James Mickens (previously) has a well-deserved reputation for being the information security world's funniest speaker, and if that were all he did, he would still be worth listening to.
Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking tools.
A group of researchers have published a paper and associated website describing a clever attack on encrypted email that potentially allows an attacker to read encrypted emails sent in the past as well as current and future emails; EFF has recommended switching off PGP-based email encryption for now, to prevent attackers from tricking your email client into decrypting old emails and sending them to adversaries.
Today at the Usenix Security conference, a group of University of Washington researchers will present a paper showing how they wrote a piece of malware that attacks common gene-sequencing devices and encoded it into a strand of DNA: gene sequencers that read the malware are corrupted by it, giving control to the attackers.
Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system.
In Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems, a paper given at the current Usenix Security conference in Austin, researchers with a proven track record of uncovering serious defects in automotive keyless entry and ignition systems revealed a technique for unlocking over 100,000 million Volkswagen cars, using $40 worth of hardware; they also revealed a technique for hijacking the locking systems of millions of other vehicles from other manufacturers.
Sean Gallagher's long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer's season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet.
UCSD computer scientist Stefan Savage and colleagues will present their work at Usenix Security: they were able to disable the brakes on a 2013 Corvette by breaking into a Mobile Devices/Metromile Pulse dongle, used by insurance companies to monitor driving in exchange for discounts on coverage.
Researchers from UCSD, U Michigan, and Johns Hopkins will present their work on the Rapiscan Secure 1000 at Usenix Security tomorrow; the Secure 1000 isn't used in airports anymore, but it's still in courts, jails, and government security checkpoints (researchers can't yet get their hands on the millimeter machines used at airports).
A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).
Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."
Flavio Garcia, a security researcher from the University of Birmingham, has been ordered not to deliver an important paper at the Usenix Security conference by an English court. Garcia, along with colleagues from a Dutch university, had authored a paper showing the security failings of the keyless entry systems used by a variety of luxury cars. Volkswagen asked an English court for an injunction censoring his work -- which demonstrated their incompetence and the risk they'd exposed their customers to -- and Mr Justice Birss agreed.
"On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces," a paper presented by UC Berkeley and U Geneva researchers at this summer's Usenix Security, explored the possibility of adversarial mind-reading attacks on gamers and other people using brain-computer interfaces, such as the Emotiv games controller.
The experimenters wanted to know if they could forcefully extract information from your brain by taking control of your system. In the experiment, they flashed images of random numbers and used the automatic brain-response to them to make guesses as to which digits were in their subjects' ATM PINs. Another variant was watching the brain activity of subjects while flashing the logo of a bank and making a guess about whether the subject used that bank.
I suppose that over time, an attacker who was able to control the stimulus and measure the response could glean a large amount of private information from a victim, without the victim ever knowing it.
Brain computer interfaces (BCI) are becoming increasingly popular in the gaming and entertainment industries. Consumer-grade BCI devices are available for a few hundred dollars and are used in a variety of applications, such as video games, hands-free keyboards, or as an assistant in relaxation training. There are application stores similar to the ones used for smart phones, where application developers have access to an API to collect data from the BCI devices.
The security risks involved in using consumer-grade BCI devices have never been studied and the impact of malicious software with access to the device is unexplored.
Xeni visits the offices of the Electronic Frontier Foundation and speaks with Jake Appelbaum and Bill Paul, two of the authors of a security research paper that shows how your computer's memory can be tricked into revealing data you thought was safely encrypted, and out of the reach of others.
Link to Boing Boing tv post with discussion and downloadable video.
One method involves using a can of compressed air to quickly cool the memory chip, but freezing the target isn't the only way to lull it into submission -- Paul shows us how to use an iPod or a USB thumb drive to do the same thing. These methods have been shown to defeat three popular disk encryption products commonly used to protect data on laptops: BitLocker (Windows Vista), FileVault (MacOS X), and dm-crypt (Linux).
Here's the entire text of the report draft, released earlier this year: Lest We Remember: Cold Boot Attacks on Encryption Keys. Authors: J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.
The team plan to research additional software tools and a final version of their report at Usenix Security Symposium in July/August.
Special thanks to Seth Schoen and Peter Eckersley of the Electronic Frontier Foundation.
My cow-orker Cindy Cohn, EFF's Legal Director, gave a hell of a talk at the last USENIX Security Conference, a kind of geek-security-law 101 crash-course, using the fight over the leaked Diebold code as her example. EFF's just posted that talk in audio and as a set of slides. I just finished listening to it and man, did I get a lot out of it. Cindy is an amazing speaker, an amazing lawyer, and she's got a lot to say.
Mitch Wagner sez, "I've been blogging the Usenix security conference here in San Diego, including a talk by EFF counsel Cindy Cohn:"
- EFF is deeply involved in projects to ensure honesty in e-voting. In California, she said, voters have the option to choose a paper ballot. "I'd like to see a significant percentage of people choose the paper in California. This will make the case to the rest of the country that this matters."
Many voting-rights advocates are urging people to sign up for absentee ballots--problem with that is that people order absentee ballots all the time, and legislators will assume the ordering is going on for normal reasons. Only people requesting paper ballots will make a case to legislators that people don't trust e-voting machines.
- EFF is also involved in a project called TechWatch, looking for technical people who want to be involved on election day, serving as, essentially, poll watchers, to document technical snafus on Election Day. More info and sign up on VerifiedVoting.org.
"I am concerned we will have some train wrecks involving the technology. We may not be able to prevent it but we can mitigate it and, more importantly, make sure it doesn't happen again."
(Thanks, Mitch!)