Feeds

Voice crypto fails spark astroturf claims

SecurStar denies running dirty tricks marketing campaign

Protecting users from Firesheep and other Sidejacking attacks with SSL

Doubts have arisen about the integrity of supposedly anonymous tests on the security of voice encryption products.

As previously reported, an "anonymous hacker" called Notrax claims to have defeated 11 out of 15 phone scrambling technologies using the commercially available FlexiSpy wiretapping utility and a 'homemade' Trojan. Notrax published findings from his ongoing work on a blog at infosecurityguard.com.

Other security watchers were suspicious of what the tests actually proved and whether they were actually a marketing exercise disguised as a security review. News of the tests was publicised last week via a press release issued by SecurStar, the developers of PhoneCrypt, one of only three products and the only software technology to come out clean from the tests.

The previously unknown infosecurityguard.com used by Notrax is anonymously registered. Security blogger Fabio Pietrosanti (naif) turned Veronica Mars by baiting a blog post on infosecurityguard.com back to a post on his blog at infosecurity.ch.

This meant that when the blog post on infosecurityguard.com was approved the IP address of a machine making the approval was recorded in infosecurity.ch logs. Sure enough this happened, allowing the IP address of the infosecurityguard.com blog to be traced back to SecurStar.

"This is evidence that the security review made by an anonymous hacker on infosecurityguard.com is in facts a dishonest marketing plan by the SecurStar GmbH to promote their voice crypto product," Pietrosanti writes in a post containing screenshots and evidence to support his conclusion.

Pietrosanti added in an email to El Reg: "I don't remember in all my life a so irresponsible and dirty marketing trick in the security world, abusing of hackers reputations."

Asked to comment on this evidence, SecurStar chief exec Wilfried Hafner denied any contact with Notrax. Notrax, he said, must have been using his firm's anonymous browsing service, SurfSolo, to produce the results reported by Pietrosanti.

Hafner firmly denied suggestions SecureStar had commissioned the research. "If we had done this research we would have published the results ourselves and taken the credit," Hafner told El Reg. "We don't know of Notrax, although it's possible he might have been a tester we gave products to in order to test."

Notrax's work had only publicised a well-known problem, according to Hafner, the susceptibility of phone encryption technology to viruses (malware). "The difference is he taped the tests and posted a YouTube video," Hafner said.

Hafner argued more attention ought to be focused on the results of the tests rather than who is behind them. He criticised Pietrosanti for trying to discredit the results of the tests but acknowledged that other criticism of the test methodology being less than objective may have some validity.

He denied running an astroturfing campaign. "The results were quite favourable. I think that many firms when they see such research would jump on the horse and use it for marketing."

SecurStar's decision to use Notrax's research for publicity purposes just days away from the Mobile World Congress has sparked a scrap that has turned personal. Pietrosanti's blog post points out that Hafner was jailed for three years for phone phreaking offences in Germany back in 1994.

Hafner acknowledged this but said this happened well before he co-founded SecurStar in 2001. "I broke into satellites. It was wrong but it was a long time ago and gave me a solid understanding of security. People are mashing [throwing] dirt to make me and SecurStar look bad, as if we had done something wrong."

Pietrosanti works for a Swiss firm called Khamsa who make phone encryption software called PrivateGSM and have crypto luminary Phil Zimmermann on the board. Zimmerman's Zfone software was one of the 11 products that failed the test. "This is why he [Pietrosanti] is trying to discredit the tests," Hafner alleged. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.