Archive for July, 2013

Another Blow To Data Breach Class Actions: Bell, Et Al. V. Blizzard …


Article source: http://www.mondaq.com/unitedstates/x/255420/Class+Actions/Another+Blow+To+Data+Breach+Class+Actions+Bell+Et+Al+V


NSA Director Defends Surveillance Activities During Tense Black Hat Keynote

LAS VEGAS – NSA director Gen. Keith Alexander’s keynote today at Black Hat USA 2013 was a tense confessional, an hour-long emotional and sometimes angry ride that shed some new insight into the spy agency’s two notorious data collection programs, inspired moments of loud applause in support of the NSA, and likewise, profane heckling that called into question the legality and morality of the agency’s practices.

Loud voices from the overflowing crowd called out Alexander on his claims that the NSA stands for freedom while at the same time collecting, storing and analyzing telephone business records, metadata and Internet records on Americans. He also denied lying to Congress about the NSA’s capabilities and activities in the name of protecting Americans from terrorism in response to such a claim from a member of the audience.

For the first 40 minutes of his talk, Alexander made the case for the agency’s authority under Section 215 of the Patriot Act and 702 of the FISA Act, backing that up with specific examples of terrorist plots such as the New York City subway bombings that were disrupted because of intelligence gathered in the two programs. He also talked about the training agents must pass before having access to the databases housing the collected data, as well as the auditing and compliance associated with those requests.

“The tools and things we use are very much the same tools you use in securing networks. The difference is the oversight and compliance that we have in these programs. That part is missing in much of the discussion,” Alexander said. “I believe it’s important for you to hear that, for you to understand what these people have to do to do their job to defend the nation and the oversight regime we have with the courts, Congress and the administration. You need to understand that to get a full understanding of what we do and do not do.”

All of this happened under the backdrop of new revelations from whistleblower Edward Snowden. The Guardian UK disclosed today, some three hours before Alexander took the stage, new details about another of the spy agency’s top secret data collection programs, this one called XKeyscore. The details, provided to the newspaper by Snowden, indicate that analysts have access to databases housing the online activities of millions, including browsing history, email messages and online chats.

U.S. intelligence leaders today also testified before a Senate Judiciary Committee and released previously classified documents on data collection activities.

The Snowden documents, the Guardian report says, back up a claim made by the former Booz Allen contractor that he as an analyst could “wiretap” any individual. Snowden, who reportedly remains in the Moscow airport awaiting asylum somewhere, shared training materials for XKeyscore with the Guardian. The documents instruct analysts how to mine intelligence databases for information on anyone in the U.S. The Guardian report says analysts need only to fill out a short on-screen form requesting the search; the form is not looked at nor approved by a court or NSA officials.

Alexander, meanwhile, said the two programs were birthed in 2007 largely because of the failures of intelligence agencies to connect the dots on information prior to the September 11 terrorist attacks. He reiterated that Internet companies share data only when compelled to do so by a court order. Alexander then shared a screenshot of the business records the NSA has access to through Section 215; the interface showed the date and time a record was collected, the from and to address of the call, length of the call, source and origin of metadata record. He said the NSA does not collect content such as voice or text message, nor does it gather subscriber names, addresses or locational information. If there is a suspicion of a terrorist connection, Alexander said the business record is passed on to the FBI, which then will investigate deeper.

As for PRISM, or Section 702 of the FISA Court, Alexander said this is the United States’ lawful intercept program, under which service providers can be compelled via a court order to hand over data to the intelligence agency. Alexander said agents are not authorized to listen to communications and that a Senate Select Committee review of the program found no “willful or knowledgeable violations of the law under this program,” adding that the agency’s auditing tools would detect unauthorized access to records and the agent would be held accountable.

“There are allegations [the NSA] listen to all our emails; that’s wrong. We don’t,” Alexander said, adding that 54 different terrorist-related activities were identified through PRISM, 42 of which were disrupted, including 13 in the U.S. and 25 in Europe. “And if we did, we would be held accountable. There is 100 percent auditability on what we do.”

Alexander then answered questions from Black Hat general manager Trey Ford, which the conference solicited from its advisory board and select people in the security community. The questions, Ford said, were evaluated and ranked, and Alexander had no knowledge of them beforehand. During the Q&A, Alexander said the Snowden leaks had done significant and irreversible damage to the U.S.

“We’re talking about future terror attacks and the success we’ve had the last 10 years. What will we have in the next 10? What if the 42 of 54 were executed, what would that have meant to our civil liberties and privacy?” Alexander said; a response that was met with loud applause.

Article source: http://threatpost.com/nsa-director-defends-surveillance-activities-during-tense-black-hat-keynote/101541


Google Bolsters Security, Updates Encryption on Certificates

Article source: http://threatpost.com/google-bolsters-security-updates-encryption-on-certificates/101538


Inside the Security Model of BlackBerry 10

LAS VEGAS–The new BlackBerry 10 operating system contains a number of security improvements and upgrades over earlier versions, but there are still some features and functions that an attacker may be able to exploit. The OS also contains a diagnostic tool called QUIP that has the ability to collect various kinds of user data, including voice and audio communications, screen captures and raw memory dumps, and send it to BlackBerry.

The QUIP functionality is designed specifically to gather a variety of data and ship it off to BlackBerry. Ralf-Philipp Weinmann of the University of Luxembourg said he was surprised to find the functionality in the software during a review of its security capabilities.

“I was not amused,” he said.

However, BlackBerry officials said that the feature is turned off by default on all BlackBerry 10 devices and the user has to go in and opt to turn on each specific logging function.

“All of it is clearly enumerated to the user. QUIP is off by default,” said Adrian Stone, head of security response at BlackBerry. “It’s a diagnostic tool. Users can turn it on if they want to. I wouldn’t expect that to be a large number. For us it was a clear choice. We wanted to have that diagnostic capability but we also wanted to respect users’ privacy.”

The logging functionality is in the security and privacy menu on BlackBerry 10 devices.

Weinmann, known for his mobile security and baseband research, took a detailed look at the security model of BBOS 10, and what he found was that the software has some new features that make it harder to attack in some cases. However, he said there are some concerning weak points that could give an attacker the opening he needs to compromise a device. The operating system runs on the new BlackBerry 10 handsets, and unlike previous versions, it’s built on the QNX platform. Weinmann said that the change has made some significant differences in the new OS.

“You have a very weird mix of things running on there now,” Weinmann said.

The security change most noticeable for users is the new partition between personal and business data, known as BlackBerry Balance. The feature enables users to split their sensitive work data from their everyday personal apps, email and other data. Both partitions are encrypted and data doesn’t flow from one to the other. But, Weinmann said that Balance doesn’t make much of a difference in terms of security for most users.

“As a real security mechanism, I don’t have that much faith in it at the moment, to be honest,” Weinmann said in a talk at the Black Hat 2013 conference here Wednesday.

BlackBerry OS 10 also includes some less-obvious security functions, namely exploit mitigations such as ASLR, DEP and stack cookies. Weinmann said that despite these improvements, it’s likely to be easier for attackers to maintain persistence on a compromised BlackBerry device than on an iOS device, for example.

“If you’re any user you can copy binaries to the device and execute them,” he said. “You can totally binaries on the system that remain there. Persistence on the BlackBerry at the moment is significantly easier than on last-generation iOS device. Although, it’s somewhat, if not significantly, better than on most Android phones.”

Weinmann said that because of the way the security is set up on the new BlackBerry 10 devices, the revelation of one privilege-escalation exploit could be a major hit for the OS.

“The security model fundamentally hinges on privilege-escalation exploits not to be available,” he said. “I don’t find that very comforting.”

Article source: http://threatpost.com/inside-the-security-model-of-blackberry-10/101542


In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey

On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ. The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks. Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations. The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection. They used web-hosting services provided by one of the defendants, who, unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement. The defendants also communicated through private and encrypted communication channels and tried to meet in person. They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343). All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing. The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks. The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year. Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc. Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways. Damages are difficult to estimate with precision, but they total several hundred million dollars at least. Just three of the corporate victims suffered losses totaling more than $300 million.

©2013 Drinker Biddle & Reath LLP. All Rights Reserved

Article source: http://www.natlawreview.com/article/largest-known-data-breach-conspiracy-five-suspects-indicted-new-jersey


Latest hospital data breach involves cloud services

So far, healthcare data breaches have primarily involved lost or stolen smartphones, laptops, tablets or thumb drives. A recent transgression at the Oregon Health & Science University, however, has added a new area of concern: unsecured cloud platforms.

OHSU officials recently notified more than 3,000 patients that their health information had been compromised after residents and physicians-in-training in three departments used Google cloud services to share patient data. Officials said the university doesn’t have a contractual agreement to use the cloud-based ISP.

According to officials, the university discovered in May that residents and physicians-in-training in the Division of Plastic and Reconstructive Surgery were using cloud services to maintain a spreadsheet of patients, which included names, ID numbers, ages, provider names, diagnoses, dates of service and, in some cases, addresses. The intent, officials said, was to make it easier to share accurate information about patients admitted to those involved in each patient’s care.

An investigation discovered similar practices in the Department of Urology and Kidney Transplant Services; in all, officials said, the spreadsheets contained HIPAA-protected data concerning 3,044 patients admitted to the hospital between Jan. 1, 2011 and July 3, 2013.

“We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients,” said John Rasmussen, chief information security officer at OHSU, in a company notice. “We sincerely apologize for any inconvenience or worry this may cause our patients or their families.”

This is the fourth HIPAA violation since 2009 for the Portland, Ore.-based provider. In 2009, an unencrypted laptop containing personal health information of some 1,000 patients was stolen from an employee’s car. And in July 2012, an unencrypted thumb drive that an employee had brought home without authorization was stolen. The thumb drive contained personal health information of 14,000 patients, though only 702 patients were notified of the breach, as officials said the drive contained sensitive data on only those patients.

Article source: http://www.mhealthnews.com/news/latest-hospital-data-breach-involves-cloud-services


Report: Health Data Breaches Now Mostly Targeted Incidents

Health data breaches have evolved over the last decade from accidental exposures to mostly targeted incidents by hackers and cyber criminals, according to a report by data security firm ID Experts, American Medical News reports.

Report Findings

In 2012, 12.5 million individuals were victims of identity theft, compared with five million individuals in 2003, according to the report. Experts say that increase is caused in part by the changing nature of most health data security breaches, which used to be caused primarily by human error, according to American Medical News.

Hackers and cyber criminals now are targeting personal health information, which is inherently valuable and relatively easy for thieves to obtain, according to Rick Kam, president and co-founder of ID Experts.

“These criminals essentially are finding ways into those systems to go after very specific pieces of data, and using [those] data to create bigger frauds,” Kam said, adding that several studies suggest that medical records hold an average black market value of $50 per record.

Vulnerability of Health Data

Surveys show that 94% of health care organizations have had at least one data breach in the last two years, according to Kam. Experts say thieves have had more opportunities to target sensitive health information as data have become more mobile and increasingly stored on unsecured smartphones, laptops and tablets, according to American Medical News.

Kam added that the statewide health information exchanges, which were funded under the 2009 federal economic stimulus package’s HITECH Act, could become a growing source of breaches because many are short on funding and might lack the ability to safeguard their data (Lewis Dolan, American Medical News, 7/29).

Article source: http://www.ihealthbeat.org/articles/2013/7/30/report-health-data-breaches-now-mostly-targeted-incidents


Blizzard Data Breach Lawsuit Heads to Mediation

Blizzard Entertainment Inc. and gamers angry about a data breach will attempt to resolve their legal dispute behind closed doors in private mediation, according to a Monday court filing.

The announcement of settlement negotiations comes after a judgment on the pleadings earlier this month that fell mostly in Blizzard’s favor.

U.S. District Judge Beverly Reid O’Connell said plaintiffs in the purported class action lawsuit had failed to show that they were harmed by a data breach last summer and failed to show that actual personal information was stolen, according to the July 11 ruling.

Blizzard is behind the popular games World of Warcraft, StarCraft II and Diablo III. Customers are required to register online in order to play any of those titles, even those that aren’t actually played on the Internet.

In their complaint, gamers allege that the popular video game manufacturer failed to protect private information customers gave to Blizzard through the Battle.net website.

Despite known security failings, the plaintiffs said, the company did not inform customers up front that the purchase of an additional security authenticator would be necessary to keep data safe.

In her ruling, O’Connell said Blizzard has not convincingly said why it didn’t tell consumers up front that an authenticator device — with an extra cost of $6.50 for each customer — was necessary to keep data secure.

As a result, O’Connell did not throw out claims alleged under the Delaware Consumer Fraud Act.

Plaintiffs also allege that Blizzard was negligent for not telling gamers of a massive Aug. 4 data breach in a timely manner, a violation of Delaware’s Data Breach Notification Law.

The suit is filed in the Central District of California and alleges violations of Delaware law, as set out in Blizzard’s terms of use agreement.

The information accessed in an Aug. 4 hack includes email addresses, encrypted passwords and answers to security questions. O’Connell said this doesn’t meet the definition of personal information under Delaware law.

Likewise, O’Connell said that plaintiffs have failed to show that the breach actually harmed them, noting that an increased risk of identity theft is not enough to sustain a negligence claim.

The parties have until Sept. 15, 2014 to reach a settlement. If no agreement is reached, the suit will go to trial that November.

Counsel are required to file a joint report with the court on their discussions following a settlement conference and tell the judge what help the court can provide in working toward a settlement.

Parties have until Nov. 1, 2013 to amend their pleadings.

Blizzard’s lawyers Kathyleen A. O’Brien and Mark S. Melodia, both partners at Reed Smith LLP, were not immediately available for comment.

Plaintiffs’ counsel Gillian L. Wade of Milstein Adelman LLP and Hank Bates of Carney Bates & Pulliam PLLC were not immediately available.

The case is 2:12-cv-09475 in the Central District of California.

Article source: http://www.mainjustice.com/2013/07/30/blizzard-data-breach-lawsuit-heads-to-mediation/


US Airways Acknowledges Data Breach

US Airways recently began notifying its employees that a programming error at ADP may have made it possible for other US Airways employees to view their names, Social Security numbers, and total taxable W-2 wages for the tax years 2010, 2011, and/or 2012 (h/t DataBreaches.net).

“Your information could have been downloaded with another US Airways employee’s W-2, but it would not have been readily apparent to the other employee and would only be detected by the other employee if he or she took additional steps to retrieve the information,” US Airways managing director for corporate disbursements Jill Shoop wrote in the notification letter [PDF].

ADP apparently corrected the programming error on May 4, 2013, but didn’t inform US Airways of the issue until June 6, 2013.

While US Airways hasn’t received any reports that the information was misused, the airline has hired an outside law firm to investigate the breach, and ADP is offering all affected employees a free one-year membership in Experian’s ProtectMyID Alert service.

DataBreaches.net notes that this appears to be the same ADP breach that affected 5,000 Houston government employees last month.

Article source: http://www.esecurityplanet.com/network-security/us-airways-acknowledges-data-breach.html


New Software Obfuscation Throws Wrench into Reverse Engineering

Researchers at UCLA said they’ve developed a game-changing obfuscation mechanism that will put a dent in hackers’ efforts to reverse engineer patches and understand how an underlying piece of software works.

“You write your software in a nice, reasonable, human-understandable way and then feed that software to our system,” UCLA computer science professor Amit Sahai said in a university release. “It will output this mathematically transformed piece of software that would be equivalent in functionality, but when you look at it, you would have no idea what it’s doing.”

Sahai and his fellow researchers, Sanjam Garg, Craig Gentry, Shai Halevi and Mariana Raykova of IBM Research, and Brent Waters of the University of Texas, said this is the first time software obfuscation has been accomplished and could be an important tool in protecting intellectual property, for example. Sahai said that previous obfuscation attempts could be broken in days; this new method would require a hacker to spend hundreds of years to break the cryptography they’ve put in play.

“The real innovation that we have here is a way of transforming software into a kind of mathematical jigsaw puzzle,” Sahai said. “What we’re giving you is just math, just numbers, or a sequence of numbers. But it lives in this mathematical structure so that these individual pieces, these sequences of numbers, can only be combined with other numbers in very specified ways.

“You can inspect everything, you can turn it upside-down, you can look at it from different angles and you still won’t have any idea what it’s doing,” Sahai said. “The only thing you can do with it is put it together the way that it was meant to interlock. If you tried to do anything else — like if you tried to bash this piece and put it in some other way — you’d just end up with garbage.”

The team’s paper, “Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits,” will be presented at the IEEE Symposium on Foundations of Computer Science in October. It also covers functional encryption, a method in which information is encrypted and, depending on the identity characteristics of the recipient, the recipient is able to decrypt only certain pieces of that information. Sahai offered the example of a hospital sharing treatment outcomes with a researcher without sharing patient information.

The secret sauce, however, is in the jigsaw puzzle analogy.

“In Multilinear Jigsaw Puzzle we view group elements as the puzzle pieces. The intuitive analogy to jigsaw puzzles is that these group elements can only be combined in very structured ways—like jigsaw puzzle pieces, different puzzle pieces either fit together or, if they do not fit, then they cannot be combined in any meaningful way,” the researchers wrote in their paper. “We view a valid multilinear form in these elements as a suggested solution to this jigsaw puzzle: a valid multilinear form suggests ways to interlock the pieces together.”

The paper said that the jigsaw puzzle scheme consists of two algorithms, a Jigsaw generator and a Jigsaw verifier. The generator produces the system parameters and the group elements (the puzzle pieces); the verifier checks mathematically whether a proposed way of combining those elements is a correct solution.

By obfuscating software patches, for example, the vulnerabilities being repaired would be hidden from an attacker, the paper said, giving IT teams time to test and deploy patches without fear of the patch being reverse engineered in the meantime. The same goes for cases where intellectual property is being shared and legal protections alone would not be enough to keep the IP from being reverse engineered, for example.

Article source: http://threatpost.com/new-software-obfuscation-throws-wrench-into-reverse-engineering/101531
