Latest issue of the security newsletter is available

Security newsletter 9 is available. Our guest is Antoine JOUX (a well-known cryptographer). Together with the latest news, you will learn how to crack WEP in less than 6 minutes, that NOSTRADAMUS predicted the next US president, and everything about the security of MPLS. The last article explains in detail the attack on disk encryption through freezing the memory, a great exploit from Princeton University.

The previous issues are available here.

6 May: Oops! Bad links. Thank you MK.

Goolag Scanner: the latest product from Cult of the Dead Cow

Recently, the Cult of the Dead Cow (cDc) released a new powerful hacking tool: Goolag Scanner. cDc is a famous group of hackers. They have a record of releasing serious “hacking” tools such as the famous BackOrifice (remote administration of a computer).

Goolag Scanner scans a web site for more than 1000 known vulnerabilities. The originality of this new tool is that the scan is not direct: it is done through Google queries. Thus, the scanned site is not aware that it is being scanned! Facing this new method, Google decided to limit the number of simultaneous queries for a site. The risk is that Google may blacklist the querying IP address. This makes the scan tedious. We may expect that cDc will soon issue a version with a “batch” mode that gets around this blacklisting.

The obvious countermeasure is to have all the vulnerabilities patched. Another one is to have a robots.txt file listing the files allowed to be indexed by the bot and those that are forbidden. Google obeys the rules defined by robots.txt. Unfortunately, some indexing tools do not care about robots.txt, and since the file is itself publicly readable it only keeps compliant crawlers away; it does not hide anything.

Is Goolag Scanner an evil tool? As with all cDc’s tools, it will of course be used by hackers. But it can also be used by administrators as an administration tool. BO2K is an efficient remote administration tool. Goolag Scanner is an efficient vulnerability scanner. Administrators should use them, at least to be on a level with hackers.

RIAA attacks project Playlist

RIAA is suing Project Playlist. RIAA claims that “Project Playlist performs and reproduces Plaintiffs’ valuable works (and induces and enables others to do so) without any authorization whatsoever and without paying any compensation whatsoever.”

Project Playlist allows users to build playlists and share them through social networks such as MySpace. In fact, Project Playlist does not store any songs. It offers a search tool that only returns content found on public Internet sites. Here is the description of their music search engine:

Our internet search engine allows you to locate media files that are freely available on the world wide web. The listings in our search engine are automatically gathered from music blogs, trade-friendly concert archives, artist websites, record label websites and other public sources. In addition to automatic gathering, we accept submissions to our search engine by our users.

Unfortunately, being available on web sites does not mean copyright free. Sources such as blogs, for instance, are often not very careful about copyright. Thus, when giving access to the site hosting the link, Project Playlist displays a banner with legal notices:

Below is the website (http://xxx.xxx/) containing the music file. Some music files located in this site may be subject to copyright. To be safe, don’t download from this site. If you like it, click here to download from iTunes or you can download the ringtone!

The page about copyright notices is extremely interesting to read. Some extracts:

Project Playlist, Inc. aspires to index and organize the music on the Internet in a responsible and efficient manner, and is therefore committed to copyright protection.

The creators and publishers of the songs you hear through project playlist.com or our embedded music player, are being paid a royalty for their work if they are members of ASCAP, BMI or SESAC or any one of over 125 other PSOs that represent songwriters and music publishers around the world. The more a song is included on our users’ playlists, the more royalties the writer and publisher of that song are paid by Project Playlist, Inc.

Our users are also allowed to post URLs of music files that they discover on the Internet. Our Terms of Use Agreement prohibits a user from posting a link to a music file that the user knows is not posted by the artist, record label, a music blogger or other third party for promotional or other legal uses.

Will it be sufficient for the RIAA? Wait and see.

Virus: even HP

HP announced that some USB keys shipped with the floppy disk reader for HP ProLiant servers are infected by two minor viruses: SillyFDC and Fakerecy. Up-to-date anti-virus software detects them. But if you install the floppy reader before the anti-virus software …

It was already troublesome that some consumer electronics devices (see security newsletter 9, to be published tomorrow) were infected by viruses. It is really problematic in the case of professional devices and applications.

USB keys are becoming pervasive. They are a perfect vector for worms. A good protection is to disable autorun for every USB port. And of course keep your anti-virus always up to date.

“Big Gun” is back

Does history always repeat itself? In 2002, French broadcaster Canal+ sued NDS for having reverse engineered the software of its smart card and having organized the leak of the pirated software through the site DR7.com. Christopher TARNOVSKY, a former hacker known as “Big Gun” and an employee of NDS, was alleged to have taken part in the operation. The complete story is worthy of the best spy novels or Hollywood action movies.

Six years later, the same story again, but with Dish Network. Christopher TARNOVSKY is testifying in front of a court. He admits that he worked for NDS and that he wrote a tool, “the stinger”, able to communicate with any smart card. He claims that he did not use his skills to break Dish Network’s security. NDS admits that it did reverse engineer the smart cards and then enhanced their security to create a better product. NDS denies that it disseminated the code of pirate cards.

Communicating with any card is not the difficult part. Accessing the code and data of the card is difficult. Reverse engineering a piece of software or hardware is a common practice in security research. The only way to validate the strength of a secure system is to attack it. And that must be done by a team different from the team that designed the system. Furthermore, the attacking team must have hacking skills to “mimic” the real-world environment.
Therefore, for a security company to hire skilled people to evaluate its security is a good practice. Of course, there is always some related risk. There must be a strong trust relationship between the attacking and designing teams.

Once more, security is about TRUST.

MSN music will not deliver new licenses

In November 2006, MSN Music closed its service. The service was not successful at competing with Apple’s iTunes. Recently, Rob BENNET of Microsoft announced that they will no longer deliver keys after 31 August 2008.
Why would you need new keys when MSN Music no longer sells new songs? MSN Music sold songs to be consumed on a given computer. Thus, the license containing the decryption key is tied to the target computer. The binding uses unique characteristics of the computer, such as its configuration or hard disk identifier. These characteristics are sometimes called the computer’s fingerprint. Therefore, there are two legitimate reasons to ask for a new key (or more precisely a new license) for an already purchased song:

  • The configuration of the computer changed, for instance after adding a new piece of hardware or after maintenance.
  • The consumer replaces the old computer and transfers her songs to a new one.

In other words, after August 2008, consumers will no longer be able to listen to their legally purchased songs if they change computer. Rob BENNET announced that Microsoft did not succeed in negotiating DRM-free songs with the studios. It is surprising: the merchant of the songs is Microsoft, and the supplier of the DRM technology is Microsoft. And Microsoft did not find a solution? Perhaps it is a strategy of Microsoft to get DRM-free content. An interesting question: is MSN Music liable? Is a class action possible by fooled consumers?

Unfortunately, this story gives new strong arguments to the DRM opponents. The problem is not so much the DRM itself. The problem is that the song is linked to a computer rather than to a “larger” entity. If the song were linked to the customer rather than to her computer, this problem would be solved. If Microsoft’s DRM were interoperable with another DRM, this problem would be solved.

An example of a solution is the domain. A domain is the set of devices belonging to a person or a family. If the song were attached to a domain, it would not be managed by a merchant. Currently, two systems support domain-based DRM: DVB-CPCM and Coral. Unfortunately, they are not yet implemented in consumer devices. This story may be a booster for these solutions.

Is open source more secure?

In the same issue of 2600, phundie describes an attack on GnuPG, an open-source signature program. He used the Linux LD_PRELOAD mechanism to interpose a shared library. By analyzing the code of passphrase.c in the GPG distribution, he spotted the use of the functions read() and memcpy(). He wrote a library that overrides them and dumps their data to a file. Afterwards, it was rather simple to spot the typed passphrase in the dump.

In the paper, he proposes several countermeasures, such as using only a statically linked binary, implementing its own versions of these routines, or verifying that LD_PRELOAD has not been modified.
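As an added illustration of the last countermeasure (this is not code from the 2600 article nor from GnuPG), the C tripwire below checks both places the loader reads preload entries from, the LD_PRELOAD variable and /etc/ld.so.preload, against an allow-list of expected library paths; the allow-list contents and the 4 KB file limit are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Separators the dynamic loader accepts: spaces or colons in LD_PRELOAD,
   whitespace in /etc/ld.so.preload. */
static const char SEPS[] = " :\t\r\n";

/* Return 1 if the entry [entry, entry+len) exactly matches an allow-list path. */
static int is_allowed(const char *entry, size_t len,
                      const char *const *allow, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strlen(allow[i]) == len && strncmp(entry, allow[i], len) == 0)
            return 1;
    return 0;
}

/* Count entries of a preload list that are not on the allow-list.
   A NULL list (variable or file absent) counts as clean. */
int unexpected_preloads(const char *list, const char *const *allow, size_t n) {
    int bad = 0;
    if (list == NULL) return 0;
    for (const char *p = list + strspn(list, SEPS); *p; p += strspn(p, SEPS)) {
        size_t len = strcspn(p, SEPS);        /* length of this entry */
        if (!is_allowed(p, len, allow, n)) bad++;
        p += len;
    }
    return bad;
}

/* Read a small text file into a NUL-terminated buffer; NULL if it is absent. */
static char *read_small_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return NULL;
    char *buf = calloc(1, 4096);              /* assumed 4 KB upper bound */
    if (buf != NULL) buf[fread(buf, 1, 4095, f)] = '\0';
    fclose(f);
    return buf;
}

/* Runtime tripwire over both preload sources, meant to run before any secret
   is read. Caveat: a hostile library can unsetenv("LD_PRELOAD") in its
   constructor before main() runs, so a clean result is not proof of a clean
   process; only a statically linked binary removes this attack surface. */
int check_preload(const char *const *allow, size_t n) {
    int bad = unexpected_preloads(getenv("LD_PRELOAD"), allow, n);
    char *file = read_small_file("/etc/ld.so.preload");
    if (file != NULL) { bad += unexpected_preloads(file, allow, n); free(file); }
    return bad;
}
```

A program handling a passphrase would call check_preload() first and refuse to continue when it returns a non-zero count.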

This paper clearly illustrates that open source is not suited to a hostile environment. It gives a strong advantage to an attacker who controls the host. It would be interesting to write a good paper analyzing the trust model of open-source software and highlighting its assumptions. Any volunteer to be a co-author?