This presentation was given at the Over The Air event #ota11 at Bletchley Park. The idea was to get developers thinking about how they are securing their applications (or not) and to have an open discussion about methods that could be employed to help developers. Julius Caesar was nearly defeated a few times and had his codes have been broken, just maybe, the world might have been a different place. For more information on the individual battles (I did a verbal run through, check out the great wikipedia pages on them). The code breaking exercise contained within is a fun tool to help people understand about the need to protect information.

1. Historical code cracking with phones: What if Pontus, the Gauls, Germans, Nervii, Egyptians and Helvetii had iphones?Over The Air 2011, Bletchley Park http://www.mobilephonesecurity.org David Rogers, Copper Horse Solutions Ltd. 1st October 2011

2. http://www.mobilephonesecurity.org Some Information About Me 12 years in the mobile industry Hardware and software background Head of Product Security at Panasonic Mobile Worked with industry and government on IMEI and SIMlock security Pioneered some early work in mobile phone forensics Brought industry together on security information sharing Director of External Relations at OMTP Programme Manager for advanced hardware security tasks Chair of Incident Handling task Head of Security and Chair of Security Group at WAC Owner and Director at Copper Horse Solutions Blog: http://blog.mobilephonesecurity.org, Twitter: @drogersuk About Copper Horse Solutions Ltd. Established in 2011 Software and security company Focussed on the mobile phone industry Services: Mobile phone security consultancy Industry expertise Standards representation Mobile application development http://www.copperhorsesolutions.com

3. Histiaeous http://www.mobilephonesecurity.org In 499BC sent a trusted slave to encourage a revolt against the Persians Shaved the head of the slave Tattooed a message to his head, let the hair grow back Recipient shave off the slave’s hair to get the message This is an early form of steganography From: http://www.retroworks.co/scytale.htm

4. Scytale http://www.mobilephonesecurity.org Transposition cipher Ancient Greeks, particularly the Spartans used it for military communication (also apparently used by the Romans): From: http://www.retroworks.co/scytale.htm

5. CAESAR Shift http://www.mobilephonesecurity.org Supposedly used by Caesar to protect military messages – by shifting the alphabet 3 places to the left: Still used today (scarily!) – e.g. ROT13 It helped that a lot of Caesar’s enemies were illiterate anyway… From: http://www.retroworks.co/scytale.htm

6. Phaistos Disc… http://www.mobilephonesecurity.org Still plenty of mystery text to decipher out there… Source: PRA

7. Code Cracking Challenge http://www.mobilephonesecurity.org After each battle I describe there will be some codes to crack in which you would be able to change the course of history. You can also get these at: http://blog.mobilephonesecurity.org From: http://www.retroworks.co/scytale.htm

8. Some Source Code to Help! http://www.mobilephonesecurity.org Hint: The codes are all Caesar ciphers but with different rotations https://github.com/mkoby/RotationCipher (not mine!) and a cheat: http://textmechanic.com/ROT13-Caesar-Cipher.html

9. Julius Caesar (Briefly!) http://www.mobilephonesecurity.org 100BC – 44BC Spent 9 years campaigning in Gaul (and made a fortune) Invaded Britain Was involved in a civil war with Pompey Defeated the Egyptians Assassinated on the ‘Ides of March’ in 44BC

10. http://www.mobilephonesecurity.org

11. List of Battles http://www.mobilephonesecurity.org 58BC Battle of the Arar – Helvetii 58BC Battle of Vosges - Germans 57BC Battle of the Sabis – Nervii 52BC Battle of Alesia - Gauls 47BC Battle of the Nile - Egyptians 47BC Battle of Zela - Pontus

12. Battle of the Arar http://www.mobilephonesecurity.org 58BC Caesar v Helvetii, Switzerland

13. Break This Roman Code! http://www.mobilephonesecurity.org Also here: http://blog.mobilephonesecurity.org Can the Helvetians defeat Caesar? bgxxwfhkxmbfxyhkkxbgyhkvxfxgml

14. Battle of Vosges http://www.mobilephonesecurity.org 58BC Caesar v Germans, River Rhine, Alsace

15. Break This Roman Code! http://www.mobilephonesecurity.org Also here: http://blog.mobilephonesecurity.org Should the Germans attack the Romans? bpmumvizmnqopbqvonqbemkivpwtlwcbnwzivwbpmzemms

16. Battle of the Sabis http://www.mobilephonesecurity.org 57BC Caesar v Nervii, Wallonia

17. Break This Roman Code! http://www.mobilephonesecurity.org Also here: http://blog.mobilephonesecurity.org Are the Nervii ready for Caesar? muqhuweydwjeruqjiqryiydjmetqoi

18. Battle of ALesia http://www.mobilephonesecurity.org 52BC Caesar v Gauls, France

19. Break This Roman Code! http://www.mobilephonesecurity.org Also here: http://blog.mobilephonesecurity.org Is there anything the Gauls do to help themselves? qebobfpxtbxhmlfkqfklrotxiikbxoqebqobbp

20. Battle of the NILE http://www.mobilephonesecurity.org 47BC Caesar & Cleopatra v Ptoloemic forces, Alexandria, Egypt

21. Break This Roman Code! http://www.mobilephonesecurity.org Also here: http://blog.mobilephonesecurity.org Are the Egyptians ready for action? wbssrgiddcfhhcpfsoycihobrtwuvhdhczsam

22. Battle of Zela http://www.mobilephonesecurity.org 47BC Caesar v Pontus, Turkey

23. Break This Roman Code! http://www.mobilephonesecurity.org Also here: http://blog.mobilephonesecurity.org Save Pontus? sbkfsfafsfzf

24. http://www.mobilephonesecurity.org Mobile Phones! Open discussion on mobile application security

25. Don’t Use Roman Codes! http://www.mobilephonesecurity.org ROT13 and XORing / obfuscation are not adequate!! Modern crypto (not surprisingly) is significantly better However, developers don’t have access to secure hardware APIs on mobile 

26. Mobile Development http://www.mobilephonesecurity.org How are you storing keys for both symmetric and asymmetric ciphers? Common issue amongst developers Also application signing keys

27. Mobile Development http://www.mobilephonesecurity.org Think about security when designing your apps Are you playing fast and loose with your users’ private data? Have you explained to users why you used certain permissions? What have you (not) encrypted? Is your application designed badly? – gift to hackers / fraudsters? E.g. asking for credit card details from a QR code

28. Mobile Development http://www.mobilephonesecurity.org Do your research Are you using weak / insecure methods? Do you understand basic secure coding techniques? Do you understand the platform security guidelines?

29. Discussion http://www.mobilephonesecurity.org From: http://stackoverflow.com/questions/4671859/storing-api-keys-in-android-is-obfustication-enough

30. Discussion http://www.mobilephonesecurity.org “I look at KeyStore but it does not really solve my problem. It can store my keys given that I can provide a password. Then I need to find a secure place to store this password which is same as my original problem.”

31. Platform Security Guidelines http://www.mobilephonesecurity.org Apple: http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Introduction.html Android:http://developer.android.com/guide/topics/security/security.html Blackberry: http://docs.blackberry.com/en/developers/deliverables/29302/index.jsp?name=Security+-+Development+Guide+-+BlackBerry+Java+SDK7.0&language=English&userType=21&category=Java+Development+Guides+and+API+Reference&subCategory= Windows Phone 7 (Nokia Guidelines): http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security

32. http://www.mobilephonesecurity.org Romans with iphones…. Contact Email: david.rogers@copperhorses.com Twitter: @drogersuk Blog: http://blog.mobilephonesecurity.org http://www.flickr.com/photos/laurenthaug/4127870976/sizes/l/in/photostream/

33. http://www.mobilephonesecurity.org Code Solutions Don’t look at the next slide if you don’t want the answers!

34. Code Solutions http://www.mobilephonesecurity.org Helvetii: I need more time for reinforcements (h shift) Germans: the men are fighting fit we can hold out for another week (s shift) Nervii: we are going to beat sabis in two days (k shift) Gauls: there is a weak point in our wall near the trees (d) Egyptians: I need support to break out and fight ptolemy (m shift) Pontus: venividivici(d shift) The famous: I came, I saw, I conquered message Of course, the Pontic army could not save themselves!