Current Topic: Computer Security

Topic: Computer Security
5:25 pm EDT, Aug 30, 2007
Ross Anderson gave a TechTalk last week.

Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities. Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected? Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed. Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.
Searching For Evil

Microsoft Forges 'Pact' With Cyberwarriors Worldwide
6:19 am EDT, Aug 7, 2007
Multinational corporations have foreign policies, and the "home" country doesn't necessarily get special treatment:

In an effort to curb distrust, in 2003 Microsoft signed a pact with China, Russia, the United Kingdom, NATO and other nations to let them see the Windows source code.

A few thoughts:

1) Possession of source code has limited defensive value unless you actually build your software from that source. Based on press reports the agreement does not facilitate local compilation.

2) Is it really feasible for a third party to audit the Vista source? The people involved seem to think so, or are at least making a show of it. I am dubious.

3) The utility of this 'pact' would seem to be substantially offensive.

Consider:

Microsoft has reportedly signed a new government security program source code agreement with China Information Technology Security Certification Center, allowing CNITSEC and other approved institutions to look over the source code and relevant technical data of Microsoft's products, including Windows Vista, so as to improve their evaluation on the security of Microsoft products. The agreement is an important part of the MOU signed between National Development and Reform Commission and Microsoft in April 2006. Microsoft's Government Security Program helps government departments and international organizations evaluate the security of Microsoft products. CNITSEC previously signed an agreement with Microsoft on security source code in February 2003 and was authorized to check over the company's major source code and technical data.

From 2003:

According to sources at the software company, China is the eighteenth nation to sign such an agreement to view Microsoft's proprietary source code.

Surely the number has grown since then. Craig Mundie's doublespeak:

This program is an integral element of our efforts to help address the unique security requirements of governments.

flayer - Taint analysis and flow alteration tool
8:41 pm EDT, Aug 6, 2007
This is the Google project that was presented at WOOT.

Flayer is a Valgrind tool which provides bit-precise dynamic taint analysis of input to a target application. In addition, it allows this flow to be altered irrespective of content through the modification of conditional jump (if clauses) and function call behavior. In addition, a small, Python wrapper library, LibFlayer, is included. It provides an easy interface for automation. This is a proof of concept implementation, but it is fully functional. Please check it out!

Terminus: the End of the Line for DDoS
2:18 pm EDT, Aug 2, 2007
Denial-of-Service attacks continue to grow despite the fact that a large number of solutions have been proposed in the literature. The problem is that few are actually practical for real-world deployment and have incentives for early adopters. We present Terminus, a simple, effective and deployable network-layer architecture against DoS attacks that allows receivers to request that undesired traffic be filtered close to its source. In addition, we describe our implementation of each of the architecture’s elements using inexpensive off-the-shelf-hardware, and show that we can filter very large attacks in a matter of seconds while still sustaining a high forwarding rate even for minimum-sized packets. We conclude by discussing initial deployment incentives.

Latest Issue of IEEE Security & Privacy
9:36 am EDT, Aug 2, 2007
Subscription required for access to full text of most articles, but I wanted to point out a couple of articles that you might find it worthwhile to track down:

What Hackers Learn that the Rest of Us Don't: Notes on Hacker Curriculum

The hacker culture has accumulated a wealth of efficient practices and approaches to computer technologies -- in particular, to analysis, reverse engineering, testing, and software and hardware modification -- that differ considerably from those of both the IT industry and traditional academia.

The above article references the article by Greg Conti that appears in the same issue as Academic freedom and the hacker ethic. It also references a book by Jonathan Rosenberg, How Debuggers Work.

The End of Black and White, by Dan Geer

It's no longer just black hats or white hats in computer security. The more someone has to lose, the less likely they should be to trust the computer. It means that all people, all programs, all transactions are shades of grey. Black and white are just a memory.

This one appears to be freely available:

Estimating Software Vulnerabilities

Any given piece of software has some number of publicly disclosed vulnerabilities at any moment, leaving the system exposed to potential attack. A method for identifying and analyzing these vulnerabilities uses public data from easily accessible sources.

Web 2.0 is vulnerable to attack
5:09 pm EDT, Apr 2, 2007
Comments from the local experts?

Fortify Software, which said it discovered the new class of vulnerability and has named it "JavaScript hijacking", said that almost all the major Ajax toolkits have been found vulnerable.

There's no mention of Jitko either here or in the Slashdot story.

Why Information Security is Hard
10:06 am EDT, Mar 26, 2007
This Ross Anderson paper from 2001 is worth (re-)reading. I'd be interested in any pointers to further reading along these lines. I particularly liked this quote, from the French economist Jules Dupuit in 1849:

It is not because of the few thousand francs which would have to be spent to put a roof over the third-class carriage or to upholster the third-class seats that some company or other has open carriages with wooden benches ... What the company is trying to do is prevent the passengers who can pay the second-class fare from traveling third class; it hits the poor, not because it wants to hurt them, but to frighten the rich ... And it is again for the same reason that the companies, having proved almost cruel to the third-class passengers and mean to the second-class ones, become lavish in dealing with first-class customers. Having refused the poor what is necessary, they give the rich what is superfluous.

Here's the abstract of the paper:

According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.

Anderson has been working this theme over the past several years; his latest paper is The Economics of Information Security - A Survey and Open Questions.

The Eavesdropper's Dilemma - Matt Blaze et al... [PDF]
8:01 pm EDT, Oct 26, 2006
This work was previously reported on Memestreams back in November 2005, when Markoff wrote about it in NYT. There must be some reason why it is being revisited now, but it may not be publicly obvious. One presumes that it came up during the Here's Looking at You... session at Phreaknic. (Is there a slide presentation for that?)

This paper examines the problem of surreptitious Internet interception from the eavesdropper’s point of view. We introduce the notion of “fidelity” in digital eavesdropping. In particular, we formalize several kinds of “network noise” that might degrade fidelity, most notably “confusion,” and show that reliable network interception may not be as simple as previously thought or even always possible. Finally, we suggest requirements for “high fidelity” network interception, and show how systems that do not meet these requirements can be vulnerable to countermeasures, which in some cases can be performed entirely by a third party without the cooperation or even knowledge of the communicating parties.

For practical results in real-world systems, see the authors' IEEE article, Signaling Vulnerabilities in Wiretapping Systems, in which this paper is reference #11.

In a separate work [11], we formalized the concepts of evasion and confusion as eavesdropping countermeasures and identified the “eavesdropper’s dilemma” as a fundamental trade-off in certain interception architectures.

Computer System Under Attack
9:54 am EDT, Oct 7, 2006
"It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient." -- Undersecretary of Commerce Mark Foulon