I hear that the creator of the melissa worm was convicted based on the fact that the GUIDs generated could be linked back to a MAC Address of a computer he used.
How hard is it to do this? And what data do they need other than the GUID? Like the MAC Address itself or the time it was created?
That relates to a specific version 1 UUID included in the office document that contained the macro virus, this was becuse it came from UuidCreate/Sequential which did contain MAC info;
For security reasons, UuidCreate was
modified so that it no longer uses a
machine's MAC address to generate
UUIDs. UuidCreateSequential was
introduced to allow creation of UUIDs
using the MAC address of a machine's
Ethernet card.
It depends on how and by what OS/library that GUID was generated. As of Windows and its standard UuidCreate() function:
The UuidCreate function generates a
UUID that cannot be traced to the
ethernet address of the computer on
which it was generated. It also cannot
be associated with other UUIDs created
on the same computer.
Here: http://msdn.microsoft.com/en-us/library/aa379205(v=vs.85).aspx
Whether or not you can identify someone based on a UUID (GUID) depends entirely on the implementation.
RFC 4122 (the RFC for UUID) has three reference implementation (see http://www.ietf.org/rfc/rfc4122.txt) the first of which uses the MAC-address in the unique node identifier, but the other two uses random numbers instead. I've seen both in libraries and sometimes libraries have a switch between these methods, so the only way to know for sure is to read the documentation/source for the specific library you use for UUID/GUID generation.
Usually the MAC-address is hashed, so you could compare the original to the generated, but not decypher the original MAC-address only from knowing the UUID. So far I have only seen UUID generators that don't hash the timestamp so that is easier to find. There is a simple tool that can decode a UUID for you (see http://linux.die.net/man/1/uuid)
Related
I want to know if my BLE 5 (low energy, not "typical"/core bluetooth) embedded system uses (preferably asymmetric) encryption, if encrypted at all.
I'm using this ble module that is communicating with an SOC. My SOC is capable of encryption but the FAE of the BLE module product couldn't come up with any useful information.
My program doesn't appear to have a bonding/pairing process, but I could be wrong since I did not take a closer look at the HAL layer program.
My question is, does BLE 5 require encryption?
If not, how do I find out if my connection is encrypted or not, using methods other than sniffers? For example are there any steps which must be gone through to facilitate encryption, in which case I should check if these steps were skipped or not? (If skipped then surely my communication is in plain texts).
ETA: The target BLE module is based on nrf52832, don't know what BLE stack/softdevice they are using. My soc is STM32WB55 series, using a rather comprehensive BLE stack that supports most functions of which name I couldn't recall for the moment.
BLE does not require encryption for a connection to be made.
At first, every BLE connection starts in Security Mode 1, Level 1 which does not use any encryption at all. Every message will be sent in cleartext. To increase the security two devices have to "pair". Security keys are exchange during the pairing process. There are multiple different pairing methods with different requirements. Have a look at this article for a starting point.
The pairing process is usually not started manually but automatically as soon as a device tries to access a secured characteristic. If you are using a phone to access such a characteristic you will be prompted with a pairing request popup. Based on your description I would assume that your connection is currently not encrypted.
To enable encryption on your SoC please have a look at the function aci_gatt_add_char. This document (direct download link) refers to this function on page 55 and shows that it takes Security_Permissions as an argument. The next page states the possible options as:
0x00: ATTR_PERMISSION_NONE
0x01: Need authentication to read
0x02: Need authorization to read
0x04: Link should be encrypted to read
0x08: Need authentication to write
0x10: Need authorization to write
0x20: Link should be encrypted for write
I am porting some Windows code to Linux. Part of the windows objects properties was not implemented in .net core's linux implementation. UnicastIPAddressInformation.PrefixOrigin is one of them.
.NET Core code docs show define it as:
value that identifies the source of a unicast IP address prefix.
MSDN defines it as:
Specifies how an IP address network prefix was located.
I am searching .NET Core repo browser for the implementation of this property, which returns the following enumeration:
public enum PrefixOrigin
{
Other = 0,
Manual,
WellKnown,
Dhcp,
RouterAdvertisement,
}
I could not find in .NET Core repo browser a class that implements UnicastIPAddressInformation. In .NET Framework repo browser, I understand the struct IdAdapterUnicastAddress is assigned a PrefixOrigin by marshaling OS data into C# classes/types. Anyway, I do not know at this point how to determine which enumeration value should be applied to a given IP.
Knowing barely nothing about computer networks, I am researching what is an IP prefix and how to figure it out. The practical example I could find was this one. As far as I understand, however, it provides a way to calculate the prefix length. I still need to know how to determine the PrefixOrigin enumeration value to a given IP.
Is it something that can be done by simply taking the prefix length into account ? If not, how do I figure out which PrefixOrigin value a given IP should be assigned ?
This field's value is telling you how a configured (or automatically-configured) IP address on the system was determined.
Manual: Somebody keyed it into the adapter configuration GUI in control panel or set it using e.g. netsh or similar.
Well Known: From a well-known source. I'm not really sure if Windows uses this value. It might be used when a 169.254.x.x address is assigned in the absence of any other configuration and when no DHCP server is present.
DHCP: When a DHCP server automatically assigns an IP address, which is the case in almost all home and office networks (but sometimes not on datacenter networks!), this is how you can tell.
Router Advertisement: IPv6 has an automatic configuration system which was supposed to replace DHCP. To keep things simple, think of this as being functionally the same as the field's DHCP value.
Eddystone-EID beacons transmit Ephemeral Identifiers which will be resolved by Google's Proximity Beacon API. This means one can not detect an Eddystone-EID beacon without an active internet connection. The approach is pretty new, so there is not much info on the internet.
Generation of ephemeral identifier and resolving mechanism is described in this paper provided by Google researchers. Here is the summary of the procedure: Eddystone-EID beacons encrypt the value from their embedded time counters with AES-128 using their key, while the key is unique identifier for each beacon. The result is the ephemeral id that's goning to be transmitted. Like every 512 secs, beacons recomputes their ephemeral ids. When an ephemeral id received by the receiver side, the resolver tries to find the key which provides correct decryption among known predefined keys. The found key corresponds to identification of the beacon.
I'm wondering whether it's possible to implement an offline resolving/decryption procedure according to given paper, that works with Eddystone-EIDs on the market. Instead of using a global resolver at the cloud, can we develop a local resolver which works with much less number of beacons?
If yes, is there any previous attempts or implementations etc?
What's your opinions on this topic?
Yes, it is theoretically possible to implement an EID resolver in Android or iOS code that does the calculations to see if an EID transmission comes from a known beacon transmitter.
The mobile device implementation would need to use compatible AES-128 encryption libraries and somehow store copies of the keys needed to do the resolution for each beacon.
When building a server-side resolver implementation for testing purposes, I considered building such a library. I also learned it is very tricky to get everything exactly right. Many AES libraries only provide partial functionality so are unusable.
It is also important to note that US export restrictions on encryption software will make putting apps that do this in the Apple AppStore and Google Play Store problematic.
Is it possible that to identify a network adapter by only its MAC Adress?
I know that it is possible to find out the vendor, but i need the exact Name/Description, e.g. "Intel Ethernet I217-LM".
Update (more info):
Let's say I have 10 MAC addresses. I want to paste them into a (online) tool that gives me then name of the adapter.
Is this even possible? The 6 first digits are vendor specific, I know that but, is there any other scheme?
No, the MAC Address is simply a unique Identifier for each network adapter. You can think of it as a unique random number coded directly into the networking hardware, so that it can never change. You can figure out the vendor, because "blocks" of MAC addresses are assigned to each vendor, in order to ensure that no one gets a card with a duplicate address. To which models the addresses are assigned is up to the vendor, and it is highly unlikely that a vendor will publish such a list.
In order to obtain the information you need, you will have to use a OS/Programming language specific function. If you can tell us what environment you are working on, maybe someone can help you figure out how to get the information.
In C++ I Can Read The MAC Address Of The NIC and Use It To Generate A Unique Identifier For Each Computer That Interacts With My Web Service. Even If The User Deletes Their Cookies, And Temporary Internet Files, Reformats Their HardDrive And Installs A Different Version Of Windows, That Computer Still Generates The Same Unique ID.
How Can I Create Such A Unique Key Using Flex Or Air? The Number Has To Be Either Hardware Based Or Similarly Tamper Resistant.
Thanks In Advance.
In Air 2 you can spawn a native process and get a result back. You'll need to use that to get access to low level info like this.