national infrastructure security matters, have individuals and enterprises personally take care of their security and encryption keys and promote data encryption, instead of dictating the vibrations by slowing down the basics through such laws.

Distributed cracking of a utopian mystery code

April 13, 2006
If you have missed the opportunity to buy yourself a portable Enigma encryption machine, or didn't know you could devote some of your CPU power to trying to crack unbroken Nazi Enigma ciphers, now is the time to consider another distributed computing cracking initiative I just came across - "Assault on the Thirteenth Labour", part of the utopian Perplex City alternate reality game.


More on the story itself:



"The story centers on a fictional metropolis known as Perplex City. The Receda Cube, a priceless scientific and spiritual artefact, has been stolen and buried somewhere on Earth, and the game offers a real-life $200,000 reward to whoever can find it."



As a matter of fact, ever heard of Hive7? This is where the future is going, as I think the intrigues of virtual worlds result in a better-quality real life, don't they? Still, they can also result in security problems with stolen virtual goods. The trend, given the popularity of these worlds, will continue to emerge -- people, both rich and poor, are putting hard cash into virtual properties, and DoS attacks and phishing practices are already gaining popularity as well.




Wanna get yourself a portable Enigma encryption machine?

April 03, 2006
Hurry up, you still have 5 hours to participate in the sale on eBay, as BetaNews reported: "eBay has long been a purveyor of the unusual and the unique, but it's not often an authentic piece of tech history captures as much attention as the Enigma 3 portable cipher machine that has racked up bids of almost 16,000 euros. The Enigma device was used extensively by Nazi Germany during World War II."



The Enigma machine was a key success factor for the Germans during WWII, until of course its messages started getting deciphered; it's great someone managed to preserve and resell one. Today's situation is entirely different: an average Internet user can easily encrypt data to military standards with public tools, and Phil Zimmermann's PGP has been causing trouble for governments across the world since its release.


However, what the majority of end users don't realize is how the key length and the passphrase's quality mean totally nothing when law enforcement is sometimes empowered to use spyware, and that quantum cryptography is also subject to attacks. Client-side attacks and social engineering ones don't take any key length into consideration -- just naivety. In one of my previous posts, "Get the chance to crack unbroken Nazi Enigma ciphers", I mentioned the existence of a distributed project to crack unbroken Nazi ciphers that you can freely participate in. Being a total paranoid with respect to my favorite SETI@home, you should also consider the possibility of a SETI Hacker -- which partly happened in Contact, in case you recall.




Get the chance to crack unbroken Nazi Enigma ciphers

February 27, 2006
Nice initiative I just came across. From the "M4 Message Breaking Project":



The M4 Project is an effort to break 3 original Enigma messages with the help of distributed computing. The signals were intercepted in the North Atlantic in 1942 and are believed to be unbroken. Ralph Erskine has presented the intercepts in a letter to the journal Cryptologia. The signals were presumably enciphered with the four rotor Enigma M4 - hence the name of the project.


This project has officially started as of January 9th, 2006. You can help out by donating idle time of your computer to the project. If you want to participate, please follow the client install instructions for your operating system:

Unix Client Install
Win98 Client Install
Win2000 Client Install
WinXP Home Client Install
WinXP Pro Client Install



The first message is already broken, as a matter of fact, and looks like this:



Ciphertext:

nczwvusxpnyminhzxmqxsfwxwlkjahshnmcoccakuqpmkcsmhkseinjus
blkiosxckubhmllxcsjusrrdvkohulxwccbgvliyxeoahxrhkkfvdrewezlx
obafgyujqukgrtvukameurbveksuhhvoyhabcjwmaklfklmyfvnrizr
vvrtkofdanjmolbgffleoprgtflvrhowopbekvwmuqfmpwparmfha
gkxiibg



Deciphered and in plain text:

From Looks: Radio signal 1132/19 contents: Forced to submerge during attack, depth charges. Last enemy location 08:30h, Marqu AJ 9863, 220 degrees, 8 nautical miles, (I am) following (the enemy). (Barometer) falls (by) 14 Millibar, NNO 4, visibility 10.



You no longer need the NSA to assist here; still, they sure have contributed a lot while "Eavesdropping on Hell", didn't they?



Distributed computing is a powerful way to solve complex tasks, or at least to put the PC power of the masses to use. It's no longer required to hire processing power on demand from any of these jewels; just download a client and start participating, or find a way to motivate your future participants. In my previous post "The current state of IP spoofing" I commented on the ANA Spoofer Project and featured a great deal of other distributed projects. Meanwhile, the Stardust@home project has also started gaining ground, so whether it's ETs, space dust, global IP spoofing susceptibility, or unbroken Nazi ciphers - you have the choice of where to participate!


