Entries Tagged "academic papers"

Page 65 of 86

Breaking the Xilinx Virtex-II FPGA Bitstream Encryption

It’s a power-analysis attack, which makes it much harder to defend against. And since the attack model is an engineer trying to reverse-engineer the chip, it’s a valid attack.

Abstract: Over the last two decades FPGAs have become central components for many advanced digital systems, e.g., video signal processing, network routers, data acquisition and military systems. In order to protect the intellectual property and to prevent fraud, e.g., by cloning an FPGA or manipulating its content, many current FPGAs employ a bitstream encryption feature. We develop a successful attack on the bitstream encryption engine integrated in the widespread Virtex-II Pro FPGAs from Xilinx, using side-channel analysis. After measuring the power consumption of a single power-up of the device and a modest amount of o-line computation, we are able to recover all three different keys used by its triple DES module. Our method allows extracting secret keys from any real-world device where the bitstream encryption feature of Virtex-II Pro is enabled. As a consequence, the target product can be cloned and manipulated at will of the attacker. Also, more advanced attacks such as reverse engineering or the introduction of hardware Trojans become potential threats. As part of the side-channel attack, we were able to deduce certain internals of the hardware encryption engine. To our knowledge, this is the first attack against the bitstream encryption of a commercial FPGA reported in the open literature.

Posted on August 1, 2011 at 12:29 PMView Comments

Using Science Fiction to Teach Computer Security

Interesting paper: “Science Fiction Prototyping and Security Education: Cultivating Contextual and Societal Thinking in Computer Security Education and Beyond,” by Tadayoshi Kohno and Brian David Johnson.

Abstract: Computer security courses typically cover a breadth of technical topics, including threat modeling, applied cryptography, software security, and Web security. The technical artifacts of computer systems—and their associated computer security risks and defenses—do not exist in isolation, however; rather, these systems interact intimately with the needs, beliefs, and values of people. This is especially true as computers become more pervasive, embedding themselves not only into laptops, desktops, and the Web, but also into our cars, medical devices, and toys. Therefore, in addition to the standard technical material, we argue that students would benefit from developing a mindset focused on the broader societal and contextual issues surrounding computer security systems and risks. We used science fiction (SF) prototyping to facilitate such societal and contextual thinking in a recent undergraduate computer security course. We report on our approach and experiences here, as well as our recommendations for future computer security and other computer science courses.

Posted on August 1, 2011 at 6:03 AMView Comments

Insurgent Groups Exhibit Learning Curve

Interesting research:

After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that “insurgents pretty much seemed to be following a progress curve—or a learning curve—that’s very common in the manufacturing literature,” says physicist Neil Johnson of the University of Miami in Florida and lead author of the study.

Paper here.

Posted on July 12, 2011 at 7:13 AMView Comments

The Problem with Cyber-crime Surveys

Good paper: “Sex, Lies and Cyber-crime Surveys,” Dinei Florêncio and Cormac Herley, Microsoft Research.

Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.

I’ve been complaining about our reliance on self-reported statistics for cyber-crime.

Posted on June 21, 2011 at 5:58 AMView Comments

Fourth SHB Workshop

I’m at SHB 2011, the fourth Interdisciplinary Workshop on Security and Human Behavior, at Carnegie Mellon University. This is a two-day invitational gathering of computer security researchers, psychologists, behavioral economists, sociologists, political scientists, anthropologists, philosophers, and others—all of whom are studying the human side of security—organized by Alessandro Acquisti, Ross Anderson, and me. It’s not just an interdisciplinary conference; most of the people here are individually interdisciplinary. For the past four years, this has been the most intellectually stimulating conference I have attended.

Here is the program. The list of attendees contains links to readings from each of them—definitely a good place to browse for more information on this topic.

Ross Anderson is liveblogging this event. Matt Blaze is taping the sessions; I’ll link to them if he puts them up on the Internet.

Here are links to my posts on the first, second, and third SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 18, 2011 at 1:06 PMView Comments

Status Report on the War on Photography

Worth reading: Morgan Leigh Manning, “Less than Picture Perfect: The Legal Relationship between Photographers’ Rights and Law Enforcement,” Tennessee Law Review, Vol. 78, p. 105, 2010.

Abstract: Threats to national security and public safety, whether real or perceived, result in an atmosphere conducive to the abuse of civil liberties. History is littered with examples: The Alien and Sedition Acts of 1798, the suspension of habeas corpus during the Civil War, the Palmer Raids during World War I, and McCarthyism in the aftermath of World War II.Unfortunately, the post-9/11 world represents no departure from this age-old trend. Evidence of post-9/11 tension between national security and civil liberties is seen in the heightened regulation of photography; scholars have labeled it the “War on Photography” – a conflict between law enforcement officials and photographers over the right to take pictures in public places. A simple Google search reveals countless incidents of overzealous law enforcement officials detaining or arresting photographers and, in many cases, confiscating their cameras and memory cards, despite the fact that these individuals were in lawful places, at lawful times, partaking in lawful activities.

This article examines the so-called War on Photography and the remedies available to those who have been unlawfully detained, arrested, or have had their property seized for taking pictures in public places or private places open to the public. It discusses recent incidents that highlight the growing infringement of photography rights and the magnitude of the harm that law enforcement officials have inflicted, paying particular attention to the themes these events have in common. It explores the existing legal framework surrounding photography rights and the federal and state remedies available to those whose rights have been violated. It examines the adequacy of each remedy including: (1) declaratory and injunctive relief, (2) Section 1983 and Bivens actions, and (3) state tort remedies. It discusses the obstacles associated with each remedy and the reasons why these obstacles are particularly hard to overcome in the context of photography. It then argues that most, if not all, of the remedies discussed are either inadequate or altogether impractical considering the costs of litigation. Lastly, this article will discuss the reasons why people should be concerned about the War on Photography and possible ways to reverse the erosion of photography rights.

Posted on June 14, 2011 at 1:45 PMView Comments

Spam as a Business

Interesting research: Kirill Levchenko, et al. (2010), “Click Trajectories—End-to-End Analysis of the Spam Value Chain,” IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011.

Abstract: Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam interventions focus on only one facet of the overall spam value chain (e.g., spam filtering, URL blacklisting, site takedown). In this paper we present a holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks.

It’s a surprisingly small handful of banks:

All told, they saw 13 banks handling 95% of the 76 orders for which they received transaction information. (Only one U.S. bank was seen settling spam transactions: Wells Fargo.) But just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean. In addition, “most herbal and replica purchases cleared through the same bank in St. Kitts, … while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia),” they said.

This points to a fruitful avenue to reduce spam: go after the banks.

Here’s an older paper on the economics of spam.

Posted on June 9, 2011 at 1:53 PMView Comments

The Cyberwar Arms Race

Good paper: “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” by Jerry Brito and Tate Watkins.

Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.

The rhetoric of “cyber doom” employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well.

Part I of this article draws a parallel between today’s cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat.

Also worth reading is an earlier paper by Sean Lawson: “Beyond Cyber Doom.”

EDITED TO ADD (5/3): Good article on the paper.

Posted on April 28, 2011 at 6:56 AMView Comments

Social Solidarity as an Effect of the 9/11 Terrorist Attacks

It’s standard sociological theory that a group experiences social solidarity in response to external conflict. This paper studies the phenomenon in the United States after the 9/11 terrorist attacks.

Conflict produces group solidarity in four phases: (1) an initial few days of shock and idiosyncratic individual reactions to attack; (2) one to two weeks of establishing standardized displays of solidarity symbols; (3) two to three months of high solidarity plateau; and (4) gradual decline toward normalcy in six to nine months. Solidarity is not uniform but is clustered in local groups supporting each other’s symbolic behavior. Actual solidarity behaviors are performed by minorities of the population, while vague verbal claims to performance are made by large majorities. Commemorative rituals intermittently revive high emotional peaks; participants become ranked according to their closeness to a center of ritual attention. Events, places, and organizations claim importance by associating themselves with national solidarity rituals and especially by surrounding themselves with pragmatically ineffective security ritual. Conflicts arise over access to centers of ritual attention; clashes occur between pragmatists deritualizing security and security zealots attempting to keep up the level of emotional intensity. The solidarity plateau is also a hysteria zone; as a center of emotional attention, it attracts ancillary attacks unrelated to the original terrorists as well as alarms and hoaxes. In particular historical circumstances, it becomes a period of atrocities.

This certainly makes sense as a group survival mechanism: self-interest giving way to group interest in face of a threat to the group. It’s the kind of thing I am talking about in my new book.

Paper also available here.

Posted on April 27, 2011 at 9:10 AMView Comments

1 63 64 65 66 67 86

Sidebar photo of Bruce Schneier by Joe MacInnis.