After The Pirate Bay, here is BayFiles

Two founders of The Pirate Bay, Fredrik Neij and Peter Sunde, launched a new service in August: BayFiles.  BayFiles is a cyberlocker like MegaUpload or RapidShare: users upload files and share them with the public.  The upload limit, as well as the bandwidth, depends on the subscription model.  Unregistered users can share files of up to 250 MB, whereas premium users have no limits.

Looking at the available services and at the terms of service, BayFiles officially claims proper behaviour regarding copyright:

We have a policy of terminating, without notice and without recourse, accounts of subscribers or account holders who are repeat infringers of copyright, and you agree that we may apply that policy to your account or subscription in our sole judgment based upon a suspicion on our part or a notification we receive regardless of proof of infringement.

Although they do not seem to use detection tools, they should comply with DMCA takedown notices (which was never the case with The Pirate Bay).  Furthermore, BayFiles offers neither a search function nor shared directories.  Thus, it is the user who creates the infringement by publishing the sharing link publicly.  Finally, BayFiles has not implemented a reward program, which is often a huge incentive for illegal sharing.

And because they do not trust pirates, they have put up legal fences:

If you write programs aiming to violate our Conditions of Use, you will be prosecuted and made liable for any losses occurred.

This transition from peer-to-peer towards cyberlockers is logical:

  • Cyberlockers are taking an increasing share of the illegal sharing of copyrighted content.
  • Cyberlockers are easier to monetize than tracker sites, through subscriptions to premium services.

Cyberlockers are the new challenge in anti-piracy.

Glitching the Xbox

A group of hackers has designed a stunning attack to run arbitrary code on the Xbox 360.  The console's boot loader checks that the next stage it loads has the expected hash (and, further up the chain, a valid signature) before running it.  The attackers use fault injection, here glitching: the aim is to make the processor derail when a short glitch is applied at precisely the right moment.  The technique was originally developed against smart cards and secure processors (for instance, see chapter 9 of K. Markantonakis and K. Mayes, Smart Cards, Tokens, Security and Applications, Springer-Verlag New York, 2008).

In the case of the Xbox 360, the attackers had to produce a pulse of about 100 ns on the CPU reset line at the instant the boot loader compares the computed hash with the stored value.  Done right, the pulse does not fully reset the chip but corrupts the comparison so that memcmp reports a match, and unsigned code is then run.  They had to overcome two challenges:

  • Find the precise moment at which the glitch must occur, and the right shape for the pulse.
  • Find a way to slow down the processor; with a slower processor, the timing window widens and the pulse no longer has to be placed so precisely.

They succeeded!  It is interesting to note that they had to design two solutions: one for the fat Xbox and one for the slim one, because the two have different PCBs.  On the fat box, they found a pin that slows down the CPU clock, whereas on the slim one they attacked the PLL by overwriting its configuration through an I2C bus (this old serial bus is not protected).

It is a nice piece of reverse engineering.  This is not a consumer-grade hack; it is extremely complex.  I believe that here the motivation is purely to meet a technical challenge (real hackers).

Lessons:

  1. As always, Law 1 is true.  Attackers will always find a way.
  2. Attackers may use top-notch techniques.
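As an added example (not code from the Xbox hack or its authors), the following Python models the control flow of a boot-loader hash check under a single-fault model: for every intermediate value the check observes, ask what happens if a glitch zeroes that value, and count the positions at which a wrong hash would still be accepted.  The naive check, which accepts on a memcmp-style result of zero, has exactly such a position; the hardened variant (two independent comparisons, success encoded as a non-trivial constant, no single value that decides) has none.  The fault model, the sample image bytes and the constants are assumptions; real boot code is C firmware and would add random delays and hardware glitch detection on top.

```python
import hashlib


class FaultSim:
    """Records each observable intermediate value of a check and, when
    fault_at is set, replaces that one value with the glitched value.
    Fault model (assumption): one register forced to zero at one step."""

    def __init__(self, fault_at=None):
        self.fault_at = fault_at
        self.steps = 0

    def observe(self, value, glitched=0):
        step = self.steps
        self.steps += 1
        return glitched if step == self.fault_at else value


def verify_naive(computed, stored, sim):
    """Typical boot-loader check: accept when the memcmp-style result is 0.
    A glitch that zeroes that single result accepts any image."""
    diff = sim.observe(int(computed != stored))   # 0 means "hashes match"
    return diff == 0


# Success is a non-trivial constant, so a zeroed register is neither OK nor BAD.
VERIFY_OK = 0x5AC3
VERIFY_BAD = 0xA53C


def verify_hardened(computed, stored, sim):
    """Glitch-resistant variant: two independent comparisons in opposite
    directions, a magic verdict, and no single value that alone decides."""
    if len(computed) != len(stored):
        return False
    diff1 = 0
    for a, b in zip(computed, stored):
        diff1 |= a ^ b
    diff1 = sim.observe(diff1)
    verdict = sim.observe(VERIFY_OK if diff1 == 0 else VERIFY_BAD)
    if verdict != VERIFY_OK:
        return False
    diff2 = 0
    for a, b in zip(reversed(computed), reversed(stored)):
        diff2 |= a ^ b
    diff2 = sim.observe(diff2)
    return verdict == VERIFY_OK and diff2 == 0


def count_false_accepts(check, computed, stored):
    """Number of single-fault positions at which check() accepts a wrong hash."""
    dry = FaultSim()
    if check(computed, stored, dry):
        raise ValueError("hash must be wrong for this experiment")
    return sum(
        1 for pos in range(dry.steps)
        if check(computed, stored, FaultSim(fault_at=pos))
    )


# Constructed sample: the "signed" stage and the hash the boot ROM would store.
GOOD_IMAGE = b"stage-2 boot image (constructed sample)"
STORED_HASH = hashlib.sha256(GOOD_IMAGE).digest()


def hash_of(image):
    return hashlib.sha256(image).digest()


if __name__ == "__main__":
    bad = hash_of(b"unsigned payload")
    for name, check in (("naive", verify_naive), ("hardened", verify_hardened)):
        ok = check(hash_of(GOOD_IMAGE), STORED_HASH, FaultSim())
        hits = count_false_accepts(check, bad, STORED_HASH)
        print(f"{name:9s} accepts good image: {ok}, "
              f"single-fault positions that accept a bad image: {hits}")
```

The model only covers a fault that zeroes one value; a glitch that skips an instruction such as the early `return` is outside it, which is why firmware that must resist this class of attack also randomizes timing and uses hardware glitch detectors rather than relying on code structure alone.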

TELEX: a new path to anti-censorship

Usually, when you want to evade censorship on the Internet, you use tools such as Tor or other anonymizing proxies.  Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman propose another solution: Telex.  The idea is elegant:

  • The client software opens an ordinary TLS connection to a high-traffic innocent site and hides, using steganography, a cryptographic tag in the handshake; the request for the censored site is never sent in the clear, so the censor should not detect it.
  • Stations outside the borders of the censoring state, installed in collaborating routers on the path, recognize the tag using deep packet inspection (DPI) and divert the connection to the censored site.
  • The client and the station derive a shared secret from the tag, so the data exchanged inside the connection cannot be analyzed by the censor.
  • The collaborating router keeps “impersonating” the innocent site in the traffic to avoid detection.

The paper presents a nice threat analysis explaining the trade-offs needed to remain stealthy, a strategy to place the collaborating stations optimally, and how to select the “innocent” site.  It is excellent work, presented at USENIX Security 2011.

The main issue is of course to find collaborating routers.  This would require either collaborating NSPs or state-funded infrastructure, and is most probably the trickiest part to solve.  A utopia?

Alex Halderman, the last author, is well known in the media.  He is the one (publishing at that time as John A. Halderman) who in 2003 showed the weakness of the SunnComm MediaMax CD anti-rip protection (defeated by holding the Shift key), and more recently how to retrieve keys from memory after a cold boot.
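The handshake described above, as an added example that is not code from the Telex paper or its authors: a client builds a minimal TLS ClientHello to the innocent site whose 32-byte random field carries a tag, and a station-side DPI function decides whether to forward the record untouched or divert it to the blocked site.  One simplification is an assumption to keep the block short: the real Telex tag is derived from the station's public key with an elliptic-curve Diffie-Hellman construction, so clients hold no secret; here a symmetric STATION_KEY (a constructed demo value) stands in for that, which keeps the property worth seeing (a tag that looks random to anyone without the key) but not the public-key property of the real design.  Names such as make_tagged_random and station_decide are mine.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 8   # bytes of the 32-byte ClientHello random that carry the tag

# Constructed demo key, NOT a real secret.  Stand-in (assumption) for the
# station's key pair: in Telex the tag is derived from the station's public
# key, so clients need no shared secret; here one key is shared for brevity.
STATION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def make_tagged_random(key):
    """Client side: 24 fresh bytes r followed by tag = HMAC(key, r)[:8].
    Without the key the 32 bytes are indistinguishable from a normal random."""
    r = os.urandom(32 - TAG_LEN)
    return r + hmac.new(key, r, hashlib.sha256).digest()[:TAG_LEN]


def untagged_random():
    """An ordinary client's random, for comparison."""
    return os.urandom(32)


def build_client_hello(random_field, sni):
    """Minimal TLS 1.2 ClientHello record naming the innocent site in SNI."""
    if len(random_field) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    name_list = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # server_name
    body = (b"\x03\x03" + random_field + b"\x00"       # version, random, no session id
            + b"\x00\x02\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_random(record):
    """Station DPI: the 32-byte random of a ClientHello record, else None.
    Offsets: 5-byte record header, 4-byte handshake header, 2-byte version."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def is_tagged(random_field, key):
    r, tag = random_field[:-TAG_LEN], random_field[-TAG_LEN:]
    expected = hmac.new(key, r, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def station_decide(record, key, blocked_site):
    """Divert tagged flows to the blocked site; forward everything else untouched."""
    rnd = extract_random(record)
    if rnd is not None and is_tagged(rnd, key):
        return "divert:" + blocked_site
    return "forward"


if __name__ == "__main__":
    innocent = b"www.example.com"
    flows = {
        "telex client": build_client_hello(make_tagged_random(STATION_KEY), innocent),
        "ordinary client": build_client_hello(untagged_random(), innocent),
        "wrong key": build_client_hello(make_tagged_random(b"censor guess"), innocent),
    }
    for who, rec in flows.items():
        print(f"{who:16s} -> {station_decide(rec, STATION_KEY, 'blocked.example')}")
```

The censor sees the same bytes the station does, but without the key the tag bytes are just part of a random nonce; a tag made with a guessed key is forwarded like any ordinary connection, which is the stealth property the paper's threat analysis is built on.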

A cloud over ownership

This is the title of an excellent article by Simson Garfinkel in Technology Review.  He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud.  Nothing in it is really new, but it has the merit of being clearly stated.

The first point is about privacy.  When you purchase a physical book or a CD in a shop, the merchant has no way to profile you.  Of course, if you purchase it from a digital store such as Amazon, the merchant can profile some of your preferences.  But with a digital good stored in the cloud, the merchant can also analyze how you consume it, which is even more interesting: he will know which is your preferred book among the ones you purchased.  To get the same result with physical books, you would have to look for the most worn book in my library.

The second point is about persistence.  When I purchase a book, it is mine until I destroy it or give it away.  With an e-book in the cloud, it is mine only as long as the cloud operator agrees (or survives).  This is a massive difference, and I am not sure that legislation has taken this shift into account.  I do not even touch on the issue of DRM, which may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing.  Like the good itself, ownership seems to become more ethereal.  Is it good or bad?  I don’t know.  It is most probably useless to look for the answer; I’m afraid it is an unavoidable shift.  We will have to adapt, for better and for worse.

Lessons from RSA hack

It is now six months since RSA suffered the hack that compromised SecurID.  RSA had a positive attitude regarding the hack, providing some details and good visibility.  Thus, we can learn many things from it.

We now know how RSA was penetrated: through a targeted email carrying an Excel file.  The Excel file had a Flash object embedded inside it.  The object, exploiting a zero-day vulnerability, installed the Poison Ivy backdoor.  For more details, see F-Secure’s analysis.  The attackers used the backdoor to reach the sensitive data needed to break SecurID.  The mail was addressed to four members of RSA’s staff, hence a targeted attack.  Once SecurID was compromised, the attackers could go after Lockheed Martin.

This is one of the first widely publicized instances of an Advanced Persistent Threat (APT): an extremely targeted attack that works stealthily and slowly in order not to be detected, and is performed by extremely skilled attackers.  Until then, such attacks were thought to be reserved for warfare.  As the final target was Lockheed Martin, we may believe that it was a high-profile attack.  The zero-day exploit they used passed under the radar of every anti-virus scanner.

RSA and Kaspersky Labs presented an interesting analysis of the attack.

What can we conclude?

  • Perimeter defense is no longer sufficient, at least in a professional environment.  Skilled attackers will work from inside.  We need new tools to detect suspicious behaviour within the enterprise network; for instance, an alert should be raised when a device communicates with “exotic” IP addresses.  Unfortunately, such tools will be more complex to administer and will probably need more manual monitoring.
  • Targeted attacks will be used more and more against industrial targets.  Security awareness will become key.  People must also be aware of business intelligence, a reality that is too often downplayed.
  • I will rant against all this software that is used for purposes other than the original ones.  How often have I seen Excel used for something other than calculations, for instance to display tables of text!  As a result, software editors keep adding features.  Why should we need to embed a Flash object in a spreadsheet?  In security, KISS (Keep It Simple & Stupid) is a golden rule: the more features, the more potential vulnerabilities.
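A first cut at the “exotic address” alert from the first conclusion, as an added example that is not from RSA’s or Kaspersky’s analysis: it runs over a few constructed proxy log lines and combines two signals, a destination that no host contacted during a baseline window and that only one host talks to, and a host contacting that destination at near-constant intervals, the way a backdoor phoning home tends to.  The log format (timestamp, source, destination, port), the internal address range, the thresholds and all addresses are assumptions; the external addresses are taken from the documentation ranges.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the enterprise range

# Constructed proxy log (assumed format: timestamp src dst port).  Host 10.0.0.5
# starts talking to 203.0.113.9 every ten minutes in the afternoon.
LOG = """\
2011-03-01T09:00:03 10.0.0.5 198.51.100.10 443
2011-03-01T09:00:10 10.0.0.7 198.51.100.10 443
2011-03-01T09:12:41 10.0.0.5 198.51.100.10 443
2011-03-01T10:47:02 10.0.0.7 198.51.100.10 80
2011-03-01T14:00:00 10.0.0.5 203.0.113.9 443
2011-03-01T14:03:17 10.0.0.7 198.51.100.77 80
2011-03-01T14:10:02 10.0.0.5 203.0.113.9 443
2011-03-01T14:19:58 10.0.0.5 203.0.113.9 443
2011-03-01T14:30:01 10.0.0.5 203.0.113.9 443
2011-03-01T14:35:49 10.0.0.5 198.51.100.10 443
2011-03-01T14:40:00 10.0.0.5 203.0.113.9 443
"""
BASELINE_END = datetime(2011, 3, 1, 12, 0, 0)   # traffic before this is "known good"


def parse(log):
    """One (timestamp, src, dst, port) tuple per log line."""
    events = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src,
                       ipaddress.ip_address(dst), int(port)))
    return events


def rare_destinations(events, baseline_end):
    """External destinations unseen during the baseline and used by one host only."""
    known = {dst for ts, _, dst, _ in events if ts <= baseline_end}
    hosts = defaultdict(set)
    for ts, src, dst, _ in events:
        if ts > baseline_end and dst not in known and dst not in INTERNAL:
            hosts[dst].add(src)
    return {dst: h for dst, h in hosts.items() if len(h) == 1}


def beacons(events, min_hits=4, max_jitter=0.15):
    """(src, dst) pairs contacted at near-constant intervals, with the period in s."""
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[key] = round(mean)
    return found


def alerts(log, baseline_end):
    """Alert when a host beacons to a destination nobody else has ever used."""
    events = parse(log)
    rare = rare_destinations(events, baseline_end)
    return [f"{src} beacons to rare destination {dst} every ~{period}s"
            for (src, dst), period in beacons(events).items() if dst in rare]


if __name__ == "__main__":
    for line in alerts(LOG, BASELINE_END):
        print("ALERT:", line)
```

Either signal alone is noisy (a single visit to a new address is ordinary browsing, and update checks also beacon), which is why the alert fires only on their intersection; in practice the baseline is a rolling window and the thresholds are tuned per network, which is the administration cost the conclusion warns about.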

SF: Unseen Academicals

You may know my “addiction” to Pratchett’s Discworld.  Thus, you may not be surprised by this post.

Unseen Academicals is the latest opus (June 2010).  Once more, it is a great book.  As usual, we meet the familiar inhabitants of Ankh-Morpork.  In this book, the focus is on the UU (Unseen University).  You will discover that Ponder Stibbons is taking an increasingly important position within the University.

Terry Pratchett adds new interesting characters (and even a species that was missing (or lost)).  I am sure that we will see them again in the next books.

You know my passion for Lord Vetinari.  In this book, you will discover that he may even sometimes have human feelings.

Read it!!  I don’t think the book is available in French.

To pay, show me your credit card

The company Jumio proposes a new system to pay online: Netswipe.  It uses the usual credit card for payment.  Rather than having you type in your card number, your name and the expiration date, the Netswipe applet asks you to show your credit card to the webcam.  The system is supposed to extract the data by visually scanning the image.  The processing is done remotely: the applet is expected to stream the webcam output securely to the remote server.

You still have to type in the CV2, i.e. the 3 digits on the back of the card (or the 4 digits on the front in the case of AMEX).

Impact for the merchant:

  • The fee is 2.75% of the transaction.
  • The usual PCI DSS security requirements.

Note: Security Requirements

Using Netswipe Scanning or Netswipe Recycle Swipe to capture credit card data means that you will be capturing, transmitting and possibly storing card data. The Card Schemes, Visa and MasterCard, have never permitted the storage of sensitive data (track data and/or CVV2) post-authorization, and it is prohibited under ‘Requirement 3’ of the Payment Card Industry Data Security Standard (PCI DSS). Merchants who store Sensitive Authentication Data (SAD) are being fined by the Card Schemes.

Consequently, if you use Netswipe Scanning or Netswipe Recycle Swipe you will need to demonstrate that your system can handle this data securely and that you are taking full responsibility for your PCI DSS compliance. One part of this is the need for us to see a clean Vulnerability scan being made on your systems.

There are two interesting questions:

  1. Is it more user-friendly than the current method?  If the recognition is accurate, probably yes.
  2. Is it more secure than the current method?  Depending on what the scanning actually detects, it may increase security.  Imagine that the system did not only extract the three pieces of data but also validated the hologram and checked that the graphical layout of the card is the one expected for this customer (and that it is indeed a plastic card).  Then the system would come close to proving the presence of the actual card.  I was not able to find the corresponding patent.
    Nevertheless, in the end the “ultimate” defense remains the CV2.
    As a conclusion, provided that the streaming is secure, which can be tested, it is probably not less secure than the usual manual entry.