Designing a permission system

Asking users to make security-oriented decisions is not always wise.  For instance, Android asks the user to accept (or not) the permissions granted to an application at installation time.  Recent studies highlighted that only 17% of users paid attention to permissions during the installation phase.
Felt et al. in the paper “How to ask for permission” defined four potential strategies to manage permissions:

  • The designer automatically grants permissions without involving the end user. This strategy is valid if the designer makes the right decision and if no application abuses the end user. In any case, the end user should be able to reverse the decision.
  • The designer integrates the decision process within the task that the end user is performing and that will require a new permission. This is what happens when the user decides which directories a friend may access, or has to push a button to send a message. Usually, the end user is not even aware that he is making a security decision. The end user is not distracted from his primary goal: performing the task. The paper calls that Trusted UI (which I find misleading).
  • The designer opens a dialog box when a decision has to be taken. The end user is distracted from his primary goal. Therefore, these dialog boxes should be rare and restricted to decisions that would have severe adverse consequences.
  • The designer asks the user to accept all permissions at installation time. Android applies this strategy.

For the last two scenarios, the user should be helped with explanations that highlight the potential risks he takes when making the decision.

An ideal product would mix the four approaches.  The authors propose an implementation strategy summarized by the figure below.

[Figure: Permission]

The paper is

A.P. Felt, S. Egelman, M. Finifter, D. Akhawe, D. Wagner, and others, “How to Ask for Permission.,” HotSec, 2012 available at https://www.usenix.org/system/files/conference/hotsec12/hotsec12-final19.pdf.

Fingerprinting canvas of browser

In 2012, Keaton Mowery and Hovav Shacham proposed a new, original method to fingerprint a browser using HTML5: Pixel Perfect: Fingerprinting Canvas in HTML5.  It uses a new HTML5 feature, <canvas>.   <canvas> defines an area of the screen that can be drawn on with graphic primitives.   The idea is to write a text, ideally a pangram, into a canvas, to retrieve the rendered bitmap of the canvas area (using the toDataURL command) and to compute a digest from this image.   The expectation was that the rendering would slightly differ depending on the operating system, the version of the browser, the graphics card and the version of the corresponding driver.   Canvas fingerprinting differentiated users.  Furthermore, all modern browsers support HTML5.

Canvas fingerprinting is transparent to the user.   It bypasses any cookie protection, any private browsing mode…  If combined with other fingerprinting parameters such as, for instance, the HTTP user agent or font detection, the uniqueness of the fingerprint is high.   The site http://www.browserleaks.com/ demonstrates the differentiation.  Do not hesitate to test with your configuration.

This paper was a nice academic study.   This month, Gunes Acar et al. published a paper, “The Web never forgets: Persistent tracking mechanisms in the wild.”   They studied the different tracking methods used by the top 100,000 web sites (ranked by Alexa).   They discovered that 5.5% of these sites used canvas fingerprinting!  It is mainly used by the “AddThis.com” system.   Furthermore, by reverse engineering the AddThis code, they highlighted that AddThis improved on the technique described in the seminal paper.   For instance, the developers used a perfect pangram, or drew two rectangles and checked whether a specific point was part of the path…
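As an added illustration (not code from either paper or from AddThis), here is how a defender can instrument the canvas API the way Acar et al. instrumented their crawler, and flag the exact pattern described above: text drawn into a canvas of at least 16x16 pixels, then the bitmap read back through toDataURL. The FakeCanvas/FakeContext2D classes, the 16-pixel threshold and the FNV-1a digest are constructed stand-ins so the code runs under Node rather than in a browser.

```javascript
// Heuristic from Acar et al.: canvases smaller than 16x16 are ignored.
const MIN_SIZE = 16;
const events = []; // one record per bitmap read-back, filled by the wrappers

// FNV-1a, a stand-in for the digest a tracker computes over the data URL.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Wrap the drawing and read-back methods on the given prototypes (in a browser:
// CanvasRenderingContext2D.prototype and HTMLCanvasElement.prototype).
function instrumentCanvas(ctxProto, canvasProto) {
  const origFillText = ctxProto.fillText;
  const origToDataURL = canvasProto.toDataURL;
  ctxProto.fillText = function (text, x, y) {
    this.canvas.textDrawn = true; // remember that text was rasterized on this canvas
    return origFillText.call(this, text, x, y);
  };
  canvasProto.toDataURL = function (...args) {
    const dataUrl = origToDataURL.apply(this, args);
    events.push({ width: this.width, height: this.height,
                  textDrawn: Boolean(this.textDrawn), digest: fnv1a(dataUrl) });
    return dataUrl;
  };
}

// Flag the pattern the post describes: large enough canvas, text drawn, bitmap read back.
function isFingerprintingCandidate(ev) {
  return ev.width >= MIN_SIZE && ev.height >= MIN_SIZE && ev.textDrawn;
}

// Constructed stand-ins for the DOM classes so the example runs outside a browser.
class FakeContext2D {
  constructor(canvas) { this.canvas = canvas; this.ops = []; }
  fillText(text, x, y) { this.ops.push(`text:${text}@${x},${y}`); }
  fillRect(x, y, w, h) { this.ops.push(`rect:${x},${y},${w},${h}`); }
}
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; this.ctx = new FakeContext2D(this); }
  getContext() { return this.ctx; }
  toDataURL() { return 'data:image/png;fake,' + this.ctx.ops.join(';'); } // a real browser rasterizes here
}
instrumentCanvas(FakeContext2D.prototype, FakeCanvas.prototype);

// Simulate one page script; returns each read-back record with its verdict.
function runScenario(width, height, drawText) {
  const before = events.length;
  const canvas = new FakeCanvas(width, height);
  const ctx = canvas.getContext('2d');
  ctx.fillRect(0, 0, width, height);
  if (drawText) ctx.fillText('Cwm fjordbank glyphs vext quiz', 2, 15); // a perfect pangram
  canvas.toDataURL();
  return events.slice(before).map(ev => ({ ...ev, flagged: isFingerprintingCandidate(ev) }));
}
```

Pointing the same wrappers at the real prototypes in a browser extension or a crawler gives the per-site log the study was built from.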

User tracking is an arms race, and tracking software uses the latest academic research results.

Note 1:  you can opt out from AddThis at http://www.addthis.com/privacy/opt-out.  They put a cookie on the computer to signal the opt-out 🙁

Note 2: a pangram is a sentence that uses all the letters of the alphabet.  A perfect pangram is a sentence that uses all the letters of the alphabet only once.


Unlocking the phone with a tap on your wrist

This is the new phone unlocking mode that vivalnk designed for the Moto X phone.  The system is rather simple.   You stick an NFC-based temporary skin tattoo on your wrist.   Once the tattoo is paired with your phone, to unlock the phone you just need to bring the phone within range of the tattoo.  It is possible to unpair a tattoo if it is lost or stolen.

According to vivalnk, the tattoo’s adhesive lasts about five days, even under water.   It costs one dollar per tattoo.  Currently, it is only available for the Moto X.

This tattoo is a wearable authenticator.   I forecast that we will see this kind of NFC-based authentication method start to spread.   It may come in e-watches, rings, or key rings.  I believe that the ring would be a good device.  The mere act of taking your phone in your hand may unlock it.

Dr Who’s leaked

Bad week for the BBC.   Last week, the scripts of five episodes of the next season of Dr Who leaked online.  The scripts were accessed from a Miami-based BBC Worldwide server.  It seems that they were publicly available (with a lot of other material) and were indexed by Google.   A typical Google request provided access to this confidential material.

Unfortunately, other material was available.  An unfinished, black and white, watermarked version of the first episode has also been put online.  The copy is visibly watermarked for a given recipient: Drei Marc, a Brazilian company that provides subtitling and dubbing services.  Nevertheless, it seems that it comes from the same server.  It is not certain that other episodes will not surface in the coming days.  Broadcast of the first episode is planned on 23 August.

The BBC asked its fans not to spoil the release:

“We would like to make a plea to anyone who might have any of this material and spoilers associated with it not to share it with a wider audience so that everyone can enjoy the show as it should be seen when it launches.

We know only too well that Doctor Who fans are the best in the world and we thank them for their help with this and their continued loyalty.”

Several lessons:

  • Secure your servers and be aware of the indexing robots.   No server should be put online without prior pen testing.
  • Encryption at rest should be mandatory for early content.  If ever the attacker accesses the video server, he will only get an encrypted video without the decryption key.  Useless to him.
  • Forensic marking should only occur at delivery time.  If prepared and stored before release, it is useless.  It will not hold up in front of a court against a good security expert.
  • TV series are the new Eldorado of the movie industry.

Cloud services as Command and Control

Cloud services are increasing the attack surface of corporate networks.   For instance, we usually associate file sharing services with the risk of leaking confidential information.  This is a real threat.  These services may also present another, more lethal threat: becoming Command and Control (C&C) channels.   C&C is used by botnets or Trojans to communicate with the infected machines.

At Black Hat 2013, Jake Williams presented DropSmack: a C&C tool dedicated to Dropbox.  In his paper, he explains the genesis of this tool.  It is a well documented story of an advanced penetration test (worthwhile to read if you are not familiar with these tests).  The interesting part of the story is that he succeeded in infecting an employee’s home computer.   The employee used this home computer to work on corporate documents using his Dropbox account.  Thus, any modification or new file in the Dropbox folder was synchronized to the cloud-based folder and then synchronized to the company’s computer.   If the attacker succeeds in planting malware in the home computer’s synchronized folder, it will appear on, and infect, the corporate computer.

Thus, using DropSmack, he was able to implement a C&C using Dropbox as the channel.  What is interesting is that it flies below the radar of firewalls, IDS or DLP because the synchronized files are encrypted!  Furthermore, the likelihood that Dropbox is whitelisted is high.  Furthermore, following the statistics presented in my last post, the likelihood that one of your employees is already using Dropbox, even without the blessing of the IT department, is extremely high.

Last month, Trend Micro detected a Remote Access Tool using Dropbox as C&C!  It was used to target a Taiwanese government agency.

A few lessons:

  • When a researcher presents an attack, it does not take long for it to appear in the wild.  Never downplay a disclosed attack.
  • Cloud brings new threats, and we are just seeing the tip of the iceberg.  Worse is to come.

PS: the same attack may be used on any file sharing service.  Dropbox was used due to its popularity and not because it is vulnerable.   The vulnerability resides in the concept of (uncontrolled) file sharing.

BYOLC: Bring Your Own Loss of Control

In a recent post, I highlighted my belief that one of the most worrying new threats of the cloud was Bring Your Own Cloud.   A recent study from LogMeIn and Edge Strategies confirms this risk by focusing on the use of cloud-based services.  They coined it Bring Your Own App (BYOA).

Following is their infographic that summarizes the major outcomes.

In a nutshell, the problem is more worrying than expected.   Currently, a huge number of applications (> 85%), and thus of data, are under the radar of the IT team!    One of the answers that we proposed is that IT should provide company-blessed solutions.   I am a strong proponent of this solution.   This study seems to show that it is not sufficient: 64% bring their own apps when a similar solution is already in place.  I must confess that during the era before the cloud, I was doing the same, for instance, using Firefox when IE was blessed, or my preferred software editor…

Even if you ban BYOD, BYOA will be here.   This unavoidable BYOA means that we are losing more and more control over sensitive data.  What is the proper answer: DLP (dubito ergo sum), more control of what is executing on the user’s computer (not compatible with BYOD)…

BYOD + BYOC + BYOA = BYOLC

Unfortunately, the cloud is here and we cannot escape it.   Thus ranting is useless.  We have to find new solutions and methods to protect our assets.  What answer do you suggest?

Thanks to Gomor for the pointer.

Facebook would like to listen to what you listen or watch

Last week, Facebook announced a new feature in their status update. If switched on, this feature will identify, through the microphone of the mobile device, the song or TV program playing nearby.  It will propose to share this information with your community (and propose a 30-second free sample of the song or a synopsis of the TV program).

A new example of the use of audio fingerprinting.   By default, the feature is switched off.   Furthermore, the user decides when to share and with whom to share the information.  Thus, in theory, there are no associated privacy issues.   The user remains in control.

Facebook claims that it will not share the information if you do not want it to.   Unfortunately, Facebook does not specify whether it will collect the information for its own profiling even if the user refuses to share it with friends.

As I’m paranoid and as there is no free lunch…  I don’t care, as I do not have a Facebook account.  Will you use it?