Attacking the BitLocker Boot Process

TPM and BitLocker are interesting targets for security experts. Tarnovsky has recently reverse engineered a Trusted Platform Module (TPM) chip from Infineon. Five researchers from the German Fraunhofer Institute have explored attacks on BitLocker when it uses the TPM to seal the data.

The paper is interesting even if you are not familiar with TPM. The team targets the boot loader and especially the recovery strategy. If you illegally modify the environment of the machine, the TPM will detect it, but the sealing data for BitLocker will not be accurate anymore. Thus, BitLocker uses a recovery mechanism independent from the TPM. The idea is to trick the user in this mode. They suggest five attacks: create a false plausible recovery situation, spoof the recovery message, spoof then hide, replace the computer by a “phishing” computer, and preemptive modification (i.e. modify the computer before activating BitLocker). The last two attacks are less plausible. All attacks require physical access to the target.
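
The mechanism described above, as an added example that is not taken from the paper or from BitLocker itself: a toy model of measured boot showing why a changed boot component makes the TPM refuse to release the key, and why the recovery path still works because it never consults the TPM. ToyTPM, unlock and all key and component values are hypothetical and constructed; real PCR selection, sealing policies and the BitLocker key hierarchy are not modelled.

```python
import hashlib
import hmac

# Constructed sample values; nothing here is real BitLocker key material.
VOLUME_KEY = b"constructed-volume-key"
RECOVERY_PASSWORD = b"constructed-recovery-password"
GOOD_CHAIN = [b"firmware v1", b"boot manager v1", b"os loader v1"]

def extend(pcr, component):
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(boot_chain):
    """Measure every boot component in order, starting from an all-zero PCR."""
    pcr = bytes(32)
    for component in boot_chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Releases the sealed key only when the current PCR equals the sealed PCR."""
    def __init__(self, secret, pcr_at_seal_time):
        self._secret, self._pcr = secret, pcr_at_seal_time

    def unseal(self, current_pcr):
        ok = hmac.compare_digest(self._pcr, current_pcr)
        return self._secret if ok else None

def unlock(tpm, boot_chain, typed_recovery=None):
    """Return (path, key) where path is 'tpm', 'recovery' or 'locked'."""
    key = tpm.unseal(measure(boot_chain))
    if key is not None:
        return "tpm", key
    # PCR mismatch: the TPM refuses. The recovery path below never consults
    # the TPM, so it works no matter what code is now running on the machine.
    if typed_recovery is not None and hmac.compare_digest(typed_recovery, RECOVERY_PASSWORD):
        return "recovery", VOLUME_KEY
    return "locked", None

if __name__ == "__main__":
    tpm = ToyTPM(VOLUME_KEY, measure(GOOD_CHAIN))
    tampered = [GOOD_CHAIN[0], b"boot manager (modified)", GOOD_CHAIN[2]]
    print(unlock(tpm, GOOD_CHAIN))
    print(unlock(tpm, tampered))
    print(unlock(tpm, tampered, RECOVERY_PASSWORD))
```

The third call is the case the paper's lesson rests on: the key is released on a machine whose measurements no longer match, purely because the user typed the recovery password.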

Lesson: The attacks target the operating mode and process and not the technology itself. Therefore, they are clever.
Recovery systems are always BACKDOORS in a system!!

The paper is available here.

Computer System Security: basic concepts and solved exercises

This book, written by Gildas Avoine, Pascal Junod and Philippe Oechslin, is a collection of eight chapters and 106 solved exercises. Each chapter proposes an introduction to a generic problem encountered in computer security systems. After the introduction, the authors propose a set of exercises. Of course, the authors also reveal the succinct corresponding solutions. In a simplified summary, each chapter proposes a lesson, the examination and the corrected results.

The “lessons” are very basic. I would even state too basic. If you are already knowledgeable about the topic, then you will probably learn nothing. If you are not knowledgeable, then you will just get a glimpse of the main issues. Fortunately, the bibliographic references often allow exploring the topic in more detail.

The book, initially written in 2005, neglects (or does not give enough emphasis to) the newest threats such as web services exploits. For instance, there is no emphasis on XSS or Cross-Site Request Forgery (XSRF). It does not present the latest “hot” trends such as the use of the cloud for antivirus or intrusion detection. A revised version should add several new chapters taking into account the Web 2.0 environment, more detailed application vulnerabilities…

Should you read this book? If you are a student in computer security, then this book is for you. It is a kind of book of past exams. If you succeed in solving all the exercises, then you are pretty much ready to graduate. If you are not a student, you may read it for fun or to refresh aging knowledge. If you are looking for an introduction to computer system security, try another book or, even better, several dedicated books.

Sadly, readers who do not understand French will lose the touches of humor of the names used in the exercises. Thus, readers may encounter Salem Enthal, Mehdi Khamenteux, Sosie Sonsek…

A more detailed review is available in the IACR book reviews.

Free: The future of a radical price

Monday, January 18, 2010

This book seems to have been one of the best sellers of 2009. Chris Anderson is known for many reasons. He is an editor at Wired but also the person who launched the famous concept of “the long tail”. Today, I am not sure that the long tail made anybody rich. Some recent studies from Harvard seemed to contradict this theory.

Nevertheless, reading this new book was mandatory for me. One of the popular beliefs is that the Internet is free. It is often claimed that DRM is useless because Free is the future of media (or at least supported by some means).

The book clearly shows that there is no free lunch and it describes the economic mechanisms behind “Free”. Anderson provides an interesting taxonomy of the different forms of cross subsidies. Then, he illustrates them.

For instance, why is it interesting for Google to promote the free use of online activities on almost everything? It allows Google to better profile the users and better place advertisements.

“Every click in Google Maps is more information about consumer behaviour, and every mail in Gmail is a clue to our human network of connections, all of which Google can use to help invent new products or just sell ads better.”

The explanation of the attraction of free by human factors is great. According to him, people are wired to understand scarcity better than abundance. Because we are afraid of loss, free is attractive. We do not take any perceptible risk.

He also explains why the Internet will be free:

“TV is a scarcity business (there are only so many channels), but the Web is not. You can’t change scarcity prices in an abundant market, nor do you need to, since the costs are lower too.”

Now, does he present solutions? The examples of audio seem promising. Nevertheless, I have many doubts about the portability to the video market. Would ads be able to support a movie such as “Avatar” whose cost exceeded $300M?

Nevertheless, this book is a mandatory read if you want to better understand some of the big waves of the Internet and the entertainment world. This may help you to build your own opinion.

Do you believe that the Future is Free?

Reference: Anderson C., Free: The Future of a Radical Price, Hyperion, 2009

Oh, by the way, you can download the book for free and legally!

Articulating The Business Value Of Information

I read a recent report from Forrester Research: “Articulating The Business Value Of Information” by Khalid Kark.

According to this report, security adds value in five sectors:

  • Reputation: Security protects your brand equity
  • Regulation: Security reduces the cost of meeting IT regulatory mandates
  • Revenue: Security protects existing revenue streams and helps generate new ones
  • Resilience: Security ensures your business functions even during adverse conditions
  • Recession: Security affects the top line and the bottom line of the business

Khalid proposes ten tricks to change security’s image. Following are my favorites:

  • Redirect the conversation away from threats and toward risks
  • Make security processes transparent
  • Focus more on value articulation and less on return on investment (ROI)

The report contains nothing revolutionary. Its points are well known to practitioners, but it has the advantage of listing and presenting them. Hopefully, you will find some more arguments the next time you have to negotiate a security-related budget.

Smart cards, Tokens, Security and Applications

This book (Springer 2008), by Keith Mayes and Konstantinos Markantonakis (editors), provides an overview of secure chips and their applications. It mainly focuses on two types of tokens: contact and contactless. Except for a brief introduction to Trusted Platform Modules (TPM), the book does not detail embedded ICs or Hardware Security Modules (HSM). The book depicts the major operating systems and environments (Java Card, GlobalPlatform, MULTOS…) and describes in detail the application development environments for Java and SIM toolkit. The book explores different fields of application: mobile, banking, Pay TV and ID cards. A special focus is given to mobile applications.

In my mind, the smart card is strongly associated with security. Security is the absent one from this book. The book never speaks about the hacks. In the contactless field, transport cards are often cited, but the recent hacks are never cited. For ID cards, the recent problems of passports are never disclosed.

Should you read it? If you are looking for a basic introduction to smart cards, this may be one of the references to read. Thus, it may interest non-security students, people who want to have a first level of understanding, journalists… If you are looking for a good understanding of one of the domains of use of smart cards, then look for a more specialized book. If you are a security expert, this book is definitely not for you.

A more complete review is available on the IACR web site.

Seven good security questions

We just received the Autumn issue of 2600 The Hacker Quarterly. I love this magazine for two reasons. Some of the articles are good. But more importantly, this magazine gives a vision of the mindset of hackers, or at least I should say the Hackers. By Hackers with a capital H, I mean the guys who want to use the gimmick in a way different from the one that was intended by the designers. Sometimes, you also discover some security vulnerabilities that seem so obvious that you would not dare to test them (see the short paper Free DirecTV on by outlawyr).

Sometimes, you also find papers written by authors without pseudonyms and who dare to give their email address. These papers have another tone (the type of tone you would find in the French Misc magazine).

In this issue, John Bayne presented a comparison between SSL and DNSSEC. Or rather, he compared just the management of certificates. The interesting part was not so much the result of the match (SSL won!), but the set of criteria he used.
He asked interesting questions that could be used for evaluating any IT security system.

  1. How is trust implemented?
  2. How strong are the algorithms that are in use?
  3. Does the technology provide true end to end security?
  4. How clear is the warning that the technology presents to the users?
  5. How easy is it to implement a centralized policy for the technology?
  6. How widespread is the technology?
  7. How broadly will the technology protect you?