An original way to mark text

Amazon has filed an interesting patent titled System and method for marking content. The idea is rather simple. Create a dictionary of synonyms. To uniquely mark a piece of textual content, permute a set of defined words by selected synonyms. Of course, the patent explores all the alternatives, but in a nutshell this is the main idea.

For fun, here is the first claim:

1. A system, comprising: a processor; and a memory comprising program instructions, wherein the program instructions are executable by the processor to: receive a request for particular content; extract a copy of the requested particular content from a content collection, wherein the particular content includes textual data; substitute a synonym for each of one or more selected words in the textual data of the copy, wherein to substitute a synonym for each of one or more selected words, the program instructions are further executable by the processor to: access a synonym database comprising a plurality of key words, wherein each key word is associated with one or more synonyms in the synonym database; and select a particular synonym to substitute for a particular selected word in the textual data of the copy from one or more synonyms associated with a key word in the database that matches the particular selected word in the textual data of the copy; and return the copy with the substituted synonyms in response to the request.

Does it work? For a watermark, there are typically three parameters to examine:

  • Transparency: There are some issues. First of all, it is probably not applicable to literature: synonyms are rarely perfect, and authors may not accept modifications of their text. Nevertheless, for many texts and for non-purists, it may be rather transparent, although I am not sure there would be no readable artifacts.
  • Robustness: Obviously, it is easy to detect some substitutions. If the integrity of the content is not protected, it is rather easy to wash the mark or to forge a new marked copy. If the purpose is to fight piracy (such as illegal redistribution), it will not work: the hacker will remove the integrity protection and substitute.
  • Payload: It depends on the text’s length and on the variety of the vocabulary used.

It is an interesting approach, although not a robust one. In some specific contexts, it may be of interest.
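To make the mechanism concrete, here is a small Python illustration of the marking scheme and of the three parameters above. It is an added example, not code from the patent or from Amazon: the synonym dictionary, the convention that the index of the chosen synonym carries one bit, and the sample sentence are all constructed for this example. The payload is simply the number of dictionary words in the text, and the wash() function shows why the post insists on integrity protection: with the dictionary in hand, the same substitution machinery removes the mark.

```python
"""Synonym-substitution marking of text, in the spirit of the patent claim above.

Added illustration, not code from the patent or from Amazon. The synonym
dictionary, the bit convention (synonym index = bit value) and the sample
sentence are constructed for this example.
"""
import re

# Constructed dictionary: key word -> its two admissible forms.
# Choosing form 0 encodes a 0 bit, form 1 encodes a 1 bit (an assumption of
# this example, not something the patent specifies).
SYNONYMS = {
    "big": ["big", "large"],
    "quick": ["quick", "fast"],
    "begin": ["begin", "start"],
    "buy": ["buy", "purchase"],
    "show": ["show", "display"],
    "error": ["error", "mistake"],
}

# Reverse index: any admissible form -> (key word, bit it encodes)
REVERSE = {form: (key, bit)
           for key, forms in SYNONYMS.items()
           for bit, form in enumerate(forms)}

# Split text into alternating word / non-word runs so it can be rebuilt exactly.
TOKEN_RE = re.compile(r"[A-Za-z]+|[^A-Za-z]+")

# Constructed sample text
SAMPLE_TEXT = ("The quick fox will begin to show a big error "
               "when you buy the tool.")


def capacity(text):
    """Payload in bits: one bit per word that has a dictionary entry."""
    return sum(1 for tok in TOKEN_RE.findall(text) if tok.lower() in REVERSE)


def id_to_bits(ident, width):
    """Big-endian bit list for an integer identifier (e.g. a customer number)."""
    return [(ident >> (width - 1 - k)) & 1 for k in range(width)]


def mark(text, bits):
    """Return a copy of text whose i-th markable word carries bits[i].

    Markable words beyond len(bits) are left unchanged. Capitalisation of the
    original word is preserved so the mark does not show up as a case change.
    """
    if len(bits) > capacity(text):
        raise ValueError("payload of %d bits exceeds capacity of %d"
                         % (len(bits), capacity(text)))
    out, i = [], 0
    for tok in TOKEN_RE.findall(text):
        low = tok.lower()
        if low in REVERSE and i < len(bits):
            key, _ = REVERSE[low]
            repl = SYNONYMS[key][bits[i]]
            out.append(repl.capitalize() if tok[0].isupper() else repl)
            i += 1
        else:
            out.append(tok)
    return "".join(out)


def extract(text):
    """Read the bit carried by every markable word, in text order."""
    return [REVERSE[tok.lower()][1]
            for tok in TOKEN_RE.findall(text) if tok.lower() in REVERSE]


def wash(text):
    """Normalise every markable word to form 0.

    This is the trivial 'washing' the post mentions: without integrity
    protection on the marked copy, anyone holding the dictionary can remove
    the mark with the same substitution machinery.
    """
    return mark(text, [0] * capacity(text))


if __name__ == "__main__":
    bits = id_to_bits(44, capacity(SAMPLE_TEXT))   # 44 = 0b101100
    marked = mark(SAMPLE_TEXT, bits)
    print("capacity :", capacity(SAMPLE_TEXT), "bits")
    print("marked   :", marked)
    print("extracted:", extract(marked))
    print("washed   :", extract(wash(marked)))
```

With a six-word dictionary the sample sentence carries six bits, which is exactly the payload remark: a short text with a narrow vocabulary cannot carry a useful identifier, and a copy that is not integrity-protected loses the identifier as soon as the words are normalised.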

Thanks to JJQ for pointing to this patent. :Happy:

Bourse aux Technologies 2009

IE club (a network of entrepreneurs), Seventure Partners (a VC) and Institut Telecom (a group of schools) organize a technology fair each year. This year’s theme was security.

I was invited to make the opening presentation for the panel. My presentation was “Sécurité et Success Stories : quelques leçons” (Sorry, it is in French).

Of course, the key event is the demonstration of a set of technologies. The goal is for entrepreneurs to find a technology they could promote or use in their products.

Many demonstrators were promising. My selection:

  • Analysis of vulnerabilities in software; all the demonstrated technologies were limited to static analysis
  • Analysis of information flow for embedded devices
  • Secure storage of files using P2P, based on access control
  • Hardware-based true random number generator
  • Smart card emulation for the simulation of fault injection

The last two were extremely technical but probably have a very narrow potential market (secure IC manufacturers, who were not present).

Both the panel and the demonstrations demonstrated that France is still one of the homes of serious security.

Articulating The Business Value Of Information

I read a recent report from Forrester Research: “Articulating The Business Value Of Information” by Khalid Kark.

According to this report, security adds value in five sectors:

  • Reputation: Security protects your brand equity
  • Regulation: Security reduces the cost of meeting IT regulatory mandates
  • Revenue: Security protects existing revenue streams and helps generate new ones
  • Resilience: Security ensures your business functions even during adverse conditions
  • Recession: Security affects the top line and the bottom line of the business

Khalid proposes ten tricks to change security’s image. The following are my favorites:

  • Redirect the conversation away from threats and toward risks
  • Make security processes transparent
  • Focus more on value articulation and less on return on investment (ROI)

The report has nothing revolutionary. Practitioners already know all this, but the report has the advantage of listing and presenting the arguments. I hope you find a few more arguments in it the next time you have to negotiate a security-related budget.

H1N1 and social engineering

Spammers have become extremely good at social engineering. The latest one I received is very clever.

From: Centers for Disease Control and Prevention [674651373med@cdcdelivery.gov]
To: *Security Reporting
Subject: Create your personal Vaccination Profile

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:

create personal profile

This mail is damned clever.

  • First of all, it uses a basic fear motivation, the swine flu, and a current topic: vaccination.
  • Then a pinch of truth, “The Vaccination is not obligatory”, and then the trick: “every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site”. Whether you get vaccinated or not, you have to register!!
  • Of course, the CDC exists, and so does the site cdc.gov. The address behind the link, of course, does not point to cdc.gov but to a .im domain. This extension belongs to the Isle of Man but can be used by any individual.
  • Grammar and spelling are OK (at least for me 🙂 ), which is often not the case.

When such a mail arrives in a non-personal mailbox, there is no doubt that it is malware. But will Joe Average detect it as such? Or will he follow the initial reactions of his reptilian brain (flu = fear, CDC = authority…)?

Social engineering is definitely a dangerous weapon.

[update: 3-dec The news about this malware is every where on the blogosphere. Here are more technical details http://blog.appriver … tribute-malware.html ]
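The indicators listed above (an organisation named in the sender's display name whose address is not under that organisation's domain, and a link whose anchor text or path borrows the legitimate domain while its host is elsewhere) are mechanical enough to check in a mail gateway or a triage script. The following Python is an added example, not part of the original post or of any vendor tool: the message embedded in it is a constructed reproduction of the lure's shape, the link target profile.example.im is a placeholder rather than the real destination, and the keyword-to-domain table is an assumption of the example.

```python
"""Check a raw e-mail for the sender/link indicators discussed in the post.

Added illustration, not code from the original post. RAW_MAIL is a constructed
reproduction of the lure; the link host is a placeholder.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (link target is a placeholder, not the real one)
RAW_MAIL = b"""\
From: Centers for Disease Control and Prevention <674651373med@cdcdelivery.gov>
To: security-reporting@example.org
Subject: Create your personal Vaccination Profile
Content-Type: text/html; charset=utf-8

<html><body>
<p>You need to create your personal H1N1 (swine flu) Vaccination Profile
on the cdc.gov website.</p>
<p><a href="http://profile.example.im/cdc.gov/">create personal profile</a></p>
</body></html>
"""

# Assumption of this example: keyword that names an organisation -> the domain
# a genuine message from it would use.
CLAIMED_DOMAINS = {"cdc": "cdc.gov"}


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_in(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Return the claimed organisation domain, sender domain, links and findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    collector = LinkCollector()
    collector.feed(body)

    # Which organisation does the mail claim to come from?
    haystack = " ".join([display_name, str(msg["Subject"]), body]).lower()
    claimed = next((d for kw, d in CLAIMED_DOMAINS.items() if kw in haystack), None)

    findings = []
    if claimed and not domain_in(sender_domain, claimed):
        findings.append(("sender-domain-mismatch",
                         "%s is not under %s" % (sender_domain, claimed)))
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if claimed and not domain_in(host, claimed):
            findings.append(("link-host-mismatch",
                             "'%s' -> %s (tld .%s)" % (text, host, host.rsplit(".", 1)[-1])))
        if claimed and claimed in parsed.path.lower():
            findings.append(("domain-in-path",
                             "%s appears in the path of %s, not in its host" % (claimed, href)))
    return {"claimed_domain": claimed, "sender_domain": sender_domain,
            "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for code, detail in analyze(RAW_MAIL)["findings"]:
        print(code, ":", detail)
```

The checks are deliberately narrow: they flag a mismatch between what the mail claims to be and where its address and links actually resolve, which is what the post's reader is expected to notice by eye. They say nothing about the payload behind the link, which is where the actual malware analysis would start.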

Security of cloud computing

There is not a lot of doubt that cloud computing is the next frontier. Unfortunately, like the Far West, cloud computing will in its early days be a territory where security may be weak (euphemism :Wink: ).

Already, a lot of effort is going into analyzing the threats and finding solutions. In this vein, there is an interesting approach proposed by Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage in their paper “Hey, You, Get Off of My Cloud”. They observed that the same physical server may run virtual machines (VMs) belonging to different customers. The goal of their attack is to place a malicious VM on the same server as the target. Then, by measuring several parameters such as cache usage or estimated traffic rates, they would be able to infer some information: in other words, a side-channel attack.

Obviously, the most questionable point is the first one. It rests on two assumptions:

  • Being able to co-reside on a server with the target. A complete section (number 7) proposes different strategies to succeed on Amazon’s EC2.
  • Being able to implement a malicious VM, for instance through an existing vulnerability. This one seems even more questionable.

I am not sure that the disclosed attack is more than a nice theoretical exercise. Nevertheless, it has the advantage of raising many interesting questions. I’m sure that side-channel attacks on cloud computing will become a very thrilling domain of exploration.

The paper was presented at CCS’09. Thomson sponsored one of the hosted workshops (ACM DRM Workshop 09).

Smart cards, Tokens, Security and Applications

This book (Springer 2008), edited by Keith Mayes and Konstantinos Markantonakis, provides an overview of secure chips and their applications. It mainly focuses on two types of tokens: contact and contactless. Except for a brief introduction to Trusted Platform Modules (TPM), the book does not detail embedded ICs or Hardware Security Modules (HSM). The book describes the major operating systems and environments (Java Card, Global Platform, MultOS…) and details the application development environments for Java Card and the SIM toolkit. The book explores different fields of application: mobile, banking, Pay TV and ID cards. A special focus is given to mobile applications.

In my mind, smart cards are strongly associated with security. Security is what is absent from this book. The book never speaks about the hacks. In the contactless field, transport cards are often cited, but the recent hacks are never mentioned. For ID cards, the recent problems with passports are never disclosed.

Should you read it? If you are looking for a basic introduction to smart cards, this may be one of the references to read. Thus it may interest non-security students, people who want a first level of understanding, journalists… If you are looking for a good understanding of one of the domains of use of smart cards, then look for a more specialized book. If you are a security expert, this book is definitely not for you.

A more complete review is available on the IACR web site.