Wednesday, July 28, 2010

BlackHat USA 2010: How to Turn ATMs Into Jackpotted Slots, Basejump the GSM, Lift Malware Developer's Fingerprints & Face Our Existential Dilemma

By Richard Power


Flying into Las Vegas at dawn for the first day of BlackHat USA 2010, I once again felt the poignancy of this extraordinary place. From the original Ocean's Eleven (1960) to Martin Scorsese' Casino (1995), from Howard Hughes to Hunter S. Thompson, Las Vegas is the stuff of legends.

As I walked to the taxi stand, I wondered, which is more remarkable, the incredible heat and dryness of this desert, or the incredible flow of energy and water demanded to sustain this desert city?

And, of course, in Las Vegas, all around you, every moment of the day, the sun beats down, offering all the energy you would need to negate the heat it generates; and of course that energy is yet to be tapped.

Ah, the human folly.

Now the subject of human folly provides an excellent segue to the cyber security scene here at the end of the first decade of the 21st Century.

In his opening remarks, Jeff Moss (the man who launched BlackHat way back when) made an important point: “We are all heads down, working on technical, specific problems. Every once in a while it is probably a pretty good idea to get an idea about ‘what’s the bigger world we are all operating in, what is the larger context we do this for, is it for society, or your business, or your personal advancement? ... What security problems have we fundamentally solved? I can’t really think of any real big things we have killed. Can we send e-mail securely? I don’t think so. Can we write a packet securely? Can we browse the Web securely? No. But we’ve got 50,000 new vendors, and lots of widgets. I am trying to understand what is the incentive? How do we solve these larger problems that are so fundamental, the underpinnings of everything we do? For our country and for every country in the world the Internet is an engine for innovation and commerce. And yet, we do not seem capable of putting the energy forth to secure the fundamental underpinnings ... In whatever endeavor you are in I want you to think about how we can fix the underlying fundamentals."

Moss' creation, BlackHat, continues to evolve, year after year, both as an important industry event and as an invaluable technical resource.

Here are some highlights from three of the sessions that I found compelling.

The Grugq, who lives in Thailand, and works as a senior security researcher for Singapore-based Coseinc, spoke on "Base Jumping: Attacking the GSM Baseband and Base Station."

The Grugq gave an overview of the GSM protocol and infrastructure, and then explained some GSM attacks: RACHell, in which the attacker floods the BSS with requests and prevents everyone from using that cell; IMSI Flood, in which the attacker overloads the HLR/VLR infrastructure and prevents everyone from using the network; and IMSI DETACH, in which the attacker sends multiple Location Update Requests, including a spoofed IMSI, and prevents a SIM from receiving calls and SMS.

In his understated conclusions, Grugq observed: "GSM is no longer a walled garden. GSM spec has security problems. Expect many more issues as OSS reduces costs for entry."

Greg Hoglund of HBGary, Inc. spoke on "Malware Attribution: Tracking Cyber Spies and Digital Criminals."

Hoglund suggested that in a world where "the largest computing cloud" is "controlled by Conficker," we should be paying more attention to the creators of such malicious programs: "Attribution is about the human behind the malware, not the specific malware variants; and that the focus must be on human influenced factors."

He went on to show that on a spectrum of intelligence sources regarding the originators of malware, ranging from "nearly useless" (e.g., blacklists) to "nearly impossible" (physical surveillance/HUMINT), "Developer Fingerprints" (e.g., "IDS signatures with long-term viability") occupied a "Sweet Spot."

Hoglund offered some compelling evidence that malware attribution was "possible through forensic toolmarking combined with both open and closed source intelligence."

Barnaby Jack, Director of Research at IOActive Labs, spoke, to an overflowing audience, on "Jackpotting Automated Teller Machines Redux."

To loud laughter from the audience, Jack cited the disturbing words of Windows CE developer, Thomas Fenwick: “We were concerned about protection, but not about security. We weren’t trying to design an airtight system like Windows NT.”

Then Jack proceeded to take us step by step through turning a stand-alone ATM into the equivalent of a Vegas slot machine that had hit the jackpot, highlighting the tools he has developed to do so: Scrooge, his own rootkit, and Dillinger, his own remote attack and administration tool, which allows for "management of unlimited ATMs."

By the end of Jack's stunning presentation, the two ATMs on the stage were spitting out dollar bills to uproarious applause.

What a compelling metaphor for the state of cyber security in the last year of the first decade of the 21st Century.

Jack offered some suggestions in terms of countermeasures, including "offer upgrade options on physical locks," and "implement trusted environment."

See Also

From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)

And Other CyBlog Conference Coverage ...

SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Notes on TIW 2010: The Builders & Building Blocks of Trustworthy Infrastructure

CyLab Research has Powerful Impact on 2010 IEEE Security & Privacy Symposium

RSA 2010: Lost in the Cloud, & Shrouded in the Fog of War, How Far Into the Cyber Future Can You Peer? Can You See Even Beyond Your Next Step?

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

RSA Conference 2009: Summary of Posts

Sunday, July 18, 2010

TIW 2010: Jonathan McCune for Adrian Perrig on "Software-Based Attestation: History, Constructions, Applications, Current State of Research" (6-9-10)

Jonathan McCune for Adrian Perrig on "Software-Based Attestation: History, Constructions, Applications, Current State of Research," TIW 2010, 6-9-10, CyLab/Carnegie Mellon University (Part I)



Jonathan McCune for Adrian Perrig on "Software-Based Attestation: History, Constructions, Applications, Current State of Research," TIW 2010, 6-9-10, CyLab/Carnegie Mellon University (Part II)



Jonathan McCune for Adrian Perrig on "Software-Based Attestation: History, Constructions, Applications, Current State of Research," TIW 2010, 6-9-10, CyLab/Carnegie Mellon University (Part III)



Jonathan McCune for Adrian Perrig on "Software-Based Attestation: History, Constructions, Applications, Current State of Research," TIW 2010, 6-9-10, CyLab/Carnegie Mellon University (Part IV)



For more information on TIW 2010:

Notes on TIW 2010: The Builders & Building Blocks of Trustworthy Infrastructure

CyLab Chronicles: A Report on TIW 2010

Trustworthy Infrastructure Workshop (TIW) 2010

TIW 2010: Research Workshop Panel Discussion - Adrian Perrig, Jonathan McCune. (6-9-10)

TIW 2010 Research Workshop Panel Discussion: Adrian Perrig, Jonathan McCune. 6-9-10, CyLab/Carnegie Mellon University



TIW 2010 Research Workshop Panel Discussion: Adrian Perrig, Jonathan McCune. 6-9-10, CyLab/Carnegie Mellon University (Part II)



TIW 2010 Research Workshop Panel Discussion: Adrian Perrig, Jonathan McCune. 6-9-10, CyLab/Carnegie Mellon University (Part III)



TIW 2010 Research Workshop Panel Discussion: Adrian Perrig, Jonathan McCune. 6-9-10, CyLab/Carnegie Mellon University (Part IV)



For more information on TIW 2010:

Notes on TIW 2010: The Builders & Building Blocks of Trustworthy Infrastructure

CyLab Chronicles: A Report on TIW 2010

Trustworthy Infrastructure Workshop (TIW) 2010

TIW 2010: Virgil Gligor Delivers "A Challenge for Trustworthy Computing" (6-7-10)

Virgil Gligor, CyLab Director, issues "A Challenge for Trustworthy Computing" at TIW 2010 on the Carnegie Mellon Campus, in Pittsburgh, Pa., on 6-7-10. (Part I)



Virgil Gligor - Part II - Axioms (continued), (Ir)relevance of Virtualization to Humans



Virgil Gligor - Part III - (Ir)relevance of Security Kernels to Assurance, Conclusions



For more information on TIW 2010:

Notes on TIW 2010: The Builders & Building Blocks of Trustworthy Infrastructure

CyLab Chronicles: A Report on TIW 2010

Trustworthy Infrastructure Workshop (TIW) 2010

Saturday, July 17, 2010

CyLab Business Risks Forum: Cormac Herley - "Everything You Know About Cybercrime is Wrong"



CyLab Business Risks Forum: Cormac Herley - "Everything You Know About Cybercrime is Wrong" (4-26-10)

This CyLab You Tube Channel video is a brief excerpt from a CyLab Business Risks Forum event featuring Cormac Herley, Principal Researcher at Microsoft Research, speaking on "Everything You Know About Cybercrime is Wrong."

The CyLab Business Risks Forum is a part of the CyLab Seminar Series.

Forum events feature guest speakers from business and government, invited by CyLab Distinguished Fellow, Richard Power.

CyLab Business Risks Forum and CyLab Seminar Series events are open to CyLab Partners and to Carnegie Mellon CyLab faculty and students.

Full-length recordings of these talks are available via the CyLab Partners Portal, and access to the Portal is only granted to participants in the CyLab Partners Program.

For more information on how and why to become a CyLab Partner, visit CyLab Online at http://www.cylab.cmu.edu.

CyLab Business Risks Forum: Ed Stroz - "Manipulation of Digital Evidence in Investigations"



CyLab Business Risks Forum: Ed Stroz - "Manipulation of Digital Evidence in Investigations" (3-22-10)

This CyLab You Tube Channel video is a brief excerpt from a CyLab Business Risks Forum event featuring Ed Stroz of Stroz Friedberg, speaking on "Manipulation of Digital Evidence in Investigations."


CyLab Business Risks Forum: Christopher Burgess - "Common Sense Approach to Social Media"



CyLab Business Risks Forum: Christopher Burgess - "Common Sense Approach to Social Media" (1-25-10)

This CyLab You Tube Channel video is a brief excerpt from a CyLab Business Risks Forum event featuring Christopher Burgess, co-author of Secrets Stolen, Fortunes Lost, and a Senior Security Advisor at Cisco Systems, speaking on "Common Sense Approach to Social Media."


CyLab Business Risks Forum: Erin Kenneally - "Information Sharing vs. Privacy, Is it a Celebrity Death Match?"



CyLab Business Risks Forum: Erin Kenneally - "Information Sharing vs. Privacy, Is it a Celebrity Death Match?" (11-16-09)

This CyLab You Tube Channel video is a brief excerpt from CyLab Business Risks Forum: Erin Kenneally on "Information Sharing vs. Privacy - Is it a Celebrity Death Match?"


CyLab Business Risks Forum: Richard Power - "Starting Over After A Lost Decade; In Search of a Bold New Vision for Cyber Security"



CyLab Business Risks Forum: Richard Power - "Starting Over After A Lost Decade; In Search of a Bold New Vision for Cyber Security" 10-26-09

This CyLab You Tube Channel video is a brief excerpt from CyLab Business Risks Forum: Richard Power on "Starting Over After A Lost Decade; In Search of a Bold New Vision for Cyber Security."


CyLab Business Risks Forum: Jennifer Bayuk - "Enterprise Security for the Executive: Setting the Tone From the Top"



CyLab Business Risks Forum: Jennifer Bayuk - "Enterprise Security for the Executive: Setting the Tone From the Top" (09-28-09)

This CyLab You Tube Channel video is a brief excerpt from CyLab Business Risks Forum: cyber security expert and author Jennifer Bayuk on "Enterprise Security for the Executive: Setting the Tone From the Top."


CyLab Business Risks Forum: Rebecca Herold - Convergence of Information Security, Privacy and Compliance



CyLab Business Risks Forum: Rebecca Herold, "Convergence of Information Security, Privacy and Compliance" (2-23-09)

This CyLab You Tube Channel video is a brief excerpt from CyLab Business Risks Forum: Rebecca Herold of www.rebeccaherold.com on "Convergence of Information Security, Privacy and Compliance."


CyLab Business Risks Forum: Mike Susong - Electronic Crime Ecosystem: Evolution from Cold War to Cold Cash



CyLab Business Risks Forum: Mike Susong - "Electronic Crime Ecosystem: Evolution from Cold War to Cold Cash" (1-26-09)

This CyLab You Tube Channel video is a brief excerpt from CyLab Business Risks Forum: Mike Susong of iSIGHT Partners on "Electronic Crime Ecosystem: Evolution from Cold War to Cold Cash."


Friday, July 16, 2010

SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Carnegie Mellon students Richard Shay and Saranga Komanduri present on "Encountering Stronger Password Requirements: User Attitudes and Behaviors" at SOUPS 2010 (Photo credit: Lujo Bauer)



By Richard Power


SOUPS 2010 is the sixth annual event, and the third one it has been my pleasure to cover. It is also the second year in a row that the event was held at one of the centers of true power in cyberspace; last year it was held at the Google campus in Silicon Valley, this year it was held at Microsoft campus in Redmond, Washington.

Adam Shostack, a program manager for Microsoft's Trustworthy Computing Initiative, gave the Invited Talk. Shostack's presentation was titled, "Engineers Are People, Too."

Cormac Herley and Dinei Florencio of Microsoft Research won the Best Paper Award for their "Where Do Security Policies Come From?"

To give you a feeling and a sense for the nature of the research explored at SOUPS 2010, here are some brief excerpts from the papers presented on just one day:

"Do Windows Users Follow the Principle of Least Privilege? Investigating User Account Control Practices" by Sara Motiee, Kirstie Hawkey and Konstantin Beznosov, University of British Columbia (Vancouver, B.C.):

All our participants used an admin account on their laptop. Although 71% had a partial understanding of the limitations and rights of each user account type, 91% of participants were not aware of the security risks of high-privilege accounts or the security benefits of low-privilege ones. Also, while 62% had experienced a low-privilege user account, they were not motivated to use it on their own laptops because of the limitations they had faced using these accounts.

"Encountering Stronger Password Requirements: User Attitudes and Behaviors" by Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin and Lorrie Faith Cranor, Carnegie Mellon University (Pittsburgh, PA.):

Our results reveal flaws in NIST's assumptions. NIST bases its per-password entropy estimates on several assumptions that are inconsistent with our findings [2]. They assume users will create passwords of the minimum required length, but our results show an average length more than two characters above the minimum. NIST also assumes users will have the minimum number of special characters, but our participants frequently indicated using more. Over two-thirds of users who responded said they used more than the one required number. It would be useful to examine larger sets of passwords created under a variety of password policies to provide empirical data to improve the NIST guidelines.
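To make the gap the Shay et al. excerpt describes concrete, here is an added illustration (not code from the paper or from SOUPS) that applies the NIST SP 800-63 Appendix A heuristic for user-chosen password entropy first to a policy's bare minimum and then to what users actually typed. The per-character bit values are NIST's published ones (4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for 9 through 20, 1 bit thereafter, plus a 6-bit composition bonus); the dictionary-check bonus is omitted, and the sample passwords, the policy parameters and the function names are constructed for this example.

```python
import string

# NIST SP 800-63 (2006) Appendix A heuristic for user-chosen passwords.
# Added example; the sample passwords below are constructed, not study data.


def nist_entropy_estimate(length: int, composition_rule: bool = False) -> float:
    """Return NIST's heuristic entropy estimate (in bits) for a user-chosen
    password of the given length.

    The per-character values are the published ones; the dictionary-check
    bonus from the same appendix is deliberately left out for simplicity.
    """
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0          # first character
        elif position <= 8:
            bits += 2.0          # characters 2 through 8
        elif position <= 20:
            bits += 1.5          # characters 9 through 20
        else:
            bits += 1.0          # characters 21 and beyond
    if composition_rule:
        bits += 6.0              # bonus for requiring upper case + non-alphabetic
    return bits


def password_profile(password: str) -> dict:
    """Count the properties a composition policy talks about."""
    return {
        "length": len(password),
        "digits": sum(c.isdigit() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "symbols": sum(c in string.punctuation for c in password),
    }


def policy_vs_observed(min_length: int, composition_rule: bool, passwords: list) -> dict:
    """Compare the estimate NIST assigns to the policy minimum with the
    average estimate for the passwords users actually chose."""
    profiles = [password_profile(p) for p in passwords]
    n = len(profiles)
    return {
        "policy_minimum_bits": nist_entropy_estimate(min_length, composition_rule),
        "observed_avg_length": sum(p["length"] for p in profiles) / n,
        "observed_avg_digits": sum(p["digits"] for p in profiles) / n,
        "observed_avg_symbols": sum(p["symbols"] for p in profiles) / n,
        "observed_avg_bits": sum(
            nist_entropy_estimate(p["length"], composition_rule) for p in profiles
        ) / n,
    }


# Constructed sample: a policy requiring 8+ characters with a composition rule,
# and four hypothetical passwords that all exceed the bare minimum.
SAMPLE_PASSWORDS = ["Summer2010!", "P@ssw0rd99", "Blue#Car42", "Qwerty!1"]

if __name__ == "__main__":
    report = policy_vs_observed(8, True, SAMPLE_PASSWORDS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Under the constructed policy NIST's method credits the minimum-length, rule-compliant password with 24 bits, while the same heuristic applied to the longer passwords users actually picked averages noticeably more, which is the direction of the mismatch the paper reports; the same functions can be pointed at any other minimum length or at a corpus of real lengths.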

"A Closer Look at Recognition-based Graphical Passwords on Mobile Devices" by Paul Dunphy of Newcastle University (Newcastle upon Tyne, U.K.), Andreas Heiner and N. Asokan of Nokia Research (Helsinki, Finland):

Despite the increasing presence of biometrics for user authentication on consumer electronics e.g. laptops, knowledge-based authentication systems are likely to remain attractive due to being purely software-based solutions. Graphical password systems based on recognition potentially have a role to play in this area, due to accurate user performance in previous studies, including this one. One key limitation however, is that login durations recorded for our systems – and others – are still too long. User acceptance is often driven by convenience and login durations of approximately 20 seconds are unattractive to many users.

"Usably Secure, Low-Cost Authentication for Mobile Banking" by Saurabh Panjwani and Ed Cutrell of Microsoft India:

While the design of secure and usable authentication for banking applications is a well-studied problem in the developed world, applying the same solutions to developing-world mobile banking is a challenge, primarily due to the limited capacity of the phones available in these regions. Amongst all mobile banking providers in the world, EKO is unique ... In this paper, we have demonstrated a security weakness in EKO’s solution which causes the privacy of user PINs to be easily compromised. On the positive side, we have also shown an alternative solution which not only fixes this problem with EKO’s scheme but also improves its usability and user-friendliness. This is an absolute win-win situation for user-centric security design – better security with better usability. Our research has potential implications for banking in the developed world also. While ATM-based banking is claimed to offer secure 2-factor authentication, such claims have considerably weakened with the increasing incidence of skimming attacks in the recent past ...

"Two Heads are Better Than One: Security and Usability of Device Associations in Group Scenarios" by Ronald Kainda, Ivan Flechais and Andrew William Roscoe of Oxford University (Oxford, U.K.):

We have analysed, evaluated and compared methods for transferring fingerprints among devices for the purpose of bootstrapping security in group scenarios. While it has been believed that group settings may be more subject to failures during the association process compared to single user pair-wise associations, our findings show the converse to be true ...
Based on participants' feedback and video analysis, we concluded that in group settings security of device association is a function of a sum of efforts rather than weakest link. Data further revealed that users rarely read instructions before using a new system but learn as they 'get on with it.' Users also believe that a secure system must be complex and difficult to use. In addition we realised how contextualising laboratory studies can lead to richer data and responses from participants.


"Influence of User Perception, Security Needs, and Social Factors on Device Pairing Method Choices" by Iulia Ion and Srdjan Capkun of ETH Zurich (Zurich, Switzerland), Marc Langheinrich of University of Lugano (Lugano, Switzerland) and Ponnurangam Kumaraguru of IIIT Delhi (New Delhi, India):

Creating a technically secure and highly usable method is not always sufficient to meet users' needs. The method should also comply with users' security perception and be appropriate for the specific social situation.
1. Map perceived security to method guarantees: Designers should create methods whose actual security guarantees are consistent with users' perceived security. To achieve this, it might be necessary to introduce redundant steps, controls, cancel buttons, and double confirmations.
2. Include security by default: We detected several mismatches between users' mental models and system designs, which prove the need to include security by default when dealing with sensitive data, such as a customer entrusting a confidential financial report or a bank issuing a credit card. Also, our results show users' willingness to have security enabled by default.
3. Support several methods: Some users liked Take a picture very much and disliked Listen up, and others felt exactly the opposite. To account for diverse personal preferences, mobile devices should support a set of different pairing methods.
4. Account for social factors: No single method is adequate for all situations. Users are likely to bypass security before breaking social norms. Designers should provide appropriate methods for professional environments, public and private places, and interaction with friends or strangers. The user could, for instance, choose between several variants: meeting mode, quiet room mode, professional mode, play/fun mode, etc.


The full text of these papers, as well as the others presented at SOUPS 2010, is available from the event's official site, along with information on the two workshops held: Usable Security Experiment Reports (USER) and Security & Privacy Usability Technology Transfer: Emerging Research (SPUTTER).

See Also

NSF Awards Grant for Privacy Study to CyLab Researchers Acquisti, Cranor and Sadeh

CyLab Chronicles: Q and A with Lorrie Cranor (2010)

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

Glimpses into the Fourth Annual Symposium on Usable Security and Privacy (SOUPS 2008)