Cracking commercial quantum cryptography

Posted on by
Reply

Quantum cryptography is a strange beast. The first commercial solutions, for instance by Quantique ID, are already available. And they are already hacked. Researchers of the Norge Quantum Hacking group have succeed to succesfully eavesdrop communications.

Of course, the vulnerability was not in the concept of quantum cryptography itself but on some technological loopholes. As usually, weakness comes from implementation. They present a nice gallery of pictures illustrating the material and the methods used by the exploit.

It is not the first exploit of this team. See Cracked Quantum Cryptography?

An analysis of Private Browsing Modes in Modern Browsers

Posted on by
Reply

Tuesday, November 2, 2010

Gaurav AGGARWAL, Elie BURZSTEIN, Collin JACKSON and Dan BONEH published an analysis of the private browsing mode in Internet Explorer, 8, Firefox 3.5, Safari 4, and Chrome 5.

What is private browsing mode? According to Mozilla:

Firefox 3.5 and later provide “Private Browsing,” which allows you to browse the Internet without Firefox saving any data about which sites and pages you have visited.

According to the researchers, all four browsers failed. Don’t panic!

The researchers provided a very drastic definition of private browsing that extends further than Mozilla’s one. For instance, they define four types of persistent state changes:

  • Initiated by the web site without user interaction such as cookie, adding entry in the history file…
  • Initiated by a web site but with user interaction such as generating a client certificate, adding a password to the password database
  • Initiated by the user such as adding a bookmark
  • Installing a patch or updating a blocking list

All browsers do a decent job for the first category. Nevertheless, they are less well-performing for the other categories. For instance, all the four browsers retain a SSL certificate generated while in private browsing mode. The certificate will leak the site address.

Most of the people are only concerned with the first category. Thus, they are safe. More paranoid people should study their browser and act correspondingly.

Interestingly, the paper proposed three goals versus a web attacker:

  • A web site cannot link a user visiting in private mode to the same user visiting in public mode
  • A web site cannot link a user in one private session to the same user in another private session.
  • A web site should not be able to guess if the browser is in private mode

They also highlighted an under evaluated risk. Although the browser supports a private mode, it does not mean that the plug-ins act also in private mode. In other words, while the browser is in private mode, your addons may still leak information  :Happy:

ACM DRM 2010

Posted on by
Reply

Thursday, October 28, 2010

The 9th ACM Workshop on Digital Rights Management was held in Chicago on October 4, 2010. The conference was sponsored by Microsoft and Technicolor.

Following is a short highlights of my preferred papers:

  • The privacy of tracing traitors , Moni NaorHe presented mainly issues about privacy in the case of statistical analysis of largely populated databases. He presented his recent works (2008) on how to sanitize such databases while maintaining differential privacy. The idea is to present a fake database that should have the same answers than the real one but without the actual data. This is extremely computing hungry.

    The link with traitor tracing was dim. The conclusion was that traitor tracing is possible if and only if sanitizing is hard. The not surprising conclusion is that traitor tracing and privacy are contradictory.

  • A General Model for Hiding Control Flow, Jan Cappaert (UKL)This presentation was about software tamper resistance, more specifically obfuscation. The idea is to enhance the flattening Control Flow Graph with relative values rather than local values plus the use hash. They propose a switch function as template.
    Worthwhile to read. It was most probably one of the best paper of this workshop (at least according to me).
  • Is the Internet a Foe or a Friend to Theatrical Releases and the Motion Picture Industry?, Warren LieberfarbHe presented the history of the video distribution highlighting that each threat ended up as an opportunity. Then, he pleaded for a standard endorsed by all studios that would encompass a removable tiny storage media (NAND flash based) and a robust DRM with forensics capabilities. In other words, vertical interoperability.
    The audience was captivated. Warren is a pionneer of video and knows perfectly the history of video distribution being one of its early actors. I am sure that many people in the audience discovered several interesting stories.
  • An Interoperable Usage Management Framework, Pramod JamkhedkarA framework that attempts to unify the different RELs independently from the execution platform. It should unify both declarative RELs and logical RELs. The approach is object oriented and focus on the REL and not the enforcement.
    Highly theoretical work.

I presented a paper, co-authored with ROBERT Arnaud (Disney) about Interoperable Digital Rights Locker.

The full program is available here.

XSS vulnerabilities and anti virus vendors

Posted on by
Reply

Team Elite, a team of white hackers, disclosed last week Cross Site Scripting (XSS) vulnerabilities on the sites of three antivirus vendors: Symantec, ESET, and Panda Security. All three vendors promptly closed the vulnerabilities. The mere fact that the sites of security specialists host such well-known vulnerabilities highlights the difficult to create a clean secure software/site.

XSS is probably one of the most spread (and faster growing) vulnerability on the Web. The next issue of the security newsletter (#17, to be issued within a fortnight) will touch this issue of XSS. XSS is to Web sites what buffer overflow is to normal software: a well-known issue that nevertheless always appears.

The site of Team Elite is a nice repository of many vulnerabilities.

Apple, Jailbreaking and Patents

Posted on by
Reply

Monday, September 13, 2010

Put together these three words and you obtain an explosive cocktail that will surely make the headlines. End of July, a new type of Jailbreaking for iPhone and iPad appeared. Two weeks later, Apple closed the hole. Unfortunately, one week later, somebody highlighted an Apple patent that was filed in February 2009 (There is a period of 18 months after filing while the text of the patent is not public). It was claimed that Apple patented a method to fight jailbreaking and even brick the phone in case of jailbreaking. Most of the news I’ve seen on the Net where making the same statement.
Thus, I decided to have a look on this patent. The title of the patent is “Systems and methods for identifying unauthorized users of an electronic device”. Where is jailbreaking? The patent is about identifying an unauthorized user, not about identifying an unauthorized action. To identify an unauthorized users, the patent proposes in sub claims many solutions such as voice identification (comparing to voice print of authorized users), face recognition, heartbeat sensor (I was not aware of this type of biometrics, has somebody a good pointer?), or proximity detection of a sensor such as NFC. Once an unauthorized user detected, the patent claims that the device collects some information such as keylogging, logging the Internet activity, taking pictures with geotag, or using an accelerometer to identify the current mode of transportation. Then it sends an alert to a responsible party with the collected data.
The patent describes also a larger definition of unauthorized user by

“[0039]As another example, an activity that can detect an unauthorized user can be any action that may indicate the electronic device is being tampered with being, for example hacked, jailbroken, or unlocked. For example, a sudden increase in memory usage of the electronic device can indicate that a hacking program is being run and that an unauthorized user may be using the electronic device. “

:Happy:
Even funnier

“As yet another example of activities that can indicate tampering with the electronic device, an unauthorized user can be detected when a subscriber identity module (SIM) card is removed from or replaced in the electronic device.”

Good luck for the many false positives. Jailbreaking is really a side issue in this patent. It is more valid against thefts than against jailbreaking. Would the device be able to detect jailbreaking, most probably would it be able to cancel the action. Of course, now it is legal to jailbreak the phone, at least in the US.

The lesson is that you should not trust too much what you read in the blogs. Build your own opinion. read the source documents. I am sure that very few of the journalists or bloggers that reported the news did in fact have read the patent.

The risk of geo-tagging

Posted on by
Reply

Once more, new technology introduced threats on privacy. FRIEDLAND Gerald and SOMMER Robin, in their paper “Cybercasing the Joint: On the Privacy Implications of Geo-Tagging” clearly highlight the new risks.

Many high end phones, such as iPhones, come with GPS. Undoubtfully, GPS is a great feature. Once you used it, you cannot live anymore without. Nevertheless, the combination of GPS and camera is a problem. Currently, all such devices embed a geo-tag, i.e. the precise location, in the metadata of pictures shot by the camera. And many of such pictures end up on Flicker, Facebook and Craig List. This metadata can be easily extracted through standard tools.

In other words, if you publish on Internet a picture of your house taken with your iPhone, it will be extremely easy for anybody to locate you for instance using Google Street View. The paper presents a very illustrative example.

Of course, you can disable the geo-tagging. But, (1) you must be aware of the threat, and then (2) find how to disable it. The solution should be that the manufacturers make this feature as opt-in, i.e. disabled by default. Very unlikely, because manufacturers load the devices with new features ready to work.

If you have a mobile phone with GPS, think about it. Personnaly, I know what I would do.

But(t) Authentication

Posted on by
Reply

No, I’m not turning my blog into a porn site. I just refer to a recent paper from FERRO M., PIOGGIA G., TOGNETTI A., CARBONARO N., and DE ROSSI D. These extremely serious Italian researchers have published “A Sensing Seat for Human Authentication“.

We know many biometrics authentications using voice, finger, palm, or iris. We had recognition through the way you walk, or the way you type. This one is recognition through the way you seat.

The seat is equipped with a set of strain sensors. These sensors show piezoresistive properties that can be turned into a digital fingerprint of the seating person. the paper describes the system, explains the measuring methods. They tested their system on 20 people over a period of 20 days in a truck simulator. The True Acceptance Rate is about 90-95%. The False Acceptance Rate was about 5%.

The researchers acknowledge that there are may parameters in the real world that may impact these rates such as movements and vibrations and changes of the human profile. A wallet in the pocket may derail the system. Too many hamburgers during a long period most probably also  :Wink:

The target is automotive industry. They foresee to couple it with face and voice recognition.

Thanks to BC for the pointer.