Top threats for cloud computing

The Cloud Security Alliance released a document listing the nine top threats of cloud computing: “The Notorious Nine”.  The top nine threats are:

  1. Data breaches; an attacker may access your data.
  2. Data loss; the loss may result from an attack, a technical problem or a catastrophe. The document wisely highlights the issue raised by encryption (used to protect against threat 1).
  3. Account hijacking.
  4. Insecure APIs; this one is extremely important, especially for system designers. It is not necessarily unique to the cloud, but it is clearly exacerbated by a cloud infrastructure.
  5. Denial of service.
  6. Malicious insiders.
  7. Abuse of cloud services; using the cloud for nefarious actions such as password cracking. Well, every coin has two sides.
  8. Insufficient due diligence; jumping on the cloud bandwagon without enough preparation may be an issue. This is not specific to the cloud; it is true for any new paradigm. BYOD (Bring Your Own Device) is a perfect illustration of such a problem.
  9. Shared technology vulnerabilities; as you share components and pieces of software, not necessarily with enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real-world example of an attack. A risk matrix allows comparing them.

This list was established by surveying industry experts. Unfortunately, the document does not give details about the number of surveyed experts, their locations, or their qualifications.

Good document to read.

European industry worried by APT

According to a recent report from Quocirca, "The trouble heading for your business", European businesses claim they are concerned about APTs. Many interviewed companies assert they have been under targeted attacks. Even more worrying, most of them believe that undetected malware is running on their networks.

Advanced Persistent Threats (APT), or targeted attacks, are high-profile attacks that aim at one precise target with a precise objective. The attackers are highly skilled. Most of the time, they are either funded by criminal organizations or are state-operated teams. This is the most dangerous type of attack. Usual tools such as firewalls and anti-virus software are not sufficient. The Bit9 and RSA attacks are good examples of targeted attacks.

The report gives interesting insights into the perceived impact of APTs on business. For instance, we discover that loss of regulated financial data is the top impact. Loss of IP is in fourth position. Reputational damage and negative media coverage are the least significant impacts.

(Copyright Quocirca 2013 for the figure)

The ranking of concern about the impacts following an APT:

  1. Loss of regulated data
  2. Loss of IP
  3. Reputational damage
  4. Fines
  5. Remediation costs


Thus, this report is a good reference when you have to explain why you need this new deep packet inspection tool, or the latest behavioral analysis software.

It is good to see that companies are aware of this new APT risk.  Is your company aware?

Unlocking phone in the US: is it illegal?

In 2010, the Librarian of Congress ruled that unlocking a phone in order to move to another carrier was legal. On 26th October 2012, the Librarian of Congress changed his mind. Unlocking phones purchased after January 2013 will again be illegal.

In the same ruling, the Librarian of Congress allowed the jailbreaking of iPhones for interoperability, but forbade it for iPads!

Wireless telephone handsets – software interoperability
Computer programs that enable wireless telephone handsets to execute lawfully obtained software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications with computer programs on the telephone handset.

This exemption is a modification of the proponents’ proposal. It permits the circumvention of computer programs on mobile phones to enable interoperability of non-vendor-approved software applications (often referred to as “jailbreaking”), but does not apply to tablets – as had been requested by proponents – because the record did not support it.

Recently, the White House officially announced that it was “Time to Legalize Cell Phone Unlocking”.

How the White House will try to reverse the Librarian's ruling is unclear.

Once more, we see that the interpretation of the DMCA is complex and evolves with time. Some decisions may even seem strange: authorizing mobile phones but not tablets (although they use the same OS and may act as phones) is difficult for consumers to understand.

Murdoch’s pirates

In 2008, I wrote a post about “Big Gun”, a hacker who was supposed to have worked for NDS to hack competitors. It followed a series of lawsuits against News.

This was only a small portion of the larger picture of the NDS story. With Murdoch’s Pirates, Neil Chenoweth has just published a detailed description of how NDS acted to “keep ahead” of its competitors. And the story is as good as a good spy novel. The difference is that this is real. And unlike in Hollywood movies, morality does not win.

You will discover the dark side of News and NDS. The book is not technical (there are even some inaccuracies).  But the story is based on all the documents that were published during the multiple trials.

I do not like the style of the author. Although he uses real information, he is not objective and clearly takes sides. Furthermore, the first two sections do not follow a linear narration. This makes the introduction of the “heroes” of this book difficult to follow. Nevertheless, if you are working, or have worked, with Conditional Access providers, you will be thrilled by the book.

From a personal point of view, as I have met several of the early actors of this book while we were designing VideoCrypt, it was a strange experience to discover very dark parts of some of them. I was not naïve; nevertheless it was worse than my darkest assumptions.

CA guys, read this book.

Bit9: when a security company signs malware…

Bit9 offers security solutions that control which applications are authorized to execute on a platform. Rather than relying on detecting malicious applications, Bit9 uses an engine that only authorizes a whitelist of trusted applications. Every application that is not part of the whitelist is by default considered suspect and denied execution. Of course, the Bit9 engine considers as trusted every application issued by Bit9. The control is done by verifying whether the application was properly signed by the Bit9 signing key. Bit9 claims that their solution is the ultimate defense, and the only valid answer to Advanced Persistent Threats (APT).

On February 8, 2013, security consultant Brian Krebs announced that some companies were affected by malware signed by Bit9. Later on the same day, Bit9 Chief Executive Officer (CEO) Patrick Morley acknowledged the problem. Their own solution did not protect some of the Bit9 servers. Among them were servers used to sign digital applications. Attackers were able to penetrate the network and get their malicious code signed by Bit9. Thus, any Bit9 engine would accept these pieces of malware as trusted applications. Bit9 announced that they had started to remediate the issues. They applied their own solution to their complete infrastructure. They revoked the compromised digital certificate and informed their customers.

According to Bit9, only three undisclosed customers were affected. Due to the high profile of Bit9 customers (defense department, Fortune 100), it may be part of a larger APT targeting some companies. Was it the same kind of attempt to use a security technology as an entry door, as in the RSA hack?

Ironically, a few hours before, Bit9 had bragged that anti-virus software was old news. It would be interesting to learn how the attackers penetrated the network.

Two lessons:

  • Defense in depth is mandatory; multiply the number of defense mechanisms. Relying on one unique mechanism is brittle security.
  • Signing of production code should be supervised by a trusted human operator. You may use automatic signing for the development process, provided of course that you use an independent root key dedicated to development code. Normally, very few pieces of software go out in the field as production releases. Thus, using a human operator will not increase the cost.
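To illustrate the two lessons, here is an added toy allow-list engine in Go (not Bit9's code or design; keys, file contents and decisions are constructed): it trusts only binaries whose signature verifies under a non-revoked production key, replays the incident with a stolen production key, shows that an independent development key is denied by default in production, and shows the cost of revocation, namely that legitimately signed code is denied too until it is re-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Entry is a signed application as presented to the allow-list engine (constructed format).
type Entry struct {
	Code, Sig []byte
	Signer    ed25519.PublicKey // stands in for the code-signing certificate identifying the key
}
// Policy is the engine's trust store, keyed by signer public key: trusted production keys and revoked keys.
type Policy struct{ Trusted, Revoked map[string]bool }
// Sign signs a binary. Whoever holds priv can do this, which is why a compromised signing server is fatal.
func Sign(code []byte, priv ed25519.PrivateKey) Entry {
	return Entry{Code: code, Sig: ed25519.Sign(priv, code), Signer: priv.Public().(ed25519.PublicKey)}
}
// Allow is default-deny: run only code whose signature verifies under a trusted, non-revoked production key.
func (p Policy) Allow(e Entry) (bool, string) {
	k := string(e.Signer)
	switch {
	case p.Revoked[k]:
		return false, "signing key revoked"
	case !p.Trusted[k]:
		return false, "signer not in production trust store"
	case !ed25519.Verify(e.Signer, e.Code, e.Sig):
		return false, "signature does not verify"
	}
	return true, "trusted"
}
// Scenario replays the incident with constructed binaries and returns the engine's decision for each case.
func Scenario() map[string]bool {
	prodPub, prodPriv, _ := ed25519.GenerateKey(rand.Reader) // production signing key
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)        // independent development key
	p := Policy{Trusted: map[string]bool{string(prodPub): true}, Revoked: map[string]bool{}}
	legit := Sign([]byte("constructed legitimate binary"), prodPriv)
	malware := Sign([]byte("constructed malicious binary"), prodPriv) // signed with the stolen key
	dev := Sign([]byte("constructed development build"), devPriv)
	out := map[string]bool{}
	out["legit before revocation"], _ = p.Allow(legit)
	out["malware before revocation"], _ = p.Allow(malware) // stolen production key: accepted as trusted
	out["dev-signed in production"], _ = p.Allow(dev)      // development key: denied by default
	p.Revoked[string(prodPub)] = true // the response: revoke the compromised key
	out["malware after revocation"], _ = p.Allow(malware)
	out["legit after revocation"], _ = p.Allow(legit) // cost of revocation: legitimate code must be re-signed
	return out
}
func main() { fmt.Println(Scenario()) }
```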

DDoS as a form of free speech

Dykan K. (from Eage, Wisconsin) started an online petition on January 7 asking the Obama administration to:

Make, distributed denial-of-service (DDoS), a legal form of protesting.

With the advance in internet technology, comes new grounds for protesting. Distributed denial-of-service (DDoS), is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any “occupy” protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.

Many newspapers claim it was issued by Anonymous. Nevertheless, I was not able to find a related tweet from @AnonNews (if somebody spotted it, please send me the pointer).

Is it a legitimate demand? Obviously, some DDoS actions were used to protest against authorities or resented actions… For instance, when MegaUpload was closed, Anonymous organized such an attack (see http://eric-diehl.com/megaupload-is-down/). Nevertheless, DDoS is also used for blackmail or just simple malevolence. Therefore, we can foresee the answer of the Obama administration. To receive an official answer, the petition must gather more than 25,000 signatures in one month. At writing time, it was at 4,255.

Update 16 Jan: since Tuesday, the White House has raised the threshold from 25,000 signatures to 100,000 signatures. At writing time, the petition was at 4,855. Of course, this rise is not correlated to this petition (rather to the secessionist petitions).

Security Newsletter 22 is available

Security Newsletter 22 is available. We are proud to have Joan DAEMEN as a guest. Joan is one of the authors of KECCAK, the new algorithm selected by NIST to become the new official SHA-3 function. Mohamed presents this new hash function. SSL is the most deployed security protocol on the Internet, and thus it is highly scrutinized by the community. Olivier, Christoph and Benoit take a deep dive into the latest attacks against SSL.

Hoping that you will enjoy reading it. Do not hesitate to comment.