WPA hack

You probably noticed that I have been late in reporting news. This month was rather busy for me. Still, I could not avoid saying a few words about the WPA attack.

Ars Technica provided excellent coverage of the attack. In addition, they give a short history of Wi-Fi encryption.

Are we safe? I am sure that you are all using WPA2, or at least WPA with AES. In that case, you are perfectly safe. The attack works only on TKIP without AES, and only for short packets, so it cannot decrypt a complete normal WPA-protected stream. Nevertheless, the attack is a first hit against WPA. It is extremely clever and required a deep knowledge of the different 802.11 flavors.
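The practical consequence of the paragraph above is a configuration check: an access point should offer WPA2 with CCMP (AES) only, never TKIP. The following Python script is an added example, not code from the original post; it audits a hostapd configuration for TKIP or WPA (v1). The option names `wpa`, `wpa_key_mgmt`, `wpa_pairwise` and `rsn_pairwise` are real hostapd.conf options, and the fallback of `rsn_pairwise` to `wpa_pairwise` follows hostapd's documented behaviour; both sample configurations are constructed.

```python
"""Flag hostapd configurations that still offer TKIP or WPA (v1).

Added example, not code from the original post. The option names wpa,
wpa_key_mgmt, wpa_pairwise and rsn_pairwise are real hostapd.conf
options; both sample configurations below are constructed.
"""

# Constructed sample: WPA/WPA2 mixed mode (wpa=3) still offering TKIP.
WEAK_CONF = """\
interface=wlan0
ssid=office-legacy
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

# Constructed sample: WPA2 only (wpa=2) with CCMP (AES) as the only cipher.
HARDENED_CONF = """\
interface=wlan0
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def offered_ciphers(conf):
    """Return the set of pairwise ciphers the AP is willing to negotiate.

    Bit 0 of 'wpa' enables WPA (v1), which uses wpa_pairwise; bit 1 enables
    WPA2/RSN, which uses rsn_pairwise and, when that option is absent, falls
    back to wpa_pairwise (documented hostapd behaviour).
    """
    wpa = int(conf.get("wpa", "0"))
    ciphers = set()
    if wpa & 1:
        ciphers.update(conf.get("wpa_pairwise", "").split())
    if wpa & 2:
        rsn = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
        ciphers.update(rsn.split())
    return ciphers


def audit(text):
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    conf = parse_hostapd(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        return ["WPA/WPA2 not enabled (wpa=0)"]
    if wpa & 1:
        findings.append("WPA (v1) enabled; offer WPA2 only (wpa=2)")
    if "TKIP" in offered_ciphers(conf):
        findings.append("TKIP offered as pairwise cipher; use CCMP (AES) only")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["ok"])
```

Running the script prints two findings for the mixed-mode configuration and "ok" for the WPA2/CCMP one; the same parser can be pointed at a real hostapd.conf by reading the file into `audit()`.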

Some people may question the interest of attacking a protocol that is almost obsolete in the field (hopefully, most Wi-Fi networks should be WPA2 with AES). Any exploit is a new lesson on how a protocol gets attacked. The next generation of protocols should be resistant to this type of exploit. Thus, it is always useful to increase the knowledge in security and widen the database of attacks.

Probably a topic for the next newsletter.

The Global Anti Piracy day

On 21 October, Microsoft launched an initiative called the Global Anti-Piracy Day. The objective was to launch enforcement actions and education programs in 49 countries. See Microsoft’s press release. This Global Anti-Piracy Day did not attract a lot of interest from the media. Nevertheless, The Pirate Bay brought its “contribution” to this day. See Pirate Bay’s doodles.

More seriously, better awareness of the consequences and risks of counterfeiting and piracy is an important tool. It would perhaps be more interesting to have combined initiatives with the many industries suffering from piracy. It would be interesting to demonstrate the risks people take by using pirated or counterfeited goods (viruses, fake devices, litigation, …). In the early days of CPTWG, the motto was “Keep honest people honest”. Increasing awareness goes in this direction.

SMS and spam

Yesterday, Luc Chatel, the French Minister of Industry and Consumption, announced an initiative to stop SMS spam. When receiving a suspected spam SMS, the user may forward it to a call center at the number 33700.

How exactly it will operate is not entirely clear. The numerous media reports described a simple method. When looking at the details (see diagram), the system is far more complex.
The number of the spam’s sender is not transferred with the first forward; the user just receives an acknowledgment. Optionally, the user may forward the message a second time, to the same number 33700. Only then is the caller ID of the spam’s sender transmitted. After the second “call”, the system starts to analyze and may eventually trigger retaliation against the spammer.

An important piece of information: the call to 33700 is not free. It costs the price of an SMS! When asked why this number was not free, the minister answered (interviewed by Jean-Luc Hess on Radio Classique, 22 October) that there were three potential entities that could pay for the service: the state, the telco operators, or the consumers. He preferred to put the burden on consumers, and considered it a good citizen action.

This will simply not work, for at least two reasons:
– The two-step process is nonsense from a usability point of view. How do you expect people to build a mental model of this system? Why should the user call the same number twice? I looked for a rationale; the best one I found was to restrict the number of analyses started, thus reducing cost. If each call triggered a human action, it would soon become too costly.
– Once more, the economic incentives are not aligned. The person who suffers from the threat (spam) also bears the cost of spotting it. The entities that indirectly benefit from SMS spam, i.e. the telco operators, do not bear the cost of the countermeasures. Misaligned incentives generate failed security systems.

33700 is probably a nice propaganda tool, but it will never be an efficient anti-spam tool.

China wants source code (2)

The Yomiuri Shimbun reported additional information. Some of the products that will be subject to the approval:

  • OS of contactless cards such as FeliCa (Sony’s contactless smart card) and MULTOS
  • Digital photocopiers, OS of AV products, ATMs or point-of-sale devices!
  • Routers (no surprise at all; it would have been the first category I would have requested)
  • Software for data backup

The list is rather interesting because most of these may have an impact on the overall security of the nation. An entity with a backdoor in these devices would have access to interesting data. Let’s take a simple device like a digital photocopier. The OS has access to the digitized image. It could store it in some hidden storage unit. The maintenance crew could then retrieve the storage unit. Of course, storage capacity is limited. But now add OCR software and filtering software that spots a list of sensitive tag names: the spy software stores only the potentially interesting data. By the way, how can we be sure that this is not already the case? Photocopiers have some hidden features that are not often publicized. Try to copy a banknote with a high-res color Xerox. Surprise, surprise…

Beyond mere economic intelligence, we could add to the list of intents: detecting potential backdoors and spyware, or implementing such backdoors.

By the way, the new regulation is scheduled for May 2009!

Many thanks to Masaru-san.

China wants source code

According to the Yomiuri Shimbun, the Chinese government plans to request access to the source code of electronic equipment. The official rationale is to validate that the devices are immune to Internet viruses, in order to fight this malware. Without this approval, foreign companies would be banned from importing devices into China. The Japanese newspaper does not disclose what happens if the examiners find weaknesses. Will they return the information to the manufacturer so that it can address them? Will they keep it secret?…

Of course, most people equate this process with economic intelligence. The Chinese government provides no guarantee that the source code would not leak. It is far easier than reverse engineering. It would also be an interesting method to find ways to crack installed devices. They would just not disclose the exploit (and it is smarter than asking for backdoors). This type of exploit could be used both on the domestic market (to spy on Chinese citizens) and in foreign countries (if the exploit is applicable to other releases). This would also ease the production of counterfeited critical devices (see the FBI warning against counterfeited Cisco routers).

The announced rationale makes no sense. Every security specialist knows that it is impossible to analyze a full source code and find all the security vulnerabilities. If we knew how to do it, we would have more secure products in the field. Hardening even a small piece of software is already a complex task, let alone a complete application.

It is more likely legitimate to judge the Chinese government on its real intent. I doubt that many companies would accept.

Academic research and free speech

As usual, a company attempted to stop the disclosure of weaknesses at a security conference. This time, the Massachusetts Bay Transportation Authority sought to restrain Zack Anderson, R.J. Ryan and Alessandro Chiesa, students at MIT, from presenting a paper about the weaknesses of its RFID and magnetic stripe cards. The targeted conference was Defcon, one of the great hacking conferences. Nothing especially new.

The interesting fact is that District Judge Douglas Woodlock granted such a temporary restraining order. He backed up his decision with the Computer Fraud and Abuse Act. This law targets hackers who “knowingly causes the transmission of a program, information, code, or command to a computer or computer system.” In other words, according to this judge, presenting a paper disclosing weaknesses is equivalent to using software to penetrate a system.

Obviously, the Electronic Frontier Foundation (EFF) immediately fought back, invoking the First Amendment on free speech. Once more, we have this legal battle between academic researchers who find a flaw and a company that does not want this flaw to be disclosed. One of the first examples was the Felten versus RIAA case (#CVB-01-2669 (GEB)) about SDMI. The team of Ed Felten broke the watermarking schemes proposed by SDMI in an open challenge. The RIAA attempted to restrain Ed Felten from disclosing it at Information Hiding 2000. Finally, the RIAA withdrew its objection and the paper was presented at ICASP2001.

Once more, this case highlights the same questions and remarks:

  • What should be done when discovering a security flaw? The typical ethical procedure is to inform the company about the flaw, give them some time to react, and then publish. The problem is often the definition of the reaction time.
  • What is the right reaction of the company? Often they react badly. I believe it is more beneficial to be informed by white hats who disclose the weakness than to be attacked by black hats who will keep it secret. Once informed, you may at least monitor for possible attackers. I prefer a flaw in my product that everybody (including myself) is aware of to one that is present but that I am not aware of.
  • Are judges sufficiently prepared to deal with highly technical issues? Should there not be a special type of technology judge? They rely on experts, but do they understand what the experts are explaining? We sometimes even have difficulty understanding our peer experts!

In any case, it is mandatory that researchers continue to look for weaknesses and disclose them. No security by obscurity.

Security and Facebook and the like

Greek researchers will present tomorrow an attack using Facebook as a vector. The idea is that they provide an applet that displays nice pictures from National Geographic. Unfortunately, in addition to its benign display, the applet requests the download of a big file from one server. If this applet spreads within the social network, it may end up with thousands of applets downloading a big file from one given server, in other words a Distributed Denial of Service (DDoS).
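From the targeted server's side, the distributed download described above leaves a recognisable trace: many distinct clients fetching the same large file within a short window, all sent by the same third-party page. The following Python script is an added example, not code from the original post or from the researchers' work; it runs that detection over constructed Apache combined-format log lines. The widget host `widgets.example`, the file name, and the thresholds are assumptions.

```python
"""Spot a widget-driven distributed download in web server access logs.

Added example, not from the original post or the researchers' work. The
log lines are constructed in Apache "combined" format; the widget host
widgets.example, the file name and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten distinct clients fetch the same large file within
# 30 seconds, all referred by one third-party widget page; two ordinary hits
# on the front page are mixed in.
SAMPLE_LOG = [
    '10.0.0.%d - - [22/Oct/2008:10:00:%02d +0000] "GET /files/big.iso HTTP/1.1" '
    '200 734003200 "http://widgets.example/natgeo-pictures" "Mozilla/5.0"' % (i, 3 * i)
    for i in range(1, 11)
] + [
    '192.0.2.7 - - [22/Oct/2008:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [22/Oct/2008:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_hotspots(lines, window=timedelta(seconds=60), min_clients=8):
    """Flag paths fetched by at least min_clients distinct IPs inside one window.

    Each alert carries the dominant Referer and its share of the requests, so
    an analyst can see whether one external page is sending the traffic.
    """
    by_path = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_path[rec["path"]].append(rec)

    alerts = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            clients, referers = set(), defaultdict(int)
            for rec in recs[i:]:
                if rec["ts"] - start["ts"] > window:
                    break
                clients.add(rec["ip"])
                referers[rec["referer"]] += 1
            if len(clients) >= min_clients:
                top, hits = max(referers.items(), key=lambda kv: kv[1])
                alerts.append({
                    "path": path,
                    "clients": len(clients),
                    "referer": top,
                    "referer_share": round(hits / sum(referers.values()), 2),
                })
                break  # one alert per path is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_hotspots(SAMPLE_LOG):
        print(alert)
```

On the sample, the script raises one alert for `/files/big.iso` with ten clients and a Referer share of 1.0; on a real log the thresholds should be tuned to the server's normal traffic, and a Referer share close to 1.0 is the signal that a single external page, rather than organic interest, is driving the downloads.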

And all the journalists discover that there is a risk with social networks. I am always amazed when people discover the obvious. Why should Web 2.0 be different from the “old” computing era? Anybody is expected to understand that it is not safe to execute a piece of software from an unknown publisher. It may be malware. Users are expected to accept this as good practice.

And now, all of a sudden, comes Web 2.0. And anybody is happy to add nice widgets to his/her site, web page, desktop, … Why should widgets be different from normal applications? Why should widgets not carry a lethal payload? Why should Web 2.0 be secure (at least, it is not by construction)? I am only amazed that there are not more plagued widgets today.

Using social networks is even worse. You may trust the friends in your social network; thus, you may eagerly accept nice widgets from them. But how do they know it is a safe widget? Imagine a widget with a delayed bomb inside (as used in viruses). It spreads nicely within Facebook, and then it is triggered…

Am I too paranoid? Why did Web 2.0 escape common sense? Any idea?