"usenix security"

Tpmfail: a timing attack that can extract keys from secure computing chips in 4-20 minutes

Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger have published TPM-FAIL: TPM meets Timing and Lattice Attacks, their Usenix security paper, which reveals a pair of timing attacks against trusted computing chips ("Trusted Computing Modules" or TPMs), the widely deployed cryptographic co-processors used for a variety of mission-critical secure computing tasks, from verifying software updates to establishing secure connections. Read the rest

A reliable credit-card skimmer detector: a card that detects multiple read heads

A team from the University of Florida won a 2018 Usenix Security Distinguished Paper Award for Fear the Reaper: Characterization and Fast Detection of Card Skimmers, which presents their work on the "Skim Reaper," a fast, easy-to-use, reliable credit-card skimmer-detector. Read the rest

Here's the funniest, most scathing, most informative and most useful talk on AI and security

James Mickens (previously) has a well-deserved reputation for being the information security world's funniest speaker, and if that were all he did, he would still be worth listening to. Read the rest

Award-winning security research reveals a host of never-seen, currently unblockable web-tracking techniques

Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking tools. Read the rest

Efail: researchers reveal worrying, unpatched vulnerabilities in encrypted email

A group of researchers have published a paper and associated website describing a clever attack on encrypted email that potentially allows an attacker to read encrypted emails sent in the past as well as current and future emails; EFF has recommended switching off PGP-based email encryption for now, to prevent attackers from tricking your email client into decrypting old emails and sending them to adversaries. Read the rest

You can hijack a gene sequencer by hiding malware in a DNA sample

Today at the Usenix Security conference, a group of University of Washington researchers will present a paper showing how they wrote a piece of malware that attacks common gene-sequencing devices and encoded it into a strand of DNA: gene sequencers that read the malware are corrupted by it, giving control to the attackers. Read the rest

It's pretty easy to hack traffic lights

Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system. Read the rest

100 million VWs can be unlocked with a $40 cracker (and other cars aren't much better)

In Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems, a paper given at the current Usenix Security conference in Austin, researchers with a proven track record of uncovering serious defects in automotive keyless entry and ignition systems revealed a technique for unlocking over 100,000 million Volkswagen cars, using $40 worth of hardware; they also revealed a technique for hijacking the locking systems of millions of other vehicles from other manufacturers. Read the rest

Car information security is a complete wreck -- here's why

Sean Gallagher's long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer's season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet. Read the rest

Insurance monitoring dashboard devices used by Uber let hackers "cut your brakes" over wireless

UCSD computer scientist Stefan Savage and colleagues will present their work at Usenix Security: they were able to disable the brakes on a 2013 Corvette by breaking into a Mobile Devices/Metromile Pulse dongle, used by insurance companies to monitor driving in exchange for discounts on coverage. Read the rest

Security researchers buy pornoscanner, demonstrate how to sneak in guns & bombs

Researchers from UCSD, the U Michigan, and Johns Hopkins will present their work on the Rapiscan Secure 1000 at Usenix Security tomorrow; the Secure 1000 isn't used in airports anymore, but it's still in courts, jails, and government security checkpoints (researchers can't yet get their hands on the millimeter machines used at airports).

Where Twitter spam-accounts come from

A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).

Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley." Read the rest

At VW's request, English court censors Usenix Security presentation on keyless entry systems for luxury cars

Flavio Garcia, a security researcher from the University of Birmingham has been ordered not to deliver an important paper at the Usenix Security conference by an English court. Garcia, along with colleagues from a Dutch university, had authored a paper showing the security failings of the keyless entry systems used by a variety of luxury cars. Volkswagon asked an English court for an injunction censoring his work -- which demonstrated their incompetence and the risk they'd exposed their customers to -- and Mr Justice Birss agreed. Read the rest

Adversarial mind-reading with compromised brain-computer interfaces

"On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces," a paper presented by UC Berkeley and U Geneva researchers at this summer's Usenix Security, explored the possibility of adversarial mind-reading attacks on gamers and other people using brain-computer interfaces, such as the Emotiv games controller.

The experimenters wanted to know if they could forcefully extract information from your brain by taking control of your system. In the experiment, they flashed images of random numbers and used the automatic brain-response to them to make guesses as which digits were in their subjects' ATM PINs. Another variant was watching the brain activity of subjects while flashing the logo of a bank and making a guess about whether the subject used that bank.

I suppose that over time, an attacker who was able to control the stimulus and measure the response could glean a large amount of private information from a victim, without the victim ever knowing it.

Brain computer interfaces (BCI) are becoming increasingly popular in the gaming and entertainment industries. Consumer-grade BCI devices are available for a few hundred dollars and are used in a variety of applications, such as video games, hands-free keyboards, or as an assistant in relaxation training. There are application stores similar to the ones used for smart phones, where application developers have access to an API to collect data from the BCI devices.

The security risks involved in using consumer-grade BCI devices have never been studied and the impact of malicious software with access to the device is unexplored.

Read the rest

BBtv "Hacker HOWTO": Cold Boot Encryption Attack

Xeni visits the offices of the Electronic Frontier Foundation and speaks with Jake Appelbaum and Bill Paul, two of the authors of a security research paper that shows how your computer's memory can be tricked into revealing data you thought was safely encrypted, and out of the reach of others.

Link to Boing Boing tv post with discussion and downloadable video.

- - - - - - - - - - - - - - - - - - - -

One method involves using a can of compressed air to quickly cool the memory chip, but freezing the target isn't the only way to lull it into submission -- Paul shows us how to use an iPod or a USB thumb drive to do the same thing. These methods have been shown to defeat three popular disk encryption products commonly used to protect data on laptops: BitLocker (Windows Vista), FileVault (MacOS X), and dm-crypt (Linux).

Here's the entire text of the report draft, released earlier this year: Lest We Remember: Cold Boot Attacks on Encryption Keys . Authors: J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.

The team plan to research additional software tools and a final version of their report at Usenix Security Symposium in July/August.

Special thanks to Seth Schoen and Peter Eckersley of the Electronic Frontier Foundation. Read the rest

Geek law 101 audio

My cow-orker Cindy Cohn, EFF's Legal Director, gave a hell of a talk at the last USENIX Security Conference, a kind of geek-security-law 101 crash-course, usingthe fight over the leaked Diebold code as her example. EFF's just posted that talk in audio and as a set of slides. I just finished listening to it and man, did I get a lot out of it. Cindy is an amazing speaker, an amazing lawyer, and she's got a lot to say.

Link Read the rest

USENIX liveblog

Mitch Wagner sez, "I've been blogging the Usenix security conference here in San Diego, including a talk by EFF counsel Cindy Cohn:"

- EFF is deeply involved in projects to ensure honesty in e-voting. In California, she said, voters have the option to choose a paper ballot. "I'd like to see a significant percentage of people choose the paper in California. this will make the case to the rest of the country that this matters."

Many voting-rights advocates are urging people to sign up for absentee ballots--problem with that is that people order absentee ballots all the time, and legislators will assume the ordering is going on for normal reasons. Only people requesting paper ballots will make a case to legislators that people don't trust e-voting machines.

- EFF is also involved in a project called TechWatch, looking for technical people who want to be involved on election day, serving as, essentially, poll watchers, to document technical snafus on Election Day. More info and sign up on VerifiedVoting.org.

"I am concerned we will have some train wrecks involving the technology. We may not be able to prevent it but we can mitigate it and, more importantly, make sure it doesn't happen again."

Link

(Thanks, Mitch!) Read the rest

:)