Notes of PST2012: Day 2

As for yesterday, these notes reflect what caught my interest and do not attempt to be unbiased, exhaustive reporting of the presentations.

Co-utility: rational cooperation for privacy, security and functionality in the information society (J. Domingo-Ferrer, University of Tarragona)

He started with an environmental analogy: privacy preservation is essential and should be sustainable for the survival of the information society. To limit privacy “pollution”, he proposes reducing identifiable information, reusing data to reduce utility,

He uses game theory to define co-utility: two players are co-utile when each player's best strategy is to cooperate with the other. Using different equilibria, he defines Nash, mixed Nash, or Stackelberg (when one player can impose his strategy on the other players) co-utility.

Application to PIR applications

Currently, PIR assumes the cooperation of the database, which is not always true (not true when using zero-knowledge techniques, such as Micali's). Potential solutions:

  • Standalone approach: TrackMeNot generates fake queries or adds fake keywords
  • P2P: reuse queries submitted by other users. He explores this avenue: each player collaborates by submitting the queries of the other players to flatten his own profile (Nash equilibrium).

Trust session

Building robust reputation systems for travel-related services (H. DUAN, Heidelberg)

How to stop manipulations that inject fake reviews (promoting, demoting, system destruction)?

The idea was to use review helpfulness as a reputation measurement. They did not use textual analysis. It worked for one data set (New York City) and not for another town.

They were challenged on how they distinguished promoters and demoters from innocent reviewers.

Collaborative Trust Evaluation for Wiki Security

The issue is that malicious or incompetent contributors may modify documents (an estimated 4-6% of Wikipedia contributions are vandalism).

The Security Wiki Model is a layered model with promotion of authors based on the quality of their contributions. A document has an integrity level (IL), and only authors with a higher level can contribute to it. The author assigns the first IL (necessarily less than or equal to his own level).

An author increases his reputation through reviews that are validated by other reviewers.

Very conservative approach.

The theory of creating trust with untrusted principals (J. Viehmann, Fraunhofer)

State of the art: vote, democratic vote (majority), centralized Trusted Third Party

Using game theory with peer monitoring to detect manipulation in different cases:

  • plain
  • Law-enforced
  • using mistrust (by testing through fake requests to see whether somebody is trustworthy)

Theoretical; no real experiment to test the reaction of users.

Security Session

Effects of displaying access control information near the item it controls (K. Vaniea, Carnegie Mellon)

They tried it on a photo gallery with a distinction between everybody, co-workers, friends and family.

When the icon is near the picture, it has a better effect than in the sidebar. It has no better impact on memory retention.

Detecting JavaScript-based attacks in PDF files (F. Schmitt, University of Bonn)

Static detection is not sufficient when the script builds the malicious code at runtime.

The typical attack is heap spraying, then calling a vulnerable API method so that the return address gets overwritten.

They use PDF Scrutinizer, which has a JavaScript emulator and a reader emulator without actual rendering.

Interesting detector: the heap spray detector observes strings added to an array too often, always with the same identical string.
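To make the heuristic concrete, here is an added example of such a detector, written for these notes; it is not PDF Scrutinizer's code. It hooks `Array.prototype.push` the way an emulator could instrument array writes, counts pushes of identical long strings, and raises an alert once the same block has been stored a suspicious number of times. The thresholds (`SPRAY_MIN_BLOCKS`, `SPRAY_MIN_LENGTH`) and the two sample scripts are constructed for illustration.

```javascript
// Added example of a heap-spray heuristic: NOT PDF Scrutinizer's code.
// Thresholds are assumptions chosen for illustration.
const SPRAY_MIN_BLOCKS = 50;     // this many pushes of one identical string is suspicious
const SPRAY_MIN_LENGTH = 0x1000; // only count large blocks (>= 4 KiB of payload)

function makeSprayDetector() {
  // Map from string content -> number of times it was pushed into an array.
  const counts = new Map();
  const alerts = [];
  const originalPush = Array.prototype.push;

  function install() {
    // Instrument array writes the way an emulator would, without rendering anything.
    Array.prototype.push = function (...items) {
      for (const item of items) {
        if (typeof item === 'string' && item.length >= SPRAY_MIN_LENGTH) {
          const n = (counts.get(item) || 0) + 1;
          counts.set(item, n);
          if (n === SPRAY_MIN_BLOCKS) {
            // Use the original push so the detector does not count its own writes.
            originalPush.call(alerts, { blocks: n, length: item.length });
          }
        }
      }
      return originalPush.apply(this, items);
    };
  }
  function uninstall() { Array.prototype.push = originalPush; }
  return { install, uninstall, alerts, counts };
}

// Constructed "document script" with the classic spray shape: a small stub is
// doubled until the block is large, then the same block is stored many times.
function runSprayScript() {
  const det = makeSprayDetector();
  det.install();
  try {
    const stub = '\u9090\u9090\ucccc';      // placeholder bytes, not real shellcode
    let block = stub;
    while (block.length < 0x2000) block += block;
    const spray = [];
    for (let i = 0; i < 200; i++) spray.push(block);
    return det.alerts.length;                // 1: one identical block pushed 200 times
  } finally {
    det.uninstall();
  }
}

// Constructed benign script: many distinct short strings, no alert expected.
function runBenignScript() {
  const det = makeSprayDetector();
  det.install();
  try {
    const rows = [];
    for (let i = 0; i < 200; i++) rows.push('row-' + i);
    return det.alerts.length;                // 0
  } finally {
    det.uninstall();
  }
}
```

The detector fires on repetition of one large identical string, not on array size alone, which is what separates a spray from a script that legitimately fills a big table with varied data.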

Automatic Detection of Session Management Vulnerabilities in Web Applications (Y. Takamatsu, Japan)

Typical attacks: session fixation and Cross-Site Request Forgery (CSRF).

They implemented a plug-in for Amberate to detect these vulnerabilities. Not convincing, as it created false positives on PHP-Nuke.

Notes on PST 2012 (day 1: Innovation day)

Here are some notes on the first day of PST2012. These notes are personal and biased in the sense that they reflect the topics that caught my attention. As such, they do not exhaustively represent the content of the various presentations.

Today’s challenges of cybercrime (E. FREYSSINET)

Eric is the head of the cybercrime department of the French gendarmerie. As such, he has a deep knowledge of today’s cybercrime, as he is fighting it.

He first presented the big trends and issues:

  • The amount of data to analyze is exploding
  • Organized crime; interestingly, organized crime entered the game only lately. The target that first attracted organized crime was car theft, which required electronics specialists due to increased electronic defenses; then organized crime jumped to electronic money.
  • Cryptography is becoming more widespread. It has an impact: for instance, a house search has to occur at a time of day when the computer is already switched on.

Then he described some cases in more detail. A few excerpts:

  • Crime against children: this is one of the most important threats handled by his team (25% of the cases). Several hundred cases per year in France. The best defense is the education of children.
  • Attacks on IT systems: botnets have become the core element of many IT attacks. Often individuals write the tools and are hired by organizations that install such infrastructure. Interestingly, many SMEs are attacking each other!
  • There is a real business approach behind such crime. Carders offer professional sites with customer support. Malware is sold with a licensing approach, CMS, …

Then he presented a typical attack: police ransomware. The malware blocks the computer, sometimes encrypts data, and displays a message supposedly issued by the police claiming that you violated the law and have to pay a fine. 10% of infected people pay the alleged fine.

Cyber Defense

Can we protect against the unknown?  (D. BIZEUL, Cassidian, Head of Security Assurance)

The focus of the presentation is on APT (Advanced Persistent Threat)

The six steps of APT:

  1. Information gathering
  2. Vulnerability identification
  3. Spear phishing/RAT installation
  4. Pass-the-hash protection / propagation (for escalation)
  5. Malware and pack of tools
  6. Exfiltration

Detection of steps 3 to 6 should use reputation evaluation, statistics and, of course, logs. Thus, it is recommended to have a savvy IT team, cyber intelligence, IDS/IPS, and SIEM & SOC. Cyber intelligence is key.

CERT, CSIRT  (O. CALEFF, Devoteam)

Presentation of what a CERT/CSIRT is and how it works.

Cyber defense tools: the sourcefire example (Y. LE BORGNE)

He explained how an Intrusion Prevention System (IPS) works:

  • Stage 1: packet decoder
  • Stage 2: pre-processor to normalize data
  • Stage 3: Rules engine
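An added toy pipeline with those three stages, written for these notes (it is not Snort or Sourcefire code). The wire format `src>dst|payload`, the rule syntax and the two sample requests are constructed; the point it demonstrates is why stage 2 exists: the same rule set misses a percent-encoded traversal when normalization is skipped.

```javascript
// Added example of a three-stage IPS pipeline. Not Snort/Sourcefire code;
// packet format, rules and traffic are constructed for illustration.

// Stage 1: decoder. Constructed wire format: "src>dst|payload".
function decode(raw) {
  const m = /^([^>]+)>([^|]+)\|([\s\S]*)$/.exec(raw);
  return m ? { src: m[1], dst: m[2], payload: m[3] } : null;
}

// Stage 2: pre-processor. Gives the rules engine a canonical URI: undoes
// (double) percent-encoding, turns backslashes into slashes, collapses
// "." and ".." segments and remembers whether a traversal was attempted.
function normalizeHttp(pkt) {
  const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]/.exec(pkt.payload);
  if (!m) return { ...pkt, http: null };
  let uri = m[2];
  for (let i = 0; i < 2; i++) {                 // two rounds handle double encoding
    try { uri = decodeURIComponent(uri); } catch (e) { break; }
  }
  uri = uri.replace(/\\/g, '/');
  const out = [];
  let traversal = false;
  for (const seg of uri.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { traversal = true; out.pop(); continue; }
    out.push(seg);
  }
  return { ...pkt, http: { method: m[1], uri: '/' + out.join('/'), rawUri: m[2], traversal } };
}

// Stage 3: rules engine. Content rules match the normalized URI when there is
// an HTTP request line, otherwise the raw payload.
const RULES = [
  { sid: 1, msg: 'WEB-MISC /etc/passwd access', content: '/etc/passwd' },
  { sid: 2, msg: 'WEB-MISC directory traversal', traversal: true },
];

function matchRules(pkt) {
  const alerts = [];
  const hay = pkt.http ? pkt.http.uri : pkt.payload;
  for (const r of RULES) {
    if (r.content && hay.includes(r.content)) alerts.push(r.sid);
    if (r.traversal && pkt.http && pkt.http.traversal) alerts.push(r.sid);
  }
  return alerts;
}

function inspect(raw) {
  const pkt = decode(raw);
  return pkt ? matchRules(normalizeHttp(pkt)) : [];
}

// Same rules, stage 2 skipped: the encoded request slips through.
function inspectWithoutNormalization(raw) {
  const pkt = decode(raw);
  return pkt ? matchRules({ ...pkt, http: null }) : [];
}

// Constructed traffic.
const EVASIVE = '10.0.0.5>10.0.0.1|GET /cgi-bin/%2e%2e/%2e%2e/etc/p%61sswd HTTP/1.1\r\nHost: x\r\n';
const BENIGN = '10.0.0.5>10.0.0.1|GET /index.html HTTP/1.1\r\nHost: x\r\n';
```

`inspect(EVASIVE)` fires both rules because the URI normalizes to `/etc/passwd` with a traversal flag, `inspect(BENIGN)` fires none, and `inspectWithoutNormalization(EVASIVE)` fires none either: the encoded bytes never match the literal `/etc/passwd`.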

Why are there still intrusions?

  • The client side is more prevalent and is the best place to attack.
  • File complexity is a good vector for malware
  • Operating an IDS is too complex
  • Operating an IPS requires skill

Evolution of Snort

New pre-processors (GTP, Modbus, …), HTTP compression.

Deeper detection (cookies, JavaScript obfuscation, …)

The message is that the human is the key element. Thus, they claim to simplify the task by focusing the reporting.

Panel

APT is more of a buzzword. It is not new. The most important aspect is the Persistent Threat part.


Keynote: The authorization leap from rights to attributes: Maturation or Chaos? (R. Sandhu)

Ravi is the father of Role-Based Access Control (RBAC). Will RBAC be replaced by Attribute-Based Access Control? In any case, we are moving towards flexible policies. According to him, the main issue with access control is and will always be the analog hole. The main defect of RBAC is that it does not offer an extension framework. Thus, it is difficult to cope with shortcomings; ABAC has the advantage of offering inherent extensibility, for instance by adding attributes.

Security policy requires policy enforcement, policy specification and policy administration.

He believes in Security as a Service because there will be an incentive to properly secure things, or else you change service provider.

SME session

Arxan (M. NOCTOR)

Nothing new. If you do not know Arxan and you need software tamper resistance, visit their site.

CODENOMICON (R. Kuipers)

How to strip down a TV set? He highlighted the risk of connected TVs that are not secure at all, although they may handle confidential data such as credit card numbers.

Secure IC (P. NGUYEN)

Silicon security; the usual presentation on side-channel attacks. The new attacks are Correlation Power Analysis and Mutual Information Analysis (new since 2010). The new trend is to use information-theory-related metrics. They have a dual-rail logic family with formally proved security (to be presented at CHES 2012).

A new version of my site

Welcome to the new version of my site. Now both my site and my blog share the same look and feel. Indeed, they share the same engine (WordPress). Translation from my homemade site to WP pages was simple. Nevertheless, I am sure that there are some remaining issues (such as missing or wrong links). Do not hesitate to point them out to me for fixing.

Linksys and the cloud snafu

A new trend in the management of gateways and routers is to use the cloud. Currently, gateways and routers are locally managed by the user, and often remotely managed by the operator through protocols such as TR-069. The new trend moves device management to the cloud. In other words, to modify the router/gateway, you have to use a remote service. Most manufacturers, if not all, are following this path.

Last month, Cisco launched its Cisco Connect Cloud service, which offers this capability. For that purpose, Cisco had to install new firmware into deployed Linksys routers, and launched such an update. Thus, many customers who had opted in to automatic firmware upgrades (which, by the way, is usually a smart decision) were automatically upgraded, losing the ability to manage their device locally. This automatic upgrade started a huge rumpus on the forums, many people feeling that losing local management was equivalent to losing ownership of their router. This was the first issue. Many people believed that this upgrade would be systematic for every Linksys router.

Unfortunately, the Terms of Service (TOS) of Cisco Connect Cloud mentioned that Cisco might keep track of a variety of information, including Internet history, and might share “aggregated and anonymous user experience information” with service providers and other third parties. This second issue was even more devastating for Cisco.

Cisco quickly reacted and took a set of appropriate actions:

  • Explaining that the upgrade was done only if the customer requested it or had opted in to automatic upgrades. Cisco provided a method to revert to local management,
  • Modifying the TOS to remove the section related to the collection of data such as Internet history,
  • And highlighting that Cisco does not use the routers to collect information about Internet usage.

Lessons:

  • Full remote management of a user-owned device may be perceived adversely. Hardware ownership is strongly associated with control.
  • Privacy is important for some people, and not necessarily rational. The perception of privacy is complex. How many of the people who complained regularly use Google (or whatever search engine) and click on the proposed links, leaving a trace of their Internet usage with Google? An interesting sociological study to do; privacy is a touchy, complex topic.
  • There are some people who carefully read the TOS!!!


Thanks to RG for the initial pointer.

“Securing Digital Video” is now available!

My book, “Securing Digital Video: Techniques for DRM and Content Protection”, is now on sale. It can be found directly at Springer (about one week delay), from US Amazon (2-4 weeks delay) and from French Amazon (available only in August).

This is the last step of a long process. I hope that readers will enjoy it and that it will be useful to the community. More details on the book are available here.

I would be glad to hear your suggestions and appreciation (even negative), and to answer any question. For that, preferably use the address book@eric-diehl.com. I will always answer.

HADOPI: a little inside view

In May 2011, the French HADOPI mandated an expert, David Znaty, to evaluate the robustness of the system that tracks infringers on P2P networks. The objectives were:

  1. Analyze the method used to generate fingerprints
  2. Analyze the method used to compare sample candidates with these fingerprints
  3. Analyze the process that collects the IP addresses
  4. Analyze the workflow

On January 16, 2012, Mr Znaty delivered his report. A version without the annexes was published on the HADOPI site for public dissemination. The report concluded that the system was secure. Its conclusion (translated from the French original):

Conclusion: as it stands, the current process around the TMG system is RELIABLE. The documents consisting of the official report (referral) and, if necessary, of the complete file of the work (stored at TMG) associated with the 16 KB segment constitute ROBUST evidence.

The procedure used therefore allows unambiguous identification of a work and of the IP address that made this work available.

Quickly, content owners complained that sensitive information might leak from this report. Therefore, it was interesting to have a look at this report.

The report is no longer available on the HADOPI site. The links are present, but there is no actual download. Sniffing around, you may easily find copies of the original report (for instance here). Once we have it, what is leaking out?

Most probably, for experts, nothing really interesting. We learn a lot about the process of identifying the rights owners of a piece of content. This part is well described in the document. On the technical side, no details: the expert was always told that the technology providers would not give any details on the algorithms. Therefore, to validate the false positive rate, the expert checked whether any content inside the reference database shared the same fingerprint. The answer is no (except for one case where they fed the same master twice). Conclusion: no false positives! I let you draw your own conclusion.

The annexes that may have some details were not published. I have not found a copy on the net. What bits of information could we grasp?

  • There are two technology providers for the fingerprints. They are “anonymized” in the document for confidentiality (sigh!). We can guess that the audio fingerprint provider is not French, as a quoted answer was in English. This is not a surprise, as to the best of my knowledge there is no French technology commercially available.
  • They look for copyrighted content on P2P networks using keywords. Once a piece of content is spotted, its fingerprint is extracted and compared to the master database. If the content matches, its hash is recorded (most probably an MD5 hash). Then, TMG can look for this MD5 hash and record the IP addresses.
  • The content is recognized if there is an ordered sequence of fingerprints. The length of the sequence seems to depend on the type of content and the rights owner. For audio, 80% of the duration. For video, in the case of ALPA, 35 minutes…

In conclusion, not a great deal…


The older, the more security concerned

This is the conclusion of a study performed by Dimensional Research for ZoneAlarm (a division of Check Point). As a reminder, ZoneAlarm offers a free antivirus and firewall, as well as two paid security suites.

The result is not surprising. One of the questions asked respondents to rate the relative importance of computer-related activities among Community, Entertainment, Information, Productivity, and Security. The following picture summarizes the ratings.

Unsurprisingly, for younger generations, the computer is mainly used for entertainment and community (40% compared to 8% for the baby boomers). Security and privacy will be sacrificed if they interfere with access to the community. This is normal in view of the addictive behavior related to social networking. I would guess that this trend will climb the age pyramid as more and more people enroll in social networking (Facebook has more than 1 billion accounts, whereas Twitter has more than 500 million).

Interestingly, Gen Y (18-25 years) believe they are more knowledgeable about security than baby boomers (63% versus 59%) but suffered more security incidents in the last two years. This most probably comes from different activities and greater exposure to risk through riskier sites.

And without surprise, the cost of security is one excuse for not implementing security solutions. This highlights that some vendors, such as ZoneAlarm or Avast, do not do a good job of communication, as they all offer free versions of their tools. Across generations, half of the respondents estimated that security should be free.

Lessons:

  • Ideal security should be transparent for users (price and ease of use). It must not impair the user experience.
  • Expect many more attacks on social networks in the future. Many people will not sacrifice their community for a more secure environment. This is usual with addiction.