Bring Your Own Cloud

In 2013, the Cloud Security Alliance released “The Notorious Nine” threats for the cloud. A few months later, I have the feeling that the most important threat is missing: “Bring Your Own Cloud (BYOC)”.

BYOC is when an employee uses a cloud-based service for business purposes without the blessing of his company. The employee clearly puts the company at risk: he may bypass all the company’s security policies, as well as the fences the company has put in place to protect its IP or infrastructure.

BYOC is so easy to do and, unfortunately, it is awfully convenient.

  • You just need to enroll in a free SaaS service to launch it immediately. It is sometimes faster than asking the IT team for the same service. How many of your employees have opened an account at DropBox, Box, GitHub, or whatever other cloud sharing service? How much of your sensitive information is already widely spread in the cloud? The employee will most probably not check whether the system is secure. The default settings are not necessarily the ones that you would use. Of course, the employee will not have read the SLA.
  • You just need to use the company credit card to open an account at an IaaS or PaaS provider. This is clearly faster than asking the IT team to install a bunch of servers in the DMZ. But how secure will they be?

The fast and free/cheap enrollment of cloud services makes them extremely attractive for employees. And they do not do it maliciously; they will always have strong rationales for their action.

But it can easily become a nightmare for the company when things go wrong, especially if the employee used his/her personal email to register rather than the company’s email. In that case, the company will have a hard time handling these accounts.

What can we do? Cloud is inevitable, thus we must anticipate the movement. A few actions:

  • Provide a company-blessed solution in the cloud for the types of services employees will need. This solution can be fine-tuned to meet the security requirements you expect. The account will be in the name of the company, thus manageable. Premium services often offer better security features such as authentication against your Active Directory, logging, metering…
  • Update your security policy to make it mandatory to use only the company-blessed solution
  • Educate your employees so that they are aware of the risks of BYOC
  • Listen to their needs and offer an attractive list of company-blessed services
  • Make it convenient to enroll in the company-blessed services.


Do you share this concern? What would you recommend?

A graphical password solution: PixelPin

Graphical passwords are an alternative to the usual textual passwords. They use an image as the main support, and image interactions such as pointing at positions in the picture as the entry mode. They can be convenient on touch screens, make it more difficult for robots to mimic human behavior, and are claimed to offer better memory resilience.

Since the early 1990s, the literature in the field has been rather extensive. Technicolor published several papers in the field (search for Maetz and Eluard). But we rarely see a product that implements such a solution.

The UK-based company PixelPin offers such a solution. It is based on Bonder’s seminal patent (5559961). When registering, you select one image as the support and four points in the image in a given order. When answering the challenge, you have to select the four points in the initial order. To limit the risk of shoulder surfing, the required positioning precision is rather fine (at least on a computer). After 5 attempts, the account is locked for 15 minutes. Reset sends a reset token via the email used to register.

To increase memory resilience and to ease positioning, you should select a picture with clearly identifiable salient points, otherwise you will quickly be locked out. Of course, using too obvious salient points reduces the space of “keys” to explore.
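To make the two trade-offs above concrete (positioning tolerance versus key space, and the lockout policy), here is an added illustration of an ordered click-point scheme; it is not PixelPin’s code, and the grid size, salted hash storage and injectable clock are my own assumptions.

```python
import hashlib
import hmac
import os
import time
from math import log2


class ClickPointPassword:
    """Ordered four-click graphical password (added illustration, not PixelPin's code).

    Clicks are quantized to a grid of `cell` pixels so a small positioning error
    still matches, and only a salted hash of the cell sequence is stored.
    The policy mirrors the post: 5 failures lock the account for 15 minutes.
    """
    MAX_FAILS, LOCK_SECONDS = 5, 15 * 60

    def __init__(self, points, cell=20, now=time.time):
        self.cell, self.now = cell, now          # `now` is injectable for testing
        self.salt = os.urandom(16)
        self.digest = self._digest(points)
        self.fails, self.locked_until = 0, 0.0

    def _digest(self, points):
        # Cell indices, not raw pixels, are hashed: a click anywhere in the same
        # cell matches (clicks near a cell border are the weak spot of this approach).
        cells = b"".join(f"{x // self.cell},{y // self.cell};".encode() for x, y in points)
        return hashlib.sha256(self.salt + cells).digest()

    def verify(self, points):
        t = self.now()
        if t < self.locked_until:
            return False                         # locked: the attempt is not evaluated
        if len(points) == 4 and hmac.compare_digest(self._digest(points), self.digest):
            self.fails = 0
            return True
        self.fails += 1
        if self.fails >= self.MAX_FAILS:
            self.fails, self.locked_until = 0, t + self.LOCK_SECONDS
        return False


def keyspace_bits(width, height, cell, n_points=4):
    """Entropy if every ordered sequence of n cells were equally likely; coarser cells
    (more tolerance) or obvious salient points shrink this quickly."""
    cells = (width // cell) * (height // cell)
    return n_points * log2(cells)
```

For an 800x600 image with 20-pixel cells the uniform bound is about 41 bits, but the post’s point stands: users pick salient points, so the realistic space is far smaller.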

The main issue is the network effect needed for such a solution. It will only be efficient if the sites using it are common and often visited, otherwise your memory will fade. Unfortunately, I did not find many sites using PixelPin. The startup was launched at the beginning of last year.

NSA spies us: what a surprise!

I will start this new year (for which I wish you all the best) with some ranting. Since the Snowden story started, I have never commented. Now I will, a little, as I am starting to be upset by all this hypocrisy. Snowden shed some light on the behavior and skill set of the NSA. This is interesting. But what is not acceptable is that the media seem to be surprised. WE KNEW IT FOR YEARS.


The NSA spies on our personal electronic communications! We have known it for years. Echelon was known in the 90s. The new systems are just a natural evolution to new communication means and greater computing capacity. It was even known that the scope was larger than military/political matters. The NSA published patents on the semantic analysis of natural speech; the purpose was obvious. I remember an initiative that asked people to send random mails containing gibberish together with some alleged keywords (such as terrorism, NSA, …) that should trigger the NSA’s scrutiny. The aim was to try to flood the system.


The NSA is studying advanced techniques such as quantum computing to crack ciphers! I would expect any serious government to have its black cabinet studying this topic. Once more, it is known that the NSA may be ahead of the academic/public domain in this field. In 1974, the US banking industry asked IBM to design a commercial cipher to protect electronic banking transactions. With the help of the NIST, IBM designed the famous DES. At the end of the 80s, the academic world discovered a new, devastating technique: differential cryptanalysis. In 1991, Eli Biham and Adi Shamir demonstrated that, surprisingly, DES was immune to this “unknown” attack (which was not the case for many other ciphers). In 1994, Don Coppersmith, who was part of the DES design team, revealed that DES had been designed to resist differential cryptanalysis. In 1974, the NSA already knew differential cryptanalysis but kept this knowledge secret, as it gave a competitive edge to US secret agencies.
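The property Coppersmith disclosed is measurable: an S-box resists differential cryptanalysis when no input difference forces an output difference too often. As an added example (not from the post or the cited papers), the code below builds the difference distribution table of DES S-box S1, taken from FIPS 46, and compares its worst-case differential with a constructed linear S-box that has no such resistance.

```python
# DES S-box S1 as published in FIPS 46 (rows chosen by the outer bits, columns by the middle four).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox(table, x):
    """6-bit input -> 4-bit output: bits 5 and 0 select the row, bits 4..1 the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def difference_distribution_table(f, in_bits=6, out_bits=4):
    """ddt[dx][dy] = number of inputs x such that f(x) ^ f(x ^ dx) == dy."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    ddt = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            ddt[dx][f(x) ^ f(x ^ dx)] += 1
    return ddt


def max_differential_probability(f, in_bits=6, out_bits=4):
    """Probability of the most predictable (input difference -> output difference) pair,
    ignoring dx = 0. Lower is better; the DES design kept this at 1/4 or below."""
    ddt = difference_distribution_table(f, in_bits, out_bits)
    best = max(max(row) for row in ddt[1:])
    return best / (1 << in_bits)


def linear_sbox(x):
    """Constructed, deliberately poor S-box: linear in x, so each input difference
    always yields the same output difference (probability 1)."""
    return (x >> 1) & 0xF
```

Every entry of a DDT is even, because x and x ^ dx form the same pair; the test below checks that together with the 1/4 bound for S1.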

Secret services do not play fair democratic games! This is why they are called secret services. Hollywood has told us that so often, as has John le Carré.


So please, let us stop this hypocritical surprise: we knew about it (but not the details).


E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, vol. 4, Jan. 1991, pp. 3–72, available at http://link.springer.com/article/10.1007/BF00630563.

D. Coppersmith, “The Data Encryption Standard (DES) and its strength against attacks,” IBM Journal of Research and Development, vol. 38, 1994, pp. 243–250.

Preventing weak passwords by reading your mind

This is what the site Telepathwords proposes. This site estimates the strength of a password. The interesting part of this Microsoft Research site is the heuristics it uses.

After each typed character, it attempts to guess what the next character will be. If it guessed right, then the character is considered weak (indicated by a red cross). How does it guess the characters?

Telepathwords tries to predict the next character of your passwords by using knowledge of:

  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

It considers the password strong if it has at least six non-guessable characters.
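The following is an added toy re-implementation of that heuristic (not Telepathwords’ own code): it predicts the next character from the three knowledge sources listed above, marks a character as guessed when it is among the predictions, and applies the six non-guessed-characters rule. The dictionaries and the limit of three guesses per position are constructed assumptions.

```python
from collections import Counter

# Constructed miniature knowledge sources standing in for the real dictionaries.
COMMON_PASSWORDS = ["password", "123456", "azerty", "qwerty", "letmein"]
COMMON_PHRASES = ["je pense donc je suis", "cogito ergo sum", "veni vidi vici"]
KEYBOARD_ROWS = ["azertyuiop", "qsdfghjklm", "wxcvbn",      # AZERTY layout
                 "qwertyuiop", "asdfghjkl", "zxcvbnm",      # QWERTY layout
                 "1234567890"]


def guesses(prefix, k=3):
    """Up to k guesses for the character following `prefix` (case-insensitive)."""
    tail = prefix.lower()
    votes = Counter()
    # Source 1 and 2: the prefix is the start of a known password or phrase.
    for entry in COMMON_PASSWORDS + [p.replace(" ", "") for p in COMMON_PHRASES]:
        if entry.startswith(tail) and len(entry) > len(tail):
            votes[entry[len(tail)]] += 2
    # Source 3: password-selection behaviors (adjacent keys, counting sequences).
    if tail:
        last = tail[-1]
        for row in KEYBOARD_ROWS:
            i = row.find(last)
            if i != -1 and i + 1 < len(row):
                votes[row[i + 1]] += 1
        if last.isdigit():
            votes[str((int(last) + 1) % 10)] += 1
    return {c for c, _ in votes.most_common(k)}


def analyze(password, threshold=6):
    """Mark each character as guessed or not; strong when >= threshold are not guessed."""
    marks = [ch.lower() in guesses(password[:i]) for i, ch in enumerate(password)]
    unguessed = marks.count(False)
    return {"guessed": marks, "unguessed": unguessed, "strong": unguessed >= threshold}
```

With these tiny dictionaries the toy reproduces the post’s observations: “azerty” and “cogitoergosum” are weak, while “aleajactaest” passes because no source knows the phrase.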

Of course, the strength of the system relies on the richness of its dictionaries of common passwords and common phrases. Obviously, the game was to play with it. My first thought was that it would be purely English-centric. Thus, I tried French, and the first one was azerty. Azerty, of course, was weak. “abrutifrançais” (or “French idiot”) was a strong password, even without the special character ç. “Je pense donc je suis” was rated medium (as it guessed the end). Let’s go further and switch to Latin. “CogitoErgoSum” was weak, as was “venividivici”. But “aleajactaest” was extremely robust!!

For the fun, I checked consistency with Microsoft Password Checker. The answers are not consistent. For instance, “CogitoErgoSum” turns out to be strong whereas “aleajactaest” is medium.

As always, it is rather easy to trick this type of site. Nevertheless, the site clearly explains that it will not detect all weak passwords, especially those from languages other than English.

Laundering money in the digital world

With the advent of the digital world, money laundering has developed new techniques. Two new trends: online gaming and micro laundering.

Online gaming is not online gambling (which is what we may have thought of when speaking of illegal activities); it is the use of role-playing games (RPG) such as World of Warcraft (WoW) to move money. Indeed, many RPGs provide the possibility to purchase or sell either virtual coins collected during game play or rare virtual artifacts. The trade can use real money. Blizzard recently announced that it will close Diablo III’s marketplace. A way to avoid this type of issue?

Micro laundering uses services such as PayPal or virtual credit cards and people who will temporarily pass funds through their accounts. Interestingly, I learned that some Nigerian scams were indeed semi-real: they look for people to transfer illegal money. The person accepting the transfer operation may be rewarded, but this person will be liable for money laundering!!

This activity is described in Jean-Loup Richet’s report “Laundering Money Online: a review of cybercriminals’ methods”. This report gives a high-level view of the new trends. Unfortunately, it lacks serious figures, references and technical details. I do not know if there is a non-public version with more information.

If you are looking for a quick overview, it is a good start. It also gives a good view of how inventive they can be.


J.-L. Richet, “Laundering Money Online: a review of cybercriminals’ methods,” 2013, available at http://arxiv.org/abs/1310.2368.

Ten laws: a little help?

I am writing my second book. It will explore the ten laws of security. It will be published by Springer in 2015. The book will describe many examples of real situations illustrating the laws. Some examples comply with the laws, others violate them.

I already have many examples. Nevertheless, the larger the stock of potential examples, the better. Thus, I am looking for examples. If you have examples illustrating one law and are ready to share them with me, you are welcome. If it is a new, unknown example that I use in the book, then, of course, you will be cited in the book.

I am also looking for examples:

  1. Not related to IT
  2. Historical examples

I appeal to your generosity…

SF: Rainbow Ends

It is interesting to see how contemporary sci-fi authors embrace new technologies. Vernor Vinge, in his “Rainbow Ends”, demonstrates his deep knowledge of current IT technologies. In a not too distant future, his heroes are immersed in a world with three technical characteristics:

  • Wearables: computers are part of day-to-day clothing. Funnily, the French translation uses the sad term “vetinf”.
  • Augmented reality: everybody wears eye lenses. Not only do they give additional information, but they can also disguise the world with whatever fantasy the viewer desires.
  • Ubiquitous network.

Therefore, from the technical point of view, the book is interesting. What about the story itself? It is a mixture of Fahrenheit 411, Snow Crash and a jump to the future. Unfortunately, there are some inconsistencies with the characters, as some young kids are too “efficient” (at least, according to me). Thus a good book, but not a major opus.

PS: I do not share his vision and definition of DRM.