If your power adapter could recover your lost password?

This is the idea that Apple protected by a patent.   The basic idea is that a familiar peripheral could serve as a vault for the recovery process of lost credentials.

Claim 1: A method of storing a password recovery secret on a power adapter, the method comprising:

  • receiving a password recovery secret associated with a computing device at an electrical power adapter via an interface with the computing device; and
  • storing the password recovery secret on a memory in the electrical power.

The peripheral would store the memorized password encrypted with a identifier unique to the main device.   This means that there is a pairing between the device and the peripheral.  In other words, it is useless to steal the peripheral to try to extract the stored password.  The claims specifically cites electrical power adapter and non-transitory computer-readable storage medium.

To recover the lost password, you will have to start a procedure of recovery.   The recovery procedure returns the encrypted password that can be decrypted if recovered by the proper device.   It can also share the secret between the peripheral and a remote server.

You may already have spotted the tricky part of the game:  how do you trigger the recovery procedure?  The patent does not tackle this issue.   If Alice is able to trigger it only because she has access to both the portable and the power adapter, then of course game over.   Steal both of them, then you can get access to the computer by recovering the secret and changing the password.   It would make the system even weaker than before.  If  Alice needs a secret to  trigger it, then we’re back to the starting point.  The likelihood that she forgot this recovery secret is even higher than forgetting the day to day password!    By the way, this is always one of the difficult parts of every recovery system.

Will we see that in one of the next MacBook generations?

Facebook, privacy protection and civil lawsuit

Is Facebook a privacy harbor in case of a civil lawsuit?   Can  your Facebook posts be used against you even if they are tagged as private?   This is the question that the court of Pennsylvania- Franklin county (USA)  answered last November.

Following an accident, the plaintiffs claimed serious injury.  She testified that she suffered from chronic physical and mental pains, and used a cane to walk.  The defendant claimed that on the plaintiff’s Facebook account, the plaintiff announced that she went to gym and posted family pictures that contradicted the allegations.  The plaintiff claimed that it could not be used in front of the court.

The judge ruled differently and  detailed his objections in a 14 page opinion document.  The rationales:

  • Discoverability; the court made it clear that material on social networks was discoverable on civil cases
  • Privacy;  the court made it clear that there was no expectation of privacy on social networks because their purpose was to share with others.

Almost all information on Facebook is shared with third parties, and there is no reasonable privacy expectation in such information…   even “private” Facebook posts are shared with others.

  • Embarrassment; The judge estimated that contrary to  personal sure that may create embarrassment, it is not the case for Facebook posts and posted pictures as their purpose is to be shared with others.

This is an interesting statement that highlights that privacy in social network is more related to access control than to actual privacy, at least for the US law.   An interesting reading that shows all the complexity of privacy in front of the law.

PS: I was not able to find out if the use of these posts helped the defender to win or not.  

Notes of PST2012: Day 2

As for yesterday, these notes reflect what pinged my interest and do not attempt to be non-biased, exhaustive reporting of the presentations.

Co-utility: rational cooperation for privacy, security and functionality in the information society (J. Domingo Ferrer , University of Tarragona)

He started with an environmental analogy: privacy  preservation is essential and should be sustainable for the survival of information society.   To limit privacy “pollution”, he proposes reducing identifiable information, reusing data to reduce utility,

He uses the game theory to define co-utility; Co-utility means that the two players have the best strategy if they are cooperating.  Using different equilibriums, he defines Nash, Mixed Nashed, or Stackelberg (when one player can impose his strategy to the rest of the players) co-utility. 

Application to PIR applications

Currently PIR assumes cooperation of database which is not always true. ( Not true if using Zero-Knowledge such as Micahli)  Potential solutions:

  • Standalone approach: Track Me not  generates fake queries or adding fake keywords
  • P2P: reuse queries submitted by other users.  He explores this venue.  If each player collaborates by submitting queries of the other players to flatten his profile (Nash equilibrium)

Trust session

Building robust reputation systems for travel-related services (H. DUAN, Heidelberg)

How to stop manipulation that inject fake reviews (promoting, demoting, system destructor)

The idea was to use the review helpfulness  as a reputation measurement.  They did not use textual analysis.  It was OK for one set (New York City) and  not for another town.

They were challenged on how they distinguished promoter, demoter from innocent reviewers.

Collaborative Trust Evaluation for Wiki Security

The issue is that malicious or incompetent contributors may modify documents. (Estimation 4-6% contribution of Wikipedia is vandalism)

Security Wiki Model is a layered model with promotion of authors on the quality of their contributions.  A document has an integrity level  (IL) and only author with higher quality level can contribute.  The author attributes the first IL (necessarily less or equal  his level)

Author increases his reputation by reviewing that are validated by other reviewers

Very conservative approach.

The theory of creating trust with untrusty principals  (J. Viehmann, Fraunhoffer)

State of the art: Vote, democratic vote (majority), centralized Trusted Third Party

Using game theory  with peer monitoring to detect manipulation in different cases:

  • plain
  • Law enforced
  • using mistrust (by testing through fake requests to see if somebody is trustworthy)

Theoretical, no real experiment to test the reaction of users.

Security Session

Effects of displaying access control information near the item it controls (K. Vaniea, Carnegie Mellon)

They tried on gallery with distinction between everybody, co-workers, friends and family.

When the icon is near the picture it has better effect than in sidebar.   It has no better memory retention impact.

Detecting JavaScript-based attacks in pdf file (Schmitt F., University of Bonn)

Static detection is not sufficient if the code is building a malicious code. 

The attack is typical with heap spraying, calling a vulnerable API method with the return address being overwritten.

They use PDF scrutinizer that has a JavaScript emulator, a reader emulator without actual rendering.

Interesting detectors: heap spray detector observes strings added to an array too often and with the same identical strings.

Automatic Detection of Session Management Vulnerabilities in Web Applications (Y. Takamatsu, Japan)

Typical attack with session fixation and cross site Request Forgery (CSRF)

They implemented a plug-in for Amberate to detect these vulnerabilities.  Not convincing as it created false positives on PhPNuke

Notes on PST 2012: (day 1: Innovation day)

Here are some notes on the first day of  PST2012.  These notes are personal and biased in the sense that they reflect what topics did ping me.  As such, they are not exhaustively representing the content of the various presentations.

Today’s challenges of cybercrime (E. FREYSSINET)

Eric is the head of the cyber crime department of French gendarmerie.  As such, he has a deep knowledge of today’s cybercrime as he is fighting it.

He first presented the big trends and issues:

  • Data to analyze is exploding
  • Organized crime;  interestingly, organized crime entered the game only lately.  The target that attracted organized crime was car theft that required electronic specialist due to increased electronic defense;  then, organized crime jumped to electronic money.
  • Cryptography becomes more generalized.  It has impact.  for instance, house search has to occur at a time of the day when the computer is already switched on.

Then he described more some cases.  A few excerpt:

  • Crime against children; This is one of the most important threat handled by his team (25% of the cases).  Several hundreds cases per year in France.   The best defense is the education of children
  • Attacks on IT system;  Botnets become the core element of many IT attacks.  Often individuals do the tools, and are hired by organization that install such infrastructure.   Interestingly, many SMEs are attacking each others!
  • There is a real business approach behind such crime.  Carders are offering professional sites with customer supports.  Malware is sold with a licensing approach, CMS,…

Then he presented a typical attack: the police ransomware.  A malware blocks the computer, sometimes encrypts data and display a message supposed to be issued by police claiming that you violated the law and have to pay a fine.  10% of the infected people pay the alleged fine.

Cyber Defense

Can we protect against the unknown?  (D. BIZEUL, Cassidian, Head of Security Assurance)

The focus of the presentation is on APT (Advanced Persistent Threat)

The six steps of APT:

  1. Information gathering
  2. Vulnerability identification
  3. Spear phishing/RAT installation
  4. Pass the hash protection/ propagation (for escalation)
  5. Malware and pack of tools
  6. Exfiltration

Detection of steps 3 to 6 should use reputation evaluation, Statistics and of course log.  Thus, it is recommended to have savvy IT team, cyber intelligence, IDS/IPS and SIEM & SOC.  Cyber intelligence is key.

CERT, CSIRT  (O. CALEFF, Devoteam)

Presentation of what a CERT/CSIRT is , and how it works.

Cyber defense tools: the sourcefire example (Y. LE BORGNE)

He explains how an Intrusion Prevention System (IPS) works:

  • Stage 1:  decoder of packets
  • Stage 2: pre-processor to normalize data
  • Stage 3: Rules engine

Why are there still intrusions?

  • The client side is more prevalent and it is the best place to attack.
  • File complexity is a good vector for malware
  • IDS exploitation is too complex
  • IPS needs skill for exploitation

Evolution of Snort

New pre-processors (gtp, modbus…), http compression.

>Deeper detection (cookies, javascript obfuscation…)

The message is that human is the key element.  Thus, they claim to simplify the task by focusing the reporting.

Panel

APT is more a buzz word.  It is not new.  The most important aspect is the Persistent Threat aspect.

 

Keynote: The authorization leap from rights to attributes: Maturation or Chaos? (R. Sandhu)

Ravi is the father of Role Based  Access Control (RBAC).   Will RBAC be replaced by Attribute Based Access Control?   In any case, we’re going towards flexible policy.  According to him, the main issue with Access Control is and will always be the analog hole.  Smile   The main defect of RBAC is that it does not offer an extension framework.  Thus, it is difficult to cope with short comings;  ABAC has the advantage to offer inherent extensibility by adding for instance attributes.

Security policy requires Policy Enforcement, Policy Specifications and Policy Administration.

He believes in Security as a Service because there will be an incentive to  properly secure stuff else you change the service provider.

SME session

Arxan (M. NOCTOR)

Nothing new.  If you don’t know Arxan, and if you need software tamper resistance, visit their site.

CODENOMICON (R. Kuipers)

How to strip off a TV set?  He highlights the risk  of connected TVs that are not  secure at all, although they may handle confidential data such as credit card number.

Secure IC (P. NGUYEN)

Silicon Security;   Usual presentation on side channel attacks.   The new attacks are Correlation Power Analysis and Mutual Information Analysis (new since 2010)  The new trend is to use Information Theory realted metrics.  They have  a dual rail family with formally proved security (to be presented at CHES2012)

A new version of my site

Welcome in the new version of my site.  Now both my site and my blog share the same consistency.  Indeed, they share the same engine (wordpress).   Translation form my homemade site to WP pages was simple.  Nevertheless, I am sure that there are some remaining issues (such as missing or wrong links).  Do not hesitate to signal them to me for fixing.

Linksys and the cloud snafu

A new trend in management of gateways and routers is to use the cloud. Currently, gateways and routers are locally managed by the user, and often remotely managed by the operator through protocols such as TR69.    The new trend delocalizes the device management to the cloud.   In other words, to modify the router/gateway, you have to use a remote service.  Most manufacturers, if not all, are following this path.

Last month, Cisco launched its Cisco cloud connect service that offers this capability.  For that purpose, Cisco has to install new firmware into deployed Linksys routers.  Cisco launched such update. Thus, many customers who had opt-in the automatic firmware upgrade (which, by the way, is usually a smart decision) where automatically upgraded loosing the local ability to manage their device.   This automatic upgrade started a huge rumpus on the forums; many people having the feeling that loosing the local management was equivalent to lose the ownership of their router.  This was the first issue.  Many people believed that this upgrade would be systematic for every Linksys router.

Unfortunately, inside the Terms Of Services (TOS) of Cisco Cloud Connect, it was mentioned that Cisco might keep track of a variety of information including Internet history and might share “aggregated and anonymous user experience information” with service providers and other third parties.  This second issue was even more devastating for Cisco.

Cisco quickly reacted and took a set of appropriate actions:

  • Explaining that the upgrade was done only if the customer requests it or if he opted-in of automatically upgrading.  Cisco provided a method to revert to local management,
  • Modifying the TOS to remove the section related to collection of data such as Internet history,
  • And highlighting that Cisco does not use the routers to collect information about Internet usage.

Lessons:

  • Full remote management of a user owned device may be adversely perceived.   Hardware ownership is strongly connoted of control.
  • Privacy is important for some people and not necessarily rationale.   Privacy’s perception is complex.  How many of the people who complained regularly use Google (or whatever search engine) and click on the proposed link leaving a trace of their Internet usage to Google?    An interesting sociological study to do;  Privacy is a touchy complex topic.
  • There are some people who carefully read TOS!!!

 

Thanks to RG for the initial pointer.