A graphical password solution: PixelPin

Graphical passwords are an alternative to usual textual passwords. They use an image as main support and image handling such as pointing position in the picture as entry mode. They can be convenient on tactile screens, more difficult for robots to mimic human behavior, and claimed to offer better memory resilience.

Since early 1990s, the literature has been rather extensive in the field. Technicolor published several papers in the field (search for Maetz and Eluard). But we rarely see a product that implements such a solution.

UK-based company, PixelPin offers such a solution. It is based on Bonder’s seminal patent (5559961). When registering, you select one image as a support and four points in the image in a given order. When answering the challenge, you have to select the four points in the initial order. To limit risks of shoulder surfing, the precision of positioning is rather fine (at least on a computer). After 5 attempts, the account is locked for 15 minutes. Reset sends a reset token via the email used to register.

To increase memory resilience, and to ease the positioning you should select a picture with clear identified salient points else you will be quickly locked out. Of course, using too obvious salient points reduces the space of “keys” to explore.

The main issue is the network effect needed for such solution. It will be efficient if the sites are common and often visited, else your memory will fade. Unfortunately, I did not find many sites using PixelPin. The startup was launched beginning last year.

And if you would authenticate by touching your mobile device?

We are not yet there.   Nevertheless, Christian Holz and Patrick Baudisch, two German researchers seem to have made some progress towards this dream.  They designed a tabletop system with a touch screen that allows fingerprint detection.  

The magic comes from the screen material.  it uses a new fiber optical plate.  The plate is made of million highly reflective fibers.   Infra red lights is reflected back to the emitter.  When infra red lights exits the plate through skin, it reflects less light back.   Thus, an high resolution infra red camera can capture highly contrasted fingerprints.   This allows to authenticate the user who is using the touch screen.


Unfortunately, the current system requires a projector and a camera.  Thus, it is suitable for table top solution with enough room beneath the screen.   Not yet ready for small portable devices.

In any cases, it opens many interesting use cases.  They will present a paper at UIST’13.

Bit9: when a security company signs malware…

Bit9 offers security solutions that control which applications are authorized to be executed on a platform. Rather than relying on detecting malicious applications, Bit9 uses an engine that only authorizes a whitelist of trusted applications. Every application that is not part of the whitelist is by default considered as suspect and denied access. Of course, the Bit9 engine considers as trusted every application issued by Bit9. The control is done by verifying whether the application was properly signed by Bit9 signing key.  Bit9 claims that their solution is the ultimate defense, and the only valid answer to Advanced Persistent Threats (APT)

On 2013 February 8 security consultant, Krebs Brian announced that some companies were affected by a malware signed by Bit9. Later ton he same day, Bit9 Chief Executive Officer (CEO), Patrick Morley, acknowledged the problem. Their own solution did not protect some of the Bit9 servers. Among them were servers used to sign digital applications. Attackers were able to penetrate the network and get their malicious code signed by Bit9. Thus, any Bit9 engine would accept these pieces of malware as trusted applications. Bit9 announced that they started to cure the issues. They applied their own solution to their complete infrastructure. They revoked the compromised digital certificate and informed their customers.

According to Bit9, only three undisclosed customers were affected. Due to the high profile of Bit9 customers (defense department, Fortune 100), it may be part of a larger APT targeting some companies.   Was it the same attempt to use a security technology as an entry door like for RSA hack.

Ironically, Bit9 a few hours before bragged that Anti Virus software were old story.  It would be interesting to learn how the attackers penetrated the network.

Two lessons:

  • In depth defense is mandatory;  multiply the number of defense mechanisms.  Relying on one unique mechanism is brittle security.
  • Signature of production code should be supervised by a trusted human operator. You may use automatic signature for the development process, if of course you are using an independent root key just dedicated to development code.  Normally, there are very few pieces of software going out in the field for production.  Thus, using a human operator will not increase the cost.

Mail In Black

Mail in Black is the name of a French company that provides an interesting anti-spam solution.  Their idea is simple.  Spam is generated by robots.  Thus, if you filter out every communication issued by robots, than you would get rid of spams.   How to detect a robot?  Apply a Turing test.


How does it work:

  • You define an initial white list of email addresses or domains.
  • When MailInBlack receives an email, it checks whether the emitter is part of the white list.  If it is the case, then the mail is forwarded to you.
  • If the emitter is not in the white list, MailInBlack returns, on your behalf, a captcha challenge (for instance, type the orange text). 


  • If the challenge is successful, then it forwards the message and automatically adds the recipient to the white list.
  • Else the message is quarantined and the emitter is added to a black list.
  • Of course, if you rescue a message from the quarantine, then the emitter moves to the white list.

According to me, there are some potential hiccups:

  • You may loose messages from automatic systems that are legitimate to receive (and there are many legitimate).  Therefore, the initial building of the white list is important.
  • Some surprised emitters may believe that the challenge is actually a spam or worse, a malware.  This is mitigated as they just sent you a message an d “you” ask the challenge.
  • If they are successful, how long will it take before we will we the first malware spam mimicking a MailInBlack challenge but with a malicious site?

Nevertheless, an interesting approach to anti-spam. 

The power plug is watching you

Power PwnIf you watch this picture, you may just see an innocent power plug extension.  If you’re looking more carefully at the left bottom corner of the device, you may notice some connectors!   Why should a power extension need connectors?

Indeed, this device is a perfectly integrated penetration testing platform.  Here is a non-exhaustive list of features:

  • On board wireless Wifi connection, Bluetooth connection, Ethernet connection;   Everything to sniff communications.
  • Everything to create SSH connection, VPN connections
  • Out of band communication through 4G/GSM adapter!  You can send commands through SMS.
  • Stealth mode with device unpingable, and no listening ports
  • A wealth of preloaded tools
  • And many, many other goodies…
  • Of course, the plugs are functional

Of course, it should only be used by white hats.   Extracted from the user manual

All Pwnie Express / Rapid Focus Security products are for legally authorized uses only.

This may be a formidable tool!  Of course, it is better suited for the US, as the plugs are following US standards.   The device does not (yet) exist for other power plugs.

The product (and less powerful ones) is available form pwnie express.

Insuring clouds

Every body is running, very enthusiastically, towards cloud computing.  Sometimes, it reminds me lemmings.  I hope that I am wrong.  Let’s be positive.  Obviously, cloud computing will bring advantages.  Nevertheless, according to me, cloud security is only in its early infancy.


Thus, any cloud deployment should make a serious risk analysis (even if we have only a vague idea of the real threats).  When risks appear, insurance should also appear.


A company Cloud Insure seems to explore this new opportunity.

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment. In partnership with global insurance and reinsurance carriers, we’ve engineered privacy & security liability coverage to meet the needs of the Cloud Computing space for enterprise customers. Through our innovative underwriting models and proprietary analytics, we bring insurance solutions that move at the pace of Cloud technology.

Are you aware of other such companies?

ReDigi.com the resale locker

indexI must confess that I became aware of this interesting initiative only this summer, although ReDigi operates since October 2011.

ReDigi is a site that allows you either to resell your music songs that you do not want anymore, or purchase music songs that people do not want anymore.  In other words, a second-hand market for music.

How does it work, from the user point of view:

  1. Alice user subscribes to the service
  2. ReDigi locates the songs Alice may resell (either purchase with iTunes, or ReDigi)
  3. Alice selects the songs to sell and reDigi stores them in the cloud while wiping out the copies on the computers
  4. As long as the song is not yet sold, Alice can stream it
  5. Once Bob purchased it, she cannot anymore listen to it.
  6. If ever a copy of the sold song appears again on Alice’s device(s), she is notified.


How does it work (partly using the details provided by ReDigi in a court trial, an interview, and my guesses)

  1. She has to install a software called Music Manager
  2. Music Manager explores the directories and spots the iTunes and ReDigi songs.  It most probably directly jumps to the FairPlay protected directory to find the licenses.  It checks if it is legal (in other words if it can access the key, then meaning that it was bound to the device)
  3. It uploads the file (and probably the license) to the cloud and erases the accessible song.  At next sync, all iTunes copies should disappear.
  4. The uploaded copy is marked as such until it is sold
  5. Mark it for somebody else.  I would like to know if they rebuild their own license or a new iTunes license.
  6. During phase 3, it extracts a fingerprint of the song.  Music Manager scouts the hard drive to find copies.  I was not able to find if the fingerprint is a basic crypto hash (md5) or a real audio fingerprint.  If it is the second case, then funny things may happen. 
    Alice purchased Song1 on iTunes.  Later she purchase the full album on a CD.  Thus, she resells the iTunes song1, and rips her CD.  A legit copy of Song1 will reappear on her drive.  Music Manager will complain (ReDigi claims that after numerous complaints that would not be obeyed, i.e., the song is erased, the subscription is cancelled)
    Obviously, if it is just the hash, then the system can be easily bypassed.


The interesting question is not if the system can be bypassed.  I am sure that the readers of this blog have already guessed at least one or two ways to hack it.  It is not complex, and I will not elaborate on it.


The interesting question is to know if it is legal to resell a digital song.  There is a US first sale doctrine that allows to resell your own goods, nevertheless the answer may perhaps not be so trivial.  See this article.  We will soon have a (first) answer.  On January 2012, Capitol Records filed a suit against ReDigi.  On February 2012, the district court rejected the preliminary injunction.  Oral arguments should start on October 5.  This article gives a good summary of the legal case.