Monthly Archives: June 2012

Workshop on the Economics of Information Security 2012

I’m liveblogging WEIS 2012, as I did in 2011, 2010 and 2009. The event is being held today and tomorrow at the Academy of Sciences in Berlin. We were welcomed by Nicolas Zimmer, Berlin’s permanent secretary for economics and research, who mentioned the “explosive cocktail” of streetview, and of using social media for credit ratings, in the context of very different national privacy cultures; the Swedes put tax returns online and Britain has CCTV everywhere, while neither is on the agenda in Germany. Yet Germany like other countries wants the benefits of public data – and their army has set up a cyber-warfare unit. In short, cyber security is giving rise to multiple policy conflicts, and security economics research might help policymakers navigate them.

The refereed paper sessions will be blogged in comments below this post.

Debunking cybercrime myths

Our paper Measuring the Cost of Cybercrime sets out to debunk the scaremongering around online crime that governments and defence contractors are using to justify everything from increased surveillance to preparations for cyberwar. It will appear at the Workshop on the Economics of Information Security later this month. There’s also some press coverage.

Last year the Cabinet Office published a report by Detica claiming that cybercrime cost the UK £27bn a year. This was greeted with derision, whereupon the Ministry of Defence’s chief scientific adviser, Mark Welland, asked us whether we could come up with some more defensible numbers.

We assembled a team of experts and collated what’s known. We came up with a number of interesting conclusions. For example, we compared the direct costs of cybercrimes (the amount stolen) with the indirect costs (costs in anticipation, such as countermeasures, and costs in consequence such as paying compensation). With traditional crimes that are now classed as “cyber” as they’re done online, such as welfare fraud, the indirect costs are much less than the direct ones; while for “pure” cybercrimes that didn’t exist before (such as fake antivirus software) the indirect costs are much greater. As a striking example, the botnet behind a third of the spam in 2010 earned its owner about $2.7m while the worldwide costs of fighting spam were around $1bn.

Some of the reasons for this are already well-known; traditional crimes tend to be local, while the more modern cybercrimes tend to be global and have strong externalities. As for what should be done, our research suggests we should perhaps spend less on technical countermeasures and more on locking up the bad guys. Rather than giving most of its cybersecurity budget to GCHQ, the government should improve the police’s cybercrime and forensics capabilities, and back this up with stronger consumer protection.

Extracting Microsoft Windows Backup (BKF) files on Mac OS X with mtftar

With Windows NT, Microsoft introduced Windows Backup (also known as NTBackup), and it was subsequently included in versions of Windows up to and including Windows 2000, Windows XP and Windows Server 2003. It can back up to tape drives, using the Microsoft Tape Format (MTF), or to disk using the closely related BKF file format.

Support for Windows Backup was dropped in Vista but Microsoft introduced the Windows NT Backup Restore Utility for both Windows Vista/Windows Server 2008 (supporting disk and tape backups) and for Windows 7/Windows Server 2008 R2 (supporting disk backups only).

If you just need to restore a MTF/BKF file, the Microsoft-provided software above is probably the best option. However, if (like me) you don’t have a Windows computer handy, or you want to convert the backup into a format more likely to be readable a few years later, they are not ideal. That is why I tried out the mtftar utility, which converts MTF/BKF files into the extremely well-supported TAR file format.

Unfortunately, mtftar appears unmaintained since 2007 and in particular, it doesn’t build on Mac OS X. That’s why I set out to fix it. In case this is of help to anyone else, I have made the modified GPL’d source available on GitHub (diff). It works well enough for me, but use at your own risk.

European ATM Conference & the Cashless Society

I was a guest at the annual meeting of the European branch of the ATM Industry Association. This was a two day event in London (May 22–23, 2012). I was there thanks to Tom Harper, founder of ATM Marketplace, that is, a B2B website for ancillary cash machine equipment (established circa 1997). Although my interest was to meet Tom to finalise an outline for a forthcoming history of the ATM, the almost ethnographic experience of attending a practitioner conference was refreshing. What follows are some of my impressions of the first day (as I had an overseas engagement the rest of the week).

The conference was jointly organised by ATMIA and Dominic Hirsh’s Retail Banking Research. I have used some of RBR’s data in the past and it is indeed one of the most authoritative sources of information on cash machines, cards and payments. During one of the presentations it was shown how estimates of ATMs deployed in Sweden were more accurate than those of the Riksbank.

Of greater interest for this blog is that RBR also organises an annual conference on security. That was a bit disappointing, since I was looking to hear about it. Other topics off the agenda included SEPA, regulation enabling independent ATM deployers (IAD) and pressures to reduce interchange fees. I was told they had been addressed in the recent past. In this sense, and surprisingly for a meeting of some 70+ presenters and 500 attendees, the conference was much more ‘on theme’ than an academic gathering of similar size.

So what were the themes? The main theme was self service kiosks, while sub-themes included the cashless society and EMV (interoperation standard for Europay, Visa and Mastercard chip cards).


Call for papers: Workshop on Adaptive Host and Network Security

Stu Wagner, Bob Laddaga, and I are pleased to announce the call for papers for a new Workshop on Adaptive Host and Network Security, to take place at the Sixth IEEE Conference on Self-Adaptive and Self-Organizing Systems in September 2012 in Lyon, France.

Over the past decade the threat of cyber attacks on critical commercial and government infrastructure has been growing at an alarming rate to a point where it is now considered to be a major threat in the world. Current approaches to cyber security involve building fast-growing multi-million line systems that attempt to detect and remove attacking software. Meanwhile, cyber exploits continue to multiply in number, but their size continues to be a couple of hundred lines of code. This disparity of effort means that the current defensive approaches to cyber security can at best fight a holding action. The workshop is intended to explore game-changing approaches to cyber security that focus on adaptation. There is a clear need to develop systems at both the host level and the network level to actively adapt to cyber attacks and to provide greater protection for networked computation at all levels. Topics of interest include:

  • Protecting the host
  • New OS models for secure hosts
  • Combining proof, model checking and dynamic monitoring techniques for host security
  • Meta-level control and monitoring of networks
  • Use of feedback mechanisms in network operations
  • Self-monitoring and self-explaining network systems
  • Self-adaptive and autonomic networking
  • Centralized versus distributed network control
  • Measurement of network properties in support of self-evaluation
  • Programming language abstractions to support security
  • Computational models of network security
  • Self-healing networks
  • Learning in adaptive networks
  • Dynamically reprogrammable switches
  • The use of a Policy-based Network Management system to build self-adaptively secure networks


On the (alleged) LinkedIn password leak

UPDATE 2012-06-07: LinkedIn has confirmed the leak is real, that they “recently” switched to salted passwords (so the data is presumably an out-of-date backup) and that they’re resetting passwords of users involved in the leak. There is still no credible information about whether the hackers involved have the account names or the rest of the site’s passwords. If so, this incident could still have serious security consequences for LinkedIn users. If not, it’s still a major black eye for LinkedIn, though they deserve credit for acting quickly to minimise the damage.

LinkedIn appears to have been the latest website to suffer a large-scale password leak. Perhaps due to LinkedIn’s relatively high profile, it’s made major news very quickly even though LinkedIn has neither confirmed nor denied the reports. Unfortunately the news coverage has badly muddled the facts. All I’ve seen is a list of 6,458,020 unsalted SHA-1 hashes floating around. There are no account names associated with the hashes. Most importantly the leaked file has no repeated hashes. All of the coverage appears to miss this fact. Most likely, the leaker intentionally ran it through ‘uniq’ in addition to removing account info to limit the damage. Also interestingly, 3,521,180 (about 55%) of the hashes have the first 20 bits overwritten with 0. Among these, 670,785 are otherwise equal to another hash, meaning that they are actually repeats of the same password stored in a slightly different format (LinkedIn probably just switched formats at some point in the past). So there are really 5,787,235 unique hashes leaked.
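The de-duplication described above (hashes with the first 20 bits zeroed matched against full hashes on their remaining 120 bits) is easy to reproduce. The script below is an added example, not code from the original post; it runs over a small constructed set of hashes rather than the leaked file, and the function names and the fixed sample passwords are my own. It also shows why the matching works at all: the hashes are unsalted, so the same password always produces the same SHA-1, and a user can check whether their own password appears in either format.

```python
import hashlib

# Constructed sample, NOT data from the leak: a few passwords hashed with
# unsalted SHA-1, some stored in the full format and some with the first
# 20 bits (five hex digits) zeroed, as described in the post.
SAMPLE_PASSWORDS = ["password", "linkedin", "hunter2", "correct horse battery"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, lower-case hex (40 digits)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def zero_first_20_bits(hex_hash: str) -> str:
    """The second storage format seen in the dump: the top 20 bits cleared."""
    return "00000" + hex_hash[5:]


def build_constructed_dump() -> list:
    """A sorted, de-duplicated list, mimicking `sort | uniq` on the leak file."""
    hashes = [sha1_hex(pw) for pw in SAMPLE_PASSWORDS]
    # two passwords also appear in the zeroed format (a format switch)
    hashes.append(zero_first_20_bits(sha1_hex("password")))
    hashes.append(zero_first_20_bits(sha1_hex("linkedin")))
    # one password appears only in the zeroed format
    hashes.append(zero_first_20_bits(sha1_hex("letmein")))
    return sorted(set(hashes))


def analyse(dump: list) -> dict:
    """Count zeroed hashes, cross-format repeats and truly unique hashes.

    Matching on the remaining 120 bits is only possible because the hashes
    are unsalted; with per-user salts the two formats could not be linked.
    A genuine full hash that happens to start with 00000 (about 1 in 2^20)
    would be mis-classified as zeroed; for a real dump that is negligible.
    """
    zeroed = {h for h in dump if h.startswith("00000")}
    full_tails = {h[5:] for h in dump if h not in zeroed}
    repeats = {h for h in zeroed if h[5:] in full_tails}
    return {
        "total": len(dump),
        "zeroed": len(zeroed),
        "repeats": len(repeats),
        "unique": len(dump) - len(repeats),
    }


def password_in_dump(password: str, dump: list) -> bool:
    """Does this password's hash appear in either format? Compares on the
    low 120 bits so that both full and zeroed entries are found."""
    tail = sha1_hex(password)[5:]
    return any(h[5:] == tail for h in dump)


if __name__ == "__main__":
    dump = build_constructed_dump()
    print(analyse(dump))
    print(password_in_dump("letmein", dump), password_in_dump("nope123", dump))
```

On the constructed sample this reports 7 hashes, 3 of them zeroed, 2 cross-format repeats and 5 unique; on the real file the same procedure gives the 3,521,180 / 670,785 / 5,787,235 figures quoted above.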

Of contraseñas, סיסמאות, and 密码

Over a year ago, we blogged about a bug at Gawker which replaced all non-ASCII characters in passwords with ‘?’ prior to checking. Along with Rubin Xu and others I’ve investigated issues surrounding passwords, languages, and character encoding throughout the past year. This should be easy: websites using UTF-8 can accept any password and hash it into a standard format regardless of the writing system being used. Instead though, as we report in a new paper which I presented last week at the Web 2.0 Security and Privacy workshop in San Francisco, passwords still localise poorly both because websites are buggy and users have been trained to type ASCII passwords only. This has broad implications for passwords’ role as a “universal” authentication mechanism.
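To make the Gawker-style defect concrete, here is an added example (my own code, not the blog’s or the paper’s) that puts the buggy “replace non-ASCII with ‘?’” step beside the correct “encode as UTF-8 and hash the bytes” step in an otherwise identical registration/login flow. The choice of PBKDF2-HMAC-SHA256 as the hash, the fixed salt, and the function names are assumptions made only so the example runs offline and reproducibly; the point is that under the buggy encoding every 7-character Hebrew or Chinese password becomes “???????” and any of them logs in as any other.

```python
import hashlib
import hmac


def buggy_normalise(password: str) -> str:
    """Reproduce the defect: every non-ASCII code point becomes '?'."""
    return "".join(c if ord(c) < 128 else "?" for c in password)


def buggy_encode(password: str) -> bytes:
    """Bytes that a site with the bug actually hashes."""
    return buggy_normalise(password).encode("ascii")


def utf8_encode(password: str) -> bytes:
    """What a site should do: encode the password as UTF-8 and hash the bytes."""
    return password.encode("utf-8")


def hash_password(password: str, salt: bytes, encode) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over whatever bytes `encode` produces.
    (Illustrative KDF choice; any password hash shows the same effect.)"""
    return hashlib.pbkdf2_hmac("sha256", encode(password), salt, 100_000)


def verify(candidate: str, salt: bytes, stored: bytes, encode) -> bool:
    """Constant-time comparison of the candidate's hash with the stored one."""
    return hmac.compare_digest(hash_password(candidate, salt, encode), stored)


def register_then_login(password: str, candidate: str, encode) -> bool:
    """Register `password`, then attempt to log in with `candidate`."""
    salt = b"constructed-fixed-salt"  # fixed only so the example is reproducible
    stored = hash_password(password, salt, encode)
    return verify(candidate, salt, stored, encode)


def distinct_after_encoding(passwords, encode) -> int:
    """How many distinct byte strings survive a given encoding step?
    With the bug, all non-ASCII passwords of the same length collapse to one."""
    return len({encode(p) for p in passwords})


if __name__ == "__main__":
    # Constructed test passwords: Spanish, Hebrew and Chinese, as in the title.
    for encode in (buggy_encode, utf8_encode):
        print(encode.__name__,
              register_then_login("contraseña", "contrase?a", encode),
              register_then_login("סיסמאות", "???????", encode),
              distinct_after_encoding(["סיסמאות", "密码密码密码密", "???????"], encode))
```

The buggy path accepts “contrase?a” for “contraseña” and “???????” for the Hebrew password, and reduces three different 7-character passwords to one stored value; the UTF-8 path keeps all three distinct and only accepts the password that was registered.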