China wants source code (2)

The Yomiuri Shimbun reported additional information. Some products that will be subject to the approval:

  • OS of contactless cards such as Felica (Sony’s contactless smart card) and MultOS
  • Digital photocopiers, the OS of AV products, ATMs or Point of Sale devices!
  • Routers (no surprise at all, it would have been the first category I would have requested)
  • Software for data backup

The list is rather interesting because most of these products may have an impact on the overall security of the nation. An entity that had a backdoor in these devices would have access to interesting data. Let’s take a simple device like a digital photocopier. The OS may have access to the digitized image. It could store it in some hidden storage unit. A maintenance crew could then retrieve the storage unit. Of course, storage capacity is limited. But now add OCR software and a filtering software that spots a list of sensitive tag names. The spy software stores only the potentially interesting data. By the way, how can we be sure that this is not already the case? Photocopiers have some hidden features that are not often publicized. Try to copy a banknote with a high-res color XEROX. Surprise, surprise…

To the mere intent of economic intelligence, we could add to the list: detecting potential backdoors and spyware, or implementing such backdoors.

By the way, the new regulation is scheduled for May 2009!

Many thanks to Masaru san.

China wants source code

According to the Yomiuri Shimbun, the Chinese government plans to request access to the source code of electronic equipment. The official rationale is to validate that the device will be immune to Internet viruses, in order to fight this malware. Without this approval, foreign companies would be banned from importing devices into China. The Japanese newspaper does not disclose what happens if the examiners find some weaknesses. Will they return the information to the manufacturer so it can fix them? Will they keep it secret?…

Of course, most people assimilate this process to economic intelligence. The Chinese government provides no guarantee that the source code would not leak. It is far easier than reverse engineering. It would also be an interesting method to find some ways to crack installed devices. They would just not disclose the exploit (and it is smarter than asking for back doors). This type of exploit could be used both on the domestic market (to spy on Chinese citizens) and in foreign countries (if the exploit is applicable to other releases). This would also ease the production of counterfeited critical devices (see the FBI warning against counterfeited CISCO routers).

The announced rationale makes no sense. Every security specialist knows that it is impossible to analyze a full source code and find all the security vulnerabilities. If we knew how to do it, we would have more secure products in the field. Hardening even a small piece of software is already a complex task, let alone a complete application.

It is therefore more likely legitimate to judge the Chinese government on its mere intent. I doubt that many companies would accept.

Securing Virtual Worlds

Dr Igor MUTTIK, McAfee Labs, edited a document entitled “Securing Virtual Worlds Against Real Attacks”. The document is interesting. It is very IT-security oriented, in that it works on the traditional problems related to IT in a client-server environment. The only specificity to Virtual Worlds is the fight against cheating applets. Thus, only good advice but nothing revolutionary. In other words, he did not explore the new threats specific to Virtual Worlds (and there are many).

Nevertheless, he gives interesting advice for potential researchers into in-game threats. They will need:

  • better than average knowledge of the environment
  • better access to the environment
  • clearance from the employer to run tests for malware in various gaming environments. This need for clearance applies to any researcher who handles malware.
  • enough demand from customers to justify research and development for such security solutions. For him, the customers are the gamers. This is a typical bias coming from an anti-virus company: the customer is the end user. I believe that the customers are the game editors. If their game is plagued by security flaws, making it not fun to play, then gamers will escape to another world.

Virtual worlds will be under fire from typical malware but also from new threats specific to them. Gamers will request that their favorite virtual world be safe (from the computing environment point of view, not from the game play point of view). There is a need to study these problems with a scope larger than traditional IT security.

Spore: a great game (even with DRM)

Last week, I presented the anti-DRM crusade against the new simulation game Spore. In any case, DRM did not stop me from purchasing it. My personal opinion is that it is a great game (at least as I like them ;-)). Hereafter are some of my first creatures.

The installation requires an Internet connection. Without initial registration on the server, the game will not start (this is frustrating when installing in a train 🙁). Once registered, there is no further need for the Internet or for the genuine disc. Nevertheless, an online connection offers many goodies: the possibility to share creatures, biodiversity on the planet thanks to creatures from other players, the possibility to post videos of your creatures on YouTube, and automatic patch installation.

An 86Mb patch is already available. In theory, it is possible to apply it manually without the official download manager. Nevertheless, I did not succeed: the patch did not find my official Spore version. When patching through the game, it was painless.

A naughty idea of mine: what about issuing an application with a severe known flaw? The patch release would need online registration. Furthermore, the patch would check that the copy protection elements have not been tampered with and are still in place. Of course, it may not please customers. Furthermore, it may not be legal.

A cracked version is already available. It seems to be quite successful, judging by the number of seeds and leeches. It works. The crack does bypass the registration phase. Of course, it also provides a key generator. I did not test whether the patch works on it.

Conclusion: the online connection to the Spore server brings so many goodies that maybe Electronic Arts (EA) could have avoided the limitation to three computers. Online real-time checking of uniqueness by the server may have been sufficient. EA will issue another blockbuster next year: The Sims 3. Will EA use the same DRM policy for it?

Red Hat compromised

In August, Red Hat disclosed that some OpenSSH packages had been illegally signed. An intruder succeeded in penetrating Red Hat’s IT infrastructure and in accessing Red Hat’s signing computer. Thus he succeeded in signing his or her own variants of OpenSSH. There was no evidence that they leaked out. Nevertheless, Red Hat provided tools to detect these variants and issued a new clean version signed with a new signature key. The old one will be revoked.

This is extremely serious. Today, most trust models are based on the assumption that access to the signing key is secured. Three main events may shatter this assumption for company X:
– company X’s private key leaks out. Then Alice, Bob and Eve are able to sign on behalf of company X
– Alice is able to get company X to sign without company X controlling the data
– Alice is able to get a trusted certification authority to issue a digital certificate in the name of company X. Then Alice can impersonate company X. This is what happened in March 2001 with Verisign and Microsoft (see http://news.cnet.com/2100-1001-254586.html).

In this case, it is the second attack.

The signature key is the core of many security systems. It is the most important asset to protect. Red Hat probably protected it correctly (there is no evidence that the key leaked out), but not its usage. Security policy definition and implementation is a big problem.
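The distinction between protecting the key and protecting its usage can be made concrete with a small signing service, added here as an illustration and not Red Hat’s actual infrastructure. The service only signs artefacts whose digest was registered by the build pipeline, logs every request, and after a key rotation refuses signatures made under the revoked key; the HMAC is a stand-in for the real asymmetric signing key, and all names and sample data are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample: digests the trusted build pipeline has registered.
# In a real setup this list would be fed only by the build system, never by hand.
APPROVED_BUILDS = {hashlib.sha256(b"openssh-clean-build.rpm").hexdigest()}


@dataclass
class SigningService:
    """Toy signing server: the key never leaves it, and what it signs is policed."""
    keys: dict = field(default_factory=dict)       # key id -> secret (HMAC stand-in)
    revoked: set = field(default_factory=set)      # key ids that must no longer verify
    current_key_id: str = ""
    audit: list = field(default_factory=list)      # (requester, digest, outcome)

    def rotate_key(self) -> str:
        """Generate a new key and revoke the previous one (the Red Hat response)."""
        kid = f"key-{len(self.keys) + 1}"
        self.keys[kid] = secrets.token_bytes(32)
        if self.current_key_id:
            self.revoked.add(self.current_key_id)
        self.current_key_id = kid
        return kid

    def sign(self, requester: str, data: bytes):
        """Sign only data the build pipeline approved; log every attempt."""
        digest = hashlib.sha256(data).hexdigest()
        approved = digest in APPROVED_BUILDS
        self.audit.append((requester, digest, "signed" if approved else "refused"))
        if not approved:
            return None   # an intruder on the box still cannot sign arbitrary packages
        mac = hmac.new(self.keys[self.current_key_id], data, hashlib.sha256).hexdigest()
        return (self.current_key_id, mac)

    def verify(self, data: bytes, signature) -> bool:
        """Reject anything signed under a revoked or unknown key id."""
        kid, mac = signature
        if kid in self.revoked or kid not in self.keys:
            return False
        expected = hmac.new(self.keys[kid], data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)
```

The audit list is what lets the operator notice a compromise of the signing host before the packages leak, which is the detection capability the text says Red Hat lacked.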

Academic research and free speech

As usual, a company attempted to stop the disclosure of weaknesses at a security conference. This time, the Massachusetts Bay Transportation Authority sought to restrain Zack Anderson, R.J. Ryan and Alessandro Chiesa, students at MIT, from presenting a paper about the weaknesses of its RFID and magnetic stripe cards. The targeted conference was Defcon, one of the great hacking conferences. Nothing especially new.

The interesting fact is that District Judge Douglas Woodlock granted such a temporary restraining order. He backed up his decision with the Computer Fraud and Abuse Act. This law targets hackers who “knowingly cause the transmission of a program, information, code, or command to a computer or computer system.” In other words, according to this judge, presenting a paper disclosing weaknesses is equivalent to using software to penetrate a system.

Obviously, the Electronic Frontier Foundation (EFF) immediately fought back, invoking the First Amendment on free speech. Once more, we have this legal battle between academic researchers who find a flaw and a company that does not want this flaw to be disclosed. One of the first examples was the Felten versus RIAA case (#CVB-01-2669 (GEB)) about SDMI. The team of Ed Felten broke the watermarking scheme proposed by SDMI in an open challenge. RIAA attempted to restrain Ed from disclosing it at Information Hiding 2000. Finally, RIAA withdrew its objection and the paper was presented at ICASP2001.

Once more, this case highlights the same questions and remarks:

  • What should be done when discovering a security flaw? The typical ethical procedure is to inform the company about the flaw, give them some time to react and then publish. The problem is often the definition of the reaction time.
  • What is the right reaction of the company? Often they react badly. I believe it is more beneficial to have been informed by white hats who disclose the weakness than to be attacked by black hats who will keep it secret. Once informed, you may at least monitor to find eventual attackers. I prefer a flaw in my product that everybody is aware of (myself included) to one that is present but that I am not aware of.
  • Are judges sufficiently prepared to deal with highly technological issues? Should there not be a special type of technological judge? They rely on experts, but do they understand what the experts are explaining? We even sometimes have difficulty understanding our peer experts!

In any case, it is mandatory that researchers continue to look for weaknesses and disclose them. No security by obscurity.

Security and Facebook like

Greek researchers will present tomorrow an attack using Facebook as a vector. The idea is that they provide an applet that displays nice pictures from National Geographic. Unfortunately, in addition to its benign display, the applet requests the download of a big file from one server. If this applet spreads within the social network, it may end up with thousands of applets downloading the big file from one given server, in other words a Distributed Denial of Service (DDoS).

And all the journalists discover that there is a risk with social networks. I am always amazed to see people discover the obvious. Why should Web 2.0 be different from the “old” computing times? Anybody is expected to understand that it is not safe to execute a piece of software from an unknown publisher. It may be malware. This is expected to be accepted by users as good practice.

And now, all of a sudden, comes Web 2.0. And anybody is happy to add a nice widget to his/her site, web page, desktop, … Why should widgets be different from normal applications? Why should widgets not carry a lethal payload? Why should Web 2.0 be secure (at least not by construction)? I am only amazed that there are not more plagued widgets today.

Using a social network is even worse. You may trust the friends in your social network. Thus, you may eagerly accept nice widgets from them. But how do they know it is a safe widget? Imagine a widget with a time bomb inside (as used in viruses). It spreads nicely within Facebook, and then it is triggered…

Am I too paranoid? Why did web 2.0 escape common sense? Any idea?