Thursday, August 11, 2011

USENIX Security 2011: Another Ring on the Tree Trunk for One of Cyber Security's Worthiest Gatherings, & A Strong CyLab Presence

Nektarios Leontiadis, Carnegie Mellon CyLab, speaking at USENIX Security Symposium 2011

The USENIX Security Symposium has been one of my favorite conferences to attend throughout my two decades in the realm of cyber security. I have been writing about it since my days as Editorial Director of the Computer Security Institute (CSI), and it has never disappointed me, either in terms of its content or its integrity. Incredibly, this year's Symposium is the twentieth, and it doesn't feel like USENIX is getting old or selling out any time soon.

Here are some of my notes from Wednesday and Thursday, just two of the five days on the Symposium's agenda.

Hugo and Locus Reader Award winning Sci-Fi author Charles Stross gave the opening keynote on Network Security in the Medium Term: 2061–2561 AD.

What is network security going to be like, Stross asked, after Moore's Law has burnt out?

"By 2061 well over half of the world's populace will live in cities ... Governments not going to be as important as they used to be ... Mature nanotechnology all around us, but not be as life-like as people think ..."

Stross outlined these and other predictions about the nature of cyber/physical reality in 2061 and beyond, but then he did an about face: "Everything I just said is bunk, because it assumes nothing bad will happen ..."

For much of the rest of his musings, Stross focused on some specific future technologies and the potential impact and consequences.

Mobile phones? They already connect people, not places; we are raising a generation of kids who won't know what it's like to get lost. In the future, you will say "I want to visit my cousin Bill, wherever he lives," and a cab will show up.

Where are we going to store it all? Memory diamonds, Stross predicted: a mesh with a data bit encoded in each atom.

Life-logging will include face recognition on everything you see, and OCR on everything you read.

Life-logging will be mandated by insurers, for any employee involved in any work that's risk-related.

Home genome monitoring will deliver personal health benefits and provide health agencies with early warning.

ID theft will be radically more drastic; it will capture an entire human existence in 64 milligrams of memory diamond.

Is losing your health privacy an acceptable price to pay for avoiding a plague?


I asked friend and long-time colleague Rik Farrow, Editor of USENIX's bi-monthly magazine ;login, both for his savvy take on Stross' vision of the "intermediate future," and for what jumped out at him from other sessions.

"Charlie Stross does an amazing job envisioning the future, both near term and further out. His predictions of two terabyte personal bandwidth seem a bit 'over-the-top', but then consider how some Connecticut Yankee with his proverbial time machine would consider the world of today. Stross was eloquent, intriguing, but dodged the thorny issues of the future of security. We've botched things terribly in our rush to just make things work. Critical systems, like the P25 radios described by Matt Blaze, have design flaws that make them easier to use incorrectly, without encryption, than with it enabled. Yet the ability to manage encryption keys and have systems that can use encryption without requiring a genius as operator are critical moving forward. Dave Aitel's invited talk, The Three Cyber-War Fallacies, opposite the papers track, also served notice on many security fantasies. Dave provided metrics to back up a lot of what he was saying, like attack is hard, or the average useful lifespan of a zero-day is 99 days! We need to move on from signature-based approaches to security, Dave said, and I strongly agree with him. The car hacking attack displayed the amazing perseverance seen in many of today's best researchers, and Steve Checkoway's demonstration (Comprehensive Experimental Analyses of Automotive Attack Surfaces) of remotely locating (with GPS), unlocking, and defeating the anti-theft measures using a hack embedded in an MP3 stream drew enthusiastic response from the audience. I really appreciated the work by Kevin Z. Snow (SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks) and others to test possible malicious data, like PDFs, for executable code by using a tiny operating system they had built, and run in a Linux VM for testing Windows exploits. Mindblowing."

The Matt Blaze study mentioned in Rik's remarks is entitled Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System. Co-authored by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze of the University of Pennsylvania, it was one of two studies awarded "Outstanding Paper."

The other study to receive "Outstanding Paper" was Measuring Pay-per-Install: The Commoditization of Malware Distribution, co-authored by Juan Caballero, IMDEA Software Institute, and Chris Grier, Christian Kreibich and Vern Paxson, University of California, Berkeley, and ICSI.

CyLab had a strong presence at the 20th USENIX Security Symposium.

Two CyLab studies were among the refereed papers presented:
Alessandro Acquisti and Collin Jackson also delivered Invited Talks.

CyLab's Collin Jackson speaking at USENIX Security Symposium 2011

Collin Jackson's Invited Talk, Crossing the Chasm: Pitching Security Research to Mainstream Browser Vendors, underscored why Jackson, based at Carnegie Mellon's Silicon Valley Campus, is a force to be reckoned with in the space of browser security.

At the end of his talk, he even provided attendees with a list of "Controversial Things I Just Said":

NoScript is a niche browser ... not the browser of the future.

Program committees actively harm good ideas.

OCSP is risky.

SafeHistory is undeployable.

Breaking with sockets for six months was not a mistake.

You should crash Mozilla team meetings.
Nektarios Leontiadis, a Carnegie Mellon grad student conducting CyLab research, presented on Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade. This paper presents the latest findings in Nicolas Christin's compelling work in the space of the economics of security and cybercrime. For more information on this study, see USENIX Security 2011: CyLab Researchers Release Study On Illicit Online Drug Trade And Attacks On Pharma Industry.
For more on Alessandro Acquisti's latest study, Privacy in An Age of Augmented Reality, which was released last week at Black Hat Briefings 2011 in Las Vegas, see New Study Co-Authored By CyLab Researcher: Face Recognition Software And Social Media Result In Increased Privacy Risks, or Black Hat Briefings 2011: Mudge of DARPA, the App as Ultimate Wingman, Why the Water Commissioner's Hair is on Fire, & Other Strange Tales, and my CSO Magazine interview with him, Face recognition and social media meet in the shadows.

See Also

Voltaire Lives: A Report from USENIX Security Symposium 2010

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

Friday, August 5, 2011

Black Hat Briefings 2011: Mudge of DARPA, the App as Ultimate Wingman, Why the Water Commissioner's Hair is on Fire, & Other Strange Tales
By Richard Power


Here are my notes from Black Hat Briefings (USA) 2011, held at Caesar's Palace in Las Vegas, Nevada.

Mudge of DARPA

"Mudge of DARPA" sounds like the name of a character out of World of Warcraft, or some other massively multiplayer online role-playing game (MMORPG). But no; and although in this case truth is not stranger than fiction, it was indeed remarkable to see Peiter "Mudge" Zatko, legendary denizen of the L0pht, author of L0phtCrack, and founder of @Stake, truly one of the iconic figures of the cyber security counter culture, keynoting at Black Hat 2011 in his new role as Program Manager at the Defense Advanced Research Projects Agency (yes, DARPA).

In his talk, Mudge offered glimpses into two of his initiatives: Analytic Framework for Cyber Security and Cyber Fast Track.

Touching on the Analytic Framework for Cyber Security, Mudge remarked, "Think of the cold war, and spending; right now we're looking pretty much like Russia."

Using a few fascinating graphs and charts, Mudge illuminated some of the fundamental flaws in established approaches. For example, one of his charts, titled "We are Divergent with the Threat," compared average lines of code over a fifteen-year period from 1985 to 2010: security software (currently at ten million lines) versus average lines of code in malware (holding consistently at one hundred twenty-five lines of code).

The second of these two initiatives, the Cyber Security Fast Track (DARPA-RA-11-52), had just gone live.

According to Mudge, a single government cyber security project typically takes eighty-one months to reach completion.

"Six years. The threat landscape will be different by then. So rather than run one program for six years let's run hundreds with maker spaces and boutique security firms ... Small groups of motivated and like-minded researchers have repeatedly shown significant talent and capabilities."

He hopes to reach such entities with a streamlined funding application and approval process, vetted by four compatriots belonging to that same cyber security counter culture from which Mudge emerged.

"This relationship needs to be mutually beneficial. DARPA intends to cultivate relations and become a resource."

I do not know how the tale of Mudge of DARPA will end, but somehow it feels right to me that he's there, and I hope it leads to genuine breakthroughs. But I assure you, after twenty years in the wilderness that is cyber security, I could only be pleasantly surprised.


100% Out of Sync

In a panel discussion entitled Trillions of Lines of Code and Counting: Securing Applications At Scale, Jeremiah Grossman, founder and CTO of WhiteHat Security, offered some insightful perspectives that echoed the kind of critical thinking Mudge had been advancing when talking about developing his Analytic Framework earlier in the day.

Grossman's views are worthy of attention. His street cred? WhiteHat performs weekly vulnerability assessments on four thousand high-profile sites (e.g., banks, insurance companies, healthcare providers, retailers), and seven out of ten of those sites have serious vulnerabilities (i.e., the kind that would enable attackers to access customer information, hack users' accounts, or perform other headline-grabbing misdeeds).

"Whenever we discuss the software security problem, it is inevitably said that what we need to do is train developers to secure code, and it is difficult to argue against that position, especially in regard to people going through college and graduate school programs. But meanwhile there are seventeen million active developers, my guess is that less than one percent of them have formal software security training. How do you give remedial training to seventeen million developers? We don’t even have anywhere near the number of instructors that would be required. Computer-based training would be the only viable solution."

But according to Grossman, the loudly trumpeted issue of training developers hides a different problem that is just as systemic and at least as damning.

"If you look at IT budgets, businesses are investing in the network, host and application layers. Generally, organizations spend the least on routers and switches, and spend a little more on servers, desktops, commercial software, etc. But they spend the most on their own applications; they have legions of developers writing code. It is said that one of the major financial institutions has three developers for every banker. So that's where the business is investing. Now InfoSec likes to say it practices risk management aligned with business. And yet, where does InfoSec spend its money? It spends the most on firewalls and IDS, to protect what the business spends the least in building, followed by anti-virus and patch management to protect the host, but very little protecting the apps where the business is spending the most. The way we do InfoSec budgeting doesn't work. Congratulations, InfoSec, you are 100% out of sync!"


In the Age of Augmented Reality, the Ultimate "Wingman"

CyLab's Alessandro Acquisti broke some of the biggest news at Black Hat Briefings 2011; well, just prior to Black Hat 2011 actually, since The Economist (8-30-11) and the Wall Street Journal (8-1-11) ran exclusives leading up to his conference presentation.

In "Faces Of Facebook - Or, How The Largest Real ID Database In The World Came To Be," Acquisti debuted the results of research conducted with two other Carnegie Mellon researchers, Ralph Gross and Fred Stutzman. This sensational work is a worthy follow-up to the blockbuster study on guessing Social Security numbers that Acquisti and Gross co-authored in 2009.


In the course of three experiments, Acquisti and his research colleagues investigated the "feasibility of combining publicly available online social network data with off-the-shelf face recognition technology for the purpose of large-scale, automated, peer-based ... individual re-identification, online and offline, and 'accretion' and linkage of online, potentially sensitive, data to someone’s face in the offline world."

What does this mean in practical terms? A lot. And in terms of individual privacy, much of it is disconcerting.

Imagine a smartphone app with which a man in a bar could snap a photo of a woman he is talking to and, after a brief search, have access to her dating site info; imagine that at the same moment she is accessing his credit score. Acquisti and a member of his team demonstrated how this would work with a little program amusingly named "Wingman."

The implications are staggering, as Acquisti articulates.

"Is the combination of technologies described [facial recognition and social media applications] going to provide these linkages [all your different, perhaps disguised on-line personas with your actual identity], where we are not simply giving a name to an anonymous face, but we actually blend together on-line and off-line data? ... [Guessing social security numbers] is just one example of what is going to happen, through this blending of on-line and off-line data, this convergence of personal and predictable information; in a way it is written on your face, even if you may not be aware of it. It may democratize surveillance, and I am not saying this in a good sense, I am saying it with concern. We are not talking just about constricted and restrained Web 2.0 applications that are limited to consenting, opt-in users, such as maybe Picasa or currently Facebook tagging. We are talking about a world in which anyone could, in fact, recognize your face and make these inferences, because the data is already out there, it is already publicly available. So what will our privacy mean in this kind of future of augmented reality? We have already created a de-facto Real ID infrastructure ... Nationally, Americans are against Real IDs, but we have already created one for the marketplace."

For better and worse, it will change our world.

"In fact, augmented reality may also carry deep-reaching behavioral implications. Through natural evolution, human beings have evolved mechanisms to assign and manage trust in face-to-face interactions. Will we rely on our instincts, or on our devices, when mobile devices make their own predictions about hidden traits of a person we are looking at?"

For more insights on this important study, you can read my CSO Magazine interview with Acquisti, "Face recognition and social media meet in the shadows." And on Acquisti's own site, you will find an excellent Frequently Asked Questions (FAQ) on the facial recognition study, as well as the draft slides for the Black Hat 2011 presentation.



Google This ...

In "Pulp Google Hacking: Next Generation Search Engine Hacking Arsenal," Fran Brown and Rob Ragan of Stach & Liu, LLC debuted a slew of sophisticated new tools to optimize the use of Google searches for open source intelligence, including:
  • GoogleCodeSearchDiggity, which identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, etc. (loaded with 40 default searches that identify SQL injection, cross-site scripting, insecure remote and local file includes, hard-coded passwords, etc.)
  • DiggityDLP, which leverages Google and Bing to identify exposures of SSNs, credit card numbers and other sensitive information via common document formats such as .doc, .xls, and .pdf
  • FlashDiggity, which provides automated Google searching, downloading, decompiling and analysis of SWF files to identify Flash vulnerabilities and info disclosures
  • DroidDiggity, a smartphone app that delivers GoogleDiggity and BingDiggity to Android phones.
Here is just one of their numerous (and compelling) examples of such tools' powerful capabilities, and the implications thereof.

"Another interesting one that made the news last week or the week before ... I believe this was released by one of the members of Anonymous ... governmentsecuritybags.com ... this is a web site that sells bags with locks on them that you can use to carry around top secret or classified documents ... this has been removed now ... while they were good enough to remove it, thank you Google for caching it ... This made the news last week, I didn't even notice it until one of our searches with "Blvd" and "75th." So, basically, we are looking at the actual personal information, billing addresses, usernames and passwords that they registered with ... So if you want to go one-stop shopping for the e-mail addresses, passwords, billing addresses ... it even has a picture of the bag they purchased, so you know what to look for ... Here is a list of six hundred or so people you could go after, who are walking around with top secret bags on them."

If intelligence gathering is something required in your work (and at this point, if you are in cyber security and it isn't already part of your skill set, you are way behind the curve), or if you or your organization are the likely target of intelligence gathering, whether corporate, state-sanctioned or lone wolf (and at this point, who or what wouldn't be, from some vector or another), then you ignore the Google Hacking Project at your own risk.



Why is the Water Commissioner's Hair on Fire?

In the developed world, when people turn on the tap, they expect the water to flow; and while they might prefer to drink bottled water, they also expect the tap water to be relatively safe. Of course, although these expectations are based on a lifetime's experience, they are also based on ignorance. Water is one of the most pressing sustainability issues confronting the human race in the 21st Century. Furthermore, the infrastructures that deliver water to our populations are, in many (if not most) cases, old, deteriorating and vulnerable to both bad actors and bad luck.

Of course, that's not stopping the push toward smart water meter networks; and just as with the similar, albeit much more high-profile, push toward a smart power grid, this push will open new vulnerabilities and aggravate some existing ones.

John McNabb of South Shore PC Services (Boston, MA) has undertaken his own independent research into the potential risks and threats involved. For thirteen years, McNabb served as Water Commissioner for a small local water utility.

Speaking on "Vulnerabilities of Wireless Water Meter Networks" at Black Hat 2011, McNabb shared his insights.

There is a lot at stake and a lot at risk.

"Water is a $400 billion global industry ... Al Qaeda has repeatedly threatened to 'poison' U.S. drinking supplies ... the American Society of Civil Engineers gives the nation’s drinking water infrastructure a D- grade and estimates that an investment of $255 billion is needed to bring the system to needed standards."

Think of a water meter as a cash register, McNabb suggests.

"$40 billion, the annual income of US water utilities, comes mostly from meter information."

Thus, the threats and risks involve not only terrorists or some disgruntled ex-worker bent on sabotage, but also common criminality (yes, the kind of criminality that always rises in times of great economic hardship).

According to McNabb, theft through meter tampering is not only a big issue for energy suppliers ("electric utilities assume 10% loss each year from theft"), it is also an issue for water utilities ("Theft of water by tampering with or bypassing water meters costs BWSC [Boston] thousands of dollars a year & ... imposes costs every paying customer.").

There should be plenty of opportunity for everyone.

"The U.S. advanced metering infrastructure (AMI) market (electricity+gas+water) will grow from $2.54 billion in 2010 to $5.82 billion in 2015, an 18% compound annual growth rate." Although most US water meters are still read manually (only 28% have AMR [Automatic Meter Reading] meters), "the worldwide installed base of smart water meters is expected to increase from 5.2 million in 2009 to 31.8 million by 2016."

Today, McNabb continued, much of the data collection, even with smart meters, is done by walk-by and drive-by; but, of course, the fixed network is where it is all going.

"This takes the full capabilities of the wireless water meter and enables it to become a sensor network for the water utility that can allow almost continuous water usage readings (usually every 5-15 minutes). In the fixed network the signals from the single meter are transmitted and then collected in a central receiving station, if close enough, or to repeaters and then to the central receiving station. In most cases a star topology is used, but in some implementations a mesh topology is used so each meter can act as a repeater for any others within range."

McNabb cites numerous vulnerabilities in wireless water meters, ranging from design (e.g., low on-board memory) to lack of security awareness ("Badger gives out its default network username, password and wireless key on web site") to no encryption (even though "more of them are coming out with encryption now").

"Water meters are an integral component of the national drinking water infrastructure," McNabb concluded. "Tampering with water meters, either mechanically or electronically, costs money for local water systems. Wireless water meters need to be better secured to prevent potential financial loss to water suppliers and to reduce potential security vulnerability to the water system."

Hopefully, his quest will prove to be more than quixotic.

After all, there is the Maroochie incident, as McNabb reminded us in his presentation.

"The Maroochie incident in 2000, when a disgruntled former contractor used inside info to release 800,000 liters of sewage into the environment, using wireless network communications from his laptop, is an example of how insider threat could impact a wireless sensor network."

Related Posts

BlackHat USA 2010: How to Turn ATMs Into Jackpotted Slots, Basejump the GSM, Lift Malware Developer's Fingerprints & Face Our Existential Dilemma

From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)