Subject: Electronic CIPHER, Issue 56, September 15, 2003

==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 56                                    September 15, 2003

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Cipher calendar
  o Upcoming calls-for-papers and events
* Commentary and Opinion
  o Fred Cohen's review of Writing Secure Code by Michael Howard and
    David C. LeBlanc
  o Robert Bruen's review of Modern Cryptography. Theory and Practice
    by Wenbo Mao
  o Robert Bruen's review of Real 802.11 Security. Wi-Fi Protected
    Access and 802.11i by Jon Edney and William Arbaugh
  o Robert Bruen's review of Halting the Hacker, A Practical Guide to
    Computer Security by Donald Pipkin
  o Jeremy Epstein and Sven Dietrich's notes on the USENIX Security
    Conference held August 4-8, 2003
  o Book reviews, conference reports, commentary and news items from
    past Cipher issues are available at the Cipher website
* Reader's guide to recent security and privacy literature
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The Blaster worm has been smashing its way through RPC buffers,
overrunning networks and generating as much traffic as a lingerie
preview. How much would it cost to prevent this kind of attack, and how
much does the disruption cost business? It appears that we've yet to
solve the network security problem.

Two major conferences were held in August, and we have a report on
Usenix Security from Jeremy Epstein and Sven Dietrich, and a few of
Richard Schroeppel's impressions of Crypto.

The field of information security has matured to the point of including
many women as high profile leaders. Information Security magazine, in
their September issue, recognized 25 outstanding women in the field.

This issue contains, in addition to the usual assortment of
announcements, reports, and reviews, an extended book review by Fred
Cohen. He reviews a book by Michael Howard, a leader in security
practices at Microsoft. Howard was an invited speaker at the Security
and Privacy conference in May.
News snippets, readers guide material, and conference reports are
welcome at all times. Please send material to cipher @ ieee-security.org,
and note that Cipher does not accept advertising. I extend my editorial
gratitude to our colleagues who contribute to Cipher!

With secure sentiments,

Hilarie Orman
cipher-editor @ ieee-security.org
ho @ alum.mit.edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://vulcan.ee.iastate.edu/~cipher/cfp.html

The Cipher event Calendar is at
http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

* 9/17/03: Grand Challenges, Warrenton, Virginia; position papers are
  due; http://www.cra.org/grand.challenges/
* 9/19/03: WiSe, Workshop on Wireless Security, San Diego, CA; in
  conjunction with Mobicom; http://www.ece.cmu.edu/~adrian/wise2003
* 9/20/03: Public Key Cryptography '04, Singapore; submissions are due;
  http://www.i2r.a-star.edu.sg/pkc2004
* 9/20/03- 9/24/03: Mathematical Methods, Models, and Architectures for
  Computer Network Security, St. Petersburg, Russia;
  http://space.iias.spb.su/mmm-acns03/
* 9/28/03-10/ 1/03: IEEE Conference on Networks (ICON), Sydney,
  Australia; http://www.ee.unsw.edu.au/~icon/
* 9/30/03: International Conference on Advanced Information Networking
  and Applications, Fukuoka, Japan; submissions are due;
  http://www.takilab.k.dendai.ac.jp/conf/aina/2004/
--------------
* 10/ 1/03-10/ 3/03: Information Security Conference (ISC), Bristol, UK;
  http://www.hpl.hp.com/conferences/isc03/call_for_papers.htm
* 10/ 2/03-10/ 3/03: Communications and Multimedia Security Conference
  (CMS), Turin, Italy; http://security.polito.it/cms2003
* 10/10/03-10/13/03: International Conference on Information and
  Communications Security (ICICS), Mongolia, China;
  http://www.cstnet.net.cn/icics2003/
* 10/10/03: IEEE International Information Assurance Workshop (IAW),
  Charlotte, NC; submissions are due; http://iwia.org/2004
* 10/12/03: UBICOMP communities: privacy as boundary negotiation,
  Seattle, Washington; http://guir.berkeley.edu/privacyworkshop2003/
* 10/13/03-10/15/03: European Symposium on Research in Computer Security
  (ESORICS), Gjovik, Norway; http://www.hig.no/esorics2003
* 10/15/03: Workshop on Pervasive Computing and Communication Security
  (PerSec), Orlando, Florida; submissions are due;
  http://www.list.gmu.edu/persec
* 10/16/03-10/19/03: Applied Cryptography and Network Security (ACNS),
  Kunming, China; http://www.onets.com.cn/dhe.htm
* 10/27/03-10/31/03: ACM Conference on Computer and Communication
  Security, Washington, DC; http://www.acm.org/sigs/sigsac/ccs/CCS2003
* 10/27/03: Workshop on Rapid Malcode (WORM), Washington, DC; in
  conjunction with CCS 2003
* 10/30/03: Formal Methods in Security Engineering (FMSE), Washington,
  DC; http://www.zurich.ibm.com/~mbc/FMSE02
* 10/30/03: Workshop on Privacy in the Electronic Society (WPES),
  Washington, DC; http://seclab.dti.unimi.it/wpes2003
* 10/31/03: Security in Storage Workshop (SISW), Washington, DC;
  http://www.stortek.com/hughes/sisw2003
* 10/31/03: A Multiple View of Individual Privacy in a Networked World
  (WHOLES), Stockholm, Sweden; submissions are due;
  http://www.sics.se/privacy/wholes2004
--------------
* 11/ 4/03-11/ 7/03: International Conference on Network Protocols
  (ICNP), Atlanta, Georgia; http://icnp03.cc.gatech.edu
* 11/ 5/03: Security and Privacy 2004, Oakland, CA; submissions are due;
  http://www.cs.berkeley.edu/~daw/oakland04-cfp.html
* 11/10/03: Formal Methods in Security Engineering (FSE), Delhi, India;
  submissions are due; http://www.zurich.ibm.com/~mbc/FMSE02
* 11/15/03: RFID Privacy Workshop (RFIDPriv), MIT, Cambridge, MA;
  http://www.rfidprivacy.org/
* 11/16/03-11/19/03: Grand Challenges, Warrenton, Virginia;
  http://www.cra.org/grand.challenges/
* 11/19/03: Privacy Preserving Data Mining (PPDM), Melbourne, FL;
  http://www.cis.syr.edu/~wedu/ppdm2003
* 11/19/03: Data Mining for Computer Security (DMSEC), Melbourne,
  Florida; http://www.cs.fit.edu/~pkc/dmsec03/
--------------
* 12/ 8/03-12/12/03: 19th Annual Computer Security Applications
  Conference (ACSAC), Las Vegas, Nevada; http://www.acsac.org
* 12/ 8/03-12/10/03: Workshop on Security of Information Technologies
  (WSTI), Algiers; http://etudiant.epita.fr:8000/~wsti03/en/home.htm
--------------
* 1/ 5/04: Computer Magazine special issue, High-Speed Internet
  Security; submissions are due;
  http://www.computer.org/computer/author.htm
* 1/11/04: Applied Cryptography and Network Security (ACNS), Yellow
  Mountain, China; submissions are due;
  http://www.rsasecurity.com/rsalabs/staff/bios/mjakobsson/acns.htm

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers New Since Last
Cipher Issue
for more information, please see
http://vulcan.ee.iastate.edu/~cipher/cfp.html
____________________________________________________________________

Journal of the Association for Logic Programming, TPLP Special Issue on
Specification, Analysis and Verification of Reactive Systems, Editors:
Giorgio Delzanno (University of Genova, Italy), Sandro Etalle
(University of Twente and CWI Amsterdam, the Netherlands), and Maurizio
Gabbrielli (University of Bologna, Italy). (submissions due November 15,
2003)

IEEE Computer special issue on high-speed Internet security, Editors:
Simon Shim (San Jose State University), Li Gong (Sun Microsystems), Avi
Rubin (The Johns Hopkins University), and Linley Gwennap (the Linley
Group). (submissions due January 5, 2004)

Workshop on RFID Privacy and Security, MIT, Cambridge, MA, USA,
November 15, 2003. (submissions due September 15, 2003)
Radio Frequency Identification technology is fast becoming a lightning
rod for consumer privacy activists. Is RFID destined to become the
enabling technology for massive state-sponsored surveillance, Big
Brother's "call-home" chip? Or is RFID really nothing more than a
supply-chain management technology, its dangers being over-hyped by
alarmists who fundamentally misunderstand the technology? The goal of
the RFID Privacy Workshop is to bring together RFID technologists,
boosters, critics, privacy activists and journalists covering the space
to establish some technical truths and to create a framework for
understanding the growing body of RFID policy issues.
FORMAT: A series of speakers including academics, RFID innovators, and
privacy activists will discuss RFID technology, policy and privacy.
There will be ample time for discussion and Q & A. For more information,
see http://rfidprivacy.org/.

IWIA 2004 Second IEEE International Information Assurance Workshop,
April 8-9, 2004, Charlotte, NC, USA. (submissions due October 10, 2003)
The IEEE Task Force on Information Assurance is sponsoring a workshop on
information assurance in cooperation with the ACM SIGSAC on research and
experience in information assurance. The workshop seeks submissions from
academia, government, and industry presenting novel research,
applications and experience, and policy on all theoretical and practical
aspects of IA.
Possible topics include, but are not limited to the following:
- Operating System IA & S
- Storage IA & S
- Network IA & S
- IA Standardization Approaches
- Information Sharing in Coalition Settings
- Security Models
- Survivability and Resilient Systems
- Formal Methods and Software Engineering for IA
- Proactive Approaches to IA
- CCITSE Experience and Methodology
- Intrusion Detection, Prediction, and Countermeasures
- Insider Attack Countermeasures
- Specification, Design, Development, and Deployment of IA Mechanisms
- Policy Issues in Information Assurance
Work-in-progress (WIP) reports are intended to provide timely
dissemination of ideas and preliminary research results. WIP will not be
included in the proceedings volume, but will be made available to
workshop attendees and optionally through the IWIA WWW site. Papers on
development, assurance, or evaluation methodologies should submit a
similar argument explaining the relationship of the proposed work to the
Common Criteria. More information can be found on the workshop web page
at http://iwia.org/2004.

PerSec 2004 First IEEE International Workshop on Pervasive Computing and
Communication Security, March 14, 2004, Orlando, FL, USA. (submissions
due October 15, 2003)
Research in pervasive computing continues to gain momentum. However,
research in the provision of security and privacy in these environments
is still in its infancy. PerSec 2004 will provide an international forum
to encourage and present original research ideas and results that
address security and privacy for pervasive computing and communication.
Contributions are solicited in all aspects of security and privacy in
pervasive computing. Topics include:
- Models for access control, authentication and privacy management.
- Incorporation of contextual information into security and privacy
  models, and mechanisms.
- Management of tradeoffs between security, usability, performance and
  other attributes.
- Architectures and engineering approaches to fit security and privacy
  features into mobile and wearable devices.
- Biometric methods for pervasive computing.
- Incorporation of security into communication protocols for pervasive
  computing.
- Descriptions of pilot programs, case studies, applications, and
  experiments integrating security into pervasive computing.
- Auditing and forensic information management in pervasive settings.
- Protocols for trust management in networks for pervasive computing.
- Impact of security and privacy in relation to the social, legal,
  educational and economic implications of pervasive computing.
More information can be found on the workshop web page at
www.list.gmu.edu/persec.

WHOLES - A Multiple View of Individual Privacy in a Networked World,
January 30-31 2004, Stockholm, Sweden. (submissions due October 31,
2003)
The main goal of the workshop is to create a forum for the exchange of
experience and knowledge among researchers and developers concerned with
multi-disciplinary aspects of privacy in the context of emerging
information technologies. We hope that the workshop will serve to foster
the development of an international community interested in the themes
of this workshop. The workshop will explore privacy in the intersection
of information technologies, law, political choices, public opinions,
etc., and thus, a wide range of topics is conceivable.
Suggested topics include, but are not limited to:
- Privacy in ubiquitous, pervasive, and ambient computing
- Legal models for regulating privacy
- Anonymity and pseudonymity as means for protecting privacy
- Privacy implications in user modeling, personalization, and adaptive
  interaction
- Informed consent as a legal and technical means for protecting privacy
- Privacy, conflicting values, and political choices
- Relationships between privacy and security
- Privacy implications in context awareness and context representation
- Relationships between privacy and trust
- Personal privacy with regard to public records
- Privacy in public spaces
More information can be found on the conference web page at
http://www.sics.se/privacy/wholes2004.

S&P 2004 IEEE Symposium on Security and Privacy, Oakland, California,
USA, May 9-12, 2004. (paper & panel submissions due November 5, 2003;
5-minute talks due March 15, 2004)
Since 1980, the IEEE Symposium on Security and Privacy has been the
premier forum for presenting developments in computer security and
electronic privacy, and for bringing together researchers and
practitioners in the field. Previously unpublished papers offering novel
research contributions in any aspect of computer security or electronic
privacy are solicited for submission to the 2004 symposium. Papers may
represent advances in the theory, design, implementation, analysis, or
empirical evaluation of secure systems, either for general use or for
specific application domains.
Topics of interest include, but are not limited to, the following:
- Commercial and Industrial Security
- Mobile Code and Agent Security
- Network Security
- Data Integrity
- Information Flow
- Viruses and Other Malicious Code
- Authentication
- Secure Hardware and Smartcards
- Intrusion Detection
- Language-Based Security
- Security of Mobile Ad-Hoc Networks
- Electronic Privacy
- Distributed Systems Security
- Anonymity and Pseudonymity
- Access Control and Audit
- Security Verification
- Security Protocols
- Biometrics
- Peer-to-Peer Security
- Database Security
- Denial of Service
Details on submitting a paper, a panel proposal, or a 5-minute research
talk, can be found at http://www.cs.berkeley.edu/~daw/oakland04-cfp.html.

ACNS'04 The 2nd conference of Applied Cryptography and Network Security,
Yellow Mountain, China, June 8-11, 2004. (Submission deadline: January
11, 2004)
Original research papers on all technical aspects of cryptology are
solicited for submission to ACNS 04. The full list of topics of interest
along with instructions for submitting a paper can be found on the
workshop web page at
http://www.rsasecurity.com/rsalabs/staff/bios/mjakobsson/acns.htm

DIMVA Workshop on Detection of Intrusions and Malware & Vulnerability
Assessment, Dortmund, Germany, July 6-7, 2004. (Submission deadline:
January 31, 2004)
The workshop is intended to give an overview of the state of the
technology and practice and brings together the German-speaking players
in industry, services, government and research on the topics Intrusion
Detection, Malicious Agents (Malware) and Vulnerability Assessment. The
presentations aim particularly at results from research, development and
integration, relevant applications, new technologies and resulting
product developments on a conceptual level. The discussion also embraces
legal issues and commercial factors. The program committee invites the
submission of papers in German and English language.
Since the workshop brings together German-speaking players, the call for
papers and the web site are as yet available in German only. See the
workshop web site at http://www.gi-fg-sidar.de/dimva2004 for topics of
interest and submission details.

DIMACS 2004 Workshop on Usable Privacy and Security Software, Rutgers
University, New Jersey, USA, July 7-9, 2004. (submissions due April 2,
2004)
This workshop and working group is intended to bring together security
and privacy experts with human-computer interaction experts to discuss
approaches to developing more usable privacy and security software.
Participation in the workshop is open to anyone who registers (no
submission necessary). Participation in the working group on July 9 is
limited because of the emphasis on achieving a high degree of
interactivity and discussion. Workshop participants who are interested
in participating in the working group session should send a 1-page
abstract or position paper describing their work relevant to this
workshop to lorrie@acm.org. Submissions are especially encouraged that
identify security and privacy areas in need of examination by HCI
researchers, as well as areas where HCI researchers would like
assistance from security and privacy researchers. Details on the
workshop can be found at http://dimacs.rutgers.edu/Workshops/Tools/.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
for more information please see
http://vulcan.ee.iastate.edu/~cipher/cfp.html
====================================================================

ETFA'2003 The 9th IEEE International Conference on Emerging Technologies
and Factory Automation (Special session on IT Security for Automation
Systems), September 16-19, 2003, Lisbon, Portugal.

WiSe 2003 Workshop on Wireless Security (in conjunction with MobiCom
2003), San Diego, CA, USA, September 19, 2003.

MMM-ACNS-2003 The Second International Workshop "Mathematical Methods,
Models and Architectures for Computer Networks Security", September
20-24, 2003, St. Petersburg, Russia.

SEFM'2003 International Conference on Software Engineering and Formal
Methods, Brisbane, Australia, September 22-27, 2003.

ISC'03 6th Information Security Conference, Bristol, United Kingdom,
October 1-3, 2003.

CMS 2003 The Seventh IFIP Communications and Multimedia Security
Conference (joint working conference IFIP TC6 and TC11), Turin, Italy,
October 2-3, 2003.

ICICS'03 5th International Conference on Information and Communications
Security, Huhehaote City, Inner-Mongolia, China, October 10-13, 2003.

Workshop at ACM Ubicomp'03: Ubicomp communities - privacy as boundary
negotiation, Seattle, Washington, USA, October 12, 2003.

ESORICS 2003 8th European Symposium on Research in Computer Security,
Gjøvik, Norway, October 13-15, 2003.

Nordsec2003 Nordic Workshop on Secure IT Systems, Gjøvik University
College, Norway, October 15-17, 2003.

ACNS'03 First MiAn International Conference on Applied Cryptography and
Network Security, Kunming, China, October 16-19, 2003.

DRM 2003 ACM Workshop on Digital Rights Management, Washington DC, USA,
October 27, 2003.

The Workshop on Rapid Malcode (in association with 10th ACM Conference
on Computer and Communications Security), Washington, D.C., October 27,
2003.

CCS2003 The 10th ACM Conference on Computer and Communications Security,
Washington, DC, USA, October 27-31, 2003.

WPES 2003 2nd Workshop on Privacy in the Electronic Society, Washington,
D.C., USA, October 30, 2003.

FMSE 2003 Formal Methods in Security Engineering: From Specifications to
Code, Washington, D.C., USA, October 30, 2003.

SISW 2003 The Second IEEE International Security in Storage Workshop,
Washington, DC, USA, October 31, 2003.
2003 ACM Workshop on Survivable and Self-Regenerative Systems (in
association with the 10th ACM Conference on Computer and Communications
Security), George Mason University, Fairfax VA, October 31, 2003.

SASN 2003 Workshop on Security of Ad Hoc and Sensor Networks,
Washington, D.C., USA, October 31, 2003.

Adaptive and Resilient Computing Security (ARCS), Santa Fe Institute
Workshop, SFI, NM, November 5-6, 2003.

IICIS'2003 Sixth IFIP TC-11 WG 11.5 Working Conference on Integrity and
Internal Control in Information Systems, Lausanne, Switzerland, November
13-14, 2003.

DMSEC'03 Workshop on Data Mining for Computer Security (at IEEE ICDM03),
Melbourne, Florida, USA, November 19, 2003.

Communications Security Symposium (part of the IEEE GLOBECOM 2003
workshop), San Francisco, CA, USA, December 1-5, 2003.

CEC2003 Special session at the Congress on Evolutionary Computation,
Canberra, Australia, December 8-12, 2003.

ACSAC 19 The 19th Annual Computer Security Applications Conference, Las
Vegas, Nevada USA, December 8-12, 2003.

Security and Survivability of Networked Systems (in conjunction with
HICSS-37), Big Island, Hawaii, USA, January 5-8, 2004.

NDSS'04 The 11th Annual Network and Distributed System Security
Symposium, San Diego, California, USA, February 4-6, 2004.

TCC'2004 The First Theory of Cryptography Conference, Cambridge MA, USA,
February 18-20, 2004.

PRDC'2004 10th IEEE Pacific Rim International Symposium on Dependable
Computing, March 3-5, 2004, Papeete, Tahiti, French Polynesia.

====================================================================
News Briefs
====================================================================

Note from Carl Landwehr:

I want to announce the creation of a new mailing list for announcements
concerning NSF's Cyber Trust theme, which plans to have an announcement
on the street in mid-October, with proposals due probably in
mid-January. Though all information is tentative at this point, we
expect to support single and multiple investigator proposals, as well as
some "center-scale" efforts. Naturally, I'll be needing not only
proposals, but panelists to help evaluate them!

Those interested in receiving announcements sent to the list should send
an e-mail (blank subject and contents is fine) to:
join-cyber-trust-announce@lists.nsf.gov

_____________________________________________________________________

Nature article about HSARPA delays, Nature 424, 986 (28 August 2003)

Research mired in Homeland Security delays.
GEOFF BRUMFIEL

... The official said last week that the Homeland Security Advanced
Research Projects Agency — a branch of the department modelled on the
Defense Advanced Research Projects Agency — will ask for research
proposals "within a matter of days". It also plans to establish its
first university-based research centres in November.

_____________________________________________________________________

Information Security Magazine gave awards to 25 women leaders in the
field of information security in their September issue. Cipher readers
certainly will recognize the names of Dorothy Denning (one of the top 5
women), Becky Bace (one of the top 5 women), Radia Perlman, Teresa Lunt,
and many others. Congratulations from Cipher!
________________________________________________________________________

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Fred Cohen
September 15, 2003
(see http://www.ieee-security.org/Cipher/BookReviews/2003/Howard_by_fcohen.html
for the full version of this review)
____________________________________________________________________

Writing Secure Code
by Michael Howard and David C. LeBlanc
Microsoft Press 2002
ISBN 0735617228
2nd edition

This 800 page book is about how Microsoft has screwed up security in
their programming practices over the years and how they are trying to
fix it. The length is justified but poorly used with only about 40 pages
of useful content. I now have low expectations about Microsoft producing
more secure systems. This book, and Microsoft's approach to addressing
these issues, lacks the most fundamental sorts of models that are
required for success in addressing such problems. The ease with which
they distance themselves from theory and analysis is symptomatic of the
problems they have created because of their rush to produce features
without a comprehensive approach to design, and it shows in the book
just as it has shown in their operating environments for many years.

The book is not really about writing secure code, it is really about
Microsoft's lack of software quality and how they are trying to change
it. The misinformation in the book starts in the 2nd sentence of the
first paragraph of Chapter 1 and continues throughout. The authors
ignore a great deal of work done by many researchers over a long period
of time, but this is not unusual. Relatively speaking, if the Internet
were all that was out there, they would be doing a good job of finding
prior work related to Microsoft. They miss lots of related work like
most of the work sponsored by governments or done by academia, which is
the vast majority of work done to date. Factual accuracy, careful
scholarship, and detailed consideration of the underlying issues are
lacking throughout the book.

Most of part 1 of the book is about corporate culture at Microsoft and
how they are trying to change it. They do tell us that no more Trojan
Horses will be allowed in Microsoft software, apparently a substantial
change. They tell us to do it right the first time, something they are
apparently now embracing, the second time around. They tell us to use
flow charts, and spend a whole chapter discussing it. They tell us about
STRIDE and DREAD, models of threats and consequences they use at
Microsoft, which helps me to understand why they miss the boat so often.

Part 2 and Part 3 talk largely about the same problem: separation of
data from control. If the authors had realized this they could have
saved a lot of time and effort. But they didn't, so we get, instead,
chapters on buffer overruns, determining access control settings, and
least privilege. Of course these topics should not be fully consumed
under separating control from data, but they are in this book because
anything they don't directly encounter is apparently ignored. The key to
this part of the book is understanding that the authors are in a race
with their programmers to stop the programmers from doing silly things
before the programmers can find more of them to do. The authors are
apparently losing.

The authors have a decent chapter on the issues in cryptography with a
good section on pseudorandom numbers, with only a few flaws.
They tell us to use salts for hash functions to store things like
passwords, but this advice was ignored by Microsoft, leading to a widely
published dictionary-based attack based on this weakness.

In section 4, page 567, under 'Special Topics', they cover protection
testing, which they called critical and fundamental in the introduction
to the book. They start to begin to put a model on the security issue,
but their start falls short by ignoring things like coverage, not
carrying the model through to their long checklists, and giving us
examples of hiring a tester who clinched the job based on the statement
that he could "break anything that opened a socket", the same reason I
would use to not hire that person.

Chapter 9 has an especially good quote - "Don't run code you don't
trust", and they also tell us lots of reasons not to trust Microsoft's
code.

Chapters 10 through 13 tell us that all input is evil. I would likely
change 'is evil' to 'may come from malicious sources', but careful is
not a word I would attribute to the authors of this book in their
writing style. They approach the issues with reckless abandon, and
that's entertaining at a minimum. They tell us how to check input syntax
validity, but even this seemingly simple issue shows us another major
lapse in the book, the lack of sequential machine models and appropriate
controls. The book seems to make the assumption that they are securing
stateless machines. They just missed the basic notion that we are
dealing with sequential machines. And of course asynchronous issues
between communicating sequential machines never even hit their radar.
For example, the whole field of input verification is covered by regular
expressions on single inputs.

Chapter 15 does a poor job of handling network issues with the exception
of providing some reasonable advice on building firewall-friendly
applications. Chapter 16 tells us 50 variables to set to specific values
in RPC and Kerberos code (why they don't set these by default I don't
know). Chapter 17 tells us to protect against denial of service attacks
by invoking quotas on everything. It also gives us a really bad example
of using performance profiling instead of complexity analysis to find
possible denial of service exploits, a really bad choice in this case.
Chapter 18 explains how to write secure .NET code, ignoring all of the
previous lessons. Chapter 20 is poor and chapter 21 does no better. They
tell us that installation software missed that security thing, followed
by really hokey advice. Chapter 22 is about legal issues, but all it
really does is pile more mindless data on the reader.

Chapter 23 tells us about 'good practices'. We are given a paragraph on
what not to tell attackers. They tell us not to use banner strings on
servers, but then tell us that this is hopeless because all of their
software uses these banners to differentiate between how to deliver
services. In Chapter 24, they tell us not to use security through
obscurity, after having told us in the prior chapter not to tell
attackers anything. A few pages later, they tell us to not reveal
anything sensitive in error messages, then give a 'good example' of an
error message that tells the attacker that a wrong password had some
characters in the wrong case. Of course this eliminates the value of
using case sensitive passwords by reducing the search space by several
orders of magnitude, but they seem to have missed that. We are also told
that ANY application running on the desktop can be taken over by ANY
OTHER application running on the desktop! The advice is simply not to
use the desktop - impractical for Windows.
While this book has interesting items and details that dispel many of the common misimpressions that programmers have about how exploitable errors in code are, it fails to help them understand the real issues in building secure programs. As such it is misnamed. A better name might be something like: "How poor quality programmers at Microsoft have produced hundreds of instances of the same 10 big mistakes in their code, and how they can do their jobs a little bit better".

____________________________________________________________________
Book Review By Robert Bruen
September 15, 2003
____________________________________________________________________

Mao, Wenbo. Modern Cryptography. Theory and Practice. Prentice-Hall 2003. Index, Bibliography, List of algorithms, protocols and attacks. 707 pages. $54.99. ISBN 0-130066943-1.

A large number of cryptography books are available, a smaller number are good, an even smaller number are suitable for use as a textbook. Mao's book falls into the category of a good cryptography textbook which is also useful for anyone. The people who will most appreciate it are those with a solid math background, at least advanced algebra. It is common to see algorithms like RSA presented in mathematical terms, but often the reader is spared from mathematical details for the rest. However if you want to really understand the underlying reasons for why something works in a particular manner, or you want to see how an attack works, the math is necessary. For the math challenged, the best one can hope for is that enough words surround the symbols. This author has done an excellent job of putting words that clarify the math, making some difficult material accessible to advanced undergraduates. The cryptology professionals know that this is an enterprise of mathematics. There are other books covering the same material that I like. Each takes its own approach and focus, and each author has a unique style in explaining concepts.
It is reassuring to know that there is this much quality work available. Mao has focused on "introducing fit-for-application cryptographic schemes and protocols with their strong security evidently established." He states that many of the existing textbook cryptographic approaches fail under real world stress. He feels that many problems exist in current systems because the designers used textbook crypto. The solution to this problem is to closely analyze protocols and algorithms to discover the properties that will lead to their improvement. Readers can benefit from such a close analysis for both learning about the inner workings of an algorithm and the weaknesses that will be subject to attack. The attacks are spelled out in a clear, formal manner. The author takes the analysis to higher levels by covering formal methods and techniques for strengthening cryptographic systems. The methods introduced also give us principles for the design of systems.

The book covers the required math background, authentication, digital signatures with an emphasis on provable systems. This book could easily be used in a cryptography course that preceded one in writing secure software, because it would lay out a solid foundation of principles. Advanced math and computer science undergraduates now have enough topics and books that allow for specialization in secure systems and software. I am happy to recommend this book as one of those textbooks. I would also recommend it to security professionals looking for methods to evaluate protocols and algorithms, not just learn how they operate.

____________________________________________________________________
Book Review By Robert Bruen
September 15, 2003
____________________________________________________________________

Edney, Jon and William Arbaugh. Real 802.11 Security. Wi-Fi Protected Access and 802.11i. Addison-Wesley 2003. Index, Acronym list, Bibliography, three appendices. $44.99. ISBN 0-321-13620-9. LoC TK5105.59.E36 2004. 451 pages.
Wireless connectivity is certainly taking off in popularity for a host of reasons. We are reliving the period when the telegraph was starting to lose ground to the newly invented radio. The telegraph was the first wired internet and radio was the first wireless network. The problems that existed early in the twentieth century look a lot like the problems in the early twenty-first century. The security problems are the same, although it is always hoped that once a lesson is learned, it is not forgotten. The wired Internet has constant security problems which are dealt with every day in a constant battle. The wireless world seemed to have started out with pretend security that was compromised quickly and publicly. Wireless telephones, which no one expects to be secure, have begun to seriously integrate with wireless computing. In addition, the telephones are adding features such as digital picture capture, email, instant messaging and a host of new ideas yet to come. The future of course is hard to predict, but it seems clear that combination mobile communication and computing devices will be part of any future we end up in. It also seems that while the lack of security has not slowed down the spread of wireless telephones, it will become a serious speed bump for wireless computing at some point. No one has missed the problems of open wireless networks and, say, Netstumbler on a laptop. Businesses that spend money on firewalls and anti-virus software will be unwilling to allow the convenience of wireless connectivity once they realize what is going on.

The demand for good material on Wi-Fi security is becoming louder. Fortunately, Edney and Arbaugh have offered us something that meets that demand. Real 802.11 Security is just that. If you are new to wireless and wireless security, this is the book to start with. The authors cover the world of wireless, which is very different from the wired world, very well. They also explain in clear terms what went wrong with WEP.
How attacks work in wireless is helpful and interesting. The book has an explanation as to why these details of attacks are included, but there was no need to explain. The methods need public scrutiny to prevent the past failures. I consider this book the best source for wireless security and recommend it for anyone interested in wireless communication and computing. The books that will surely follow will have to meet the standards set by this one.

____________________________________________________________________
Book Review By Robert Bruen
September 15, 2003
____________________________________________________________________

Pipkin, Donald. Halting the Hacker. A Practical Guide to Computer Security 2nd ed. Prentice Hall 2003. Index, glossary, CD-ROM. $44.99 ISBN 0-13-046416-3. LoC QA76.9.A25 P56 2002.

More than five years have passed since the first edition of this book, so it was really time for an update. Much has happened during the intervening years. Halting the Hacker is aimed at understanding who the hackers are, why they are doing what they are doing and what exactly they are doing. Protecting your network from unknown attackers is more difficult than protecting it from attackers you know or at least understand. The idea of knowing your attackers is so important that honeypots were created, soon followed by the HoneyNet Project involving many people around the globe. While it would be nice to know who the individuals are, we can not expect that much. What we can expect is to learn about their motives and behavior. For a number of years, hackers were portrayed as the misunderstood geek genius who sometimes went over to the dark side. Today we know that hackers and crackers are motivated by finances, politics, revenge, nationalism, and a host of other sources. All of these motives are pretty standard human motives which have moved into the digital age. A good psychology textbook should be on every security professional's bookshelf.
But until that need is filled, one can use Pipkin's book to gain some insight. It is not enough to block ports, install firewalls and run anti-virus software; threat analysis is also necessary. On one side of the analysis are techniques to know your enemy. This is both a good idea and another good book (Lance Spitzner, Honeynet Project) in this area. The Honeynet Project has taken one approach to identifying attackers by setting up machines which can be probed and hacked to watch and learn. Pipkin has analyzed knowledge taken from extensive experience and other resources. Both approaches are helpful.

Pipkin has not stopped at describing the hacker mentality with specific categories, but he has also provided ways to deal with them. After explaining what the goal of a hacker might be, he shows the steps needed to protect against the achievement of that goal. The examples are geared towards Unix/Linux because the author feels that this is where the future lies. The book is a straightforward, sensible presentation without scare tactics. It is not the only book in this area, but it is an excellent one. I recommend it, especially to people who are working in technical positions that have found themselves in a position requiring them to learn about protecting their assets quickly.

====================================================================
Conference Reports
====================================================================

____________________________________________________________________
Conference Report By Jeremy Epstein
September 15, 2003
____________________________________________________________________

USENIX Security was held in Washington DC Aug 4-8 2003. USENIX Security is one of the best security research conferences. It gets really good, practical papers. They also usually have very good invited talks. Here are notes on some of the more interesting ones.
They're all available for download by USENIX members from http://www.usenix.org/publications/library/proceedings/sec03/. Those that are labeled [Invited talk] or [Panel] don't have papers, though.

Remote Timing Attacks are Practical
-----------------------------------

They looked at two types of attacks: one where you have multiple web servers on the same machine that are mutually hostile (e.g., in a hosted environment) and the other where you have remote attackers. The idea was to determine a web site's private key in either/both environments, which they did. They basically found some timing differences in how SSL handshake implementations respond based on whether a particular bit in the private key is correct or incorrect. You get the same error (a handshake failure), but you can figure out one bit at a time by starting at the most significant and moving your way down. Surprisingly, network latency doesn't really affect gathering the results. It turns out you can "steal" a private key remotely in 2 hours and 1.4 million queries (i.e., failed SSL handshakes). The only way to detect it is if you log failed handshakes. Blinding (introducing artificial timing delays) is an effective countermeasure, and has been implemented in OpenSSL. They expect that all SSL implementations (even those in Java) are vulnerable unless specifically protected against this attack. This is the first semi-practical attack I've seen on SSL since about 1997. All other attacks have been harder than breaking into the end-system.

A PKI Your Mother Could Use
---------------------------

PKI is just too hard to use: there are thousands of pages of standards, and obtaining certificates is complex. For example, it takes about 18 forms on a web site to get a free certificate (vendor unstated, but presumably VeriSign). It takes 30 minutes to 4 hours just to get the certificate.
And when you go through all that, all it says is that you were able to receive email at the address listed in the certificate... it says nothing about who you really are. There needs to be a simpler way. Everyone knows that passwords are really a lousy protection scheme, but they're reality. So they propose a scheme that allows getting a private key & certificate using a password scheme. It's vulnerable to Man In The Middle (MITM) attacks just like SSH, but that's "good enough". It avoids all the effort required in certificate creation. Seems like a good scheme to me, given its limitations.

Electronic Voting [Panel]
-------------------------

David Elliot, Washington State, Office of the Secretary of State;
David Dill, Stanford University;
Douglas Jones, University of Iowa;
Sanford Morganstein, Populex;
Jim Adler, VoteHere;
Brian O'Connor, Sequoia; [he was listed on the program, but didn't show up]
Avi Rubin, Johns Hopkins University & Technical Director of the Hopkins Information Security Institute

This wasn't a paper, but rather a panel with people from academia and e-voting companies. The accuracy of electronic voting has been getting a lot of attention recently due to a paper from Avi Rubin at Johns Hopkins Univ (see it at avirubin.com/vote if you're interested). What he points out isn't new: there's been research going back at least 10 years on problems with e-voting, and there are numerous concrete examples of how e-voting has failed. [BTW, this discussion is about using electronic voting machines, known as direct recording electronic (DRE), not voting over the Internet which is far worse.]

Doug Jones from Univ of Iowa sits on the Iowa board that reviews voting machines before they can be purchased. In that role he sees confidential reports from the labs that certify voting systems, and says that five years ago he identified some of the problems that Rubin recently reported.
He was assured by the voting machine company (which is now part of Diebold) that they were fixed. Since they obviously were not fixed, he's calling for decertification of Diebold machines in Iowa.

Jim Adler is CEO of Votehere, a company doing voting software. He described the risks of electronic voting, including undetected election compromise and secret ballot compromise. He says their product relies on multiple trustees taking responsibility, and suggests "live auditing" on election day, in addition to before/after the election.

David Elliot is the election administrator for the state of Washington. Many elections still use punch cards, largely because spending money on voting machines isn't popular ("do you want a new police car or fire truck or voting machines"). The Help America Vote Act (HAVA) throws federal money at the problem to eliminate punch cards, and allow for voting by visually impaired. There's a Jan 1 2006 deadline for compliance. However, voting standards are all voluntary, so if they get too strict (e.g., in the interest of greater security) and drive the cost of the machines up, local jurisdictions may ignore the standards and buy whatever is cheapest.

Sanford Morganstein is from Populex, another voting machine company. They use the Mercuri method of voting (named for Rebecca Mercuri, a professor who proposed it). When you vote, a printed record is generated which you can inspect for correctness before you leave the voting booth. The paper copy (which is behind glass, to avoid tampering) is then put in the ballot box for reconciliation. That way you have a paper record validated by the voter which can be used to cross-check the results from the computer.

David Dill from Stanford has been doing research in this area. He says that voting rests on the shoulders of the computer security community, and we need to help. Mostly, though, the vendors don't want help. Most (all?) of the products are vulnerable to insider and outsider attacks.
For safety, we need to stop the acquisition of the current paperless systems, and fix the regulatory framework that makes security optional. The key question is how to get better voting systems without squelching innovation... we can write requirements precisely enough to get safe systems, but that eliminates the innovation.

High Coverage Detection of Input-Related Faults
-----------------------------------------------

They've developed a method to find security vulnerabilities in C code by measuring what lines are actually tickled by input, and then seeing how other inputs would impact those lines. For example, they want to detect if buffer overruns could occur. It works by automatically instrumenting the code (by modifying GCC). There's major overhead... many times slower than standard generated code, so this is only suitable for a testing environment. They can't deal with multithreaded applications, which limits the usefulness. And there's some overlap between what they do and automated tools like Purify.

I like tools like this at one level, because they help improve the quality of C code. But I'm very disturbed at the amount of effort being invested in ways to make C/C++ less dangerous, rather than working in an inherently safer language like Java. This comment also applies to the two following papers. I commented on this to the author during the Q&A session, and several people came to me afterwards and said they agreed.

Address Obfuscation
-------------------

The idea here is to randomize locations of variables, which makes it harder for an attacker to do stack or heap overruns, because the locations in memory are unpredictable. They do simple transformations at load or link time. Other more complicated transformations (such as reordering variables on the stack) can only be done at compile time. It doesn't provide absolute protection, and it doesn't require system-wide changes (e.g., recompiling everything).
The types of randomization they use include:

- Randomizing the location of the bottom of the stack by adjusting it upwards by 1 to 100MB (which takes up virtual memory but not physical memory).
- Rewrite binary code to add random padding onto the stack between function calls.
- Randomize the location of the code and data segment base addresses.
- Randomly increase the size of all malloc requests by 0-25%.

Since buffer overruns frequently rely on knowing the absolute address of code, any/all of these make those attacks impossible. Another technique is to place unreadable pages randomly through memory, so attacks that randomly hit addresses will cause exceptions and crashes. "Success" is defined as reducing a successful penetration to a system crash (i.e., a denial of service attack). That doesn't seem like such a good idea to me! However, there's essentially zero overhead, since it's just moving an address at load/link time. In the future, they want to permute code & data, and do more obfuscation at runtime.

PointGuard
----------

This paper is part of a series of very effective technologies to make it harder to attack C/C++ code. The idea is very simple: modify the GCC compiler so all pointers are kept "encrypted" in memory, and decrypted whenever they're used. The encryption is an XOR with a randomly chosen value (randomly chosen whenever the program starts). If pointers get corrupted (e.g., by an attack), when they get decrypted, they'll point to a random memory location, thus crashing the program. It doesn't matter that the encryption is trivial, since the attacker doesn't get to see the key (which changes for every run), or the plaintext (the actual pointer), or the ciphertext (the encrypted pointer). Static data is a special case because static pointers have to be initialized at runtime to the encrypted values, rather than to a statically set value.
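The XOR pointer-encryption idea described above, written out by hand so the mechanism is visible. This is an added example, not code from the PointGuard paper, from GCC, or from the conference report: real PointGuard inserts the encrypt/decrypt steps inside the compiler for every pointer load and store, whereas here `pg_encrypt`/`pg_decrypt` are called explicitly on one stored pointer. The key derivation via `rand()` is an assumption made to keep the example portable; the names `pg_key`, `pg_ptr`, `struct record` and the three check functions are invented for illustration.

```c
/* Added example: per-process XOR "encryption" of a stored pointer, in the
 * style of PointGuard. Not the paper's or GCC's code; pg_* names are
 * illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* The per-run key. PointGuard draws this when the program starts; here
 * it is built lazily from rand() (assumption: a real build would use a
 * proper OS entropy source instead). It is forced non-zero so that
 * encryption is never the identity. */
static uintptr_t pg_key = 0;

static void pg_init(void)
{
    if (pg_key != 0)
        return;
    srand((unsigned)time(NULL) ^ (unsigned)(uintptr_t)&pg_key);
    do {
        pg_key = 0;
        for (size_t i = 0; i < sizeof pg_key; i++)
            pg_key = (pg_key << 8) | (uintptr_t)(rand() & 0xff);
    } while (pg_key == 0);
}

/* What lives in memory: the ciphertext of a pointer, never the pointer. */
typedef uintptr_t pg_ptr;

static pg_ptr pg_encrypt(const void *p) { pg_init(); return (uintptr_t)p ^ pg_key; }
static void  *pg_decrypt(pg_ptr e)      { pg_init(); return (void *)(e ^ pg_key); }

/* A buffer adjacent to a stored pointer: the layout in which an overrun
 * of `name` would clobber `target`. */
struct record {
    char   name[16];
    pg_ptr target;          /* encrypted at store time, decrypted at use */
};

/* 1) Normal use: encrypt on store, decrypt on use. Returns 1 if the
 * decrypted pointer equals the original. */
int pg_roundtrip_ok(void)
{
    static const char legit[] = "legit";
    struct record r;
    memset(&r, 0, sizeof r);
    strcpy(r.name, "alice");
    r.target = pg_encrypt(legit);
    return (const char *)pg_decrypt(r.target) == legit;
}

/* 2) The corruption case the paper relies on: a raw, attacker-known
 * address is written over the slot without the key (the attacker never
 * sees the key, the plaintext pointer, or the ciphertext). Returns 1 only
 * if the decrypted pointer lands where the overwrite aimed, which a
 * non-zero key makes impossible. */
int pg_overwrite_hits_target(void)
{
    static char wanted[] = "attacker-chosen location";
    struct record r;
    memset(&r, 0, sizeof r);
    r.target = pg_encrypt("legit");
    uintptr_t raw = (uintptr_t)wanted;          /* simulated clobber */
    memcpy(&r.target, &raw, sizeof r.target);
    return pg_decrypt(r.target) == (void *)wanted;
}

/* 3) The boundary gotcha the report mentions: anything that does not
 * know the key (libc, the kernel) must be handed the decrypted pointer.
 * Returns the length strlen() sees after decryption. */
size_t pg_len_at_use(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.target = pg_encrypt("legit");
    return strlen((const char *)pg_decrypt(r.target));
}

int main(void)
{
    printf("roundtrip ok: %d\n", pg_roundtrip_ok());            /* 1 */
    printf("overwrite reaches target: %d\n", pg_overwrite_hits_target()); /* 0 */
    printf("strlen after decrypt: %zu\n", pg_len_at_use());     /* 5 */
    return 0;
}
```

The third function is the point that bites in practice: the ciphertext is only meaningful inside code compiled with the key, so every pointer that crosses into uninstrumented code or a system call has to be decrypted first, which is exactly the mixed-code problem the report goes on to describe.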
There are some gotchas: the encrypted pointers need to be decrypted before any kernel calls that take pointers (e.g., any system call that needs a buffer), since the kernel doesn't know the encryption key for that process. And if you have mixed code (some that's been modified to use encrypted code and libraries that haven't), it gets nasty. For example, if you're trying to run an application that you don't have code for on top of a library that uses encrypted pointers, things get ugly. They extended the C pointer syntax to allow defining encrypted & unencrypted pointers (encrypted pointers look like "char *foo", and unencrypted pointers look like "char @foo"). The performance results are surprising... in some cases the code actually runs slightly faster, due to how register usage gets optimized to do the pointer decryption. In other cases, it's slightly slower, but little enough that it's not much of an issue. They're planning to put out a Linux system completely recompiled using their encrypted pointers. But unless they can get application vendors to do the same, it's of limited value.

Static Analysis of Executables of Malicious Code Detection
----------------------------------------------------------

Polymorphic viruses are hard to find. Their goal is to identify malicious intent while remaining safe against the attack. They can find and remove code reordering, null (noop code), etc. The key problem is that they need a spec for the un-obfuscated code before they do anything, which renders it pretty useless!

The Internet as a Surveillance Network [Invited Talk] by Richard M. Smith
--------------------------------------

RFID tags are everywhere, and will be in more places. Not just for toll taking on highways, but also embedded in clothing, cell phones, computers, toys, etc. Mailboxes won't accept your mail unless the stamps have RFID tags embedded in them.
A database maintained by the private sector will be able to track where you are by correlating the RFID tags you buy on your credit card with where they're detected. You won't have to show your credit card, because the RFID in it will identify itself to the reader. Just walking around you'll be leaving a trail of evidence. There are obviously many security & privacy issues associated with this. But it's no dream/nightmare... it's happening already. [The day after the conference, I read an article in the newspaper about a clothing designer that's embedding RFID chips within the fabric of the clothing.]

Trusted Computing [Panel]
-------------------------

David Farber, University of Pennsylvania
Lucky Green, IBM;
Leendert van Doorn, IBM;
Bill Arbaugh, University of Maryland;
Peter Biddle, Microsoft

This was a review of Microsoft's Trusted Computing system, which encompasses Palladium, TCPA, etc. There was nothing really new here.... just a rehash of the same old issues about whether it's Microsoft's stalking horse to take over the world by preventing non-Microsoft software from running, etc. There's an overview of TCPA and the terminology in this month's Linux Journal. They've renamed it NGSCB (which I can't pronounce, but they did) because Palladium is someone else's trademark! For more info, see www.microsoft.com/ngscb, www.trustedcompting.org, or www.trustedcomputinggroup.org.

The Internet is Too Secure Already [Invited Talk] by Richard M. Smith
----------------------------------

[Slides for this talk available at http://www.rtfm.com/TooSecure-usenix.pdf]

Eric Rescorla is very entertaining, as well as knowledgeable. His claim is that we have lots of good technology (e.g., crypto algorithms like RSA & AES), but virtually nothing gets secured. His hypothesis is that we have the wrong threat model - we worry about all of the known threats, even when they're unimportant (e.g., minor crypto weaknesses that are impractical to exploit) and ignore the big ones.
So "too good security" is trumping deployment. The current threat model is that attackers can see/modify all communication traffic, and end systems are secure. But in fact attackers generally CANNOT see comms traffic, and the end systems are weak. The reason for the disconnect is that security engineers want to avoid being embarrassed. The real threat model is (1) remote penetration (via buffer overflows, etc) and exploitation, (2) malware (viruses & worms) and (3) Distributed Denial of Service (DDoS). To counter these, we have two wins (SSL & SSH), three draws (IPsec, S/MIME, and PKIX, which aren't in widespread use), and one loss (WEP, which is just broken).

Wins: SSL/TLS are widely deployed, but only on 1% of all servers. It's succeeded because it's easy to use and doesn't require a lot of help to get set up. SSH is a de facto standard, but IETF has gotten bogged down trying to make it a real standard. It's totally displaced telnet. It can be deployed without any help, so it became ubiquitous. It's much easier to use than a VPN. Yes, it's vulnerable to Man In The Middle (MITM) attacks, but the risk is acceptable, and it makes deployment easy.

Draws: IPsec is way behind, even though it's built into most operating systems now. Only used for point-to-point VPNs, and even those are being replaced by SSL VPNs because they're easier to deploy. S/MIMEv2 is standardized (S/MIMEv3 has been stuck in standards hell), and is built into most mail clients, but it's used even less than PGP (which isn't used much). Problem is that getting your own key/certificate is too hard, and getting other peoples' certificates is even harder. Maybe people just don't want secure email? They keep saying they want it, and VCs keep funding it. Maybe the problem is barrier to entry? PKIX has made lots of progress, if you measure by volume of standards. Although there's lots of implementations, there's no interoperability. Deployment is limited to SSL.
Losses: WEP is "security" for 802.11, but badly broken. Deployment is good - 28% of wireless sites use it, and it's better than nothing.

The common themes are to use what's available, and that certificates are a roadblock. Some possible explanations:

- Security is inherently hard - possible, but doesn't help
- Customers are stupid - probably true, but they're not getting smarter
- We're delivering the wrong products - either because it's not mature enough or we have the wrong design criteria

Why do we do the wrong things? Because we think they're the right ones (e.g. IPsec) or we mis-prioritize features. Too much effort is going into new mechanisms and polishing existing protocols (e.g., fixing impractical attacks) rather than addressing the real threats. All of the security protocol *implementations* have had buffer overflow attacks, which is much worse than the cryptanalytic failures in the protocols themselves. We should put the energy into fixing the bugs in implementations rather than the weird crypto stuff.

Customers say "security is really important" but what they really mean is "the *appearance* of security is really important". Customers say "security is more important than features" but what they really mean is "I want my dancing pigs". That is, features always win over security. Customers say "make security easy to install" and really mean it.

His proposal: should go to a zero-based view: what do users *really* want, what are the *real* threats, etc. What market research says is (a) no cryptanalytic attackers, (b) protocol flaws are rare, (c) programming flaw attacks are common, (d) DDoS is common. What can we do? Stop using C! Sandboxing, StackGuard, etc. No ideas on how to fix DDoS. Need real data on how much the techniques really fix the problem.
SCrash - Generating Secure Crash Data
-------------------------------------

The problem they're addressing is that sending crash data in some cases will include sensitive data such as documents, data put in web forms, etc. Some people are opposed to sharing that data with vendors; Dept of Energy put out a circular banning users from sending any crash reports, lest sensitive/classified data leak that way. There are several problems: protecting the data in transit to the vendor site, and secure storage of crash data on vendor site. The trust model is that when you use software, you assume the vendor of the software isn't trying to sabotage you (or else you wouldn't use their software). [Not sure I agree with this one, but it's probably right.] But at the same time, you don't trust the vendor to store your data securely.

Their tool is designed to scrub sensitive data before it leaves the user machine by scanning source code to figure out what's sensitive, and scrub that out of the crash image. The idea is that they do data flow analysis on the source and then put all the sensitive stuff in one heap/stack, and the non-sensitive stuff in another heap/stack. You can then just delete the sensitive stuff before sending the crash. That sounds good, but data flow analysis is really hard. Their results show that depending on the program, they get as much as 97% of the data being sensitive. The related question is whether once you scrub the data, whether what's left is actually of any use in figuring out what the problem really was. This solution can't deal with binary, but only source code since it's a source to source transformation. There's relatively little performance impact (around 2-3%) at runtime, but compile time is much slower because of the data flow analysis.

[In my opinion, if the analysis is sensitive enough to get the sensitive stuff, you're not left with anything useful. For example, if "buf" contains sensitive data, so does "strlen(buf)".
If you say "if strlen(buf) > 10 then i = 1 else i = 2", the value of "i" is sensitive. It just goes on from there...]

An audience member asked whether, if Microsoft used this technology, users would be induced to send crash reports. The authors think so, but I doubt it.

Implementing and Testing a Virus Throttle
-----------------------------------------

This paper talks about some research to try to stop worm spread by putting limits on outbound connections. The kernel has to be modified so it refuses to allow a host to contact more than one new host every second (where "new" means not already in the cache of the most recently used hosts). If a program tries to connect to more than one host per second, it's suspended, and it gets to connect at that rate. So worm propagation is greatly slowed, since instead of connecting to and infecting thousands of hosts a second, it gets one a second. This doesn't prevent a given host from being infected, but slows down the rate of spread. As such, it's only useful if a significant fraction of people use it. They have nice graphs to show what happens to the spread rate at various percentages of people using the tool. They also have a version that does effectively the same thing on throttling SMTP connections (the subject of an earlier paper at ACSAC 2002), which slows down worms that use your email address book to spread themselves. The biggest threat is that if the malicious software knows about the throttle, it could disable it before it starts attacking. So it's only an element in the escalating war between attackers & defenders.

____________________________________________________________________
Conference Report By Sven Dietrich
September 15, 2003
Additional USENIX Security notes
____________________________________________________________________

There was a Works-in-Progress session at Usenix Security this year, led by Kevin Fu. I walked in a bit late, only to catch the tail end of Adam Stubblefield's presentation.
Adam Stubblefield
Adam talked about the analysis of an electronic voting system, more to be found at: http://www.avirubin.com/vote

Kevin Fu - A WiP of ill repute
Kevin spilled water on and then destroyed "Avi's laptop", demonstrating how a reputation system works.

Clif Flynt - Validating a firewall
clif@noucorp.com
Clif discussed methods for validating a firewall, using a Master, an Assistant, and a Golem. More details to follow on the website: www.noucorp.com

Steve Bellovin - Link-cutting attacks
AT&T Research
Steve suggested cutting links to force traffic past "controlled" points. Calculations for various topologies take just a few seconds and offer a success rate of 80-90%. More at: http://www.research.att.com/~smb/papers/reroute.pdf

Simson Garfinkel - Stream - an e-mail encryption scheme
Simson Garfinkel discussed a new e-mail encryption scheme. He compared SSL/https vs S/MIME & PGP. His scheme solves the e-mail encryption usability problem in an unobtrusive way. The keys are kept unencrypted on file systems. Three components: sproxy/sfilter/ssendmail and it's "Zero-Click". More at: http://stream.simson.net/web/
Future work: Migrating keys between multiple laptops, and ways to handle webmail.

Algis Rudys - Wireless LAN Location-Sensing for Security Applications
Rice University
It can track cooperative users, but attackers won't be using coalitions. It can't train for everything an attacker will do. Algis provided a sample trace of an attack, some jitter. If the attacker varies signal strength, the jitter is more noticeable. This can locate any user within 3.5 meters. To be presented at WiSe 2003: http://wwwcs.rice.edu/~arudys/papers/wise2003.html

Nazario - Trends in DoS attacks
Arbor Networks
Jose talked about blackhole monitoring using a /8 network over a very long time at Arbor Networks in conjunction with Merit. The research looks at backscatter from various attacks. He noticed a shift from TCP to UDP, and mostly small packets.
What can be highlighted is the cumulative effect of small attacks, and
that some attacks have more sources/bandwidth. In the arena of spoofed
vs. non-spoofed, the "bot armies" don't care about disclosure of IPs.

Greg Rose - SonicKey
QualComm Down Under
Greg introduced the idea of an acoustic key. He showed a 1024-bit DSS
key application on a phone which allows one to sign something and send
the signature over the phone. He demonstrated this live. According to
him, it enables electronic commerce. Supposedly no replay attacks, but
no challenge-response yet; they are working on it. It has some hardware
support for the modulo ops.

David Molnar - A Rekeying Protocol for Wireless Sensor Networks
Harvard University
He showed the Berkeley Mica2 Mote that runs TinyOS. TinySec does not
provide runtime rekey support. Rekeying allows for forward secrecy and
secure transient associations. The platform has an unreliable radio, a
low power budget, low CPU power, and a small code area (128KB). The
suggested application of this is triage in the field for vital sign
monitoring.

Nick Weaver - Wormholes and a honeyfarm
Nick talked about the problem of detecting new worms automatically. A
set of k honeypots will detect a worm when ~1/k of the vulnerable
machines are infected. The design splits the traffic endpoints (the
"wormholes") from the honeypots. A honeyfarm uses virtual machine images
to implement the honeypots. This will create a "vulnerability signature"
and a possible attack signature. It works best for human attackers and
scanning worms. However, one must trust the wormhole devices, not the
honeyfarm operator. The detection is based on an infected honeypot, not
on traffic from a wormhole. At this point the status is at the paper
design phase. Suggested cost: wormhole at $350 per node, but 1000
endpoints would be necessary.

Niels Provos - Honeyd - A Virtual HoneyPot Daemon
CITI
Niels talked about Honeyd, a virtual honeypot daemon that adopts
different OS personalities and fools nmap and xprobe2. It features load
sharing, provides network decoys, etc.
Honeyd acts as a frontend for real high-interaction honeypots,
connecting virtual IPs to real machines. You can (and should) sandbox
Honeyd subsystems using systrace. It can be used for spam prevention: a
collaborative filter like Razor, by simulating open proxies and mail
relays and resending to a spam trap. It can also act as a wireless
honeypot with a fake Internet topology.

Scott Crosby - Regular Expression DoS
This talk was a bit cryptic. Scott talked about ways to "render
SpamAssassin unusable" by overloading what regular expressions look
for. Aimed at regular expression parsing in Perl. No defenses were
suggested. Hm.

Robert Watson - SEDarwin: Porting TrustedBSD MAC and SEBSD to Apple's
Darwin
Robert talked about his experience in porting MAC and SEBSD to Mac OS X.

monkeys@monkeys.org - Still using cleartext after all the years
One of the "monkeys" talked about the passwords collected from the
wireless network at the conference. Reactions were mixed in the
audience. They posted the actual passwords (sans usernames) in their
slides. They claimed to have caught one ssh password via a MITM attack
(sshd + dhcpd). Meant as a follow-up to Dug Song's 2000 paper "Passwords
found on a wireless network". More at: http://monkey.org/~marius/netics

The full Usenix Security 2003 WiP agenda can be found at:
http://www.usenix.org/events/sec03/wips.html
including some of the abstracts.

____________________________________________________________________
Conference Report
By Richard Schroeppel
September 15, 2003
IACR Crypto Conference, August 17-21, 2003
Santa Barbara, CA, USA
____________________________________________________________________

The leadoff talk was "Factoring Large Numbers with the TWIRL device", by
Eran Tromer and Adi Shamir. The slides were excellent; I hope they
appear on the web soon. The authors have continued to improve the TWIRL
concept. The idea is to use a special chip for implementing the hard
part of the Number Field Sieve, the sieving step.
To factor a 1024-bit number, the authors estimate a setup cost of $20M,
plus $10M per sieving machine. The machine would use 600 wafers and run
for a year. It would sieve 3x10^23 values (half of Avogadro's Number),
using a factor base of 3.5G primes. Each clock cycle (at 1GHz) would
process 16000 values per wafer. For a 512-bit number, they estimate one
$15K wafer could do the necessary sieving in ten minutes. The TWIRL
webpage http://www.wisdom.weizmann.ac.il/~tromer/twirl/ has the paper
along with more details. A preprint (to appear in Asiacrypt 2003)
discusses parameter selection for the 1024-bit RSA challenge number.
The biggest technical uncertainty in the design seems to be the
wafer-scale integration: the design uses a very wide bus and needs a lot
of inter-chip and inter-wafer connections. The design of factoring
machines is a very active area of investigation, with several groups
offering designs and sharing ideas. This work reinforces the notion that
long-term security for RSA requires keys longer than 1024 bits.

"Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems
Using Grobner Bases", by Jean-Charles Faugere and Antoine Joux, presents
more efficient algorithms for computing Grobner bases. They find that
HFE cryptosystems generate systems of quadratic equations that are
easier to solve than random systems of the same size, and conclude that
HFE-based systems can be cryptanalyzed in polynomial time when the
degree of the secret polynomial is fixed. Although the security
estimates for HFE must be revised downward, repair may be possible by
increasing parameter sizes.

The first invited talk was "Cryptographic Assumptions and Challenges" by
Moni Naor. The security of common cryptographic primitives rests on the
assumed difficulty of various hard problems. Naor presents a new scheme
for classifying these cryptographic assumptions, based on the difficulty
of falsification.
He examines the logic of challenge problems, and the costs of checking
solutions to challenges. He proposes several meta-problems, such as
constructing a competitive block cipher based on an efficiently
falsifiable assumption.

"A Polynomial Time Algorithm for the Braid Diffie-Hellman Conjugacy
Problem", by Jung Hee Cheon and Byungheup Jun, develops an attack on the
straightforward braid-group key exchange. Their new algorithm begins by
converting the braid problem into a linear algebra problem, using the
Lawrence-Krammer representation of the braid group. They simplify the
linear algebra problem, and apply Gaussian elimination, eventually
recovering a pseudo-key, equivalent to Alice's secret key. The
complexity is O(N^14) for braid-index N. The attack is based on the
group structure, and fails against some braid group key agreement
methods that depart from the group structure.

"Cryptanalysis of SAFER++", by Alex Biryukov, Christophe De Canniere,
and Gustaf Dellkrantz, presents several attacks. The best result breaks
5.5 rounds of SAFER++. (The actual cipher is 7 rounds.) The attacks use
either multisets (like the Square attack), or a nice application of
Wagner's boomerang. The attacks take advantage of some algebraic
properties of the SAFER S-boxes. A three-round version of the multiset
attack is practical, and was implemented and tested.

"Primality Proving via One Round in ECPP and One Iteration in AKS", by
Qi Cheng, is another improvement on the polynomial-time prime proving
algorithm discovered last year by Agrawal, Kayal, and Saxena. The key
idea: Berrizbeitia discovered a subset of cheaply-provable primes. Cheng
has expanded the subset. A general B-bit prime can be proven in
heuristic time roughly O(B^4), by using one round of Elliptic Curve
Primality Proving to reduce the general prime to a cheaply-provable
prime.
The new algorithms are still less efficient than existing heuristic
probable-prime tests, but a remarkable amount of progress has been made
in the year since AKS was discovered.

"Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication",
by Elad Barkan, Eli Biham, and Nathan Keller, introduces several new
attacks against cell phone ciphers and protocols. The attacks are very
practical, with simulations taking less than a second on one PC. Once
again, the risks of non-publicly-vetted encryption are apparent.

The Rump Session talk "Analysis of an electronic voting system", by
Yoshi Kohno, Adam Stubblefield, Avi Rubin, and Dan Wallach, sketched out
some problems with Diebold voting machines. The audience reaction ranged
from incredulity to wild laughter. Details of the analysis are available
at http://avirubin.com/vote.

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

The Reader's Guide from past issues of Cipher is archived at
http://www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewReports.html
and
http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
For Calendar entries, please include a URL and/or e-mail address for
the point-of-contact. For Calls for Papers, please submit a one
paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
________________________________________________________________________

You may easily join the TC on Security & Privacy by completing the
on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its
publications available for sale directly to you. Proceedings may be
paid for by credit card or check.

IEEE CS Press

You may also order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm
(This resolves to the June 2001 Cape Breton, Nova Scotia, Proceedings of
the IEEE CS Computer Security Foundations Workshop.)

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Past Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Vice Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
(512) 436-1538 (voice)
hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
EL233 JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcommittee on Security Conferences:
Jonathan Millen
SRI International
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
(801) 423-1052 (voice)
cipher-editor @ ieee-security.org

BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html