Notes of PST2012: Day 2

As for yesterday, these notes reflect what pinged my interest and do not attempt to be non-biased, exhaustive reporting of the presentations.

Co-utility: rational cooperation for privacy, security and functionality in the information society (J. Domingo Ferrer, University of Tarragona)

He started with an environmental analogy: privacy preservation is essential and should be sustainable for the survival of the information society. To limit privacy “pollution”, he proposes reducing identifiable information, reusing data to reduce utility,

He uses game theory to define co-utility: co-utility means that the two players have their best strategy when they cooperate. Using different equilibria, he defines Nash, mixed Nash, or Stackelberg (when one player can impose his strategy on the rest of the players) co-utility.

Application to PIR applications

Currently, PIR assumes the cooperation of the database, which is not always true. (Not true if using Zero-Knowledge such as Micali.) Potential solutions:

  • Standalone approach: TrackMeNot generates fake queries or adds fake keywords.
  • P2P: reuse queries submitted by other users. He explores this avenue: each player collaborates by submitting queries of the other players to flatten his profile (Nash equilibrium).

Trust session

Building robust reputation systems for travel-related services (H. DUAN, Heidelberg)

How to stop manipulation through the injection of fake reviews (promoting, demoting, system destructor)?

The idea was to use review helpfulness as a reputation measurement. They did not use textual analysis. It was OK for one set (New York City) and not for another town.

They were challenged on how they distinguished promoters and demoters from innocent reviewers.

Collaborative Trust Evaluation for Wiki Security

The issue is that malicious or incompetent contributors may modify documents. (An estimated 4-6% of Wikipedia contributions are vandalism.)

The Security Wiki Model is a layered model in which authors are promoted based on the quality of their contributions. A document has an integrity level (IL), and only authors with a higher quality level can contribute. The author attributes the first IL (necessarily less than or equal to his level).

An author increases his reputation through reviews that are validated by other reviewers.

Very conservative approach.

The theory of creating trust with untrusty principals (J. Viehmann, Fraunhofer)

State of the art: vote, democratic vote (majority), centralized Trusted Third Party

Using game theory with peer monitoring to detect manipulation in different cases:

  • plain
  • Law enforced
  • using mistrust (by testing through fake requests to see if somebody is trustworthy)

Theoretical, no real experiment to test the reaction of users.

Security Session

Effects of displaying access control information near the item it controls (K. Vaniea, Carnegie Mellon)

They tried it on a gallery, distinguishing between everybody, co-workers, friends and family.

An icon near the picture has a better effect than one in the sidebar. It does not improve memory retention.

Detecting JavaScript-based attacks in PDF files (Schmitt F., University of Bonn)

Static detection is not sufficient when the code itself builds the malicious code.

The typical attack uses heap spraying, then calls a vulnerable API method so that the return address is overwritten.

They use PDF Scrutinizer, which has a JavaScript emulator and a reader emulator, without actual rendering.

Interesting detectors: the heap spray detector watches for strings that are added to an array too often and that are identical.
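The heuristic described above, as an added example (this is not PDF Scrutinizer's code). It assumes a hypothetical emulator hook that reports every value stored into an array; the thresholds and the sample trace are constructed for the illustration.

```python
import hashlib
from collections import Counter, defaultdict

# Assumed thresholds for this example; a real detector would tune them.
MIN_STORES = 100        # "too often": string stores into one array
MIN_IDENTICAL = 0.9     # share of those stores carrying the same string
MIN_STRING_LEN = 1024   # ignore short strings such as labels


class HeapSprayDetector:
    """Fed by a hypothetical emulator hook: one call per array store."""

    def __init__(self):
        self.stores = defaultdict(Counter)   # array id -> digest -> count

    def on_array_store(self, array_id, value):
        if not isinstance(value, str) or len(value) < MIN_STRING_LEN:
            return
        # Count digests, not strings, so memory stays bounded.
        digest = hashlib.sha256(value.encode("utf-8", "surrogatepass")).digest()
        self.stores[array_id][digest] += 1

    def suspicious_arrays(self):
        flagged = []
        for array_id, counts in self.stores.items():
            total = sum(counts.values())
            most_repeated = counts.most_common(1)[0][1]
            if total >= MIN_STORES and most_repeated / total >= MIN_IDENTICAL:
                flagged.append(array_id)
        return sorted(flagged)


def constructed_trace():
    """Constructed store events, not taken from a real document."""
    filler = "A" * 4096                                   # inert filler
    events = [("arr_a", filler) for _ in range(300)]      # identical, often
    events += [("arr_b", f"page {i} " + "x" * 2000) for i in range(300)]
    events += [("arr_c", "OK") for _ in range(500)]       # short labels
    events += [("arr_d", filler) for _ in range(20)]      # identical, rare
    return events


def scan(events):
    detector = HeapSprayDetector()
    for array_id, value in events:
        detector.on_array_store(array_id, value)
    return detector.suspicious_arrays()
```

Only `arr_a` is flagged: `arr_b` stores many large but distinct strings, `arr_c` stores short ones, and `arr_d` repeats the same string too rarely.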

Automatic Detection of Session Management Vulnerabilities in Web Applications (Y. Takamatsu, Japan)

Typical attacks: session fixation and cross-site request forgery (CSRF).

They implemented a plug-in for Amberate to detect these vulnerabilities. Not convincing, as it created false positives on PHP-Nuke.

Notes on PST 2012: (day 1: Innovation day)

Here are some notes on the first day of PST2012. These notes are personal and biased in the sense that they reflect the topics that pinged me. As such, they do not exhaustively represent the content of the various presentations.

Today’s challenges of cybercrime (E. FREYSSINET)

Eric is the head of the cyber crime department of the French gendarmerie. As such, he has a deep knowledge of today’s cybercrime as he is fighting it.

He first presented the big trends and issues:

  • Data to analyze is exploding
  • Organized crime: interestingly, organized crime entered the game only lately. The target that attracted organized crime was car theft, which required electronics specialists due to increased electronic defenses; then organized crime jumped to electronic money.
  • Cryptography becomes more generalized. This has an impact: for instance, a house search has to occur at a time of day when the computer is already switched on.

He then described some cases in more detail. A few excerpts:

  • Crime against children: this is one of the most important threats handled by his team (25% of the cases). Several hundred cases per year in France. The best defense is the education of children.
  • Attacks on IT systems: botnets become the core element of many IT attacks. Often individuals build the tools and are hired by organizations that install such infrastructure. Interestingly, many SMEs are attacking each other!
  • There is a real business approach behind such crime. Carders are offering professional sites with customer support. Malware is sold with a licensing approach, CMS,…

Then he presented a typical attack: the police ransomware. A malware blocks the computer, sometimes encrypts data, and displays a message purportedly issued by the police claiming that you violated the law and have to pay a fine. 10% of the infected people pay the alleged fine.

Cyber Defense

Can we protect against the unknown? (D. BIZEUL, Cassidian, Head of Security Assurance)

The focus of the presentation is on APT (Advanced Persistent Threat).

The six steps of APT:

  1. Information gathering
  2. Vulnerability identification
  3. Spear phishing/RAT installation
  4. Pass the hash protection/ propagation (for escalation)
  5. Malware and pack of tools
  6. Exfiltration

Detection of steps 3 to 6 should use reputation evaluation, statistics and of course logs. Thus, it is recommended to have a savvy IT team, cyber intelligence, IDS/IPS, and SIEM & SOC. Cyber intelligence is key.

CERT, CSIRT (O. CALEFF, Devoteam)

Presentation of what a CERT/CSIRT is, and how it works.

Cyber defense tools: the Sourcefire example (Y. LE BORGNE)

He explains how an Intrusion Prevention System (IPS) works:

  • Stage 1: packet decoder
  • Stage 2: pre-processor to normalize data
  • Stage 3: rules engine

Why are there still intrusions?

  • The client side is more prevalent and it is the best place to attack.
  • File complexity is a good vector for malware.
  • Operating an IDS is too complex.
  • Operating an IPS needs skill.

Evolution of Snort

New pre-processors (GTP, Modbus…), HTTP compression.

Deeper detection (cookies, JavaScript obfuscation…)

The message is that the human is the key element. Thus, they claim to simplify the task by focusing the reporting.

Panel

APT is more of a buzzword. It is not new. The most important aspect is the Persistent Threat aspect.

 

Keynote: The authorization leap from rights to attributes: Maturation or Chaos? (R. Sandhu)

Ravi is the father of Role Based Access Control (RBAC). Will RBAC be replaced by Attribute Based Access Control (ABAC)? In any case, we’re going towards flexible policy. According to him, the main issue with Access Control is and will always be the analog hole. The main defect of RBAC is that it does not offer an extension framework. Thus, it is difficult to cope with shortcomings; ABAC has the advantage of offering inherent extensibility, for instance by adding attributes.

Security policy requires Policy Enforcement, Policy Specifications and Policy Administration.

He believes in Security as a Service because there will be an incentive to properly secure stuff; otherwise you change service provider.

SME session

Arxan (M. NOCTOR)

Nothing new. If you don’t know Arxan, and if you need software tamper resistance, visit their site.

CODENOMICON (R. Kuipers)

How to strip off a TV set? He highlights the risk of connected TVs that are not secure at all, although they may handle confidential data such as credit card numbers.

Secure IC (P. NGUYEN)

Silicon security. The usual presentation on side channel attacks. The new attacks are Correlation Power Analysis and Mutual Information Analysis (new since 2010). The new trend is to use information-theory-related metrics. They have a dual rail family with formally proved security (to be presented at CHES2012).

LinkedIn Password Leak (2)

After the leak of 6 million unsalted LinkedIn passwords, a new episode in the story. Katie SZPYRKA, residing in Illinois, a premium member of LinkedIn, sues LinkedIn for

… failing to properly safeguard its users’ digitally stored personally identifiable information (“PII”), including e-mail addresses, passwords, and login credential;

She claims that LinkedIn fails to properly encrypt its users’ PII:

… LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format.  The problem with this practice is two-fold.  First, SHA1 is an outdated hashing function, first published by the National Security Agency in 1995.  Secondly, storing users’ passwords in hashed format without first “salting” the passwords runs afoul of conventional data protection methods, and poses significant risks to the integrity users’ sensitive data.

The second statement is true. I would be more cautious with the first one. There are known attacks on SHA1. That is why there is a new challenge to find a replacement for SHA1. Nevertheless, they are not easy and simple. Using SHA1 was not the problem. Using salted SHA1 for storing passwords is still good practice for several years to come.

She also complains that the attack used an SQL injection and that the site was not properly protected against this type of attack, despite the existence of a NIST checklist to prevent them.

An interesting statement

… free account users buy products and services by paying LinkedIn in the form of contact information (first name, last name, and an email address)

That’s true. I would even add: by his/her network information, which allows better profiling of the user.

The outcome of this action will be interesting. How many web sites would be under the same threat? The main problem is to decide whether it is pure negligence or a vulnerability of the kind that will always exist in web sites (or any products). Zero vulnerability will never exist. If each breach ended up in a class action, this would most probably be the end of the Internet.

The filing is available here.

LinkedIn password leak

OK, now everybody should be aware that about 6.5 million hashed passwords leaked out from LinkedIn. On 6th June, the information was starting to buzz around. The same day, LinkedIn confirmed that some of the alleged leaked passwords were real. Soon the leak was confirmed and LinkedIn requested the compromised users to change their password. I was among the happy compromised users.

What is the problem? You never store passwords in the clear on the computer. The good practice is to store the hashed password rather than the password itself.

 hashedPassword=Hash(password)

To test the validity of the password, you check whether the hash of the proposed password matches the stored, hashed password. The hash is the result of a one-way function (SHA1 and MD5 are examples of such one-way functions). It is extremely difficult (no longer impossible in the case of SHA1) to create a valid input of a one-way function that matches a given hash value. In other words, having a hashed password, it is extremely difficult to guess a valid password matching this hashed password.

Then, are we safe? No. Where is the problem? It comes from rainbow tables. Rainbow tables are huge tables of precomputed values for a given known hash function. Ophcrack is one such example of rainbow tables. If the password is part of this dictionary, then it is extremely fast to find it.

Indeed, the good security practice for storing passwords is to use a salted hash. A salted hash is a one-way function that uses an additional “secret” value called the salt. In that case, the usual rainbow tables no longer work.

hashedPassword=Hash(password + salt)

Unfortunately, it seems that LinkedIn did not use salted passwords.

Lesson: always use the best practice in security. If we are using so many tricks, it is often because there are good reasons, often the result of a lesson coming from a hack.
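The two storage formulas above, compared in an added example (not code from LinkedIn or from the original post). It assumes the salt is a random per-user value kept alongside the hash; the passwords and the small lookup dictionary, which stands in for a rainbow table, are constructed.

```python
import hashlib
import hmac
import os


def unsalted_sha1(password):
    """hashedPassword = Hash(password)"""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password, salt):
    """hashedPassword = Hash(password + salt)"""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()


def register(password):
    salt = os.urandom(16)   # assumption: random, per user, kept with the hash
    return {"salt": salt, "hash": salted_sha1(password, salt)}


def verify(record, attempt):
    candidate = salted_sha1(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def recover_by_lookup(stored_hashes, table):
    """Passwords found by looking each stored hash up in a precomputed table."""
    return [table[h] for h in stored_hashes if h in table]


# Constructed sample data: two users chose the same password.
PASSWORDS = ["linkedin2012", "linkedin2012", "correct horse"]
# Tiny stand-in for a rainbow table: hash -> password, computed once, reused.
TABLE = {unsalted_sha1(p): p for p in ["123456", "password", "linkedin2012"]}


def compare_schemes():
    unsalted = [unsalted_sha1(p) for p in PASSWORDS]
    salted = [register(p) for p in PASSWORDS]
    return {
        "unsalted_same_hash": unsalted[0] == unsalted[1],
        "unsalted_recovered": recover_by_lookup(unsalted, TABLE),
        "salted_same_hash": salted[0]["hash"] == salted[1]["hash"],
        "salted_recovered": recover_by_lookup([r["hash"] for r in salted], TABLE),
        "right_password": verify(salted[0], "linkedin2012"),
        "wrong_password": verify(salted[0], "Linkedin2012"),
    }
```

Without a salt, identical passwords share one hash and a single precomputed table recovers both; with a per-user salt the same table finds nothing, while login verification still works.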

Hacking reCaptcha

reCaptcha is the captcha by Google. The hacking team DefCon 949 (DC949) disclosed at the LayerOne conference their method to break the captcha. The astonishing, announced accuracy is 99%. Some interesting lessons from this hack:

  • The method to break reCaptcha attacked the audio part. Normally, reCaptcha proposes challenges coming from altered scanned words from books, and you have to write them. Thus, it should have a large sample of challenges. The trick: reCaptcha has a mode for visually impaired people. The challenge is then audio, with words on a noisy background. The vocabulary is limited to 58 words, and the background is a mix of a limited number of audio sequences. Thus, there were far fewer audio challenges than visual challenges, and the attackers went against the easiest challenge. As a cryptography metaphor, they had the choice between a large key or a small key for the same final result.
    A nice illustration of law 6: “Security is not stronger than its weakest link”. The audio challenge was the weakest link.
  • Before the conference, Google updated its algorithms, thus defeating the hack. This spoiled the presentation a little bit. Nevertheless, it took nothing away from the quality of the attack. When reading blog coverage, I sometimes had the feeling that some people thought that it was unfair behavior. No! It is the right thing to do. It is always a cat and mouse game. The mouse has to run fast.

The presentation is available on YouTube
http://www.youtube.com/watch?v=rfgGNsPPAfU

Securing Digital Video: the text is final and frozen

About one year ago, I informed you that the final draft of my book was sent to Springer, my editor. Today, a new step: after several copy edit rounds, the text is final. We now enter the final stage: layout and printing. In other words, the book should soon be available in the stores (before the end of this quarter).

The book will have inserts entitled “Devil’s in the Details”. These short sections will dive deeply into some naughty details highlighting the difference between theoretical schemes and actual robust security. For instance, you will learn some details on the Black Sunday, or on how AACS was hacked.

I will keep you informed about the next steps.

Open API to Kinect (2)

Last year, in November 2010, Microsoft’s Kinect was hacked and its API was illegally published. In an interesting move, Microsoft decided to make the API of Kinect public. Not only was it very positive for Microsoft’s reputation, but it opened the way for thousands of hobbyists to create astonishing applications using the Kinect.

Microsoft continues to exploit the results of this initial hack. It announced the Kinect Accelerator. This is a contest where ten startups with the best application using Kinect will be supported. The application does not need to use the XBox; it must use the Kinect gear. I believe that it is a smart initiative. It is better to have hobbyists on your side rather than against you.

Law 2: Know the asset to protect.   In that case, the most valuable asset was not the Kinect, it was Microsoft’s relationship with the customers.