Encryption & Security in a Mobile Context

By Richard Cooper, Principal Technical Consultant for Platform Security, Her Majesty’s Government Communications Centre

Unsurprisingly for an organisation that deals with national security, we are passionate about information security at HMGCC. Communication is at the heart of the UK economy and the ability to communicate securely and effectively is essential in ensuring that the UK remains the best country in the world to do business with.

Secure communication has three key aspects: ensuring that the content of communication is confidential and secure from interception by 3rd parties; that the communication channel is available and resistant to denial of service attacks; and that systems provide high integrity, allowing you to be confident that the other parties involved are who they say they are.

Validating a person’s identity has become a crucial aspect of communication security. More and more communication is taking place when the persons involved are not face-to-face so an individual’s digital identity (Facebook accounts, telephone numbers, e-mail addresses) becomes a much sought-after commodity for attackers. Looking at unencrypted websites over public unencrypted WiFi links in the local coffee shop is recognised by most technically savvy people as a bad idea; but it still takes place. This shows that users are unaware of, or disregard, the risks to their digital identity.

Smart phones have changed the way we think of the telephone. Traditionally telephones provided basic voice and data services and whilst the handsets were simple and relatively immune from attack, the protection afforded by the network was somewhat lacking.  Now the situation is reversed.  Smart phones make confidential communication easy, with a wide range of options from secure email and web access through to secure VoIP and video conferencing. To support this the handsets have become fully fledged computers with a large attack surface and are becoming increasingly difficult to secure.

The new frontier in computer security is mobile security; whilst current attacks and malware are relatively benign, the impact on all of us should an SMS message worm/virus ever occur will be huge due to its ability to spread “peer to peer” and the ready access to an existing revenue stream (premium rate calls).  It is these threats which should drive us to better understand the mobile security domain and work to improve it wherever possible.

For all of us, security is a whole lot more than just encryption; it’s about the security of the whole system.  PIN locks on phones are a good start, but the finger marks left on most smartphones greatly reduce the search space for an attacker.  Equally, every application you install on your phone increases its attack surface – do you really trust the author and does it really need access to those system services?

The importance of a system level approach can be seen by looking at the work done at http://robmenow.com.  Whilst not conventionally considered a mobile security issue, it has taken on a whole new form with smart phones.  http://robmenow.com demonstrates the ease with which location data can egress from devices to internet systems; be it through the user “checking in” somewhere or the unconscious geo-tagging of images; and that sometimes, users need to be protected from themselves.

Modern systems need to use the internet and must take advantage of the smart phone revolution. The business benefits are too great to ignore, but equally to stay useful, they must be secure – an organisation’s/individual’s intellectual property only remains so if it is suitably protected.  Building these systems, be it the low level security architecture on the mobile platform, the application software or the server infrastructure required to support it, is the primary challenge of our time.

Good luck!

Breaking the Codes – BBC Interview with Jean Valentine

by Katy Lewis

Published on 28/05/2009 on the BBC History Features.

Former Bletchley Park Wren, Jean Valentine, reveals exactly what went on at the World War II codebreaking centre.

The story of codebreaking at Bletchley Park during the Second World War and its massive contribution to the British war effort is probably one of the most important stories of the 20th century.

Mathematicians and analysts broke encrypted codes sent by the German Luftwaffe, army and navy and in doing so, both directed our war strategy and saved lives.

The Enigma code machine had been adopted by the whole German military machine as their method for encoding signals. They [the Germans] believed their code was completely unbreakable and that therefore their radio traffic was absolutely secure.

But at Bletchley, they worked it out, and cracked the codes on a daily basis.

 


Many people worked on the machines that did this. The settings on the Enigma machine were changed every day so the new settings had to be found and they had to be found quickly, if you wanted to have any chance of using the information.

Secret

Each person was an important cog in the wheel, but none of them knew what the other cogs in other huts were doing, until the mid 1970s when the secret began to emerge. Now, the important role it played during the war has gained Bletchley Park worldwide fame.

You can visit Bletchley Park daily (except Christmas Eve, Christmas Day, Boxing Day and New Year’s Day) to find out more, and they also hold regular events for all the family.

On May Bank Holiday Monday they held a Forties Family Festival with World War II re-enactors, a 1940s Lindyhopper dance troupe, and other 1940’s attractions, including a flypast by a Lancaster and the Red Arrows.

There was also a range of talks about codebreaking, including one from a former Bletchley Park Wren.

Jean Valentine worked on the Bombe codebreaking machine during the Second World War and now works as a guide at the centre. Her fascinating stories about life at Bletchley make the era come alive, and she told me more about exactly what went on.

How did you get to work at Bletchley Park?

Jean: People ask me this all the time and I don’t really know the answer. They ask did you volunteer, but how can you volunteer for something that nobody has ever heard of?! I think probably I was selected because you fill in forms when you plan to join anything, and I think the form that I filled in said something about hobbies, and I think that I said cryptic crossword puzzles. And that was enough, because they were looking for linguists and mathematicians and people who could think laterally.

What was your actual job at Bletchley Park during the war?

Jean: I looked after a machine called the Bombe, which was absolutely essential. It was needed to find the settings on the rotors of the German encryption machine Enigma and without the settings on the rotors, you would never break into it because the Enigma was so complicated, it could encrypt up to 158 million, million, million possibilities.

Jean Valentine with the Bombe in more recent times

What we did is put a menu into it, which was a crib, and the [Bombe] machine looked for the settings. When it had found them, we wrote down the answers that were on the indicator drums and we rang them through to an extension number which I now know was Hut 6. They used these letters to see if they would manage to break into the German encryptions – but I didn’t know that then! I knew somebody did it somewhere but I didn’t know where!

These machines did the equivalent work of 36 Enigmas and 200 of them were working 24 hours a day, both here and at our various outstations. Bletchley Park wasn’t a place on its own, you can’t have a place like this without back up, so we had two [outstations] in Middlesex, at Stanmore and Eastcote, and three in Buckinghamshire, at Adstock, Gayhurst and Wavendon.

Did you know exactly what you were doing and what it was for?

Jean: Well, I knew what I was doing but I didn’t know what anybody else was doing. I worked in Hut 11 here and I now know that we were working in close conjunction with a hut across the pathway from us called Hut 3 and another called Hut 6. We were all working hand in hand but we didn’t know that.

How many people were you working with in your hut?

Jean: We worked in watches and in this particular hut there were approximately 11 people working at any one time. That was 33 throughout the day because one watch was always on duty or asleep or something like that.

We were ferried back and forth from where we lived. I lived in Steeple Claydon, a little village in Buckinghamshire. It was very strange because we lived in this requisitioned house, and people must have wondered where we were going and, when we came back, where we had been, but the secret never got out.

Did nobody ask? Did you not talk or was it that kind of culture where you just thought I know there’s something going on but we’re at war so we’re not talking about it?

Jean: We were told that if anybody said what are YOU doing, we had to say we were confidential writers. Now, a writer in the navy was a clerk, so we were confidential clerks if you like. And anybody who probed further having been told that was extremely bad mannered, people didn’t do it. So that’s what we said, but amongst ourselves, the minute we left the hut we were working in, we did not talk about what we had been doing at all. We were being driven by an MT driver and you don’t talk in front of people when you sign the Official Secrets Act. You’re told not to talk, you don’t do it.

Did you know what would happen if you did?

Jean: No, there was no threat made, we were put on our honour not to speak so we didn’t. And I never did, and none of my friends did, until it all started to come out of the woodwork in the mid 1970s. Then we were free to talk a little bit about it and of course now it’s just an open secret.

So these letters that you phoned through – probably changed the course of the war in some way?

Jean: Well it would certainly give people interesting information. They had a machine, that was actually our encrypting machine modified to mimic a German Enigma, and they’d set these letters up on the machine, type in the encrypted message and if it made sense when it came out, then we got the right answer. They then sent that into the red hut which was just over the pathway. They had translators there turning the German into English and also analysts who decided who should have this information and when they should have it.

When did you first know about the part you played, and how important it was?

Jean: Well, I always knew how important it was! But when I came to work here to train as a guide, I discovered that the telephone extension number that we had was actually for Hut 6 across the pathway. But it could have been anywhere. But it was across the path and we walked past it four times a day.

So you knew what your job was, but you didn’t know how what you were doing was affecting everybody else?

Jean: No not really, no. You just assumed that you were doing some good or you wouldn’t be there. We were paid this fantastic amount of money to do it you know! When we started we got 75p a week (15 shillings) and when we were good at the job we got a pound a week and then when I got promotion I got 25 shillings a week, it was riches beyond the dreams of avarice!

And over the years you’ve pieced it all together?

Jean: Only since it became public. For years, since the end of the war until the mid 1970s, I don’t suppose I even thought about it very much. I met up with one or two companions from those days but gradually people moved away or something and I lived abroad for years so I wasn’t coming in contact with the people I had worked with. But then when I started coming to the reunions, they said ‘why don’t you come and train to be a guide?’ I said ‘no, I can’t drive nearly 40 miles, do a day’s work and drive 40 miles home’. Well, that was ten years ago and I’m still doing it!

So you got hooked?!

Jean: I suppose so, I mean, you meet a lot of interesting people doing this job. There’s sort of a club like atmosphere I suppose and I enjoy what I’m doing – but I don’t enjoy the drive!

How did you feel when you found out exactly what you’d been doing?

Jean: Well, nothing really. So many years had gone by and I’d done so many other things, it was just part of my life, nice to look back on, and nice to be able to come here and see people who had a similar experience to me. I was just one of a gang doing their best. When you think I could have been in a munitions factory or in a field digging up potatoes – no thank you! I was better off here!

It must be important to you now, to work as a guide here?

Jean: I want Bletchley Park to survive and looking out here today [on the Forties Family Fun Day] we are having an absolute bonanza. We’re absolutely swamped with people, there are thousands of them here today and that’s money in the bank and that is all important. We have been helped with the repair costs but it’s the actual running of the place [that we need money for]. The stewards and the guides that you see are all volunteers but the people who do things like the catering, the gardening and the maintenance have to be paid. And we need money to do that.

Did you ever think when you were working here, how it would affect the rest of your life?

Jean: No – not at all! And I wasn’t actually here very long. I had been here a short time when a notice went up saying that the following were required to go overseas [me included]. This was to Ceylon which is now Sri Lanka and I really didn’t want to do that very much because there were U-Boats and things out there. But it did say at the bottom that those who were underage had to get their father’s permission and I knew that my father wouldn’t let me go because I was precious – I was an only child and a teenager! So I went home and told him and he said, ‘you joined up to do your bit, so wherever they need you to go, you go – permission granted!’. And he didn’t even know where it was because I couldn’t tell him. I was gobsmacked. I didn’t know the word then but it’s a useful word now!

I suppose that’s the effect that being at war had on people?

Jean: Look, at that time we were fighting for our lives. My father had been a soldier in the First World War and he was used to discipline and his theory was that if command told you to do something then you did it, you didn’t argue, and you didn’t get out of it, you did it – so I did it.

I spent 15 months in Ceylon breaking Japanese cypher. I didn’t have a machine to do that, we were breaking the Japanese meteorological code which was all in figures, and it was really a case of getting down and working it out.

So did your hobby of doing cryptic crosswords help you in any way with your work?!

Jean: I think it trains your mind in certain directions but I don’t know if it helped me or not. It’s just a different way of looking at things really.

Declassified Bletchley Park document handed to codebreaker

As reported by the BBC on September 4, 2011:

A formerly secret government document has been presented to the only surviving wartime codebreaker who wrote it.

The declassified document was handed by intelligence agency GCHQ to codebreaker Mavis Batey at Bletchley Park Mansion, Buckinghamshire earlier.

Mrs Batey, 90, had been told the report, which she last saw 66 years ago, would never be declassified.

She wrote it with her late husband Keith, Margaret Rock and Peter Twinn.

Entitled the History of Abwehr Codebreaking, the document was dubbed “Batey, Batey, Rock and Twinn” after its four authors.

It related to the German secret service, the equivalent of MI6.

Bletchley Park was a government codebreaking centre during World War II and played an important role in the Allied victory.

‘Have a go’
At the end of the war each Bletchley Park section wrote its history.

Reports covering German naval, army and air force codebreaking have already been released but the secret service report remained classified.

Mrs Batey was one of only about three skilled female cryptanalysts at Bletchley Park, together with Margaret Rock and Joan Clarke.

Then Mavis Lever, she was 18 when she arrived at Bletchley in May 1940.

She worked under renowned codebreaker Alfred “Dilly” Knox, who greeted her with the words: “Hello, we’re breaking machines. Have you got a pencil? Here, have a go.”

Naval battle
Simon Greenish, director of the Bletchley Park Trust, said Mrs Batey was a national heroine.

“Mavis was one of the elite at Bletchley Park. She’s one of the brightest ladies I have ever come across,” he said.

“She was the person who broke the Italian codes that led to the Battle of Cape Matapan, where the Italian navy met the British navy and suffered huge losses.”

He said her work was so advanced it was still relevant today, which was why the document had only just been declassified.

Mr Greenish said the presentation was especially poignant as the document allowed Mrs Batey to find out about what her husband, who died last year, had been working on during the war.

As a married couple, they were put on different sections at Bletchley Park and forbidden from talking about their work.

Please enter your password, again and again

Experientia’s Putting People First Blog has highlighted an article by Khoi Vinh on the problem with passwords:

Khoi Vinh reflects on the fact (and the user experience) that almost everything on all of his computers and all of his mobile devices can only be accessed with a password.

“This is a big problem, and for lots of people. Over the past few months, while working on various projects, I’ve seen computer users of all levels of expertise struggle again and again with remembering their passwords. Part of what I’ve been doing has been helping people install test versions of software, and doing so always requires signing into this or that and accepting this or that invitation and plugging into this or that computer or updating this or that software.” […]

“The preponderance of digital credentials that are required of us daily is clearly already beyond reasonability, and yet there’s little apparent interest in this problem.” […]

“Everybody seems to agree that this is a problem, and yet no one is interested in it or sufficiently motivated to protest, much less create a solution. I just don’t understand why this is the case.”


If you’re starting to think about what to work on during the hackday portion of Over the Air – how about taking a crack at the password dilemma?

The Product Doctor can see you now..

The Product Doctor returns to OTA 2011 for the 3rd year running!

Julia Shalet @ OTA10 - photo credit Benjamin Ellis

Following the successes of the Travelling Teen Panel at OTA 2009 and the Product Doctor Drop in Surgery at OTA 2010, the Product Doctors are offering complimentary Product Health Checks at OTA 2011.

The Doctors will be happy to see you if you have a product at any stage, from concept through to live – perhaps you want to bring the product you are creating for the hacking competition?

To book your session, please email julia@productdoctor.co.uk with some preferred times.

BlueVia donates £10,000 of media spend to Best-in-Show

This year, the prize for Best in Show (Judges Selection) at the Over the Air hacking competition is sure to make your eyes pop!

Long-time supporter and OTA11 Gold Sponsor BlueVia will be giving away £10,000 worth of media spend on O2 Media’s network to the winner of the Best in Show category. This can be used by the winning team to commercialise their entry or any of their existing commercial products – across a blend of SMS / MMS / Video / Online as appropriate, across O2 more, O2 active and You Are Here product sets. See here for more info: http://www.o2media.co.uk/

 

You may have also caught their announcement about the  integration of BlueVia with Twitter that allows O2 customers in the UK to interact with Twitter via MMS Messaging. “At a stroke, this adds new multimedia functionality to Twitter for those who the micro-blogging service via their phones using SMS.”

Any interesting ideas spring to mind? Then start ruminating on it, as OTA11 is now only just around the corner….

HMGCC is Gold Sponsor of OTA11

We are pleased to announce that Her Majesty’s Government Communications Centre is Gold Sponsor of Over the Air 2011.

This is not your average job… when you’re dealing with the UK’s National Security there are no margins for error.

From day one you will be part of a multi-skilled project team delivering communication systems for use by Her Majesty’s Government at home and overseas. Not an easy task given the challenging requirements of securing Government information in today’s world. We are looking for people who thrive in a team environment, relish the challenge of problem solving and who are passionate about engineering.

Our home is at Hanslope Park, deep in the heart of unspoilt Buckinghamshire. It is a government centre of excellence, modelled along commercial lines. More than 500 of us combine the creative adrenalin of a small-to-medium sized technology company with the in-depth resources and security of a much larger organisation.

Our work is as serious as it is challenging. We research, design and develop secure communication systems, hardware and software specifically for HM Government use, both at home and overseas. We handle a huge number of projects at any one time. These last anything from under 5 days to a few years and bring with them infinite challenges. The sheer variety is immensely stimulating, and we cover entire product lifecycles.

HMGCC is a melting pot of people with all kinds of skills, experiences and technical disciplines. It’s where we join forces and exchange ideas in a very free-thinking environment. Under one massive roof, we house innovators in:

    • Software
    • Electronics
    • Data Networking
    • IT Systems development
    • Embedded Systems
    • Systems Engineering
    • Electro-Mechanical Manufacturing
    • Radio Frequency
    • Signal Processing
    • Power Sources
    • Mechanical and Electrical Engineering
    • Acoustics
    • Programme and Project Managers
    • Corporate Services

WAC is a sponsor of OTA11

We are pleased to announce that the Wholesale Applications Community (WAC) is a Sponsor of Over the Air 2011.

WAC is currently focused on two key streams of work and development. Firstly, the development of a suite of web run times based on HTML5 technology with the addition of mobile specific functionality. This enables developers to create feature rich applications that work across multiple operating systems and device types, without the need for expensive porting or costly re-development. Our simple one stop submission service allows you to get your application to multiple operators’ app stores – with services launching in Asia in October 2011.

Secondly, with the support of its member operators and OEMs, WAC has been developing a standard set of network APIs that will allow developers to create and monetise applications that maximise the convenience of cross-operator billing. These are designed to provide end users with a safe, secure, reliable and simple method of purchasing digital goods and services. We have a beta programme ongoing – so let us know if you’re interested in taking part (@wacapps or support@wacapps.net).

If you’re a developer and you’re:

  • interested in getting involved in the WAC Network API ‘Beta’ programme
  • looking to take advantage of cross-operator billing and other operator enablers
  • wanting to maximise downloads and revenue,
  • keen to know more about how you can reach millions of customers using WAC’s submission and settlement services or
  • looking to understand more about the amazing potential of HTML5 powered web applications

…then come and find us – we’re here to help you make money out of mobile.

We at wacapps.net look forward to seeing you at the Over the Air event. Contact us @wacapps.

Carphone Warehouse Mobile Security Week

Over The Air’s David Rogers has been advising Carphone Warehouse in preparation for their Mobile Security Week which is happening at the moment. Head over to Carphone Warehouse’s dedicated security page to see their advice and David’s tips on keeping yourself secure whilst using your mobile. As developers, we all have a role to play in helping to keep users secure. Remember, the majority of your users are going to be non-technical people who just want to use your product and be safe online. By providing a clear, simple user experience when it comes to security, users feel much more comfortable. Help users out by explaining why you’ve used certain permissions and don’t unnecessarily use someone’s private data. The GSMA has some great privacy guidelines for developers. David’s extended guide can be found on his blog.