Nov 20 2014

Who is monitoring your baby?

Data Watchdog announced that a Russian website featured a database listing about 73,000 streaming IP webcams and CCTV systems whose owners are not aware that their camera is broadcasting video. The webcams are located all over the world. They are used in offices, for baby monitoring, in shops, in pubs, etc. All major manufacturers were represented among the breached webcams. The webcams were discovered by scanning the Internet and trying the default password. This is a good illustration of Law 8: If you watch Internet, Internet is watching you. The UK Information Commissioner’s Office recommends changing the camera’s default password and disabling remote access when it is not needed.

The site claims to do this for educational purposes. It seems to be effective, as fewer and fewer feeds are listed. This is what the site displays when you access it:

Sometimes administrator (possible you too) forgets to set the default password on security surveillance system, online camera or DVR. This site now contains access only to cameras without a password and it is fully legal. Such online cameras are available for all internet users. To browse cameras just select the country or camera type.

This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.

Several interesting lessons:

  • As usual, default passwords are to blame. Users, and even professionals (CCTV systems are also listed), do not change the default password. Manufacturers may not want to enforce a change of the default password, as it creates issues when users forget their password, but they should at least propose it the first time the user boots the device.
  • People are not good with security. With the Internet of Things (IoT), there will be more and more connected devices. This means that there will be more and more vulnerable devices on the Net. IoT may make the Internet more brittle.
  • Who will inform the owners of these webcams that they are being spied on? The remedy is simple, but the victims should at least be aware that they need to apply it.

By the way, did you change the default password of all your devices? If not, I urge you to do so.

Nov 04 2014

When DRM sends personal information in the clear…

Adobe offers an eBook reader called Digital Editions. The current version is 4. So far, so good.

Unfortunately, on 7 October, the website “The Digital Reader” reported that Digital Editions 4.0 collected information about reading usage. The data reportedly gathered were the eBooks stored in the reader, the eBooks that had been opened, the pages that were read, and the order in which they were read. This information was sent back to the server adelogs.adobe.com in the CLEAR. Thus, this version had two privacy issues:

  • It collected information without informing the end user.
  • It sent personal information in the clear. Any sniffer could extract this information.

Adobe answered:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy

Obviously, this answer is not satisfactory. Last week, Adobe published a revised version, 4.0.1, that sends the information back over SSL. Furthermore, in a note published on October 23, 2014, Adobe listed the collected information:

  • User ID
  • Device ID
  • App ID
  • Device IP
  • Identification of the book
  • Duration for which the book was read
  • Percentage of the book read

The information is collected only for DRM-protected eBooks. The data gathering is intended for a potential clearing house. Some publishers’ business models may be based on actual consumption.

The lesson is that technologists never learn from past errors. It is no longer acceptable to send private information over the Internet in the clear. HTTPS is an easy way to transfer data securely, and servers scale properly nowadays.

Oct 22 2014

New job

Since yesterday, I am VP media & content security at Sony Pictures. This new affiliation should not have any impact on this blog. Regular readers of this blog know my, hopefully balanced, position regarding copyright and content protection.

Oct 02 2014

Designing a permission system

Asking users to make security-oriented decisions is not always wise. For instance, Android asks the user to accept (or not) the permissions granted to an application at installation time. Recent studies highlighted that only 17% of users paid attention to permissions during the installation phase.
Felt et al., in the paper “How to ask for permission”, defined four potential strategies to manage permissions:

  • The designer automatically grants permissions without involving the end user. This strategy is valid if the designer makes the right decision and if no application abuses the end user. In any case, the end user should be able to reverse the decision.
  • The designer integrates the decision process within the task that the end user performs and that requires a new permission. This is what happens when the user decides which directories a friend may access, or has to push a button to send a message. Usually, the end user is not even aware that he is making a security decision. The end user is not distracted from his primary goal: performing the task. The paper calls this Trusted UI (which I find misleading).
  • The designer opens a dialog box when a decision has to be made. The end user is distracted from his primary goal. Therefore, these dialog boxes should be rare and restricted to decisions that would have severe adverse consequences.
  • At installation time, the designer asks the user to select all permissions. Android applies this strategy.

For the last two scenarios, the user should be helped with explanations that highlight the potential risks he takes when making the decision.

An ideal product would mix the four approaches.  The authors propose an implementation strategy summarized by the figure below.

[Figure: Permission]

The paper is:

A.P. Felt, S. Egelman, M. Finifter, D. Akhawe, D. Wagner, and others, “How to Ask for Permission,” HotSec, 2012, available at https://www.usenix.org/system/files/conference/hotsec12/hotsec12-final19.pdf.

Jul 29 2014

Fingerprinting canvas of browser

In 2012, Keaton Mowery and Hovav Shacham proposed an original method to fingerprint a browser using HTML5: Pixel perfect: Fingerprinting Canvas in HTML5. It uses <canvas>, a new feature of HTML5. <canvas> defines an area of the screen that can be drawn on using primitives. The idea is to write a text, ideally a pangram, into a canvas, retrieve the rendered bitmap of the canvas area (using the toDataURL method), and calculate a digest from this image. The expectation was that rendering would differ slightly depending on the operating system, the version of the browser, the graphics card and the version of the corresponding driver. Canvas fingerprinting differentiated users. Furthermore, all modern browsers support HTML5.

Canvas fingerprinting is transparent to the user. It bypasses any cookie protection, any private browsing mode… If combined with other fingerprinting parameters such as the HTTP user agent or font detection, the uniqueness of the fingerprint is high. The site http://www.browserleaks.com/ demonstrates the differentiation. Do not hesitate to test it with your configuration.

This paper was a nice academic study. This month, Gunes Acar et al. published a paper, “The Web never forgets: Persistent tracking mechanisms in the wild.” They studied different tracking methods used by the top 100,000 web sites (as ranked by Alexa). They discovered that 5.5% of these sites used canvas fingerprinting! It is mainly used by the “AddThis.com” system. Furthermore, by reverse engineering the AddThis code, they highlighted that AddThis improved on the technique described in the seminal paper. For instance, the developers used a perfect pangram, or drew two rectangles and checked whether a specific point was part of the path…

User tracking is an arms race, and tracking software uses the latest academic research results.
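From the defender's side, the write-text-then-read-back sequence described above is what an instrumented browser can look for. The following is an added example, not code from this post or from either paper; the call-log format, the example.* URLs and the two thresholds are assumptions of the example.

```javascript
// Constructed records of canvas API calls, as a browser instrumentation layer
// might log them (hypothetical format; array order = call order).
const sampleCalls = [
  { script: "https://tracker.example/fp.js", canvasId: 1, width: 300, height: 150,
    method: "fillText", arg: "Cwm fjordbank glyphs vext quiz" },
  { script: "https://tracker.example/fp.js", canvasId: 1, width: 300, height: 150,
    method: "toDataURL", arg: "image/png" },
  { script: "https://charts.example/plot.js", canvasId: 2, width: 600, height: 400,
    method: "fillText", arg: "Q3" },
  { script: "https://charts.example/plot.js", canvasId: 2, width: 600, height: 400,
    method: "toDataURL", arg: "image/jpeg" },
  { script: "https://game.example/main.js", canvasId: 3, width: 800, height: 600,
    method: "fillText", arg: "Score: 1200" },
];

const TEXT_WRITES = new Set(["fillText", "strokeText"]);
const MIN_SIDE = 16;           // assumed: smaller canvases carry too little detail
const MIN_DISTINCT_CHARS = 10; // assumed: pangram-like text, not a short label

// Number of distinct letters a-z in the text (26 for a pangram).
function distinctLetters(text) {
  return new Set(text.toLowerCase().replace(/[^a-z]/g, "")).size;
}

// Flag scripts that write letter-rich text to a canvas and later read the same
// canvas back losslessly with toDataURL, the sequence a digest needs.
function findCanvasFingerprinters(calls) {
  const richestText = new Map(); // "script|canvas" -> most distinct letters written
  const flagged = new Set();
  for (const c of calls) {
    const key = `${c.script}|${c.canvasId}`;
    if (TEXT_WRITES.has(c.method)) {
      const n = distinctLetters(String(c.arg || ""));
      richestText.set(key, Math.max(richestText.get(key) || 0, n));
    } else if (c.method === "toDataURL") {
      // Lossy formats blur the rendering differences a fingerprint relies on.
      const lossless = !/^image\/(jpeg|webp)$/i.test(c.arg || "image/png");
      const bigEnough = c.width >= MIN_SIDE && c.height >= MIN_SIDE;
      if (lossless && bigEnough && (richestText.get(key) || 0) >= MIN_DISTINCT_CHARS) {
        flagged.add(c.script);
      }
    }
  }
  return [...flagged].sort();
}
```

This is a heuristic: a legitimate script that renders a long caption and exports a PNG would also be flagged, so hits are candidates for review rather than verdicts.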

Note 1: you can opt out from AddThis at http://www.addthis.com/privacy/opt-out. They put a cookie on the computer to signal the opt-out :(

Note 2: a pangram is a sentence that uses all the letters of the alphabet.  A perfect pangram is a sentence that uses all the letters of the alphabet only once.

 

Jul 24 2014

Unlocking the phone with a tap on your wrist

This is the new phone unlocking mode that vivalnk designed for the Moto X phone. The system is rather simple. You stick an NFC-based temporary skin tattoo on your wrist. Once the tattoo is paired with your phone, you just need to bring the phone within range of the tattoo to unlock it. It is possible to unpair a tattoo if it is lost or stolen.

According to vivalnk, the tattoo’s adhesive lasts about five days, even under water. It costs one dollar per tattoo. Currently, it is only available for the Moto X.

This tattoo is a wearable authenticator. I forecast that we will see this kind of NFC-based authentication method start to spread. It may come in e-watches, rings, or key rings. I believe that the ring would be a good device. The mere act of taking your phone in your hand may unlock it.

Jul 15 2014

Dr Who’s leaked

Bad week for the BBC. Last week, scripts of five episodes of the next season of Dr Who leaked online. The scripts were accessed from a Miami-based BBC Worldwide server. It seems that they were publicly available (along with a lot of other material) and were indexed by Google. A typical Google request provided access to this confidential material.

Unfortunately, other material was available. A black & white, unfinished, watermarked version of the first episode has also been put online. The copy is visibly watermarked for a given recipient. Drei Marc is a Brazilian company that provides subtitling and dubbing services. Nevertheless, it seems that it comes from the same server. It is not certain that other episodes will not surface in the coming days. Broadcast of the first episode is planned for 23 August.

BBC asked its fans not to spoil the release:

We would like to make a plea to anyone who might have any of this material and spoilers associated with it not to share it with a wider audience so that everyone can enjoy the show as it should be seen when it launches.

We know only too well that Doctor Who fans are the best in the world and we thank them for their help with this and their continued loyalty.

Several lessons:

  • Secure your servers and be aware of indexing robots. No server should be put online without prior pen testing.
  • Encryption at rest should be mandatory for early content. If the attacker ever accesses the video server, he will get an encrypted video without the decryption key. Useless.
  • Forensic marking should only occur at delivery time. If prepared and stored before release, it is useless. It will not hold up in court against a good security expert.
  • TV series are the new Eldorado of the movie industry.