Two Rivals – Both Cracked by Same Person!?

Posted in Hardware Security, Security by Dragan Pleskonjic @ Jan 28, 2007

There is news that the copy protection technology used by Blu-ray discs has been cracked by the same hacker who broke the DRM technology of rival HD DVD discs last month. The coder known as muslix64 used much the same plain text attack in both cases. By reading a key held in memory by a player playing an HD DVD disc, he was able to decrypt the movie being played and render it as an MPEG 2 file.

The latest Blu-ray hack was performed by muslix64 using a media file provided by Janvitos, through the video resource site Doom9, and applied to a Blu-ray copy of the movie Lord of War. In this case, muslix64 didn’t even need access to a Blu-ray player to nobble the DRM protection included on the title.

Both HD DVD and Blu-ray use HDCP (High-Bandwidth Digital Content Protection) for playback display authentication and similar implementations of AACS (Advanced Access Content System) for content encryption.

More details are in the Ars Technica article, Bruce Schneier’s blog, the Freedom to Tinker blog, and The Register article.

Once Again About Vista Security

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Jan 26, 2007

In a couple of posts on this blog, I’ve written about dilemmas, different views, challenges and positions related to the security of Microsoft’s new operating system, Vista. Once again, a new article has appeared in IEEE Security & Privacy Magazine (January/February 2007, Vol. 5, No. 1). In this article, titled “DRM, Complexity, and Correctness”, Steve Bellovin looks at the complex code behind Microsoft Vista and its DRM mechanisms. Increased amounts of code add to insecurity, but the real danger with DRM is with increased interaction among different pieces of code. A lot of new mechanisms have been introduced; more seriously, a lot of new communications paths and dependencies have been introduced. Worst of all, these paths and mechanisms are solving a new problem, one with which the profession has very little experience. Did Microsoft get it right?

Read the full article here (requires subscription).

Security Features vs. Convenience

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Jan 24, 2007

There is a very interesting post on Jim Allchin’s blog about some of the design issues the Vista team went through and the tradeoffs they made in Windows Vista around DEP, UAC, IE and so on. It’s a long but worthwhile read.

It says:

One of the most basic conundrums in computer security is the constant trade-off between security and usability.  At the end of the day, if security is too complicated to use, then it simply won’t be used.  Even if a feature offers a good level of security protections, if it is complicated or has poor usability it will likely be disabled by the end-user or network administrator, which doesn’t benefit anyone.  The same issue with safety and security exists in the physical world.  I remember when car alarms were first available (as an aftermarket product) — you had to remember to set the alarm after you locked your car and half the time people forgot.  Today, many cars come with alarms from the factory and the task of setting the alarm is usually just part of locking the car — and as a result, alarms get set.

Read the full post here.

Note: Jim Allchin is Microsoft Co-President, Platforms & Services Division.

Finsoft PCI-C Device

Posted in Internet Security, Privacy, Security by Dragan Pleskonjic @ Jan 23, 2007

In a previous post I wrote about the Finsoft PCI-C appliance for compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Finsoft has made a white paper about this concept and appliance available on the company’s web site. It gives more details about applying PCI DSS to existing systems, routes to PCI DSS compliance, the PCI-C appliance architecture, how PCI-C reduces PCI DSS impact, and how it delivers implementation and operational savings.

This is an interesting solution for a problem that can be an expensive exercise if you choose the wrong route - let a well-known consultancy loose on your environment… :).

Read more here.

Chinese Professor Cracks SHA-1, Her 5th Encryption Scheme in Ten Years

Posted in Cryptography by Dragan Pleskonjic @ Jan 21, 2007

An article in the Epoch Times (a Chinese newspaper) writes about a brilliant Chinese professor who has cracked her fifth encryption scheme in ten years. There is also a post on Slashdot about this.

[Thanks to colleague Maksa for bringing this to my attention].

Finsoft PCI-C Appliance for Compliance with Payment Card Industry Data Security Standard (PCI DSS)

Posted in Internet Security, Privacy, Security by Dragan Pleskonjic @ Jan 17, 2007

The Payment Card Industry (PCI) Data Security Standard is a world-wide benchmark mandated by the card schemes (VISA, Mastercard, Amex, Diners, JCB) for the protection of cardholder identity and transaction information. It requires users of card data to:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Each of these six requirements is supported by one to three major recommendations, which are subdivided into over 170 detailed controls on the storage, transmission and use of card data. This includes requirements for the management of computer systems, network devices and software used to store, process and transmit the data. Refer to PCI DSS 1.1 and PCI Audit Procedures 1.1, both on the PCI Security Standards Council (PCI SSC) web site.

Minimising the Impact of PCI DSS in the Betting Industry

Finsoft’s MarginMaker (TM) enjoys widespread use in the betting industry worldwide. Finsoft engaged leading UK PCI specialists to review its organisational processes and the technology used to deliver and support MarginMaker (TM), with the goal of reducing the impact of PCI DSS for its clients.

By re-architecting key elements of MarginMaker (TM), Finsoft has been able to concentrate all card-oriented activity into a highly secure appliance-type unit known as Finsoft PCI-C. This device can be represented diagrammatically as per the illustration below. In simple terms, it implements the following key functions:

  • Capture
  • Authorisation
  • Payments (settlement)

The PCI-C device is accompanied by a toolset of software interfaces to enable external programs to authenticate and use the device, and by a set of secure processes which ensure the continued security of the device itself. Finsoft also provides a maintenance service to future-proof PCI-C against any changes in the standard itself.

For more information, visit the Finsoft Web site.

Challenge: Remote Arbitrary Code Execution Vulnerabilities in Microsoft Vista & IE 7.0

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Jan 16, 2007

If you are a passionate security researcher or hacker and want to earn money through a challenge, this is your chance.

iDefense Labs announced its quarterly vulnerability challenge, with a focus on remote arbitrary code execution vulnerabilities in Vista & IE 7.0. The prize amount is $8,000 - $12,000, and the submission deadline is before midnight EST on March 31, 2007.

Read more here.

[Again, thanks to colleague Dejan Vesic for bringing this to my attention].

Survey: What Are Usual Passwords Used

Posted in Security by Dragan Pleskonjic @ Jan 15, 2007

Again about weak and strong passwords: in the post “Is your password strong enough”, I wrote about password policies and how to create strong passwords. It seems that the majority of people use weak passwords. In a recent article on his blog and an essay that appeared on Wired.com, Bruce Schneier analyzed the common passwords people use. It was prompted by the “MySpace password exploit”. It is amazing to see how often common, simple passwords are used. [Thanks to colleague Dejan Vesic for bringing this to my attention].

The Vulnerability Disclosure Game

Posted in General, Security by Dragan Pleskonjic @ Jan 15, 2007

In an earlier post on this Web site, I wrote about the dilemma of whether or not to disclose security flaws publicly. This disclosure game is becoming hotter and hotter at present. Recently I’ve read four interesting articles at CSO Online. These articles shed light on this problem from different angles, sometimes totally opposite ones.

1. The article “Microsoft: Responsible Vulnerability Disclosure Protects Users” by Mark Miller, Director, Microsoft Security Response Center, says:

“Responsible disclosure benefits everyone in the security ecosystem by providing the most comprehensive and highest-quality security update possible.”

2. The next article, “The Vulnerability Disclosure Game: Are We More Secure?” by Marcus J. Ranum, says in its headline:

“Can we speak frankly about “vulnerability disclosure” now? More than a decade into the process, can anyone say security has improved?”

3. The third article, “Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea’”, has the subtitle:

“Security guru Bruce Schneier sounds off on why full disclosure forces vendors to patch flaws.”

4. Interesting, and a little bit longer than the previous articles, is the article “The Chilling Effect” by Scott Berinato, which says:

“How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.”

This dilemma will probably be around for a prolonged period of time. My estimation is that, as usual, it will end up with a balanced view that reconciles the different views in a socially and technologically acceptable manner.

Security Code Reviews

Posted in Books, Magazines and Journals, Secure Programming by Dragan Pleskonjic @ Jan 15, 2007

Recently I reread an interesting article in IEEE Security & Privacy magazine by Michael Howard: “A Process for Performing Security Code Reviews,” IEEE Security & Privacy, vol. 4, no. 4, July/August 2006, pp. 74-79. This very good article starts with:

No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option.

Absolutely true. Read the full article here.
