Author Archives: enicaise

It seems that one of the trendy subject of the moment is the return of the fappening (a portmanteau of the words “fap”, a slang term for masturbation, and the word “happening”[according to Wkikipedia]). As most sequel, the second one is not better than the first one. But my point isn’t to make a parallel with the cinema industry.

For the Fappening 2, it seems that this time two young actresses have been the new victims of hackers disclosing some intimate or sexy pictures. It is not necessary, I hope, to remind that this kind of behaviour is not only illegal as an illegal hacking but that it is aggravated by its intimate implications for the victims.

According to the journalists, there is not yet an explanation on how these pictures have been compromised. There is already a lot of advises given by newspapers and blogs on what to do and not do to avoid such situation. However, one thing that seems to be a common point to these pictures is that they have been taken by someone else than the victims themselves.

When you share information with a third party, you need to ensure that they are at least as careful as you are in their handling of your information.

In this case (and it is just a theory, I have no evidence or clue so far), if friends of these young ladies have taken pictures of them in some more intimate context, even if they trust their friends with their lives, they should ensure that their beloved friends were (also) careful and were following good practices with their phones and their “cloud” storage accounts. It is what we (should) do with our suppliers or any third party in a corporate context, and it is also the right thing to do with your friend (if you want to take intimate pictures of yourself).

In the future, Fashion stores will likely be equipped with interactive mirrors encompassing cameras and allowing them to display an image of yourself in any outfit available in the store (yes, it already exist). This will be the next IoT (Internet of Things) nightmare that will likely cause more Fappening if we don’t add a S for Security to the IoT accronym.

Related sources:

http://thehackernews.com/2017/03/fappening-emma-watson.html

This week, during the CanSecWest 2017 Conference in Vancouver, British Columbia, is held the PWN2OWN™ CONTEST organized by Zero-Day Initiative (http://zerodayinitiative.com/). A team carried on an attack on Microsoft’s Edge browser allowing them to escape a VMware Workstation virtual machine in which it ran. This exploit fetched them 105 000$ of reward. On the same day, another team successfully exploited 3 vulnerabilities and succeed to perform a virtual machine escape.

I will state what is obvious to me since the rising of the hardware virtualization technologies: Virtual Machines aren’t as safe as Physical one. I feel stupid writing it as it is just a matter of fact but it seems it has not yet been accepted by a lot of system admins who are still in denial.

And VMware is not the only to blame, all the Virtualization solutions have already been breached (Xen, KVM,…) one way or another. And those ares just the known exploits. So, whoever you’re talking too, there is no way (s)he can pretend the risks are the same between a physical and a virtual machine.

Of course, there is economics upsides using virtualization and that’s why it is a matter of risk management. But when it comes to crown jewels, we might have to think twice or at least strongly insist on a physical segregation between more sensitive systems and internet facing one.

I don’t say we shouldn’t use virtual machine, I just say we must stop pretending they are as safe as physical one. It is just not true. Risk are different and we must take that into account. The wolfs can pass the fences…

Further reading:

• http://blog.trendmicro.com/pwn2own-2017-day-three-schedule-results/
• https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
• https://en.wikipedia.org/wiki/Virtual_machine_escape