iMobileSitter
An innovative anti-brute-force solution for storing your credentials on iPhones?
The Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) recently released a password manager for the iPhone, iMobileSitter, with an innovative approach that makes brute-force attacks useless: the app does not tell the user whether the entered master password is correct. It lets the user in anyway, but with a wrong master password the stored plain-text credentials (PINs, passwords) are not decrypted correctly either, so someone trying passwords never gets a "wrong password" signal that would confirm a guess.
Consequently the user would not know whether he mistyped his password. Therefore there is visual feedback: the app shows a unique set of icons for each password, so the user can recognize the icons that belong to the correct one.
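To make the mechanism concrete, here is an added conceptual reconstruction in Python. It is not code from iMobileSitter or Fraunhofer SIT, whose implementation details are not known to me; the KDF, the HMAC-based keystream, the icon alphabet and all names (derive_key, open_vault, icon_fingerprint, ICONS) are assumptions for the example. The point it shows: decryption never fails or reports an error, and the only feedback is an icon set that is a pure function of the typed password.

```python
import hashlib
import hmac
import os

# Constructed icon alphabet for the visual fingerprint (assumption: 16 icons, 4 shown)
ICONS = ["anchor", "bell", "cat", "drum", "eagle", "fish", "gear", "harp",
         "igloo", "jug", "kite", "lamp", "moon", "nut", "owl", "pear"]
ICON_COUNT = 4


def derive_key(master_password, salt):
    # Slow password-based KDF; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               100_000, dklen=32)


def keystream(key, length):
    # Counter-mode keystream from HMAC-SHA256. Any key yields *some* keystream,
    # which is what lets a wrong password "decrypt" to garbage instead of failing.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, data):
    # XOR with the keystream; the same function encrypts and decrypts.
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def icon_fingerprint(key):
    # Deliberately NO authentication tag is stored or checked: the only feedback
    # the user gets is this icon set, derived from the key of the typed password.
    digest = hashlib.sha256(b"icon-fingerprint|" + key).digest()
    return [ICONS[b % len(ICONS)] for b in digest[:ICON_COUNT]]


def make_vault(master_password, secret, salt=None):
    # Returns (salt, ciphertext); a fixed salt may be passed for reproducible tests.
    salt = salt if salt is not None else os.urandom(16)
    return salt, xor_crypt(derive_key(master_password, salt), secret)


def open_vault(master_password, salt, ciphertext):
    # Never raises or reports "wrong password"; always hands back icons and bytes.
    key = derive_key(master_password, salt)
    return icon_fingerprint(key), xor_crypt(key, ciphertext)


if __name__ == "__main__":
    salt, ct = make_vault("correct horse", b"pin=1234 bank=9876")  # constructed sample
    for guess in ("correct horse", "wrong pass"):
        icons, pt = open_vault(guess, salt, ct)
        print(guess, "->", icons, pt.decode("utf-8", errors="replace"))
```

Two design points worth noting: because there is intentionally no authentication tag, the vault also cannot detect tampering with the ciphertext, and the decrypted bytes themselves can still act as a weak oracle if the stored format is easily recognizable (a four-digit PIN versus random bytes). What gets stored and how it is displayed therefore matters as much as the missing error message.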
A main reason for me to buy it is that I do not want to store my secrets in a password manager from just any company, where nothing about the know-how or the technology is public. Things are different with Fraunhofer SIT, a well-known German research institute.
The app is available on the AppStore.
Cheers, mavi
Forensic Report
Forensic report on an allegation of child pornography!
The number of my posts has dropped sharply again lately. Unfortunately this is not due to a lack of topics but to things I have to get done for university or work. So I am simply recycling my coursework assignment from the Computer Forensics lecture.
For it I had to forensically analyze a storage medium as a fictitious expert witness. The goal was to support or refute the suspicion that Karsten Karton had obtained and distributed child-pornographic material (represented by cheerleaders) via the Internet.
Perhaps someone is interested in this kind of thing, or you have to take a similar exam. The report has been anonymized.
Download: Forensic Report
Cheers, mavi
Quicktip: CMD symlink
If you want to run a specific command every time you open the console, you can create a shortcut (symlink) whose target is:
C:\Windows\System32\cmd.exe /K "COMMAND"
/K tells cmd that a command follows and that the cmd window should stay open afterwards (unlike /C, which closes the window once the command has finished).
Cheers Chris
db4o at Honeycomb and Ice Cream Sandwich – UPDATE
Did you receive a NetworkOnMainThreadException while opening a new db4o database?
Since my last post I had only worked with Android 2.x, on which I got db4o running easily. When I ran my db4o app on Android Honeycomb I received a NetworkOnMainThreadException.
With Honeycomb, Google introduced android.os.NetworkOnMainThreadException, which is thrown when an application attempts to perform a networking operation on its main thread (see here). That doesn't sound relevant for a database, but it is exactly what happens when I call
Db4oEmbedded.openFile(Db4oEmbedded.newConfiguration(), dbPath);
for the first time, and only the first time: when db4o creates a new database file it generates its unique internal signature by calling java.net.InetAddress.getLocalHost().getHostName(). Because java.net belongs to the network classes, the exception is thrown from java.net.InetAddress.lookupHostByName(InetAddress.java:477).
Here is the piece of db4o code which causes the exception:
// Excerpt from db4o's signature generation (sb is a StringBuffer, _counter a static int)
try {
    // This host-name lookup is what triggers NetworkOnMainThreadException on Honeycomb+
    String hostName = java.net.InetAddress.getLocalHost().getHostName() + "_";
    if (hostName.length() > 15) {
        hostName = hostName.substring(0, 15);
    }
    sb.append(hostName);
} catch (UnknownHostException e) {
    // NetworkOnMainThreadException is a RuntimeException, so it is not caught here
}
sb.append(Long.toHexString(System.currentTimeMillis()));
sb.append(Integer.toHexString(_counter++));
int hostAddress = 0;
byte[] addressBytes;
try {
    // Second network-class call with the same problem
    addressBytes = java.net.InetAddress.getLocalHost().getAddress();
    for (int i = 0; i < addressBytes.length; i++) {
        hostAddress <<= 4;
        hostAddress -= addressBytes[i];
    }
} catch (UnknownHostException e) {
}
A workaround is to catch the NetworkOnMainThreadException as well (which makes the jar Android-specific) or to change the UnknownHostException to a generic Exception. This is kind of dirty, but since nothing happens within the catch block anyway, it doesn't matter.
Another approach is to perform the first call that creates a new database off the UI thread, for example with an AsyncTask:
import android.os.AsyncTask;
import com.db4o.Db4oEmbedded;
import com.db4o.ObjectContainer;

class OpenDBTask extends AsyncTask<Void, Void, ObjectContainer> {
    @Override
    protected ObjectContainer doInBackground(Void... params) {
        // DBManager.getPackageName() is the app's own helper returning the package name
        String dbPath = "/data/data/" + DBManager.getPackageName() + "/database";
        // Runs on a worker thread, so the host-name lookup inside db4o is allowed here
        ObjectContainer db = Db4oEmbedded.openFile(Db4oEmbedded.newConfiguration(), dbPath);
        return db;
    }
}
// Usage from the activity: new OpenDBTask().execute();
Maybe I'll provide an Android database manager framework for db4o later. If you want to try db4o, check out this post.
A bug entry has been created and it seems that it is fixed now. I didn’t retest yet.
Once again I would like to point out that this issue only occurs when a new db is created via "Db4oEmbedded.openFile(Db4oEmbedded.newConfiguration(), dbPath);" on Android Honeycomb or later!
Cheers, mavi
Using db4o as Database for Android
Sick of object-relational mapping with SQLite?
I read a long time ago about the object database db4o, which is very handy for storing objects directly instead of mapping their fields to database tables. After some work with SQLite on Android it crossed my mind again and I finally had time to give it a try. Normally you have to do the mapping by hand, which means writing some kind of DB manager that handles requests. These requests need to be coded in SQL, which makes it very time-consuming, as you have to take care of all CREATE, INSERT, SELECT, UPDATE and DELETE operations yourself.
The approach of db4o is to persist an entire object. To make clear how it works in practice, here are some code snippets:
The class for the objects which should be persisted:
public class Person {
    // persisted fields
    public String name;
    public int number;
    public String email;

    // empty constructor
    public Person() {}

    // convenience constructor, also used to build query-by-example prototypes
    public Person(String name, int number, String email) {
        this.name = name;
        this.number = number;
        this.email = email;
    }
}
Create the DB:
String dbPath = "/data/data/" + getPackageName() + "/database";
ObjectContainer db = Db4oEmbedded.openFile(Db4oEmbedded.newConfiguration(), dbPath);
Insert an object:
// creates the object (number is an int, so 100 without quotes)
Person person = new Person("Tom", 100, "Tom@db4o.com");
// saves the object
try {
    db.store(person);
} finally {
    db.close();
}
Retrieve all objects:
ObjectSet<Person> result;
try {
    // passing the class as template returns every stored Person
    result = db.queryByExample(Person.class);
    while (result.hasNext()) {
        Person person = result.next();
        Log.v("TAG", "Name: " + person.name + " Number: " + person.number + " eMail: " + person.email);
    }
} finally {
    db.close();
}
Retrieve all objects with person.name "Tom":
// Specifies the search pattern (null and 0 act as wildcards)
Person protoPerson = new Person("Tom", 0, null);
ObjectSet<Person> result;
try {
    result = db.queryByExample(protoPerson);
    while (result.hasNext()) {
        Person person = result.next();
        Log.v("TAG", "Name: " + person.name + " Number: " + person.number + " eMail: " + person.email);
    }
} finally {
    db.close();
}
Do you see my point? db4o is a very straightforward database framework which, according to this document, even offers high performance. Further documentation on how to use db4o is available here. The source of a prototype test app may follow later here.
There is one small snag: it is available under the GPL or a commercial license.
Cheers mavi
Reto Meier wanted to hack me?
A prominent example of account theft being used for social engineering…
I really wondered what was going on when I received a DM via Twitter from Reto Meier (g+, twitter). I follow him, fine, but he doesn't even follow me, and the content was rather mysterious:
Time to start a VM and have a closer look:
Okay, this looks like the login screen of twitter.com. The address line says something about "session_timed_out". But wait, what a weird domain name: "itwiitter.com". And hadn't I enabled HTTPS for Twitter? It's missing as well. It's obviously a fake site that tries to steal your Twitter login. When I entered something to log in, I just saw an error page.
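As an added example (not part of the original post), the checks I applied by eye above written as a small Python function: is the scheme https, does the registrable domain match twitter.com, does the second-level label merely look like "twitter", and does the URL carry a session-expired bait marker. The verdict names, the similarity threshold, the bait-marker list and the function name classify_link are my own assumptions; the sample URL is constructed after the description of the screenshot.

```python
import difflib
from urllib.parse import urlparse

# The legitimate site the message impersonates (Twitter, as in the post)
LEGIT_DOMAIN = "twitter.com"
BRAND_LABEL = "twitter"
LOOKALIKE_THRESHOLD = 0.75  # assumption: similarity ratio above which a label is "too close"
BAIT_MARKERS = ("session_timed_out", "verify", "suspended")  # constructed list


def classify_link(url):
    """Return (verdict, findings) for a link found in a DM.

    verdict is one of "ok", "suspicious", "phishing", "unknown".
    """
    findings = []
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])             # e.g. itwiitter.com
    sld = labels[-2] if len(labels) >= 2 else host  # e.g. itwiitter

    # The post's first tell: the real site is served over HTTPS, the fake was not.
    if parts.scheme != "https":
        findings.append("no https")

    # Exact match on the registrable domain (covers subdomains such as api.twitter.com).
    if registrable == LEGIT_DOMAIN:
        return ("ok" if not findings else "suspicious", findings)

    # Lookalike check: how similar is the second-level label to the brand name?
    ratio = difflib.SequenceMatcher(None, sld, BRAND_LABEL).ratio()
    if ratio >= LOOKALIKE_THRESHOLD:
        findings.append("lookalike domain %s (similarity %.2f to %s)"
                        % (host, ratio, LEGIT_DOMAIN))

    # Urgency bait in path or query, like the "session_timed_out" seen in the post.
    target = (parts.path + "?" + parts.query).lower()
    if any(m in target for m in BAIT_MARKERS):
        findings.append("urgency bait in URL: " + target)

    if any(f.startswith("lookalike") for f in findings):
        return "phishing", findings
    return ("suspicious" if findings else "unknown", findings)


if __name__ == "__main__":
    # Constructed sample links
    for link in ("http://itwiitter.com/login?session_timed_out=1",
                 "https://twitter.com/login",
                 "https://example.com/"):
        print(link, "->", classify_link(link))
```

The similarity check is deliberately simple; it catches typo-squats like the one in the post but not homoglyph tricks with Unicode look-alikes, which would need a separate confusables check.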
Later the day I read a tweet by Reto Meier:
I thought this prominent victim might be a good example/warning for you folks. Stay distrustful!
Cheers, mavi
Blur the Background of Android Standard Search Dialog
How to blur the background of a standard search dialog?
I didn't find any good solution for this on the web. The common response was "it's not possible". So I worked out a solution myself, which finally works fine. Let's start:
Because you don't get a handle on the standard Android search dialog, it seems impossible to blur the background by calling
Window.addFlags(WindowManager.LayoutParams.FLAG_BLUR_BEHIND);
But there is another approach: generally you want to search a list. The ListView sits in a RelativeLayout. On top of it you place a View with android:background="@drawable/aShape" that covers the entire ListView; its visibility is set to "gone". The drawable aShape is in my case a gradient with an alpha value.
The RelativeLayout:
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent">
    <ListView android:id="@+id/list"
        android:layout_width="fill_parent"
        android:layout_height="fill_parent"
        android:layout_weight="1"
        android:drawSelectorOnTop="false"/>
    <!-- declared after the ListView so it is drawn on top; fill_parent so it covers the whole list -->
    <View android:id="@+id/list_search_overlay"
        android:layout_width="fill_parent"
        android:layout_height="fill_parent"
        android:background="@drawable/search_overlay"
        android:visibility="gone"/>
</RelativeLayout>
The shape (search_overlay in my case):
<shape xmlns:android="http://schemas.android.com/apk/res/android">
    <!-- identical start and end colour: a uniform black overlay with alpha 0x80 -->
    <gradient
        android:startColor="#80000001"
        android:endColor="#80000001"/>
</shape>
Now onSearchRequested() must be overridden to set the View (in my case R.id.list_search_overlay) to visible. Finally a listener registered via SearchManager.setOnDismissListener() hides the View again (GONE) when the search dialog is closed.
The code (from the activity):
// inside the activity (here ServiceListBase)
import android.app.SearchManager;
import android.app.SearchManager.OnDismissListener;
import android.content.Context;
import android.view.View;

@Override
public boolean onSearchRequested() {
    // show the semi-transparent overlay while the search dialog is open
    findViewById(R.id.list_search_overlay).setVisibility(View.VISIBLE);
    final SearchManager searchManager =
            (SearchManager) getSystemService(Context.SEARCH_SERVICE);
    searchManager.setOnDismissListener(new OnDismissListener() {
        @Override
        public void onDismiss() {
            // hide the overlay again once the dialog is dismissed
            ServiceListBase.this.findViewById(R.id.list_search_overlay).setVisibility(View.GONE);
        }
    });
    return super.onSearchRequested();
}
I hope this helps you optimize the user experience of your app.
Cheers Mavi
How to write a paper in a scientific context
Have you ever been in the position of writing a scientific paper without knowing where to start and what to do?
In the paper "How to Write a Paper" the author Mike Ashby describes five steps to writing a successful paper. It was very helpful while I wrote my Bachelor's thesis, so I would like to provide it here.
First he describes how to figure out the market needs and how this leads you to a concept. Based on the concept you produce a first draft and improve it iteratively. Finally the layout has to be done.
This brief manual gives guidance in writing a paper about your research. Most of the advice applies equally to your thesis or to writing a research proposal. The content of the paper reflects the kind of work you have done: experimental, theoretical, computational.
Download as *.pdf: How to Write a Paper
Cheers Mavi
PowerShell 2.0 – Binary Runtime measuring
How to measure the runtime of applications without doing it inside the program itself?
PowerShell is a handy tool for this on Windows. Sometimes it is not possible to measure the runtime of a specific algorithm or program within the program itself, i.e. in its native code, or you simply want to measure several programs in an automated way. Get the job done with the Windows PowerShell!
To be concrete:
function Pause ($Message = "Press any key to continue...")
{
    Write-Host -NoNewLine $Message
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    Write-Host ""
}

function Benchmark($path)
{
    Write-Host "Benchmark for" $path
    # milliseconds since 1970-01-01 (Unix epoch)
    $startTime = New-TimeSpan "01 January 1970 00:00:00" $(Get-Date)
    $startTimeLong = [long] $startTime.TotalMilliseconds
    Write-Host "Started @" $startTimeLong
    # -Wait blocks the script until the launched process has terminated
    Start-Process -Wait $path
    $endTime = New-TimeSpan "01 January 1970 00:00:00" $(Get-Date)
    $endTimeLong = [long] $endTime.TotalMilliseconds
    Write-Host "Ended @" $endTimeLong
    $result = $endTimeLong - $startTimeLong
    Write-Host "Time(Milliseconds):" $result
}

# PowerShell functions take space-separated arguments; Benchmark("a.exe") only
# happens to work because a single parenthesised expression is one argument.
Benchmark "a.exe"
Benchmark "b.exe"
Benchmark "c.exe"
Benchmark "../pki3/d.exe"
Benchmark "../pki3/e.exe"
Pause
The function "Pause" I've taken from the Windows PowerShell Blog. The function "Benchmark" handles the measurements for the given program (program path).
To measure the time while the program is running, it first gets the date and saves it as a long (milliseconds since 01.01.1970) in $startTimeLong. Afterwards the external program is started; the parameter "-Wait" makes the script pause until it terminates. After termination it gets the date again and saves it as $endTimeLong. The difference in milliseconds is the execution time.
Various uses of this function are conceivable.
Cheers Mavi
The Shell with Power! PowerShell 2.0 [how to activate script execution]
Sick of *.bat shell scripts? Try PowerShell (2.0)!
It's not really new, but I just didn't need it until now, and I'm surprised by how powerful it is. In addition it comes with a small IDE that makes developing and debugging very handy.
Before you can enjoy the power of the shell you have to enable script execution on your system by setting the execution policy:
Start PowerShell as administrator.
Get-ExecutionPolicy
displays the current policy.
Set-ExecutionPolicy RemoteSigned
sets the policy. Valid values are:
- Restricted -> no PowerShell script can run at all (the default)
- AllSigned -> every script needs to be signed (check the PS Blog for details). A possible choice, but too cumbersome for my taste.
- RemoteSigned -> local scripts run unsigned, scripts downloaded from the web need to be signed. My choice! Note that "downloaded" is decided by the Zone.Identifier mark that browsers attach to files, so this policy is a safety net against accidentally running downloaded scripts, not a security boundary.
- Unrestricted -> every script runs. Way too insecure!
After changing the policy you can run your scripts. You can simply work with a text editor (e.g. Notepad++) and save the script as *.ps1. If you do so, you can start the script by double-clicking it in your file browser.
Even more comfortable is the PowerShell ISE. It comes with syntax highlighting, execution of selected parts of a script, and real debugging.
Finally I have another use for it: as a calculator! Nice if you want to see your calculation and not just the final result. More…
Cheers Mavi