security

Trusted Execution Environment, millions of users have one, do you have yours?

mobile phone

I have been spending few years monitoring the development of a technology named Trusted Execution Environment in standard. Switching from a quest, to a technical concept and now starting to be embedded in devices, I felt it is time to share few things about that security enabler. At the time I discovered that strange stuff, it was just a question ‘how can we make the mobile more secure?’. That question was extensively discussed in OMTP, a dead consortium of mobile network operators and device makers. They wrote some security requirements, based on well know existing attacks on mobile environments and expected someone to solve the problem. (more…)

W3C security roadmap needs you !

W3C security sessionTwo weeks ago, W3C held its yearly event, named TPAC, gathering most W3C Working Groups, all official W3C members and most of the W3C team. This impressive stack of geeks, combined with the fact that the venue was great, and lunch and dinners were also organized by W3C, lead to an impressive density of interesting conversation. While having spied a lot, I am reporting here things related to security, which was one of my drivers to be there (in addition to friends, curiosity, and spending one week on the other side of the globe). (more…)

[ParisWeb] Security Take Away

logo-parisweb-2013

ParisWeb is a french-european event gathering web developers motivated for doing things right : quality, accessibility and standard. Last week the conference was held Place de la Bourse, in Paris downtown. That conference is known to be terrific, as people are sharing their experience, their good practice, their good feelings. Every talk is an opportunity to learn something and meet smart people. Here is a first post, reporting the security conversation that happened in Palais Brongniart. (more…)

Chip to Cloud conference : modernism and usual suspects

chip-to-cloud-2013Once a year the smart card industry meets in Nice, during an event named Chip to Cloud, co-located with the NFC World Congress and the M2M Innovation event. Chip to Cloud tagline is ‘Security Forum’. In other words, this is where you will meet the traditional security solution industry, this old good industry relying on chip/hardware/tokens (call it as you want) to secure the world. The number of tracks was impressive, as usual, but here is a take away from what I captured, between two coffees with goods friends.

The traditional industry is getting modern.

Being part of that industry since quite a long time now, we all know by heart our favorite use cases. Banking, corporate, telecom business… But this year, some new markets were mentioned. As an example social media was discussed with the underlying problem of trust in reputation. How to make sure a user is a real/good/reliable user ? (more…)

OWASP in Paris : Diving in Firefox OS Security !

You might have heard about it, a new mobile operating system was announced few months ago : Firefox OS, by Mozilla.This mixing of a browser product together with the ‘OS’ word is not a typo. It is a new type of operating system, web based, which will get rid of the open-but-proprietary mobile operating systems. On a web-based operating system, web apps will be the application bringing the services to the user. And Mozilla, is offering to have HTML5/CSS3 web apps running on their Firefox OS. Together with special APIs, names Web APIs that will enable some mobile-phone related features, such as access to phone call, SMS, and few other nice things.

So, yes, Firefox OS has landed in the mobile area … and its security challenges too. Imagine : a web engine, on which you execute applications, based on the web security model, which main security constraint is the single origin policy (any resource used by a web app must be from the same origin). If the ambition is really to port any kind of service on the web, including the highly sensitive ones, this imposes to have more constraints on the application and execution model. And this is what Mozilla has been integrating in their OS design and application deployment scheme. This is this nice story that Paul Theriault @creativemisuse, Mozilla Corporation, came to tell in Mozilla Paris offices this week, during a meeting organized by OWASP French Chapter. Here are the basics to remember about the Firefox OS security model :

– There will be several categories of web app : normal web apps, privileged web apps, certified web apps.

– Normal webapps are the ones with the lowest right, they can *only* use HTML5 and CSS3.

– Privileged and certified web apps are accessing the Web APIs, and will be submitted to the user permissions. The user will have to grant access when the web apps will actually access those APIs.

– Certified web apps will the ones accessing sensitives Web API, related to the mobile phone system. At the moment, certified apps are only developed by Mozilla and built in the mobile device, before going on the field. The so-preserved APIs are the ones related to TCP socket, mobile network, system XHR, alarms…

– Each web app will have dedicated cache and cookies memory.

– Web apps and browser will run in a separate thread, allowing to preserve the permissions and isolation during execution.

A video is available there, and will definitely make you better understand the main challenges that Mozilla is facing with their crazy idea to put the web on a mobile.

And, as all the activities of Mozilla are public and open to contributors, the ones interested in security aspects can stay tuned on https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security

First Web Crypto implementations : expecting your imagination to play with !

Being chair of a W3C Working Group puts you in a nice situation that you are aware of any brand new implementations of the specifications your working group is supposed to design. In the case of the Web Crypto WG, I must confess I am quite lucky : the group has started one year ago, the first public working drafts were fired 10 months ago, last call is planned for October (planned, I said, no blood signed promise here) and there are already several implementations and prototypes disclosed :

Which specification are we talking about ?

The Web Cryptography API is an API, edited by Ryan from Google. Once implemented natively in browser, it will provide web apps with primitive for cryptographic operations. Generate strong random number, generate a key (or a key pair), manage data ciphering of data signature with it. This is a nice toy to design the security model of your web application. Identified use cases are data synchronization between client and server, signing legal documents, protecting banking transactions, … See the Web Cryptography Use Cases, edited by Arun from Mozilla, for more information. The Working Group is also working on an API to discover keys available in the key store of the browser, but this API, edited by Mark from Netflix, named Web Cryptography Key Discovery does not have yet any implementation available.

What are the available implementations ?

As several companies have interest in that security feature, several implementations or experiments are made available to web developers.

A polyfill designed by BBN. BBN is a research laboratory sponsored by US government. It has issued a polyfill, a pure javascript implementation of the Web Crypto API (based on the version from December 2012). It is compatible with a large number of browsers, including Chrome, Firefox, Safari, Internet Explorer 10, Opera, iCab. You can grab more by visiting the Polycrypt project : http://polycrypt.net/ and the related github : https://github.com/polycrypt/polycrypt .

A plugin by Netflix for Chrome. Netflix is working hard those day on delivering a complete solution to protect its streamed content over the combination of the Encrypted Media Extension and Web Crypto API (based on the version from April 2013). The current native plug-in has been designed and successfully tested in Chrome on Linux amd64 – but do not dream, it will not allow you to watch Netflix catalog for free ! All material and explanations are available under Netflix github.

A Microsoft IE 11 Preview feature. Microsoft has included the Web Crypto API in Internet Explorer 11 Preview (build date: 6/14/2013). This pre-release version is available to web developers.

A Chromium announced feature. Google has announced that the Web Crypto API would be available in Chromium. If you want to witness the on-going work, you can have a look at the chromium issue tracker.

A Firefox open feature**. Mozilla is working since this spring on the implementation of the Web Crypto API and progresses can be monitored under Bugzilla @ Mozilla tracker.

A teasing implementation from Inventive Designers.

One in another what can you do, now. And what are the limits ?

You can play with those prototypes, which are here to fill the gap, while browser makers embed the final feature in their final products. Note that none of the available plug-in, polyfill, pre-release do rely on Promises, which is the new taste of DOM, while the final version as lots of chance to  : the most recent draft already embeds it, and it is expecting review of the javascript and W3C Technical Architecture Group community. In addition the referenced plug-in, polyfill, pre-release features are relying on old version of the specification which is submitted to changes, as the Working Group is still managing some open issues. Nevertheless by having some tools today, it gives you a chance to play with crypto primitives on different platforms.

Which one to choose ? If your project is just about creating a key and using it for the basic operations such as generate key, sign, encrypt and corresponding operations, then the BBN polyfill will perfectly match. If you want to experience more with key wrapping (in order to protect your keys when being stored in your client), then, the Netflix and Microsoft tools will make the job.

Each of the implementations made some choices in algorithms supported, but in most of the cases, if your project does not require exotic algorithm, you will find what you need inside.

If you are having fun with it, who should you report it to ?

As you may imagine all W3C crypto community and implementers are expecting your report on your experiment. Feel free to tell us more on public-webcrypto-comments@w3.org or by reporting directly to the implementation providers…

You can also read a more recent post related to Web Crypto API development here : https://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/

** Thanks @clochix for the info.

Where do you think IT guys are discussing web security ? (Tip, it might be next door…)

owasp_logo

In your town OWASP chapter. OWASP standing for Open Web Application Security Project. And there might certainly be an OWASP chapter closed to your office, as there are more than 200 chapters in 70 countries. The reason why I am blogging on that foundation is that last week the French OWASP chapter met in my employer’s offices. Gathering about 30 security experts or security-concerned people, the Paris meeting was fruitful and interactive. The French chapter leaders are Ludovic Petit (@Owasper), and Sébastien Gioria (@SPoint), supported by Ely de Travieso (@ElydeTravieso, yes, the one who already committed Secutic Day I reported in earlier posts). The objective of OWASP is to support the developers community with tools, code and documentation related to security. Web application and everything related to it. All this material is obviously available for free.

Great projects. During this meeting, new OWASP foundation projects were unveiled : a Top 10 related to cloud deployment [1], a revised version of Mobile Top 10 [2]. I can only recommend you to have a look at the OWASP website and analyse the different projects handled there. There might definitely have one which answers your most recent security question on web application (https://www.owasp.org/index.php/Main_Page).

Liability or how to avoid ending in jail. Another topic was discussed, a topic which is sometimes far from the developers working constraints : the liability. The complex question of ‘who is liable in case of software failure’ was addressed by Ludovic [3], based on its large experience related to fraud and legal aspects. The answer is quite simple : a developer can be liable for a piece of software creating damages (information leak, privacy damage, functional incident, …). The rationale behind is that the web application delivered are most of the time part of the IT systems, which are submitted to strict laws, such as guarantee that no incident could happen. Most off countries are requiring IT systems to be reliable when treating data such as integrity, availability, non-repudiation, and confidentiality. Obviously this does not mean that any developer will end in jail. It means that potentially, in case of problem, he will be challenged on the quality of the product, based on its skills and knowledge (if you are known as good but are coding with a lazy style, you might get into trouble).

Data privacy in Europe. The light was also made, during that meeting, on the recent progress of the European Community to deliver a law on the data privacy. This status was made by Thiébaut Devergranne, PhD in law, experienced developer and consultant. His message was quite direct :  European text will be a tool to attack any company missing to take care of data privacy [4]. This new regulation will be the same for all 27 European countries, and takes into account the aspects of internet, mobility, social media which recently reshaped all information systems and services. The other major changes compared to the EU previous directive issued in 1995 relies on the fact that (1) companies will have to demonstrate that they made a risk analysis related to data treatment, and (2) European commission will be able to tax up to 2% of companies turnover if they do not correctly implement the law. The most impressive aspects is that this law will be applicable to any company managing data of European citizen – including large software and service company located in the silicon valley. And last but not least, a new job will soon be hype: data privacy officer – similar to the Correspondant Informatique Liberté in France – required for every private companies larger than 250 people, or any company treating sensitive data.

The passionate discussion following that talk demonstrated how this could impact the life of companies… Stay tune on OWASP projects !

[1] OWASP Top 10 cloud project https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project

[2] OWASP Mobile Security Project, in collaboration with ENISA https://www.owasp.org/index.php/OWASP_Mobile_Security_Project, look at the Top 10 mobile controls

[3] French chapter leader presentation about OWASP projects and liability https://www.owasp.org/images/2/2a/Chapter_Meeting_OWASP_France_-_7_Feb_2013.pdf

[4] Thiébaut Devergranne presentation about EU data privacy regulation [fr] http://www.donneespersonnelles.fr/donnees-personnelles-le-nouveau-projet-de-reglement-europeen

[2/2] Main IT threats today – learning from Secutic Day in Marseille

Two weeks ago was held in Marseille the first edition of the Secutic Day PACA, a conference dediacted to IT managers focusing on protection of digital economy. A first post reported the legal aspects behind the risk of having weak security in IT systems, together with means for IT managers to understand and implement the primary security measures. This new post is detailing the views of the different invited experts on the recent threats that IT managers should face. Warning, this post includes all attractive buzz words, such as BYOD, cloud and social media …

Which environment are we trying to control ?

Thanks to the diversity of the speakers, different IT framework have been discussed, relying on different population and services :

  • Employees : big companies offering IT services to several hundreds of employees, a.k.a. corporate;
  • Citizen : government environment, where services are offered to citizen to pay tax or declare revenues, a.k.a e-government;
  • Machines : distributed industrial environment, where cars or vending machines are accessing central services, a.k.a M2M;
  • Mixing human : partnering environment, meaning environment such as Marseille Innovation [1], a place where start up are sharing a same physical space and IT systems, where new business models are designed, in a collaborative but protected environment. People are ready to share crazy ideas in front of the coffee machine, but do not want to disclose their business cases and make sure their innovations stay theirs. (more…)

[1/2] What IT Manager should know about security – learning from Secutic Day in Marseille

Last week was held in Marseille the first edition of Secutic Day PACA [1], a security conference, organized by Secutic. This one day event tagline was about securing the digital economy. While being a free and open to public event, it was mainly dedicated to IT managers interested to know more about security. The program gathered 24 great speakers who shared with the public the state of the art of security in various domain such as digital crime investigation, liability of IT managers, major today’s and tomorrow’s threats. Here is a sumup of the major ideas that some highly experienced people discussed.

About the legal risk for IT managers.

Some officials of the Gendarmerie Nationale together with Claude Leloustre, representing the Club de la Sécurité des Systèmes d’Information PACA (CLUSIR), reminded the legal aspects associated with the management of IT systems. Managing an IT network induces some liability. (more…)