Security Newsletter 22 is available

The Security Newsletter 22 is available. We are proud to have Joan DAEMEN as our guest. Joan is one of the authors of KECCAK, the algorithm selected by NIST to become the new official SHA-3 function. Mohamed presents this new hash function. SSL is the most widely deployed security protocol on the Internet and is therefore highly scrutinized by the community: Olivier, Christoph and Benoit take a deep dive into the latest attacks against SSL.

We hope you will enjoy reading it. Do not hesitate to comment.

How BitTorrent is monitored…

In a recent study, CHOTHIA Tom et al., four researchers from the University of Birmingham, attempted to check whether BitTorrent was monitored, how, and by whom. They studied two types of monitoring:

  • Indirect monitoring, where the copyright enforcement agency does not take part in the transaction and only collects clues, which makes for weak evidence
  • Direct monitoring, where the agency is part of the transaction. In that case, the evidence is better.

For the first type of monitoring, they used six heuristics (five collected from the literature and one of their own). The conclusion is clear: many agencies are scouting the swarms. Amusingly, they spotted the French INRIA team, who were conducting a similar study (see Identifying providers and downloader in bittorrent). Unsurprisingly, this part of the study was conclusive.

For direct monitoring, they tried other heuristics, such as checking whether a peer's reported completion progresses consistently, or how long its connections last. Once more, they detected monitoring activity.

The study also presents several interesting (but not surprising) conclusions:

  • The most popular content is far more monitored than less popular content. This is logical, as monitoring has a cost, and who would pay for the long tail?
  • When sharing a popular piece of content, the likelihood of being monitored within three hours is high.
  • The block lists of supposed monitors (available for the most popular clients) are incomplete.

The definition of the heuristics is interesting. It also gives the agencies a good hint on what they should do to become stealthier.

Designing security warnings

Microsoft released some interesting rules for deciding when, and what, to display to users in case of a security warning. Microsoft proposed two nice acronyms.

A security warning should be Necessary, Explainable, Actionable and Tested (NEAT). In other words, the designer should only present a security warning to the user if the user is needed to make a decision and the situation can be precisely explained to the user.

Explaining a security warning is a difficult task. Thus, Microsoft proposed another acronym. The explanation should clearly explain the Source of the issue, the Process the user can follow to solve it, describe the Risk, be Unique to the user (his/her context), offer some Choices and give Evidence (SPRUCE).

A nice initiative.

WHITEHAT SECURITY WEBSITE STATISTICS REPORT

Every semester, WhiteHat Security publishes its website security statistics report. It provides good insight into how the landscape evolves. It is interesting reading, although the data must be handled with care rather than taken as ground truth; to be fair, the author clearly highlights this point.

Some of the points that interested me:

  • The number of serious vulnerabilities is decreasing each year. Unfortunately, the deviation is large: some sites present hundreds of serious vulnerabilities whereas banking sites present only a few (hopefully). Here too, this is a best-case scenario.
  • Number one type of vulnerability: XSS, followed by information leakage. The famous SQL injection appears only in 8th position, but we know how devastating SQL injection can be.
  • In the ranking by type of company, as already said, the banking industry is the best student in the class, with only 17 serious vulnerabilities. Interestingly, social networks are not doing a bad job either, ranking 3rd with 31 vulnerabilities.

  • An interesting, and worrying, figure: the vulnerability reopen rate. 20% of the vulnerabilities have been reopened at least once! The more serious the vulnerability, the higher the likelihood of reopening.

If you're interested in tracking this type of trend, then read this white paper.

Why do Nigerian scammers say they are from Nigeria?

Nigerian scam is a generic term for the category of scams that always follow the same scheme: a widow/lawyer/son/exiled person has a huge sum of money blocked somewhere. They need the help of a trusted person to get this money out. You are this person. Of course, you will be nicely rewarded for your help. Obviously, if you agree to help, the scammer will soon ask for a small advance to prepare the paperwork or bribe the proper officials… Of course, in the end, no money is ever transferred to you. The Nigerian scam is a very old trick.

As the Nigerian scam is old and well known, asking why attackers still use such an obvious trick is a valid question, and the simple answer that attackers are stupid is not adequate. HERLEY Cormac, from Microsoft Research, provides a very convincing one.

Scammers also have false positives. This type of scam needs a lengthy interaction with the target, and that interaction has a cost (time, effort). When starting the interaction, the attacker would rather have no false positives: ideally, the attacker should only engage viable targets, i.e. targets that will carry the interaction through to the successful skimming. Intuitively, the more gullible the target, the higher the chance of success. Therefore, using such a worn-out trick filters the initial respondents: it keeps only the most gullible persons and thus lowers the false positive rate.

Cormac analyses the Receiver Operating Characteristic (ROC) curves usually used to draw the trade-off between true and false positives of a classifier, and looks for the optimal operating point. He analyzes the impact of density (i.e. the ratio of viable targets in the population) and of the quality of the classifier, then applies the results to Nigerian scams. He shows that the "dumbness" of the mail is a good classifier and that attackers choose their operating point so as to maximize overall profit.

This paper is interesting to read as it uses the usual classifier mathematics to analyze the impact of false positives on the financial gain of the attacker. It also takes the stance that not all scams are costless to the attacker.

The paper reference:

C. Herley, “Why do Nigerian Scammers Say They are from Nigeria?,” Berlin, Germany: Microsoft Research, 2012, available at http://research.microsoft.com/apps/pubs/?id=167719.
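To make the ROC argument above concrete, here is a small added example (my own constructed model, not code from Herley's paper): it parametrizes a classifier by a binormal ROC curve, computes the attacker's expected profit per recipient at each operating point, and grid-searches the false-positive rate that maximizes it. The parameters (density of viable targets, classifier separation, payoff, and engagement cost) are assumptions chosen for illustration. Running it shows the two effects the paper describes: as density drops, the profit-maximizing operating point moves to a tiny false-positive rate (the "dumb" mail), and as the cost of each engagement rises, the best achievable profit shrinks and eventually turns negative, which is the defender's lever.

```python
from statistics import NormalDist

_STD_NORMAL = NormalDist()


def tpr_for_fpr(fpr, separation):
    """Binormal ROC curve (constructed model): the true-positive rate reached when the
    classifier is tuned to accept a given false-positive rate. `separation` is the
    distance, in standard deviations, between the score distributions of viable and
    non-viable respondents, i.e. the quality of the classifier."""
    return _STD_NORMAL.cdf(_STD_NORMAL.inv_cdf(fpr) + separation)


def expected_profit(fpr, density, separation, gain, cost):
    """Expected profit per recipient at one operating point.
    density: fraction of viable targets in the population
    gain:    payoff from a viable target carried through to the end
    cost:    attacker's cost of engaging any respondent, viable or not"""
    tpr = tpr_for_fpr(fpr, separation)
    return density * tpr * (gain - cost) - (1.0 - density) * fpr * cost


# geometric grid of candidate false-positive rates, from 1e-6 up to about 0.98
FPR_GRID = [10 ** (-6 + 5.99 * i / 599) for i in range(600)]


def optimal_operating_point(density, separation, gain, cost):
    """Grid search for the false-positive rate that maximizes the attacker's expected
    profit. Returns (best_fpr, best_profit_per_recipient)."""
    best = max(FPR_GRID, key=lambda f: expected_profit(f, density, separation, gain, cost))
    return best, expected_profit(best, density, separation, gain, cost)


if __name__ == "__main__":
    # assumed parameters: payoff 1000, engagement cost 20, moderately good classifier
    for density in (0.1, 0.01, 0.001):
        fpr, profit = optimal_operating_point(density, 1.5, 1000, 20)
        print(f"density={density:<6} best FPR={fpr:.2e} profit/recipient={profit:.4f}")
    # raising the attacker's per-engagement cost erodes and then kills the profit
    for cost in (20, 200, 2000):
        best_profit = optimal_operating_point(0.001, 1.5, 1000, cost)[1]
        print(f"cost={cost:<5} best profit/recipient={best_profit:.5f}")
```

The sign of the best profit is the interesting output: once it is negative at every operating point, no choice of threshold makes the campaign worthwhile, which is why the paper's framing makes false positives a cost to the attacker rather than a free by-product.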

You are what you wear

Common knowledge holds that what you wear influences how your interlocutors perceive you. When visiting a therapist, would you trust the one in shorts and a torn tee-shirt more than the one formally dressed? But do your clothes also influence your own behavior?

This is what ADAM Hajo and GALINSKY Adam explored in their paper “Enclothed cognition”, and their findings are interesting.

Yet, the clothes we wear have power not only over others, but also over ourselves.

Clothes influence our behavior and even our efficiency! To show this, they set up an experiment comparing the performance on a task of people wearing a white lab coat with that of people without one. The first group performed better than the second.

We posit that wearing clothes causes people to “embody” the clothing and its symbolic meaning.

This is even more interesting: it is actually not the garment itself but rather its symbolic meaning that affects the wearer. In another experiment, they created three groups. The first group wore a white lab coat presented as a doctor's coat. The second group wore the same white lab coat, but this time presented as a painter's coat. The third group did not wear any lab coat. The first group consistently performed better than the two other groups; people wearing a “painter” lab coat performed no better than people without a lab coat.

How is that related to security? SOCIAL ENGINEERING! We already knew that you had better dress in a way consistent with what is expected of the role you are trying to mimic: this helps to trick the target and creates good ground for trust. Here, clearly, clothes carry a strong symbolic meaning that influences the victim. Uniforms convey order, authority and strength; lab coats convey science and expertise… It seems that these clothes may also help the social engineer perform his “supposed” role better.

By the way, in our daily life, could this trick help boost our own performance?

Reference

H. Adam and A.D. Galinsky, “Enclothed cognition,” Journal of Experimental Social Psychology, vol. 48, Jul. 2012, pp. 918–925 available at http://www.utstat.toronto.edu/reid/sta2201s/labcoatarticle.pdf.

Notes on PST 2012: (day 1: Innovation day)

Here are some notes on the first day of PST2012. These notes are personal and biased, in the sense that they reflect the topics that caught my attention. As such, they do not exhaustively represent the content of the various presentations.

Today’s challenges of cybercrime (E. FREYSSINET)

Eric heads the cybercrime department of the French gendarmerie. As such, he has deep knowledge of today's cybercrime, since he is the one fighting it.

He first presented the big trends and issues:

  • The volume of data to analyze is exploding.
  • Organized crime; interestingly, organized crime entered the game only recently. What first attracted it was car theft, which required electronics specialists because of increased electronic defenses; organized crime then moved on to electronic money.
  • Cryptography is becoming widespread, and this has an impact: for instance, a house search has to take place at a time of day when the computer is already switched on.

He then described some cases in more detail. A few excerpts:

  • Crime against children: this is one of the most important threats handled by his team (25% of cases), with several hundred cases per year in France. The best defense is educating children.
  • Attacks on IT systems: botnets have become the core element of many IT attacks. Often individuals write the tools and are hired by organizations that set up such infrastructure. Interestingly, many SMEs are attacking each other!
  • There is a real business approach behind such crime. Carders offer professional sites with customer support. Malware is sold with a licensing model, CMS, …

He then presented a typical attack: the police ransomware. Malware locks the computer, sometimes encrypts data, and displays a message purporting to come from the police, claiming that you violated the law and must pay a fine. 10% of infected people pay the alleged fine.

Cyber Defense

Can we protect against the unknown? (D. BIZEUL, Cassidian, Head of Security Assurance)

The focus of the presentation is on APT (Advanced Persistent Threat).

The six steps of APT:

  1. Information gathering
  2. Vulnerability identification
  3. Spear phishing/RAT installation
  4. Pass the hash protection/ propagation (for escalation)
  5. Malware and pack of tools
  6. Exfiltration

Detection of steps 3 to 6 should rely on reputation evaluation, statistics and, of course, logs. Thus, it is recommended to have a savvy IT team, cyber intelligence, IDS/IPS, and a SIEM and SOC. Cyber intelligence is key.

CERT, CSIRT (O. CALEFF, Devoteam)

A presentation of what a CERT/CSIRT is and how it works.

Cyber defense tools: the Sourcefire example (Y. LE BORGNE)

He explains how an Intrusion Prevention System (IPS) works:

  • Stage 1: packet decoder
  • Stage 2: pre-processor that normalizes the data
  • Stage 3: rules engine

Why are there still intrusions?

  • The client side is more prevalent, and it is the best place to attack.
  • File format complexity is a good vector for malware.
  • Operating an IDS is too complex.
  • Operating an IPS requires skill.

Evolution of Snort

New pre-processors (GTP, Modbus…), HTTP compression.

Deeper detection (cookies, JavaScript obfuscation…).

The message is that the human is the key element. Thus, they claim to simplify the analyst's task by focusing the reporting.
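The three stages listed above, and the reason a pre-processor that handles HTTP compression matters, are easier to see on a toy pipeline. The following is an added example of my own (not Sourcefire or Snort code): a decoder that splits a constructed HTTP request into fields, a pre-processor that percent-decodes the path until it is stable and gunzips a compressed body, and a rules engine with two signatures. The request, the rule names and the field layout are all assumptions made for the demo. Run with the pre-processor switched off, the same request matches nothing, because the rules never see the canonical form.

```python
import gzip
import re
from urllib.parse import unquote


# Stage 1: decoder. Split a raw HTTP request (constructed sample traffic) into fields.
def decode(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


# Stage 2: pre-processor. Undo the encodings traffic can hide behind so that the
# rules engine sees one canonical form; gzip handling is the "HTTP compression" part.
def normalize(pkt: dict) -> dict:
    path = pkt["path"]
    while True:  # decode repeatedly: %252e -> %2e -> '.'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    body = pkt["body"]
    if pkt["headers"].get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    return {**pkt,
            "path": path.replace("\\", "/").lower(),
            "body": body.decode("latin-1", "replace").lower()}


# Stage 3: rules engine. Each rule names the field it inspects and a pattern (constructed).
RULES = [
    ("path-traversal", "path", re.compile(r"\.\./")),
    ("script-tag-in-body", "body", re.compile(r"<script")),
]


def match_rules(pkt: dict) -> list:
    return [name for name, field, pattern in RULES if pattern.search(pkt[field])]


def inspect(raw: bytes, with_preprocessor: bool = True) -> list:
    """Run the three stages; the flag shows what stage 2 contributes to detection."""
    pkt = decode(raw)
    if with_preprocessor:
        pkt = normalize(pkt)
    else:
        pkt = {**pkt, "body": pkt["body"].decode("latin-1", "replace")}
    return match_rules(pkt)


def build_sample() -> bytes:
    """Constructed request: double-percent-encoded traversal in the path and a
    gzip-compressed body carrying a script tag in mixed case."""
    body = gzip.compress(b"comment=<SCRIPT>alert(1)</SCRIPT>")
    return (b"POST /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


if __name__ == "__main__":
    print("without pre-processor:", inspect(build_sample(), with_preprocessor=False))
    print("with pre-processor:   ", inspect(build_sample()))
```

The design point is that signatures are cheap only if they are written against one normalized representation; every encoding the pre-processor does not undo is a form the rules engine cannot see, which is exactly why new pre-processors keep being added.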

Panel

APT is more of a buzzword; it is not new. The most important aspect is the Persistent Threat part.

Keynote: The authorization leap from rights to attributes: Maturation or Chaos? (R. Sandhu)

Ravi is the father of Role Based Access Control (RBAC). Will RBAC be replaced by Attribute Based Access Control (ABAC)? In any case, we are moving towards flexible policies. According to him, the main issue with access control is and will always be the analog hole :) The main defect of RBAC is that it does not offer an extension framework, so it is difficult to cope with its shortcomings; ABAC has the advantage of inherent extensibility, for instance by adding attributes.

Security policy requires Policy Enforcement, Policy Specifications and Policy Administration.

He believes in Security as a Service because there will be an incentive to properly secure things; otherwise you switch service provider.
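As an added illustration of the extensibility point in the keynote (my own example, not Sandhu's code or any product's API), here are a minimal RBAC check and a minimal ABAC policy side by side. The ABAC half is split the way the keynote divides a security policy: the rule list is the policy specification, `decide` is the decision point, `enforce` is the enforcement point, and `add_rule` stands for policy administration. The hospital scenario, the attribute names (`department`, `time`, `break_glass`) and the rules are assumptions for the demo; the point they make is that a time-of-day constraint and an emergency override are one predicate each in ABAC, whereas RBAC has no place to put them without inventing new roles.

```python
from dataclasses import dataclass, field
from datetime import time

# --- RBAC: permissions hang off roles, and a request carries only the subject's roles ---
ROLE_PERMISSIONS = {
    "doctor": {("record", "read"), ("record", "write")},
    "nurse": {("record", "read")},
}


def rbac_allows(roles, resource, action):
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: rules are predicates over subject, resource and environment attributes ---
@dataclass
class Request:
    subject: dict                              # e.g. {"roles": [...], "department": "cardiology"}
    resource: dict                             # e.g. {"type": "record", "department": "cardiology"}
    action: str
    env: dict = field(default_factory=dict)    # e.g. {"time": time(10, 0)}


# Policy specification: ordered (name, predicate) rules; first match wins, default deny.
POLICY = [
    ("doctor-own-department", lambda r: r.action in ("read", "write")
        and "doctor" in r.subject["roles"]
        and r.subject["department"] == r.resource["department"]),
    ("nurse-read-on-day-shift", lambda r: r.action == "read"
        and "nurse" in r.subject["roles"]
        and r.subject["department"] == r.resource["department"]
        and time(7, 0) <= r.env["time"] < time(19, 0)),
]


def decide(request, policy=POLICY):
    """Policy decision point: name of the first matching rule, or None for deny."""
    for name, rule in policy:
        if rule(request):
            return name
    return None


def enforce(request, policy=POLICY):
    """Policy enforcement point: turns the decision into allow/deny."""
    return decide(request, policy) is not None


def add_rule(policy, name, predicate):
    """Policy administration: extend the policy with one more attribute-based rule.
    No new role and no permission table rewrite, just a predicate (the extensibility)."""
    return policy + [(name, predicate)]


# Constructed emergency rule: a doctor may read any department's record when the
# environment carries a "break_glass" flag (a real system would audit this loudly).
BREAK_GLASS = ("doctor-break-glass", lambda r: r.action == "read"
               and "doctor" in r.subject["roles"]
               and r.env.get("break_glass", False))


def sample_request(role, own_dept, record_dept, hour, break_glass=False):
    """Build a constructed read request for the demo."""
    return Request({"roles": [role], "department": own_dept},
                   {"type": "record", "department": record_dept}, "read",
                   {"time": time(hour, 0), "break_glass": break_glass})


if __name__ == "__main__":
    print("RBAC nurse read:", rbac_allows(["nurse"], "record", "read"))          # no notion of time
    print("ABAC nurse read at 23:00:", enforce(sample_request("nurse", "cardiology", "cardiology", 23)))
    cross = sample_request("doctor", "cardiology", "oncology", 10, break_glass=True)
    print("ABAC cross-department read:", decide(cross))
    print("...after policy administration adds break-glass:",
          decide(cross, add_rule(POLICY, *BREAK_GLASS)))
```

Ordering matters in such a rule list: with first-match-wins semantics, an administrator who appends a permissive rule must check it cannot be reached by requests an earlier rule was meant to deny, which is the kind of policy analysis RBAC's fixed structure made easy and ABAC's flexibility makes necessary.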

SME session

Arxan (M. NOCTOR)

Nothing new. If you don't know Arxan and you need software tamper resistance, visit their site.

CODENOMICON (R. Kuipers)

How to strip down a TV set? He highlights the risk of connected TVs, which are not secure at all although they may handle confidential data such as credit card numbers.

Secure IC (P. NGUYEN)

Silicon security; the usual presentation on side-channel attacks. The newer attacks are Correlation Power Analysis and Mutual Information Analysis (new since 2010). The new trend is to use information-theory-related metrics. They have a dual-rail logic family with formally proved security (to be presented at CHES 2012).
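The two ideas in that last talk, information-theoretic leakage metrics and dual-rail logic, fit in one small added example (my own, not Secure-IC's design or tooling). It uses the simplest leakage model there is, an assumed noise-free Hamming-weight leakage of an 8-bit intermediate value, and measures how much that leakage tells an observer about the value: both the mutual information I(V; L), the quantity Mutual Information Analysis exploits, and the variance of the leakage, which is what a correlation-based analysis needs to be nonzero. Encoding each bit as the complementary pair (b, not b) makes every word weigh exactly 8, so under this model both metrics drop to zero; real dual-rail circuits only approximate this, which is why formal and measured security arguments are needed for them.

```python
from collections import Counter
from math import log2


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def dual_rail(x: int, bits: int = 8) -> int:
    """Dual-rail encoding: every data bit b is carried as the pair (b, not b), so a
    `bits`-bit word becomes 2*bits wires of which exactly `bits` are set."""
    out = 0
    for i in range(bits):
        b = (x >> i) & 1
        out |= (b << (2 * i)) | ((1 - b) << (2 * i + 1))
    return out


def mutual_information(samples) -> float:
    """I(V; L) in bits from empirical counts of (value, leakage) pairs."""
    n = len(samples)
    joint = Counter(samples)
    p_v = Counter(v for v, _ in samples)
    p_l = Counter(l for _, l in samples)
    return sum((c / n) * log2((c / n) / ((p_v[v] / n) * (p_l[l] / n)))
               for (v, l), c in joint.items())


def leakage_mi(encode=lambda v: v, bits: int = 8) -> float:
    """Information-theoretic leakage metric: how many bits the Hamming-weight leakage
    of an intermediate value reveals about that value under a chosen data encoding.
    Constructed model: every `bits`-bit value equally likely, noise-free leakage."""
    samples = [(v, hamming_weight(encode(v))) for v in range(1 << bits)]
    return mutual_information(samples)


def leakage_variance(encode=lambda v: v, bits: int = 8) -> float:
    """Variance of the leakage across all values: zero means nothing to correlate with."""
    weights = [hamming_weight(encode(v)) for v in range(1 << bits)]
    mean = sum(weights) / len(weights)
    return sum((w - mean) ** 2 for w in weights) / len(weights)


if __name__ == "__main__":
    print(f"single-rail: I(V;HW) = {leakage_mi():.3f} bits, variance = {leakage_variance():.3f}")
    print(f"dual-rail:   I(V;HW) = {leakage_mi(dual_rail):.3f} bits, "
          f"variance = {leakage_variance(dual_rail):.3f}")
```

For the single-rail case the mutual information equals the entropy of the weight of a uniform byte, about 2.54 bits, because the leakage is a deterministic function of the value; the dual-rail column is the countermeasure's target, and the gap between that ideal zero and what a real chip measures is what the formal security claim has to account for.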