What if you could authenticate simply by touching your mobile device?

We are not there yet. Nevertheless, Christian Holz and Patrick Baudisch, two German researchers, seem to have made some progress towards this dream. They designed a tabletop system with a touch screen that can detect fingerprints.

The magic comes from the screen material: it uses a new fiber optic plate made of millions of highly reflective fibers. Infrared light is normally reflected back to the emitter. Where the infrared light exits the plate through skin, less light is reflected back. Thus, a high-resolution infrared camera can capture highly contrasted fingerprints, which allows the system to authenticate the user who is touching the screen.

Unfortunately, the current system requires a projector and a camera. Thus, it is suited to tabletop setups with enough room beneath the screen, and not yet ready for small portable devices.

In any case, it opens up many interesting use cases. They will present a paper at UIST’13.

Bit9: when a security company signs malware…

Bit9 offers security solutions that control which applications are authorized to execute on a platform. Rather than relying on detecting malicious applications, the Bit9 engine only authorizes a whitelist of trusted applications. Every application that is not part of the whitelist is considered suspect by default and denied execution. Of course, the Bit9 engine considers every application issued by Bit9 as trusted; the check consists of verifying that the application was properly signed with the Bit9 signing key. Bit9 claims that their solution is the ultimate defense and the only valid answer to Advanced Persistent Threats (APT).

On February 8, 2013, security journalist Brian Krebs announced that some companies had been affected by malware signed by Bit9. Later the same day, Bit9’s Chief Executive Officer (CEO), Patrick Morley, acknowledged the problem. Their own solution was not protecting some of the Bit9 servers, among them servers used to sign applications. Attackers were able to penetrate the network and get their malicious code signed by Bit9. Thus, any Bit9 engine would accept these pieces of malware as trusted applications. Bit9 announced that they had started to remediate the issue: they applied their own solution to their complete infrastructure, revoked the compromised digital certificate and informed their customers.

According to Bit9, only three undisclosed customers were affected. Given the high profile of Bit9’s customers (defense department, Fortune 100), it may be part of a larger APT targeting some of those companies. Was it the same tactic as in the RSA hack: using a security technology as the entry door?

Ironically, a few hours earlier, Bit9 had bragged that antivirus software was old news. It would be interesting to learn how the attackers penetrated the network.

Two lessons:

  • Defense in depth is mandatory; multiply the number of defense mechanisms. Relying on a single mechanism is brittle security.
  • Signing of production code should be supervised by a trusted human operator. You may use automatic signing for the development process, provided of course that you use an independent root key dedicated to development code. Normally, very few pieces of software go out into the field as production releases, so using a human operator will not increase the cost.
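The second lesson in code, as an added example (this is not Bit9’s engine, whose internals are not public; the key pairs and the sample "binaries" are constructed here): a minimal allowlist engine in Go that trusts a production signing key, with a separate development key that customer hosts never trust. It shows the failure described above, a payload signed with the stolen production key is accepted like any other release, and what revocation costs, since the vendor’s own legitimate release stops running until it is re-approved by hash or re-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Publisher is a signing key in the host's trust store, identified by the hash of the public key.
type Publisher struct {
	KeyID   string
	Pub     ed25519.PublicKey
	Revoked bool
}

// Signature travels with a binary and names the key that produced it.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Engine allows a binary if its hash is approved or it carries a valid signature from a trusted, unrevoked key.
type Engine struct {
	approvedHashes map[string]bool
	trustedKeys    map[string]*Publisher
}

var (
	ErrUntrustedKey = errors.New("signing key is not in the production trust store")
	ErrRevoked      = errors.New("signing key has been revoked")
	ErrBadSignature = errors.New("signature does not match the binary")
)

func sha256Hex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// NewPublisher mints an Ed25519 key pair; the private half lets the caller play the signer.
func NewPublisher() (*Publisher, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Publisher{KeyID: sha256Hex(pub), Pub: pub}, priv
}

// Sign produces a detached signature over the whole binary.
func Sign(priv ed25519.PrivateKey, binary []byte) Signature {
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{KeyID: sha256Hex(pub), Sig: ed25519.Sign(priv, binary)}
}

func NewEngine() *Engine {
	return &Engine{approvedHashes: map[string]bool{}, trustedKeys: map[string]*Publisher{}}
}
func (e *Engine) Trust(p *Publisher) { e.trustedKeys[p.KeyID] = p }

// Approve allowlists one specific binary by hash, independently of any signature.
func (e *Engine) Approve(binary []byte) { e.approvedHashes[sha256Hex(binary)] = true }

// Revoke marks a key as compromised: everything it ever signed stops running, legitimate releases included.
func (e *Engine) Revoke(keyID string) {
	if p, ok := e.trustedKeys[keyID]; ok {
		p.Revoked = true
	}
}

// Decide returns nil if the binary may run, otherwise the reason it is denied.
func (e *Engine) Decide(binary []byte, sig Signature) error {
	if e.approvedHashes[sha256Hex(binary)] {
		return nil
	}
	p, ok := e.trustedKeys[sig.KeyID]
	if !ok {
		return ErrUntrustedKey // a development key, or the attacker's own key
	}
	if p.Revoked {
		return ErrRevoked
	}
	if !ed25519.Verify(p.Pub, binary, sig.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	eng := NewEngine()
	prod, prodKey := NewPublisher() // the key customer hosts trust
	_, devKey := NewPublisher()     // the build farm's automatic key, never trusted in the field
	eng.Trust(prod)
	agent, malware := []byte("vendor agent 1.0"), []byte("attacker payload") // constructed "binaries"
	fmt.Println("malware, dev-signed: ", eng.Decide(malware, Sign(devKey, malware)))
	fmt.Println("malware, prod-signed:", eng.Decide(malware, Sign(prodKey, malware))) // the Bit9 failure
	eng.Revoke(prod.KeyID)
	fmt.Println("agent after revocation:", eng.Decide(agent, Sign(prodKey, agent)))
	eng.Approve(agent)
	fmt.Println("agent approved by hash:", eng.Decide(agent, Sign(prodKey, agent)))
}
```

The point to take away is that a production signature is a blanket "run anywhere" credential on every host that trusts the key, so its use is exactly where a human belongs in the loop, while the development key can stay fully automated because nothing in the field trusts it. A real engine would also check a certificate chain and signing timestamp rather than a bare key ID, which does not change the outcome here.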

Mail In Black

Mail in Black is the name of a French company that provides an interesting anti-spam solution. Their idea is simple: spam is generated by robots, so if you filter out every communication issued by robots, you get rid of spam. How do you detect a robot? Apply a Turing test.

How it works:

  • You define an initial white list of email addresses or domains.
  • When MailInBlack receives an email, it checks whether the sender is part of the white list. If so, the mail is forwarded to you.
  • If the sender is not in the white list, MailInBlack returns, on your behalf, a captcha challenge (for instance, “type the orange text”).
  • If the challenge is solved, it forwards the message and automatically adds the sender to the white list.
  • Otherwise, the message is quarantined and the sender is added to a black list.
  • Of course, if you rescue a message from quarantine, the sender moves to the white list.
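The flow above as an added example in Go (constructed here, not MailInBlack’s code, whose internals are not public; the random hex string stands in for the captcha image, and the addresses are made up). The detail the list glosses over is the reply path: the challenge carries a single-use token bound to the held message, so a spammer cannot whitelist itself by faking a “solved” reply or replaying one, and a wrong answer blocks the sender. The rescue path is what gets a legitimate automated sender, which never solves captchas, through after the fact.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

type Message struct{ From, Subject string }

// Challenge goes back to an unknown sender: a single-use token tying the reply to the
// held message, plus (standing in for the captcha image) the text the human must type.
type Challenge struct{ Token, Prompt string }

const (
	Delivered   = "delivered"
	Challenged  = "challenge sent, message held"
	Quarantined = "quarantined, sender blocked"
	Rejected    = "unknown or already used token"
)

type held struct {
	msg    Message
	prompt string
}

// Filter keeps the allow list ("@domain" entries cover a whole domain), the block list,
// the messages held pending a challenge, and the quarantine.
type Filter struct {
	allow, block      map[string]bool
	pending           map[string]held
	Inbox, Quarantine []Message
}

func NewFilter(initialAllow []string) *Filter {
	f := &Filter{allow: map[string]bool{}, block: map[string]bool{}, pending: map[string]held{}}
	for _, a := range initialAllow {
		f.allow[strings.ToLower(a)] = true
	}
	return f
}

func randomHex(n int) string {
	b := make([]byte, n)
	_, _ = rand.Read(b) // crypto/rand.Read does not fail on supported platforms
	return hex.EncodeToString(b)
}

// Receive is the inbound path: deliver, quarantine, or hold the message and challenge.
func (f *Filter) Receive(m Message) (string, *Challenge) {
	from := strings.ToLower(m.From)
	if i := strings.LastIndex(from, "@"); f.allow[from] || (i >= 0 && f.allow[from[i:]]) {
		f.Inbox = append(f.Inbox, m)
		return Delivered, nil
	}
	if f.block[from] {
		f.Quarantine = append(f.Quarantine, m)
		return Quarantined, nil
	}
	c := &Challenge{Token: randomHex(16), Prompt: randomHex(3)}
	f.pending[c.Token] = held{msg: m, prompt: c.Prompt}
	return Challenged, c
}

// Answer handles the sender's reply. The token is consumed on first use, so a replayed or
// guessed reply cannot promote anyone; a wrong answer quarantines the message and blocks the sender.
func (f *Filter) Answer(token, typed string) string {
	p, ok := f.pending[token]
	if !ok {
		return Rejected
	}
	delete(f.pending, token)
	from := strings.ToLower(p.msg.From)
	if subtle.ConstantTimeCompare([]byte(strings.TrimSpace(typed)), []byte(p.prompt)) != 1 {
		f.block[from] = true
		f.Quarantine = append(f.Quarantine, p.msg)
		return Quarantined
	}
	f.allow[from] = true
	f.Inbox = append(f.Inbox, p.msg)
	return Delivered
}

// Rescue is the owner's override: inbox the message and move its sender from the block list to the allow list.
func (f *Filter) Rescue(i int) Message {
	m := f.Quarantine[i]
	f.Quarantine = append(f.Quarantine[:i], f.Quarantine[i+1:]...)
	from := strings.ToLower(m.From)
	delete(f.block, from)
	f.allow[from] = true
	f.Inbox = append(f.Inbox, m)
	return m
}

func main() {
	f := NewFilter([]string{"@example.org"})                            // constructed allow list
	v, c := f.Receive(Message{From: "bob@other.net", Subject: "hello"}) // constructed sample
	fmt.Println(v, "/ prompt:", c.Prompt, "/", f.Answer(c.Token, c.Prompt), "/", f.Answer(c.Token, c.Prompt))
}
```

Two choices are deliberate: the token is the only thing the reply carries, and it is deleted before the answer is checked, so neither a replay nor a forged "I solved it" request can touch the allow list; and the allow list is checked by exact address before domain, so whitelisting one address at a provider never whitelists the whole provider. A production filter would also expire unanswered tokens into quarantine after a delay, which is omitted here.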

In my opinion, there are some potential hiccups:

  • You may lose messages from automatic systems that you legitimately want to receive (and there are many of them). Therefore, the initial building of the white list is important.
  • Some surprised senders may believe that the challenge is actually spam or, worse, malware. This is mitigated by the fact that they have just sent you a message and “you” are the one asking for the challenge.
  • If they are successful, how long will it take before we see the first malware spam mimicking a MailInBlack challenge but pointing to a malicious site?

Nevertheless, it is an interesting approach to anti-spam.

The power plug is watching you

Power Pwn

If you look at the picture, you may see just an innocent power strip. If you look more carefully at the bottom left corner of the device, you will notice some connectors! Why would a power strip need connectors?

Indeed, this device is a fully integrated penetration testing platform. Here is a non-exhaustive list of its features:

  • On-board Wi-Fi, Bluetooth and Ethernet connectivity: everything needed to sniff communications.
  • Everything needed to create SSH and VPN connections
  • Out-of-band communication through a 4G/GSM adapter! You can send commands through SMS.
  • Stealth mode: the device is unpingable and has no listening ports
  • A wealth of preloaded tools
  • And many, many other goodies…
  • Of course, the power outlets are functional

Of course, it should only be used by white hats. Extracted from the user manual:

All Pwnie Express / Rapid Focus Security products are for legally authorized uses only.

This may be a formidable tool! Of course, it is better suited to the US, as the outlets follow US standards. The device does not (yet) exist for other plug standards.

The product (and less powerful ones) is available from Pwnie Express.

Insuring clouds

Everybody is running, very enthusiastically, towards cloud computing. Sometimes, it reminds me of lemmings. I hope that I am wrong. Let’s be positive. Obviously, cloud computing will bring advantages. Nevertheless, in my opinion, cloud security is only in its early infancy.

Thus, any cloud deployment should be preceded by a serious risk analysis (even if we have only a vague idea of the real threats). And where risks appear, insurance should appear too.

A company, CloudInsure, seems to be exploring this new opportunity:

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment. In partnership with global insurance and reinsurance carriers, we’ve engineered privacy & security liability coverage to meet the needs of the Cloud Computing space for enterprise customers. Through our innovative underwriting models and proprietary analytics, we bring insurance solutions that move at the pace of Cloud technology.

Are you aware of other such companies?

The resale locker

I must confess that I became aware of this interesting initiative only this summer, although ReDigi has been operating since October 2011.

ReDigi is a site that allows you either to resell music tracks that you no longer want, or to purchase tracks that other people no longer want. In other words, a second-hand market for music.

How it works, from the user’s point of view:

  1. Alice subscribes to the service
  2. ReDigi locates the songs Alice may resell (purchased either from iTunes or from ReDigi)
  3. Alice selects the songs to sell; ReDigi stores them in the cloud while wiping the copies from her computers
  4. As long as the song is not yet sold, Alice can stream it
  5. Once Bob has purchased it, she can no longer listen to it.
  6. If a copy of the sold song ever reappears on Alice’s device(s), she is notified.

How it works under the hood (partly from the details provided by ReDigi in a court trial and an interview, and partly my guesses):

  1. She has to install a piece of software called Music Manager
  2. Music Manager explores the directories and spots the iTunes and ReDigi songs. It most probably goes directly to the FairPlay-protected directory to find the licenses. It checks whether the copy is legitimate (in other words, if it can access the key, meaning that the song was bound to this device)
  3. It uploads the file (and probably the license) to the cloud and erases the accessible song. At the next sync, all iTunes copies should disappear.
  4. The uploaded copy is marked as for sale until it is sold
  5. It is then marked for somebody else. I would like to know whether they rebuild their own license or a new iTunes license.
  6. During step 3, it extracts a fingerprint of the song, and Music Manager scouts the hard drive to find copies. I was not able to find out whether the fingerprint is a basic cryptographic hash (MD5) or a real audio fingerprint. If it is the latter, funny things may happen.
    Alice purchased Song1 on iTunes. Later she purchases the full album on CD. Thus, she resells the iTunes Song1 and rips her CD. A legitimate copy of Song1 will reappear on her drive. Music Manager will complain (ReDigi claims that after numerous complaints that go unheeded, i.e., the song is not erased, the subscription is cancelled).
    Obviously, if it is just a hash, then the system can easily be bypassed.

The interesting question is not whether the system can be bypassed. I am sure that the readers of this blog have already guessed at least one or two ways to hack it. It is not complex, and I will not elaborate on it.

The interesting question is whether it is legal to resell a digital song. The US first sale doctrine allows you to resell goods you own; nevertheless, the answer may not be so trivial. See this article. We will soon have a (first) answer. In January 2012, Capitol Records filed a suit against ReDigi. In February 2012, the district court rejected the preliminary injunction. Oral arguments should start on October 5. This article gives a good summary of the legal case.

Nano counterfeiting feature

The blue morpho butterfly changes the color of its wings through a special reflective structure. The company Nanotech Security uses a “similar” trick for its NOtES (Nano Optic Technology for Enhanced Security). Using nano-holes smaller than the wavelength of light, it creates a kind of light amplification that generates a similar effect.

Thus, by embossing paper or plastic, it can create bright images through reflection. The holes are a few hundred nanometers across. How does this relate to security? According to the company, it could replace the holograms used against counterfeiting (the kind of hologram you find on official Microsoft discs). This technology seems to have some advantages:

  • It is extremely cost effective. Once the master stamp is built, production is just a matter of stamping the target, thus cheap and fast.
  • Easily identifiable by humans
  • As it also works in infrared and UV, the pattern could be analyzed by machines using the right wavelength (a kind of watermark)

The security relies on the difficulty for counterfeiters of reproducing the stamp. It seems to rely mainly on a high barrier to entry (a class 1 clean room) and on the company’s know-how in designing the pattern and the stamping tool. Clearly, it would require a well-funded organization to do it (as with holograms today). Nevertheless, I would be interested to see whether it would be possible to reverse engineer the pattern by careful examination under an electron microscope. Another question is how it degrades with time.

When will we have the first shiny bank notes?