Nov 26 2014

Internet Wide Scanning

At USENIX 2014, Alex Halderman, Zakir Durumeric and Michael Bailey, from the University of Michigan, presented an interesting study of the new landscape of wide-scale Internet scanning.  Scanning the Internet to find vulnerable targets is an old practice, used by academics, security research companies and black hats alike.   Nevertheless, the practice has changed over the last decade.

First of all, new tools have appeared: ZMap and masscan.  Provided they have enough bandwidth, they can explore the full IPv4 address space in a few minutes from a single point.  There is no longer any need for a botnet running tools such as nmap.   This team knows ZMap well, as it is an open source project developed by the University of Michigan and by at least two authors of this paper.

The ports that are scanned have also evolved during the past decade.   The big winner is port 445 for SMB-IP.  Interestingly, HTTP, HTTPS and SSH are mainly scanned by academically driven studies.

2004               2010               2014
HTTP (80)          SMB-IP (445)       SMB-IP (445)
NetBIOS (135)      NetBIOS (139)      ICMP Ping
NetBIOS (139)      eMule (4662)       SSH (20)
DameWare (6129)    HTTP (80)          HTTP (80)
MyDoom (3127)      NetBIOS (135)      RDP (3389)

Table: temporal differences in targeted protocols

They also studied three use cases.  I was particularly interested in the use case of the Linksys router backdoor. After the public disclosure, 22 hosts completed 43 scans of the IPv4 address space targeting port 32764 (the backdoor port).  The first was Shodan, in less than 48 hours. Within one week, others started: two academic institutions and three security firms, but the remainder were unidentified hosts!

For Heartbleed, it was the same story:

In the week following the disclosure, we detected 53 scans from 27 hosts targeting HTTPS. In comparison, in the week prior to the disclosure, there were 29 scans from 16 hosts.

The lesson is that this environment is extremely dynamic.  New points of interest appear regularly and shift with time.   New tools appear.   Thus, be proactive to stay secure.
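As an added illustration of the "before and after disclosure" comparison the study made (this is example code, not the paper's own tooling), the following JavaScript flags scanning sources in darknet-style connection logs and compares the week before and after a disclosure date. The log format, the disclosure date and the sample lines are all constructed here; the scan threshold (three distinct destinations on the port) is an assumption.

```javascript
// Added example (not code from the paper): flag scanning sources in darknet-style
// connection logs and compare the week before and after a disclosure, as the study did
// for the Linksys backdoor port 32764. The "timestamp src dst dport" format, the
// disclosure date and the log lines below are all constructed for this example.
const DISCLOSURE = Date.parse("2014-01-08T00:00:00Z");
const SAMPLE_LOG = [
  "2014-01-03T09:00:00Z 192.0.2.10   203.0.113.1 32764", // lone probe before disclosure
  "2014-01-05T11:00:00Z 192.0.2.11   203.0.113.2 443",   // unrelated HTTPS traffic
  "2014-01-08T02:00:00Z 198.51.100.7 203.0.113.1 32764", // fast scanner, 4 targets in 3 s
  "2014-01-08T02:00:01Z 198.51.100.7 203.0.113.2 32764",
  "2014-01-08T02:00:02Z 198.51.100.7 203.0.113.3 32764",
  "2014-01-08T02:00:03Z 198.51.100.7 203.0.113.4 32764",
  "2014-01-09T08:00:00Z 198.51.100.9 203.0.113.1 32764", // single hit, below threshold
  "2014-01-10T15:00:00Z 198.51.100.8 203.0.113.1 32764", // slow scanner, 3 targets in 3 days
  "2014-01-11T15:00:00Z 198.51.100.8 203.0.113.5 32764",
  "2014-01-12T15:00:00Z 198.51.100.8 203.0.113.9 32764",
  "2014-01-20T08:00:00Z 198.51.100.7 203.0.113.1 32764", // outside the one-week window
];
const WEEK_MS = 7 * 24 * 3600 * 1000;

function parseLine(line) {
  const [ts, src, dst, dport] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), src, dst, dport: Number(dport) };
}

// A source counts as a scanner of `port` if it probes at least `minTargets` distinct
// destinations on that port inside the half-open window [from, to). Returns sorted sources.
function findScanners(lines, port, from, to, minTargets) {
  const targets = new Map(); // src -> Set of dst
  for (const r of lines.map(parseLine)) {
    if (r.dport !== port || r.t < from || r.t >= to) continue;
    if (!targets.has(r.src)) targets.set(r.src, new Set());
    targets.get(r.src).add(r.dst);
  }
  return [...targets].filter(([, d]) => d.size >= minTargets).map(([s]) => s).sort();
}

// Scanners seen in the week before and the week after the disclosure of `port`.
function compareAroundDisclosure(lines, port, disclosure, minTargets = 3) {
  return {
    before: findScanners(lines, port, disclosure - WEEK_MS, disclosure, minTargets),
    after: findScanners(lines, port, disclosure, disclosure + WEEK_MS, minTargets),
  };
}

console.log(compareAroundDisclosure(SAMPLE_LOG, 32764, DISCLOSURE));
```

On real darknet data the threshold should be tuned to the size of the monitored address space; a single probe per source, as with 198.51.100.9 above, is indistinguishable from backscatter or a typo.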

Nov 20 2014

Who is monitoring your baby?

Data Watchdog announced that a Russian website featured a database listing about 73,000 streaming IP webcams or CCTV cameras whose owners are not aware that their webcam is broadcasting video. The webcams are located all over the world. They are used in offices, for baby monitoring, in shops, pubs, etc.  All major manufacturers were present amongst the breached webcams.  The webcams were discovered by scanning the Internet and trying the default password.  This is a good illustration of Law 8: If you watch Internet, Internet is watching you.  The UK Information Commissioner’s Office recommends changing the default password of the camera and disabling remote access when it is not needed.

The site claims to do this for educational purposes.   This is what the site states when you access it.  It seems to be effective, as fewer and fewer feeds are listed.

Sometimes an administrator (possibly you too) forgets to set the default password on a security surveillance system, online camera or DVR. This site now contains access only to cameras without a password and it is fully legal. Such online cameras are available to all internet users. To browse cameras just select the country or camera type.

This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private, the only thing you need to do is to change your camera's default password.

Several interesting lessons:

  • As usual, default passwords are to blame.  Users, and even professionals, as CCTV systems also seem to be listed, do not change the default password.  Manufacturers may not want to enforce changing the default password, as it creates support issues when users forget their password, but they should at least prompt for it the first time the user boots the device.
  • People are not good with security.  With the Internet of Things (IoT), there will be more and more connected devices.  This means that there will be more and more vulnerable devices on the Net.  IoT may make the Internet more brittle.
  • Who will inform the owners of these webcams that they are being watched?  The remedy is simple, but the victims should at least be aware that they need to apply it.

By the way, did you change the default password of all your devices?  If not, I urge you to do so.

Nov 04 2014

When DRM sends personal information in the clear…

Adobe offers an eBook reader called Digital Editions.  The current version is 4.  So far, so good.

Unfortunately, on 7 October, the website “The Digital Reader” reported that Digital Editions 4.0 collected information about reading habits.  The data reported as gathered were the eBooks stored in the reader, the eBooks that had been opened, the pages that were read, and the order in which they were read.   This information was sent back to the server in the CLEAR.  Thus, this version had two privacy issues:

  • It collected information without informing the end user.
  • It sent personal information in the clear.  Any sniffer could extract this information.

Adobe answered:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

Obviously this answer is not satisfactory.   Last week, Adobe published a revised version, 4.0.1, that sends the information back over SSL.  Furthermore, in a note published on October 23, 2014, Adobe listed the collected information:

  • User ID
  • Device ID
  • App ID
  • Device IP
  • Identification of the book
  • Duration for which the book was read
  • Percentage of the book read

The information is collected only for DRM-protected eBooks.  This data gathering is intended to feed a potential clearing house, since some publishers' business models may be based on actual consumption.

The lesson is that technologists never learn from past errors. It is no longer acceptable to send private information over the Internet in the clear.  HTTPS is an easy way to transfer data securely, and servers scale properly nowadays.

Oct 22 2014

New job

Since yesterday, I am VP media & content security at Sony Pictures. This new affiliation should not have any impact on this blog. Regular readers of this blog know my, hopefully balanced, position regarding copyright and content protection.

Oct 02 2014

Designing a permission system

Asking users to make security-oriented decisions is not always wise.  For instance, Android asks the user to accept (or not) the permissions granted to an application at installation time.  Recent studies highlighted that only 17% of users paid attention to permissions during installation.
Felt et al. in the paper “How to ask for permission” defined four potential strategies to manage permissions:

  • The designer automatically grants permissions without involving the end user. This strategy is valid if the designer makes the right decision and if no application abuses the end user. In any case, the end user should be able to reverse the decision.
  • The designer integrates the decision process within the task that the end user fulfills and that will require a new permission. This is what happens when the user decides which directories a friend may access, or has to press a button to send a message. Usually, the end user is not even aware that he is taking a security decision. The end user is not distracted from his primary goal: performing the task. The paper calls that Trusted UI (which I find misleading).
  • The designer opens a dialog box when a decision has to be taken. The end user is distracted from his primary goal. Therefore, these dialog boxes should be rare and restricted to decisions that would have severe adverse consequences.
  • At installation time, the designer asks the user to accept all the permissions at once. Android applies this strategy.

For the last two scenarios, the user should be helped with explanations that highlight the potential risks he takes when making the decision.

An ideal product would mix the four approaches.  The authors propose an implementation strategy summarized by the figure below.


The paper is:

A.P. Felt, S. Egelman, M. Finifter, D. Akhawe, D. Wagner, and others, “How to Ask for Permission,” HotSec, 2012, available at

Jul 29 2014

Fingerprinting canvas of browser

In 2012, Keaton Mowery and Hovav Shacham proposed an original method to fingerprint a browser using HTML5: Pixel Perfect: Fingerprinting Canvas in HTML5.  It uses a new HTML5 feature, <canvas>.   <canvas> defines an area of the screen that can be drawn into with primitives.   The idea is to write a text, ideally a pangram, into a canvas, retrieve the rendered bitmap of the canvas area (using the toDataURL command) and compute a digest of this image.   The expectation was that rendering would differ slightly depending on the operating system, the version of the browser, the graphics card and the version of the corresponding driver.   Canvas fingerprinting did differentiate users.  Furthermore, all modern browsers support HTML5.

Canvas fingerprinting is transparent to the user.   It bypasses any cookie protection and any private browsing mode…  If combined with other fingerprinting parameters such as, for instance, the HTTP user agent or font detection, the uniqueness of the fingerprint is high.   The site demonstrates the differentiation.  Do not hesitate to test it with your configuration.

This paper was a nice academic study.   This month, Gunes Acar et al. published a paper, “The Web never forgets: Persistent tracking mechanisms in the wild.”   They studied the different tracking methods used by the top 100,000 web sites (ranked by Alexa).   They discovered that 5.5% of these sites used canvas fingerprinting!  It is mainly used by the “” system.   Furthermore, by reverse engineering the AddThis code, they showed that AddThis improved on the technique described in the seminal paper.   For instance, the developers used a perfect pangram, or drew two rectangles and checked whether a specific point was part of the path…

User tracking is an arms race, and tracking software uses the latest academic research results.
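As an added example (not code from either paper), the following JavaScript shows the defender's side of the pattern described above: it wraps the canvas drawing and read-back methods so that a script which draws text into a canvas that is never attached to the page and then reads the pixels back gets flagged, which is the heuristic that a privacy extension or a crawler instrumenting the browser can apply. StubCanvas and StubContext2D are constructed stand-ins for the DOM classes so the block runs under Node.

```javascript
// Added example (not code from either paper): instrument the canvas API to spot the
// fingerprinting pattern described above, i.e. text drawn into a canvas that is never
// shown and then read back as pixels. Node has no DOM, so StubCanvas and StubContext2D
// are constructed stand-ins for HTMLCanvasElement and CanvasRenderingContext2D.
class StubContext2D {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  getImageData() { return { data: new Uint8ClampedArray(4) }; }
}
class StubCanvas {
  constructor() { this.isConnected = false; } // becomes true once attached to the document
  getContext() { return new StubContext2D(this); }
  toDataURL() { return "data:image/png;base64,AAAA"; }
}

// Wraps the prototypes (in a browser: HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype) and returns a predicate over canvases.
function instrumentCanvas(CanvasProto, ContextProto) {
  const seen = new WeakMap(); // canvas -> { textDrawn, readBack }
  const rec = (c) => seen.get(c) || seen.set(c, { textDrawn: false, readBack: false }).get(c);
  for (const m of ["fillText", "strokeText"]) {
    const orig = ContextProto[m];
    ContextProto[m] = function (...a) { rec(this.canvas).textDrawn = true; return orig.apply(this, a); };
  }
  const origImageData = ContextProto.getImageData;
  ContextProto.getImageData = function (...a) { rec(this.canvas).readBack = true; return origImageData.apply(this, a); };
  const origToDataURL = CanvasProto.toDataURL;
  CanvasProto.toDataURL = function (...a) { rec(this).readBack = true; return origToDataURL.apply(this, a); };
  // Heuristic: text was drawn, the pixels were read back, and the canvas is not in the page.
  return (canvas) => {
    const s = seen.get(canvas);
    return Boolean(s && s.textDrawn && s.readBack && !canvas.isConnected);
  };
}

// Two simulated scripts: a tracker drawing a pangram into a hidden canvas, and a visible
// chart whose labels are drawn with fillText and then exported by the user as an image.
function runScenario() {
  const looksLikeFingerprinting = instrumentCanvas(StubCanvas.prototype, StubContext2D.prototype);
  const hidden = new StubCanvas();
  hidden.getContext("2d").fillText("Sphinx of black quartz, judge my vow", 2, 15);
  hidden.toDataURL();
  const chart = new StubCanvas();
  chart.isConnected = true; // the chart is part of the DOM
  chart.getContext("2d").fillText("Sales 2014", 2, 15);
  chart.toDataURL();
  return { tracker: looksLikeFingerprinting(hidden), chart: looksLikeFingerprinting(chart) };
}
```

In a real browser the wrappers must be installed before any page script runs (for instance from an extension's content script at document_start), otherwise a tracker can keep a reference to the original methods.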

Note 1: you can opt out from AddThis at ; they put a cookie on the computer to signal the opt out :(

Note 2: a pangram is a sentence that uses all the letters of the alphabet.  A perfect pangram is a sentence that uses all the letters of the alphabet only once.


Jul 24 2014

Unlocking the phone with a tap on your wrist

This is the new phone unlocking mode that vivalnk designed for the Moto X phone.  The system is rather simple.   You stick an NFC-based temporary skin tattoo on your wrist.   Once the tattoo is paired with your phone, to unlock the phone you just need to bring it within range of the tattoo.  It is possible to unpair a tattoo if it is lost or stolen.

According to vivalnk, the tattoo’s adhesive lasts about five days, even under water.   It costs one dollar per tattoo.  Currently, it is only available for the Moto X.

This tattoo is a wearable authenticator.   I forecast that this kind of NFC-based authentication will start to spread.   It may come in e-watches, rings or key rings.  I believe that the ring would be a good device: merely taking your phone in your hand could unlock it.
