Confidential data and P2P

Posted on by
Reply

Last year, Pfizer had a serious security breach. Personal records of 17,000 employees and previous employees were available on a peer-to-peer (P2P) network. The wife of a Pfizer employee installed a file sharing software on her husband’s company laptop. The configuration was badly set and confidential information leaked. This type of leakage is rather common. In Security Newsletter n°4, I reported a virus using P2P software to distribute random file of a hard disk. Japanese defense plans leaked!

The first-thought recommendations would be to ban P2P software from company’s computers. This recommendation has limits:

  • P2P software may be useful in some context (and probably will become more prevalent in the future)
  • There is no serious way to avoid user to install such software and use it outside the fire walled environment of the company. In fact, it is possible to block installation of software by users, but it becomes quickly a problem for the IT department (cost of installing new software, upgrades, patches, …). It is often not practical excepted in highly secure environment. In any case, in most case, IT aware users will bypass the control.

Thus, the best recommendation I would give is to encrypt all confidential files on the laptop. This answers this threat, because what is shared is encrypted data, i.e. useless, and answers many other threats such as theft of laptops. Obviously the choice of the encryption tool is important (We will report on the latest hack on encryption tools in next security newsletter to be published in a fortnight)

It is also important to remember that you are also at risk at home with your private data. If ever you, or your relatives, use P2P software on your personal computer, check carefully its configuration to strictly sandbox the sharing space. Hoping that there is no backdoor that allows changing it  :Wink:

In the referenced article, I found also interesting the data mining performed on queries on P2P network. Privacy is even leaking on P2P network usage :Amazed:

Social networks and privacy

Posted on by
Reply

Recently Facebook enhanced its privacy controls on the information. Users are supposed to be able to control who can access personal data for instance personal pictures. Nevertheless, a hole in security allowed to access personal pictures independently from their control rules. Journalist from Associated Press (AP) was able to browse among personal pictures (see AP news) Facebook quickly fixed the hole.

Once more, this news rises the question about privacy and social networks. Social networks are not different from traditional web sites. Data stored on their server are vulnerable and may be exposed. Social networks, due to their social role, increase the problem. Information posted on these networks are by nature personal thus potentially sensitive.

Data on social networks (or any other type of sites) have two characteristics:

  • They are vulnerable. They may leak or may be stolen
  • They are persistent. Internet has a huge memory. Ten years old data are still somewhere in the cyberspace, available to revealed.

The consequences are:

  • Information that you do not want to be public may become public
  • Information that were not important today may become embarrassing in the future. These information will be available and may ruin reputation.

Thus, a rule: Do never post a personal information that you do not want to become one day public It may become public.

Some thoughts about RFID and passports

Posted on by
Reply

Last week, I discussed with a well known cryptographer: JJQ. We were exchanging about RFID security, last mifare hack, and security of RFID-based passports. During the discussion, we went through a new threat.
Let us now assume that the RFID passport is largely used, and even that one country requires RFID-based passport for entering. We assume that forging a RFID-based passport is extremely difficult (it will never be impossible, law 1). We may assume that forging the paper part of the passport will be easier (else why replacing them with more expensive passports). But the forgery would be detected by mismatch between the information in the passport and the RFID.
The obvious attack would be to blast the RFID of the passport. Then the border guard would check only the paper part. Nevertheless, this may not be sufficient because we may assume that the border guard will be watchful because he faces an exceptional case.
Let us now assume that the attacker was able to build a gimmick that blasts all the RFID of every passports in a plane before leaving it. You will have several hundreds of exceptional cases. In other words, the border guards will be overwhelmed by the situation. Furthermore, if the attacker will present itself among the last ones, then his probability to go through with the forged passport will significantly raise.
Here it is a nice example of combined attacks: technique to blast the RFID and social engineering by creating an exceptional situation to stress the border guards.
Thus, for such type of applications, Denial of Services attacks should be carefully studied and prevented.

SlySoft announces that it broke BD+

Posted on by
Reply

Slysoft, the manufacturer of AnyDVD HD software announced that the new version allows to copy BD+ protected disks. See Press Release
AnyDVD was the first commercial package that allowed to rip AACS protected discs. Successive versions keep the pace with the changes in the revocation of players. For more information about the hacks read Security newsletter 5 and Security newsletter 6

BluRay consortium decided to launch its BD+ protection. BD+ is a layer of additional protections on top of AACS. One of the most interesting feature of BD+ is SPDC (Self Protecting Digital Content). SPDC was developed by CRI, the company of Paul Kocher. Paul Kocher is well known for his devastating side channel attacks on smart cards such ad Differential Power Attack or Differential Timing Attack. Recently, CRI sold the SPDC technology to Macrovision. SPDC allows to append to a BD title a small application that redefines the security mechanism of the player. In other words, it would be possible for reach title to have a different security protection. Renewability is one key element (Law 1).

What does the announcement of SlySoft mean?
Two scenarios are possible.
1- SlySoft has designed a class attack, i.e. an attack that definitively defeats any BD+ implementation for instance by finding a lethal weakness.
2- SlySoft has been able to defeat the current protection of new BD+ titles.
In view of the announcement, scenario 2 is more realistic. SlySoft acknowledges that BD+ is not yet using all the available features. In other words, the current version of anyDVD breaks the current titles. A new SPDC code would require SlySoft to design new circumventing code (Three months in the company Dungeon :Wink:)

BD+ has been designed for renewability. The concept of BD+ acknowledges that hackers will find their way. But BD+ also allows a new race to start.

Conclusion
The question is not too much to know if some BD+ titles could be ripped. It is more how long it will take to find a method to rip them. If the new protection remains secure for enough weeks to preserve the maximum sales, then BD+ will be successful.

I will be provocative. This first BD+ hack is the best justification of the existence of BD+. Dynamic defense is better than static defense. Security is never absolute. It is a compromise.

In any case, we will keep you informed of any news on the AACS front.

DVD Jon launches doubleTwist

Posted on by
Reply

doubleTwistJon Lech JOHANSEN, together with Monique FARANTOS launched doubleTwist, a controversial software and service. Jon is better known as DVD Jon. In 1999, he wrote DeCSS, the software decrypting protected DVDs. DeCSS spread over the Internet despite the efforts of studios to stop it. The source code was even available on printed T-shirts. In 2006, he authored software defeating Apple’s DRM FairPlay. DoubleTwist seems to be a sequel of this early hack.

DoubleTwist allows sharing your contents on all your devices and sharing your contents with your friends on social networks such as FaceBook. Currently, doubleTwist supports a limited number of devices through iTunes synchronization: Nokia phones, Sony Walkmans, Sony PSP and Windows Mobile 6.0 platforms. Nevertheless, traditional USB download is valid. DoubleTwist is only available for Windows. The Mac version is under way.

Does doubleTwist infringe copyright laws? According to Electronic Frontier Foundation (EFF), it does not. To by pass FairPlay, doubleTwist uses the analog hole, i.e. it records content while played by iTunes. Thus, EFF claims that it does not circumvent any protection scheme and thus falls out of the scope of DMCA. Will this argument hold in front of a court?

Nevertheless, doubleTwist limited the duration of the shared video to ten minutes and the duration of shared audio to twenty minutes per file. This policy reminds the limitations of User Generated Content sites.

The launch of doubleTwist on 18th February raised a flurry of news. The personality of DVD Jon is probably one explication of such media interest. Since then, no news. Surprisingly, there is no known public reaction of Apple. Would a negative reaction be coherent with Steve Jobs advocating DRM-free content?

Nagra reinforces its secure coding capacities

Posted on by
Reply

Kudelski group announced that it acquired EDSI. Kudelski is better known in the world of security as NAGRAVISION. Nagra is one of the main Conditional Access provider. EDSI is a small French company, based at CESSON SEVIGNE.

Since 1990, EDSI specialized in the development of software for smart card dedicated to Pay TV or banking applications. EDSI acquired a strong expertise in security for these smart cards. It has also a certification laboratory assessing the robustness of smart card implementations.

Through this acquisition, NAGRA provides a strong positive message of a capacity to fight piracy. Another potential message is that smart card based Conditional Access Systems are not dead. A current trend, coming with IP delivery, was to promote card less solutions (Verimatix, Widevine, …). None of these card less solution has not yet had a large scale deployment as card based Conditional Access had. Thus their actual robustness against piracy has not been assessed. I will come back to the card less topic in one of my future post.

The corresponding press release is available at http://www.nagra.com/pressreleases/view_release.php?id=583〈=e

NXP enhances the security of its chip

Posted on by
Reply

NXP, the RFID manufacturer, has announced the launching of new generation of mifare RFID chips: mifare plus. This new version has enhanced the security comared to previous mifare classic. For instance, it implements 128-bit AES, and more diversity for the identification. Mifare Plus seem to have an easy migration path from mifare clasic.

For memory, it was the NXP mifare classic that was recently hacked. This is a nice timely answer to this hack. How long will the new generation resist?