A cloud over ownership

This is the title of an excellent article by Simson Garfinkel in Technology Review.  He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud.  Nothing in it is really new, but it has the merit of being clearly stated.

The first point is about privacy.  When you purchased a physical book or a CD, the merchant had no way to profile you.  Of course, if you purchase it from a digital store such as Amazon, the merchant will be able to profile some of your preferences.  But with a digital good stored in the cloud, the merchant will also be able to analyze how you consume that good, and this is even more interesting: he will know which of the books you purchased is your favourite.  To get the same result with physical books, you would need to look for the most worn book in the library.

The second point is really about persistence.  When I purchase a book, it is mine until I destroy it or give it away.  With an e-book in the cloud, it is mine only as long as the cloud operator accepts (or survives).  This is a massive difference.  I am not sure that legislation has taken this shift into account.  I do not even tackle the issue of DRM, which may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing.  Like the good itself, ownership seems to become more ethereal.  Is it good or bad?  I don’t know.  It is most probably useless to look for the answer; I’m afraid it is an unavoidable shift.  We will have to adapt, for better and for worse.


Guidelines on Security and Privacy in Public Cloud Computing

NIST provides recommendations for using a public cloud.  This excellent document gives very practical guidelines.  Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decision and selecting a service provider.

Faced with the economic benefits of the public cloud, it is extremely difficult to resist the sirens’ song.  This document raises some serious issues and may help keep things under control.  For instance:

  • Even if you are using a public cloud, your company remains accountable for the overall security of your service, including the outsourced part.
  • As a cloud computing infrastructure is highly uniform, it should in theory be easier to harden the platforms and manage their security (a positive point for IaaS).  Unfortunately, the use of hypervisors (virtual machines) increases the attack surface (although many people believe that virtual machines are more secure).
  • Sharing an infrastructure with unknown parties is a potential issue.  Strong assurance should be provided for the mechanism enforcing the logical separation.
  • Be ready to audit your service provider if security matters to you.

A must-read paper if you are about to board the cloud boat.  The paper is about the public cloud; nevertheless, some parts are also useful in the context of a private cloud.

Reference

W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011, available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.

Password re-use

We often assume that some users re-use the same password on many Internet sites. Most probably, the same password is also used to log on to their company network. This is an extremely valuable path for hackers, as some Internet sites do not protect the stored passwords correctly (if they protect them at all). Thus, an attacker who gets access to such a list of accounts and passwords may, with a little social engineering, try to log on to company accounts.

Gaw and Felten (Princeton, 2006) and Florencio and Herley (Microsoft, 2007) published empirical studies which evaluate the re-use rate at less than 20%.

Several sets of account passwords have been hacked since the beginning of this year. Joseph Bonneau from Cambridge used this opportunity to make a new empirical study. His conclusion is that the ratio of re-use is higher. With a conservative approach, he estimates that 30% of people may reuse passwords.

This is worrying but understandable. For every user, the number of sites requiring a login is exploding. I just checked how many passwords my Firefox password manager handles (not far from 200 :( and with several different identities!). How can we reasonably expect users to use a different password for each site?

Nevertheless, it may be mitigated by some observations. One important factor is the source of the comparison, i.e. which sites leaked. I suppose (or hope) that many people have a multi-level approach to passwords: using a weak, re-used password for unimportant sites, and more robust and diversified ones for more important sites.
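To make the measurement behind such re-use estimates concrete, here is an added example (my own code, not Bonneau’s study or his data) that joins two constructed leaked lists and computes the re-use rate among the accounts present in both. It assumes one site stored passwords in the clear and the other as unsalted SHA-1, a plausible pairing given how poorly some sites protect passwords; all accounts and passwords below are made up.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the storage scheme assumed for the second leak."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample leaks, not real data. Site A stored passwords in the clear;
# site B stored unsalted SHA-1 hashes.
LEAK_A_PLAINTEXT = {
    "alice@example.com": "sunshine1",
    "Bob@Example.com": "correcthorse",
    "carol@example.com": "letmein",
    "dave@example.com": "hunter2",
}
LEAK_B_SHA1 = {
    "alice@example.com": sha1_hex("sunshine1"),   # same password on both sites
    "bob@example.com": sha1_hex("Tr0ub4dor&3"),   # different password
    "carol@example.com": sha1_hex("letmein"),     # same password on both sites
    "erin@example.com": sha1_hex("qwerty"),       # not present in leak A
}


def normalize(account: str) -> str:
    """Account identifiers differ in case and whitespace between sites."""
    return account.strip().lower()


def cross_leak_reuse(plain_leak, hashed_leak):
    """Return (overlapping accounts, accounts re-using the same password, rate).

    Only accounts present in both leaks can be compared, so the denominator,
    and therefore the estimate, depends on which sites happened to leak.
    """
    hashed = {normalize(acct): h for acct, h in hashed_leak.items()}
    overlap = reused = 0
    for acct, password in plain_leak.items():
        h = hashed.get(normalize(acct))
        if h is None:
            continue                      # account only leaked from site A
        overlap += 1
        if sha1_hex(password) == h:       # verbatim re-use across the two sites
            reused += 1
    return overlap, reused, (reused / overlap if overlap else 0.0)
```

On the sample above, three accounts overlap and two of them re-used their password, so the estimate is two thirds; change which list is treated as the "leaking site" and the overlap, and with it the estimate, changes.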

For the sites where I do not care about being impersonated, I use the same very simple password. For sites where I must not be impersonated, I use diversified, robust passwords. And of course, for Technicolor accounts, passwords radically different from the ones I use on the Internet.

What policy do you use?

In any case, Bonneau’s post is interesting to read.

North Dakota Security Awareness Training

On the site of North Dakota, you may find a security awareness training. It is reasonably good and informative. The target audience was North Dakota administration employees. Nevertheless, it can be used by everybody.

You may say: “OK, one more”. And you would be right. What I found interesting is the date of this training: 2001. It is a jump to the past. And ten years later, it is still valid!!! Of course, some newer threats are missing, such as removable storage media (USB memory sticks) and the new Internet threats such as phishing and social networks… But the threats that were already present in 2001 are still present in 2011. We have solved none of them, and many new ones have appeared.

We rely more and more on IT, and the environment is becoming more and more dangerous. More and more people handle tools that they neither master nor understand. We have to provide better training to increase security awareness. At school, it should be mandatory, starting at an early age, so that it becomes a pure reflex.

If in 2021 we look at a security awareness training from 2011, will at least some old threats have disappeared? Medicine succeeded in eradicating some illnesses; why could we not achieve the same in security?

Sanitizing SSD

Sanitizing a drive is the action of fully and securely erasing the information on a drive so that there is no means, logical (through commands) or analog (through examination of the stored analog information), to recover any erased data. This action is well-known and mastered for magnetic drives. There are clearly documented software methods and even dedicated ATA or SCSI commands.

What about Solid State Drives (SSD)? SSDs are becoming mainstream. They offer the benefits of speed and low power consumption. Can they be securely erased? WEI, GRUPP, SPADA and SWANSON presented a study at USENIX FAST. Their paper, entitled “Reliably Erasing Data From Flash-Based Solid State Drives”, checks whether the methods used for magnetic drives are still valid, and whether the ATA and SCSI commands are effective.

The conclusions are worrying.

For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time. We found that none of the available software techniques for sanitizing individual files were effective.

In other words, unless somebody has already done the test and published it, you cannot be sure. You have to either trust the manufacturer or run the (destructive) test yourself.

Funnily, BELL and BODDINGTON published in The Journal of Digital Forensics, Security and Law a paper entitled “Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”. Their conclusion was that because SSDs implement automatic garbage collection that erases unused sectors, remnant data would be erased.

Who is right? I would believe the conclusions of the first team. The second team assumes that the forensics team accesses the data through logical commands or means. In that case, yes, data may be erased. On the other hand, the first team directly accesses the physical flash chips, thus bypassing garbage collection. We may assume that a serious forensics team, being aware of this problem, would rather work directly on the physical components. By the way, forensics teams already perform this same type of examination when a hard disk has been deliberately smashed.
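The disagreement between the two teams comes down to the logical view versus the physical view of the flash. As an added illustration (my own toy model, not code from either paper), the following simulates a minimal flash translation layer: writes never overwrite a page in place, so a file-level “secure delete” hides the old data from logical reads while the old copy stays on the chip until garbage collection, whose timing the drive, not the host, chooses. Page sizes, the marker string and the explicit garbage_collect and sanitize methods are assumptions of the model.

```python
PAGE_SIZE = 16   # bytes per flash page in this toy model
NUM_PAGES = 8    # physical pages on the toy chip

class ToySSD:
    """Toy flash translation layer: flash cannot be overwritten in place, so every
    write goes to a fresh physical page and the superseded page is only marked stale."""

    def __init__(self):
        self.physical = [bytes(PAGE_SIZE)] * NUM_PAGES  # erased page = all zeros
        self.mapping = {}                    # logical page -> physical page
        self.free = list(range(NUM_PAGES))
        self.stale = []                      # physical pages holding old copies

    def write(self, lpn, data):
        ppn = self.free.pop(0)
        self.physical[ppn] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        if lpn in self.mapping:              # old copy stays on the chip for now
            self.stale.append(self.mapping[lpn])
        self.mapping[lpn] = ppn

    def read(self, lpn):
        """The host's view through logical (ATA/SCSI) read commands."""
        return self.physical[self.mapping[lpn]] if lpn in self.mapping else bytes(PAGE_SIZE)

    def physical_dump(self):
        """The examiner's view when reading the flash chips directly."""
        return b"".join(self.physical)

    def garbage_collect(self):
        """Erase stale pages. The drive, not the host, decides when this runs."""
        for ppn in self.stale:
            self.physical[ppn] = bytes(PAGE_SIZE)
            self.free.append(ppn)
        self.stale = []

    def sanitize(self):
        """Whole-drive sanitize command: erase every physical page, mapped or not."""
        self.__init__()

def file_overwrite_check(gc_ran_before_exam=False, marker=b"SECRET-MARKER-01"):
    """Software 'secure delete' of one file: overwrite its logical page with zeros.
    Returns (marker gone at logical level, marker gone at physical level)."""
    ssd = ToySSD()
    ssd.write(0, marker)                     # the file's content
    ssd.write(0, b"\x00" * PAGE_SIZE)        # the file-level overwrite
    if gc_ran_before_exam:
        ssd.garbage_collect()
    return marker not in ssd.read(0), marker not in ssd.physical_dump()
```

Without garbage collection the check returns (True, False): clean through logical reads, the second team’s case, yet still recoverable from the chips, the first team’s case; a whole-drive sanitize clears every physical page regardless of the mapping.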

Conclusion: be aware of this risk, at least until SSD manufacturers have agreed on a certification that proves the effectiveness of the implementation of their sanitizing commands.

Blippy is changing

Last year, I spotted a site, Blippy, that frightened me (Blippy: Do people care about privacy?). Its purpose was to help you share with others what you purchased with your credit cards. I could not believe that such a site existed. What is even worse is that some people used it! They announced 100K subscribers, with 30% sharing their purchases. They raised up to 13 million.

Recently, TechCrunch announced that Blippy changed its product offer. Blippy no longer reports your purchases but allows you to post recommendations. That is far safer from the privacy point of view, but is it special?

I was hoping that this change was because people were concerned about privacy. It seems rather that Blippy did not attract enough activity. Perhaps because people were not ready to share this type of information?

PS: In April 2010, Blippy leaked some credit card numbers of subscribers.

Identity and its verification

Nicholas BOHM and Stephen MASON explore the problems of identity and of verifying it (or them). As the authors are lawyers, this paper has an interesting point of view. They are fully aware (and even surprisingly accurate) of technology and security limitations.

First, they explain what an identity (or an identifier) is, and what the challenges are in our modern shrinking world. My preferred statement is:

And there is an increasing tendency to confuse a person’s knowledge of an identifier with evidence that the person with the knowledge is the person to whom the identifier relates

Then, they explore the difficulty of proving the relationship between an identifier and a person. They show the limits of identification documents (intrinsic, such as a birth certificate, or extrinsic, such as a utility bill). Finally, they tackle identity cards, more precisely electronic identity cards. They show their shortcoming: not everyone will have a trusted reader, and especially not on general-purpose devices.

Due to their background, the paper has a strong focus on liability. For instance, no government will ever take liability for the passports it issues. This analysis of the identity problem is enlightening.

Because of this special point of view, reading this paper is recommended. Even if you’re not interested in identity matters, the paper will be educational from the liability point of view.

Reference
N. Bohm and S. Mason, “Identity and its verification,” Computer Law & Security Review, vol. 26, Jan. 2010, pp. 43-51, available at http://www.stephenmason.eu/wp- … 011/01/bohm-mason-identity.pdf.