Archive for the 'Confidentiality' Category Page 3 of 9

« Older Entries
Newer Entries »
Mar 04

What personnal data Facebook really send to external application ?

in Confidentiality, Internet and Security. Comments Printable version Printable version

One of the Facebook key feature is the ability to add tons of custom applications developed by third party authors. They range from movie quiz to photo tagging to vampire fights. No doubt the idea is very cool but it rises the following privacy concern: what personal data about me an external application is able to get from Facebook ?

Facebook and the success of third party application

Third party applications undeniably contribute to Facebook success. The number
speaks for themselves.

Thousand of applications available

Currently the Facebook application directory list 17754 applications
that you can add to your profile.

Millions of installation

According to Inside Facebook more than 65 Millions of applications where added by users in the first month. This success is so huge that even design of the Facebook interface will evolve to add tabs to handle the increasing amount of information added by these applications. Here is a screenshot of the upcoming application:

]Bottom line: If you use Facebook, you use third party applications. Hence you should start to wonder what data you give to the application when you add it.

The Enrollment Process

The application enrollment process is straightforward. A single screen ask you if you authorize the application to get your data and in which part of your profile you want to place it:

As you can see, there is no information about the data you share with the application or a control mechanism.

The Facebook Application

In order to know, what data are accessible from a third party application, I
took a look at the Facebook API. It is publicly available here.

The most interesting part of the API is the Users.getInfo one. It allows the third party application to get data from the user. There is also a part of the API to work with Friend links but that’s an other story. When the application issues the User.getInfo query, Facebook return an XML file that contains user data.

Information available

So what’s in this XML file ? Your complete profile. Plain and simple. There is a little subtlety though. If you don’t have signup for the application the following data are not available:

  • meeting_for: list of desired relationship types corresponding to the “Looking For” profile element. If no relationship types are specified, the meeting_for element is empty. Otherwise represented as a list of seeking child text elements, which may each contain one of the following strings: Friendship, A Relationship, Dating, Random Play, Whatever I can get.
  • meeting_sex: list of desired relationship genders corresponding to the “Interested In” profile element. If no relationship genders are specified, the meeting_sex element is empty. Otherwise represented as a list of sex child text elements, which may each contain one of the following strings: male, female .
  • religion: User-entered “Religious Views” profile field. No guaranteed formatting.
  • significant_other_id: the id of the person the user is in a relationship with. Only shown if both people in the relationship are users of the application making the request.

Everything (Yes everything) is available regardless you have signup or not. Among these some can be very private:

  • current_location: User-entered “Current Location” profile fields. Contains four children: city, state, country, and zip.
  • education_history: list of school information, as education_info elements, each of which contain name, year, and concentration child elements.
  • relationship_status: User-entered “Relationship Status” profile field. Is either blank or one of the following strings: Single, In a Relationship, In an Open Relationship, Engaged, Married, It’s Complicated
  • work_history: List of work history information, as work_info elements, each of which contain location, company_name, position, description, start_date and end_date child elements. If no work history information is returned, this element is blank.
  • pic*: list of your profile picture.

Once again, If you have signup for the application, all the data are available to the third party, including the four mentioned in the beginning. I wonder what is the point to a movie quiz to know, if I am heterosexual or homosexual.

If you want to see the full list of the data sent take a look at this page.

What Facebook is doing for security ?

It is not surprising that with all this information available the Facebook API
is used for spam, hoax and so on. So what do Facebook ? It tries to restrict
developer power, by adding rate limit and making prominent the link for abuse.
Yeah but that is too late, data are already in the third party database …

Edit 03/22: It seems that facebook now offers a way more advanced to filter personnal informations. That is a very good thing (Does Facebook developper read my blog ? :) ).

A better control of privacy ?

So what can we do ? The solution exists, at least in research lab, it is called selective access control for XML documents. The underlying idea is to provide various level of access to the same XML file. In our Facebook case it could be used to create various level based on the nature of the application. For instance a quiz application does not need to know where I work or if I am married.

If you would like to know more about selective control access, you can read “Securing XML Documents” (pdf) by E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, P. Sarnarati

Feb 04

Does Sim Card Still Clonable ?

in Analysis and production, Hardware, Security and side-channel. Comment Printable version Printable version

It has been ten years since the first attack used to clone sim, and five year since the discolure of the last attack in the paper “Partitioning Attacks: Or how to rapidly clone some GSM cards” by J.R. Rao and Al. So in 2008 does sim cloning still possible ?

SIM Cloning the basic

To clone a SIM card you need various information easily dumpable from the SIM and a secret key stored inside a none readable part of the smart card. People often refers to it as KI.  Knowing this key and public data is sufficient to make calls, sms and receive call. The tamper-resistant smartcard is supposed to protect the key from disclosure. To be more precise the KI is used for the initialization of the A3 and A8 GSM algorithms. Theses algorithms are used to “prove” the knowledge of the key to the service provider, thus authorizing a call. They are also used to setup the “privacy” of the call but that is a different story.

The known attack

The vulnerable instantiation of the A3/A8 is called COMP128. In 1998 the ISAAC reseach group from Berkeley shows that using collisions it was possible to guess the KI in few hours. The speed of the attack was improved and the last attack known to recovers the KI is the paper cited in the introduction.

Many softwares implement this attack to extract the KI. For instance simscan can be used to extract KI used in the comp128v1

simscan

Attack Response

To prevents the extraction of the KI with the collision method the algorithm was upgraded to the COMP128V2 version. It appears that since 2003 most of providers have switched to it.

It is not currently possible to extract the comp128v2 KI. Although some sites claim to have sim analyzer based on side channels analysis. I doubt that these readers ars real, they are more likely scam. Even if side channel analysis such as power consumption have been proved efficient in hardware attack making a device that use it automatically is hard to believe (at least for civilians). User posts on forum tends to be consistent with the fact that they are fake.

esrcomplect

As additionnal protection, there is a hard limit implemented in SIM. After 65xxx authentification the sim is burned. That ensure that no brute force attack can be made. It also probably explains why sim card stop working after a couple of years.

The 3G card

3G card are refered as USIM (Universal Subscriber Identity Module). They use a new authentification algorithm based on AES. If there is a doubt about the possibility of extracting the KI from a COMP128V2, there is none about the USIM algorithm. This is a public algorithm so it has been reviewed by the scientific communauty and so far It assumed as solid.

Conclusion

I have tried the Ki extraction on a quite recent SIM card. It appears that in France providers are at least used comp128v2 and that new card are USIM. So as far as I know cloning SIM is a dying field. In few years there will be only comp128v2 and USIM around unless a new vulnerability is found. Note that not be able to clone a SIM does not mean that your conversation are not eavesdropped. Privacy is ensured by the A5 algorithm and this one is broken…

« Older Entries
Newer Entries »