Archive for October, 2011

Turkey to rewrite software source codes of 204 F-16 fighters

October 31st, 2011

The US administration agreed in principle almost two months ago for the transfer of information over software source codes of US Lockheed Martin-made F-16 fighters to Turkey.

Once the agreement is completed, and if approved by the US Congress, Turkey will have the capability to automatically modify the software source codes of the fighters’ weapons systems with national software source codes, said US sources who asked not to be named.

Turkey will become the first of the 26 nations that have F-16s in their inventories to be able to receive information on the F-16 fighters’ software source codes (primarily their weapons systems), thereby enabling it to replace them with national software source codes whenever necessary.

Once Turkey and the US complete around 50 pages of technical details over the nature of the US transfer of technology, an agreement should be signed, pending US congressional approval.

The US Congress has long prevented arms transfers to NATO member Turkey, mainly in reaction to its strained ties with Israel.

However, the US administration has as of late sought US congressional authorization for the sale of three AH-1W Super Cobra attack helicopters to Turkey. This indicates a softening on the part of Congress toward Turkey.

Turkey has a long-standing request for Super Cobras. It has a shortage of these helicopters, required in its ongoing fight against the outlawed Kurdistan Workers’ Party (PKK) terrorists, who have increased their violent attacks as of late.

Meanwhile, it is not clear whether the US administration will seek US congressional authorization for another long-standing Turkish request for the sale of four Predator unmanned aerial vehicles (UAVs) and two armed Reaper UAVs.

However, some of the weapons, including Predators that the US reportedly pledged to transfer to Turkey as it withdraws from Iraq in December of this year, are said to not be subject to the approval of the US Congress. These are weapons the US used during its war in Iraq.

Missile defense link

US sources stated that Washington has agreed in principle to transfer the information mainly concerning the weapon systems of the F-16s so that Turkey can integrate by itself the national software source codes because Turkey has pursued a very persistent policy on the matter.

However, Turkey’s approval to deploy a radar system of the US-supported NATO Missile Defense System on its soil is understood to have played an important role in Washington’s agreement to in principle transfer the software source codes of mainly the weapons systems of the F-16s to Turkey. Turkey agreed last month to host a powerful US-supplied radar system to act as advanced eyes for a layered shield against ballistic missiles coming from outside Europe.

The AN/TPY-2 surveillance radar in Turkey will boost the shield’s capability against Iran, which Washington alleges is seeking to build nuclear weapons, a charge Tehran denies.

“By agreeing to transfer information on F-16 weapon systems so that Turkey could automatically integrate them with national software source codes, the US sought to ease tensions with its NATO ally, which is important in safeguarding US interests in the Middle East. The US also puts strong emphasis on seeing Turkish-Israeli relations normalize,” said the US source.

50 weapons systems on each F-16

Lockheed Martin this year began supplying Turkey with 14 F-16C variants and 16 F-16Ds under a deal signed in May 2007. The total cost of 30 additional F-16s to Turkey is $1.78 billion.

Under a separate agreement signed in April 2005 between Turkey and the US, 213 Turkish F-16s are being upgraded at a cost of $1.1 billion at the Turkish Aerospace Industries (TAI) in Ankara. Turkey will be able to change the software source codes of the weapons systems on a total of 204 F-16s with national software source codes if a final agreement is reached with the US.


Local software upstarts use employers to find consumers

October 31st, 2011

HelloWallet experimented with seven different business models when the District-based firm piloted its financial management software last spring, including direct-to-consumer sales and partnerships with mortgage servicers.

Executives ultimately chose to sell the program to large corporations and 401(k) providers that in turn offer it as a benefit to their employees and clients. It, more than any other model, would allow them to grow rapidly, said chief executive Matt Fellowes.

“Trying to buy customers or convert customers on a one-by-one basis in the consumer market is a lot like playing the lottery,” Fellowes said. “There’s hundreds of thousands of companies that have failed at that.”

Several local startups have taken an approach similar to HelloWallet, opting to bypass the massive-but-risky consumer market and instead pitch their products as a benefit that large corporations should offer employees.

But these businesses often exchange one set of challenges for another. While consumers may be finicky and bombarded with options, big corporations can be price-conscious and risk-averse.

Corporations have scaled back the amount of money they spend on employee benefits in recent years as health care costs rise and economic uncertainty strains budgets, said Mark Schmit, vice president of research at the Society for Human Resource Management.

A report released in June by the Alexandria-based organization found that 77 percent of surveyed HR professionals said the economy had a negative impact on their company’s benefits offerings to some or a large extent.

Schmit added that the ratio of base salary to benefits has remained relatively constant in the past decade. Thus as health care costs have climbed, other voluntary benefits, such as education or relocation assistance, have been squeezed out of the mix.

“Because the money is limited, if they cut in one place, they want to try to find a way to compensate for that cut,” he said. “So they try to take on benefits that will cost them little or nothing.”

Cost savings to the employer or health care payer have been an integral part of WiserTogether’s sales pitch. The District-based software firm sells products to help people make medical decisions based on others’ experiences and what insurance covers.

“They don’t add benefits for the heck of adding benefits,” said founder and chief executive Shub Debgupta, who formerly led the Corporate Executive Board’s Benefits Roundtable. “They are driving to that bottom line and looking to manage their internal costs as well.”

But the notion of spending money to save money may hit a snag in a down economy, Schmit said, when some companies are forced to prioritize short-term survival over long-term savings.

“The problem is a lot of organizations that are running on really tight budgets can’t justify the investment, so it gets put on hold even if it has the potential to save money,” he said.

The Fortune 500-size corporations that HelloWallet, WiserTogether and a third District upstart, FitFeud, target hold significant amounts of cash in their coffers. But convincing them to spend it can require a long and arduous sales process.

FitFeud co-founder J. Nicholas Tolson thinks the potential payoff justifies the effort. His company allows employers to set up health and fitness contests that encourage employees to shed pounds.

“The bottom line is we can get into one company and reach tens of thousands of people at the drop of a hat,” Tolson said. “It may take three months to make that sale, but that’s still quicker than trying to touch thousands or hundreds of thousands of individuals.”


Oxygen Software Performs Forensic Study of Password and Pattern Lock Protection in Android OS Devices

October 31st, 2011

In this study, Oxygen Software enhances the forensic feasibility of recovering or bypassing password lock and pattern lock protection of mobile devices running the Android OS.

In the Android security model, pattern lock and password lock are two different methods used to unlock the device, wake it up from power off or sleep mode, or gain access to the device’s desktop after a period of inactivity. The two methods use different input methods to achieve the task. With password lock, the user enters a plain passcode by typing on the virtual keyboard. Pattern lock works with gestures, allowing the user to enter a password by using a specific touch pattern or sequence, e.g. swiping a finger in different directions.

Researchers from Oxygen Software, the manufacturer of Oxygen Forensic Suite 2011, analyzed this security mechanism and discovered how password lock and pattern lock work and how password and gesture information is stored.

The plain-text password information is stored in the /data/system/pc.key file. The data is represented as a one-way SHA1 hash or the actual password. In order to recover the password, a common brute-force or dictionary attack can be used.

Apparently, pattern lock data is kept in a file named gesture.key, stored in the /data/system folder. The data is hashed with the SHA1 algorithm. In the case of pattern lock, gesture information is stored instead of the actual password it represents. For example, for a finger swipe from the top-left point of the input screen to the bottom-right, the pattern will be recorded as the following byte sequence: 0x00, 0x01, 0x02, 0x05, 0x08, representing the number sequence 1, 2, 3, 6, 9. A dictionary attack is not applicable when recovering gesture information, so brute-force is the only way. Apparently, in this case, some byte combinations would not make sense and cannot appear close to each other. Knowing this, researchers were able to eliminate the impossible combinations, making the recovery of pattern-lock gestures significantly faster than plain brute-force.
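The following is an added example, not code from Oxygen Software or from the original article, showing how small the search space becomes once the impossible combinations described above are eliminated. It assumes gesture.key holds an unsalted SHA-1 over the raw point bytes and that the lock screen accepts 4 to 9 distinct points with no stroke jumping over an unvisited point; all function names are illustrative.

```python
import hashlib
from math import perm

def midpoint(a, b):
    """Point lying exactly between grid points a and b (0..8), else None."""
    rows, cols = a // 3 + b // 3, a % 3 + b % 3
    if a != b and rows % 2 == 0 and cols % 2 == 0:
        return (rows // 2) * 3 + cols // 2
    return None

def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern allowed under the assumed lock-screen rules."""
    def extend(path, used):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            mid = midpoint(path[-1], nxt)
            # Skip revisits and strokes that jump over an unvisited point.
            if nxt in used or (mid is not None and mid not in used):
                continue
            yield from extend(path + [nxt], used | {nxt})
    for start in range(9):
        yield from extend([start], {start})

def gesture_digest(pattern):
    """Assumed gesture.key content: unsalted SHA-1 over the raw point bytes."""
    return hashlib.sha1(bytes(pattern)).digest()

def keyspace_size():
    return sum(1 for _ in valid_patterns())

def unrestricted_size():
    """Ordered selections of 4..9 distinct points with no adjacency rule."""
    return sum(perm(9, k) for k in range(4, 10))

def recover(digest):
    """Exhaust the valid patterns; returns the match or None."""
    return next((p for p in valid_patterns() if gesture_digest(p) == digest), None)

if __name__ == "__main__":
    sample = gesture_digest((0, 1, 2, 5, 8))  # constructed from the article's example
    print(keyspace_size(), "valid of", unrestricted_size(), "orderings")
    print("recovered:", recover(sample))
```

With only 389,112 valid candidates, the stored hash cannot be treated as protecting the pattern once the file is readable, which is consistent with the article's conclusion.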

Performing further analysis, Oxygen researchers found the need to recover either the plain-text password or a pattern-lock combination questionable. Indeed, in order to recover the password or pattern-lock combination, the researcher needs access to the pc.key or gesture.key files stored on the device. In order to gain access to these files, the device must be rooted (Oxygen Forensic Suite 2011 with Android Rooting Add-On is a perfect tool to do that) and the USB debugging mode setting must be switched on. Alternatively, the device can be booted in recovery mode with a special boot loader. However, if the phone is rooted and already has USB debugging mode enabled, then neither pattern lock nor password lock can prevent accessing information from the device.

Moreover, if an Android device is rooted, investigators can simply delete the two files containing the password and pattern locks, or replace these files with ones containing known passwords or patterns. Either way, investigators will be able to access the device’s desktop without knowing the original gesture or password, or even bothering to recover one.

There are commercially available tools offering the recovery of Android passwords or pattern lock sequences. The features are typically marketed as product highlights. Oxygen researchers found that, in the case of Android OS, the recovery is not needed in order to perform a forensic analysis of the device. Granted, Apple and BlackBerry employ a different security model, tying many more essential things to user passcodes. In the case of Android, user-selectable device unlock keys are not being used to encrypt either user or system data, and can be ignored entirely by investigators.

