TRUST News

Security flaw exposed on Home Shopping Network

When a user encountered a possible security flaw exposing customers of a large television shopping network to credit card fraud, ABC's 7 On Your Side contacted UC Berkeley computer security expert Doug Tygar, who suggested that they find out for themselves if her fears were founded.

The customer tried the 'Shop by Remote' feature on Home Shopping Network but directed her order to be shipped to her sister's address and found she could do so without her sister even knowing about it. This result was brought back to Tygar.
"I didn't believe it," he said. "I was shocked that you could do that, that such an obvious and large hole would be left open."
Tygar says requiring passwords is an industry standard. It is true that HSN requires both a user name and password when customers shop online. However, neither is required with HSN's "Shop by Remote" feature.
"I would imagine they would be able to deploy a password mechanism in a matter of days. It shouldn't take that much effort," Tygar said.

See full article at 7 on Your Side.

Breaking the Botnet Code

UC Berkeley Professor Dawn Song co-presented a talk on Malware and Bots at the Association for Computing Machinery's Conference on Computer and Communications Security this week.

Networks of compromised computers controlled by a central server, known as 'botnets', can be used to systematically spew spam, host malicious code, or flood a network to cut off its access to the Web. Researchers presented a tool at the conference that can decipher the structure and purpose of communications between a control server and its bots through automatic reverse engineering. The researchers parlayed the technique into a tool called Dispatcher that will analyze botnet network communications and even inject new information into the communications stream.

The researchers note that such automated tools are not yet needed for analyzing most malware since more than 90 percent of all botnets use easy-to-break encryption with their communications, making manual techniques rather easy and fast.

Yet botnets will continue to evolve, says UC Professor Song. "Botnet programs are becoming more complicated," she says. "They are using various obfuscation techniques and so on. So maybe manual analysis can work for now, but in the future, we will need better tools."

See article in Technology Review.

UC Berkeley computer science professor and privacy expert, Doug Tygar, consulted about security flaws in CalJOBS website

When "CBS 5 Investigates" discovered a state-run website may be putting hundreds of thousands of Californians at risk of identity theft, they asked UC Berkeley Computer Science professor and privacy expert Doug Tygar to take a look at a problem experienced by laid off worker Tom Diederich.

Diederich had posted his resume on CalJOBS, the state's job site, as is required for getting unemployment benefits. However, when Diederich logged back in to the site the next day, he saw someone else's information, including their name, where they live, email and phone number. The next time, he got someone else's information and the following 5 or 6 times he logged in, he saw the same info about those other people.
Professor Tygar said, "I consider that to be a serious security breach." Moreover, Tygar was able to get into the site and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said. Just by changing a few numbers in the URL, he was able to go in and change information on people's resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

The glitch that allowed Diederich to click on his bookmark and read other people's resumes appears to be fixed. EDD said their web site team is now following up on the other possible vulnerabilities identified by CBS 5 Investigates. They say if such vulnerabilities are found, they will correct them immediately.

See full story at CBS News.

UC Berkeley Professor David Wagner contracted by the state to investigate voting logs

The state of California is conducting a months-long investigation into audit logs inside the state's electronic voting systems after reports of serious problems with the logs, even to the point where an election official or someone else could delete votes while leaving no electronic trail of such action.

According to Secretary of State Debra Bowen, the investigation is examining what the audit logs actually record and whether they can be easily altered or deleted. Bowen, appearing at an event concerning an open source voting project in development, told Threat Level that the state had contracted with David Wagner, a computer scientist with the University of California at Berkeley to investigate what the logs on the Premier/Diebold e-voting system, as well as every other voting system used in California, do and do not record.

See full article in THREAT LEVEL.

TRUST Executive Director at launch of UK's new cybersecurity center

The United Kingdom's lead center for cyber security research opens today at Queen's University Belfast. The £30 million Centre for Secure Information Technologies (CSIT) will become the UK's principal center for the development of technology to combat malicious cyber attacks and is one of the first Innovation and Knowledge Centres (IKCs) created in the UK.

Attendance at the Centre's launch of some of the most respected national and international figures in the field of cyber-security, including Larry Rohrbough, Chief Executive of TRUST, the United States' major center in the area of cyber-security at the University of California at Berkeley, highlights the significance of the new Centre to the global communications and IT industries.

Professor John McCanny, CSIT principal investigator, says
"The approach adopted within CSIT contrasts with the more conventional way academic research is undertaken. Our starting points tend to be larger "mission-driven" projects involving sizeable teams for which ambitious and challenging end goals have been identified".

See press release at EurekAlert!.

UC Berkeley Professor Ruzena Bajcsy receives Technical Leadership Award

The winner of the Anita Borg Technical Leadership Award, awarded to a woman who has inspired the women's technology community through outstanding technological and social contributions, is Ruzena Bajcsy, Professor of Electrical Engineering at the University of California, Berkeley as well as Director Emerita of the Center for Information Technology Research in the Interest of Society (CITRIS). Dr. Bajcsy has spearheaded new research fields, guided national policy regarding social issues and led the computing community in addressing them.

See press release at MarketWatch.

Sequoia e-voting machine commandeered by clever attack

Using a method known as return-oriented programming, computer scientists have figured out how to trick a widely used electronic voting machine into altering tallies by bypassing measures that are supposed to prevent unauthorized code from running on it.

The Sequoia AVC Advantage machine is programmed to execute code only when it's stored on read-only memory chips that are difficult to install and remove. By expressly forbidding running code in random access memory, the intention was to make it impossible for attackers to inject malicious programs that might compromise the integrity of an election.

However, a computer science research team from Princeton, UC San Diego and the University of Michigan succeeded with an attack by first reverse engineering the hardware on a legally purchased Sequoia AVC Advantage and then reverse engineering the software it ran by analyzing the ROM. The research was presented this week at the 2009 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections.
"It's excellent research," said David Wagner, a computer scientist from the University of California at Berkeley who attended the conference. "The research is significant because it illustrates that attacks get better over time and it shows just how difficult it is to protect paperless voting systems."

See article in The Register.

Creating the New Cybersecurity Pro; Interview with Cornell Computer Science Professor Fred Schneider

Samuel B. Eckert Professor of Computer Science at Cornell University Fred Schneider believes the future of the IT profession is handicapped by a shortage of academics to provide the training for needed IT security skills.

In an interview with GovInfoSecurity.com, Schneider contends that to produce not only the teachers, but the practitioners themselves, American universities need to create innovative graduate-level programs that provide training that encompasses not only an understanding of IT security technologies, but an understanding of why the technology is needed as well.

Schneider, also a member of the federal government's Information Security and Privacy Advisory Board and co-chair of Microsoft's Trustworthy Computing Academic Advisory Board, says
"In the longer term, when you make cybersecurity technology decisions, you want to make it within the context of things like knowing its effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making and understanding about business models."

See full story and interview transcript in GovInfoSecurity.com.

Academic: Wireless sensors can easily measure caloric intake

Shankar Sastry, Dean of Engineering at the University of California Berkeley, was recently interviewed along with Senior Director of Manhattan Research, Monica Levy, by the California Healthcare Foundation's iHealthBeat. Both Sastry and Levy discuss the current state and the promise of wireless-enabled healthcare tools.
"The cell phone is perfect because it's like a wrist watch you carry around, I think the idea of having access to electronic medical records is transformational in that it changes electronic medical records to be personal health records," Sastry said. "So I think that going forward there will be a huge consumer push to be able to both record and analyze data and the cell phones are gradually becoming not just a place for repository and also for analyzing data, but also as a distributive sensor network in the sense that the cell phone can interrogate other sensors which are attached to your body."
"It's reasonably easy for us to measure the [caloric] in-take -- the out-take has always been way, way difficult, partly because we have such different metabolic rates," Sastry said. "But I do think with the sensing though you do get a handle on those metabolic rates. So that I think is huge: To be able to then get sense of how much you are burning up in addition to how much you are taking in."

See more at mobilehealthnews.com.

Dr. Ruzena Bajcsy to receive HP Innovation Award

Dr. Ruzena Bajcsy, EECS Professor at the University of California, Berkeley, was among Professors selected from around the world to receive an award as part of the second annual HP Labs Innovation Research Program.

The Program is designed to create opportunities for colleges, universities and research institutes for conducting breakthrough collaborative research with HP. Given the significant contributions achieved in last year's program, which includes 61 published papers and 13 invention disclosures, HP extended a second year of funding to 31 professors in 2009.

Awardees will work with HP Labs' researchers on fundamental research areas like intelligent infrastructure, immersive interaction and cloud computing, which includes social computing.

See complete article at TRADINGMARKETS.COM.

National cyber security: Cornell's Fred Schneider will testify before Congress

Cornell University Computer Science Professor Fred Schneider, a noted expert on cyber security, will testify at the Hearing on Cyber Security Research and Development on Wednesday, June 10, organized by the Committee on Science and Technology, U.S. House of Representatives.


See announcement in Media Newswire.

Stanford's Dawson Engler Receives 2008 Grace Hopper Award

TRUST researcher and Stanford University Professor Dawson Engler was awarded the Association for Computing Machinery Grace Murray Hopper Award for 2008.

This prestigious award is given annually to the "outstanding young computer professional of the year" who is selected based on a "single recent major technical or service contribution". Prof. Engler was cited for his groundbreaking work in developing advanced tools and techniques that automate program checking to identify software errors. His approaches based on static analysis, model checking, and symbolic execution have proven very successful at finding bugs in large and complex applications.

Technical papers describing this research are available on Prof. Engler's homepage.

Personal information of thousands of UC Berkeley students, alumni hacked

Approximately a decade's worth of information on current and former UC Berkeley students was stolen by hackers, as announced by the University last Friday. The infractions concerned records dating back to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians.

The thefts were initially discovered about a month ago, but system administrators did not realize the scope of the attack until April 21.

University Associate Vice Chancellor for Information Technology Shelton Waggener said the hackers disguised their work as routine operations and then left taunting messages for UC Berkeley employees. Waggener says that the thieves accessed the information through the University web site.

Stanford University Professor of Computer Science John Mitchell said that thieves worldwide have set up black markets to sell stolen data, adding that Asia, Eastern Europe and Nigeria have particularly active hackers. Mitchell also stated that the taunting messages left by the Berkeley thieves may indicate they are amateurs.
"If your intent is to steal information and sell it on the black market, you're probably not going to call attention to yourself like that," he said. "It could be that these are kids."


See more in The Daily Review.

Momentum Shifts Against Google in Old Books Controversy

BNET media relates several new developments in the class action suit between Google and some authors over who will control publishing rights of millions of out-of-print books.

One of the leading legal experts on issues of intellectual property rights, UC Berkeley Professor Pamela Samuelson has written a powerful argument to the presiding judge in the case, U.S. District Judge Denny Chin. Judge Chin himself has also announced that he is extending the deadline for those wishing to oppose the settlement by four months, from May 4 to September 4.

The Justice Department is checking out the antitrust implications of the arrangements made between Google and groups representing publishers and authors, where it would be possible for millions more books to be included in Google Book Search unless the copyright holders take steps to opt out.
A larger issue to those who were not party to the deal concerns the large number of "orphan works", those whose rights holders cannot be identified.
"The proposed settlement of this lawsuit is a privately negotiated compulsory license primarily designed to monetize millions of orphan works," wrote Professor Samuelson. "[It] would give Google a monopoly on the largest digital library of books in the world. It and BRR, which will also be a monopoly, will have considerable freedom to set prices and terms and conditions for Book Search's commercial services. ... Google will also be the only service lawfully able to sell orphan books and monetize them through subscriptions."


See more on this story at Good Morning Silicon Valley, Los Angeles Times, and Silicon Beat.

Google Books Rival Objects to Settlement

San Francisco's digital library Internet Archive opposes the current 125 million dollar Google settlement with authors and publishers that gives Google the rights to scan and sell books on the Internet.

Dismay at the fate of orphan works, estimated at some 70 percent of books being scanned, is mounting as the May 5 deadline for objections to the settlement nears.

UC-Berkeley School of Law professor Pamela Samuelson said the issue of orphaned works should be handled by legislators, not as a settlement in a class action.
"Usually if you want a compulsory license you have to go to Congress," she said.
Professor Samuelson favors a scenario in which the Internet Archive, as well as other digital libraries in addition to Google, would get a license to scan the books and make them available online.
"I hadn't expected them to intervene," she said. "It's an interesting development -- it's going to be interesting to see how it turns out."

See more at Law.com.

Copyright Scholar Challenges RIAA/DOJ Position

Slashdot refers to an article in New York Country Lawyer about UC Berkeley Professor Pamela Samuelson, leading copyright law scholar, publishing a 'working paper' that argues directly against the stand taken by the US Department of Justice in RIAA cases on the constitutionality of the RIAA's statutory damages theories. The Department of Justice has argued that the Court should follow a 1919 United States Supreme Court case upholding the constitutionality of a statutory damages award that was 116 times the actual damages borne, under a statute that gave consumers a right of action against railway companies.

The paper discusses, in depth, a number of issues regarding statutory damages under the Copyright Act and also concludes that the State Farm/Gore due process test is applicable to statutory damage awards under the Copyright Act.

This position, that the Gore due process test applies, is consistent with that taken in the amicus curiae brief filed by the Free Software Foundation in an earlier RIAA case, which supported the defendant's Due Process defense to the RIAA's claim for statutory damages, and it contradicts the Department of Justice briefs.

See the complete working paper, Statutory Damages in Copyright Law: A Remedy in Need of Reform, by Pamela Samuelson and Tara Wheatland.

The DOJ's intervention last month on behalf of the RIAA was covered in a Slashdot posting Obama DOJ Sides with RIAA.

Google's Plan for Out-of-Print Books Is Challenged

Slashdot mentions an article in the New York Times about a growing tide of complaints against Google in response to an extensive settlement that some feel will grant the mammoth company too much control over the "orphan books" they have been scanning into digital format. The settlement could give Google near-exclusivity with respect to the copyright of books that the author and publisher have basically abandoned. They may be out of print but while they remain under copyright, the rights holders are unknown or cannot be found.
"No other company can realistically get an equivalent license," said Pamela Samuelson, a professor at the University of California, Berkeley, and co-director of the Berkeley Center for Law and Technology.
Critics say that without the orphan books, no competitor will ever be able to compile the comprehensive online library Google intends to create. Without competition, Google will be able to charge universities and others a high price for access to its database.

While most of the critics, including copyright specialists, antitrust scholars and some librarians, agree that the public will benefit, they say others should also have rights to orphan works.

See complete article in the New York Times.

Do Breach Notification Laws Work?

Deirdre Mulligan, professor of information technology law and policy at UC Berkeley's School of Information was one of several speakers at a Security Breach Notification symposium held in Berkeley last Friday. The symposium's directive was to try to answer the question of whether breach notification laws are actually working.

California passed the first data breach notification law in 2003, which quickly became the standard for the rest of the country. While it is clear that the laws have made the public more aware of the vulnerability of their data and have exposed poor security practices at many a business, it is unclear what other benefits the laws have had. Breach notifications should, in theory, reduce incidence of identity theft or fraudulent charges to credit cards if consumers take proper precautions when they receive a notification, as with a fraud alert or a freeze on their credit account because of suspicious transactions.

There are also other questions to ask about what effect breach notifications have on the relationship between the customer and the breached organization. While consumers often express anger and mistrust toward companies that lose their data, it is unclear how often that mistrust actually translates to action.

According to Professor Mulligan, a Ponemon study found that about 20 percent of respondents claimed to have terminated their relationship with a company after discovering the company experienced a breach. But a separate survey of companies found that the percentage of customers who actually do terminate their relationship is less than 7 percent. Both numbers need to be taken with a grain of salt.
"Consumers have a tendency to say they're going to do one thing when they actually do another," says Mulligan, "and companies also can't be relied on to honestly report the numbers of customers they lose from a breach."

See full article in Wired.

Shankar Sastry interviewed on Federal News Radio

Dr. Shankar Sastry, Dean of the College of Engineering at the University of California, Berkeley, was interviewed by Tom Temin for 'Federal Security Spotlight' on Federal News Radio in his role as director of the Team for Research in Ubiquitous Secure Technologies (TRUST).

Sastry described how TRUST, funded by the National Science Foundation and housed at the University of California at Berkeley, was formed as a team of some of the best minds from UC Berkeley, Vanderbilt, Cornell, Carnegie-Mellon, and Stanford Universities, with Smith, San Jose State University and Mills College as outreach partners, to examine the interconnection between cyber infrastructure and physical infrastructure. The complex interplay of component technology, policy, law, privacy issues and economic considerations is the motivation for putting together the TRUST Center.

Prof. Sastry described how initially it was the internet that was the primary security concern with various worms and viruses emerging, but as time went on, power, water, telecommunications and other physical infrastructures also became implicated in security concerns.

Temin raised the issue of security and health-care concerns with electronic medical records/personal health records. The issues, according to Prof. Sastry, are about trying to make sure that (a) we can collect this information and (b) we can make the information available without all the paperwork. Having the data available to the patient is also an objective.

"The issues of privacy and selective disclosure is a subject of some debate", says Sastry. "I think there are legitimate needs for the medical industry to learn about, say, the efficacy of certain drugs", but there is also a tension between personal and medical records that are seen by many entities, billing, pharmaceuticals, different kinds of doctors, he says. Sastry observed the need to stop any 'mining' of this information and a need to be able to stop a 'fishing expedition' in this area.

TRUST research is focusing on both the security and the privacy of patients as well as the possibility of a patient 'customizing' their records to make some records available to their doctors only.

Another area of research involves wireless networking vulnerabilities. Sastry describes a scenario where we will literally have 1000 radios around people, controlling the physical environment by means of embedded RFIDs and wireless sensor networks, evolving to a future of computation on wireless devices. Dr. Sastry says we need a reliable and secure medium for a wireless network. Wireless airwaves are not as reliable as a wired infrastructure because they are susceptible to jamming, to retransmission, etc.

A secure communications medium interacts with privacy and security. The privacy agenda enters in subtle ways: by anonymizing the data, for example with real-time traffic monitoring via cellphone, the system is not subverted into a means of tracking someone as they are driving in traffic. Cellphones will be used more and more as sensor networks.

Sastry described TRUST's mission as deriving security solutions in a principled way that is not reactive, as with the cat-and-mouse pattern of attacks followed by solutions followed by new attacks as has been the case thus far.

To listen to the complete interview (in 3 parts), go to Federal News Radio.

D.A. considers 211 cases of possible voter fraud

The Orange County, California District Attorney's Office is investigating 211 possible cases of voter fraud in the November 4th presidential election. Registrar of Voters Neal Kelley sent the list after his office used computer databases to search for cases where one person submitted more than one ballot. Kelley says that history shows that most instances of double voting are unintentional, as with a voter who submits two absentee ballots, or an absentee ballot in addition to voting at the polls.

UC Berkeley Professor David Wagner, who studies electronic voting security says that post-election audits across the state have improved recently under the heightened scrutiny of state and local officials.
"It's important for transparency because it gives voters more confidence that the right person won," Wagner said. "The big picture is the whole state of California is in good shape."
Wagner stated that these registration errors should be fixed for future elections but that it is not something that's going to affect the outcome of an election since it is an issue of such small scale.

See complete article in OC Register.

Phone security is much better, says UC Berkeley Professor

The Akron Beacon Journal relayed comments by UC Berkeley Professor David Wagner, regarding current telephone security. When asked if there were any difference in security between using a corded phone and a cell phone, Wagner replied
"Assuming your cell phone is digital, there's not enough difference to worry about. Back when cell phones were analog, eavesdropping was easy." However today most cell phones are digital and while eavesdropping with a digital cell phone is possible, "it's pretty much out of the reach of casual interception," he said.

Wagner notes that wired phones aren't completely secure either, but said both digital cell phones and wired phones are secure enough for most people to use for everyday business. In truth, the weakest aspect of cell-phone use is the frequency of having sensitive conversations in public places without thinking about being overheard.

See more at Ohio.com.

Experts debate: Is DRM good or bad for consumers?

COMPUTERWORLD ran a story about the FTC's discussion about the controversial DRM (digital rights management) technology possibly benefiting consumers because it could give them more choices for downloading or buying copyrighted content. Others on a panel discussion about new technology products are not convinced, however.
Until DRM matured, consumers had control over how they used digital content, noted Deirdre Mulligan, director of the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley, Law School. DRM is creating a "permission culture" where consumers have to ask the copyright owner's permission to play a piece of music on both a home computer and a car stereo, she said.

Until DRM, "there was a lot of breathing space in copyright law," she added.

In addition, many consumers don't understand DRM restrictions, and they're surprised when a CD that works on a home stereo can't be played somewhere else, she said. Vendors offer "little disclosure about how consumers can use" DRM-protected content, she said.

See full article at COMPUTERWORLD.

Shankar Sastry to discuss UC Berkeley's initiatives at its first Global Technology Leaders Conference

A press release came out yesterday in the Wall Street Journal's online MarketWatch announcing UC Berkeley as host of the inaugural A. Richard Newton Global Technology Leaders Conference on Thursday, November 20th.

The conference will bring together notable entrepreneurs, scientists and researchers to discuss the world's most overarching challenges and ascertain pathways to solution in the health sciences, energy and technology fields. Dean of UC Berkeley's College of Engineering, Shankar Sastry, will discuss Berkeley's initiatives in these areas. Alberto Sangiovanni-Vincentelli, professor in Electrical Engineering and Computer Sciences at Berkeley, will deliver the keynote address, "The Future of the Future."

The conference is being held during Global Entrepreneurship Week and is sponsored by the Ewing Marion Kauffman Foundation. The goal for the group is to develop a roadmap leading to new industries in energy, technology and health care.
"It is fitting to launch this annual series during a week that seeks to inspire young people to be innovative and entrepreneurial," said Lesa Mitchell, vice president, Advancing Innovation, Kauffman Foundation.

See complete story in MarketWatch.

Improving the Count; Prof. David Wagner, others pose solutions for better election system

The Boulder Daily Camera ran an article Sunday regarding problems with voting systems in general and in Boulder County specifically. Although Boulder County Commissioners agreed to spend $1.4 million on optical scanning equipment in 2004, it didn't take long for problems that still follow the county's election process to show up. In August 2004, Boulder County lagged hours behind other Colorado counties. Worse, poorly printed ballots delayed election results for 72 hours in November 2004.
"If the proper maintenance and everything else is being done to (the scanners), this is the voting system we should be using," said John Gideon, co-director of VotersUnite!, a non-partisan group that has been logging errors on all kinds of voting machines.
Computer scientist David Wagner of the University of California at Berkeley, who studies electronic voting machines, agrees.
"Right now, I think optical scan systems are probably the most mature, reliable technology on the market," he said. "Boulder got the best technology on the market. ... None of the voting systems are perfect, and they all have their limitations."

See full story in The Boulder Daily Camera.

Profitability of spam finally measured

ZDNet posted an article about a key paper presented at this year's ACM Conference on Computer and Communication Security. A team of researchers, including UC Berkeley Professor Vern Paxson, used somewhat aggressive tactics to collect data that measures the conversion rate for spam, that is, the rate at which an advertising impression results in a product sale. They essentially hijacked a portion of the notorious Storm botnet to inject spam that contained links to domains and storefronts they controlled.

The team's data has shown that generating 28 sales at an average of $100 each of various "male-enhancement" products required 350 million separate spam messages. This provides a yearly revenue rate of the Storm botnet for the sale of pharmaceuticals at around $3.5 million.

See complete article at ZDNet.


For other items, see the TRUST News blog.

Older News Items

These items are being moved to the Trust Website News Blog
* August 24, 2006: The Distinguished External Advisory Board met in Berkeley.
Presentations (Viewable only by deab workgroup members, see How do I request a workgroup account?)
Individuals with any Trust website account may view the presentations.
The Distinguished External Advisory Board membership includes:
Alfred Aho (Columbia)   Annie Anton (NCSU)
Matt Bishop (UC Davis)   Lee Burge (Tuskegee)
David Clark (MIT)   George Cybenko (Dartmouth)
James Johnson (Howard)   Jay Lala (Raytheon)
Carl Landwehr (UMD)   Dan Manson (Cal State Pomona)
Andrew Odlyzko (UMN)   William Sanders (UIUC)
Eugene H. Spafford (Purdue)    
* August 24, 2006: The TRUST Academy Online (TAO) is available (note that the url is https not http).
Yuan Xue has created the first course, Cryptography, which is an example of how to link to existing course material.
Larry Howard has written an overview and educator's guide about VaNTH, the system behind TAO.
* August 22, 2006: Stanford Professors Dan Boneh and John Mitchell won a Computerworld Horizon Award for Password Hash.
* August 1, 2006: TRUST has two important positions available:
Education Director for TRUST (#004902)
Executive Director for TRUST (#004791)
To find out more, go to http://jobs.berkeley.edu/ and search in the Senior Management/Executive Job Category for the keyword TRUST. If you have questions or concerns, contact Shankar Sastry (sastry at eecs) or Mary Margaret Sprinkle (mms at eecs).
* July 27, 2006: The Trust 2005-2006 Annual Report is available to the general public and the 1st 5 year Strategic Plan is available to Trust website members.
* July 19, 2006: Professor David Wagner testified about electronic voting in front of a House Committee in Washington, D.C. (Forbes, Salon)
* July 5-28, 2006: CMU's 2006 Capacity Building Workshop occurred.
"The IACBP is an intensive in-residence summer program designed to help build Information Assurance education and research capacity at minority-serving universities. The program is organized into several sessions, offering both theoretical Information Assurance education and hands-on experiences through a boot camp on network security offered by CISCO. Specific sessions are also dedicated to curriculum development."
* June 11 - August 04, 2006: TRUST is proud to sponsor six undergraduate students from diverse backgrounds and cultures, to participate in the Summer Undergraduate Program in Engineering Research at Berkeley (SUPERB-IT). The students were:
  • Joceyln Adams
  • Tonmoy Bhattacharjee
  • Kaseima Frye
  • Sonny Hernandez
  • Jessica Jimenez Pellot
  • Jamie Lauren Webb

These students will work with graduate student mentors throughout the summer of 2006 performing research and supporting activities in the area of information technology for assisted living at home.
For details, see the SUPERB workgroup.

* May 30 - August 4th, 2006: Vanderbilt's TRUST Summer Internship Program in Hybrid and Embedded Software Research (SIPHER) is underway.
"The objective of this program is that undergraduates from underrepresented groups (women of any race, and also Native-Americans, African-Americans, and Hispanics) participate in the research program: receive training in the science and technology developed by the researchers, and work on specific research problems."
* July 5 - 11, 2006: This year's Women's Institute in Summer Enrichment (WISE) program was attended by 19 individuals. WISE is a residential summer program on the University of California, Berkeley campus that brings together graduate students, post-doctoral fellows and professors from all disciplines that are interested in Ubiquitous Secure Technology and the social, political, and economical ramifications that are associated with this technology.
For details, please see The WISE workgroup.
* June 28, 2006: Slashdot mentions a Security Focus Interview with Rachna Dhamija about the paper "Why Phishing Works" she coauthored with Doug Tygar and Marti Hearst.
* June 21-23, 2006: Joint US-EU-Tekes workshop: "Long Term Challenges in High Confidence Composable Embedded Systems" (Helsinki, Finland)
* June 19, 2006: 2nd TIPPI Workshop Trustworthy Interfaces for Passwords and Personal Information (Stanford)
* June 12, 2006: TRUST/iCAST Agreement
Minister Lin, Beth Burnside, Mark Kamlet, D.T. Lee
TRUST and International Collaboration for Advancing Security Technology (iCAST) have signed a 3 year, $800 thousand/year collaborative research agreement where iCAST will attend TRUST meetings, have access to TRUST websites, TRUST students and faculty as well as other benefits.

iCAST is a team with members from Taiwan Information Security Center (TWISC) represented by Academia Sinica, the Institute for Information Industry (III) and the Industrial Technology Research Institute of Taiwan (ITRI) designed to collaborate with International Institutions in various fields related to Information Security.
TWISC Announcement

* June 5, 2006: AF-TRUST Kickoff
* May 10, 2006: Douglas Schmidt and Michael Reiter's work with the Air Force Global Information Grid is highlighted at ACM TechNews and at the Vanderbilt news service.
* May 8, 2006: The May 2006 IEEE Computer Magazine contains a cover feature by Edward A. Lee: "The Problem with Threads"
For concurrent programming to become mainstream, we must discard threads as a programming model. Nondeterminism should be judiciously and carefully introduced where needed, and it should be explicit in programs.
* May 8, 2006:
The Air Force Office of Scientific Research recently committed to funding the AF-TRUST-GNC (Air Force Team for Research in Ubiquitous Secure Technology for GIG/NCES), an Air Force center for research on challenges associated with the Global Information Grid and Network Centric Enterprise System (GIG/NCES) trends that have become dominant themes within the USAF and the military family. Researchers at AF-TRUST-GNC will explore innovation in the following areas:
  1. Provide guaranteed Scalable, Real Time, Fault Tolerant Quality of Service for network centric enterprise systems
  2. Develop techniques for large scale information assurance and security policy management
  3. Develop new tools for secure scalable, information discovery, information architecture and mediation
This new center is funded through the Program Name AFOSR Opportunities in Information Science and Technology under the CFDA Title Air Force Defense Research Sciences Program.
* April 27th & April 28th, 2006: The Trust NSF Site Visit was held at UC Berkeley. (Presentations)
* April 28th, 2006: The Workshop on Electronic Patient Records was held at UC Berkeley.
David Brailer, the National Coordinator for Health Information Technology, was the keynote speaker for this event organized by TRUST, CITRIS, the UC Berkeley School of Public Health and the California Regional Health Information Organization.

The workshop covered the uses of new information and communication technologies for the better delivery of health care. Especially highlighted in this meeting was the use of new wireless devices, sensor webs and security/privacy considerations of dynamic electronic medical records. Security and privacy is an important pillar of the HSS Health Information Technology plan for the nation, and this workshop highlighted some of the NSF funded research in this area as well as health care providers and stakeholders' efforts in this area.

* April 26, 2006: The Executive Advisory Board met at UC Berkeley.
* April 12, 2006: Marci Meingast and Christopher Brooks are now running a TRUST Security and Privacy Blog. This blog is for news items related to Security and Privacy, but that don't specifically mention TRUST. TRUST specific items will appear below.
* March 28, 2006: The Sensor Networks and Privacy workshop was held at Cornell. Participants:
Cornell CS, Information Science, ECE, Civil Engineering
Berkeley Law School
* March 24-25, 2006: The Spring Planning Meeting of the I3P was held on the UC Berkeley campus.
The I3P functions as a virtual national lab with the ability to organize teams and workgroups to address research and policy-related aspects of the vulnerabilities inherent in the information infrastructure.
* March 20, 2006: The Stanford Security Forum Workshop was held.
* March 17, 2006:
Congresswoman Sheila Jackson Lee (D-TX), ranking Democrat on the House Committee on Homeland Security, was briefed on TRUST and the relevance of its work to Homeland Security by Vijay Raghavan.
* March 16-17, 2006: The EU-US Meeting, titled Large ICT-based Infrastructures and Interdependencies: Control, Safety, Security and Dependability was held in Washington, D.C. Goals for this meeting included fostering technical collaboration between the US and the EU on increasingly ICT-centric infrastructures. Also, strategic opportunities were identified for cooperation in preparation for new research programs, such as Framework Program 7 for the EC and program directions for FY 2007 and forward by the NSF and other US agencies. In particular, the workshop established concrete cooperation mechanisms that will pave the way for joint events and activities like overseas benchmarking opportunities and instruments for visionary shared research programs.
* March 14-15, 2006: The Beyond SCADA: Networked Embedded Control Systems Meeting was held in Washington, D.C. It was coordinated by the National Information Technology Research and Development group (NITRD)'s High Confidence Systems and Software (HCSS) subcommittee, the National Science Foundation, the National Institute of Standards and Technology, and the National Security Agency. This meeting will serve as a planning meeting for a longer meeting to be held at CMU in October 2006. This series of meetings will facilitate the roadmapping process for the research agenda in the area of Networked Embedded Control Systems.
* March 13, 2006: The Department of Homeland Security sponsored a meeting of the Identity Theft Technology Council, which was hosted by SRI. The meeting was attended by chief security officers from financial and IT companies. Vijay Raghavan presented an overview of TRUST. John Mitchell attended and discussed the possibility of incorporating industrial speakers in the educational outreach of TRUST.
* February 19, 2006: Fred Schneider's presentation at the annual meeting of the American Association for the Advancement of Science was covered in Linux Electrons: Computer Security Lacks Accountability Says Cornell Expert.
* February 7, 2006: The February 2006 IEEE Computer Magazine contains articles by a number of Trust Members including Kenneth Birman, Janos Sztipanovits, Gabor Karsai, and Douglas Schmidt.
* February 2, 2006: The Trust workgroups are starting up!
If you meet the membership criteria, please feel free to request an account.
Once you have an account, to join a workgroup, go to Options -> Memberships
Below are groups of interest:
* January 27, 2006: Deirdre Mulligan was interviewed on Democracy Now, a Radio and TV program about "The Great Firewall of China: Internet Companies Censor Material at Chinese Government"
* January 9-10, 2006: The Trust Winter Meeting was held in Washington, D.C. (presentations)
* December 16, 2005: The Trust Design Workshop for an Integrative Project related to Patient Portals was held at Vanderbilt.
* December 15, 2005: Trust Membership page updated, including small or minority-owned business membership level.
Winter Conference Agenda updated.
* October 27, 2005: Trust Visitors might find Eugene Spafford's Testimony before the House Armed Services Committee Hearing on "Cyber Security, Information Assurance and Information Superiority" of interest.
* October 11, 2005: Sensor Networking Workshop (Cornell)
* September 20, 2005: The Trust publications website is up!
Trust Researchers, please add relevant papers and presentations.
* September 13 - 19, 2005: The Keyboard Sound Detection work of Professor Doug Tygar's group was covered in The San Francisco Chronicle, Scientific American, Slashdot and other media outlets. See Professor Tygar's publication page for a preprint.
* Autumn, 2005: Homeland Security / Cyber Security course. This joint class between University of Washington (CSE P 590TU), UC Berkeley (PP 190/290-009) and UCSD (CSE 291 (A00)) consisted of lectures about policy, technology, and psychological motivations of terrorism.
* September 1, 2005: The first Trust Seminar talk was given by Shankar Sastry. The Trust Seminar is held on Thursdays 4-5pm in 540 Cory Hall, UC Berkeley.
See the Seminar page for details.
* August 25, 2005: The Trust server is on new hardware. If you manage a Trust workgroup using CVS, you will need to change CVS servers. See the FAQ for details.
* August 4, 2005: The Credence project of Professor Emin Gun Sirer's group was featured on Slashdot and in the New Scientist in March. Credence is a distributed object reputation management scheme that counteracts content pollution in peer-to-peer filesharing systems.
* 2 professors go fishing for phishers
San Francisco Chronicle, July 25, 2005.
* June 13, 2005: 1st TIPPI Workshop Trustworthy Interfaces for Passwords and Personal Information (Stanford)
* Stanford joins multi-institution center on research in cybersecurity and computer trustworthiness
Stanford Report, April 14, 2005.
* Campus to Direct New Research Center UC Berkeley to Lead Team in Pursuit of Internet Security
The Daily Californian, April 14, 2005.
* U.S. Grant Offered To Team Studying Computer Attacks
Wall Street Journal, April 12, 2005.
* U.C. Berkeley to head cybersecurity project
NY Times, April 12, 2005.
* Vanderbilt engineering part of national 'dream team', To design, develop new secure system design technologies
Vanderbilt News Service, April 12, 2005.
* Smith joins bid to thwart cyberattacks
Boston Globe (AP), April 12, 2005.
* NSF establishes cybersecurity center
ComputerWorld, April 12, 2005.
* Cal picked to lead coalition to fortify network security
Contra Costa Times, April 12, 2005.
* Cal will lead effort against cyberattacks Berkeley to lead U.S. effort to foil cyberattacks
Oakland Tribune, April 12, 2005.
* U.C. Berkeley to head cybersecurity project
ZDNet, April 12, 2005.
* Universities, industry to fight hacker threat 5-year, $19 million project intended to boost cybersecurity
San Francisco Chronicle (AP), April 12, 2005.
* UC-Berkeley Leads Cybersecurity Consortium
Washington Post (AP), April 12, 2005.
* NSF established two new technology centers
Washington Times (UPI) April 12, 2005.
* UC-Berkeley Leads Cybersecurity Consortium
Forbes, April 11, 2005.
* Grant to research computer security
San Jose Mercury News, April 11, 2005.
* NSF launches $19 million research program for computer security
Cornell University News Service, April 11, 2005.
* Researchers Are Part of New NSF Center Studying Cybersecurity and Trustworthy Computing
Carnegie Mellon Media Relations, April 11, 2005.
* UC Berkeley to lead $19 million NSF center on cybersecurity research
UC Berkeley Campus News, April 11, 2005.
* NSF Announces Intent to Establish Two New Science and Technology Centers
National Science Foundation, April 11, 2005.

How do I contact the Trust Center?
Copyright © 2005-2010 TRUST