Second Life: An additional frontier to secure the enterprise?

On 3 April, IBM and Linden Lab (LL) made an interesting announcement: IBM will host its own private islands in Second Life. See the Reuters news.
If you acquire or rent land in Second Life (SL), you may define who can access it. If you expect to open a shop, then it will be open to the public. If you want it to become the headquarters of your guild of hackers, then you will grant access only to the members of the guild. So a company may have meeting rooms for virtual meetings only accessible to the avatars of its employees. The access control is performed by LL's servers.

In the case of IBM, the server(s) managing IBM's islands will be behind IBM's firewall, i.e. within IBM's cybersphere and no longer LL's. When the avatar of an IBM employee navigates the public SL, it is managed by LL. Once it enters IBM's island, it is managed by IBM's dedicated server.

Of course, this should bring greater control and security for IBM. There are some interesting problems behind this:

  • In theory, an avatar can bring a virtual asset from the public SL into the private island.
  • In theory, an avatar cannot bring a virtual asset from the island to the public SL.

For that to be true, there would have to be total isolation between the two worlds. Ideally, the avatar on the island should be different from the avatar in the public SL. The public avatar could pass his/her clothes and belongings to the island one, but the island one could not pass anything to the public one. This also means that nothing that happened on the island would flow back to the public SL. Every transfer from the island to the public domain is a potential leakage channel (through scripting, …).

In any case, allowing an avatar to bring a virtual asset into the island is a potential security breach. A forged virtual asset could contain a virus or a Trojan. Of course, we may expect the servers to be inside a firewalled domain within IBM's infrastructure. By the way, even while in the public domain, SL may already have a foot inside IBM's firewall through the computer of the avatar's owner.
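The one-way policy sketched above, as an added example (not from the original post, nor LL's or IBM's code): assets carry provenance labels, public-to-island admission is allowed but marks every inbound script untrusted, and anything that has ever carried the island label is refused release to the public grid, including objects derived from it. The label scheme, names and scenario are constructed assumptions.

```python
from dataclasses import dataclass

PUBLIC, ISLAND = "public", "island"   # the two domains discussed in the post (constructed labels)

@dataclass(frozen=True)
class Asset:
    """A virtual object plus the set of domains that have ever touched it (its provenance)."""
    name: str
    labels: frozenset          # provenance labels, e.g. {PUBLIC} or {PUBLIC, ISLAND}
    scripts: tuple = ()        # (script_name, trusted) pairs attached to the object

def admit_to_island(asset):
    """public -> island is allowed, but the asset now carries the island label and every
    inbound script is flagged untrusted (the 'forged asset with a Trojan' concern)."""
    if PUBLIC not in asset.labels:
        raise ValueError("only public-domain assets enter through this gate")
    scripts = tuple((name, False) for name, _ in asset.scripts)
    return Asset(asset.name, asset.labels | {ISLAND}, scripts)

def release_to_public(asset):
    """island -> public is denied for anything carrying the island label; returns (allowed, reason)."""
    if ISLAND in asset.labels:
        return False, f"{asset.name}: island provenance, release denied"
    return True, f"{asset.name}: public-only provenance, release allowed"

def derive(parent, new_name, domain, script=None):
    """An object built from another inherits its provenance, so work done on the island can
    never flow back to the public grid. Scripts written inside the island are trusted there;
    anything that came in from outside stays untrusted."""
    scripts = parent.scripts + (((script, domain == ISLAND),) if script else ())
    return Asset(new_name, parent.labels | {domain}, scripts)

def demo():
    """Constructed scenario: a public hat visits the island, is turned into a badge, and nothing comes back."""
    hat = Asset("hat", frozenset({PUBLIC}), (("greeter", True),))
    island_hat = admit_to_island(hat)
    badge = derive(island_hat, "badge", ISLAND, script="door-opener")
    return (release_to_public(hat)[0], release_to_public(island_hat)[0], release_to_public(badge)[0])
```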

Would it not have been safer to create IBM's own virtual meeting world, totally independent from SL (even if using LL's software)? But it would probably be less glamorous.

Wide distribution of fingerprints

In issue 92 of “Die Datenschleuder”, the official magazine of the Chaos Computer Club (CCC), you may find, printed on a plastic foil, the fingerprint of German interior minister Wolfgang Schäuble. According to the CCC, applying the foil to the biometric reader to be used for the German passport may impersonate the minister. The CCC could not test it. Nevertheless, the hackers claim that they experimented with such foils.

One of the challenges of biometrics is to verify that the measured biometrics come from a living principal. For instance, new-generation fingerprint readers measure the temperature of the finger, blood pressure, or the resistivity of the skin. This may allow fake fingers to be detected. Of course, another potential weakness is impersonation after the physical capture; in this case, all the additional measurements are useless.

This story, regardless of its veracity, highlights the inherent limitations of biometrics. It is possible to revoke a compromised key. It is impossible to revoke a compromised biometric identity. If your fingerprint is available for a given technology, there is no way to stop it.

If this risk of capturing biometrics is real, then biometrics should be used only in two-factor authentication. In this configuration, the compromise of a biometric identity can be partly compensated by the second factor. In fact, in this case, the authentication is reduced (for the compromised identities) to one-factor authentication. This is better than nothing. An upgrade of the biometric method that copes with the attacks would allow the value of the biometric to be re-validated.
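The two-factor argument above, as an added example (not from the post or from the CCC): a leaked print cannot be revoked, so the policy instead discounts the biometric factor for the reader generations it is known to fool, keeps the second factor mandatory, and re-admits the biometric once a reader generation that defeats the attack is deployed. The data structures, generation numbers and the full/degraded/denied outcomes are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Enrollment:
    user: str
    compromised_for: set = field(default_factory=set)  # reader generations the captured print is known to fool

@dataclass
class Attempt:
    user: str
    fingerprint_matches: bool   # template comparison result from the reader
    liveness_ok: bool           # temperature / blood pressure / skin resistivity checks passed
    reader_gen: int             # generation of the reader technology used
    second_factor_ok: bool      # PIN, token or password check

def mark_compromised(enrollment, reader_gen):
    """A leaked print cannot be revoked; all we can do is record which reader generations it fools."""
    enrollment.compromised_for.add(reader_gen)

def usable_factors(enrollment, attempt):
    """Return the factors that still carry weight for this attempt."""
    factors = []
    biometric_trustworthy = attempt.reader_gen not in enrollment.compromised_for
    if attempt.fingerprint_matches and attempt.liveness_ok and biometric_trustworthy:
        factors.append("biometric")
    if attempt.second_factor_ok:
        factors.append("second_factor")
    return factors

def authenticate(enrollment, attempt):
    """The second factor is always required; the biometric only adds strength while trustworthy.
    'full' = both factors, 'degraded' = second factor only (the post's 'better than nothing'),
    'denied' = a matching but compromised print alone buys nothing."""
    if attempt.user != enrollment.user:
        return "denied"
    factors = usable_factors(enrollment, attempt)
    if len(factors) == 2:
        return "full"
    if factors == ["second_factor"]:
        return "degraded"
    return "denied"
```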

In any case, the generalization of biometrics will open a new black market: forged biometric identities.

PS: “Die Datenschleuder” could be translated as “the data sling”.

The crusade: DRM sucks

There is a terrible crusade against DRM. Many bloggers try to illustrate that “DRM sucks”. As with all crusades, the arguments are sometimes true and sometimes wrong.

A famous blogger claimed that he had a perfect example of why DRM sucks. Following the death of HD DVD, it seems that the newest version of Cyberlink's PowerDVD, one of the most used DVD software players, no longer supports HD DVD. That was fast. According to the blogger, that was the fault of DRM.

Unfortunately, this is the worst possible example. HD DVD and Blu-ray share the same basic DRM: AACS. Of course, Blu-ray has BD+ in addition. Nevertheless, the basic DRM is identical. The lack of interoperability is due to intrinsically different formats at every level (physical, organization, coding) except for DRM.

I suggest a better historical example of sucking DRM: VHS and Betamax ;-)

Establishing end to end trust

Microsoft issued an extremely interesting white paper: Establishing End to End Trust. It was presented at RSA 2008. The paper is worth reading. The main idea is that a trusted stack (encompassing hardware trust, OS trust, application trust, data trust and persona trust), together with the ability to audit for accountability, should make for a more secure Internet.

It is interesting to note the extreme caution Microsoft takes on the topic of privacy and identity. Section IV is fully dedicated to a cautionary note. Clearly, Microsoft fears that this initiative will be seen as a Big Brother initiative. This is probably a sequel to the backlash against Palladium.

I will focus on the notion of a trusted stack. This is an addition to the previous post on the XBOX hack. The trusted stack is based on signatures. According to the paper, there will be three categories:
“Even if code is signed, however, it will still fall into one of three buckets. There will be code that is signed by a known entity (e.g., Microsoft, Oracle, Adobe) that is trusted due to past experience, brand reputation or some other factor; there will be code that is signed but known to be malware (e.g., spyware, which can then be blocked); and there will be code signed by entities that are not known to the user.”
The paper clearly highlights the importance of the criteria for obtaining the signature. If they are weak, then the trust is weak. The concept of signature relies on an authority, often called a trusted third party, providing signature keys and associated certificates only to compliant and trusted principals. We expect the trusted third party to do its job correctly. One of the strengths of the PC is the wealth of available shareware and freeware. There are thousands of small software publishers in the world. Thus, it will never be possible for the authority to know whether they are trustworthy. Will these publishers be allowed to sign?

To compensate, Microsoft proposes a reputation platform. Unfortunately, like all reputation systems, it has limitations. Reputation will increase only with the number of users recommending the software, i.e., the number of people taking the risk. Furthermore, many people will not check (the same people who do not use an antivirus or do not update their software).

Furthermore, as explained in a previous post, a signature does not mean that the software is secure. Only peer auditing of the software before signing the application may give this assurance.

In other words, the trusted stack as described will end up with the following situations:

  • Signed software that we trust because it is open source or from a publisher we trust.
  • Signed software that we do not know whether we can trust.

It is still up to the user to decide whether to take the risk. In other words, we are not far from the existing situation. The only difference is that with a trusted stack based on a TPM, applications may trust and use secure elements of lower layers and interact with other trusted principals.
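The three buckets and the reputation critique above, as an added example (not from the paper or from Microsoft): a policy that sorts signed code into allow/block/prompt, and a helper showing that an unknown publisher's code is promoted only after enough users have run it while it was still in the "prompt" bucket. The threshold, the hash-based malware list and the publisher names are assumptions; cryptographic signature verification is assumed to be done by the loader before this policy runs.

```python
from dataclasses import dataclass
from enum import Enum
import hashlib

class Verdict(Enum):
    ALLOW = "allow"    # signed by a known entity trusted through experience or reputation
    BLOCK = "block"    # signed but known malware (or the signature did not verify)
    PROMPT = "prompt"  # signed by an entity the user has no basis to trust

@dataclass
class SignedBinary:
    publisher: str          # subject of the code-signing certificate
    signature_valid: bool   # outcome of the cryptographic check, done by the loader before policy runs
    contents: bytes

def sha256(data):
    return hashlib.sha256(data).hexdigest()

class TrustPolicy:
    def __init__(self, trusted_publishers, malware_hashes, reputation_threshold):
        self.trusted = set(trusted_publishers)
        self.malware = set(malware_hashes)
        self.threshold = reputation_threshold
        self.recommendations = {}   # binary hash -> number of users who vouched for it

    def classify(self, binary):
        if not binary.signature_valid:
            return Verdict.BLOCK            # forged or tampered signature: never reaches a bucket
        digest = sha256(binary.contents)
        if digest in self.malware:
            return Verdict.BLOCK            # bucket 2: signed but known malware
        if binary.publisher in self.trusted:
            return Verdict.ALLOW            # bucket 1: known, trusted publisher
        if self.recommendations.get(digest, 0) >= self.threshold:
            return Verdict.ALLOW            # reputation has promoted it out of bucket 3
        return Verdict.PROMPT               # bucket 3: unknown publisher, the user decides

    def user_accepts(self, binary):
        """A user who runs prompted code takes the risk; that is the only way reputation grows."""
        digest = sha256(binary.contents)
        self.recommendations[digest] = self.recommendations.get(digest, 0) + 1

def users_needed_to_promote(policy, binary):
    """Count how many users must accept the risk before the verdict changes (the post's critique)."""
    accepted = 0
    while policy.classify(binary) == Verdict.PROMPT:
        policy.user_accepts(binary)
        accepted += 1
    return accepted
```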

There are also many things to be said about audit. That is for another post.

P2P: is giving access illegal?

Two US judges gave different answers to the question: “Is putting copyrighted content in a folder accessible to P2P sharing illegal?” According to Judge Kenneth Karas of New York, it is illegal, whereas for Judge Nancy Gertner of Boston it is not an infringement until the content has been downloaded by someone. Nevertheless, both judges agree that downloading copyrighted content is an infringement. The judgments are not final.

Should Judge Nancy Gertner's decision be confirmed, it would open new perspectives for future trials.

  • Content owners could no longer rely on proving the exposure of copyrighted content; they would have to prove the actual download of the exposed content by someone else.
  • Content owners should probably also have to prove that the exposure was deliberate. Known examples have illustrated that people may inadvertently expose data to peer-to-peer networks. See Confidential data and P2P.

An interesting issue to follow.

RFID to stop theft

SimplyRFID provides a theft-detection system called NOX that is not simple at all. It is the combination of three techniques:

  • RFID tags are glued on the items to be protected. The RFID tag provides the identity of the item and, through the readers, its location.
  • Optically charged dust is spread over restricted areas, for instance in secure vaults.
  • Video surveillance has two roles. First, it monitors the people. Second, it detects the presence of dust that is illuminated by a laser: the dust glows, so intrusion into a sensitive area can be detected. Software may automatically detect the glowing dust and trigger an alarm.

The interesting part is that the RFID readers are hidden from the users, who are not aware of their existence. This is perhaps the “smarter” part of the concept.

How does it work? When an RFID tag passes near a hidden detector, it is triggered. It is then easy to discover the potential thief using the video surveillance. Of course, if the thief is aware of the location (or even of the presence) of the hidden RFID readers, then he will be more cautious. The system targets insiders. Thus, the thief has time: he will first shield the tag, then pass through the detectors without triggering them. We assume that he hides the stolen device from the surveillance cameras. It is even better for him if several days pass between the shielding and the actual theft. It will require many hours to visually review the video tapes, and if several people handled the item in the meantime, it is even better.

Interestingly, these hidden readers violate privacy because employees are not informed of their presence.