Thursday, August 11, 2011

USENIX Security 2011: Another Ring on the Tree Trunk for One of Cyber Security's Worthiest Gatherings, & A Strong CyLab Presence

Nektarios Leontiadis, Carnegie Mellon CyLab, speaking at USENIX Security Symposium 2011

The USENIX Security Symposium has been one of my favorite conferences to attend throughout my two decades in the realm of cyber security. I have been writing about it since my days as Editorial Director of the Computer Security Institute (CSI), and it has never disappointed me, either in terms of its content or its integrity. Incredibly, this year's Symposium is the twentieth, and it doesn't feel like USENIX is getting old or selling out any time soon.

Here are some of my notes from Wednesday and Thursday, just two of the five days on the Symposium's agenda.

Hugo and Locus Reader Award-winning sci-fi author Charles Stross gave the opening keynote on Network Security in the Medium Term: 2061–2561 AD.

What is network security going to be like, Stross asked, after Moore's Law has burnt out?

"By 2061 well over half of the world's populace will live in cities ... Governments not going to be as important as they used to be ... Mature nanotechnology all around us, but not be as life-like as people think ..."

Stross outlined these and other predictions about the nature of cyber/physical reality in 2061 and beyond, but then he did an about-face: "Everything I just said is bunk, because it assumes nothing bad will happen ..."

For much of the rest of his musings, Stross focused on some specific future technologies and the potential impact and consequences.

Mobile phones? They already connect people, not places; we are raising a generation of kids who won't know what it's like to get lost. In the future, you will say "I want to visit my cousin Bill, wherever he lives," and a cab will show up.

Where are we going to store it all? Memory diamonds, Stross predicted: a lattice with a data bit encoded in each atom.

Life-logging will include face recognition on everything you see, and OCR on everything you read.

Life-logging will be mandated by insurers, for any employee involved in any work that's risk-related.

Home genome monitoring will deliver personal health benefits and provide health agencies with early warning.

ID theft will be radically more drastic; it will capture an entire human existence in 64 milligrams of memory diamond.

Is losing your health privacy an acceptable price to pay for avoiding a plague?

I asked friend and long-time colleague Rik Farrow, Editor of USENIX's bi-monthly magazine ;login:, both for his savvy take on Stross' vision of the "intermediate future," and for what jumped out at him from other sessions.

"Charlie Stross does an amazing job envisioning the future, both near term and further out. His predictions of two terabyte personal bandwidth seem a bit 'over-the-top', but then consider how some Connecticut Yankee with his proverbial time machine would consider the world of today. Stross was eloquent, intriguing, but dodged the thorny issues of the future of security. We've botched things terribly in our rush to just make things work. Critical systems, like the P25 radios described by Matt Blaze, have design flaws that make them easier to use incorrectly, without encryption, than with it enabled. Yet the ability to manage encryption keys and have systems that can use encryption without requiring a genius as operator are critical moving forward. Dave Aitel's invited talk, The Three Cyber-War Fallacies, opposite the papers track, also served notice on many security fantasies. Dave provided metrics to back up a lot of what he was saying, like attack is hard, or the average useful lifespan of a zero-day is 99 days! We need to move on from signature-based approaches to security, Dave said, and I strongly agree with him. The car hacking attack displayed the amazing perseverance seen in many of today's best researchers, and Steve Checkoway's demonstration (Comprehensive Experimental Analyses of Automotive Attack Surfaces) of remotely locating (with GPS), unlocking, and defeating the anti-theft measures using a hack embedded in an MP3 stream drew enthusiastic response from the audience. I really appreciated the work by Kevin Z. Snow (SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks) and others to test possible malicious data, like PDFs, for executable code by using a tiny operating system they had built, and run in a Linux VM for testing Windows exploits. Mindblowing."

The Matt Blaze study mentioned in Rik's remarks is entitled Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System. Co-authored by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze of the University of Pennsylvania, it was one of two studies awarded "Outstanding Paper."

The other study to receive "Outstanding Paper" was Measuring Pay-per-Install: The Commoditization of Malware Distribution, co-authored by Juan Caballero, IMDEA Software Institute; and Chris Grier, Christian Kreibich and Vern Paxson, University of California, Berkeley, and ICSI.

CyLab had a strong presence at the 20th USENIX Security Symposium.

Two CyLab studies were among the refereed papers presented:
Alessandro Acquisti and Collin Jackson also delivered Invited Talks.

CyLab's Collin Jackson speaking at USENIX Security Symposium 2011

Collin Jackson's Invited Talk, Crossing the Chasm: Pitching Security Research to Mainstream Browser Vendors, underscored why Jackson, based at Carnegie Mellon's Silicon Valley Campus, is a force to be reckoned with in the space of browser security.

At the end of his talk, he even provided attendees with a list of "Controversial Things I Just Said":

NoScript is a niche browser... not the browser of the future

Program committees actively harm good ideas

OCSP is risky.

SafeHistory is undeployable.

Breaking with sockets for six months was not a mistake.

You should crash Mozilla team meetings.

Nektarios Leontiadis, a Carnegie Mellon grad student conducting CyLab research, presented Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade. This paper presents the latest findings from Nicolas Christin's compelling work on the economics of security and cybercrime. For more information on this study, see USENIX Security 2011: CyLab Researchers Release Study On Illicit Online Drug Trade And Attacks On Pharma Industry.

For more on Alessandro Acquisti's latest study, Privacy in An Age of Augmented Reality, which was released last week at Black Hat Briefings 2011 in Las Vegas, see New Study Co-Authored By CyLab Researcher: Face Recognition Software And Social Media Result In Increased Privacy Risks, or Black Hat Briefings 2011: Mudge of DARPA, the App as Ultimate Wingman, Why the Water Commissioner's Hair is on Fire, & Other Strange Tales, and my CSO Magazine interview with him, Face recognition and social media meet in the shadows.

See Also

Voltaire Lives: A Report from USENIX Security Symposium 2010

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)