Film Piracy, Organized Crime and Terrorism

The RAND Corporation has published a substantial document entitled “Film Piracy, Organized Crime and Terrorism”. This 162-page document is extremely well documented. Through published facts, it sheds some light on the proven links between film piracy and organized crime (and even terrorist organizations) all over the world. It also shows some examples of legal authorities that are helping piracy. My favourite story is the Russian illegal DVD replication plant (pressing capacity of 800,000 per month) that was closed after a first raid. It was sealed and put under police surveillance. Four months later, a new raid seized 55,000 new illegal DVDs (while the plant was supposedly closed!)

Film piracy is an activity with a low entry barrier and a low risk of heavy jail sentences. It even has a better margin than drug dealing (at least 3 times bigger).

This document is somewhat frightening. We are far from the student who downloads a movie and shares it with friends.

Of course, no technological answer can help in this case. The only thing we can do is delay the availability of bootlegs as much as possible! But once they are available, technology is out of the game.

The answer is obviously legal. The report is not very optimistic. Film piracy is still considered victimless counterfeiting, which is not the case for pharmaceutical counterfeiting. Thus, it may not be the first priority of the authorities. The report expects that if public awareness of the links between film piracy and organized crime or terrorism increased, people would be less attracted by cheap illegal DVDs.

17 March: repaired the broken link to the RAND document

Hate and Love authentication

Raven White proposes a new authentication system, Blue Moon Authentication, following the trend of replacing the typical password challenge by a more user-friendly (and less memory-demanding) one.

The authentication asks for your like and dislike choices on 15 questions. If you answer a large number of them correctly, you are authenticated. The initialization of the system requires you to select 8 liked topics and 8 disliked topics from a selection of about 70 topics.

:Happy: The choice of the topics seems to have been done nicely. Interviewing a sample of users on about 200 topics allowed the rejection of the topics with the least entropy. Some Human-Computer Interaction specialists participated.

:Sad: The distribution of 8 likes and 8 dislikes helps a lot when trying to guess the answer. Remember that the challenge is about 15 topics. Mathematically, you need to end up with 7 from one side and 8 from the other side. I did not do the math (I am too lazy: it is too late, and the day was hard), but it decreases the exploration space to less than 2^14 trials. Of course, if you know the person you want to impersonate a little, the odds change definitively.

:Sad: The system is supposed to remove the burden of password replacement. Nevertheless, with such a limited challenge, you will necessarily have to block any brute force attack. Once the user is blacklisted, how will he be re-authorized? Through which authentication mechanism? A password?

I have not read the papers yet. I will soon.

It reminds me of the authentication schemes based on selecting pictures or icons among a set of pictures.

Would you trust this authentication process?
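The guess-space math left open above, worked through as an added illustration (not code from Raven White or the Blue Moon papers). The 8/8/15 figures come from the post; the rest of the model is an assumption: the 15 challenge topics are drawn from the 16 enrolled ones and the user labels every one of them like or dislike, so exactly one enrolled topic is absent.

```python
from math import ceil, comb, log2

# Parameters from the post; the rest of the model is an assumption (see comments).
ENROLLED_LIKES = 8       # liked topics chosen at enrolment
ENROLLED_DISLIKES = 8    # disliked topics chosen at enrolment
CHALLENGE_SIZE = 15      # topics presented at each login
# Assumed: the 15 challenge topics are drawn from the 16 enrolled ones, and the
# user labels every one of them like/dislike, so exactly one enrolled topic is absent.

def naive_space() -> int:
    """Guesses for an attacker who ignores the 8/8 structure: any 15-bit pattern."""
    return 2 ** CHALLENGE_SIZE

def informed_space() -> int:
    """Guesses for an attacker who knows the enrolment rule. The 15 answers must
    split 7 likes / 8 dislikes (a liked topic is absent) or 8 likes / 7 dislikes
    (a disliked topic is absent); both cases are possible, so both are counted."""
    liked_absent = comb(CHALLENGE_SIZE, ENROLLED_LIKES - 1)
    disliked_absent = comb(CHALLENGE_SIZE, ENROLLED_LIKES)
    return liked_absent + disliked_absent

def space_bits(space: int) -> float:
    """Strength of the challenge in bits, the figure to compare with a password."""
    return log2(space)

def success_probability(attempts: int, space: int) -> float:
    """Chance that `attempts` distinct guesses contain the exact answer: the
    quantity a lockout threshold must keep small."""
    return min(attempts, space) / space

def attempts_for_probability(target: float, space: int) -> int:
    """Guesses needed to reach a target success probability (e.g. 1 %)."""
    return ceil(target * space)

def tolerant_guess_probability(max_wrong: int) -> float:
    """If the system accepts up to `max_wrong` wrong answers (the post says a
    'large number' of right answers suffices), a single uninformed random guess
    succeeds whenever it lies within that Hamming distance of the truth."""
    accepted = sum(comb(CHALLENGE_SIZE, i) for i in range(max_wrong + 1))
    return accepted / naive_space()
```

The informed space is 12,870 labellings, about 13.7 bits, which is indeed below 2^14; a lockout after a few dozen failures is what keeps the per-account success probability negligible.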

Security and cloud computing

RSA recently published a white paper entitled The role of Security in Trustworthy Cloud Computing. The document is extremely interesting.

It presents the different security challenges that enterprises will face when switching to public or even private cloud computing. With cloud computing, IT departments will lose control. This loss of control needs to be balanced by more trust and confidence in external providers (cloud infrastructure providers such as Amazon’s EC2, service providers in the case of SaaS…).

For instance, the document lists some requirements for secure data. It will require:
* Data isolation
* More granular data security
* Consistent data security
* Effective data classification
* Information Rights Management
* Governance and Compliance

We could argue that all these requirements already exist in the non-cloud world. Nevertheless, they become MANDATORY in cloud computing! They will be more complex to implement and to monitor.

The document seems to lack one important threat. The insider threat it already covers is a member of the cloud provider’s staff who illegally accesses private data. I believe there is another threat: another user of the cloud who attempts to access your data if isolation is not perfect.

There is already a rush towards cloud computing. But clearly, the security of cloud computing is not yet mature. There is no integrated secure solution available.

Security and its unforeseen consequences

First of all, view this comic.
It is extremely true. How many times did we end up with such things? We may even apply it to AACS: in the right box, put “we will let poor developers implement it”.

Nevertheless, I would like to highlight another issue with security. Sometimes security has collateral damage. Modern high-priced cars have sophisticated anti-theft systems. They may have reduced the number of car thefts. Nevertheless, they have also created a new type of crime: carjacking. The best way to steal this type of car is to wait for its owner to arrive in front of his/her garage or entry door. While he/she waits, violently eject him/her and drive away with the car. These sophisticated anti-theft systems have replaced non-violent theft with violent theft. Many car owners have been injured.

Lesson: security may have collateral effects. They need to be analyzed. One more trade-off to play with.

Fighting Jessica

In security newsletter #5, Frédéric Lefebvre presented the research work of Jessica Fridrich. By analyzing the noise of pictures, she attempts to uniquely fingerprint a camera. Each CCD generates a unique noise pattern. Thus, it should be possible to detect whether pictures were taken by a given camera.

It seems that this work has been spotted by the community and raised some fears. The site Instructables proposes a process for “anonymizing” pictures. Obviously, the author has no serious knowledge of signal processing theory. Some of the tricks are more than questionable. Nevertheless, he is serious: he did not forget the most obvious steps, 1 and 6. In step 1, he removes the metadata attached to a picture (how many people ignore or forget that Microsoft documents embed identification metadata?). In step 6, he suggests using Tor to anonymize the Internet postings.

The lesson is that the community checks the latest work of the academic world. Although they do not necessarily understand the scientific details (thus they may misjudge the maturity of the work), they clearly understand the potential consequences and outcomes.

An occasion to read the latest results from Jessica Fridrich? :Wink: Thanks Bertrand
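To make the sensor-noise fingerprint idea concrete, here is an added toy simulation; it is not Fridrich’s code nor anything from the newsletter. A constructed 12x12 “sensor” carries a fixed per-pixel sensitivity deviation K, a reference pattern is averaged from many photos, and a fresh photo’s noise residual is correlated against each camera’s reference. Image size, noise levels and the 3x3-mean denoiser are assumptions chosen so that it runs in pure Python.

```python
import random
W = H = 12       # constructed tiny sensor, 12 x 12 pixels
FRAMES = 16      # photos averaged to build a camera's reference pattern

def make_sensor(seed: int) -> list:
    """Fixed per-pixel sensitivity deviation K: the camera-specific noise pattern."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 0.03) for _ in range(W)] for _ in range(H)]

def capture(sensor: list, rng: random.Random) -> list:
    """One photo: smooth scene I, multiplied by (1 + K), plus fresh random noise."""
    base = rng.uniform(60.0, 160.0)
    return [[(base + x + y) * (1.0 + sensor[y][x]) + rng.gauss(0.0, 1.0)
             for x in range(W)] for y in range(H)]

def residual(img: list) -> list:
    """Noise residual = image minus its 3x3 local mean (a crude denoiser), interior
    pixels only. The smooth scene cancels; I*K and the random noise remain."""
    return [img[y][x] - sum(img[y + dy][x + dx] for dy in (-1, 0, 1)
                            for dx in (-1, 0, 1)) / 9.0
            for y in range(1, H - 1) for x in range(1, W - 1)]

def reference_pattern(sensor: list, seed: int) -> list:
    """Average many residuals: random noise averages out, the fixed pattern stays."""
    rng = random.Random(seed)
    acc = [0.0] * ((W - 2) * (H - 2))
    for _ in range(FRAMES):
        for i, v in enumerate(residual(capture(sensor, rng))):
            acc[i] += v
    return [v / FRAMES for v in acc]

def correlation(a: list, b: list) -> float:
    """Normalized cross-correlation in [-1, 1]."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return num / den

def attribute(img: list, patterns: dict) -> tuple:
    """Score a photo against each known camera; the highest score is the match."""
    r = residual(img)
    scores = {name: correlation(r, p) for name, p in patterns.items()}
    return max(scores, key=scores.get), scores

def demo() -> tuple:
    cams = {"camA": make_sensor(1), "camB": make_sensor(2)}
    patterns = {n: reference_pattern(s, 100 + i) for i, (n, s) in enumerate(cams.items())}
    fresh = capture(cams["camA"], random.Random(999))   # new photo from camA
    return attribute(fresh, patterns)
```

Running demo() attributes the fresh photo to camA with a correlation well above the near-zero score against camB; the Instructables tricks that merely strip metadata do nothing to this residual, which is why step 1 alone does not anonymize a picture.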

DNS weakness starts to be cured

In security newsletter #11, Patrice AUFFRET recounted the latest attack on DNS by Dan KAMINSKY. Patrice’s conclusion was that the only cure was the wide deployment of DNSSEC. DNSSEC is a secured version of DNS that authenticates the binding of textual Internet names to actual numerical IP addresses. DNSSEC has existed for about 14 years but has not yet been seriously deployed.

The cure has started! The Public Interest Registry is deploying DNSSEC for all the addresses it handles, which means all the .org addresses. The US government, which handles the .gov addresses, will also turn to DNSSEC.

With these two big domain spaces turning to DNSSEC, we may expect a snowball effect, with more and more domains switching to DNSSEC. The Internet will become (a little bit) more secure. This is good news for the new year :Happy:

Is Adobe 9 weaker than Adobe 8?

Once more, Elcomsoft is making the buzz (see the post where they claimed to have broken WPA2). Their new target is Adobe 9.

Adobe 9 uses AES-256 to protect PDF files. Unfortunately, calculating SHA-256 on Graphics Processing Units (GPUs) is faster than calculating the MD5 used in previous versions of Adobe. Thus, ElcomSoft claims that it is less secure, because they can brute-force 8-character passwords with Adobe 9 at the same speed as 6-character passwords with previous versions of Adobe.

Adobe’s answer is clear and technical (see Security matters: Acrobat 9 and passwords encryption). With the new version, they allow passphrases of up to 127 characters!

My comments are:

  • Was it useful to use AES-256? Is it not simply a stupid commercial argument? To get the full benefit of AES-256, the password should exceed 37 characters (I assumed 127 possible values per character, about 7 bits each, to calculate it). That is a passphrase as long as “Law #1: Attackers will always find th”. Who will
    1. type such a long passphrase?
    2. remember it, especially if it is not used daily?
  • Would it not also be better for Adobe to come up with a more human-understandable answer?
  • Once more, Elcomsoft is twisting the information. The only thing they are really demonstrating is that they are able to crack an 8-character password. Wow! :Sad: But they succeeded in creating a buzz in a field that most people do not understand. They are good at that.
  • Passwords suck if there is no limitation on the number of trials.
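The passphrase-versus-key arithmetic behind the 37-character figure, as an added calculator (not Adobe’s or ElcomSoft’s code). The 256-bit key, the 127-value alphabet and the 8-versus-6-character claim come from the post; the 95-symbol printable-ASCII alphabet and the guess rates are assumptions.

```python
from math import ceil, log2

KEY_BITS = 256          # Acrobat 9 protects PDFs with AES-256 (from the post)
PRINTABLE = 95          # printable ASCII; the post's own estimate uses 127 values

def passphrase_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * log2(alphabet)

def effective_bits(length: int, alphabet: int, key_bits: int = KEY_BITS) -> float:
    """What an attacker actually has to search: the key is derived from the
    passphrase, so the smaller of the two spaces bounds the work."""
    return min(key_bits, passphrase_bits(length, alphabet))

def weakest_link(length: int, alphabet: int, key_bits: int = KEY_BITS) -> str:
    """Name the bottleneck: the passphrase or the cipher key."""
    return "passphrase" if passphrase_bits(length, alphabet) < key_bits else "key"

def min_length_for_key(alphabet: int, key_bits: int = KEY_BITS) -> int:
    """Shortest passphrase whose space is at least as large as the key space."""
    return ceil(key_bits / log2(alphabet))

def implied_speedup(new_len: int, old_len: int, alphabet: int) -> int:
    """If exhausting `new_len` characters on the new version takes as long as
    exhausting `old_len` on the old one, guesses per second grew by this factor."""
    return alphabet ** (new_len - old_len)

def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Offline cracking of a file cannot be rate-limited; only length, alphabet
    and a slower key-derivation function buy time."""
    return alphabet ** length / guesses_per_second
```

An 8-character password over 127 symbols is worth under 56 bits whatever the cipher behind it, and “same speed for 8 as for 6” means a 127² fold gain in guesses per second, which is the whole of ElcomSoft’s result.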