IRDETO becomes a key actor of B2C content protection

On 24th October, IRDETO announced that it acquired BayTSP (founded by Mark ISHIKAWA). BayTSP is one of the few companies that scout the Net, on behalf of content owners, to identify illegal copies of content. IRDETO was initially a Conditional Access solution provider. For several years, IRDETO has been acquiring companies to enlarge its offer while staying focused on distributing content securely.

Recently, IRDETO purchased Cloakware, a company specialized in tamper-resistant software. This acquisition allowed IRDETO to promote a more robust software-based (cardless) solution. Cloakware takes care of protecting the software, which is the usual weak point of cardless solutions. More recently, IRDETO acquired the division of Rovi in charge of SPDC. SPDC is the system that may implement applets to bring additional security to BD+. Rovi had acquired this division from Paul Kocher’s CRI (Cryptography Research Inc).

Now, with BayTSP, IRDETO can offer, in addition to its protection, an investigation service. Nice move. Is the offer complete? I would tend to believe that there is a missing piece: forensic watermarking. Next acquisition?

Thanks to Gwen for the pointer.

Degate

Martin Schobert has designed open source software, called Degate, to help reverse-engineer hardware components. The process is the following:

  • You must first take pictures of the layout of the depassivated chip.
  • Degate then attempts to recognize standard cells using image pattern matching.
  • Degate also attempts to reconstruct the netlist of wires and vias (vias are electrical connections between different layers).
  • Then it can build the full or partial logical layout.

Of course, the better the quality of the initial pictures (for instance using a Focused Ion Beam (FIB)), the easier (and better) the automated result.

Degate will not do all the work. It is a software aid to reverse engineering. In any case, at the end, you will have to understand what the logic layout does. Degate is not a tool for script kiddies. It requires a good knowledge of microelectronics. You’re working at the transistor/cell level.

The site also provides an interesting repository of documentation related to IC reverse-engineering.

Lesson: As with software obfuscation, the fewer reused patterns in the design of the chip, the more robust it is to reverse-engineering.

Sony once more under fire, but proper reaction

Philip Reitinger, CISO of Sony, has announced that about 93,000 accounts on Sony’s systems have been compromised. They monitored a suspicious, massive set of login/password trials. Most of them were unsuccessful, but about 93,000 succeeded. Most probably, the attackers got access to a database of logins/passwords from another web site (such information is available on the Darknet).

Some people use the same login/password for different sites. These people may be the victims of this attack.

We must congratulate Sony for its reaction:

  • Transparency: they were clear on what happened, and provided the data. The reaction of customers was extremely positive.
  • Monitoring: this proves that Sony is carefully monitoring activities to detect strange behaviour or patterns. This is key in security.

Lessons:

  • Customers are ready to hear the truth in case of attack. I would even guess that they would rather be made aware than hear about it once it is far too late.
  • Do not use the same password for all sites, at least not for the critical ones.
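The kind of monitoring described above, as an added example that is not from the post: a detector over constructed login-audit lines that flags a source trying many distinct accounts with mostly failing attempts (the signature of a login/password database taken from another site), and lists the accounts where the reused password worked so they can be reset. The log format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed audit lines (assumed format): <timestamp> <source_ip> <user> <OK|FAIL>.
# 198.51.100.7 tries many accounts once each with leaked pairs; two accounts
# reuse their password elsewhere and succeed. The other sources are normal users.
SAMPLE_LOG = """\
2011-10-12T03:00:01 198.51.100.7 alice FAIL
2011-10-12T03:00:01 198.51.100.7 bob FAIL
2011-10-12T03:00:02 198.51.100.7 carol OK
2011-10-12T03:00:02 198.51.100.7 dave FAIL
2011-10-12T03:00:03 198.51.100.7 erin FAIL
2011-10-12T03:00:03 198.51.100.7 frank OK
2011-10-12T03:00:04 198.51.100.7 grace FAIL
2011-10-12T03:00:04 198.51.100.7 heidi FAIL
2011-10-12T03:00:09 203.0.113.5 alice OK
2011-10-12T03:00:15 203.0.113.9 bob FAIL
2011-10-12T03:00:20 203.0.113.9 bob OK
"""

def parse(log_text):
    """Turn audit lines into (timestamp, ip, user, succeeded) tuples."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            rows.append((ts, ip, user, result == "OK"))
    return rows

def detect_stuffing(rows, min_accounts=5, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts with mostly failing
    attempts. A single-account brute force (one user, many failures) or a
    user mistyping a password is not flagged. Returns {ip: report}."""
    by_ip = defaultdict(list)
    for _ts, ip, user, ok in rows:
        by_ip[ip].append((user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        fail_ratio = sum(not ok for _, ok in attempts) / len(attempts)
        if len(users) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(users),
                "failure_ratio": round(fail_ratio, 2),
                # accounts where the leaked password worked: reset and notify
                "compromised": sorted(u for u, ok in attempts if ok),
            }
    return flagged
```

Running `detect_stuffing(parse(SAMPLE_LOG))` flags only 198.51.100.7, with carol and frank as the accounts to reset.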

NuCaptcha: moving letters

A funny technology where the cat-and-mouse game is extremely active is the field of Captcha. Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In other words, the objective is to make a test that differentiates a human operator from a computer. It is the test of scrambled letters that you have to type to prove that you’re not a robot. For instance, if you want to add a comment on my blog, you’ll have to answer a captcha.

Captcha initially started with a few letters. OCR solved the problem too easily. Then the fonts were distorted, twisted, scratched… And the attackers refined their detection algorithms.

This summer, NuCaptcha proposed a new challenge: you have to identify letters of a given color within a moving text on top of a background. It combines three challenges: identify the color (which may change for each challenge, so you have to identify where the color to detect is defined), extract the text from the background, and then extract the proper letters. In some cases, the background may be animated like a clip. Thus, it seems an interesting challenge.

Interestingly, since August, they have added a few new versions which are branded or advertisement-driven. Unfortunately, although they may bring some revenue, these versions have seriously impaired the difficulty of the challenges (have a look at the demo page and make your own opinion). If you want to use NuCaptcha, I would recommend avoiding the branded or ad versions. Most of the benefits have vanished (at least as they are presented in the demo).

Nevertheless, Captcha is an interesting tradeoff between security and usability.

After The Pirate Bay, here is BayFiles

Two founders of The Pirate Bay, Fredrik Neij and Peter Sunde, launched a new service in August: BayFiles. BayFiles is a cyberlocker such as MegaUpload or RapidShare. Thus, users can upload files and share them with the public. The upload limit, as well as the bandwidth, depends on the subscription model. Unregistered users can share up to 250 MB, whereas premium users have no limits.

When examining the available services and the terms of service, BayFiles officially claims proper behaviour regarding copyright:

We have a policy of terminating, without notice and without recourse, accounts of subscribers or account holders who are repeat infringers of copyright, and you agree that we may apply that policy to your account or subscription in our sole judgment based upon a suspicion on our part or a notification we receive regardless of proof of infringement.

Although they do not seem to use detection tools, they should comply with DMCA take-down notices (which was never the case with The Pirate Bay). Furthermore, BayFiles does not offer search options or shared directories. Thus, it is the user who will have to create the infringement by publicly publishing the sharing address. Furthermore, BayFiles has not implemented a reward program, which is often a huge incentive for illegal sharing.

And because they do not trust pirates, they put up legal fences:

If you write programs aiming to violate our Conditions of Use, you will be prosecuted and made liable for any losses occurred.

This transition from Peer-To-Peer towards cyberlockers is logical:

  • Cyberlockers are taking an increasing share of the illegal sharing of copyrighted content.
  • Cyberlockers are easier to monetize than tracker sites, through subscriptions for premium services.

Cyberlockers are the new challenge in anti-piracy.

Glitching the Xbox

A group of hackers has designed a stunning attack to run arbitrary code on the Xbox. The Xbox uses a hypervisor (or boot loader) that checks that the software being run is properly signed (or does not have the wrong hash). They use fault injection techniques, here glitching. The aim of the attack is to make the processor derail after a serious glitch applied at the precise moment. This technique was initially designed to attack smart cards or secure processors (for instance, see chapter 9 of Markantonakis and K. Mayes, Smart Cards, Tokens, Security and Applications, Springer-Verlag New York, 2008).

In the case of the Xbox, the attackers had to produce a 100 ns glitch on the chip reset when it compares the calculated hash with the stored values. If well designed, the glitch makes the memcmp wrongly report a match and thus allows arbitrary code to run. They had to overcome two challenges:

  • Find the precise moment for the glitch to occur, and find the right shape for the pulse.
  • Find a method to slow down the processor; with a slower processor, the required timing accuracy of the glitch is relaxed.

They succeeded! It is interesting to note that they had to design two solutions: one for the fat Xbox and one for the slim one, as they have different PCBs. For the fat box, they found a pin to slow down the CPU, whereas for the slim one, they attacked the PLL by overwriting parameters in an I2C memory (this old serial bus is not protected).

It is a nice piece of reverse engineering. This is not a consumer-grade hack. It is extremely complex. I believe that here the motivation is purely to meet a technical challenge (real Hackers).

Lessons:

  1. As always, Law 1 is true.  Attackers will always find a way.
  2. Attackers may use top-notch techniques.

TELEX: a new path to anti-censorship

Usually, when you want to avoid censorship on the Internet, you use tools such as TOR and other anonymizing proxies. Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman propose another solution: TELEX. The idea is elegant:

  • The client software hides, using steganography, the request for a censored site inside a request to a high-traffic innocent site. As the request is hidden, the censor should not detect it.
  • Stations outside the borders of the censoring state, within collaborating routers, extract the hidden request and route it to the censored site. For that purpose, they use Deep Packet Inspection (DPI).
  • The censored site and the client enter into a secure channel, thus preventing the censor from analyzing the exchanged data.
  • The collaborating router “impersonates” the innocent site in the traffic to avoid detection.
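The exchange described above, as an added example that is not the paper's code: a Python model of the client tagging a field that is normally random, and of the collaborating station's DPI step recognizing the tag, diverting tagged flows while still answering as the innocent site, and passing everything else untouched. The shared STATION_KEY is an assumption made for the demonstration; the real Telex tag is public-key based so that clients need no shared secret.

```python
import hmac, hashlib, os

# Assumption: the station and client share this key out of band. The real
# Telex tag is public-key (Diffie-Hellman) based so clients need no shared
# secret; the HMAC stand-in keeps the same shape for the demonstration.
STATION_KEY = b"constructed-demo-key"
NONCE_LEN, TAG_LEN = 32, 16   # TLS-style 32-byte client random, half of it a tag

def client_nonce(tagged, key=STATION_KEY):
    """Nonce sent in the innocent-looking request. Untagged clients send
    32 random bytes; a Telex client sends 16 random bytes followed by a
    16-byte keyed tag of them, which to the censor still looks random."""
    seed = os.urandom(NONCE_LEN - TAG_LEN)
    if not tagged:
        return seed + os.urandom(TAG_LEN)
    return seed + hmac.new(key, seed, hashlib.sha256).digest()[:TAG_LEN]

def station_inspect(nonce, key=STATION_KEY):
    """DPI step at a collaborating router: recompute the tag from the random
    half and compare in constant time. Random nonces match with 2^-128 odds."""
    seed, tag = nonce[:NONCE_LEN - TAG_LEN], nonce[NONCE_LEN - TAG_LEN:]
    expected = hmac.new(key, seed, hashlib.sha256).digest()[:TAG_LEN]
    return len(nonce) == NONCE_LEN and hmac.compare_digest(tag, expected)

def session_key(nonce, key=STATION_KEY):
    """Key both ends derive from the tagged nonce to protect the hidden request
    and the answer from the censored site; the censor lacks STATION_KEY."""
    return hmac.new(key, b"session|" + nonce[:NONCE_LEN - TAG_LEN],
                    hashlib.sha256).digest()

def station_handle(flow, key=STATION_KEY):
    """flow = {'innocent_dst': ..., 'nonce': ...}. Tagged flows are diverted
    (the station keeps answering as innocent_dst); others pass untouched."""
    if station_inspect(flow["nonce"], key):
        return ("divert", flow["innocent_dst"], session_key(flow["nonce"], key))
    return ("pass", flow["innocent_dst"], None)
```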

The paper presents a nice threat analysis explaining all the trade-offs to remain stealthy, the strategy that optimally locates the collaborating stations, and how to ideally select the “innocent” site. It is an excellent piece of work that was presented at Usenix 2011.

The main issue is of course to find collaborating routers. This would require either collaborating NSPs or state-funded infrastructure. This is most probably the trickiest part to solve. A utopia?

Alex Halderman, the last author, is well known to the media. He is the one (at that time he went by John A.) who in 2002 demonstrated the weakness of Sony’s anti-rip solution (the shift key), and more recently how to retrieve keys after a cold boot.