Adobe fake flash player

A new worm appears to rely on social engineering to install malware. It prompts the user to install a newer version of Adobe Flash Player and, of course, provides a link to this upgrade. The upgrade is in fact a fake one that carries real malware. The social engineering part is well done: it exploits one of the most widely distributed pieces of free software in the world (Adobe Flash Player), and nobody knows exactly when an upgrade is due. Nowadays, upgrading installed software is an extremely common operation.

Adobe proposes the following remedies:

  • Load upgrades and installers only from the adobe.com site.
  • Verify that the installer is signed with a certificate belonging to Adobe.

The two remedies are very good ones and should be generalized to every installation, although they have some limits:

  • It is rather common to download an installer from sites that are not those of the developing team. Searching for the publisher's own site is less convenient than taking the first site that offers the file. For instance, Adobe Flash Player is available in many places. I tried a search on Google France. Fortunately, the first site proposed was adobe.com, but I found many other ones. Should I trust them?
  • How many people are able to analyze a digital certificate? Furthermore, some very respectable companies use expired certificates, or certificates that chain to an unknown root.

Once more, we end up with the need to educate users. There is a lot of work to do here.
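As an added example (not code from the original post), here is how the first remedy, "only from the adobe.com site", can be checked mechanically before a download is accepted: the trusted domain and the sample links are constructed for the example, and the check deliberately rejects the usual lookalike tricks (wrong parent domain, substring match, userinfo before an IP, punycode labels, plain HTTP).

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "adobe.com"   # assumed publisher domain for the example


def is_trusted_download_url(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Return True only if the URL is HTTPS and its host is `trusted`
    or a subdomain of it (whole-label match, not a substring match)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = parts.hostname   # lowercased; any userinfo ("adobe.com@...") is stripped
    if parts.scheme != "https" or not host:
        return False
    # Punycode labels can render as lookalike characters; refuse them outright.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    host = host.rstrip(".")          # "adobe.com." is the same name in DNS
    return host == trusted or host.endswith("." + trusted)


# Constructed sample links, as a fake upgrade prompt might present them.
SAMPLES = {
    "https://get.adobe.com/flashplayer/": True,
    "https://adobe.com/go/getflash": True,
    "http://get.adobe.com/flashplayer/": False,               # no TLS
    "https://adobe.com.example.net/flash_update.exe": False,  # wrong parent domain
    "https://notadobe.com/update.exe": False,                 # substring trick
    "https://adobe.com@203.0.113.9/player.exe": False,        # userinfo trick
    "https://xn--adbe-5qa.com/flash.exe": False,              # IDN lookalike
}


def check_samples() -> dict:
    """Verdict for every constructed sample link."""
    return {u: is_trusted_download_url(u) for u in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'OK  ' if verdict else 'DENY'} {url}")
```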

Security and Prospect Theory

Which choice would you take:

  • 500€ sure gain or a 50% chance of winning 1.000€?

About 85% of people will take the sure gain.

Which choice would you take:

  • 500€ sure loss or a 50% chance of losing 1.000€?

About 70% of people will take the risky loss.

This is a result of the economic theory called Prospect Theory. In an article, Bruce Schneier applies it to the problem of selling security products. When faced with purchasing a security product, the customer is choosing between a sure loss of money (the price of your product) and the risky loss he/she may incur if an exploit occurs. The theory predicts which way the purchase decision will go. He proposes two methods to counter this natural tendency:

  • Increase the feeling of fear, which raises the perceived probability of the risk.
  • Package (hide?) security with other features that provide a perceived gain.

I would add a third one: educate your customer. Use real figures and facts. Avoid the fear strategy, which is neither ethical nor trustworthy.

Definitely a must-read article. It is available at CIO: How_to_Sell_Security

I now have to read the seminal work of Kahneman and Tversky on Prospect
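The two questions above, scored numerically as an added example (not part of the original post): it uses the Tversky and Kahneman (1992) value function and probability weighting with their published parameter estimates (alpha = beta = 0.88, lambda = 2.25, gamma = 0.61, delta = 0.69), which are assumptions of this example, not figures from the post. Both options in each pair have the same expected value (500€), yet the model prefers the sure gain and the risky loss, and it also shows why Schneier's first lever works: raising the perceived probability of the loss flips the decision.

```python
ALPHA, BETA, LAMBDA = 0.88, 0.88, 2.25   # value function (assumed T&K 1992 estimates)
GAMMA, DELTA = 0.61, 0.69                 # probability weighting for gains / losses


def value(x: float) -> float:
    """Concave for gains, convex and steeper (loss aversion) for losses."""
    return x ** ALPHA if x >= 0 else -LAMBDA * (-x) ** BETA


def weight(p: float, gain: bool) -> float:
    """Inverse-S probability weighting: overweights small p, underweights 0.5."""
    c = GAMMA if gain else DELTA
    return p ** c / (p ** c + (1 - p) ** c) ** (1 / c)


def prospect_value(outcomes) -> float:
    """Value of a prospect given as [(amount, probability), ...].
    Simple (non-cumulative) weighting, which is exact for the gambles on
    the page, since each has a single non-zero outcome."""
    return sum(weight(p, x >= 0) * value(x) for x, p in outcomes if x != 0)


def expected_value(outcomes) -> float:
    """Risk-neutral benchmark: identical for both options of each question."""
    return sum(x * p for x, p in outcomes)


def prefers_sure(sure: float, risky_amount: float, p: float) -> bool:
    """True if the sure outcome is valued above a p-chance of risky_amount."""
    risky = [(risky_amount, p), (0.0, 1 - p)]
    return prospect_value([(sure, 1.0)]) > prospect_value(risky)


if __name__ == "__main__":
    # Gain question: 500 sure vs 50% chance of 1000 -> sure gain preferred.
    print("sure gain preferred:", prefers_sure(500, 1000, 0.5))
    # Loss question: -500 sure vs 50% chance of -1000 -> risky loss preferred.
    print("sure loss preferred:", prefers_sure(-500, -1000, 0.5))
    # Fear lever: if the loss is perceived as 80% likely, the sure loss wins.
    print("sure loss preferred at p=0.8:", prefers_sure(-500, -1000, 0.8))
```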

Security Newsletter #10 is available

This quarter, our guest is Ton Kalker from HP Labs. Ton is well known in the content protection community for many topics such as watermarking and DRM interoperability.

Dekun explains how to recover redacted information from classified documents. Arnold and Uhlrich introduce CAPTCHAs. Olivier and Patrice describe an anonymous P2P network: Freenet.

Enjoy the reading and do not hesitate to comment.

FCC ruled against Comcast

Comcast was throttling BitTorrent. On Friday, 1 August, the FCC ruled against Comcast: Comcast is not allowed to block or throttle any P2P traffic. The FCC pushes for strict net neutrality (regardless of whether the transferred data is legal or illegal). Nevertheless, the FCC did not fine Comcast.

The FCC's message is clear: illegal activity on P2P cannot be fought through throttling or any other type of bandwidth shaping.

Legal eavesdropping

The Swedish government passed a law that allows eavesdropping on any communication crossing the border. It means that any e-mail or phone conversation may be read or listened to. Obviously, the stated justification is to fight terrorism. More than 1 million Swedes protested by mail. They claim it is a blow to privacy.

More and more laws of this type are passed by many governments. Another example is the law that allows laptops to be opened at US borders (I will come back to it soon). Does fighting terrorism require giving up privacy? I doubt it. There are two possibilities:

  • Legislators believe that they will really fight terrorism with this type of method. This is probably wrong. We should stop believing in the image of the stupid terrorist. They will be able to use modern tools to hide their communications: they may encrypt mails or calls, or, even better if they want to be stealthy, they may use steganography.
  • Governments cannot, on the one hand, claim they fear cyberterrorism, which requires capable cyber attackers, and on the other hand use methods that any beginner hacker could bypass.
  • Or legislators do know it is snake oil. Then they use it either as security theater (to reassure Joe Sixpack) or for a hidden agenda.

In your opinion, which one is the right explanation?

Comcast throttling BitTorrent: trouble

ISPs throttling P2P networks is nothing new. But usually they simply limit the bandwidth once they have identified P2P packets, which is why encrypting the transfer (BitTorrent has an encryption mode) often cures throttling. Comcast uses a new throttling method, deployed by Sandvine. When a Comcast peer seeds a non-Comcast user/peer, after a few seconds Comcast issues a reset (RST) packet to the non-Comcast user. This has two consequences:

  • The non-Comcast user loses its seed.
  • The Comcast user loses some upload bandwidth. This may affect the transfer ratio on private P2P networks, where the more you seed, the more, and the faster, you receive.

Of course, the community immediately reacted and worked on the problem. The nicest solution is based on the Linux firewall: it is possible to filter the RST packets, thus stopping the throttling. Some sites provide all the information needed to set up the filtering on different Linux distributions (for instance Tux training).
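Before filtering anything, it helps to confirm that the pattern described above is actually happening. The following detector is an added example (not code from the post or from any project it mentions): it scans a constructed packet log taken on the non-Comcast peer's side and reports download sessions in which the remote peer apparently resets the connection within a few seconds of the first data packet, while sessions that end with a FIN, or are reset only much later, are left alone. The addresses, ports and the 10-second window are assumptions.

```python
import re

LOCAL = "198.51.100.7"   # the monitored (non-Comcast) peer, constructed address
WINDOW = 10.0            # seconds between first data and RST that look suspicious

LINE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"flags=(?P<f>\w+) len=(?P<n>\d+)")

# Constructed sample: session 1 is reset 2.9 s after data starts, session 2
# ends normally with FIN, session 3 is reset only after two minutes.
LOG = """\
t=0.00 src=198.51.100.7:51413 dst=192.0.2.10:6881 flags=S len=0
t=0.05 src=192.0.2.10:6881 dst=198.51.100.7:51413 flags=SA len=0
t=1.20 src=192.0.2.10:6881 dst=198.51.100.7:51413 flags=PA len=1448
t=4.10 src=192.0.2.10:6881 dst=198.51.100.7:51413 flags=R len=0
t=0.50 src=198.51.100.7:51414 dst=203.0.113.5:6881 flags=S len=0
t=2.00 src=203.0.113.5:6881 dst=198.51.100.7:51414 flags=PA len=1448
t=90.00 src=203.0.113.5:6881 dst=198.51.100.7:51414 flags=FA len=0
t=1.00 src=198.51.100.7:51415 dst=192.0.2.77:6881 flags=S len=0
t=3.00 src=192.0.2.77:6881 dst=198.51.100.7:51415 flags=PA len=1448
t=120.00 src=192.0.2.77:6881 dst=198.51.100.7:51415 flags=R len=0
"""


def suspected_resets(log: str, local: str = LOCAL, window: float = WINDOW) -> list:
    """Return (remote, local_endpoint, seconds_after_first_data) for each session
    in which the remote side reset the connection within `window` seconds of
    its first payload-carrying packet."""
    first_data = {}          # (remote, local) session -> time of first payload
    suspects = []
    for m in LINE.finditer(log):
        src, dst = m["src"], m["dst"]
        outbound = src.startswith(local + ":")
        session = (dst, src) if outbound else (src, dst)   # (remote, local)
        if outbound:
            continue                                        # only remote packets matter here
        if int(m["n"]) > 0:
            first_data.setdefault(session, float(m["t"]))
        elif "R" in m["f"] and session in first_data:
            delay = float(m["t"]) - first_data[session]
            if delay <= window:
                suspects.append((session[0], session[1], round(delay, 2)))
    return suspects


if __name__ == "__main__":
    for remote, local_ep, delay in suspected_resets(LOG):
        print(f"suspected injected RST from {remote} on {local_ep}, {delay}s after data began")
```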

But what is more interesting is the reaction of the FCC. It is expected that the FCC will order Comcast to cease throttling. A majority of FCC members believe it is illegal to throttle without informing customers. The decision is to be announced in the coming days.

We may expect some ISPs to soon change their licensing conditions to state that they may throttle. If there is an obligation to announce throttling clearly, this will become a criterion for choosing one's ISP (with or without throttling).

Yahoo will not deliver new licenses

In April 2008, Microsoft announced that it was closing its MSN Music service. As a consequence, it announced that it would no longer deliver licenses for purchased songs. This time, it is the Yahoo music store that announces it will close at the end of September 2008.

Once more, users will lose their purchased songs if they ever change their computer, or even upgrade it. This is due to so-called computer fingerprinting. The license is attached to the computer and not to the user. To attach it, the DRM embeds in the license parameters that are supposed to uniquely identify the computer, for instance the MAC address, the serial number of the hard drive, of the OS, … This prevents illegal duplication of the license. But as a consequence, if the user changes his/her computer, the licenses are no longer valid. The user has to request new licenses for the new computer from the DRM server, and this operation will no longer be supported.

Yahoo proposes two alternatives to its customers:

  • Reimburse the lost songs.
  • Migrate the licenses to the Rhapsody Unlimited service, which will continue to operate.

Once more, this event will give arguments to the opponents of DRM. Is there any solution to this type of problem? In theory, yes. The first one is the mythical DRM interoperability: it should be possible to migrate all the songs to another DRM seamlessly. A second one is to attach the license to the user and not to the computer. The notion of domain, initially defined by DVB-CPCM (and, with a wink, SmartRight) and now adopted by OMA, is a potential answer. The domain is linked to a user or a family and not to a given device.

PS: As a follow-up to the Microsoft story, in June Microsoft announced that it would operate the license server until the end of 2011. This is another solution.
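A toy model of the two binding schemes discussed above, added here as an example and not taken from any real DRM system: a computer-bound license carries hashes of hardware identifiers and survives only a limited number of changed components, so a new computer needs the (soon closed) license server, whereas a domain-bound license keeps working on any device that belongs to the user's domain. The field names, the "3 of 4 fields must match" tolerance rule, the server key and all device values are assumptions constructed for the example.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-license-server-key"   # held by the DRM server only
FIELDS = ("mac", "disk_serial", "os_serial", "cpu_id")
MIN_MATCHING_FIELDS = 3                           # tolerate one replaced component


def field_hashes(device: dict) -> dict:
    """One hash per hardware field, so partial matches can be scored."""
    return {f: hashlib.sha256(device[f].encode()).hexdigest() for f in FIELDS}


def sign(payload: str) -> str:
    """Server signature (HMAC) that ties the license fields together."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_license(song: str, device: dict) -> dict:
    """Computer-bound license: the song is tied to this hardware fingerprint."""
    fp = field_hashes(device)
    return {"song": song, "fp": fp, "sig": sign(song + "|" + "|".join(fp[f] for f in FIELDS))}


def device_license_valid(lic: dict, device: dict) -> bool:
    """Reject tampered licenses, then require most fingerprint fields to match."""
    expected = sign(lic["song"] + "|" + "|".join(lic["fp"][f] for f in FIELDS))
    if not hmac.compare_digest(expected, lic["sig"]):
        return False
    matching = sum(lic["fp"][f] == h for f, h in field_hashes(device).items())
    return matching >= MIN_MATCHING_FIELDS


def issue_domain_license(song: str, domain_id: str) -> dict:
    """Domain-bound license: tied to the user's domain, not to one computer."""
    return {"song": song, "domain": domain_id, "sig": sign(song + "|" + domain_id)}


def domain_license_valid(lic: dict, device_domain: str) -> bool:
    """Any device that has joined the licensed domain may play the song."""
    return device_domain == lic["domain"] and hmac.compare_digest(
        sign(lic["song"] + "|" + lic["domain"]), lic["sig"])


OLD_PC = {"mac": "00:1A:2B:3C:4D:5E", "disk_serial": "WD-1234", "os_serial": "OS-0001", "cpu_id": "CPU-A"}
UPGRADED_PC = dict(OLD_PC, disk_serial="WD-9999")   # one component replaced
NEW_PC = {"mac": "00:9F:8E:7D:6C:5B", "disk_serial": "ST-5555", "os_serial": "OS-0002", "cpu_id": "CPU-B"}

if __name__ == "__main__":
    lic = issue_device_license("song.wma", OLD_PC)
    print("old pc:", device_license_valid(lic, OLD_PC))             # True
    print("disk swapped:", device_license_valid(lic, UPGRADED_PC))  # True, within tolerance
    print("new pc:", device_license_valid(lic, NEW_PC))             # False: needs the server
    print("new pc in domain:", domain_license_valid(issue_domain_license("song.wma", "family-42"), "family-42"))
```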