Jul 29 2014

Canvas fingerprinting of browsers

In 2012, Keaton Mowery and Hovav Shacham proposed an original method to fingerprint a browser using HTML5: Pixel Perfect: Fingerprinting Canvas in HTML5. It relies on the new <canvas> element of HTML5. <canvas> defines an area of the screen that can be drawn on with graphic primitives. The idea is to write a text, ideally a pangram, into a canvas, retrieve the rendered bitmap of the canvas area (using the toDataURL method) and compute a digest of this image. The expectation was that rendering would differ slightly depending on the operating system, the version of the browser, the graphics card and the version of the corresponding driver. Canvas fingerprinting thus differentiates users. Furthermore, all modern browsers support HTML5.

Canvas fingerprinting is transparent to the user. It bypasses any cookie protection, any private browsing mode… If combined with other fingerprinting parameters such as, for instance, the HTTP user agent or font detection, the uniqueness of the fingerprint is high. The site http://www.browserleaks.com/ demonstrates the differentiation. Do not hesitate to test it with your configuration.

This paper was a nice academic study. This month, Gunes Acar et al. published a paper, “The Web never forgets: Persistent tracking mechanisms in the wild.” They studied the different tracking methods used by the top 100,000 web sites (ranked by Alexa). They discovered that 5.5% of these sites used canvas fingerprinting! It is mainly used by the “AddThis.com” system. Furthermore, by reverse engineering the AddThis code, they highlighted that AddThis improved on the technique described in the seminal paper. For instance, the developers used a perfect pangram, or drew two rectangles and checked whether a specific point was part of the path…
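The pattern both papers describe (text drawn into a canvas, then the pixels read back) is also what a defender can watch for. The following is an added example, not code from this post or from the cited papers: a monitor that wraps the canvas drawing and read-back methods and reports a read-back of any canvas that received text. The 16px size threshold and the constructed stand-in DOM classes are assumptions made here; in a browser you would pass HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype instead.

```javascript
// Added example (not from the page or the cited papers): defender-side monitor for
// the "draw text, then read pixels back" pattern that canvas fingerprinting relies on.
const MIN_SIDE = 16; // assumed threshold: tiny canvases are unlikely fingerprint surfaces
// Patches the prototypes; report() receives one object per suspicious read-back.
function installCanvasMonitor(canvasProto, ctxProto, report) {
  const textDrawn = new WeakSet(); // canvases on which fillText/strokeText was called
  for (const name of ['fillText', 'strokeText']) {
    const orig = ctxProto[name];
    ctxProto[name] = function (...args) {
      textDrawn.add(this.canvas);
      return orig.apply(this, args);
    };
  }
  function check(canvas, method) {
    if (textDrawn.has(canvas) && canvas.width >= MIN_SIDE && canvas.height >= MIN_SIDE) {
      report({ method, width: canvas.width, height: canvas.height });
    }
  }
  const origToDataURL = canvasProto.toDataURL; // read-back on the canvas itself
  canvasProto.toDataURL = function (...args) {
    check(this, 'toDataURL');
    return origToDataURL.apply(this, args);
  };
  const origGetImageData = ctxProto.getImageData; // read-back via the 2D context
  ctxProto.getImageData = function (...args) {
    check(this.canvas, 'getImageData');
    return origGetImageData.apply(this, args);
  };
}
// Constructed stand-ins for the DOM classes so the example runs outside a browser.
class FakeCtx {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {} strokeText() {} getImageData() { return { data: new Uint8ClampedArray(4) }; }
}
class FakeCanvas {
  constructor(w, h) { this.width = w; this.height = h; }
  getContext() { return new FakeCtx(this); }
  toDataURL() { return 'data:image/png;base64,'; }
}
// Replays the fingerprinting sequence from the post against the monitor.
function demo() {
  const events = [];
  installCanvasMonitor(FakeCanvas.prototype, FakeCtx.prototype, e => events.push(e));
  const c = new FakeCanvas(300, 60);
  c.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15); // perfect pangram
  c.toDataURL();                        // read-back after text was drawn: reported
  new FakeCanvas(300, 60).toDataURL();  // no text drawn: not reported
  return events;
}
```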

User tracking is an arms race, and tracking software uses the latest academic research results.

Note 1: you can opt out from AddThis at http://www.addthis.com/privacy/opt-out. They put a cookie on your computer to signal the opt-out :(

Note 2: a pangram is a sentence that uses all the letters of the alphabet.  A perfect pangram is a sentence that uses all the letters of the alphabet only once.


Jul 24 2014

Unlocking the phone with a tap on your wrist

This is the new phone unlocking mode that VivaLnk designed for the Moto X phone. The system is rather simple. You stick an NFC-based temporary skin tattoo on your wrist. Once the tattoo is paired with your phone, to unlock the phone you just need to bring it within range of the tattoo. A tattoo can be unpaired if it is lost or stolen.

According to VivaLnk, the tattoo’s adhesive lasts about five days, even under water. It costs one dollar per tattoo. Currently, it is only available for the Moto X.

This tattoo is a wearable authenticator. I forecast that this kind of NFC-based authentication method will start to spread. It may come in e-watches, rings or key rings. I believe that a ring would be a good device: merely taking your phone in your hand could unlock it.

Jul 15 2014

Dr Who’s leaked

Bad week for the BBC. Last week, scripts of five episodes of the next season of Dr Who leaked online. The scripts were accessed from a Miami-based BBC Worldwide server. It seems that they were publicly available (together with a lot of other material) and were indexed by Google. A simple Google query gave access to this confidential material.

Unfortunately, other material was available. A black & white, unfinished, watermarked version of the first episode has also been put online. The copy is visibly watermarked for a given recipient. Drei Marc is a Brazilian company that provides subtitling and dubbing services. Nevertheless, it seems that the copy comes from the same server. It is not certain that other episodes will not surface in the coming days. The broadcast of the first episode is planned for 23 August.


The BBC asked its fans not to spoil the release:

“We would like to make a plea to anyone who might have any of this material and spoilers associated with it not to share it with a wider audience so that everyone can enjoy the show as it should be seen when it launches.

“We know only too well that Doctor Who fans are the best in the world and we thank them for their help with this and their continued loyalty.”

Several lessons:

  • Secure your servers and be aware of indexing robots. No server should be put online without prior pen testing.
  • Encryption at rest should be mandatory for early content. If ever an attacker accesses the video server, he will only get an encrypted video without the decryption key. Useless to him.
  • Forensic marking should only occur at delivery time. If prepared and stored before release, it is useless: it will not hold up in court against a good security expert.
  • TV series are the new Eldorado of the movie industry.

Jul 07 2014

Cloud services as Command and Control

Cloud services are increasing the attack surface of corporate networks. For instance, we usually associate file sharing services with the risk of leaking confidential information. This is a real threat. These services may also present another, more lethal threat: becoming Command and Control (C&C) channels. C&C is used by botnets or Trojans to communicate with the infected machines.

At Black Hat 2013, Jake Williams presented DropSmack: a C&C tool dedicated to Dropbox. In his paper, he explains the genesis of this tool. It is a well documented story of an advanced penetration test (worthwhile reading if you’re not familiar with these tests). The interesting part of the story is that he succeeded in infecting an employee’s home computer. The employee used this home computer to work on corporate documents using his Dropbox account. Thus, any modification or new file in the Dropbox folder was synchronized to the cloud-based folder and then synchronized to the company’s computer. If the attacker succeeds in planting malware in the home network folder, it will appear on and infect the corporate computer.

Thus, using DropSmack, he was able to implement a C&C using Dropbox as the channel. What is interesting is that it flies below the radar of firewalls, IDS or DLP because the synchronized files are encrypted! Furthermore, the likelihood that Dropbox is whitelisted is high. Furthermore, following the statistics presented in my last post, the likelihood that one of your employees is already using Dropbox, even without the blessing of the IT department, is extremely high.

Last month, Trend Micro detected a Remote Access Tool using Dropbox as C&C! It was used to target a Taiwanese government agency.


A few lessons:

  • When a researcher presents an attack, it does not take long for it to appear in the wild. Never downplay a disclosed attack.
  • The cloud brings new threats and we are just seeing the tip of the iceberg. Worse is to come.


PS: the same attack may be used on any file sharing service. Dropbox was used due to its popularity and not because it is vulnerable. The vulnerability resides in the concept of (uncontrolled) file sharing.

Jul 01 2014

BYOLC: Bring Your Own Loss of Control

In a recent post, I highlighted my belief that one of the most worrying new threats of the cloud was Bring Your Own Cloud. A recent study from LogMeIn and Edge Strategies confirms this risk by focusing on the use of cloud-based services. They coined it Bring Your Own App (BYOA).

Following is their infographic, which summarizes the major outcomes.


In a nutshell, the problem is more worrying than expected. Currently, a huge proportion of applications (> 85%), and thus of data, is under the radar of the IT team! One of the answers that we proposed is that IT should provide company-blessed solutions. I am a strong proponent of this solution. This study seems to show that it is not sufficient: 64% bring their own apps even when a similar solution is already in place. I must confess that in the era before the cloud, I was doing the same, for instance using Firefox when IE was blessed, or my preferred software editor…

Even if you ban BYOD, BYOA will be here. This unavoidable BYOA means that we are losing more and more control over sensitive data. What is the proper answer: DLP (dubito ergo sum), more control over what executes on the user’s computer (not compatible with BYOD)…


Unfortunately, the cloud is here and we cannot escape it. Thus ranting is useless. We have to find new solutions and methods to protect our assets. What answer do you suggest?


Thanks to Gomor for the pointer.

May 26 2014

Facebook would like to listen to what you listen to or watch

Last week, Facebook announced a new feature in their status update. If switched on, this feature identifies the song or TV program playing nearby through the microphone of the mobile device. It then proposes to share this information with your community (and offers a 30 second free sample of the song or a synopsis of the TV program).


A new example of the use of audio fingerprinting. By default, the feature is switched off. Furthermore, the user decides when to share and with whom to share the information. Thus, in theory, there are no associated privacy issues. The user remains in control.

Facebook claims that it will not share the information if you do not want it to. Unfortunately, Facebook does not specify whether it will collect the information for its own profiling even if the user refuses to share it with friends.

As I’m paranoid and as there is no free lunch…     I don’t care as I do not have a Facebook account.  Will you use it?

Apr 23 2014

CataCrypt 2014

In the tsunami of the catastrophic Heartbleed bug, this new IEEE workshop will be interesting. cataCRYPT stands for “catastrophic events related to cryptography and security with their possible solutions.”

The main point is: many cryptographic protocols are only based on the security of one cryptographic algorithm (e.g. RSA) and we don’t know the exact RSA security (including Ron Rivest). What if somebody finds a clever and fast factoring algorithm? Well, it is indeed a hypothesis but we know several instances of possible progress. A new fast algorithm is a possible catastrophe if not handled properly. And there are other problems with hash functions, elliptic curves, and so on. Think also about the recent Heartbleed bug (April 2014, see http://en.wikipedia.org/wiki/Heartbleed): the discovery was very late and we were close to a catastrophic situation.

So we are thinking about a regular workshop, the name is CATACRYPT, about these possible problems and their solutions. It includes problems with cryptographic algorithms, protocols, PKI, DRM, TLS-SSL, smart cards, RSA dongles, MIFARE, and so on. Quantum computing, resilience and agility are also on the program.

The birth of cataCRYPT is not opportunistic. Its founder, Jean-Jacques Quisquater, had launched the idea last year. Its announcement following Heartbleed is a pure coincidence.

The paper submission deadline is 2 June 2014.   Hurry up…

The conference’s site is http://catacrypt.net/
