Author Archives: mberezin

What’s KRACK, and Why Should It Bother You?

You may have recently noticed a new headline on the IT Newsreel you see when logging into a UMass service. The headline reads “Campus Wireless Infrastructure Patched Against New Cybersecurity Threat (Krack Attack)”. It’s good to know that UMass security actively protects us from threats like Krack, but what is it?

The KRACK exploit is a key reinstallation attack against the WPA2 protocol. That’s a lot of jargon in one sentence, so let’s break it down a little. WPA2 stands for Wi-Fi Protected Access Version 2. It is a security protocol that is used by all sorts of wireless devices in order to securely connect to a Wi-Fi network. There are other Wi-Fi security protocols, such as WPA and WEP, but WPA2 is the most common.

WPA2 is used to secure wireless connections between the client, such as your smartphone or laptop, and the router/access point that transmits the network. If you have a Wi-Fi network at home, then you have a router somewhere that transmits the signal. It’s a small box that connects to a modem – another small black box – which might connect to a large terminal somewhere in your house called the ONT, and which eventually leads to the telephone poles and wiring outside in your neighborhood. Secure connections have to be implemented at every level of your connection, which can range from the physical cables that are maintained by your internet service provider, all the way to the web browser running on your computer.

In order to create a secure connection between the router and the client, the two devices have to encrypt the data that they send to each other. In order to encrypt and decrypt the data they exchange, the two devices have to exchange keys when they connect. The two devices then use these keys to encrypt the messages that they send to each other, so that in transit they appear like gibberish, and only the two devices themselves know how to decipher it; they use these same keys for the duration of their communications.

WPA2 is just a protocol, meaning that it is a series of rules and guidelines that a system must adhere to in order to support it. WPA2 must be implemented in the software of a wireless device in order to be used. Most modern wireless devices support the WPA2 protocol. If you have a device that can connect to eduroam, the wireless network on the UMass Amherst campus, then that device supports WPA2.

This KRACK exploit is a vulnerability in the WPA2 protocol that was discovered by two Belgian researchers. They were able to get WPA2-supporting devices to send the same encrypted information over and over again and crack the key by deciphering known encrypted text content. They were able to get WPA2-supporting Android and Linux devices to reset their WPA2 keys to all zeroes, which made it even easier to crack encrypted content.
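The core of what the researchers did is easiest to see with a stream cipher: every packet is encrypted by XORing it with a keystream derived from the key and a per-packet nonce (counter). If a replayed handshake message makes a device reinstall its key and restart the counter from zero, two different packets get the same keystream, and anyone who can guess the contents of one packet (a predictable HTTP request, say) can strip the encryption off the other without ever learning the key. The example below is added here for illustration and is not the researchers’ code or WPA2’s real AES-CCMP construction; the SHA-256-based keystream, the `Sender` class and the sample packets are all constructed. The `hardened` variant models the behaviour the patches added: a key that is already installed is not reinstalled, so the counter never resets.

```python
import hashlib

# Constructed toy CTR-style stream cipher: each keystream block is
# SHA-256(key || nonce || counter). This is NOT WPA2's real AES-CCMP cipher;
# it only shares the property that matters for KRACK: reusing a (key, nonce)
# pair reuses the keystream.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Stream-cipher encryption: ciphertext = plaintext XOR keystream.
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_from_keystream_reuse(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    # If two ciphertexts share a keystream, C1 XOR C2 == P1 XOR P2, so knowing
    # P1 exposes the overlapping part of P2. The key itself is never recovered;
    # it is the keystream that leaks.
    n = min(len(ct_known), len(pt_known), len(ct_target))
    leaked_keystream = xor_bytes(ct_known[:n], pt_known[:n])
    return xor_bytes(ct_target[:n], leaked_keystream)


class Sender:
    """Models the nonce handling of one side of the wireless link (constructed).

    hardened=False: every key install restarts the packet counter at zero,
                    so a replayed install message causes keystream reuse.
    hardened=True:  an install of the key that is already in use is ignored
                    and the counter keeps counting (the patched behaviour).
    """

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.counter = 0

    def install_key(self, key: bytes) -> bool:
        if self.hardened and self.key == key:
            return False  # retransmitted install message: ignore, keep counter
        self.key = key
        self.counter = 0
        return True

    def send(self, plaintext: bytes):
        nonce = self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce, encrypt(self.key, nonce, plaintext)


KEY = bytes(range(32))                        # constructed sample session key
KNOWN = b"GET /index.html HTTP/1.1\r\n"      # constructed: predictable traffic
SECRET = b"Cookie: session=4b1d-EXAMPLE\r\n"  # constructed: what would leak


def demo(hardened: bool) -> bool:
    """Return True if SECRET is exposed after a replayed key install."""
    s = Sender(hardened)
    s.install_key(KEY)
    _, ct_known = s.send(KNOWN)
    s.install_key(KEY)                        # replayed handshake message
    _, ct_secret = s.send(SECRET)
    recovered = recover_from_keystream_reuse(ct_known, KNOWN, ct_secret)
    return recovered == SECRET[:len(recovered)]


if __name__ == "__main__":
    print("vulnerable device leaks secret:", demo(hardened=False))
    print("patched device leaks secret:   ", demo(hardened=True))
```

Run stand-alone, the vulnerable sender reports `True` and the hardened one `False`: the only thing the patch changes is whether the counter restarts, yet that alone decides whether the second packet is readable. The all-zero-key case the article mentions for Android and Linux is the degenerate version of the same problem, since with a known key the keystream can be computed directly rather than recovered from a known packet.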

The real concern is that this is a vulnerability in the WPA2 protocol itself, not just any one implementation of it. Any software’s implementation of WPA2 that is correct is vulnerable to this exploit (newsflash – most are). That means essentially all wireless-enabled devices need to be updated to patch this vulnerability. This can be especially cumbersome because many internet-of-things devices (think of security webcams, web-connected smart home tools like garage doors) are rarely ever updated, if at all. Their software is assumed to just work without needing regular maintenance. All of those devices are vulnerable to attack. This WIRED article addresses the long-term impact that the KRACK exploit may have on the world.

The good news is that many software implementation patches are already available for your most critical devices. UMass Amherst has already updated all of our wireless access points with a patch to protect against the KRACK exploit. Also, with the exception of Android & Linux devices which are vulnerable to key resets, it is not very easy to exploit this vulnerability on most networks. One would need to generally know what they are looking for in order to crack the encryption key, but an attacker may be able to narrow down possibilities with social cues, such as if they see you at Starbucks shopping for shoes on Amazon.

The general takeaway is that you should update all of your wireless devices as soon as possible. If you are interested in learning more about KRACK, how it works on a technical level, and see a demonstration of an attack, check out the researchers’ website.

Browsing the Web Anonymously with a VPN

You may have heard someone say that they use a VPN to protect themselves on the internet. What is a VPN? What does it do? How can you use it to protect yourself?

VPN stands for virtual private network. A VPN is essentially a simulated connection (hence the ‘virtual’ part) to a certain private network (one that can’t normally be reached from outside or over the internet). It allows users to connect to a local private (e.g. corporate) network remotely from, say, their home or a coffee shop, and to interact with that network as if they were directly connected to it. For example, say a developer at a tech startup wanted to work on her project at her local Starbucks instead of commuting into the office, but to protect its intellectual property the startup doesn’t allow anyone to look at its code without being connected to the local onsite network (sometimes referred to as an intranet). The developers at the startup aren’t big fans of the cubicle life, and like to roam around and do their work at the library with a book, or at home with their dogs. Fortunately, the startup has a VPN set up so that the developers can log into the intranet and look at their projects remotely. The computer appears as if it is physically located in the office and has almost all of the access that it would have if it were literally in the office.

But how does the VPN make sure that only the right people have access to the network? This is where the magic of the VPN is. When you log into your VPN client with your username and password and the server authenticates you, your computer creates a point-to-point encrypted tunnel between you and the VPN server — think of it as a really long tube that runs between your computer and the server in the office that nobody in between can look inside of. That means if you’re sitting at Starbucks and your company uses Comcast as its internet service provider, nobody in your Starbucks can peek into your Wi-Fi signal (this is referred to as a man-in-the-middle attack), and Comcast can’t snoop into what’s in the data that your company is sending to you before it delivers it to you.

Computer Privacy Hood

Just like nobody can see what’s going on here between the computer display and the man’s eyes, nobody over the internet can see what’s going on between the endpoints of a VPN point-to-point encrypted tunnel.

Having a reliable, trustworthy connection to a server over the internet can be a very valuable tool. In a world of big data, hacking, online banking, password leaks, and government surveillance, being able to communicate with anyone securely is very important.

In addition to providing secure connections to remote servers, VPNs provide another incredibly useful ability as a sort of side effect — a VPN can act as a sort of ‘online mask,’ so that you can browse around a website without the website knowing exactly who you are. Generally speaking, your identity to the World Wide Web is your IP address, which can be used to determine your location down to the city/town. When you access a website, you send your IP address to the website’s server (so that the website knows who to send information back to), and your internet service provider (e.g. Comcast) knows that you are communicating with this website (if your connection is unencrypted, Comcast can also see the content of your communications with the website). When you access this website through a VPN server, your request first goes through the encrypted tunnel to the VPN server, and the VPN server then bounces the request along to the website itself (over an unencrypted connection). When the website responds to the VPN server, the server bounces the response back to you over your encrypted tunnel. The website believes that they are just communicating with the VPN server, without any clue that their response is being passed on to anyone else. Comcast may be able to read the communications between the website and the VPN server, but they have no way of knowing that the communication is connected to you.

VPN Server Setup

This diagram shows the path that information travels through between your computer and the internet when you are connected to a VPN server. The encryption between your computer and the VPN server prevents anyone from snooping in on the communications between you and the server.

There are other ways to hide your identity on the internet. You can use a proxy, which appears similar to a VPN on the surface. You can connect to a website through a proxy to hide your IP address from the website, so the proxy also acts as a man-in-the-middle, as a VPN does. The difference is that your computer’s connection to the proxy is not encrypted, so from a large enough scope, your communication with the website could be traced back to you. If an internet service provider such as Comcast happened to service both the connection from you to the proxy server, AND from the proxy server to the website, they could piece together that it was you who connected to the website over the proxy, and since the communications aren’t encrypted, they could also see exactly what you were communicating about with the website over the proxy. Proxies also don’t mask your IP address for the entire computer — you have to configure each application individually to send all of its internet-based protocols through a proxy server. VPNs are OS-wide, meaning that they protect your entire computer no matter what internet-based protocol is being sent out.

Proxy Server Setup

The layout of a connection to a proxy server. Only individual applications can connect to a proxy server, not the entire computer. Communications are also not encrypted and open to being intercepted.

Thanks to the ability to provide anonymity over the internet, some companies have emerged that make a business out of providing access to their VPN servers. Their business model is that, for a fee, you can connect to their VPN servers to use as an ‘online mask’ however you like, and whatever you do won’t be traced back to you. The catch is whether a particular company is trustworthy or not — some VPN service providers log your activity and hand it to the authorities or sell it to the highest bidder, essentially nullifying the anonymity that a VPN provides. You should always be skeptical and selective when choosing a VPN service provider; and remember, you get what you pay for. There are many free VPN service providers out there that allow you to use their servers for free up to a certain bandwidth; as a general rule of thumb, whether it be regarding free VPN service providers or free social networks, as long as someone is making a profit, if you’re not paying for the product, YOU are the product!

In conclusion, there are many ways to protect yourself over the internet, and selecting the best tool for your needs is the way to go. If you’re abroad and you want to watch a show on Netflix but it’s not available in the country you’re in, you can use a proxy to connect to a US server and stream it over your proxy connection, since encryption isn’t mandatory for this case. If you’re at Dunkin’ Donuts and you’re working on a top-secret project for your startup and you don’t want any tech-savvy thieves stealing your code over your free Wi-Fi connection, you can use a VPN to encrypt your connection between you and your company server. If you want to check your bank account online, but the bank doesn’t have good online business practices and doesn’t encrypt its web communications by default, you may want to use a VPN when logging into your bank’s website to make sure that nobody successfully phishes for your username and password. And if you’re working on an absolutely, positively, unconditionally classified, top-secret, sensitive, need-to-know-basis document, but you really, really, really want to get a Frappuccino, perhaps you should consider getting yourself one of those sweatshirts with the oversized privacy hoods that you can wrap around your computer display, as seen above.

Getting Started with Android Studio

Android is a great platform for a beginner developer to make his or her first smartphone app on. Android apps are written in Java, and the graphics are generally written in XML. Android apps are developed in many well-known IDEs (integrated development environments – programs that typically package together a code editor, compiler, debugger, interpreter, build system, version control system, and deployment system, as well as other tools) such as Eclipse, IntelliJ IDEA, and Android Studio. In this article we will cover the basics of Android Studio.

Android Studio logo


Virtual Reality: The Next Generation of Gaming

Virtual reality has long been a dream of gamers everywhere. The next level of immersion into a fictional world will bring players themselves into the game, instead of simply showing it on a screen. The idea of being ‘plugged in’ to a different reality has been used in fictional films like The Matrix and TV shows like Fringe, but that’s all these realities have been – fiction.

Until now.

For the past few years, virtual reality projects have been popping up and growing in complexity and immersion. There are a few different ideas about how it should be done; here we will take a look at some of the most well-known virtual reality projects.

Oculus Rift


The Oculus VR company logo, creators of the Oculus Rift.

One of the first major virtual reality projects, the Oculus Rift is arguably the most recognizable name in the industry so far. Originally announced in August 2012, the Oculus Rift started as a Kickstarter campaign that raised $2.4 million. In June 2015, Facebook bought the Oculus VR company for $2 billion. Oculus Rift devices have been seen at numerous gaming and technology expos, such as PAX, E3 and SXSW, as development kit platforms for many indie games. The Oculus Rift Development Kit has gone through two iterations and has been used for development for the past three years.

The Oculus Rift boasts a 1080×1200 resolution per eye, a 90Hz refresh rate, and a 100 degree field of vision. The consumer edition of the device is approaching its release in Q1 2016.

Initially, it was little more than a virtual reality development kit exclusive to developers and game studios. The company had been distributing Development Kits since its Kickstarter campaign. Today, the Oculus Rift is preparing for its consumer launch, and some preorders have already been shipped.


The Oculus Rift Consumer Edition, available Q1 2016.

The Oculus Rift is generally considered the most premium of current VR projects. The manufacturing process for the Rift involves hundreds of custom parts and tracking sensors. The project has been praised for being one of the most sleek and seamless VR devices, and is also notable in its progress in one of the biggest challenges in the VR industry today: VR interaction.

We are a long way away from virtual reality experiences that would allow the user to naturally move in or touch something in the environment. Many other projects leave the user stationary and only able to look around; some, including the Oculus Rift, allow users to move using a gamepad. Oculus, however, has also made progress of their own in VR interaction. The Oculus Touch is a pair of ergonomic controllers featuring buttons, joysticks, and triggers that also track hand movement. The Oculus Touch complements the Oculus Rift and is currently available for developers.


The Oculus Touch controllers communicate wirelessly with the Oculus Rift, offering a more immersive and less tethered VR interaction experience.

The Oculus Rift will need to be run by a very powerful computer, since it is so graphically intensive. Their website recommends a machine with:

  • CPU: Intel i5-4590 equivalent or greater
  • GPU: GTX 970 / AMD 290 equivalent or greater
  • RAM: 8GB+
  • OS: Windows 7 or newer
  • 2x USB 3.0 ports
  • 1x HDMI 1.3 video output

Dell, Alienware, and ASUS have already announced lines of Oculus-ready high performance PC towers, starting at around $950-$1000.

The Oculus Rift Consumer Edition is scheduled to hit the market in Q1 2016. It will cost $350, and include removable headphones (allowing the user to use their own headphones), an Xbox One for Windows controller, the Oculus Touch controller, and an LED camera stand used to track head movement.

Samsung Gear VR

Originally announced in September 2014, the Samsung Gear VR was developed by Samsung in collaboration with Oculus. The device itself is not a complete virtual reality experience; the most recent revision needs a Samsung Galaxy S6, S6 Edge, or Note 5 to be plugged into it by Micro USB to act as the display and processor. The headset itself contains only the field of view lenses and an accelerometer (the phone’s built-in accelerometer is not very powerful and does not provide adequately accurate tracking capability to provide a premium VR experience).


Samsung’s most recent revision of the Gear VR, made for use with the S6 device line.

The Samsung Gear VR is currently one of the most popular consumer-grade virtual reality headsets because of its low price; the headset itself only costs $100. The phone, of course, is separate, but many Gear VR users already use an S6 device as their personal smartphone.

The Gear VR features a small trackpad and button on the right side of the headset, allowing for limited VR interaction capability.


Will from Tested gives the Samsung Gear VR a shot – but forgets to insert the display. Click to watch their test run of the headset.

However, you do get what you pay for. The display’s immersion is only as good as the device powering it, which is usually 60Hz or less, and there are no built-in headphones; you have to plug them into the phone and deal with the headphone wire. Graphics are usually prerendered and not as detailed as tethered VR devices that rely on a PC tower for active rendering.

Google Cardboard

Google Cardboard is the cheapest of the consumer-level options for virtual reality. It is essentially a build-it-yourself Gear VR. Like the Gear VR, it is powered entirely by the smartphone, but unlike the Gear VR, it relies on the phone’s built-in accelerometer, and there is no headstrap, so you have to hold the device up to your eyes while using it. The headset itself is, as the name implies, nothing but a folded cardboard container with a pair of convex lenses inside.


A Google Cardboard headset using a Nexus phone. The phone is folded into the front of the headset and held in place with velcro.

Google Cardboard is easy to make at home, and its website gives instructions on how to find the parts necessary and put them together. There are many manufacturer variations on Google Cardboard that are built in different ways and available for purchase and assembly.


A diagram of the basic parts needed to assemble Google Cardboard. Click the image to learn more about how to get Google Cardboard.

The headset fits any phone up to 6″ and Cardboard apps are available for iOS, Android, and Windows Phone.

HTC Vive

The HTC Vive, announced in March 2015, is a virtual reality headset being developed in partnership between HTC and Valve. The device is part of Valve’s larger effort to expand the Steam platform into more areas – including other projects such as the Steam Controller, Steam Link, Steam Machines, and SteamOS, all part of the Steam Universe.


The many dots on the front of the headset are laser position sensors – the device is meant to operate in a 15'x15' space.

The headset is tethered to a base known as the Lighthouse, but it is still meant to be moved around in. The device contains more than 70 sensors including a MEMS gyroscope, accelerometer and laser position sensors. The headset comes with two Lighthouse towers that emit lasers to map out the room in accordance with the headset’s front cameras. The cameras also track static and moving objects in front of the user, allowing the device to warn the user of hitting an obstacle, like a wall.

Valve has released SteamVR APIs to everyone under the label OpenVR, allowing developers to create virtual reality environments with or without the use of Steam.

The Vive Developer Edition is available now for free for certain developers, and it comes with SteamVR Controllers, a pair of one-handed controllers similar to the Oculus Touch, but based on the concave trackpads of the Steam Controller. No word yet on a Consumer Edition.

Microsoft HoloLens

Microsoft’s HoloLens platform is a little different from the other virtual reality headsets we’ve seen; it’s more like Google Glass than the Oculus Rift. Instead of showing you a completely different world, the HoloLens captures the setting around you and superimposes ‘holograms,’ in a sort of ‘mixed reality.’ You still see what’s in front of you, but you can see and interact with non-real figures as if it’s all right in front of you.

https://www.youtube.com/watch?v=aThCr0PsyuA

Users can interact with the holograms through eye movements, voice commands, and hand gestures. The device uses an array of video cameras and microphones, an inertial measurement unit (IMU), an accelerometer, a gyroscope, and a magnetometer. A ‘light engine’ sits atop the lenses and projects light into a diffractive element that then reflects into the user’s eyes, creating the illusion of holograms.


Microsoft bought Mojang in September 2014 for $2.5 billion. Minecraft for HoloLens is one of the most notable uses for the headset currently in development.

The most impressive part of the HoloLens is its integration. The device needs no wires nor external processing power. It is completely untethered, allowing the user to move freely through their environment. The headset houses the battery and all of the processor systems inside. It contains a holographic processing unit (HPU) that takes in the information from the environmental sensors and creates the holograms. The holographic display is presented with an optical projection system.


The Microsoft HoloLens is completely untethered and houses all of the processing power inside of the headset.

The Development Edition will begin shipping in Q1 2016 and will cost $3000. There is no word yet of a consumer edition.