Tuesday, December 6, 2011

Blog: System Would Monitor Feds for Signs They're 'Breaking Bad'

System Would Monitor Feds for Signs They're 'Breaking Bad'
Government Computer News (12/06/11) Kevin McCaney

Georgia Tech researchers, in collaboration with researchers at Oregon State University, the University of Massachusetts, and Carnegie Mellon University, are developing the Proactive Discovery of Insider Threats Using Graph Analysis and Learning (PRODIGAL) system. PRODIGAL is designed to scan up to 250 million text messages, emails, and file transfers to identify insider threats or employees that are about to turn against the organization. The system will integrate graph processing, anomaly detection, and relational machine learning to create a prototype Anomaly Detection at Multiple Scales system. PRODIGAL, which initially would be used to monitor the communications in civilian, government, and military organizations in which employees have agreed to be monitored, is intended to identify rogue individuals, according to the researchers. "Our goal is to develop a system that will provide analysts for the first time a very short, ranked list of unexplained events that should be further investigated," says Georgia Tech professor David Bader.

Wednesday, November 2, 2011

Blog: Major Breakthrough Improves Software Reliability and Security

Major Breakthrough Improves Software Reliability and Security
Columbia University (11/02/11)

Columbia University researchers have developed Peregrine, software designed to improve the reliability and security of multithreaded computer programs. "Our main finding in developing Peregrine is that we can make threads deterministic in an efficient and stable way: Peregrine can compute a plan for allowing when and where a thread can 'change lanes' and can then place barriers between the lanes, allowing threads to change lanes only at fixed locations, following a fixed order," says Columbia professor Junfeng Yang. "Once Peregrine computes a good plan without collisions for one group of threads, it can reuse the plan on subsequent groups to avoid the cost of computing a new plan for each new group." The researchers say the program gets at the root cause of software problems, enabling Peregrine to address all of the issues that are caused by nondeterminism. They note that Peregrine can handle data races or bugs, is very fast, and works with current hardware and programming languages.

Tuesday, November 1, 2011

Blog: Researchers Defeat CAPTCHA on Popular Websites

Researchers Defeat CAPTCHA on Popular Websites
IDG News Service (11/01/11) Lucian Constantin

Stanford University researchers have developed an automated tool that can decipher Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs), which are used by many Web sites as an anti-spam test. The Stanford team, led by researchers Elie Bursztein, Matthieu Martin, and John C. Mitchell, developed various methods of cleaning up purposefully introduced background noise and breaking text strings into individual characters for easier recognition. Some of the CAPTCHA-breaking algorithms are based on tools used by robots to orient themselves in new environments. The researchers created Decaptcha, which was run against CAPTCHAs used by 15 high-profile Web sites. The only tested site that could not be broken was Google. The researchers also developed several recommendations to improve CAPTCHA security, including randomizing the length of the text string, randomizing the character size, applying a wave-like effect to the output, and using collapsing or lines in the background.

Tuesday, October 25, 2011

Blog: How Revolutionary Tools Cracked a 1700s Code

How Revolutionary Tools Cracked a 1700s Code
New York Times (10/25/11) John Markoff

A cipher dating back to the 18th century that was considered uncrackable was finally decrypted by a team of Swedish and U.S. linguists by using statistics-based translation methods. After a false start, the team determined that the Copiale Cipher was a homophonic cipher and attempted to decode all the symbols in German, as the manuscript was originally discovered in Germany. Their first step was finding regularly occurring symbols that might stand for the common German pair "ch." Once a potential "c" and "h" were found, the researchers used patterns in German to decode the cipher one step at a time. Language translation techniques such as expected word frequency were used to guess a symbol's equivalent in German. However, there are other, more impenetrable ciphers that have thwarted even the translators of the Copiale Cipher. The Voynich manuscript has been categorized as the most frustrating of such ciphers, but one member of the team that cracked the Copiale manuscript, the University of Southern California's Kevin Knight, co-published an analysis of the Voynich document pointing to evidence that it contains patterns that match the structure of natural language.

Monday, October 24, 2011

Blog: XML Encryption Cracked, Exposing Real Threat to Online Transactions

XML Encryption Cracked, Exposing Real Threat to Online Transactions
Government Computer News (10/24/11) William Jackson

Ruhr-University Bochum researchers have demonstrated a technique for breaking the encryption used to secure data in online transactions, posing a serious threat to all currently used implementations of XML encryption. The attack can recover 160 bytes of a plain-text message in 10 seconds and decrypt larger amounts of data at the same pace, according to the researchers. The attack exploits weaknesses in the cipher-block chaining (CBC) mode of operation that is commonly used with many cryptographic algorithms, making it possible to also use the attack against non-XML implementations. "I would not be surprised to see variants of this attack applied to other protocols, when CBC mode is used in similar context," says the World Wide Web Consortium's (W3C's) Thomas Roessler. The researchers recommend fixing existing CBC implementations or developing secure new implementations without changing the XML Encryption standard. Roessler says such a change should be simple because the XML Encryption standard is not specific to any algorithm or mode of operation. He notes that W3C's XML Security Working Group is developing a set of mandatory algorithms used in XML Encryption to include use of only non-CBC modes of operation.

Tuesday, October 11, 2011

Blog: Father of SSL Says Despite Attacks, the Security Linchpin Has Lots of Life Left

Father of SSL Says Despite Attacks, the Security Linchpin Has Lots of Life Left
Network World (10/11/11) Tim Greene

Despite high-profile exploits, secure sockets layer/transport layer security (SSL/TLS), the protocol that safeguards e-commerce security, can remain viable through proper upgrades as they become necessary, says SSL co-creator Taher Elgamal in an interview. He says the problem is not rooted in SSL/TLS itself, but rather in the surrounding trust framework and the problems it causes when it comes time to patch the protocol to correct vulnerabilities. "If there is a way that we can separate who we trust from the vendor of the browsers, then that would be the best thing to do," Elgamal notes. "And the root of the trust should be the Internet with its built-in reputation ecosystem." Elgamal says that in such a scenario, if people were to notice that a specific certificate authority is issuing bad certificates, then the reputation would jettison it immediately with no need to issue patches. What is needed is the construction of an automatic update mechanism, and Elgamal believes the technology to facilitate self-updating exists. "I hope people look for these things because honestly, every protocol will have roles for self-updating things," he notes. "Nothing will remain secure forever."

Wednesday, September 7, 2011

Blog: New Forensics Tool Can Expose All Your Online Activity

New Forensics Tool Can Expose All Your Online Activity
New Scientist (09/07/11) Jamie Condliffe

Software developed by researchers from Stanford University can be used to bypass the encryption on a personal computer's hard drive to find what Web sites a user has visited and whether any data has been stored in the cloud. The team launched the Windows-based open source software, Offline Windows Analysis and Data Extraction (OWADE), at the Black Hat 2011 security conference. Most sensitive data on a hard drive, including browsing history, site logins, and passwords, uses an algorithm to generate an encryption key based on the standard Windows login. Elie Bursztein and colleagues discovered how to decrypt the files a year ago. OWADE combines their knowledge of how this system works with existing data-extraction techniques into a single forensics package. "We've built a tool that can reconstruct where the user has been online, and what identity they used," Bursztein says. Law enforcement would be able to use the tool to track sex offenders, but people who want to remain anonymous could potentially exploit the software and develop new ways of avoiding being caught.

Wednesday, July 27, 2011

Blog: Protecting Networks Is Just a Game

Protecting Networks Is Just a Game
EurekAlert (07/27/11)

A defensive strategy for computer networks based on game theory is more effective than previous methods, says Iona College information technologist Heechang Shin, who developed an anti-hacking tool that plays a game of reality versus forecast. Called defensive forecasting, the tool wins when reality matches its forecast, and then sends out an alert to block an attempt to attack the computer network. The tool works on real-time data flowing in and out of the network, rather than analyzing logs, and detects intrusions as they are happening. Shin's game theory model continuously trains the tool so that it can recognize the patterns of typical network attacks. To measure the effectiveness of the tool, Shin compared it to a network intrusion system based on a support vector machine (SVM), which is one of the best classification methods for detection, using a semi-synthetic dataset generated from raw TCP/IP dump data by simulating a typical U.S. Air Force local-area network. During testing, the tool was as good as or better than one based on SVM for detecting network intrusion while adding the benefits of real-time detection.

Monday, July 25, 2011

Blog: Sandia's CANARY Software Protects Water Utilities From Terrorist Attacks and Contaminants, Boosts Quality

Sandia's CANARY Software Protects Water Utilities From Terrorist Attacks and Contaminants, Boosts Quality
Sandia National Laboratories (07/25/11) Heather Clark

Researchers at Sandia National Laboratories and the U.S. Environmental Protection Agency have developed the CANARY Event Detection Software, an open source program that monitors public water systems to protect them from terrorist attacks or natural contaminants. The CANARY software tells utility operators whether something is wrong with their water system within minutes. CANARY can be customized for individual utility systems with their own sensors and software, according to Sandia's Sean McKenna. The researchers used algorithms to analyze data coming from multiple sensors and differentiate between natural variability and unusual patterns that indicate a problem. When new data is received, CANARY determines whether it is close enough to a known cluster to be considered normal or whether it is far enough away to be deemed anomalous. An unintended benefit of the software is that when utility operators better understood the data being sent by their sensors, they could make changes to the management of the water systems to improve its overall quality.

Blog: Cornell Computers Spot 'Opinion Spam'

Cornell Computers Spot 'Opinion Spam'
Cornell Chronicle (07/25/11) Bill Steele

Cornell University researchers have developed software that can identify opinion spam, which are phony positive reviews created by sellers to help sell their products, or negative reviews meant to downgrade competitors. In a test of 800 reviews of Chicago-area hotels, the program was able to identify deceptive reviews with almost 90 percent accuracy. The researchers, led by professors Claire Cardie and Jeff Hancock, found that truthful hotel reviews were more likely to contain concrete words that had to do with the hotel, such as "bathroom," "check-in," or "price," while deceptive reviews contained scene-setting words, such as "vacation," "business trip," and "my husband." In general, deceivers use more verbs and honest reviewers use more nouns. The researchers found that the best results came from combining keyword analysis with the ways certain words are combined in pairs. The next step will be to see if the system can be extended to other categories, such as restaurants and consumer products, says Cornell graduate student Myle Ott.

Tuesday, July 5, 2011

Blog: A Futures Market for Computer Security

A Futures Market for Computer Security
Technology Review (07/05/11) Brian Krebs

A pilot prediction market that can forecast major information security incidents before they occur is under development by information security researchers from academia, industry, and the U.S. intelligence community for the purpose of supplying actionable data, says Greg Shannon with Carnegie Mellon University's Software Engineering Institute. "If you're Verizon, and you're trying to pre-position resources, you might want to have some visibility over the horizon about the projected prevalence of mobile malware," he says. "That's something they'd like to have an informed opinion about by leveraging the wisdom of the security community." Consensus Point CEO Linda Rebrovick says the project's objective is to draw a network of approximately 250 experts. Prediction markets have a substantial inherent bias--respondents to questions are not surveyed randomly--but there also is an incentive for respondents to respond only to those queries they feel confident in answering accurately. "People tend to speak up only when they're reasonably sure they know the answer," says Consensus Point chief scientist Robin Hanson. Even lukewarm responses to questions can be useful, notes Dan Geer, chief information security officer at the U.S. Central Intelligence Agency's In-Q-Tel venture capital branch.

Thursday, April 21, 2011

Blog: The Botnets That Won't Die

The Botnets That Won't Die
Technology Review (04/21/11) Kurt Kleiner

Researchers warn that coordinated attacks on conventional botnets could lead spammers and criminal organizations to pursue more resilient communication schemes. Although conventional botnets are controlled by a few central computers, botnets that use peer-to-peer communications protocols pass messages from machine to machine. The controller inserts a command into one or more of the peers and it is spread gradually throughout the network. Some botnets using peer-to-peer communications have been implemented, but authorities have been able to infiltrate and disrupt them by spreading phony commands, files, and information. Meanwhile, Los Alamos National Laboratory's Stephen Eidenbenz and colleagues have designed and simulated a botnet that potentially would be even more difficult to shut down--one that would randomly configure itself into a hierarchy, with peers accepting commands only from machines higher up in the hierarchy, and would reconfigure the hierarchy every day.

Wednesday, April 20, 2011

Blog: iPhone Secretly Tracks User Location, Say Researchers

iPhone Secretly Tracks User Location, Say Researchers
Computerworld (04/20/11) Gregg Keizer

Apple iPhones and iPads track users' locations and store the data in an unencrypted file on the devices and on owners' computers, according to two researchers. The data is in a SQLite file on devices with 3G capability. The file, named consolidated.db, includes locations' longitude and latitude, a timestamp, and nearby Wi-Fi networks. "There can be tens of thousands of data points in this file," the researchers say. To view the location file on an iPhone remotely, an attacker would have to exploit a pair of vulnerabilities, one to hack Safari and another to gain access to the root directory, says researcher Charlie Miller. The biggest threat to users would be if the device is lost, making the data available to whoever finds it. The researchers created an application that extracts the data from a Mac and displays the location history on a map. "Why this data is stored and how Apple intends to use it--or not--are important questions that need to be explored," according to the researchers.

Wednesday, April 6, 2011

Blog: DARPA Will Spend $20 Million to Search for Crypto's Holy Grail

DARPA Will Spend $20 Million to Search for Crypto's Holy Grail
Forbes (04/06/11) Andy Greenberg

The U.S. Defense Advanced Research Projects Agency (DARPA) plans to spend $20 million over five years to find a way to both encrypt data and let it be used and manipulated. The Programming Computation on Encrypted Data (PROCEED) project would build upon the work of IBM researcher Craig Gentry, who has solved the theoretical problem of performing complex computations on encrypted data without decrypting it. Such full homomorphic encryption would enable someone to query a database without it ever knowing the content of the request. Gentry's method takes immense computational power, so DARPA wants the participating contractors and academic research teams to reduce the computing time for full homomorphic encryption by a factor of 10 million compared to its current state, or alternatively reduce it to 100,000 times the computation required for unencrypted computing. Meanwhile, Gentry says he recently discovered a less efficient version that could offer more computational shortcuts. Gentry recently received ACM's Grace Murray Hopper Award, which is awarded to the outstanding young computer professional of the year.

Wednesday, March 9, 2011

Blog: Researchers Show How a Car's Electronics Can Be Taken Over Remotely

Researchers Show How a Car's Electronics Can Be Taken Over Remotely
New York Times (03/09/11) John Markoff

Researchers at the University of California, San Diego (UCSD) and the University of Washington have shown that computer hackers could gain remote access to a car and take over the vehicle's basic functions, including control of the engine. The hackers accessed the car through the vehicle's built-in cellular connections and Bluetooth wireless technology, enabling them to track the car's location, eavesdrop on the cabin, and steal vehicle data. "This report explores how hard it is to compromise a car's computers without having any direct physical access to the car," says UCSD professor Stefan Savage. Services such as General Motors' OnStar system, Toyota's Safety Connect, Lexus' Enform, Ford's Sync, BMW's Assist, and Mercedes Benz's Mbrace all use a cellular connection embedded in the vehicle to provide a variety of automated and call center support services to a driver. These cellular channels "can be accessed over arbitrary distance [due to the wide coverage of cellular data infrastructure] in a largely anonymous fashion, typically have relatively high bandwidth, are two-way channels [supporting interactive control and data exfiltration], and are individually addressable," Savage says.

Tuesday, February 8, 2011

Blog: Fresh Advice on Building Safer Software

Fresh Advice on Building Safer Software
Government Computer News (02/08/11) William Jackson

The Software Assurance Forum for Excellence in Code (SAFECode) recently released the second edition of "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today," a set of guidelines based on real-world tools that reflects advancements in software security. "The second edition of the paper aims to disseminate the new knowledge SAFECode has gathered and provide new tools and improved guidance for those implementing the paper's recommended practices," says SAFECode executive director Paul Kurtz. The new edition contains more information on each best practice, using Common Weakness Enumeration (CWE) references to identify software weaknesses addressed by each specific practice. "By mapping our recommended practices to CWE, we wish to provide a more detailed illustration of the security issues these practices aim to resolve and a more precise starting point for interested parties to learn more," the paper says. The guidelines are designed to serve as a platform of practices, already employed by member companies, that have demonstrated efficacy.

Friday, February 4, 2011

Blog: DARPA Seeks Security Expertise From a Nontraditional Source: the Hacker Community

DARPA Seeks Security Expertise From a Nontraditional Source: the Hacker Community
NextGov.com (02/04/11) Dawn Lim

The U.S. Defense Advanced Research Projects Agency (DARPA) recently launched the Cyber Fast Track program, which will reward security research done quickly and inexpensively, criteria designed to attract nontraditional developers such as hobbyists, startups, and hackers. "Since the early '80s there has been some contingent of cyber researchers and hobbyists operating in low-budget settings," says DARPA's Peiter Zatko. He says limited resources force these groups to be extremely creative. DARPA also wants to apply the Cyber Fast Track process to other areas of defense. Zatko says the agency is looking toward unconventional solutions to cybersecurity problems because the current strategy of layering costly defensive security applications onto large IT infrastructures isn't sustainable. DARPA found that defensive applications contained about 10 million lines of code, while 9,000 samples of malware used only 125 lines of code. Although it is counterintuitive, more lines of code make a system more vulnerable to attacks. An IBM metric suggests that for every 1,000 lines of code, there could be as many as five bugs introduced to the system. "You're spending all this effort layering on all this extra security, and it turns out that's introducing more vulnerabilities," Zatko says.

Monday, December 20, 2010

Blog: DARPA Goal for Cybersecurity: Change the Game

DARPA Goal for Cybersecurity: Change the Game
DVIDS (12/20/10) Cheryl Pellerin

The U.S. Defense Advanced Research Projects Agency (DARPA) has developed programs that deal with cybersecurity threats by surprising the attackers. The agency created the Clean-slate Design of Resilient, Adaptive, Secure Hosts (CRASH) and Programming Computation on Encrypted Data (PROCEED) programs to enhance the agency's cybersecurity research, says DARPA's Kaigham Gabriel. CRASH aims to develop new computer systems that resist cyberattacks the same way organisms fight bacteria and viruses. Gabriel says the researchers are developing computer hardware that gives systems a kind of genetic diversity that would make them more resistant to cyberinfections by learning from attacks and repairing themselves. He notes that over the last two decades, the number of lines of code in security software has increased from approximately 10,000 to about 10 million, but the number of lines of code in malware has remained constant at about 125. This analysis and others "led us to understand that many of the things we're doing are useful, but they're not convergent with the problem," Gabriel says. The PROCEED program is working to improve the efficiency of working on encrypted data that has not been decrypted. "If we were able to do relevant sorts of operations without ever having to decrypt, that would be a tremendous gain because ... whenever you decrypt into the open, you create vulnerability," he says.

Tuesday, December 14, 2010

Blog: JASON: Science of Cyber Security Needs More Work

JASON: Science of Cyber Security Needs More Work
Secrecy News (12/14/10) Steven Aftergood

The JASON independent scientific advisory panel has produced a report on cybersecurity for the U.S. Department of Defense (DoD) that says a fundamental understanding of the science of cybersecurity is needed to improve the country's security approaches. The advisory says the science of cybersecurity "seems underdeveloped in reporting experimental results, and consequently in the ability to use them." The report notes that the science of cybersecurity is unique in that the background for events is almost completely created by humans and is digital, and there are good actors as well as adversaries who are purposeful and intelligent. The JASON report also addresses the importance of definitions, the need for a standard vocabulary to discuss the subject, and the need to devise experimental protocols for developing a reproducible experimental science of cybersecurity. "At the most abstract level, studying the immune system suggests that cybersecurity solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms," the report says. It also says the DoD should support a network of cybersecurity research centers in universities and elsewhere.

Monday, December 13, 2010

Blog: Cryptographers Chosen to Duke It Out in Final Fight [SHA-3]

Cryptographers Chosen to Duke It Out in Final Fight
New Scientist (12/13/10) Celeste Biever

The U.S. National Institute of Standards and Technology (NIST) has selected five Secure Hash Algorithm (SHA-3) entrants as finalists for its competition to find a replacement for the gold-standard security algorithm. The finalists include BLAKE, devised by a team led by Jean-Philippe Aumasson of the Swiss company Nagravision, and Skein, which is the work of computer security expert and blogger Bruce Schneier. "We picked five finalists that seemed to have the best combination of confidence in the security of the algorithm and their performance on a wide range of platforms" such as desktop computers and servers, says NIST's William Burr. "We wanted a set of finalists that were different internally, so that a new attack would be less likely to damage all of them, just as biological diversity makes it less likely that a single disease can wipe out all the members of a species." The finalists incorporate new design ideas that have arisen in recent years. The Keccak algorithm from a team led by STMicroelectronics' Guido Bertoni uses a novel idea called sponge hash construction to produce a final string of 1s and 0s. The teams have until Jan. 16, 2011, to tweak their algorithms, then an international community of cryptanalysts will spend a year looking for weaknesses. NIST will pick a winner in 2012.
