Author Archives: eric

Has NSA broken the crypto?

Posted on by
Reply

With the continuous flow of revelations by Snowden, there is not one day without somebody asking me if crypto is dead.  Indeed, if you read some simplifying headlines, it looks like the Internet is completely unsecure.

 

Last Friday, Bruce Schneier published an excellent paper in the guardian : “NSA surveillance: a guide to staying secure.”  For two weeks, he has analyzed documents provided by Snowden.   From this analysis, he drives some conclusions and provides some recommendations.  In view of the security profile of Bruce, we may trust the outcome.  I recommend the readers to read the article.

My personal highlights from this article.

  • The documents did not present any outstanding mathematical breakthrough.   Thus, algorithms such as AES are still secure.
  • To “crack” encrypted communications, NSA uses the same tools than hackers but at a level of sophistication far higher.   They have a lot of money.  The tricks used:
    • Look for used weak algorithms
    • Look for weak passwords with dictionary attacks
    • Powerful brute force attacks
  • The two most important means are:
    • Implementing back doors and weakening commercial implementations (poor random generator, poor factors in Elliptic Curve Cryptosystems (ECC), leaking keys…).   The same is true for hardware.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.

    • Compromising the computer that will encrypt or decrypt.  If you have access to the data before it is secured, then you do not care about the strength of the encryption.

These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

His recommendations are common sense.   The most interesting one is to avoid using ECC as NSA seems to influence the choice of weak curves and constants in the curve.

 

His final statement

Trust the math.

is OK, but I would add “Do not trust the implementation.”  Always remember law 4: Trust No One.

Toilet DOS

Posted on by
Reply

A humorous news today as we are in holiday period.

imageJapanese toilets are known to be extremely sophisticated.  Company LIXIL sells Bluetooth powered toilets under the brand name SATIS.  There is even an application (My Satis) available on Google Play that drives your toilet from your android phone.You can select the music played by the toilets, open or close the lid, and managed many other features. 

 

Where is the relation with security?  Security company, Trustware Spiderlabs, issued on August 1 a security advisory about LIXIL Satis Toilet!  The application uses a hardcoded PIN at ‘0000’.   In other words, any body with the application and in the range of the toilet can take control over the toilet.   I let you imagine interesting hacking scenarios…  According to the security advisory,

Attackers could cause the unit to unexpectedly open/close the lid, activate
bidet or air-dry functions, causing discomfort or distress to user.

In other word, a new breed of Denial Of Service… Sarcastic smile

What I would like to understand is how a security analyst decided to have a look at the security of a toilet?  Nevertheless, it shows that security is not taken seriously today in most of consumer devices, although they are more and more connected.  As a proof, LIXIL did not react to this advisory for more than six weeks.

Thanks to MY for the pointer Open-mouthed smile

Favor helps

Posted on by
Reply

If you do favor to one person, will this person more likely comply to your request? Dennis Regan studied this question in 1971. The purpose was to validate:

  • Subject is more likely to respond your request favorably if he likes you
  • Subject is more likely to answer your request favorably if you just did him a favor

The experiment is complex.  As usually, it uses a confederate.   In a first phase, the confederates manipulates liking: becoming either pleasant or unpleasant (depending the way he answers a phone call).  Then, they have to participate to a common experiment.   Then, the confederate manipulates favor.  For positive favor, he offers a soda to the subject.  For no favor, he does not offer a soda.   For irrelevant favor, another person offers a soda both to the confederate and to the subject.

Then the experiment measures the compliance to a request.  Thus, the confederate proposes the subject to purchase some cheap raffle tickets.  The amount of purchased ticket is the metric.

The experiment measures also the liking by asking, among many other questions, to rate how the subject felt toward the confederate.

Following are the average purchased raffle tickets depending on the experimental conditions

  Favor Irrelevant Favor No Favor
Pleasant confederate 1.91 1.50 0.80
Unpleasant confederate 1.60 1.00 0.80

The experiment shows that a favor increases the likelihood to comply with a request.  It seems that the Reciprocity principle applies here.  The normative pressure to return the favor is stronger than the attitude.

Of course, good social engineers use this trick.

D.T. Regan, “Effects of a favor and liking on compliance,” Journal of Experimental Social Psychology, vol. 7, Nov. 1971, pp. 627–639.

And if you would authenticate by touching your mobile device?

Posted on by
Reply

We are not yet there.   Nevertheless, Christian Holz and Patrick Baudisch, two German researchers seem to have made some progress towards this dream.  They designed a tabletop system with a touch screen that allows fingerprint detection.  

The magic comes from the screen material.  it uses a new fiber optical plate.  The plate is made of million highly reflective fibers.   Infra red lights is reflected back to the emitter.  When infra red lights exits the plate through skin, it reflects less light back.   Thus, an high resolution infra red camera can capture highly contrasted fingerprints.   This allows to authenticate the user who is using the touch screen.

image

Unfortunately, the current system requires a projector and a camera.  Thus, it is suitable for table top solution with enough room beneath the screen.   Not yet ready for small portable devices.

In any cases, it opens many interesting use cases.  They will present a paper at UIST’13.

Do users care about security warnings?

Posted on by
Reply

This is an important question.   The common belief in the community is that people are oblivious of security issues.  They will not care.   Akahawe (Berkley) and Felt (Google) launched and empirical study by observing more than 25 million real interactions during security warnings for Chrome and Firefox browsers. This recent study was conducted during May and June 2013.    They collected information using the in-browser telemetry system.  For memory, the telemetry system is switched on voluntarily by users.   The researchers studied phishing warnings, malware warnings and SSL warnings.  They measured the click-through ratio, i.e. the number of times, users click through to view the corresponding page

First some raw data extracted from their paper.

Firefox Chrome
Malware 7.2% 23.2%
Phishing 9.1% 28.1%
SSL 32.2% 73.3%

The good news is that the majority of users take into account the security warnings in case of malware or phishing.  As the detection mechanism uses Google’s Safe Browsing List, the ideal ratio should be near 0% as the ratio of false positive in the list is extremely low.   For SSL warnings, the ratio is significantly higher.   Of course, there are many legitimate sites that generate such warnings (misconfiguration of the server, self signed certificates…).  Thus, the ideal ratio may not be null.  Nevertheless, the ratio seems high.

Interestingly also, Chrome has a higher click-through ratio than Firefox.  In other words, Chrome users take less care of the warnings.  In the case of SSL, the huge difference (+40%) can be explained because for several reasons, Chrome users receive more warnings.  For instance, by default, Firefox memorizes an accepted SSL warning whereas Chrome will repeatedly present the same warning.

Some interesting findings:

  • Consistently, Linux users did have a higher click-through ratio than  other operating systems’ users. Two reasons may explain it:
  • They feel more confident in their skill set because they are tech savvy, and have less risk aversion than average users.
  • They feel that being under Linux prevents them from security issues.  Unfortunately, that is not true for phishing or SSL.
  • The number of clicks to go through the warning did not impact the ratio.  To accept malware or phishing, you need one click with Mozilla and two clicks with Chrome.
  • Users who discarded the warnings spend less time on the page (1.5s) compared to users who took into account the warnings (3.5s).

In any case, a good reading…

D. Akhawe and A.P. Felt, “Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness,” 2013 available at http://research.google.com/pubs/archive/41323.pdf.

Is French HADOPI law dead (12)?

Posted on by
Reply

In his long report, Pierre Lescure proposed to lighten the graduated response.   He recommended to replace the controversial suppression of Internet access by a fine about 60€.  He has been listened.

This morning, a decree has modified the law.  The suppression of Internet is officially annulled.

Objet : infraction de négligence caractérisée ; abrogation de la peine complémentaire de suspension de l’accès à un service de communication au public en ligne ;

It has been replaced by a fine.  The fine will not be automatic but decided by a court order.

Seule une peine d’amende contraventionnelle de 5e classe pourra désormais être prononcée pour l’infraction de négligence caractérisée prévue à ce même article.

A fifth class penalty cannot exceed 1,500€ (about 1,900$) but can reach up to 3,000€ in case of  recidivism.

End of the story?

Top threats for cloud computing

Posted on by
Reply

The Cloud Security Alliance released a document listing the nine top threats of cloud computing: “The Notorious Nine”.  The top nine threats are:

  1. Data breaches; an attacker may access your data
  2. Data loss; the loss may result either from an attack, a technical problem or a catastrophe.   The document wisely highlights the issue raised by encryption (to protect against threat 1)
  3. Account hijacking
  4. Insecure APIs;  this one is extremely important, especially for system designers.  It is not necessarily unique to the cloud, but it is clearly exacerbated with a cloud infrastructure.
  5. Denial of service
  6. Malicious insiders
  7. Abuse of cloud services;  using the cloud for nefarious actions such as password cracking. Well, every coin has two sides.
  8. Insufficient due diligence; jumping in the cloud wagon without enough preparation may be an issue.  This is not proper to the cloud. It is true for any new paradigm.  BYOD (Bring your own device) is a perfect illustration of such problem.
  9. Shared technology vulnerability; As you share components, pieces of software with not necessarily enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real world example of an attack.  A risk matrix allows to compare them.

This list has been established by conducting a survey of industry experts.  Unfortunately, the document does not give details about the number of surveyed experts, their locations, and their qualifications.

Good document to read.