New successful media = new threats

Web 2.0 is extremely active. New usages and new tools appear very quickly, and some of them are extremely successful. One of the most successful at the moment is Twitter. If you do not have both a Facebook/MySpace account and a Twitter account, you’re a dinosaur. (This is my case ;-) )

Thus, Web 2.0 is evolving extremely fast. The only thing that evolves faster is the cracking community. The more successful the new service, the more attractive a target it is for crackers.

There are already some worms dedicated to Twitter. The latest one (30 May) is the “best video” from http://juste.ru. A Twitter user who clicks on this link inside the message connects to this site. The site then infects the host computer and steals Facebook and Twitter credentials. With these credentials, it sends the spam message to your friends, who trust you. It is spreading fast. Here are Twitter’s recommendations:

No matter how good that “best video” looks, don’t go to any juste.ru domains. We’re aware of the situation and are working on it.

Update: We do not believe that anyone’s personal information was compromised as a result of this outbreak; suspended accounts should be cleaned and restored soon.

Once more, the same old tricks based on social engineering. Just because a link comes from Twitter does not mean the site behind it is not nefarious. People should stop clicking on links without knowing what is behind them (just as they should not open files they do not know).

New media simply open new highways for attacks, and crackers immediately use these nice unprotected avenues.
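Twitter's advice covers "any juste.ru domains", which a filter has to read as the domain and all of its subdomains, not as a substring. The following is an added example (not from the original post or from Twitter) of that check over message text; the sample messages and the lookalike hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Blocklist built from the domain named in Twitter's advisory above.
BLOCKED_DOMAINS = {"juste.ru"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname_of(url):
    """Return the lower-cased hostname of a URL, or None if unparsable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def flag_message(text, blocked=BLOCKED_DOMAINS):
    """Return the URLs in a message whose host falls under a blocked domain."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)]")  # sentence punctuation glued to the link
        host = hostname_of(url)
        if host and is_blocked(host, blocked):
            hits.append(url)
    return hits


# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Best video http://juste.ru/",
    "wow http://www.juste.ru/video?id=1 check it",
    "Upper case and trailing dot: HTTP://JUSTE.RU.",
    "different domain, same ending: http://notjuste.ru/",
    "blocked name as a label only: http://juste.ru.example.com/",
    "no link at all",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(bool(flag_message(msg)), "|", msg)
```

A plain substring test would flag the fourth and fifth samples as well; comparing parsed hostnames avoids those false positives.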

SF: L’agent des ombres

I started this saga by Michel Robert. It is awfully disappointing. The hero is a superhero with superpowers, extremely powerful, in the middle of a battle between the forces of Light, the forces of Darkness and the forces of Chaos. No major flaw. I hate this type of hero. They are not interesting.

As a superhero working for Chaos, I prefer Elric of Melniboné, the Necromancer. Funnily, the hero has a dagger with a special power that he does not control. This looks far too much like Stormbringer, the evil magic sword of Elric.

My advice: don’t start this saga. Rather read (or re-read) Moorcock’s saga of Elric.

The saga is only available in French.

Sims 3 leaked out


The long-awaited Sims 3 was expected to launch officially worldwide on 2nd June. Electronic Arts, following the outcry against the DRM in Spore, decided to stay with its usual disc activation without online authentication.

It seems that this gesture of good will was not sufficient. The game is already available on P2P networks. It leaked at the beginning of this week. The version seems to work (at least judging by the comments) and is delivered with the crack. Three versions seem to be available. The 5.6Gb ISO file already has more than 3.000 seeders. No doubt it will be a success in the download top ten.

After the leak of “Wolverine”, it is EA’s turn. Unfortunately, this is a final version. Will that impact the sales? Aficionados have certainly been waiting for this game for a very long time. It became even worse when EA announced a multi-month delay. For sure, eagerness to get their hands on the game as soon as possible will push people to download it. How many of them will turn back to the official version once it is available?

The game industry has the same issue as the movie industry with leaks before release. Finding efficient solutions is probably more difficult for games. Date enforcement and traitor tracing should be interesting topics to investigate.

Let’s wait until the 2nd July to see the impact. By the way, the downloaders’ comments on the game itself are extremely positive. :-)

Duplicating remotely physical keys

We all protect our houses with keys and locks. Most of us are probably aware that locks will not resist an expert locksmith using lock picking or lock bumping. Last year, three US students demonstrated that we should perhaps also fear our neighbors.

They demonstrated that with some minor signal processing tools, it is easy to extract all the needed information from a digital picture to reproduce the key. The steps are rather simple:

  • Take one picture
  • Using reference points (from the given type of key), compensate for distortion through homography
  • Normalize the picture to get a reference size
  • Measure the pits and valleys
  • Reproduce the key

They experimented with normal digital cameras and cell phones. The most impressive experiment used a 5000mm focal length to capture pictures from up to 100 feet. And it worked!

Funny paper that once more demonstrates that the frontiers of security are always moving back.

Cheap face recognition

I just read about KeyLemon, a company that offers face-recognition-based login to Windows XP for less than 40$. They have a trial version. For fun, I decided to try it.

The installation was straightforward. It used my webcam. When registering for the first time, it became touchy. The software wants you to be in a given, relatively precise position.

Instead of your typical login screen, you have a screen that displays what the webcam sees, and a field to possibly enter your password. Once it recognized me (after a few seconds), it logged on without any problem. Now, the funny part: let’s push the limit slightly. I registered with my glasses, because I work without them in front of my screen. When I tried with the glasses, it did not recognize me. OK, let’s do it without the glasses.

Of course, you all already thought about it. I took a picture of myself with the webcam and printed it on the color printer. YES!!!! It recognized my picture! That’s really bad! An easy way to impersonate.

Then, I decided to comb my hair (those who know me will understand ;-) ). It did not recognize me. Phew, my picture works.

Then, I decided to train the tool better. After 20 cumulative training sessions (with glasses or not, combed or not), it performed worse. Thankfully, there was still the field to type the password in.

KeyLemon is a funny tool but not a secure tool. Don’t trust it. Interestingly, the announced advantages:

“Stop wasting time entering your password”

I’m not sure who would win the race.

“Stop remembering your password”

No!!! What if it does not work correctly?

The only funny feature is that it locks the computer once it no longer sees you in front of the screen.

Retrieving lost passwords through social interaction

What happens when you forget your password? Often there is an automatic backup procedure that allows you to get it back. Sometimes, it is just an authentication through your e-mail address, i.e. the password or a new one is sent to the address you registered. More often, it uses secret questions that should authenticate you, for instance the name of your pet or your birth town. Obviously, these secret questions have two problems:

  • They are easy to guess because they are too simple. You may harden them by cheating on the answer, but then you need to remember how you cheated.
  • If they are too complex, then you may have forgotten the answer.

In other words, they are inadequate, although widely deployed.

S. Schechter, S. Egelman and R. Reeder from Microsoft describe an interesting solution to this problem in “It’s not what you know, but who you know”. Each user defines a list of trustees. Each trustee will receive a recovery code. To retrieve the password, the user must obtain from his/her trustees their recovery codes.

The experiment highlighted two issues:

  • After a while, the user often forgets his/her trustees. Thus, you need a procedure to retrieve the trustees’ identity.
  • Many trustees would provide the recovery code to someone close to the user.

I would also add a major one: it takes a lot of time. One subject took 5 days to get three recovery codes. Often, you want immediate access.

Nevertheless, an interesting paper to read. I recommend the section that describes how the trustee gets the recovery code. It was designed to highlight many risks of social engineering. Nice work.
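The server side of such a trustee scheme can be sketched as follows. This is an added example, not code from the paper or from Microsoft; the class name, the threshold of three distinct trustees, the seven-day lifetime and the code format are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

THRESHOLD = 3             # assumption: codes needed from distinct trustees
CODE_TTL = 7 * 24 * 3600  # assumption: an attempt expires after seven days


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class Recovery:
    """One recovery attempt for one account (hypothetical design)."""

    def __init__(self, trustees, now=None):
        self.started = time.time() if now is None else now
        self.trustees = set(trustees)
        self.pending = {}      # trustee -> SHA-256 of the code issued to them
        self.accepted = set()  # trustees whose code the user has presented

    def issue_code(self, trustee):
        """Give a trustee a fresh code; only its hash is kept server-side."""
        if trustee not in self.trustees:
            raise KeyError("not a trustee for this account")
        code = secrets.token_hex(8)
        self.pending[trustee] = _digest(code)
        return code

    def submit(self, code, now=None):
        """User presents a code; True once THRESHOLD trustees are covered."""
        now = time.time() if now is None else now
        if now - self.started > CODE_TTL:
            return False                      # stale attempt: start over
        presented = _digest(code)
        for trustee, stored in list(self.pending.items()):
            if hmac.compare_digest(presented, stored):
                del self.pending[trustee]     # each code is single use
                self.accepted.add(trustee)    # a trustee counts only once
        return len(self.accepted) >= THRESHOLD


if __name__ == "__main__":
    attempt = Recovery(["alice", "bob", "carol", "dave"])  # constructed names
    codes = [attempt.issue_code(t) for t in ("alice", "bob", "carol")]
    print([attempt.submit(c) for c in codes])  # [False, False, True]
```

Requiring several distinct trustees means that one trustee who hands a code to the wrong person is not enough to take over the account, at the cost of the delay noted above.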

Is French HADOPI law dead? (7)

The French law “Création et Internet” has been approved by the two chambers. On Tuesday, the French deputies voted on the law for the second time. This time it passed easily. The right-wing deputies were massively present to vote yes (compared to the last presentation).
Yesterday, the senators approved the law. The French government can now launch the HADOPI. The HADOPI is the body that will manage the graduated riposte.

Is the story finished? Not sure. Last week, the European Parliament approved amendment 138, which requires a court decision to cancel an Internet connection. It is not yet sure that the modus operandi of HADOPI will respect the law. No doubt the anti-HADOPI proponents will try to use this threat.

The story continues…