Is it just me or should this presentation have at least one slide on security considerations?
Monthly Archives: March 2011
Contest Proves Browsers Have Flaws
Actually, I’d like to say that the CanSecWest contest proves again that Stuxnet was not a major engineering effort. But I’ll skip dragging up that controversy again and instead point to the obvious. Researchers have demonstrated that a browser running with superuser rights and no other controls/protections may have a vulnerability.
So make sure you use more controls than just the default browser and OS settings… the usual advice. Yes, it’s still true: software can have a security flaw that takes not much effort for a single engineer to find using fuzzing, debugging and memory analysis. Do not depend on it alone for security.
…it took him about two weeks to find the bug and set out to exploit it.
[…]
Wednesday’s event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google’s Chrome browser was also up for grabs, but no one stepped forward to try hacking it.
Fully patched, but that’s all.
Wonder if Google is worried about what this says about market share and software adoption. Will they be able to stay above 10%? Recent data suggests IE6 dropped 10% in the past year but is still more common than Chrome.
Attackers used to ignore Apple when it was a small player in the market. Then it rocketed into target territory with several hugely popular products. Google must be frustrated to not have anyone step forward to want to attack them. Even their $20,000 add-on bonus was not enough to gather interest.
BBC Journalists Tortured by Libyan Military
A harrowing first-person account has been published by BBC journalists who were arrested and tortured in Libya. The role of identities in these conflicts is illuminating. Note for example that one of the three journalists, a Palestinian, receives the harshest treatment. The torturer seems to call out bad relations between Libya and Hamas, as well as a hatred for Al-Jazeera:
“He said something bad about Palestinians, a lot of bad things, and he asked his team what they thought about Palestinians and they said the same things. He thought they had helped the Palestinians a lot, but Hamas has given a very bad reaction to Gaddafi. Lots of bad language.
“When I tried to respond he took me out to the car park behind the guard room. Then he started hitting me without saying anything. First with his fist, then boots, then knees. Then he found a plastic pipe on the ground and beat me with that. Then one of the soldiers gave him a long stick. I’m standing trying to protect myself, I’m trying to tell him we’re working, I’m a Palestinian, I have a good impression of the country. He knew who we were [ie journalists] and what we were doing.
“I think there was something personal against me. They knew me and the sort of coverage I had been doing, especially from Tajoura the Friday before. I think they monitored the BBC and had an idea, not just the reports but also DTLs [interviews from the studio with a correspondent in the field]. They don’t like us or Al-Arabiya or Al-Jazeera.”
While in detention they had access to other prisoners and their stories.
…they had been arrested because their phone calls had been intercepted – including ones to the foreign media…
Then after days of beatings and interrogation by the military, they are sent to intelligence headquarters for review.
We were crammed in worse than sardines. The others were so badly beaten, and it was so full, that every time you moved someone screamed. They had mashed faces, broken ribs. We were handcuffed, really tightly, behind our backs.
The intelligence group changes the situation dramatically. The BBC journalists point out that things are cleaner, and more organized. Their description of their oppressors switches, from the above examples of basic and angry brutality, to something far more sinister.
A man with a small sub-machine gun was putting it to the nape of everyone’s neck in turn. He pointed the barrel at each of us. When he got to me at the end of the line, he pulled the trigger twice. The shots went past my ear.
“They all laughed as though it was very funny. There was a whole group of them in plain clothes.”
At this point a man “who spoke very good English, almost Oxford English” interrogates them and then they are released. Another man tells them “sorry it was a mistake by the military”.
It is hard not to notice the flow of identities in this story from an outsider’s view: a British man is left unharmed and even finds a commonality when facing Libyan intelligence, while an Arab is despised and brutalized. Differences between people obviously have been the source and focus of great tragedy in history; however, differences are very relative. Another awful reality is seen here: the fear of espionage and civil war leads oppressors to treat those who we may see as similar to them far more brutally than those who are far more different. The integrity (papers, please) and confidentiality (networking) of communication in Libya today thus are issues of life and death.
Updated to add: below is a video released today of an American Congressman remembering an American 9/11 first responder who died while trying to help rescue people from the North Tower.
Muhammad Hamdani loved his country and sacrificed himself to help other Americans similar to himself, but other Americans have tried to denigrate him and hold his differences in contempt.
After Mr. Hamdani, 23, disappeared on Sept. 11, ugly rumors circulated: he was a Muslim and worked in a lab; he might have been connected to a terrorist group. Months later the truth came out. Mr. Hamdani’s remains had been found near the north tower, and he had gone there to help people he did not know.
Exposing Anonymous With Frequent Pattern
Eight years ago, in 2003, we proposed and presented the use of linguistic analysis for email author identification. Our use case started with the investigation of Advanced Fee Fraud (AFF), also known as 419 scams from Nigeria. We proved, albeit from a small data set, that language can identify a message author using several key indicators. We further proved that bias made victims far more susceptible to social engineering attacks.
About five years later, in 2008, an educational institution in Quebec picked up this theme of email author identification by applying pattern analysis to data sets. They released an online paper called “A novel approach of mining write-prints for authorship attribution in e-mail forensics”:
In this paper, we introduce an innovative data mining method to capture the write-print of every suspect and model it as combinations of features that occurred frequently in the suspect’s e-mails. This notion is called frequent pattern, which has proven to be effective in many data mining applications, but it is the first time to be applied to the problem of authorship attribution.
Er, well, they are obviously wrong. The first time was not 2008. It probably was not even in 2006 (when we wrote our paper) or 2003. I would be far more impressed if they gave a little credit to the long history of language and data analysis, let alone our published and presented work. Our presentations on pattern frequency for authorship attribution predate not only their paper but, for at least two or three of the authors, their entire career.
At the start of 2010 we presented our findings at the RSA Conference in San Francisco and showed how anonymous authors could be distinguished using linguistic analysis. We pulled apart email messages, presented them based on their use of language (including stylometric features), and presented a taxonomy that predicts fraud based on key indicators.
The audience in our presentations always gets a quiz at the end; many always seem surprised they suddenly are able to see uniqueness in messages where none existed prior.
I just noticed that the Quebec crew have republished their paper under a more contemporary title with almost the same specific use case in mind: “Mining writeprints from anonymous e-mails for forensic investigation”:
In this paper, we focus on the problem of mining the writing styles from a collection of e-mails written by multiple anonymous authors. The general idea is to first cluster the anonymous e-mail by the stylometric features and then extract the writeprint, i.e., the unique writing style, from each cluster. We emphasize that the presented problem together with our proposed solution is different from the traditional problem of authorship identification, which assumes training data is available for building a classifier.
Here is a major differentiation point. We did not assume a massive amount of training data was available or necessary to build a classifier. Our system can be taught to virtually anyone so that they then can start identifying authorship immediately. We have applied it and presented around the world, from Turkey to Brazil, with success.
Here is another major differentiation point. We were not trying to beg “first time” innovation recognition because we combined the extant body of knowledge in linguistics and security (social engineering). It was done in a novel way to help reduce fraud — stop people from falling victim to 419 scams — but we gave attribution.
We could have saved them a lot of time and hassle since we have been reporting it for eight years now. Perhaps there is a chance for collaboration in the future.
I could go on with differentiation points, but here’s one more. We don’t charge you to read our paper or presentation.
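To make the two-step idea in the Quebec abstract concrete (cluster anonymous e-mails by stylometric features, then mine each cluster’s frequent feature combinations and keep the ones no other cluster shares), here is an added Python example; it is not code from either paper or from our own work. The five discretised features, the Jaccard threshold, the support threshold and the nine sample e-mails are all constructed assumptions for illustration.

```python
import re
from itertools import combinations

def features(text):
    # Discretise one e-mail into stylometric items (a constructed, deliberately small feature set)
    words = re.findall(r"[A-Za-z']+", text)
    sents = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    return frozenset({
        "greet:" + (words[0].lower() if words[0].lower() in ("hi", "hello", "dear") else "none"),
        "signoff:" + words[-1].lower(),
        "excl:" + ("yes" if "!" in text else "no"),
        "contr:" + ("yes" if any("'" in w for w in words) else "no"),
        "sentlen:" + ("short" if len(words) / len(sents) < 9 else "long"),
    })

def cluster(fsets, threshold=0.6):
    # Single-link clustering on Jaccard similarity: an e-mail joins, and merges, every cluster it resembles
    clusters = []
    for i, f in enumerate(fsets):
        hits = [c for c in clusters if any(len(f & fsets[j]) / len(f | fsets[j]) >= threshold for j in c)]
        clusters = [c for c in clusters if c not in hits] + [[i] + sum(hits, [])]
    return [sorted(c) for c in clusters]

def frequent_patterns(fsets, members, min_support, max_len=2):
    # Item combinations (up to max_len items) present in at least min_support of the cluster's e-mails
    universe = sorted(set().union(*(fsets[i] for i in members)))
    return {combo for k in range(1, max_len + 1) for combo in combinations(universe, k)
            if sum(set(combo) <= fsets[i] for i in members) / len(members) >= min_support}

def writeprints(fsets, clusters, min_support=0.6):
    # A cluster's writeprint: its frequent patterns that are frequent in no other cluster
    freq = [frequent_patterns(fsets, c, min_support) for c in clusters]
    return [f - set().union(*freq[:i], *freq[i + 1:]) for i, f in enumerate(freq)]

EMAILS = [  # constructed sample: three unlabelled writers, three messages each
    "Hi Tom! Can't make it today. Don't wait for me. Cheers",
    "Hi all! I've sent the file. Ping me if it's broken. Cheers",
    "Hi Tom. We're done with the draft. Check it when you can. Cheers",
    "Dear Mr Hale, I am writing to confirm that the revised agreement has been received and will be reviewed by our office this week. Regards",
    "Dear Ms Park, please find attached the minutes of the meeting held on Tuesday, together with the action items that were agreed. Regards",
    "Dear colleagues, the audit report is now available on the shared drive and comments are welcome until Friday. Kind regards",
    "Hello team. The build's green again. Thanks",
    "Hello Ana. I'll review the patch tonight. Thanks",
    "Hello all. Logs are in the ticket, they're from the staging box. Thanks",
]

def analyse(emails=EMAILS):
    fsets = [features(e) for e in emails]
    groups = cluster(fsets)
    return groups, writeprints(fsets, groups)
```

Calling `analyse()` recovers the three writers as clusters of message indices; the third "Hi" e-mail lacks an exclamation mark, so `excl:yes` survives in that writeprint only because it is frequent, not constant, while items shared across writers (contractions, short sentences) are dropped from every writeprint.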