Category Archives: Book/Paper

How people perceive hacking

Posted on by
1

People make decision following mental models that they have of how a system works.  Security is not different from other fields.  Experts or technically well-informed people may have mental models that are reasonably accurate, i.e. the mental model fits reasonably with the real world behavior.  For normal users, the problem is different.  Wash Rick identified several mental models used by normal users when handling security in a paper entitled “Folk Model of Home Computer Security”. For instance, he extracted four mental models describing what viruses are:

  • Viruses are bad; people using this mental model have little knowledge about virus and thus believed they were not concerned. They thought to be immune.
  • Viruses are buggy software; viruses are normal software that are badly written. Their bugs may crash the computer or create strange behavior.  People understood that they needed to download and install such viruses.  Thus, their protection solution was only to install trusted software.
  • Viruses cause mischief; viruses are pieces of software that are intentionally annoying. They disrupt the normal behavior of the computer.  People do not understand the genesis of virus.  They understand that the infection comes from clicking on applications or visiting bad sites.  Their suggested protection is to be careful.
  • Viruses support crime; the end goal of viruses is identity theft or sifting personal and banking information. As such, people believe that viruses are stealthy and do not impair the behavior of the computer.   Their suggested protection is the regular use of anti-virus software.

Wash extracted four mental models used to understand hackers.

  • Hackers are digital graffiti artists; hackers are skilled individuals that enter in computers just for mischief and show off. They are often young geeks with poor morality.  This is the Hollywood image of hackers.  The victims are random.
  • Hackers are burglars; Hackers act with computers as burglars act with physical properties. The goal is financial gain.  The victims are chosen opportunistically.
  • Hackers are criminals targeting big fish; these hackers are similar to previous ones but their victims are either organizations or rich people.
  • Hackers are contractors who support criminals; these hackers are similar to the graffiti hackers but they are henchmen of criminal organizations. Their victims are mostly large organizations.

When applying these mental models, it is obvious that some best practices will never be used by end users, regardless of their pertinence.  Most of them do not understand these practices or feel they are not concerned by these practices.  For instance, users who believe that virus are bad or buggy software cannot understand the interest to install an anti-virus.  Users assimilating hackers to contractors believe that hackers will never attack their home computers.  Better understanding the mental model of users highlights where awareness is needed to adjust user’s mental model to the reality.  It helps also to design efficient secure solutions that may seem to fit the mental model although they fight in the real model.

Reference:

Wash, Rick. “Folk Models of Home Computer Security.” In Proceedings of the Sixth Symposium on Usable Privacy and Security, 11:1–11:16. SOUPS ’10. New York, NY, USA: ACM, 2010. .

RowHammer: A powerful new attack

Posted on by
Reply

In 2014, a group of researchers from Carnegie Mellon University and Intel published a new kind of disturbance attack on DRAM: rowHammer [1]. At the difference of SRAM (static), DRAM (dynamic) need regular refreshing to keep their memory. DRAM are organized by rows. Indeed, when reading or writing to an address, the circuit access the full row rather than only one specific cell. Cells are susceptible to inter-cell crosstalk (like any electronic elements). The researchers discovered the fast, repetitive reading of two rows they could generate a high rate of disturbances that produce errors in the memory. The actual code to produce errors is simple and short. It is a simple loop that reads two addresses, flushes the registers and the instruction cache. A typical 1 million iterations takes less than one second. The code does not need to be root. They tested 129 different DDR3 DRAM commercial modules. They induced errors in 110 modules.

Thus, they demonstrate that with simple software, it was possible to wreck DRAM memory.

This month, Google researchers went one step further. They used the rowHammer technique to create actual fault injection. On a standard x86-64 bit machine, they demonstrated two exploits [2].

  • Native Client (NACl) is a sandboxing system that allows only a limited subset of instructions. They were able to have ‘blacklisted’ instructions to execute in the NACl environment.
  • They succeeded to escalate the privilege to Kernel privilege on a standard Linux.

Of course, these exploits have some limitations. The escalation was done only on a Linux machine without some sandboxing mechanisms. Nevertheless, they highlight that rowHammer may become a powerful fault injection tool. The interesting part of rowHammer is that it is purely software.

Currently, they have only experimented rowHammer on standard DRAM commercial modules. This may be an interesting way to bypass some trusted execution environment that isolate the DRAM space.

DRAM for servers should be more resistant to rowHammer as Error Correction is embedded in the chip. Nevertheless, error correction can only correct a limited amount of simultaneous errors. It may be possible perhaps to also overflow the correction. If rowHammer would be possible on DRAM for servers, then it may be a potential interesting attack vector in the public cloud. The attacker may either bypass the sandbox or impair the memory of another user of the same server.

We may see in coming months more studies and exploits around rowHammer. Will it have the same impact than side channel attacks? To be surveyed…

The two papers are worthwhile to read. Read them in the chronological order.

[1]    Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors,” in Proceeding of the 41st annual international symposium on Computer architecture, 2014, pp. 361–372.

[2]    C. Evans, “Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges,” Project Zero, 09-Mar-2015.

 

Does your TV set watch you?

Posted on by
Reply

Benjamin Michele and Andrew Karpow presented a scary Proof of Concept  using two Samsung Smart TVs.  They used the integrated media player of these Smart TV set.  For the most recent one, they discovered that the TV set used a 2011 version of the open source FFMPEG’s libavformat library. This library identifies the type of content to be played and demux it before the content is transmitted to Samsung’s proprietary media player.  The libavformat library supports many containers.  It is a complex piece of software, and as such as many new discovered bugs. By scanning the bug-tracking database of this open source library, the researchers selected one vulnerability that was not patched in the version used by the TV set.  This vulnerability allowed them to execute arbitrary code when playing a forged content.  As the player executes in root shell, the forged payload also executes in root shell.  This means that the payload has full access to the platform.  As the Smart TV had an integrated camera and microphone, they wrote an exploit that captured the video of the camera and the sound from the microphone.  The captured information can then be sent to a remote server.  As the payload is encapsulated in a real movie, the consumer is not aware that his TV set is being infected and that he is spied.  The researchers found a way to flash the Smart TV set and thus make the infection permanent.

Of course, the payload could do other things.  The researchers could perform a thorough analysis of the TV set because they succeeded to get root access, and thus could explore the system and easily work on the exploit. The target were Samsung TV sets.  Most probably, any other smart TV of any brand could be attacked in a similar way but using another vulnerability.

This POC highlights several interesting points:

  • This exploit highlights an important issue of IoT.  Will devices in the field be upgraded and securely patched?  There are two issues that are not yet solved:
    • Will manufacturers do the security maintenance for the lifetime of the product?   Currently, the business model is to sell one device and not maintain it (unless there is a very serious bug that impact the behaviour).  How could the manufacturer finance this maintenance?  In the software world, maintenance is financed by either new version or maintenance contract for professional expensive applications.  This is not the case in the consumer domain.
    • Will consumers apply the patch?  The likelihood is low if we extrapolate from the computer world. Too many consumers’ computers are not patched.
  • The wide use of open source libraries has brought some benefits.  It is less expensive for companies and it is claimed to be more secure.  Unfortunately, it also has its downside.
    • This last claim is only true if all systems would be patched.  If it is not the case, then the use of widely deployed open source libraries may be an advantage for the attackers.  The attacker can experiment on his own system before trying on the targeted device.
    • Furthermore, the more a ‘common’ library is deployed, the more targets will be hit whenever a vulnerability is found in this library.  Heartbleed is a good illustration.
  • The more features a device has, the higher the risk to have vulnerabilities.

Reference:

Michele, Benjamin, and Andrew Karpow. “Watch and Be Watched:  Compromising All Smart TV Generations.” In Proc. of the 11th Consumer Communications and Networking Conference (CCNC). Las Vegas, NV, USA: IEEE, 2014.

IoT, Security and energy

Posted on by
Reply

Trappe, Howard and Moore, three researchers from the University of Rutgers, have published an interesting paper in the latest issue of IEEE Security & Privacy.   The title is ‘Low-Energy Security: Limits and Opportunities in the Internet of Things’

IoT will not only be connected phones, TVs, or fridges, it will also be myriads of tiny sensors (the famous concept of smart dust).   Whereas the big devices have reasonable access to energy and calculation, these sensors  do not have access to energy and calculation.  They will have two issues:

  • A very low energy consumption;  You do not expect to charge every day a thermal sensor.  You will rather install it and forget about it for many years.
  • As they are low cost and low energy consumption, the calculation capabilities will be drastically reduced.

Unfortunately, the collected data will serve to major decisions by applications or may leak private information. They will need to be protected in integrity, and confidentiality.  With the hardware constraints, conventional cryptography is out of reach.   Moreover, poor security is not an option (it is useless), there is a major challenge for the security of IoT.

They present some of the potential new methods to secure the communication.  For instance, the receiver that has serious calculation power could authenticate the sensor by fingerprinting the analog characteristics of the transmission.  This would not put any burden on the sensor.   To reduce the encrypted data which burns energy, they propose to encrypt only major variations.  This may open interesting side channel attacks.  For confidentiality, they propose to revisit the concept of ‘wire-tap channel’ disclosed by Wyner in 1975.

The paper is worthy to read as it clearly states the problems and highlights some potential research topics.

 

Opportunistic Security

Posted on by
Reply

Under the lead of Dukhovni (2 sigma), IETF issued an interesting concept:  Opportunistic Security (RFC 7435).  Currently, communications are either cleartext or authenticated and encrypted.    Unfortunately, wide scale deployment of ‘inter-operable’ authentication schemes is difficult.  The internet is a good example with hundreds of certification authorities with not all them trustworthy.

With current protocols, if the authentication fails, then either the communication fails or falls back to clear text.  Opportunistic security proposes a new approach.

  • The default state is clear text.
  • If ever encryption is available between peers, then communication uses the encrypted service.   This communication is protected against passive attacks, but still vulnerable to active attacks such as man in the middle.
  •  If ever authentication is also available between peers, then the protocol attempts to authenticate.  if successful, it would use encryption with a negotiated session key.  This communication  is protected against both passive and active attacks.  If the authentication fails, then communication falls back to encrypted communication.

The announced concept is that encryption alone, even with deprecated algorithms,  is better than clear text.   The wide use of encryption would thwart , at least, information collection by sniffing.   The claimed purpose is to boost the deployment and use of encryption technologies to prepare the later proper deployment of authenticated protocols.

The idea is interesting.  Nevertheless, I believe that a mandatory component  would be to indicate clearly to the user in which mode his communication is currently: clear, encrypted, authenticated and encrypted.  This would be an indicator of the level of trust associated with the transfer.  Unfortunately, the distinction may be difficult for laymen.

 

Some notes on Content Protection Summit 2014

Posted on by
Reply

The conference was held on 9th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors.

The big trend and message is that cyber threats are more and more severe.  Traditional Content Protection is not anymore sufficient.  It has to be extended to IT cyber threats.  The SPE issue was cited very often.

The conference did not disclose surprisingly new information and technology.  Nevertheless, the event is a good occasion to share knowledge and basic best practices.  The following part will highlight interesting points or figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that the cyberwar is a reality.  It is performed by government funded teams or hacktivists,  It has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PcW)

The cyber world becomes more dangerous.  The state seems to degrade.  Some interesting figures from PcW’s annual report:

  • In 2014, the U.S. government notified 3,000 U..S. companies that they had been attacked
  • There was 48% more reported incidents in 2014.  Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff.  The most interesting advices were:

  • Log must be switched on.   This is essential in a cloud environment where low-cost plans may not have the logging feature available.  It is worthwhile to pay for it.  It is mandatory to learn and analyze when an incident occurs.
  • Have a response team available beforehand.  You will not have to time to look for and organize it when the incident will occur or will be detected.

The focus of the discussion was always on script kiddies, and never on Advanced Persistent Attack (APT)

This script will self destruct in 2 hours (panel)

The script is of high value, especially when the actual shooting was not started, or that the decision was not yet taken.  Nevertheless, it needs to be convenient.   Typical challenge for a confidential sensitive document that needs controlled distribution.  Warner announced that sometimes they even used 3-factor authentication.  Creative people may have hard feeling about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, TV is more forgiven than feature movie in case of leakage (excepted perhaps for the opening and closing episodes).  The biggest coming challenge is the request of international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message:  be aware of third parties (and their own third parties) and freelancers

The creative process behind great storytelling (panel)

Refreshing session with creative people.  The end of the session was a playdoyer for copyright.  The arguments were similar to the ones in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

According to me, the most interesting session.  They presented real use cases.

Elisha explained how she drastically reduced the online piracy against ABS-CBN (the Philippines Netflix).   She performed different steps:

  1. Analyze the pirate landscape
  2. With SEO, increase the RANK to get the official sites as the first links in Google and bring pirate sites back to farther pages.
  3. Use investigators to collect proofs to enable shutdown sites
  4. Lawsuits with high fines.  The arrested webmaster are interviewed to learn all their techniques and tricks,

Jane explored the methods to have good brands advertising on pirate sites.   80% of the revenues of streaming cyberlockers are coming from advertisement.  Among them, 22% are coming from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt-in. Brands should be worried to place their advertisement in such sites as they are sometimes also hosting malwares.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical rationales why much piracy went from Sweden (Kazaa, The Pirate Bay…)  He asked that there should be a transactional VOD release window concurrent with Theatrical and Home windows.   The price could be dynamic, starting high and decreasing with time.

Being European, I did not see what was specifically European.   It was more his opinion.

What’s the forecast for securing the cloud? (panel)

According to me, the worst session.   No serious discussion on actual security of the cloud.   No discussion of hybrid clouds.  No precise definition of cloud (even no mention of NIST definition).  It seemed even to me that there was a consensus that implementations in cloud would be more secure than today’s implementations.

The topic is far more complex than the simplified vision drawn during the panel.

Internet Wide Scanning

Posted on by
Reply

AT Usenix 2014, Alex Halderman, Zakir Durumeric and Michael Bailey, from the University of Michigan, presented an interesting study of the new landscape of wide scale Internet scanning.  Scanning the Internet for finding vulnerable targets is an old practice that is used by both academics, security research companies and black hats.   Nevertheless, the practice has changed during this last decade.

First of all, new tools have appeared: ZMap and masscan.  Provided they have access to a huge bandwidth, they can explore the full IPv4 address space in a few minutes from one point.  There is no more the need to use a botnet with tools such as nmap.   This team knows well ZMap as it is an open source project developed by the University of Michigan and at least two authors of this paper.

The type of ports that are scanned has also evolved during the past decade.   The big winner is port 445 for SMB-IP.  Interestingly, HTTP, HTTPS and SSH are mainly scanned by academic driven studies.

2004 2010 2014
HTTP (80) SMB-IP (445) SMB-IP (445)
NetBIOS (135) NetBIOS (139) ICMP Ping
NetBIOS (139) eMule (4662) SSH (20)
DameWare (6129) HTTP (80) HTTP (80)
MyDoom (3127) NetBIOS (135) RDP (3389)

Table describing Temporal differences in targeted protocols

They studied also three use cases.  I had a lot of interest in the use case related to Linksys router backdoor. After the public disclosure, 22 hosts completed 43 scans targeting port 32764 (the backdoor) of the IPv4 address space.  The first one was Shodan in less than 48 hours. Within one week, other ones tarted with two academic, 3 security firms but the reminder were unidentified hosts!

For the HeartBleed, same story

In the week following the disclosure, we detected 53 scans from 27 hosts targeting HTTPS. In comparison,
in the week prior to the disclosure, there were 29 scans from 16 hosts.

The lessons is that this environment is extremely dynamic.  New point of interests appear regularly and shift with time.   New tools appear.   Thus, be proactive to stay secure.