Ten security concerns on cloud

Cloud computing has become the hot buzz topic. We will all migrate to cloud computing, sooner or later. Although it is extremely attractive from the financial point of view, it raises extremely serious concerns about security.

Global Knowledge has issued a white paper that provides a kind of checklist for selecting your provider, or for deciding whether it is wise to switch to the cloud.

  1. Where’s the data?
  2. Who has access?
  3. What are your regulatory requirements?
  4. Do you have the right to audit?
  5. What type of training does the provider offer their employees?
  6. What type of data classification system does the provider use?
  7. What are the service level agreement (SLA) terms?
  8. What is the long-term viability of the provider?
  9. What happens if there is a security breach?
  10. What is the disaster recovery/business continuity plan (DR/BCP)?

By the way, many of these questions are equally valid for a traditional internal or outsourced IT service. For instance, question 1 or 2: have you asked yourself these questions about your current system? What is the answer to question 5 in your company?

The document is here.

Anonymity Loves Company

It is the title of an interesting paper by Roger Dingledine and Nick Mathewson. They are members of the Free Haven project. This project studies topics such as onion routing (the technology used by TOR) and Mixminion, an anonymous email network.

The paper presents two challenges: usability and network effect.

  • Usability is a typical challenge of security solutions. The authors show that privacy settings often require technical skills, which is at odds with ease of use for everybody. The easy solution is often to delegate security decisions to the user, who is not necessarily the best person to decide. This reminds me of the security model of Android, where you have to decide (too) many parameters.
  • Network effect: efficient anonymity requires a lot of traffic to hide within. This raises the problem of bootstrapping. And here is a nice tradeoff. If your system is extremely secure, it will most probably be difficult to use, thus attracting fewer people, thus reducing the strength of anonymity. On the other hand, if the system is easy to use, thus less secure, it may attract more users, thus strengthening anonymity.
    For instance, in the design of Mixminion, they had to face the following tradeoff:

    Since fewer users mean less anonymity, we must
    ask whether users would be better off in a larger network where their messages
    are likelier to be distinguishable based on email client, or in a smaller network
    where everyone’s email formats look the same.
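The tradeoff in the quote can be put in numbers with a simple model. This is an added example, not taken from the paper: it assumes an observer can always tell which client formatted a message, so a sender hides only among users of the same client, and the client names and user counts are constructed.

```python
import math


def anonymity_by_client(client_counts):
    """Bits of sender anonymity per client when an observer can tell which
    client formatted a message: a sender hides only among users of the same
    client, so the anonymity set is that client's user count."""
    return {c: math.log2(n) for c, n in client_counts.items() if n > 0}


def expected_bits(client_counts):
    """Average anonymity over all users, weighted by client popularity."""
    total = sum(client_counts.values())
    bits = anonymity_by_client(client_counts)
    return sum(client_counts[c] / total * b for c, b in bits.items())


# Constructed populations (assumptions), not measurements from Mixminion.
LARGE_MIXED = {"client_a": 4096, "client_b": 2048, "client_c": 2048, "client_d": 8}
SMALL_UNIFORM = {"reference_client": 2048}


def compare():
    """Return (average bits, worst-case bits) for each constructed network."""
    out = {}
    for name, net in (("large_mixed", LARGE_MIXED), ("small_uniform", SMALL_UNIFORM)):
        per_client = anonymity_by_client(net)
        out[name] = (round(expected_bits(net), 2), min(per_client.values()))
    return out


if __name__ == "__main__":
    for name, (avg, worst) in compare().items():
        print(f"{name}: average {avg} bits, worst case {worst} bits")
```

In this model the larger network wins on average, but the users of the rare client are left with an anonymity set of only eight, while every user of the smaller uniform network keeps the full set.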

The three described use cases, Mixminion, TOR, and JAP, are excellent illustrations of the issues. An excellent paper.

Citation: N. Mathewson and R. Dingledine, “Anonymity Loves Company: Usability and the Network Effect,” Proceedings of the Fifth Workshop on the Economics of Information Security WEIS 2006, pp. 547-559.

A Taxonomy of Social Networking Data

In July 2010’s issue of IEEE Security & Privacy, Bruce Schneier in a one-page paper presented his taxonomy. It is extremely interesting. My comments are in italics.

  • 1. Service data is the data used to manage the service such as your name.
    You have control over the creation, although you may sometimes be obliged to give real data.
  • 2. Disclosed data is what you post on your own pages.
    You normally have full control over it.
  • 3. Entrusted data is what you post on other people’s pages.
    You have control over the creation, but lose control over its life.
  • 4. Incidental data is what other people post about you.
    You do not have control over the creation, nor over its life. Of course, your entrusted data are incidental data for other people.
  • 5. Behavioral data is data the site collects about your habits by recording what you do and who you do it with.
    This is the “raison d’être” of many social networks. Never forget that there is no free lunch. Most of the business models are based on “selling/using” your profile. You have no control, except that you may try to control your behavior.
  • 6. Derived data is data about you that is derived from all the other data.
    This is where the social networks are polishing your profile and thus increasing its value. The more they know about you, the more valuable ads/personalized services they will be able to offer. You have definitely no control.

Categories 5 and 6 are the most interesting ones from the privacy point of view. How can you control what the social network provider will infer from your activity on the social network?

The reference of the paper is
B. Schneier, “A Taxonomy of Social Networking Data,” IEEE Security and Privacy, vol. 8, 2010, p. 88.

Amazon Cloud Player and Cloud Drive

Is the launch of Amazon Cloud Player one of these events that will change the world? Yesterday, Amazon launched two new services: Amazon Cloud Drive and Amazon Cloud Player.

Amazon Cloud Drive is a service that offers 5GB of free storage. For that, you just need an Amazon account. It is always interesting to read the Terms of use.

Amazon put some safeguards in place to avoid (or at least give Amazon a way to stop) any attempt to use it as a “Direct Download Site”. Thus, in clause 1:

You agree not to use the Service in any other way, including to store, transfer or distribute files of or on behalf of third parties, for any form of file sharing, to operate your own file storage service or to resell any part of the Service.

In clause 5.1

You must ensure that you have all the necessary rights in Your Files that permit you to use the Service without infringing the rights of any copyright owners, violating any applicable laws or violating the terms of any license or agreement to which you are bound. You must ensure that Your Files are free from any malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code.

Not bad, the liability against the malware. About liability, what is the liability of Amazon? All is said in clause 5.3.

5.3. Security. We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are. You’re responsible for maintaining appropriate security, protection and backup of Your Files.

And of course, if you believe in Amazon’s altruism, read clause 6.4

6.4. Information Provided. The Service and the Software may provide Amazon with information relating to your use and performance of the Service and the Software, as well as information regarding the devices on which you download and use the Software and the Service. For example, this information may include the device type, mobile network connectivity, location of the device, information about when the Software is launched, individual session lengths for use of the Service, or occurrences of technical errors. Any information we receive is subject to the Amazon.com privacy notice located at www.amazon.com/privacy.

Amazon Cloud Player is more interesting. When you buy a song on the Amazon store, you’ll be able to upload it to your Cloud Drive. Using the Amazon Cloud Player software, you may listen to your library from any device that supports Amazon Cloud Player (it seems that it is only available for Windows and Android). Amazon is the second largest seller of digital music behind Apple. Of course, you may also upload songs not purchased at Amazon and still listen to them (as long as they are not DRM-protected).

Thus, Amazon Cloud Player combined with Amazon Cloud Drive is an instance of Digital Locker for music. It is not a Digital Rights Locker (DRL, such as UltraViolet or KeyChest) because there is no notion of usage rights associated. Furthermore, there is no notion of content protection.

Will it change something? Most probably yes. Apple and Google will react, most probably with a similar offer. Will the content owners like it? I am not sure. It may depend on the conditions that were negotiated for selling songs. In any case, I am sure that we will see many ripples around this launch.

PS: Amazon Cloud Player is only available for US customers. Amazon Cloud Drive has no such limitation.

Serious Captcha!!!

The Croatian Ruder Boskovic Institute proposes the services of a quantum random bit generator. We have often insisted on the importance of high randomness in secure protocols.

But this institute has also found an extremely “funny” way to limit access to its service to a limited set of knowledgeable people: its captcha. Captcha is a set of techniques that attempt to discriminate humans trying to sign in from automatic machines. It usually requests people to type in a set of characters whose readability has been decreased. The Institute succeeded in discriminating between different categories of humans. It requires solving mathematical problems (and not simple arithmetic calculus :) ). Definitely not a place to sign in after an exhausting day.

Have a look at the registration page, and look for several challenges. :)

Ten ways the IT department enables cybercrime

This is the provocative title of the latest Kaspersky Lab white paper. This document lists some of the usual mistakes that are encountered in today’s protection. It is mainly focused on the mandatory adaptation due to mobile devices. The paper is not mind-breaking. Nevertheless, it gives some true statements, such as

  • Enabler #1: Assuming the data is in the data center.
    Of course today, data is redundantly stored on laptops and even smartphones. They need protection.
  • Enabler #3: Treating laptops and mobile devices as company assets that are never used for personal use…
    Awfully true.
  • Enabler #5: Adoption of Social Media without protection
    Social media and Web 2.0 are here to stay. Furthermore, they are becoming part of the business tools. They create a new kind of risk.
  • Enabler #10: Assuming everything is OK.
    Remember our law 1: Attackers will always find their way.

As usual in this type of document, the first items are extremely relevant, whereas the last ones are less so. It is always difficult to end up with 10 valid items. Nevertheless, 10 is the golden number in communication.

As a good citizen, I put the link to Kaspersky Lab. You’ll need to register to download the white paper. Nevertheless, you may easily find PDF versions on the Net without having to register :)

An analysis of Private Browsing Modes in Modern Browsers

Tuesday, November 2, 2010

Gaurav AGGARWAL, Elie BURSZTEIN, Collin JACKSON and Dan BONEH published an analysis of the private browsing mode in Internet Explorer 8, Firefox 3.5, Safari 4, and Chrome 5.

What is private browsing mode? According to Mozilla:

Firefox 3.5 and later provide “Private Browsing,” which allows you to browse the Internet without Firefox saving any data about which sites and pages you have visited.

According to the researchers, all four browsers failed. Don’t panic!

The researchers provided a very drastic definition of private browsing that extends further than Mozilla’s. For instance, they define four types of persistent state changes:

  • Initiated by the web site without user interaction, such as setting a cookie or adding an entry in the history file…
  • Initiated by a web site but with user interaction, such as generating a client certificate or adding a password to the password database
  • Initiated by the user, such as adding a bookmark
  • Installing a patch or updating a blocking list

All browsers do a decent job for the first category. Nevertheless, they perform less well for the other categories. For instance, all four browsers retain an SSL certificate generated while in private browsing mode. The certificate will leak the site address.

Most people are only concerned with the first category. Thus, they are safe. More paranoid people should study their browser and act accordingly.
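One way to study your own browser is to hash the profile directory before and after a private session and classify whatever changed. The sketch below is an added example, not code from the paper: the file names are Firefox 3.5-era profile files and their mapping to the four categories is an assumption, and the demo profile is constructed.

```python
import hashlib
import os
import tempfile

# Assumption: Firefox 3.5-era profile file names, mapped to the four
# categories of persistent state change listed above. File-level and not
# exhaustive; history and bookmarks share places.sqlite.
CATEGORY = {
    "cookies.sqlite": "1: site-initiated, no user interaction",
    "places.sqlite": "1 or 3: history (site) or bookmark (user)",
    "cert8.db": "2: site-initiated, with user interaction",
    "key3.db": "2: site-initiated, with user interaction",
    "signons.sqlite": "2: site-initiated, with user interaction",
    "blocklist.xml": "4: patch or blocking-list update",
}


def snapshot(profile_dir):
    """Return {relative path: SHA-256 hex digest} for every file in the profile."""
    digests = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, profile_dir)] = digest
    return digests


def persisted_changes(before, after):
    """Map each file created or modified between two snapshots to its category."""
    return {
        path: CATEGORY.get(os.path.basename(path), "unclassified")
        for path, digest in sorted(after.items())
        if before.get(path) != digest
    }


def demo():
    """Constructed profile: a simulated private session that stores a certificate."""
    with tempfile.TemporaryDirectory() as profile:
        for name in ("cookies.sqlite", "places.sqlite", "cert8.db"):
            with open(os.path.join(profile, name), "wb") as fh:
                fh.write(b"baseline")
        before = snapshot(profile)
        with open(os.path.join(profile, "cert8.db"), "ab") as fh:
            fh.write(b"constructed certificate entry")
        return persisted_changes(before, snapshot(profile))
```

On a real profile, take both snapshots with the browser closed and treat the result as a list of candidates, since database files can also change through routine housekeeping.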

Interestingly, the paper proposed three goals against a web attacker:

  • A web site cannot link a user visiting in private mode to the same user visiting in public mode.
  • A web site cannot link a user in one private session to the same user in another private session.
  • A web site should not be able to guess if the browser is in private mode

They also highlighted an underestimated risk. Although the browser supports a private mode, it does not mean that the plug-ins also act in private mode. In other words, while the browser is in private mode, your add-ons may still leak information.