Computer System Security: basic concepts and solved exercises

This book, written by Gildas Avoine, Pascal Junod and Philippe Oechslin, is a collection of eight chapters and 106 solved exercises. Each chapter opens with an introduction to a generic problem encountered in computer security systems. After the introduction, the authors propose a set of exercises and, of course, give the succinct corresponding solutions. In short, each chapter proposes a lesson, the examination and the corrected results.

The “lessons” are very basic. I would even say too basic. If you are already knowledgeable about the topic, you will probably learn nothing. If you are not, you will just get a glimpse of the main issues. Fortunately, the bibliographic references often allow exploring the topic in more detail.

The book, initially written in 2005, neglects (or does not give enough emphasis to) the newest threats such as web service exploits. For instance, there is no emphasis on XSS or Cross-Site Request Forgery (XSRF). It does not present the latest “hot” trends such as the use of the cloud for antivirus or intrusion detection. A revised version should add several new chapters taking into account the Web 2.0 environment, more detailed application vulnerabilities…

Should you read this book? If you are a computer science student specializing in security, then this book is for you. It is a kind of book of past exams. If you can solve all the exercises, you are about ready to graduate. If you are not a student, you may read it for fun or to refresh aging knowledge. If you are looking for an introduction to computer system security, try another book, or even better several dedicated books.

Sadly, readers who do not understand French will miss the touches of humor in the names used in the exercises. Thus, readers may encounter Salem Enthal, Mehdi Khamenteux, Sosie Sonsek…

A more detailed review is available at IACR book review.

Blizzard and the hackers

It seems that Blizzard’s World of Warcraft (WoW) has very serious issues with account theft. Why would it be interesting to steal an account of a game? Of course, not to play on behalf of the robbed gamer, but to steal his/her virtual belongings. There is a black market where you can purchase artifacts and gimmicks. It is done with REAL money. (This is different from gold farming, where somebody looks after your character on your behalf: you pay the farmer to increase the level of your character.)

The hackers use the usual toolbox, such as keyloggers or phishing. And of course, it works. Once your account is stolen, you have two choices: either you wait for Blizzard to restore your virtual belongings from backups (unfortunately, there is a queue of several days, a hard wait for addicts), or you accept a standard care package.

Blizzard is already proposing a solution for gamers: an authenticator token, made by a company named Vasco, that is used to log into your account. It is similar to the usual RSA SecurID token used for business VPNs. Of course, this makes the theft more difficult, since a password captured by a keylogger is no longer enough on its own. The use of this token is not yet mandatory!

We see that online games are becoming interesting targets for professional hackers. There is (a lot of) money at stake. Security of games will need to leapfrog.

For more information, check wow.com

SF: The nine princes of Amber

Last week, I ran out of new books to read. Thus, I went down to my cellar and explored the box containing many books I purchased while I was a student. Among the first ones I found was Zelazny’s “The Nine Princes of Amber”.

Why not read it again? Good surprise: I had as much pleasure reading the book as 20 years ago! I finished it quickly and had no other choice than to dive back into the box to find the four other volumes of the saga.

Zelazny is one of my favorite authors. He mastered many mythologies. If you have never read Zelazny’s saga of Amber, run quickly to your library and start. If you read it a long time ago, I recommend you re-read it.

In the past, I started the first two volumes of the sequel to the saga, relating the story of Merlin, who is the son of Corwin (the hero of the first saga). I did not read the complete saga. Did somebody read it? Did you appreciate it?

I am always surprised that nobody in Hollywood tried to adapt this saga to the screen. I am sure that it could be a blockbuster.

Amazon’s PayPhrase

In November 2009, Amazon launched a new payment mode called PayPhrase. The idea is simple. You associate to your profile a passphrase, i.e. a sentence of at least two words (more than four characters), and a 4-digit PIN. The PayPhrase is linked to a shipping address and a payment method. If you want another shipping address, use a second PayPhrase.

Amazon offers this service to other sites. The other sites validate the information through Amazon but never have access to your personal data nor to your credit card data. The basic assumption is that you trust Amazon to do a clean job of securing your personal data (which seems a reasonable assumption).

Of course, Amazon expects to become a competitor to established payment methods such as PayPal.

Is it serious? Well, I have spotted one funny issue. How do I define a PayPhrase?

Create an original PayPhrase yourself, or choose one of our suggestions. Once you have claimed a particular PayPhrase, it can’t be claimed by anyone else.

The uniqueness of the PayPhrase shows that the idea is that the PayPhrase replaces your identity and the PIN is the authentication. This means two things:

  • Latecomers may have trouble setting up an easy-to-remember PayPhrase because the most trivial ones will already be taken.
  • People will use the most trivial ones.

And this last one is the fun part of the game. Try to find a trivial PayPhrase and check whether it is active. Then, you may try a DoS against this person by trying many PINs until the PayPhrase is blacklisted.

I tried my favorite trivial passphrase “Trust no one”. Guess what? It belongs to somebody of Portland paying with Visa! I did not try the PIN.

Lesson: Some design decisions may have “funny” side effects.
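The side effect above comes from treating a guessable, publicly claimable identifier as the key for a permanent lockout. The following is an added example, not Amazon’s code and not a description of how PayPhrase actually enforced its limit (the post only says the PayPhrase gets blacklisted): two toy verifiers side by side, one with a hard lockout keyed on the identifier alone, one that counts failures per (identifier, source) in a sliding window and applies a temporary cooldown. The account data, thresholds, window and cooldown values are constructed for the illustration.

```python
import time
from collections import defaultdict, deque


class HardLockoutVerifier:
    """Policy A: after max_failures wrong PINs, whoever sent them, the
    identifier is blacklisted for good. Anyone who knows a PayPhrase can
    lock its owner out."""

    def __init__(self, accounts: dict, max_failures: int = 5):
        self.accounts = dict(accounts)      # payphrase -> pin (constructed)
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def check(self, payphrase: str, pin: str, source: str) -> str:
        if payphrase in self.locked:
            return "locked"
        if self.accounts.get(payphrase) == pin:
            return "ok"
        self.failures[payphrase] += 1
        if self.failures[payphrase] >= self.max_failures:
            self.locked.add(payphrase)
        return "wrong"


class ThrottledVerifier:
    """Policy B: failures are counted per (payphrase, source) over a sliding
    window; a misbehaving source is put on a temporary cooldown instead of the
    account being blacklisted, so the owner can still log in from elsewhere."""

    def __init__(self, accounts: dict, max_failures: int = 5,
                 window: float = 600.0, cooldown: float = 900.0):
        self.accounts = dict(accounts)
        self.max_failures = max_failures
        self.window = window
        self.cooldown = cooldown
        self.failures = defaultdict(deque)  # (payphrase, source) -> timestamps
        self.cooldown_until = {}            # (payphrase, source) -> time

    def check(self, payphrase: str, pin: str, source: str, now=None) -> str:
        now = time.monotonic() if now is None else now  # injectable clock
        key = (payphrase, source)
        if self.cooldown_until.get(key, 0.0) > now:
            return "throttled"
        if self.accounts.get(payphrase) == pin:
            self.failures.pop(key, None)    # success clears the counter
            return "ok"
        stamps = self.failures[key]
        stamps.append(now)
        while stamps and stamps[0] < now - self.window:
            stamps.popleft()                # forget failures outside the window
        if len(stamps) >= self.max_failures:
            self.cooldown_until[key] = now + self.cooldown
            stamps.clear()
        return "wrong"


def lockout_demo() -> tuple:
    """Constructed scenario: five wrong PINs for a trivial PayPhrase arrive from
    one source, then the real owner logs in with the right PIN from home."""
    accounts = {"trust no one": "1234"}     # constructed sample account
    policy_a = HardLockoutVerifier(accounts)
    policy_b = ThrottledVerifier(accounts)
    for i in range(5):
        policy_a.check("trust no one", f"{i:04d}", "elsewhere")
        policy_b.check("trust no one", f"{i:04d}", "elsewhere", now=float(i))
    owner_a = policy_a.check("trust no one", "1234", "home")
    owner_b = policy_b.check("trust no one", "1234", "home", now=10.0)
    guesser_b = policy_b.check("trust no one", "0005", "elsewhere", now=10.0)
    return owner_a, owner_b, guesser_b


if __name__ == "__main__":
    print(lockout_demo())  # ('locked', 'ok', 'throttled')
```

Policy B is not a complete answer either: distributed sources can share the guessing budget, so real deployments also cap total failures per account, but with a temporary cooldown and a notification to the owner rather than a permanent blacklist. The general lesson is the one the post draws: when the identifier is guessable, the lockout rule must not let a stranger spend the owner’s failure budget.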

Ten ways hackers breach security

I have decided to launch a new category: “the ten …”. In this category, I will put the classifications and lists about security that we find around the net, such as the top 10 vulnerabilities in software.

Of course, the first one of the category is the Technicolor Ten Security Laws of my team.

I found this “Ten ways hackers breach security” as a white paper from Global Knowledge. The paper is clearly not revolutionary. Nevertheless, it is another ten laws…

Here are the ten ways:

  • 1- Stealing Passwords
  • 2- Trojan Horses
  • 3- Exploiting Defaults (a cruel one but awfully true; how many people change the default admin password of their gateway?)
  • 4- Man-In-The-Middle Attacks (more sophisticated, but at the heart of some recent wireless attacks)
  • 5- Wireless Attacks
  • 6- Doing Their Homework; what is meant here is collecting information about the target. This is of course one of the first stages of social engineering.
  • 7- Monitoring Vulnerability Research (!!!)
  • 8- Being Patient and Persistent
  • 9- Confidence Games; this is where they present social engineering
  • 10- Already Being on the Inside; the usual insider

Nice introduction paper, but not interesting if you’re already security aware.

Free: The future of a radical price

Monday, January 18, 2010

This book seems to have been one of the best sellers of 2009. Chris Anderson is known for many reasons. He is an editor at Wired but also the person who launched the famous concept of “the long tail”. Today, I am not sure that the long tail made anybody rich. Some recent studies from Harvard seem to contradict this theory.

Nevertheless, reading this new book was mandatory for me. One of the popular beliefs is that the Internet is free. It is often claimed that DRM is useless because Free is the future of media (or at least media supported by some other means).

The book clearly shows that there is no free lunch, and it describes the economic mechanisms behind “Free”. Anderson provides an interesting taxonomy of the different forms of cross subsidies. Then, he illustrates them.

For instance, why is it interesting for Google to promote the free use of online activities for almost everything? It allows Google to profile the users better and to place advertisements better.

Every click in Google Maps is more information about consumer behaviour, and every mail in Gmail is a clue to our human network of connections, all of which Google can use to help invent new products or just sell ads better

The explanation of the attraction of free through human factors is great. According to him, people are wired to understand scarcity better than abundance. Because we are afraid of loss, free is attractive: we take no perceptible risk.

He also explains why the Internet will be free:

TV is a scarcity business (there are only so many channels), but the Web is not. You can’t change scarcity prices in an abundant market, nor do you need to, since the costs are lower too.

Now, does he present solutions? The examples from audio seem promising. Nevertheless, I have many doubts about their portability to the video market. Would ads be able to support a movie such as “Avatar”, whose cost exceeded $300M?

Nevertheless, this book is mandatory reading if you want to better understand some of the big waves of the Internet and the entertainment world. It may help you build your own opinion.

Do you believe that the Future is Free?

Reference: Anderson C., Free: The Future of a Radical Price, Hyperion, 2009

Oh, by the way, you can download the book for free and legally!

SF: L’accroissement mathématique du plaisir

Unfortunately for English readers, this book is only available in French. The author, Catherine Dufour, is a young, promising French writer.
It has been a long time since I was so delightfully surprised by a French SF author. This book is a collection of twenty short stories. She is brilliant, provocative and politically incorrect. She reminds me of Philip K. Dick with a little of Pierre Pelot (a French writer of the 80’s) and Edgar Allan Poe.

In “L’accroissement mathématique du désir” (The Mathematical Growth of Desire) my favorite short stories are “Je ne suis pas une légende” (I Am Not a Legend), which is obviously a tribute to Matheson, “L’Immaculée Conception”, “Confession d’un mort” (Confession of a Dead Man) and the hilarious “Une Troll d’histoire”, another tribute, this time to a series of French comics.

Thus, if you ever find her books in a library, run and read them.