SF: Timeline

Timeline is a novel by Michael Crichton, the author of the best-seller “Jurassic Park”. In Jurassic Park, time and science were already key elements of the plot: scientists brought dinosaurs back from the past.

In “Timeline”, science and time are once more the key elements. Scientists have found a way to travel to the past, and scholars are sent on a thrilling adventure in the French Middle Ages. The book gives a realistic vision of this period.

Like “Jurassic Park”, it is written like a movie, with the same kind of rhythm and cuts. A good book, which I read in one sitting.

I am not sure whether a French translation is available.

Stealing cars without difficulty

In the race to be ever more user-friendly, car manufacturers have introduced a new breed of keys: Passive Keyless Entry and Start (PKES) systems. The idea is that the car detects the right key and acts accordingly. For instance, if your key is within about 2 m of the car, pulling the handle opens the door; if the key is inside the car, the engine can be started. All of this with the key in your pocket: you never have to push a button. Awfully convenient.

Unfortunately, three researchers from ETH Zürich, Aurélien Francillon, Boris Danev and Srdjan Capkun, have demonstrated a simple attack: a classical relay attack. In PKES, the car initiates the challenge. The attackers use a first antenna that captures the car’s emission (as the key’s antenna would) and relays it to a second antenna placed close to the key (within 8–10 m); the second antenna behaves exactly as the car’s antenna would. This is independent of any logical protocol: whatever cryptography is used on top, the relay merely forwards the radio signal. The two antennas are linked by a cable, or by an RF link for longer range. Thus, if you know where the owner of the car is and can get reasonably near, you can relay the key’s signal, and your accomplice can steal the car. They successfully experimented on real cars.

The first recommended countermeasure is to let the user deactivate the key with a switch. This is the worst kind of countermeasure. You may be sure that people will forget to deactivate the key when leaving their car, or will forget that they deactivated it and then struggle to get in. In any case, adding a button would annihilate the perceived benefit of the system: being button-less. And here is the problem. Unlocking is done without any conscious action from the user.

They propose another countermeasure that is far more complex to implement, because it requires measuring the round-trip time of the exchange accurately enough to detect the extra delay introduced by the relay (distance bounding). And we know how difficult that is (we struggled with it for the local control of content in DVB-CPCM).

The root problem is that the action is performed without the consent of the user, on the assumption that the presence of the key means access granted. But the car cannot be sure of the key’s actual physical presence: it only sees a radio signal, and a signal can be relayed.
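The following Python model is an added example, not code from the post or from the ETH Zürich paper. It shows why the second countermeasure is hard: the car times a challenge/response exchange and refuses to open if the round trip exceeds the flight time for 2 m plus the key’s turnaround time plus a timing tolerance. A relay adds path length and electronics delay, so it is caught when the tolerance is a few nanoseconds, but it passes unnoticed once the tolerance reaches a microsecond, because every microsecond of slack is worth about 150 m of range. The secret, the 1 µs key turnaround, the 50 ns relay delay and the 100 m relay path are assumed values chosen for illustration.

```python
import hmac
import secrets

C = 299_792_458.0   # speed of light in m/s (physical constant)


def rtt_bound_s(max_distance_m, key_turnaround_s, tolerance_s):
    """Largest round-trip time the car accepts for a key within max_distance_m.

    Flight time out and back, plus the time the key needs to compute its answer,
    plus whatever timing slack the radios and clocks need.
    """
    return 2.0 * max_distance_m / C + key_turnaround_s + tolerance_s


def slack_distance_m(tolerance_s):
    """Extra one-way distance an attacker gains from the timing slack alone."""
    return C * tolerance_s / 2.0


class Key:
    """Key fob: answers a car challenge with a keyed MAC after a fixed turnaround."""

    def __init__(self, secret, turnaround_s):
        self.secret = secret
        self.turnaround_s = turnaround_s

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, "sha256").digest()


def exchange(key, path_length_m, relay_delay_s=0.0):
    """One challenge/response, returning (challenge, response, measured RTT).

    path_length_m is the one-way radio path between car and key; for a relay
    attack it is the attacker's full path. relay_delay_s models the attacker's
    antennas, amplifiers and cable (assumed value; 0 for a direct link).
    """
    challenge = secrets.token_bytes(16)
    response = key.respond(challenge)
    rtt_s = 2.0 * path_length_m / C + key.turnaround_s + relay_delay_s
    return challenge, response, rtt_s


def car_accepts(secret, challenge, response, rtt_s,
                key_turnaround_s, max_distance_m, tolerance_s):
    """Car side: the answer must be correct AND arrive within the distance bound."""
    expected = hmac.new(secret, challenge, "sha256").digest()
    if not hmac.compare_digest(expected, response):
        return False    # wrong key: this is all the logical protocol can catch
    return rtt_s <= rtt_bound_s(max_distance_m, key_turnaround_s, tolerance_s)


def scenario(path_length_m, relay_delay_s, tolerance_s,
             max_distance_m=2.0, turnaround_s=1e-6):
    """Run one exchange; True means the car opens, False means it refuses."""
    secret = b"shared-secret-between-car-and-key"   # constructed for the example
    key = Key(secret, turnaround_s)
    challenge, response, rtt_s = exchange(key, path_length_m, relay_delay_s)
    return car_accepts(secret, challenge, response, rtt_s,
                       turnaround_s, max_distance_m, tolerance_s)


if __name__ == "__main__":
    # Owner at 1.5 m, 1 ns tolerance: accepted.
    print("owner, tight bound:", scenario(1.5, 0.0, 1e-9))
    # Relay over a 100 m path plus 50 ns of electronics, 1 ns tolerance: refused.
    print("relay, tight bound:", scenario(100.0, 50e-9, 1e-9))
    # Same relay, 1 us tolerance (ordinary radios): accepted, the relay is invisible.
    print("relay, loose bound:", scenario(100.0, 50e-9, 1e-6))
    print("1 us of slack is worth %.0f m" % slack_distance_m(1e-6))
```

The HMAC is there only to show that a correct answer is necessary but not sufficient; the relay never touches it. The whole defense lives in `tolerance_s`, and making that value a few nanoseconds on cheap LF/UHF transceivers with jittery turnaround is exactly the difficulty mentioned above.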

Ten ways the IT department enables cybercrime

This is the provocative title of Kaspersky Lab’s latest white paper. The document lists some of the usual mistakes encountered in today’s protections. It mainly focuses on the adaptations made necessary by mobile devices. The paper is not mind-breaking. Nevertheless, it makes some true statements, such as:

  • Enabler #1: assuming the data is in the data center.
    Of course, today data is also redundantly stored on laptops and even smartphones. Those copies need protection too.
  • Enabler #3: treating laptops and mobile devices as company assets that are never used for personal purposes…
    Awfully true.
  • Enabler #5: adoption of social media without protection.
    Social media and Web 2.0 are here to stay; furthermore, they are becoming part of the business tools. They create a new kind of risk.
  • Enabler #10: assuming everything is OK.
    Remember our law 1: attackers will always find their way.

As usual in this type of document, the first items are extremely relevant, whereas the last ones are less so. It is always difficult to end up with 10 valid items. Nevertheless, 10 is the golden number in communication.

As a good citizen, I put the link to Kaspersky Lab. You’ll need to register to download the white paper. Nevertheless, you may easily find PDF versions on the Net without having to register :)

PS3 Jailbroken v(2)

If you were surprised by the statement about the need for a random number in signatures in my post PS3 jailbroken, or if you are interested in the mathematics behind the exploit, I recommend that you read Nate Lawson’s post DSA requirements for random k value.

Funnily enough, he posted it before the PS3 hack became public. In general, his blog, root labs rdist, is excellent (although very technical). Nate is a former employee of CRI (Cryptography Research, Paul Kocher’s company).

Google’s anti-piracy new step

Without any official announcement, Google has taken a new step towards fighting content piracy. The autocomplete function, i.e. the feature that proposes guessed completions while you type your query, no longer proposes some completions that may be related to piracy. For instance, when typing “Black Swan T”, it no longer proposes “Black Swan Torrent”. Nevertheless, the filtering is not consistent. “Black Swan S” proposes “Black Swan Streaming” as the seventh choice. When I type “pi”, I am still offered “Pirate bay” as the second choice! TorrentFreak has analysed the filtering strategy in more detail. The new filtering only affects autocompletion, not the query itself: “Black Swan torrent” still returns links to torrents.

Obviously, this is one more goodwill gesture towards content owners. It is part of a larger strategy (see Google acquires Widevine).

Will it have any impact on users? No! It is just security theater, a goodwill gesture for the studios.

PS3 jailbroken

Monday, January 24, 2011

At the December CCC conference (27C3), the fail0verflow team presented the flaw; shortly afterwards George Hotz, known by the nickname GeoHot, disclosed the private key used to sign the firmware of all PS3 devices.

Usually, a piece of code is signed with a private key. The device checks that the code is properly signed using the corresponding public key. If the check passes, it proves that the software was not tampered with and that it was issued by the owner of the private key (here Sony). Normally, there is no way to derive the private key from the public key. The usual assumption is that the private key never, ever leaks. Such keys are usually stored in Hardware Security Modules (HSM), inside a safe, under strict security policies. This is the corner-stone assumption of most trust models.

It seems that GeoHot and fail0verflow recovered the private key thanks to a mistake in the signing software: it used a fixed value where the (EC)DSA signature scheme requires a fresh random value k for each signature, according to a member of the fail0verflow team interviewed by the BBC. With the same k reused on two signatures, the two signature equations share only two unknowns, k and the private key, so both can be solved for directly.

The PS3 had already been jailbroken. The difference with the previous jailbreak is that this one is purely software: it does not require any change to the PS3 hardware. There is no way to recover. It is now possible to execute arbitrary code on the PS3, because it is possible to sign any code. The issue is that the signature check is performed in a loader that cannot be modified in the field, so the compromised key cannot be replaced (and if the loader were modifiable, the hackers could just as easily change the checking process :( ).

Sony has launched, under the DMCA, a temporary restraining order procedure that attempts to stop the dissemination of the jailbreak.

Lessons:
– Proper implementation of cryptography is difficult.
– PS1 and PS2 were open to homebrew applications. They were never hacked. The PS3 was closed… Blocking homebrew access to a game console may be an attractor for crackers.

Proliferation and Detection of Blog Spam

In a recent article, published in the October issue of IEEE Security & Privacy, S. Abu-Nimeh and T. Chen studied so-called blog spam, i.e. the posting of spam comments that are totally irrelevant to the topic. There are several categories:

  • Comment spam, which tries to corrupt the feedback of the community. Often posted by trolls, it is not very problematic. This is the price of democracy and Web 2.0.
  • Term spam adds words so that the page matches more search queries.
  • Link spam contains links to a site in order to increase the number of sites pointing to the spammer’s site, thus increasing its famous PageRank.
  • Splogs, or spam blogs, are fake blogs whose sole purpose is to increase the PageRank of a given site.

The study showed that the practice is increasing. Of more than one million collected comments, 75% were spam! They were issued by a limited number of e-mail addresses and IP addresses.

Studies try to build classifiers that detect blog spam. They are not yet accurate enough.

Meanwhile, there are a few lines of defense:

  • CAPTCHA
  • Black lists of e-mail and IP addresses
  • Black lists of words

At the end of 2010, I experienced this damned attack on this site. In one night, I could find several tens of blog spams on one topic. It even reached 300 in one night. At the beginning, I indulged (you may still find some of them) and cleaned up the mess. Then it started to become worrying. The default installation of my blog provides a basic anti-spam test: the answer to a simple arithmetic calculation. It seemed not deterrent enough. Then I started to blacklist some words such as codeine, Valium or hemorrhoid. This is not the usual vocabulary of security :( It slowed down the number of comments, but did not stop them. My last solution was to use a CAPTCHA. CAPTCHAs are not user-friendly, and may even deter some people from posting comments. Nevertheless, it seems to have (temporarily?) stopped the spammers.
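As an added example (not the blog’s own anti-spam code, nor anything from the paper), here is how the cheap lines of defense listed above combine into a scoring filter: a word black list (seeded with the words mentioned in the post), e-mail and IP black lists, a penalty per link to catch link spam, and a per-IP rate limit, since the study found most spam came from a handful of addresses. The thresholds, the black-list entries and the sample comments are constructed for the example; a real deployment would tune them against its own traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed lists. The word list follows the post (codeine, Valium, hemorrhoid);
# the e-mail and IP entries are placeholders from documentation address ranges.
BLOCKED_WORDS = {"codeine", "valium", "hemorrhoid"}
BLOCKED_EMAILS = {"spambot@example.net"}
BLOCKED_IPS = {"203.0.113.7"}

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")

SPAM_THRESHOLD = 5      # score at or above which a comment is held for moderation
BURST_LIMIT = 5         # more than this many comments from one IP ...
BURST_WINDOW_S = 600    # ... within this many seconds is treated as a flood


@dataclass
class Comment:
    ts: int        # Unix time of submission
    email: str
    ip: str
    body: str


class SpamFilter:
    """Additive scoring over the cheap defenses; keeps per-IP history for the rate limit."""

    def __init__(self):
        self.recent = defaultdict(list)    # ip -> timestamps of recent comments

    def score(self, c):
        points, reasons = 0, []
        if c.email.lower() in BLOCKED_EMAILS:
            points += 10
            reasons.append("e-mail black listed")
        if c.ip in BLOCKED_IPS:
            points += 10
            reasons.append("IP black listed")
        hits = set(WORD_RE.findall(c.body.lower())) & BLOCKED_WORDS
        if hits:
            points += 3 * len(hits)
            reasons.append("blocked words: " + ", ".join(sorted(hits)))
        links = URL_RE.findall(c.body)
        if links:
            points += 2 * len(links)   # link spam: every link feeds the spammer's PageRank
            reasons.append("%d link(s)" % len(links))
        # Sliding window per source IP: drop old timestamps, add this one, count.
        window = [t for t in self.recent[c.ip] if c.ts - t <= BURST_WINDOW_S]
        window.append(c.ts)
        self.recent[c.ip] = window
        if len(window) > BURST_LIMIT:
            points += 5
            reasons.append("%d comments from %s within %ds" % (len(window), c.ip, BURST_WINDOW_S))
        return points, reasons

    def is_spam(self, c):
        points, reasons = self.score(c)
        return points >= SPAM_THRESHOLD, reasons


# Constructed sample traffic: one genuine comment, one pill advertisement, one
# comment from a black-listed IP, then six identical comments from one IP in 50 s.
SAMPLE_COMMENTS = [
    Comment(0, "reader@example.org", "198.51.100.4",
            "Does UWB ranging solve the relay problem?"),
    Comment(5, "promo@example.com", "198.51.100.9",
            "Cheap codeine and Valium at http://pills.example.com or www.more.example"),
    Comment(10, "someone@example.com", "203.0.113.7", "great post"),
] + [Comment(100 + 10 * i, "bot@example.com", "198.51.100.23", "great post")
     for i in range(6)]


def classify(comments):
    """Feed the comments in order through one filter instance; returns the verdicts."""
    f = SpamFilter()
    return [f.is_spam(c)[0] for c in comments]


if __name__ == "__main__":
    f = SpamFilter()
    for c in SAMPLE_COMMENTS:
        verdict, why = f.is_spam(c)
        print("SPAM" if verdict else "ok  ", c.ip, why, "|", c.body[:40])
```

The rate limit is what catches the “300 in one night” pattern: the first five “great post” comments look harmless on their own, only the sixth from the same address trips the filter. Word and address lists are trivially evaded by a spammer who bothers to change vocabulary or IP, which is why a CAPTCHA ends up as the last resort despite its cost for readers.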

By the way, this issue of IEEE Security & Privacy also has an excellent paper by Teddy Furon and Gwenael Doerr about “tracing pirated content on the Internet” :)