Cryptography Best Practices and Resource Portfolio Part A Phreaking


By: Desiree Carter
10/29/2012

The industry I'm selecting is cellphones. Phreaking is a large problem with cellphones in this day and age. Home phones are a thing of the past. Now the only phones at risk of getting phreaked are cellphones, business phones and Internet phones. The primary target for the cellphone and cryptography business would be the manufacturers, designers, Chief Information Officers, employees and shareholders, as well as stakeholders such as customers. The primary cellphone providers I will focus on are Sprint, Apple, Verizon and AT&T.

Sprint

Sprint offers Smartphones, Basic phones and iPhones. Phones with the Android operating system have been the target of hacking and viruses. Sprint's newest offering for the holiday season is the LG Viper, which runs the Android 4.0 Ice Cream Sandwich operating system. Sprint offers twenty-three Smartphones, the most notable other ones being the iPhone 5, LG Optimus G and HTC EVO 4G LTE. They offer seven basic phones: LG Rumor Reflex, Samsung M400, LG Remarq, Samsung Array, LG Rumor Touch, Kyocera DuraCore and Kyocera DuraXT.

Apple

Apple has three iPhones still in circulation: the iPhone 4, the iPhone 4S and their newest offering, the iPhone 5.

Verizon

Verizon offers twenty-three Smartphones. They are most known for their Droid phones. The newest notable phone they offer is the Windows Phone 8X by HTC. They have several phones that use the Android operating system. The two most notable are the Samsung Galaxy S III and the Samsung Galaxy Note II.

AT&T

AT&T offers 47 smartphones. They are most known for carrying the iPhones. The two most notable phones that they carry that have the Android operating system are the Samsung Galaxy Note II and the HTC One X+. Three more notable phones are the LG Optimus G, HTC TITAN II and the Samsung Galaxy S III.

Feasible Attacks
The words "phone" and "freak" combine to coin the term "phreak" to describe a phone hacker. The phreak tries to break into your telephone network with the intention of listening to your conversations or making costly calls at your expense. In other words, phreaking is a VoIP security threat to Internet phone networks as well as to conventional phones and can do lots of damage to you ("Phreaking - VoIP").

The crime of phreaking goes back to the time of traditional phone lines, which were the original victims of this criminal activity. Those who provide phone services to customers, such as Sprint, Verizon, Apple and AT&T, have gotten more intelligent and tightened the security around their communication networks, which has made phreaking more difficult and sometimes impossible. However, VoIP telephone technology has become common and provides opportunities for phreakers to get into it and do their nefarious work. The reason is that VoIP works over the Internet and is vulnerable to the same security threats that the Internet is prone to ("Phreaking - VoIP").

If your Internet phone service has a security loophole, a phreaker can not only make calls at your expense but can also spy on you and learn your personal financial information if it is given out while you use your phone. This could result in identity theft and other malicious acts. If you use a VoIP service for your business, a phreaking intrusion can result in your business secrets being passed to your competitors ("Phreaking - VoIP").

Being aware of feasible attacks is important. My dad is a disabled Army vet; he always says that the military never releases information on a tool or weapon unless there is something better already developed for their use. On September 28th of this year the military made their application for Android smartphones, PlaceRaider, public knowledge. PlaceRaider is malware developed by the military that uses the cameras on Android phones to take pictures of a person's surroundings. From there the pictures can be retrieved and formed into a 3D model for the malware's operator to use. If this app were to fall into the wrong hands it could mean havoc for Android phone users.

The power of modern smartphones is one of the technological wonders of our age. These devices carry a suite of sensors capable of monitoring the environment in detail, powerful data processors and the ability to transmit and receive information at high rates (The physics arXiv, 2012). Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana and some of his connections at Indiana University released info about PlaceRaider, which allows the theft of virtual objects such as financial information, data on computer screens and other identity-related information. PlaceRaider, if it were to fall into the wrong hands, could be a virtual menace.

It doesn't always take the technical skills of a cellphone phreak such as Lucky255 to access your phone account and accompanying personal information. There are websites that educate black-hat (bad hackers) and white-hat (good hackers), such as http://infinityexists.com/. Automated pre-packaged tools for compromising current smartphone platforms are also readily available. One such automated pre-packaged tool for compromising current compatible smartphones is FlexiSPY. Sadly, there is also a growing market for products advertised by companies for lawful monitoring of cellphone activity. One syllogism I found about smartphones while doing my research is: Smartphones are vulnerable; vulnerabilities are exploited; smartphones will be exploited.

Protection Through Cryptography


There are fortunately multiple companies and products out there to help combat the phreaking problem. SecurStar Computer Security is one such company. The SecurStar company's product PhoneCrypt has 8 features. The first feature is military-grade encryption. The second feature is RSA 4096 bit & AES 256 bit encryption. The third feature is Diffie-Hellman (DH) key exchange. The fourth feature is MD5 & SHA512 hash for voice integrity. The fifth feature is Protection Agents, which detect, alert and defend against attacks (the man-in-the-middle approach). The sixth feature is 100% secure calls. The seventh feature is that the software uses Internet connectivity through 3G, UMTS, HSPA, W-CDMA, EDGE, GPRS and Wi-Fi. The eighth feature is that it is compatible with both landline and mobile phones.

There are 5 PhoneCrypt products. The first product is PhoneCrypt Mobile. PhoneCrypt Mobile is designed for individuals and business professionals. PhoneCrypt Mobile offers true mobile-to-mobile protection using military-grade encryption, ensuring complete privacy ("Phonecrypt," 2008). The second product is PhoneCrypt PBX. It is a fully secure, feature-rich PBX designed for small to large enterprises. It is compatible with the PhoneCrypt suite of products for comprehensive security for all voice communications. The third product is PhoneCrypt Gateway. It is a versatile, fully secure phone gateway designed for use with existing PBX systems. It provides secure calls between gateways or from a gateway to PhoneCrypt Mobile phone users. The fourth product is PhoneCrypt Softphone. PhoneCrypt Softphone allows ultimate portability and includes the same features and protection found in the hardware offerings. It is designed for mobile professionals and individuals. The final product is the PhoneCrypt LandLine Adapter. It is also called PhoneCrypt Solo and is designed for mobile professionals, SOHO users and individuals. It provides customers with complete privacy and integrates with existing land-based phones.

Digital Encryption Standards


The Digital Encryption Standard (DES) is a symmetric block cipher with a 64-bit block size that uses a 56-bit key. It was adopted in the United States in 1977 as a federal standard. It takes in a 64-bit block of plaintext as input and outputs a 64-bit block of ciphertext. It always operates on blocks of equal size, and it uses both permutations and substitutions in the algorithm. It has 16 rounds, which means the main algorithm is repeated 16 times to produce the ciphertext. The number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. Therefore, as the number of rounds increases, the security of the algorithm increases exponentially. Due to major cracks in 1998 and 1999, the original DES is not considered safe anymore, and Triple DES (3DES) has emerged as a stronger method.

Good Passwords
A good password is needed anytime you use the Internet. More importantly, a good password is needed when you use encryption. The RSA Security manual has 6 guidelines for making a password. They are:

1. Use at least 10 characters.
2. Mix in uppercase and lowercase letters, numbers, spaces, punctuation, and other symbols.
3. Avoid using a character more than twice.
4. Avoid using actual words.
5. Avoid using personal information, such as the name of a spouse, child, parent, or friend, or your phone number, Social Security number, license plate number, or birthday.
6. Do not write it down. Instead, memorize it.

(University, 2011)

How Public-Key Cryptography Works


When public-key cryptography is used, two keys are used. The one that encrypts the data is known as the public key. The one that decrypts the data is known as the private key. As long as the private key is not compromised, the data is secure when using the public-key cryptography method.

Key Recovery
It is possible to set up a scheme to restore keys that someone loses by forgetting a password or losing a token. There are also signing keys; if these are lost, it's not a problem. Existing signatures are still valid because only the public key is needed to verify them (University, 2011). For new signatures, you generate a new key pair and distribute the new public key. Because of this, it is important that participants have separate signing and key exchange keys.

Use of Digital Signatures


The use of digital signatures has four known benefits. They are:

Message Integrity: The use of digital signatures is superior to a handwritten signature because it attests to the contents of a message as well as to the identity of the signer. When a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter the signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail. Thus, authentication allows people to check the integrity of signed documents. Of course, if signature verification fails, it may be unclear whether there was an attempted forgery or simply a transmission error. (University, 2011)

Savings: Using open systems such as the Internet as transport media can provide considerable savings of time and money. Also, adding automation means that data can be digitally signed and sent in a timely manner.

Storage: Business data such as contracts can be stored easily in electronic form. Also, an electronic document that has been digitally signed can be validated indefinitely. If all parties involved in the contract keep a copy of the time-stamped document, each of them can prove that the contract was signed with valid keys. Also, the time stamp can prove the validity of a contract even if one signer's key becomes compromised at some point after the contract was signed.

Risk Mitigation: If properly implemented, digital signatures reduce the risk of fraud and attempts by a party to repudiate (disavow) the contract. (University, 2011)

Authentication of Digital Signatures


There are two types of authentication when it comes to digital signatures: signer authentication and data authentication. When a public/private key pair is associated with an identified signer, the digital signature attributes the message to the signer. The digital signature cannot be forged unless the signer compromises the private key by divulging it or losing the medium or device in which it is contained. Data authentication is comparable to stamping a document in a way that disallows all future modifications to it. Data authentication is usually accompanied by data origin authentication, which binds a concrete person to a specific document. A signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection. The digital signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering because the comparison of the hash results (one made at signing and the other made at verifying) shows whether the message is the same as when signed. (University, 2011)
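
The hash comparison described above, together with the points from the Key Recovery and Message Integrity sections, shown as an added example that is not part of the original paper or its cited textbook. It assumes textbook RSA without padding and demo keys constructed from Mersenne primes so the run is deterministic; real systems use a padded scheme and randomly generated keys, and the names make_key, sign, verify and demo are illustrative.

```python
import hashlib

E = 65537  # public exponent shared by both demo key pairs


def make_key(p: int, q: int):
    # Returns (modulus n, private exponent d) for textbook RSA.
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed demo keys: Mersenne primes keep the example deterministic and
# offline. Primes like these are NOT safe for real keys.
OLD_N, OLD_D = make_key(2**521 - 1, 2**607 - 1)
NEW_N, NEW_D = make_key(2**1279 - 1, 2**2203 - 1)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (smaller than both moduli)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Hash made at signing, transformed with the private exponent."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, n: int) -> bool:
    """Hash made at verifying, compared with the one inside the signature."""
    return pow(signature, E, n) == digest(message)


def demo() -> dict:
    contract = b"Party A pays Party B 100 USD."  # constructed sample data
    altered = b"Party A pays Party B 900 USD."
    memo = b"Unrelated memo."
    old_sig = sign(contract, OLD_D, OLD_N)
    # verify() takes only public values (OLD_N, E), so the first check keeps
    # passing even if the signer later loses OLD_D.
    new_sig = sign(memo, NEW_D, NEW_N)  # replacement key pair after the loss
    return {
        "original": verify(contract, old_sig, OLD_N),
        "altered_message": verify(altered, old_sig, OLD_N),
        "signature_moved_to_other_doc": verify(memo, old_sig, OLD_N),
        "new_sig_new_public_key": verify(memo, new_sig, NEW_N),
        "new_sig_old_public_key": verify(memo, new_sig, OLD_N),
    }


if __name__ == "__main__":
    print(demo())
```

Only the untouched contract under the old public key and the memo under the new public key verify; the altered message, the transplanted signature and the new signature checked against the old public key all fail.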


References
Sprint phones. (n.d.). Retrieved from http://shop.sprint.com/mysprint/shop/phone_wall.jsp?INTCID=AB:Shop:C:Phones:All

Apple store shop iphone. (n.d.). Retrieved from http://store.apple.com/us/browse/home/shop_iphone

Verizon wireless smartphones. (n.d.). Retrieved from http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceCategoryId=1

Shop wireless devices smart phones. (n.d.). Retrieved from http://www.att.com/shop/wireless/devices/smartphones.html

The physics arXiv, B. (2012, September 28). Placeraider: the military smartphone malware designed to steal your life. Retrieved from http://www.technologyreview.com/view/429394/placeraider-the-military-smartphonemalware-designed-to-steal-your-life/

Phreaking - VoIP security threat. (n.d.). Retrieved from http://www.smart-voipsolution.com/phreakthreat.html/

Schiffman, N. (2008, December 12). When smartphones attack. Retrieved from http://www.networkworld.com/community/node/36328

Phonecrypt. (2008). Retrieved from http://www.securstar.com/products_phonecrypt.php

Decryption, E. (2012). Digital encryption standard. Retrieved from http://www.encryptionanddecryption.com/algorithms/digital_encryption_standard.html

University, D. (2011). Cryptography and security mechanisms. (p. 73). McGraw-Hill Companies.

University, D. (2011). Cryptography and security mechanisms. (pp. 93-94). McGraw-Hill Companies.

University, D. (2011). Cryptography and security mechanisms. (p. 173). McGraw-Hill Companies.

University, D. (2011). Cryptography and security mechanisms. (pp. 295-296). McGraw-Hill Companies.

University, D. (2011). Cryptography and security mechanisms. (p. 300). McGraw-Hill Companies.