_/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ============================================================================ Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 76 January 18, 2007 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org Yong Guan Book Review Editor Calendar Editor cipher-bookrev @ ieee-security.org cipher-cfp @ ieee-security.org ============================================================================ The newsletter is also at http://www.ieee-security.org/cipher.html Cipher is published 6 times per year Contents: * Letter from the Editor * Commentary and Opinion o Richard Austin's book review of Audit and Trace Log Management: Consolidation and Analysis by Phillip Q. Maier o Review of the New Security Paradigms Workshop (Schloss Dagstuhl, Germany, September 19-22, 2006) by Carol Taylor o Reviews of the ACSAC (Annual Computer Security Applications Conference (Miami, Florida, December 11-15, 2006) by Tom Haigh, Charlie Payne, and Jeremy Epstein * Announcements o Call for Proposals for Fellowships, from the Dartmouth Institute for Infrastructure Protection (I3P) o Research Position, Singapore o Preliminary Program, Financial Cryptography o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website * Conference and Workshop Announcements o This month we are not sending out the new CFPs and calendar items, but they are available, as always, on the website * List of Computer Security Academic Positions, by Cynthia Irvine * Staying in Touch o Information for subscribers and contributors o Recent address changes * Links for the IEEE Computer Society TC on Security and Privacy o Becoming a member of the TC o TC Officers o TC publications for sale ==================================================================== Letter from the Editor ==================================================================== Dear Readers: The venerable Computer Security Foundations Workshop, sponsored by the same IEEE Technical Committee that sponsors this publication, has moved up to Symposium status. This reflects its increased attendance figures and the quality of its proceedings over the last many years. Congratulations to the new CSFS! We are fortunate to have great reviews of two conferences for this month's issue. We have good coverage of the ACSAC conference from three reviewers (Tom Haigh and Charlie Payne combined their reviews, and Jeremy Epstein provided additional commentary), and the result is almost "like being there". The New Security Paradigms Workshop review by Carol Taylor similarly is an excellent report on the novel work that the workshop always provides. Top that off with Richard Austin's book review, and there is so much material that I decided to skip the detailed calendar listings this month. The calendar and calls-for-papers are, as always, available at the Cipher website. Hilarie Orman cipher-editor @ ieee-security.org ==================================================================== Upcoming Calls-For-Papers and Events ==================================================================== The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html ==================================================================== Commentary and Opinion ==================================================================== Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html ____________________________________________________________________ Book Review By Richard Austin 1/4/2007 ____________________________________________________________________ Audit and Trace Log Management: Consolidation and Analysis by Phillip Q. Maier Auerbach Publications 2006. ISBN 978-0-8493-2725-4 Amazon.com $79.95 If I had to pick one topic that was both critical to the security practitioner and yet as interesting as watching paint dry or grass grow, it would be the subject of audit logging. Our enterprises are littered with intelligent devices that commonly have some capability to generate copious floods of event notifications or log records and it has long been common practice to use these data in various ways to allow detection of security incidents and support the follow-on investigation of exactly what may have happened. However, new regulatory requirements that are making their way into the auditing standards require us to yet again revisit this issue with an eye to harnessing this ocean of data to demonstrate compliance with policy and ensure accountability. Maier provides an excellent roadmap for this re-exploration. The first page of this book seized my attention with one of the most succinct summaries of the problems in enterprise audit logging: "The security administrator of today may feel like the SETI scientists, who have gathered countless terabytes of radio wave data and are endlessly sifting through it in an attempt to find intelligible signals ..." The first two chapters delve into the "why" of logging to flesh out just exactly what "intelligible signals" may mean to a particular enterprise in a given regulatory environment. In the third chapter, Maier presents a 14 point survey that asks important questions to aid in understanding today's situation. The survey includes obvious capacity planning questions around the daily rates and volume of data, but then it moves into less obvious questions regarding where the logs are to be stored (on the monitored device or centrally), the security classification of log data, and the policy for permitting access to the various parts of it. After establishing a firm foundation in understanding what is being done presently, Maier delves into the process and criteria for deciding what to capture and how. There's little concrete guidance provided, but Maier gives good coverage to the issues one needs to consider and pays due attention to one that has vexed your humble correspondent on more than one occasion: normalization. Unfortunately, log record formats tend to be very vendor and even device specific, which makes creating and querying a central log repository a most "interesting" endeavor. Interposing a step to "normalize" log records to a standard format between the filter and the central repository is a critical measure to enable the ensuing tasks of correlating records, reporting and, quite importantly, setting alert thresholds and escalation levels. These topics each receive good coverage in their own chapter with detailed examples and a few flowcharts to illustrate processes in operation. The book concludes on the important topic of "making your case" to build a business justification for the creation of a logging infrastructure (including metrics). There are only a few books that I would recommend every security professional keep on the shelf, but this is one of them. It was written by someone who has lived the numbing nightmare of surveying the endlessly proliferating sources of event data in a modern enterprise, of identifying what must be collected, how it should be collected, filtered and stored, and what should be done with it. Most importantly, Maier kept careful notes along the way and has provided a guidebook that will help those of us who follow. Richard Austin is a resident curmudgeon at a Fortune 100 company who continues to wage a battle with a tottering tower of new security tomes. Periodically he has been known to take a break and share his opinion of the latest book to migrate from the tower to the shelf. He can be reached at rda7838@kennesaw.edu. ____________________________________________________________________ Review of New Security Paradigms Workshop Schloss Dagstuhl, Germany, September 19-22, 2006 by Carol Taylor ____________________________________________________________________ The New Security Paradigms Workshop was started in 1992 with the intent of examining new paradigms in security. The idea was to offer a venue where research that was promising but might not be accepted elsewhere could be examined critically. Consequently, requirements for acceptance at NSPW include justification from the authors attesting to the novelty of the research or idea being presented. to the critical examination of new paradigms in security. The NSPW program committee screens papers based on the newness of the proposed paradigm, novel approaches to existing problems, or topics that might generate controversy which other conferences wouldn't be likely accept. NSPW has a unique format with highly interactive, lively discussion of each topic. Of the papers accepted, at least one author is required to attend the entire several day workshop. Total attendance is limited to about 30 participants and only authors, and the workshop organizers are invited to attend with an occasional sponsor attendee. The workshop presentations and proceedings are unusual in format from most other workshops and conferences. Authors are expected to prepare a 20 minute summary of their work with over an hour reserved for discussion and participation. All attendees can comment on the work presented and question the author. Authors respond and all the feedback is captured in notes that are later presented to the author. Authors are encouraged to include the feedback in the final copy of their work which is included in the NSPW proceedings. The idea of this design is to encourage authors to consider the feedback and therefore hopefully improve their original ideas prior to final publication. This allows authors to incorporate feedback from many other views than the typical three-peer reviews from other conferences. NSPW's registration fee includes all room and board so that participants can spend time together at meals and carry on the discussions and socialize without worry of travel. This provides a wonderful opportunity to form more lasting connections with colleagues. This year I was the Vice Chair of the conference which was held on September 19th-22nd at a truly beautiful site named Schloss Dagstuhl, in Germany. I have presented summaries of the papers done by several of the conference participants. Researchers who believe they have new paradigms in computer security or answers to old paradigms, please submit your paper to future New Security Paradigms Workshops. Next year the site will be on the Eastern side of the US. -- Carol Taylor NSPW 2006 Vice Chair Papers Presented Title: Hitting Spyware Where it Hurts by Richard Ford and Sarah Gordon, Florida Institute of Technology and Symantec The authors attempt to solve the spyware problem by defining a cost based approach to reduce the effectiveness of spyware and adware. The authors develop a method for reducing return on investment for adware owners and develop an attack aimed at disrupting the earnings of these owners by sending many fake requests. Unknown is the number of hosts required to actually increase risk to adware Maintainers. Someone suggested a biological analogy was the eradication of the Mexican Screw Worm in the 1970's, which was done by using sterile male Screw Worms who competed with the fertile male population. A large number of infertile males was required to neutralize the fertile population and by analogy suggesting that any attack network used would also have to be disproportionately large. Title: Dark Application Communities By Michael Locasto, Angelos Stavrou, Angelos Keromytis, Columbia University This paper presented an idea called a "Dark Application Community". A DAC is a botnet that forwards crash reports and other state disruptions to the bot maintainer. The bot maintainer can acquire stack traces and other state disruptive information from normal use so he/she can then acquire information on new potential vulnerabilities and threats which can be used to generate exploitable code. One question asked at the workshop was whether this result would be more productive than "fuzzing" or other diversity techniques. Some experiments suggested were to compare the bug discovery rates from open source auto-updated tools such as Firefox or Adium. Title: Challenging the Anomaly Detection Paradigm Carrie Gates (CA Labs) and Carol Taylor (University of Idaho) This paper didn't so much present a new paradigm as critique an old paradigm, that of anomaly detection. The application of anomaly detection to networks was the main focus of this paper. Questions about the rarity and hostility of anomalies, training data problems, and operational requirements were asked. Dorothy Denning's original paper was cited as inspiration for the paper. Denning had developed her anomaly theory under circumstances completely different than those in effect today. Systems that are networked are more complex, more prone to normal network traffic abnormalities and less manageable than those of Dennings time. Questioning the anomaly detection paradigm will lead to better research with more clearly stated assumptions. Title: Inconsistency in Deception for Defense By Vicentiu Neagoe, Matt Bishop, UC Davis This paper examined whether deceptive mechanisms as portrayed by servers and systems need to maintain consistent false views to fool the attackers. The authors examined the nature of inconsistency in system response and actions. The deception model divides commands into two categories: ones that alter system state and commands which provide information on system state. Participants suggested multilevel systems, where commands are not supposed to provide feedback to the users. Not sure how MLS systems would affect the model? Title: A Model of Data Sanitization By Rick Crawford, Matt Bishop, Bhume Bhuiratana, Lisa Clark, Karl Levitt, UC Davis The paper described model of sanitization in the form of an inference game. The game involved a sanitizer, an analyzer and an adversary. One goal of sanitization and success in the game is for the sanitizer to transform the data so that the analyst can obtain the desired information without the adversary obtaining any private information. Questions were asked regarding actively tampering with the dataset before releasing any sanitized information. Attacks could include salting the data beforehand, and using the sanitization as an excuse to announce something known privately. Title: Panel: Control vs. Patrol: A new paradigm for network monitoring Panelists: John McHugh (Dalhousie University), Fernando Carvalho-Rodrigues (NATO), David Townshed (University of New Brunswick) This panel involved an idea of an independent network monitoring authority operating to ensure network integrity. Panelists contrasted their concept of patrol versus more traditional discussions of network monitoring. An analogy was used of highway patrols: where a person drives in public spaces which is their own business and that they were present is publicly accessible knowledge. The panel discussion focused on two areas including the logistics of such a patrol mechanism, and the role and implicit privacy of users. With the logistics question, fundamental questions of what the patrol would observe and collect were posed. Some patrol functions already exist but developing a large-scale patrol would involve aggregating and analyzing large volumes of data, plus deciding what classes of problems the patrol would address. With the initial concept of privacy on the highway, there was debate about the role of privacy on-line, recognizing that a user's perception of privacy is contextual and possibly unrelated to the facts. Title: Large Scale Collection and Sanitization of Security Data By Phil Porras (SRI), Vitaly Shmatikov (UT Austin) Porras and Shmatikov's paper looked at existing research challenges in data collection and sanitization for security research. The authors suggested that security research lacks empirical work because there are so few data sets. Though public data sets are slowly being released, data sanitization is still not handled well. Participants discussed the problems with sanitization explicitly within the area of empirical research. Suggestions focused on allowing the sanitizer to decide when Data should be released. Title: Googling Considered Harmful By Greg Conti, United States Military Academy This paper was very timely in light of the release of private data by AOL. Greg Conti showed AOLStalker, a search engine using the recently released AOL dataset. He demonstrated how AOLStalker could be used to ferret out one user's data from seemingly benign queries. Through the use of free on-line services, users implicitly contribute their personal data. The author develops a threat analysis model to privacy based on information released from these services. Discussion focused on forms of signal analysis and social contracts previously used to protect privacy. Examples included tracking military mobilization by studying pizza deliveries in the D.C. area. Similarly noted were previous requirements to families of service members to keep silent before a deployment compared to the kind of logistic actions families may take en masse before a mobilization, such as communicating with various soldiers' benefits services. Title: A Pact With The Devil By Mike Bond (University of Cambridge) and George Danezis (KU Leuven) In this paper, the authors outlined a new, hypothetical, virus that would negotiate with its victim so it could improve its changes to spread across networks. The hypothetical virus would offer the infected user an opportunity to commit a collaborative computer crime. An example, would be that the original victim would write a mail that a new victim would open. In exchange for this, the virus would seek data on the new victim's drive such as e-mail and pass it on to the original victim. Participants examined strategies such a virus could take, and if the victim could double-cross the virus. For example, in addition to offering carrots, the virus could eventually offer sticks such as threatening to release private or incriminating information, or planting criminal information on the victim's computer. Title: E-Prime for Security By Steve Greenwald, Independent Consultant This paper offered E-Prime, a restricted subset of the English language developed by the General Semantics movement. E-Prime avoids uses of the verb "to be", such as "is", "am" and "is not". Steve Greenwald argued that by eliminating these verbs, a writer is forced to provide more complete information, such as providing attribution to some action or requirement. By forcing security policies to be written in E-Prime, policies that are easier to read might be created. Title: Diffusion and Graph-Spectral Methods for Network Forensic Analysis By Wei Wang and Tom Daniels, Iowa State The authors describe a graph-theoretic approach to analyzing audit logs and network traffic. Their approach is to have each node represent a host while connections between nodes represent events. Events then have a weight associated with them based on some quality of the event or alert. Use of eigenvectors to determine qualities of the network. Authors used data from the Lincoln Labs data set for testing, and so discussion focused on how this approach would perform given data from a real network. The main issue with this paper was what effect the noise inherent in a real network would have on the ability for this approach to identify attack information. Title: PKI Design for the Real World By Peter Gutmann (U Auckland), Ben Laurie (Google), Bob Blakley (Burton Group), Mary-Ellen Zurko (IBM), and Matt Bishop (UC Davis) Panelists described their belief about PKI and its use in the real world. Ms. Zurko described the PKI system in use by Lotus Notes at IBM. This is a system that is deployed to many large enterprises and has been in use for several years. Laurie felt that the issue with PKI was the I - the infrastructure required for PKI was lacking. Bob Blakley believed that PKI was developed because, key distribution is hard and should be easier, and digital signatures are useful. Bob felt that the main problem with PKI was that it was designed to solve a problem that didn't exist. Bishop believed that the issue with PKI was that the design of it was difficult to understand. ____________________________________________________________________ Review of ACSAC (ACM Computer Security Applications Conference) Miami, Florida, December 11-15, 2006 by Tom Haigh and Charlie Payne ____________________________________________________________________ ACSAC 2006 took place December 11 - 15 at the Miami Beach Resort and Spa. It was a very well run conference with a strong program. The notes below reflect the interests of the reviewers, so are not complete. Please see www.acsac.org for the full program. Invited speakers were: - Distinguished Practioner, Dixie Baker (SAIC), described the interplay between security(privacy) and the objective of providing for a healthy society. She observed that detecting biological events near to time of initial exposure reduces public health risk but increases risk to personal privacy. Hence, there is a trade to be made, and how to make this trade is a policy decision. She also talked about the somewhat baroque state, federal, and national systems, the interplay among them, and the impact of HIPAA. Along the way, she made an interesting distinction between the perception of federal control (not desired) versus a willingness to engage in national level cooperation (bottom-up, grassroots). This appears to be true for many aspects of critical infrastructure protection. How effective can this approach be? Her presentation, along with the presentation by Lillian R0stad reported below, suggest that there is a significant amount of work that could be done to improve both security policy and security mechansism applicable to healthcare systems. - In his presentation Invited Essayist Brian Witten (Symantec) described an approach for using a separation kernel architecture, formal methods, and automated binary code analysis (model checking) to build highly assured systems. In his intro he made two very interesting assertions. First, he claimed that Symantec has anecdotal evidence of a pre-zero day attack being used to create a botnet on over a million nodes, and that it existed for over a week before it was detected. So he claims we may have reached the point where the time to exploit, defined as the time a vulnerability is reported minus the time it was exploited, has gone negative. Second, he suggested that the reason there have not been any massive DoS attacks for several years is that it is now in the financial best interest of the attackers to keep the Internet running. This presentation stimulated a great deal of discussion, with two predominant themes. The first was the observation by many veterans that aspects of Brian's approach have been tried before. The second was a question about the relative merits of separation kernels and hypervisors as a foundation for assured computing. - In the Classic Papers session Jeremy Epstein (Web Methods) provided a very good review of the Trusted X-Windows work. His presentation provided a good stimulus for people to think about the problems associated with building a truly trustworthy windowing system, and he illustrated very clearly the challenges associated with building highly assured systems. His paper is good reading for both the veterans and people new to Infosec. - For the second Classic Paper Peter Neumann (SRI) presented conclusions based on what he has seen in the risks forum. Read the paper for some amazing stories. Peter expressed concern over emergent properties in complex systems. He suggested composability analysis. Afterward John McHugh suggested it might not be reasonable to expect a priori analysis to identify emergent properties. It could have been a long and very interesting discussion if the moderator had not stepped in. Definitely a fun question to think about. Other presentations that caught the reviewers' attention: 1. Shamon: A System for Distributed Mandatory Access Control by Jonathan McCune (CMU grad student), Trent Jaeger (Penn State), Stefan Berger, Ramone Cackeres, Reiner Sailer (all IBM) The problem they considered was to ensure that corresponding partitions on separate Xen hosts can communicate with each other, akin to what the reviewer knew as distributed type enforcement in the SCC LOCKed Workstation days. They run a MAC gateway in a separate Xen partition. The gateway can communicate with all the partitions on the local host and with other gateways. It is trusted to keep information from different partitions separate. For communication with other gateways, it runs the SE Linux labeled IPSec. McCune gave the presentation and did a good job. 2. Backtracking Algorithmic Complexity Attacks Against a NIDS by Randy Smith, Cristian Estan, Somesh Jha (all UW Madison) This won the best paper award. They provided examples of Snort rules that can take unacceptably long times to execute because of the way the Snort engine evaluates rules with relative predicates. When a predicate evaluates to false, the engine ignores all it has learned about the truth of other predicates, and starts over (too much backtracking). As a result, an attacker can disable a system with a relatively small amount of bandwidth (4 kbps) They then introduced an approach for avoiding this problem by saving information about predicates that have already been evaluated. They also observe that Bro is not susceptible to these backtracking attacks. 3. Practical Attack Graph Generation for Network Defense by Kyle Ingols, Richard Lipmann, Keith Piworarski (Lincoln Labs) They created what they called a ''Multiple Pre-Requisite Graph'' and claim generation in times that grow nearly linearly with the size of the network. They reported it has processed synthetic networks with 50,000 hosts in 4 mminutes. The reviewer is uncertain what they assumed about the hosts. They use Nessus to create their network model, and they include vulnerabilities found in CVE and NVD. They also collect configuration rules from Sidewinder and Checkpoint firewalls. They have applied it to a live network of 250 nodes and found a previously unknown configuration error. 4. A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs. by Lillian R0stad and Ole Edsberg (Norwegian University of Science & Tech) This team analyzed access logs from the Siemend DocuLive Electronic Patient Record (EPR) system to see how often there were exceptions to the defined role-based access control policy. The notion of exception is a part of the policy, and it is used when, in the judgment of the person granting or requesting the exception, it is necessary for the treatment of the patient. They learned that about 25% of accesses are exceptions, and they are concentrated in certain wards. Their conclusion is that exceptions are clearly not "exceptions" and a different sort of policy is required. 5. Automatic Evaluation of Intrusion Detection Systems by Frederic Massicotte (Commmunications Research Center) Francois Gagnon, Yvan Labiche, Lionel Briand, Mathieu Coutrure (Carlton Univ. - Canada) They are building a system to generate attack traffic, and they want to make their traffic (and their system?) freely available. They have about 125 exploits against both Linux and Windows systems. In evaluations of Snort and Bro, they found that both systems missed about 25% of the attacks, and Snort did a poorer job of discriminating between successful and unsuccessful attacks. They are looking for partners in this work. Learn more at networksystems-security@crc.ca. From the vendor track: 6. Trusted Storage - Dave Anderson (Seagate) Seagate is coming out with a line of secure hard drives for PCs based on the TPM. There are some public papers at www.trustedcomputinggroup.org/home. 7. Using Predictive Analytics and Modeling to Improve Insider Threat Detection and Cyber Threat Identification - Peter Frometa (SPSS, Inc) His approach combined data mining and text mining (linguistics-focused). For detecting insider threats, he used cluster maps to identify typical behaviors and outliers. Clusters are tagged, then rulesets are built to characterize each cluster. As new users enter the system, they are characterized by cluster type. From the Works in Progress session: 8. Federated Identity Architecture Evaluation. Fragoso-Rodriguez, Laurent-Makanavicious, Incera-Vieguez (Instituto Technolgico Autonomo de Mxico) They are developing metrics and method of evaluating the Liberty Alliance, Shibboleth, and WS-Federation architectures. 9. An Open Source High Robustness VMM. John McDermot and Myong Kang at NRL. They are using Xen to build an EAL6 system. They are trying to do everything right, and this reviewer has some hope that they might pull it off, which would be great. ____________________________________________________________________ Review of ACSAC (ACM Computer Security Applications Conference) Miami, Florida, December 11-15, 2006 by Jeremey Epstein ____________________________________________________________________ Dixie Baker (SAIC) kicked off the conference with "Privacy and Security in Public Health: Maintaining the Delicate Balance between Personal Privacy and Population Safety", a discussion of security in healthcare systems from a US perspective. She was the author of a trailblazing paper about PCASSO in 1997 which discussed using MLS technology for healthcare systems, but their successes using MLS have not been copied. Dixie started with a very informative overview of what public health means in the US, and what types of information are routinely collected. She then surveyed the legal situation, focusing on HIPAA, which allows for release of the "minimum necessary" information without patient consent. Just as security and usability frequently collide, she described how privacy and health risk can collide or at least be interdependent. For example, while issuing X.509 certificates to health care workers has many advantages, in case of an epidemic where door-to-door surveys are required in a very short time window, waiting for certificate issuance is not feasible. Adding to the usual security issues, health care information is collected at many different levels, and not routinely shared. For example, localities and states collect information that's not passed up to the federal level. This can be critical because some information is passed up in an anonymized form with a "linkback" ID, but if due to an epidemic some people need to be contacted, the privacy of the linkback must be breached very quickly. Jonathan McCune (CMU/IBM) presented "Shamon: A System for Distributed Mandatory Access Control". Their goal is to have machines shared (e.g., for web hosting companies that may be competitors) using a hypervisor that provides separation. They provide protected controls between instances of the same label (i.e., same company) on different machines. They've built a prototype using mostly open source tools, and have it generally working. Concerns from the audience are that this isn't really MLS, it's just isolation because there's no communication across labels. Their eventual plan is to support more sophisticated policies. Michael Korman (Univ of Connecticut) presented "An Internet Voting System Supporting User Privacy". Electronic voting is obviously a hot topic, and they want to provide a transparent solution that can allow voting over the Internet. This has obvious advantages (e.g., allowing absentee balloting without mailins), but significant disadvantages as well (opportunities for vote buying, even if they address anonymity, accuracy, etc). They get accuracy by allowing voters to see their ballots after the election in such a way that they can be totaled, but other voters can't tell how the voted. Their scheme is based on homomorphic encryption. [JE comments: even if this is totally workable, which I doubt, it fails the grandma test - it's just not understandable to average voters - or even to this security-savvy but non-crypto expert.] They recognize some of the hard problems such as ensuring that voters' machines haven't been compromised (suggest booting from CD-ROM before voting), denial of service attacks (suggest puzzles to prevent), vote buying and coercion (not easy to address), etc. As Peter Neuman commented in the Q&A session, "Vote selling is the key problem in this design. This is a nice technological solution to something that's not the real problem." Brian Witten (Symantec) started the second day with his talk "Engineering Sufficiently Secure Computing". After a review of attack and response statistics, he presented a set of axioms, starting with "defense must cover all weaknesses - offense needs just one" and "perfection is not possible - there are n silver bullets; for every move, there is a counter-move". He then proposed that we base security on four technologies: cryptography, separation kernels (an old idea, but worth revisiting), formal verification (perhaps to verify pieces of the separation kernels), and static analysis (to reduce the number of flaws in code). He then delved into the four technologies, bringing some new perspectives (e.g., Intel uses automated formal verification because they have no other choice - the verification team was tripling in size every time the engineering team doubled). Static analysis isn't perfect, but it's a lot cheaper than formal verification, and gets us much of the way there. Topics raised in the Q&A session included how this is revisiting 30 year old ideas, and Brian's note that chip vendors are now willing to use silicon to improve security, since there's less need for more raw speed. As part of the DHS panel chaired by Doug Maughan, Dave Jevans (Anti-Phishing Working Group and IronKey) described the state of the art in fighting phishers. While it's not hard to get phishing sites removed, the phishers are determined, and are fighting the countermeasures. The volume of attacks has doubled in the last two months. Russian sites are selling tailored malware to attack specific sites, and no longer just the big sites like eBay and Citibank, but also small banks and credit unions (I guess they've figured out free enterprise!). They've come up with new ways of getting cash out through manipulation of thinly traded stocks, buying stock using commandeered accounts. Despite common belief, a majority of phishing sites are in the US with many in China and Korea (the latter because of ubiquitous broadband and weak security controls). The most interesting of the Works In Progress (WIP) session was by David Perlowski (NSA) on Software Assurance Analysis Methodology. They've recognized that existing DoD schemes are insufficient to measure software security - Common Criteria isn't timely and doesn't cover all software, and C&A is inadequate. Individual services have had efforts but they haven't addressed timeliness, repeatability, quality, etc., and don't scale. Their goal is to "let the code speak" by performing time-constrained evaluations that are goal-based, highly automated, and repeatable. They'll define a set of metrics that can be automatically calculated from code (source, binary, script) - using a diverse set of metrics, and apply them to the code with a weighting as an indicator. The idea is to turn this into a high level statement of code, with percentage confidence. So far they've done some pilot evaluations with the results published internally at NSA, with a second round soon. Also in the WIP session, but not a WIP, was David Bell's follow-up from last year's "Classic Paper". He concluded after last year's pessimistic talk that he had been too optimistic, and set out to correct that impression. He reviewed the mistakes NSA has made (and is making) including MISSI (which killed off commercial high assurance systems), SE-Linux (which popularized MLS but isn't high assurance), the failure to provide a path for MLS vendors to move from TCSEC to Common Criteria, etc. An excellent set of slides and his paper are available at www.selfless-security.org. Chongkung Kil (North Carolina State Univ) presented "Address Space Layout Permutation, Towards Fine-grained randomization of Commodity Software", one of several papers at the conference on this subject. While Microsoft Windows Vista provides 8 bits of address space randomization (which can be effectively defeated), others have been working on greater amounts of randomization. Kil's approach is for Linux, and uses binary rewriting to modify programs before they are loaded. The risk is that if it's not done perfectly, the program will crash strangely, and will be hard to figure out why. David Whyte (Carleton University) explained "Addressing SMTP-based Mass-Mailing Activity within Enterprise Networks". His premise is to use a simple form of anomaly detection: machines other than mail servers are very unlikely to do MX lookups. This will catch nearly all bots that try to bypass mail servers and broadcast directly. ISPs aren't particularly interested since they avoid this problem by blocking port 25, but his solution allows unblocking port 25 without increasing spam. However, in the escalating spam wars, all the spammer has to do is provide their own DNS server (which will admittedly increase the size of the bot) and this scheme stops providing any protection. The "Highlights from the 2006 New Security Paradigms Workshop" is always a great panel, and this year met expectations. Lt Col Greg Conti (USMA, but speaking for himself!) talked about just how much information Google collects, and using the AOL dataset showed how much information can be used to trace back to individuals. If you're going to Google yourself, don't do it from the same machine where you look at porn! Carrie Gates (CA Labs) & Carol Taylor (U of Idaho) challenged the established intrusion detection paradigms, noting that the assumptions made in the early days of IDS (attacks are anomalous, distinguishable, rare; anomalous activity is malicious, and attack-free data is available) are all incorrect. Additionally, the early work was done in non-networked environments, and the assumption was made that the results carried out, but the assumption has never been vetted. Among their recommendations are the development of meaningful sample data for training and testing IDSs, unlike the Lincoln Labs data which has many unrealistic characteristics. Richard Ford (U of Florida) noted that spam occurs because spammers find it economically lucrative, and if we can tip the economic balance we can drive them out of business by making their business model unstable. To do so, he proposed a scheme of installing as much adware as possible on a protected network (thus getting fees from those who pay for the installation) and just as quickly wiping them out. This will force those who pay for spyware installation to revisit their model. Subsequent phases try to similarly break the economic model using automated clickthroughs of the spam ads that don't lead to sales. He then (briefly) raised some of the ethical issues of trying to kill off spammers. ACSAC will be back in Miami Beach in December 2007, although the hotel has not been determined (there was much grumbling that the hotel was too far from restaurants and the food in the hotel was overpriced). ==================================================================== News Briefs ==================================================================== News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html ---------------------------------------------------------------------------- Institute for Information Infrastructure Protection (I3P) Fellowship Positions Contributed by Patricia Erwin January 3, 2007 ---------------------------------------------------------------------------- The Institute for Information Infrastructure Protection (I3P) has issued a Call for Proposals from post-doctoral researchers, junior faculty and research scientists. Applicants must submit proposals to the host institutions by February 7, 2007. Host Institutions must submit completed application packets to the I3P by February 21, 2007. For more information about application requirements see: http://www.thei3p.org/fellowships/2007callforproposals.html I3P Research Areas of Interest: - Enterprise Security Management - Trust Among Distributed Autonomous Parties - Discovery and Analysis of Security Properties and Vulnerabilities - Secure systems and Network Responses and Recovery - Traceback, Identification and Forensics - Wireless Security - Metrics and Models - Law, Policy and Economic Issues The Institute for Information Infrastructure Protection (The I3P) is a Consortium that includes academic institutions, federally-funded labs and non-profit organizations. The I3P funded by the Department of Homeland Security and the National Institute of Standards and Technology. The I3P is managed by Dartmouth College. ---------------------------------------------------------------------------- Security Research Position Contributed by Jianying Zhou Singapore December 24, 2006 ---------------------------------------------------------------------------- Network Security Group at Institute for Infocomm Research - a national research institute fully funded by Singapore government, is looking for a network security researcher. This is a full-time position in our core headcount. A 2-3 year contract will be offered and is renewable subject to the candidate's performance. Our group is active in the security community, and has established extensive collaborations with local and overseas universities and research institutes. We are also involved in an EU-funded project. More information is available at http://icsd.i2r.a-star.edu.sg/staff/nsl/ The candidate should have a PhD degree with strong background on network security, especially on wireless sensor network security. (MSc with independent R&D capability may also be considered.) The candidate is expected to do research on network security, create valuable intellectual properties, publish papers at leading conferences and journals, and produce project deliverables in time. If you are interested in this job, please send your CV to Jianying Zhou . Short-listed candidates will be contacted for interview. ---------------------------------------------------------------------------- Financial Cryptography and Data Security 2007 (FC07) PRELIMINARY PROGRAM & CALL FOR PARTICIPATION Hilton Tobago Resort Lowlands, Scarborough, Trinidad/Tobago February 12-15, 2007 ------------------------------------------ Hotel & Registration ------------------------------------------ The FC07 Hotel Accommodatoins can be found at: http://fc07.ifca.ai/accommodations.html Registration will open early next week. The deadline for early early registration rates is January 22. http://fc07.ifca.ai/registration.html ------------------------------------------ Preliminary Program ------------------------------------------ All events take place at the Hilton Tobago Resort unless otherwise noted. Sunday, February 11, 2007 5:00pm-7:00pm Registration reception poolside Hilton Tobago Resort Monday, February 12, 2007 7:30am-8:30am Breakfast and Registration 8:30am-8:45am Welcome, Minister of Finance (tentative) 8:45am-9:00am Conference opening, Conference Chairs 9:00am-10:00am Keynote Address Mike Bond Title: Leaving Room for the Bad Guys When designing a crypto protocol, or building a large security architecture, no competent designer ignores considering the bad guy, and anticipating his plans. But often we designers find ourselves striving to build totally secure systems and protocols -- in effect writing the bad guys entirely out of the equation. In a large system, when you exclude the bad guys, they soon muscle their way in elsewhere, and maybe in a new and worse way over which you may have much less control. A crypto protocol with no known weaknesses may be a strong tool, but when it does break, it will break in an unpredictable way. This talk explores the hypothesis that it is safer and better for designers to give the bad guys their cut, but to keep it small, and keep in control. It may not just be our systems but also our protocol building blocks that should be designed to make room for the bad guy to take his cut. The talk is illustrated with examples of very successful systems with known weaknesses, drawn primarily from the European EMV payment system, and banking security in general. We also discuss a few "too secure" systems that end up failing in worse ways as a result. 10:00am-10:30am Break 10:30am-12:00pm Technical Paper Session Payment Systems Vulnerabilities in First-Generation RFID-enabled Credit Cards, Thomas S. Heydt-Benjamin (University of Massachusetts Amherst, USA), Daniel V. Bailey (RSA Laboratories, USA), Kevin Fu (University of Massachusetts Amherst, USA), Ari Juels (RSA Laboratories, USA), and Tom O'Hare (Innealta, Inc.) Conditional E-Cash, Larry Shi and Bogdan Carbunar (Motorola Labs) and Radu Sion (Stony Brook University, USA) A Privacy-Protecting Multi-Coupon Scheme with Stronger Protection against Splitting, Liqun Chen (HP Laboratories), Alberto Escalante, Hans Loehr, Mark Manulis, and Ahmad-Reza Sadeghi (Horst Goertz Institute Bochum, Germany) 12:00pm-1:00pm Lunch 1:00pm-2:30pm Panel: RFID - yes or no, Moderator: Kevin Fu 2:30pm-3:00pm Break 3:00pm-4:00pm Technical Paper Session Anonymity A Model of Onion Routing with Provable Anonymity, Joan Feigenbaum (Yale University), Aaron Johnson (Yale University, USA), and Paul Syverson (Naval Research Laboratory, USA) K-Anonymous Multi-party Secret Handshakes, Shouhuai Xu (UTSA) and Moti Yung (RSA Laboratories and Columbia University, USA) 4:00pm Adjourn 6:00pm-9:00pm Reception Location: TBA Tuesday, February 13, 2007 7:30am-9:00am Breakfast 9:00am-10:30am Technical Paper Session Authentication Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer, Mohammad Mannan and Paul C. van Oorschot (Carleton University, Canada) Scalable Authenticated Tree Based Group Key Exchange for Ad-Hoc Groups, Yvo Desmedt (University College London, UK), Tanja Lange (Eindhoven University of Technology, Netherlands) and Mike Burmester (Florida State University, USA) On Authentication with HMAC and Non-Random Properties, Christian Rechberger and Vincent Rijmen (Graz University of Technology, Austria) 10:30am-11:00am Break 11:00am-12:00pm Technical Paper Session Anonymity and Privacy Hidden Identity-Based Signatures, Aggelos Kiayias and Hong-Sheng Zhou (University of Connecticut, USA) Space-Efficient Private Search, George Danezis and Claudia Diaz (K.U. Leuven, Belgium) 12:00pm Adjourn - Box Lunches Available 8:00pm-9:00pm IFCA General Meeting, Location: TBD 9:00pm-12:00am Rump Session Location: TBD Wednesday, February 14, 2007 7:30am-9:00am Breakfast 9:00am-10:30am Technical Paper Session Cryptography and Commercial Transactions Cryptographic Securities Exchanges, Christopher Thorpe and David C. Parkes (Harvard University, USA) Improved multi-party contract signing, Aybek Mukhamedov and Mark Ryan (University of Birmingham, UK) Informant: Detecting Sybils Using Incentives, N. Boris Margolin and Brian Neil Levine (University of Massachusetts Amherst, USA) 10:30am-11:00am Break 11:00am-12:00pm Technical Paper Session Financial Transactions & Web Services Dynamic Virtual Credit Card Numbers, Ian Molloy (Purdue University, USA), Jiangtao Li (Intel Corporation) and Ninghui Li (Purdue University, USA) The unbearable lightness of PIN cracking, Omer Berkman (The Academic College of Tel Aviv Yaffo, Israel) and Odelia Moshe Ostrovsky (Algorithmic Research Ltd. and Tel Aviv University, Israel) 12:00pm-1:00pm Lunch 1:00pm-2:30pm Panel: Virtual Economies - Threats and Risks, Moderator: Jean Camp 2:30pm-3:00pm Sponsor Presentation: TBD 3:00pm Adjourn 6:00pm-9:00pm Beach BBQ Location: TBA 10:00pm-?? Event (TBA) Thursday, February 15, 2007 7:30am-9:00am Breakfast 9:00am-10:00am Invited Talk --- Dawn Jutla Title: Usable SPACE: Security, Privacy, and Context for the Mobile User Users breach the security of data within many financial applications daily as human and/or business expediency to access and use information wins over corporate security policy guidelines. Recognizing that changing user context often requires different security mechanisms, we discuss end-to-end solutions combining several security and context mechanisms for relevant security control and information presentation in various mobile user situations. We illustrate key concepts using Dimitri Kanevsky's (IBM Research) early 2000s patented inventions for voice security and classification. 10:00am-10:30am Break 10:30am-11:00am System paper session Personal Digital Rights Management for Mobile Cellular Devices, Siddharth Bhatt (Stony Brook University, USA), Carbunar Bogdan (Motorola Labs), Radu Sion (Stony Brook University, USA), and Venu Vasudevan (Motorola Labs) 11:00am-12:00pm Technical Paper Session Cryptography Certificate Revocation using Fine Grained Certificate Space Partitioning, Vipul Goyal (UCLA, USA) An Efficient Aggregate Shuffle Argument Scheme, Jun Furukawa (NEC Corporation, Japan) and Hideki Imai (National Institute of Advanced Industrial Science and Technology, Japan) 12:00pm-1:00pm Conference closing/Lunch, Conference Chairs ==================================================================== Listing of academic positions available by Cynthia Irvine http://cisr.nps.edu/jobscipher.html ==================================================================== University of North Carolina at Charlotte Department of Software and Information Systems UNC Charlotte Charlotte, NC 28223 ASSISTANT OR ASSOCIATE Application review will begin in January 2007 and will continue until the position is filled. URL: http://www.sis.uncc.edu University College London London & Martlesham, UK Senior Lecturer/Lecturer (3 openings) January 15th 2007 http://www.adastral.ucl.ac.uk/vacancies Iowa State University Department of Electrical and Computer Engineering Iowa State University Ames, IA 50011 ASSISTANT OR ASSOCIATE OR FULL PROFESSOR To guarantee consideration, application must be received by 2/10/2007. URL: http://www.iastatejobs.com and http://www.ece.iastate.edu/jobs.html -------------- The job listings at http://cisr.nps.edu/jobscipher.html are maintained as a service to the academic community. If you have an academic position in computer security and would like to have in it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Interesting Links and Reports Available via FTP and WWW ==================================================================== "Reports Available" links from previous issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewReports.html and http://www.ieee-security.org/Cipher/InterestingLinks.html ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become <> a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy by completing the on-line for at IEEE at http://www.computer.org/TCsignup/index.htm ______________________________________________________________________ TC Publications for Sale ______________________________________________________________________ IEEE Security and Privacy Symposium The 2006 Symposium proceedings and 11-year CD are sold out. The 2005 Symposium proceedings are available for $20 plus shipping and handling. The 2004 proceedings are $15 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please. IEEE CS Press Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop. ______________________________________________________________________ TC Officer Roster ______________________________________________________________________ Chair: Security and Privacy Chair Emeritus: Jonathan Millen Hilarie Orman The MITRE Corporation Purple Streak, Inc. Mail Stop S119 500 S. Maple Dr. 202 Burlington Road Rte. 62 Salem, UT 84653 Bedford, MA 01730-1420 oakland06-chair@ieee-security.org 781-271-51 (voice) jmillen@mitre.org Vice Chair: Chair, Subcommittee on Academic Affairs: Prof. Cynthia Irvine Prof. Cynthia Irvine U.S. Naval Postgraduate School U.S. Naval Postgraduate School Computer Science Department Computer Science Department Code CS/IC Code CS/IC Monterey CA 93943-5118 Monterey CA 93943-5118 (831) 656-2461 (voice) (831) 656-2461 (voice) irvine@cs.nps.navy.mil irvine@cs.nps.navy.mil Chair, Subcommittee on Standards: Chair, Subcomm. on Security Conferences: David Aucsmith Jonathan Millen Microsoft Corporation The MITRE Corporation One Microsoft Way Mail Stop S119 Redmond, WA 98052 202 Burlington Road Rte. 62 425-706-9225 (voice) Bedford, MA 01730-1420 425-936-7329 (fax) 781-271-51 (voice) awk@microsoft.com jmillen@mitre.org Security and Privacy Symposium Newsletter Editor 2007 General Chair: and Technical Committee Treasurer: Deborah Shands Hilarie Orman The Aerospace Corporation Purple Streak, Inc. El Segundo, CA 500 S. Maple Dr. oakland07-chair@ieee-security.org Salem, UT 84653 cipher-editor@ieee-security.org, treasurer@ieee-security.org ________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year