Designing a permission system

Asking users to make security-oriented decisions is not always wise.  For instance, Android asks the user to accept (or refuse) the permissions requested by an application at installation time.  Recent studies highlighted that only 17% of users paid attention to permissions during the installation phase.
Felt et al., in the paper “How to Ask for Permission”, defined four potential strategies to manage permissions:

  • The designer automatically grants permissions without involving the end user. This strategy is valid only if the designer makes the right decision and if no application abuses the end user. In any case, the end user should be able to reverse the decision.
  • The designer integrates the decision within the task that the end user is performing and that requires the new permission. This is what happens when the user chooses which directories a friend may access, or has to press a button to send a message. Usually, the end user is not even aware that he is taking a security decision, and he is not distracted from his primary goal: performing the task. The paper calls that Trusted UI (which I find misleading).
  • The designer opens a dialog box when a decision has to be taken. The end user is distracted from his primary goal. Therefore, these dialog boxes should be rare and restricted to decisions that would have severe adverse consequences.
  • The designer presents all the requested permissions to the user at installation time, for approval as a whole. Android applies this strategy.

For the last two scenarios, the user should be helped with explanations that highlight the risks he takes when making the decision.

An ideal product would mix the four approaches.  The authors propose an implementation strategy, summarized in the figure below.

[Figure: Permission (implementation strategy proposed by Felt et al.)]

The paper is

A.P. Felt, S. Egelman, M. Finifter, D. Akhawe, D. Wagner et al., “How to Ask for Permission,” HotSec, 2012, available at https://www.usenix.org/system/files/conference/hotsec12/hotsec12-final19.pdf.

Browser canvas fingerprinting

In 2012, Keaton Mowery and Hovav Shacham proposed a new method to fingerprint a browser using HTML5: “Pixel Perfect: Fingerprinting Canvas in HTML5”.  It relies on the HTML5 <canvas> element, which defines an area of the page that scripts can draw on with graphic primitives.   The idea is to write a text, ideally a pangram, into a canvas, retrieve the rendered bitmap of the canvas area (with the toDataURL method) and compute a digest of that image.   The expectation was that rendering would differ slightly depending on the operating system, the browser version, the graphics card and the version of its driver.   In practice, the canvas digest did differentiate users.  Furthermore, all modern browsers support HTML5.

Canvas fingerprinting is invisible to the user.   It stores nothing on the machine, so it survives cookie blocking and private browsing mode…  Combined with other fingerprinting parameters, such as the HTTP User-Agent header or font detection, the uniqueness of the fingerprint is high.   The site http://www.browserleaks.com/ demonstrates the differentiation.  Do not hesitate to test it with your configuration.

This paper was a nice academic study.   This month, Gunes Acar et al. published a paper, “The Web never forgets: Persistent tracking mechanisms in the wild.”   They studied the different tracking methods used by the top 100,000 web sites (Alexa ranking).   They discovered that 5.5% of these sites used canvas fingerprinting!  It is mainly deployed through the “AddThis.com” widget.   Furthermore, by reverse engineering the AddThis code, they showed that AddThis improved on the technique described in the seminal paper.   For instance, the developers used a perfect pangram, or drew two rectangles and checked whether a specific point was part of the path…

User tracking is an arms race, and tracking software uses the latest academic research results.

Note 1:  you can opt out of AddThis tracking at http://www.addthis.com/privacy/opt-out.  Ironically, they put a cookie on the computer to signal the opt-out 🙁

Note 2: a pangram is a sentence that uses all the letters of the alphabet.  A perfect pangram is a sentence that uses each letter of the alphabet exactly once.

 

Cloud services as Command and Control

Cloud services increase the attack surface of corporate networks.   For instance, we usually associate file sharing services with the risk of leaking confidential information.  This is a real threat.  These services may also present another, more lethal threat: becoming Command and Control (C&C) channels.   C&C channels are used by botnets and Trojans to communicate with the infected machines.

At Black Hat 2013, Jake Williams presented DropSmack, a C&C tool dedicated to Dropbox.  In his paper, he explains the genesis of this tool.  It is a well-documented story of an advanced penetration test (worthwhile reading if you are not familiar with these tests).  The interesting part of the story is that he succeeded in infecting an employee’s home computer.   The employee used this home computer to work on corporate documents through his Dropbox account.  Thus, any modified or new file in the Dropbox folder was synchronized to the cloud-based folder and then synchronized to the company’s computer.   If the attacker manages to plant a malware in the synchronized folder of the home computer, it appears on the corporate computer and can infect it.

Thus, using DropSmack, he was able to implement a C&C channel over Dropbox.  What is interesting is that it flies below the radar of firewalls, IDS and DLP, because the synchronization traffic is encrypted: the network devices see only the Dropbox client talking to Dropbox.  Furthermore, the likelihood that Dropbox is whitelisted is high.  And according to the statistics presented in my last post, the likelihood that one of your employees is already using Dropbox, even without the blessing of the IT department, is extremely high.

Last month, Trend Micro detected a Remote Access Tool using Dropbox as its C&C channel!  It was used to target a Taiwanese government agency.

 

A few lessons:

  • When a researcher presents an attack, it does not take long for it to appear in the wild.  Never downplay a disclosed attack.
  • Cloud brings new threats, and we are just seeing the tip of the iceberg.  Worse is to come.

 

PS: the same attack may be mounted on any file sharing service.  Dropbox was used because of its popularity, not because it is vulnerable.   The vulnerability resides in the concept of (uncontrolled) file sharing.

Snowcrash, Snowden, Snow on trust

This Prezi presentation describes how perceived trust in the Internet has eroded over time, with a clear acceleration last year.   This is a personal (provocative) vision.  The companies cited are just (non-exhaustive) examples, each representing a category (a flagship of its kind).

[prezi id="http://prezi.com/9jxg2wbcdm4z/snow-crash-et-al/" width=670]

Laundering money in the digital world

With the advent of the digital world, money laundering has developed new techniques. Two new trends: online gaming and micro-laundering.

Online gaming is not online gambling (which is what one might think of when speaking of illegal activities); it is the use of role-playing games (RPGs) such as World of Warcraft (WoW) to move money. Indeed, many RPGs make it possible to purchase or sell either virtual coins collected during game play or rare virtual artifacts, and the trade can involve real money. Blizzard recently announced that it will close Diablo III’s marketplace. A way to avoid this type of issue?

Micro-laundering uses services such as PayPal or virtual credit cards, and people who temporarily pass the money through their own accounts. Interestingly, I learned that some Nigerian scams are indeed semi-real. They look for people to transfer illegal money. The person accepting the transfer may be rewarded, but will be liable for money laundering!!

This activity is described in Jean-Loup Richet’s report “Laundering Money Online: a review of cybercriminals’ methods”. This report gives a high-level view of the new trends. Unfortunately, it lacks serious figures, references and technical details. I do not know if there is a non-public version with more information.

If you are looking for a quick overview, it is a good start. It also gives a good view of how inventive criminals can be.

 

J.-L. Richet, “Laundering Money Online: a review of cybercriminals’ methods,” 2013, available at http://arxiv.org/abs/1310.2368.

Ten laws: a little help?

I am writing my second book.  It will explore the ten laws of security.  It will be published by Springer in 2015.   The book will describe many examples of real situations illustrating the laws.  Some examples comply with the laws, others violate them.

I already have many examples. Nevertheless, the larger the stock of potential examples, the better.   Thus, I am looking for examples.   If you have examples illustrating one law and are ready to share them with me, you are welcome.  If it is a new, unknown example that I use in the book, then, of course, you will be credited in the book.   😉

I am also looking for examples that are:

  1. Not related to IT
  2. Historical

Please be generous…

Murdoch’s pirates

In 2008, I wrote a post about “Big Gun”, a hacker who was supposed to have worked for NDS to hack competitors.  It followed a series of lawsuits against News.

This was only a small portion of the bigger picture of the NDS story.  With Murdoch’s Pirates, Neil Chenoweth has just published a detailed description of how NDS acted to “keep ahead” of its competitors.  And the story is as good as a good spy novel.  The difference is that this is real.  And unlike in Hollywood movies, morality does not win.

You will discover the dark side of News and NDS. The book is not technical (there are even some inaccuracies).  But the story is based on all the documents that were published during the multiple trials.

I do not like the style of the author.  Although he uses real information, he is not objective and clearly takes sides.  Furthermore, the first two sections do not follow a linear narration.  This makes the introduction of the “heroes” of this book difficult to follow.  Nevertheless, if you are working, or have worked, with Conditional Access providers, you will be thrilled by the book.

From a personal point of view, as I met several of the early actors of this book while we were designing VideoCrypt, it was a strange experience to discover the very dark sides of some of them.   I was not naïve; nevertheless, it was worse than my darkest assumptions.

 

CA guys, read this book.