Category Archives: Security

Of the need to back up root CA

Posted on by
Reply

Germany is planning to roll out a system of electronic health care smart cards, as already deployed in France (Carte Vitale). The deployment is currently in a first phase of tests.

As usual, this type of system is using a PKI (Public Key Infrastructure). And every PKI is based on the use of a root key pair that signs the certificates and the revocation lists. Thus, the private key of the root Certificate Authority (root CA) is one of the most important secret of the system. Generally, this private key is stored in a Hardware Secure Module (HSM) that makes all the operations of certificate signatures, revocation list signature, … A HSM is a enhanced tamper resistant module that will stop to work when it detects an attempt to tamper.

The German system of course used such a HSM. Unfortunately, a voltage drop was interpreted by the HSM as an attack. It thus erased the private key. The normal procedure is to take the back up HSM, duplicate it and start again. HSM have special strict procedure to make back up of the secret keys on another HSM. Unfortunately, there was no such back up. The consequence is that the trial cannot anymore generate a new smart card.

Fortunately, this is only the test phase. For sure, there will be a backup for real deployment phase.

Root CA management, storage , and handling is an extremely complex task. Some companies (such as Entrust, Verisign…) have made a living of this activity. So if ever you use a root CA, either make a backup (and store ii somewhere in high security) or use a proven operator.

For more details, read here.

Should we stop to mask password?

Posted on by
Reply

According to Jakob Nielsen, masking password while dialing it is a bad idea. The arguments are that users may make more errors with blind typing, and that due this complexity, they will choose simpler passwords.

Jakob Nielsen is a highly respected guru of usability. When I was working in User Interfaces research (many years ago), I religiously read all his books. I learn a lot. It was my first contacts with human psychology and brain behavior. I’ll soon come back to that interesting topic. Thus, his comments deserve our interest.

His first argument is definitively true. Who had never got his/her password rejected because the cap key was on? A visual feedback would avoid this type of errors. I must confess that each time I have to enter my long passphrase of PGP, I’m nervous. Especially if you are like me keyboard dyslexic. 🙁

I would tend to disagree on the second argument. People mainly choose a simple password because it is more difficult to remember complex passwords, rather than because it is difficult to dial them.

Sometimes, we have forgotten the initial design purpose. Password masking is mainly to avoid shoulder surfing. Shoulder surfing on a mobile device (such as BlackBerry) is far more difficult than on a notebook in an airport. Thus, is it using to protect against this threat on mobile? If there is nobody present for shoulder surfing, why protect against an non existing threat?

Thus, I would rather agree with Jakob Nielsen to mitigate the orthodoxy of password masking with some rules:

  • When shoulder surfing is not possible, do not mask (unless you fear screen capture, but then you may also fear key logging)
  • Propose a checkbox that would allow to mask/unmask the password. I would suggest that the default state could be masking.

Should we violate this rule?

New succesful media = new threats

Posted on by
Reply

The web2.0 is extremely active. Very quickly new usages and new tools appear. Some of them are extremely successful. One of the most currently successful one is Twitter. If you do not have both a Facebook/mySpace account and a twitter, you’re a dinosaur. (This is my case :Wink: )

Thus, Web 2.0 is evolving extremely fast. The only thing that evolves faster is the cracking community. The more successful the new service, the more attractive target for crackers.

There are already some worms dedicated to Twitter. The latest one (30 may) is the “best video” from http://juste.ru. The twittee who clicks on this link inside the message connects to this site. This site then infects the host computer and steals Facebook and Twitter credentials. With these credentials, it sends the spam message to your friends who trust you. It is spreading fast. Here are the recommendations of Twitter.

No matter how good that “best video” looks, don’t go to any juste.ru domains. We’re aware of the situation and are working on it.

Update: We do not believe that anyone’s personal information was compromised as a result of this outbreak; suspended accounts should be cleaned and restored soon.

Once more, the same old tricks based on social engineering. It is not because it comes from twitter that a site is not nefarious. People should stop to click on any links without knowing what is behind (as they should not open files they do not know).

The new medias just open new highways for attacks. And the crackers immediately use these nice unprotected avenues.

Retrieving lost passwords through social interaction

Posted on by
Reply

What happens when you forget your password? Often there is an automatic back up procedure that allows to get it back. Sometimes, it is just an authentication through mail address, i.e. the password or a new one is sent to the address you registered. More often, it uses secret questions that should authenticate you. For instance the name of your pet, your birth town… Obviously, these secret questions have two problems:

  • They are easy to guess because too simple. You may harden it by cheating with the answer, but you need to remember your cheating.
  • If they are too complex, then you may have forgotten the answer.

In other words, they are inadequate, although largely deployed.

SCHECHTER S., EGELMAN S. and REEDER R. from Microsoft describe an interesting solution to this problem in “It’s not what you know, but who you know“. Each user defines a list of trustees. Each trustee will receive a recovery code. To retrieve the password, the user must obtain form his/her trustees their recovery code.

The experiment highlighted two issues:

  • After a while, the user often forgets his/her trustees. Thus, you need a procedure to retrieve the trustees’ identity.
  • Many trustees would provide the recovery code to someone close to the user.

I would also add one major one. It takes a lot of times. One subject took 5 days to get three recovery codes. Often, you want immediate access.

Nevertheless, an interesting paper to read. I recommend the section that describes how the trustee gets the recovery code. It was designed to highlight many risks of social engineering. Nice work.

Conficker

Posted on by
Reply

Armageddon did not happen. For a few weeks, the virus specialist were ranting about the famous Conficker worm. This worm was so nicely written and protected (it should even use the latest encryption algorithms) that nobody was able to describe its payload.

Nevertheless, it was announced that the worm may trigger some lethal attacks on Fools April day. Every anti virus software vendors (at least some subscription based ones) were releasing dedicated tools to scan your network. Microsoft offered $250.000 for the arrest of the author(s). Armageddon was near.

On Saturday, we knew who the fools were. Not a smell of Y2K? If the purpose of Conficker’s author(s) was to scare people, then the success is great. Remember that often the purpose of terrorism actions is to create a feeling of insecurity, to scare people, to make their life less comfortable. Bingo!

The anti virus industry should be careful: too many false alarms like this one, and consumers will not care any more and will not use the latest updates. And then when the real threat will occur, bad bad bad 🙁 Of course, if they have really believed in the risk,then they should have reacted. But the only appropriate solution would be to come with a real detection tool integrated in their software suite, ie, transparent to the user. Why should Jo Six Pack care about the behavior of the virus, he only cares that it is removed.

Some people are already questioning who benefits from a climate of fear of worms and virus? Guess who…

Privacy, security and Internet

Posted on by
Reply

The French engineering school Epitech published a survey on this topic. They polled 1032 persons.

Sorry, the report is in French. Nevertheless, the most interesting out comes:

  • Among the people who use Internet at work for personal use, 47% believe that it may cripple the security of their company 🙁 And they do it nevertheless!!!
  • 61% feel safe on Internet
  • 96% are aware that they leave many traces on Internet. This is a very positive point. I was not expecting such level of awareness 🙂
  • This information leakage worries 52% only.
  • Only 8% would trust the government to guarantee their security on Internet.
  • 94% believe that it is possible to spy exchanges on Internet
  • Furthermore, 44% believe that spying can be done by anybody.
  • 62% would not give away privacy for more security. Nevertheless, 23% would! 🙁
  • 80% believe that ITC may lead to establishing files on every body. Big Brother

I was more pessimistic. People seem more aware of privacy and security issues on Internet then I thought. Unfortunately, we do not see the job categories of the polled people.

Would the data in other countries be similar?

India and content production

Posted on by
Reply

I participated to a workshop on content protection organized by CCP and MPA at Convergence India 2009. It was interesting to check what the issues were in India.

The interest for content protection is rising. The other speakers were Rajiv DALAL (MPA India), Steve CHRISTIAN (Verimatrix), Sanjeev FERNANDES (NDS), Gautam GANDHI (Google India), Sanjiv KAINTH (IRDETO) and Vidar SANDVIK (CONAX). In other words, CA providers were very present at the workshop.

Rajiv gave some interesting information about India. All major US studios are investing in Indian production houses. It seems even that Will Smith will play in some Indian movies! And vice versa, Reliance is taking a foot in the US. Reliance purchase US theaters and invest in small US production houses. This may partly explain the rise of interest for content protection. US studios want to protect their financial investments.

Gautam explained the new strategy of YouTube. If a studio provides the reference movie, YouTube will filter its upload. This is a contract they have with Sony BMG India. Thus, Sony uses YouTube India to make electronic distribution in India. Surprisingly, it is still easy to find illegal copyrighted content on YouTube.

When discussing with the audience, the two main concerns seemed:

  • theater piracy and mainly analog theater.
  • Illegal rebroadcast of content. It seems that the pirates are well organized for crickett match (THE Indian sport). They prepare 12 STBs. they start with the first one. After a while, the broadcaster blacklists the STB (They use a visible watermark which carries a STB identifier, so called fingerprint) Then the “pirate” switches to the second STB…

When listening to all the speakers, I noted a problem. Every speaker used a different terminology for invisible watermark, session watermark, video fingerprint,… This is confusing. The industry should define a common vocabulary.