Domain: usenix.org
Stories and comments across the archive that link to usenix.org.
Stories · 113
-
Will Compression Be Machine Learning's Killer App? (petewarden.com)
Pete Warden, an engineer and CTO of Jetpac, writes: When I talk to people about machine learning on phones and devices I often get asked "What's the killer application?". I have a lot of different answers, everything from voice interfaces to entirely new ways of using sensor data, but the one I'm most excited about in the near-term is compression. Despite being fairly well-known in the research community, this seems to surprise a lot of people, so I wanted to share some of my personal thoughts on why I see compression as so promising.
I was reminded of this whole area when I came across an OSDI paper on "Neural Adaptive Content-aware Internet Video Delivery". The summary is that by using neural networks they're able to improve a quality-of-experience metric by 43% if they keep the bandwidth the same, or alternatively reduce the bandwidth by 17% while preserving the perceived quality. There have also been other papers in a similar vein, such as this one on generative compression [PDF], or adaptive image compression. They all show impressive results, so why don't we hear more about compression as a machine learning application?
All of these approaches require comparatively large neural networks, and the amount of arithmetic needed scales with the number of pixels. This means large images or video with high frames-per-second can require more computing power than current phones and similar devices have available. Most CPUs can only practically handle tens of billions of arithmetic operations per second, and running ML compression on HD video could easily require ten times that. The good news is that there are hardware solutions, like the Edge TPU amongst others, that offer the promise of much more compute being available in the future. I'm hopeful that we'll be able to apply these resources to all sorts of compression problems, from video and image, to audio, and even more imaginative approaches. -
ARM TrustZone Hacked By Abusing Power Management (acolyer.org)
"This is brilliant and terrifying in equal measure," writes the Morning Paper. Long-time Slashdot reader phantomfive writes: Many CPUs these days have DVFS (Dynamic Voltage and Frequency Scaling), which allows the CPU's clockspeed and voltage to vary dynamically depending on whether the CPU is idling or not. By turning the voltage up and down with one thread, researchers were able to flip bits in another thread. By flipping bits when the second thread was verifying the TrustZone key, the researchers were granted permission. If number 'A' is a product of two large prime numbers, you can flip a few bits in 'A' to get a number that is a product of many smaller numbers, and more easily factorable.
"As the first work to show the security ramifications of energy management mechanisms," the researchers reported at Usenix, "we urge the community to re-examine these security-oblivious designs." -
Vulnerabilities Discovered In Mobile Bootloaders of Major Vendors (bleepingcomputer.com)
An anonymous reader writes: Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the Android OS boot-up sequence, opening devices to attacks. The vulnerabilities were discovered with a new tool called BootStomp, developed by nine computer scientists from the University of California, Santa Barbara. Researchers analyzed five bootloaders from four vendors (NVIDIA, Qualcomm, MediaTek, and Huawei/HiSilicon). Using BootStomp, researchers identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged five and are working on a fix. "Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said (PDF). "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT." -
50,000 Users Test New Anti-Censorship Tool TapDance (www.cbc.ca)
The CBC reports: What if circumventing censorship didn't rely on some app or service provider that would eventually get blocked but was built into the very core of the internet itself? What if the routers and servers that underpin the internet -- infrastructure so important that it would be impractical to block -- could also double as one big anti-censorship tool...? After six years in development, three research groups have joined forces to conduct real-world tests.
An anonymous reader writes: Earlier this week, Professor Eric Wustrow, from the University of Colorado at Boulder, presented An ISP-Scale Deployment of TapDance at the USENIX Workshop on Free and Open Communications on the Internet. TapDance is an anti-censorship, circumvention application based on "refraction networking" (formerly known as "decoy routing") that has been the subject of academic research for several years. Now, with integration with Psiphon, 50,000 users, a deployment that spans two ISPs, and an open source release, it seems to have graduated to the real world.
"In the long run, we absolutely do want to see refraction networking deployed at as many ISPs that are as deep in the network as possible," one of the paper's authors told the CBC. "We would love to be so deeply embedded in the core of the network that to block this tool of free communication would be cost-prohibitive for censors." -
Researchers Win $100,000 For New Spear-Phishing Detection Method (bleepingcomputer.com)
An anonymous reader writes: Facebook has awarded this year's Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks. The team created a detection system -- called DAS (Directed Anomaly Scoring) -- that identifies uncommon patterns in email communications. They trained DAS by having it analyze 370 million emails from one single large enterprise with thousands of employees, sent between March 2013 and January 2017.
"Out of 19 spearphishing attacks, our detector failed to detect 2 attacks," the research team said. "Our detector [also] achieved an average false positive rate of 0.004%," researchers added, pointing out that this is almost 200 times better than previous research.
Honorable mentions went to two other projects, one for using existing static analysis techniques to find a large number of vulnerabilities in Linux kernel drivers, and another for preventing specific classes of vulnerabilities in low-level code. -
None of Your Pixelated or Blurred Information Will Stay Safe On The Internet (qz.com)
The University of Texas at Austin and Cornell University are saying blurred or pixelated images are not as safe as they may seem. As machine learning technology improves, the methods used to hide sensitive information become less secure. Quartz reports: Using simple deep learning tools, the three-person team was able to identify obfuscated faces and numbers with alarming accuracy. On an industry standard dataset where humans had 0.19% chance of identifying a face, the algorithm had 71% accuracy (or 83% if allowed to guess five times). The algorithm doesn't produce a deblurred image -- it simply identifies what it sees in the obscured photo, based on information it already knows. The approach works with blurred and pixelated images, as well as P3, a type of JPEG encryption pitched as a secure way to hide information. The attack uses Torch (an open-source deep learning library), Torch templates for neural networks, and standard open-source data. To build the attacks that identified faces in YouTube videos, researchers took publicly-available pictures and blurred the faces with YouTube's video tool. They then fed the algorithm both sets of images, so it could learn how to correlate blur patterns to the unobscured faces. When given different images of the same people, the algorithm could determine their identity with 57% accuracy, or 85% when given five chances. The report mentions Max Planck Institute's work on identifying people in blurred Facebook photos. The difference between the two research efforts is that UT and Cornell's research is much more simple, and "shows how weak these privacy methods really are." -
New Cloud Attack Takes Full Control of Virtual Machines With Little Effort (arstechnica.com)
C3ntaur writes: The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment. Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit. Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer. The research paper titled "Flip Feng Shui: Hammering a Needle in the Software Stack" can be read here. -
New Cache Attack Can Monitor Keystrokes On Android Phones (onthewire.io)
Trailrunner7 quotes a report from OnTheWire: Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor's TrustZone secure execution environment. The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.
"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.
It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device. -
DDoSCoin: New Crypto-Currency Rewards Users For Participating In DDoS Attacks (softpedia.com)
An anonymous reader writes from a report via Softpedia: "In the most innovative, weirdest, and stupidest idea of the month, two researchers from the University of Colorado Boulder and the University of Michigan have created a crypto-currency that rewards people for participating in DDoS attacks," reports Softpedia. "Called DDoSCoin, this digital currency rewards a person (the miner) for using their computer as part of a DDoS attack. Just like Bitcoin, DDoSCoin uses cryptographic data to provide a proof-of-work. In DDoSCoin's case, this proof-of-work is extracted from the TLS connection a miner establishes with the website they're supposed to attack." This means that DDoSCoin can be used only with DDoS attacks on TLS-enabled websites. Participating in DDoS attacks gives miners DDoSCoin, which can then be converted into Bitcoin or fiat currency. Furthermore, anyone can request a DDoS attack via the PAY_TO_DDOS transaction. The research paper that proposes DDoSCoin is only a theoretical exercise, and a DDoSCoin crypto-currency does not currently exist in the real world. For now. -
MIT Develops Accurate System For Tracking People, Objects Via WiFi (softpedia.com)
An anonymous reader writes: MIT's Computer Science and Artificial Intelligence Laboratory has created a new system called Chronos that can accurately detect the position of electronic devices in a room -- as well as the users who are carrying them -- within tens of centimeters using Wi-Fi signals only. "Chronos works without the aid of any secondary sensors, only using a technology called time-of-flight calculation, which measures the time it takes data to travel from the WiFi access point to the user's device," according to an article on Softpedia, citing a paper (PDF) that the researchers presented at a USENIX symposium in March. "MIT researchers say that by multiplying the time-in-flight value they receive from each user with the speed of light, they were able to detect each user's distance to the central Wi-Fi access point." -
MIT Demos Wi-Fi That's So High-Tech It Doesn't Need a Password (mic.com)
An anonymous reader shares an article on MIC: Researchers at the Massachusetts Institute of Technology want to change how we connect to Wi-Fi. To avoid the cumbersome network login process, a team has come up with a way to grant computers access to a Wi-Fi network based on their proximity to a router. Applied practically, that means you could walk into a cafe and your device would automatically connect to a network -- no annoying password necessary. The same could be true for a home network. When your friends come over, they could immediately be granted access to your Wi-Fi. The paper (PDF), sadly, doesn't offer details on the security aspect. Security researchers advise that one should be careful when connecting to a public Wi-Fi. Say you forget to turn off Wi-Fi on your device, and you walk into a cafe. Your phone will automatically establish a connection with this supposed network. If the network is compromised, plenty of devices will be exposed to attack. -
MIT Creates Algorithm That Speeds Up Page Load Time By 34% (softpedia.com)
An anonymous reader writes: MIT researchers have created an algorithm that analyzes web pages and creates dependency graphs for all network resources that need to be loaded (CSS, JS, images, etc.). The algorithm, called Polaris, will be presented this week at the USENIX Symposium on Networked Systems Design and Implementation conference, and is said to be able to cut down page load times by 34%, on average. The larger and more resources a web page contains, the better the algorithm's efficiency gets -- which should be useful on today's JavaScript-heavy sites. -
An Algorithm For Better Password Checking (technologyreview.com)
New submitter della writes: Password checkers — those things that tell you whether your password is strong or not — are good: various studies have found that they make users choose better passwords. Unfortunately, nowadays attackers use probabilistic strategies based on natural language processing to guess passwords earlier, and most checkers consist of heuristic rules that don't reflect well probabilistic attacks. To do better you could in theory simulate the attack, but if your password is not that bad, that would be very expensive or just unfeasible.
In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks. -
BitTorrent Clients Can Be Made To Participate In High-Volume DoS Attacks
An anonymous reader writes: A group of researchers have discovered some of the most popular BitTorrent applications, including uTorrent, Mainline, and Vuze are vulnerable to a newly discovered form of distributed denial of service attack that makes it easy for a single person to bring down large sites. The weaknesses allow an attacker to insert the target's IP address instead of their own in the malicious request. To mount a Distributed Reflective DoS (DRDoS) attack, an attacker sends these malformed requests to other BitTorrent users, which then act as reflectors and amplifiers and flood the intended victim with responses. -
'Banned' Article About Faulty Immobilizer Chip Published After Two Years
An anonymous reader writes: In 2012, three computer security researchers Roel Verdult, Flavio D. Garcia and Baris Ege discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all. -
Facebook Awards Researchers $100k For Detecting Emerging Class of C++ Bugs
An anonymous reader writes: Facebook has awarded $100,000 to a team of researchers from Georgia Tech University for their discovery of a new method for identifying "bad-casting" vulnerabilities that affect programs written in C++. "Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities," the researchers explained in their paper. -
Severe Deserialization Vulnerabilities Found In Android, 3rd Party Android SDKs
An anonymous reader writes: Closely behind the discoveries of the Stagefright flaw, the hole in Android's mediaserver service that can put devices into a coma, and the Certifi-gate bug, comes that of an Android serialization vulnerability that affects Android versions 4.3 to 5.1 (i.e. over 55 percent of all Android phones). The bug (CVE-2015-3825), discovered by IBM's X-Force Application Security Research Team in the OpenSSLX509Certificate class in the Android platform, can be used to turn malicious apps with no privileges into "super" apps that will allow cyber attackers to thoroughly "own" the victim's device. In-depth technical details about the vulnerabilities are available in this paper the researchers are set to present at USENIX WOOT '15. -
What Non-Experts Can Learn From Experts About Real Online Security
An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software. -
New Seagate Shingled Hard Drive Teardown
New submitter Peter Desnoyers writes: Shingled Magnetic Recording (SMR) drives are starting to hit the market, promising larger drives without heroic (and expensive) measures such as helium fill, but at a cost — data can no longer be over-written in place, requiring SSD-like algorithms to handle random writes.
At the USENIX File and Storage Technologies conference in February, researchers from Northeastern University (disclaimer — I'm one of them) dissected shingled drive performance both figuratively and literally, using both micro-benchmarks and a window cut in the drive to uncover the secrets of Seagate's first line of publicly-available SMR drives.
TL;DR: It's a pretty good desktop drive — with write cache enabled (the default for non-server setups) and an intermittent workload it performs quite well, handling bursts of random writes (up to a few tens of GB total) far faster than a conventional drive — but only if it has long powered-on idle periods for garbage collection. Reads and large writes run at about the same speed as on a conventional drive, and at $280 it costs less than a pair of decent 4TB drives. For heavily-loaded server applications, though, you might want to wait for the next generation. Here are a couple videos (in 16x slow motion) showing the drive in action — sequential read after deliberately fragmenting the drive, and a few thousand random writes. -
Professor Kevin Fu Answers Your Questions About Medical Device Security
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions. Fu: I apologize for the year-long delay, but my queue has rather overflowed after part of my house collapsed. See slide #11 for more information on the delay.
Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.
I huddled with graduate students from my SPQR Lab at Michigan, and we wrote up the following responses to the great questions. We were not able to answer every question, but readers can find years worth of in-depth technical papers on blog.secure-medicine.org and spqr.eecs.umich.edu/publications.php and thaw.org.
Cochlear Implants
by mcspoo
How secure are Cochlear implants and their processors? Any chance I'm going to hear the voice of God (without the tooth implant, ala Real Genius?)
Fu: Classic cochlear implants are mostly analog circuits with some external supporting software. However, newer implants on the drawing board are looking at how to enable audiologists to adjust implant settings remotely from the cloud. There are, of course, some significant security and privacy issues that need to be resolved. But there are also good reasons for remote access. Namely, patients' bodies change over time and an audiologist must tune the implant settings manually today. Remote control may simplify the life for patients from a demographic that may have difficulty making office visits.
Cochlear implants are amazing little devices to enable profoundly deaf patients to partially restore hearing. See the cover of Biodesign: The Process of Innovating Medical Technologies by Zenios, Makower, Yock. Also see Ultra Low Power Bioelectronics by Rahul Sarpeshkar. Cochlear implants consist of two major pieces: (1) an implant in the skull that directly stimulates the auditory nerve, and (2) a less resource-constrained external device worn on the scalp. The external device clips onto the scalp with a magnet to keep the implant paired. Think of the implant as special circuitry to wirelessly deliver sound as electrical impulses. Think of the external device as the source of power, sound inputs, and control.
I met a relatively young flight attendant a few years ago who had a cochlear implant. He explained that one day he suffered a routine cold that got worse and caused a rare infection that destroyed his auditory nerve. He lost his hearing. The cochlear implant sufficiently restored his hearing such that he and I could have a normal conversation.
You can imagine the complex security and privacy questions that will need to be considered when future devices go all "Internet of Things" or "TerraSwarm."
PCA Pumps?
by Digital Ebola
Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update. Thanks!
Fu: Pumps for medicine are amazing. Most people who have visited a hospital or seen a TV show should be aware of the plain old IV drip of saline solution to hydrate patients by gravity. It gets more interesting when a computer-controlled pump takes over from gravity. There are all sorts of pumps ranging from bed-side pumps to implantable pumps.
A PCA pump is short for a patient-controlled analgesia. I believe this question is referring to a bed-side pump rather than an implant. For instance, a patient may receive a PCA pump to deliver controlled pain medication such as morphine. Typical user interfaces consist of a "more please" button that delivers a bolus of drug via an IV.
A number of researchers have analyzed the attack surfaces for insulin infusion pumps, a special kind of externally worn pump for diabetics. Several faculty have done outstanding work in this space several years ago, and more recently a number of smart blackhat researchers have demonstrated the problems in ways more easily understandable by the general public. I think it's fair to say that manufacturers initially underestimated the importance of security requirements engineering during the early concept phases of product engineering. That said, the manufacturers are doing some amazing engineering. There is a game of catch-up, but I am optimistic that the manufacturers will improve by following the new U.S. FDA guidance on cybersecurity in good faith. Some manufacturers apparently have been thinking about security for a while. For instance, members of the insulin pump team at Medtronic recently were issued a medical device security patent filed way back in 2007!
Now on to the real question: what about the backdoor of the pump? No one likes to advertise the unsavory backdoors built into products---some by design and some by accident. It's out of sight, out of mind. On old CAT scans, you'll sometimes even find an "lp" Unix account enabled without a password. I don't know about this particular pump in question, but I would not be surprised if there are some ports left open for debugging or communication with online drug libraries. You will likely find some interesting traffic, perhaps not cryptographically protected, if you listen to the network. If you do find a problem, please be responsible and patient. Finding a vulnerability in a web browser is significantly different from finding a vulnerability in a medical device. The direct consequences on patients must be taken into account, and security researchers not collaborating with a physician are likely skating on thin ice. I recommend that researchers notify the FDA so that they may communicate the problem to the manufacturer. Call up the FDA people listed on the FDA cybersecurity guidance. Or file a MedWatch 3500 report. It once took a year for FDA to process one of my security reports; they are somewhat understaffed. FDA has tens of thousands of employees, but only about two of them focus on security. So be patient. They are good people doing the best they can with their scarce resources. Remember, your U.S. readers elected the people who set the budget.
Clinical Data Systems
by DeathGrippe
Most clinics, hospitals, insurance companies and dental offices are extensively computerized and networked. Based on your experience, how often are these systems compromised?
Fu: I find a good rule of thumb to measure security of a clinical environment: count the number of Windows XP boxes. Why? Because these devices are more vulnerable to run-of-the-mill, conventional malware. At one large hospital, medical devices based on Windows XP were re-infected about every 12 days if the box is not protected. With "bandaid" approaches like firewalls and anti-virus, the devices can last longer before re-infection. Alas, you can't make good wine out of bad grapes. Windows XP lacks meaningful security requirements. Microsoft learned its lessons, and has improved the security requirements and approaches over the years. Microsoft ended all support for XP on April 8th of this year.
That said, Linux ain't no picnic either. All operating systems have risks and benefits. I believe the root of the problem is that software security lifecycles for consumer grade operating systems do not align well with the product lifecycles of medical devices. Medical devices need to remain safe and effective for a very long time.
What can I do if I have one?
by AmiMoJo
Say I have an implant that could be hacked, what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replaces known vulnerable equipment?
Fu: I think patients can take comfort in knowing that FDA has written meaningful guidance on cybersecurity that is likely a game changer for manufacturing. Also, I find that engineers at most medical device manufacturers sincerely want to improve the security of their products. This positive attitude is unlike what one will find in adversarial industries like electronic voting where it's more common to see manufacturer denial of risks rather than mitigation of risks. I've seen some large medical device manufacturers vendors organize security teams composed of dozens of employees across engineering, sales, marketing, you name it, the whole company. They are beginning to understand that information security and privacy has to become part of the corporate culture if the products make use of modern communication and computer technology.
On the other hand, I don't think you'll ever find a hack-proof computer---whether it be a laptop, smart fridge, or medical device. I used to believe that a computer buried in concrete was secure, until I buried one in the concrete foundation of my house and powered it up wirelessly. You could also go to your car dealer and replace your car with a crash-proof car after you run into a tree. You might get funny looks. A manufacturer cannot eliminate risk, but it can be smart about minimizing risk. For instance, one of the best ways to minimize security risk is to have meaningful security requirements during the concept phase of device engineering. The requirements won't prevent security problems, but lack of security requirements will prevent the product from having meaningful security down the line. One can argue that it's a lot cheaper to engineer security from the start rather than to retrofit, but that argument is no longer necessary since draft FDA guidance on cybersecurity is abundantly clear on expectations for security risk management during the manufacture of new devices.
If I were prescribed a medical device, I would accept it. Why? Anything with a computer is hackable by some adversary. So worrying about whether an implant can be hacked does not help answer the basic question: how to balance risk. If you are prescribed a medical device, then likely your doctor determined that you have a significant, predisposed risk. For instance, you might have a significant risk of sudden cardiac arrest. In general, you are much safer with a device than without.
Re:Start-ups
by Anonymous Coward
How good is malware software and the WattsUpDoc system at finding something potentially harmful on a device?
Fu: WattsUpDoc is a system that detects malware by analyzing patterns in the power outlet. It's basically a phase shift on the AC power line caused by reactive power and varying loads of the connected computer. The details get hairy and are written for the experts, so I'd refer you to the scientific paper. The beauty is that no software changes are required for the device being monitored (e.g., medical devices).
We published our report on WattsUpDoc at the USENIX HealthTech workshop. There is also a related paper on detecting web browser activity from the power lines. The performance surprised me: 95% accuracy for known malware, and 85% accuracy for previously unknown malware (unlabeled samples of a malware infection that were not in the training set). It works well because medical devices tend to do a small number of different things when working normally. We can detect the deviation.
Should the local IT team have full control over a system
by Joe_Dragon
Should the local IT team have full control over any system in place / should vendors be forced to let systems have AV and OS updates installed on them without delays?
Fu: Hi Joe the Dragon. I shall call you Trogdor. This is a good question, but it technically is a leading question because computing systems created by medical device manufacturers force the IT team to choose between bad and worse. In a more ideal world, we wouldn't need to worry about viruses in the first place. So let me go on a tangent for a moment. Buffer overflows? Maybe that medical device should not be written in C. SQL injection error? Maybe you shouldn't be running a web server with an embedded database inside a life-critical medical device in the first place. The IT folks catch a lot of blame ranging from breaches to clinician complaints of mucking up the clinical workflow. There's some truth to that, but realize that the IT folks are stuck with what they can buy or make.
Ok, now your question: Do you give IT the keys? I'm not gonna be tricked into answering that one. It depends. I think the most effective organizational structures are ones where the clinical safety teams and the IT security teams learn to speak each other's languages. The manufacturers need to be forthcoming about offering regular security updates for underlying 3rd party software if they make the business choice to use COTS software. Hey, COTS software is cheap for a reason. The best situation is when the leaders of these teams do not hesitate to call each other. That said, the most secure system might also be the most unsafe. The most safe system might be the least secure. There are cases where one might forgo security because a safety issue trumps. What if you lock out access to a hypothetical pacemaker after three failed password attempts? Probably not a good idea if you think for a moment. A secure system that cannot deliver care is neither safe nor effective. Striking the balance is tricky.
I have a long rant on software updates (NSFW).
Safer Programming Language
by Anonymous Coward
The C programming language is most often used for embedded devices. The language is poorly specified. Compilers sometimes have issues, and programmers find a zillion creative ways to make mistakes. MISRA C and its enforcement is a bag of hurt in the absence of certified tools. Has there been any work to define a more safe/sane programming language for embedded devices?
Fu: Yes, but it's certainly hard to find in the medical device community. My colleagues from aviation software safety brag about their safer languages and practices, and I do think it's a good idea for the medical device community to borrow ideas from avionics. However, there are a couple roadblocks.
First, there's a crapton of legacy software out there. Try this experiment: walk into the C suite (not the programming language, the corporate suite), then declare that you need to stop product development for 9 months in order to convert to architectures that have better security properties. I know of only one company that did this (hint, it's an automotive company).
Second, the universities are at fault. I once asked a senior engineer at a medical device manufacturer why they wrote in C and assembly for their implantable medical device firmware. The engineer explained, that's who they can hire! The universities produce the graduates, and we are not training them sufficiently for trustworthy computing. When we teach students C and C++, we are handing them loaded weapons. Many of the students are talented and can respect the unchecked power of C and assembly. It's especially good for high performance systems and hand-optimized inner loop code. However, if we want to see improvements in choices of programming languages, universities need to produce engineers who understand the risks of different programming languages. No one language is perfect for every situation. I highly recommend reading Prof. John Knight's book on Fundamentals of Dependable Computing for Software Engineers to learn about how to match the programming language to the risks.
What to do when security is unfixable?
by Anonymous Coward
Seeing the abysmal state of computer security, even basic computer reliability expectations (which Dijkstra already noted, years ago), it's no surprise that embedded systems are no better. Simply because you usually don't see them and are thus less likely to notice just how poorly and insecurely the software is done. So how do we convince these people in the medical apparatus industry to leave well alone with the networking and wireless and bells and whistles, and simply deliver us machinery that does what it does, keep us alive, and not also surf the 'web for cat videos, or leave the door open for someone to come along with the latest exploit kit? Why do these things have to be connected at all?
Fu: A couple responses. A lot of medical devices are not networked in the sense of our home computers on the Internet. Many are connected with sneakernet. Yet the malware still can get in. Sleep labs are notorious for malware because patients bring in USB sticks of music, plus unwanted bonus material. I know one large medical device that was offline, but got infected by Conficker during the split second that the vendor temporarily enabled the Internet connection to download a software update. Sad.
Keep in mind that manufacturers create products because they think they can sell them. If consumers did not express interest in questionably secure products, then we'd see better security. If insurance rates were tied to cybersecurity hygiene, we'd see security economics at work. Unfortunately, security and privacy are out of sight and out of mind as you point out. For instance, hospitals often demand the bells and whistles. I witnessed one physician checking Gmail and the web on a medical records system during surgery. I didn't have a chance to explain the risks of drive-by downloads as he was occupied teaching a young resident how to catheterize the anesthetized patient. I know another hospital system where they let radiologists check email on the medical devices because staff wanted access to email, and there wasn't enough desk space for a second computer.
I have a set of slides on wireless where I make the argument that wireless is like bacon. People think it makes everything taste better. Wireless communication and network connections do serve an important role, but one needs to make a case-by-case judgement for each device. I like the concept of wireless to reduce infection rates during surgical implantations of defibrillators and pacemakers. About 1-2% of implantations result in major complications such as infection, and about 1% of these cases are fatal. Wireless does introduce security risks. While the security architectures can be greatly improved, I'd rather be insecurely alive than securely dead from an infection.
Medical device security vs. Open standards?
by Anonymous Coward
In the ever increasing world of consumerized technology (Apps, smartphones, smarter cars etc.), how do you see medical device security staying relevant and cutting edge while maintaining adequate security? More and more people can and probably will ask "why can't I use with my ?". For instance, could a secure, but open interface be created for Insulin pumps which would allow an end-user app to aggregate multiple data sources into a better snapshot of that person, while still being secure and protected from hijacking by a 3rd party?
Fu: I agree that the natives will get restless if they perceive security as a problem rather than a solution. However, consumers have become accustomed to crap in a hurry during the 1990s transition from postcards to hyperconnected electronic communication. I think it will be difficult to create magic walled gardens or magic interfaces that "add" security because security is not a product, it's a property and a process. I see three areas where one can improve the trustworthiness of medical device software: early concept phases, post market surveillance, and all the fun stuff between (design, implementation, testing, verification, validation, etc.). There's a significant security focus on the implementation and finding bugs, but by that time much of the fate is sealed by the requirements engineering. I think more time should be spent at the concept phase on hazard analysis, risk management, etc. so that implementations are less likely to have security problems. Then spend time on post-market surveillance so you can measure the shifting effectiveness of the security mechanisms as the threats evolve.
Today, the worries are mostly conventional malware slowing down medical devices or causing malfunctions. We've begun to see signs of nation state threats, and we should use our time carefully as threats rarely decrease in severity.
I'd encourage computer science students to work for a medical device manufacturer or FDA rather than the latest Silicon Valley startup. The problems will be interesting and will bring great personal satisfaction. For creative students who enjoy writing and open ended problem solving in health care, apply to graduate schools that carry out medical device security research! Best wishes. -
Future Hack: New Cybersecurity Tool Predicts Breaches Before They Happen
An anonymous reader writes: A new research paper (PDF) outlines security software that scans and scrapes web sites (past and present) to identify patterns leading up to a security breach. It then accurately predicts what websites will be hacked in the future. The tool has an accuracy of up to 66%. Quoting: "The algorithm is designed to automatically detect whether a Web server is likely to become malicious in the future by analyzing a wide array of the site's characteristics: For example, what software does the server run? What keywords are present? How are the Web pages structured? If your website has a whole lot in common with another website that ended up hacked, the classifier will predict a gloomy future. The classifier itself always updates and evolves, the researchers wrote. It can 'quickly adapt to emerging threats.'" -
Your Phone Can Be Snooped On Using Its Gyroscope
stephendavion (2872091) writes Researchers will demonstrate the process used to spy on smartphones using gyroscopes at Usenix Security event on August 22, 2014. Researchers from Stanford and a defense research group at Rafael will demonstrate a way to spy on smartphones using gyroscopes at Usenix Security event on August 22, 2014. According to the "Gyrophone: Recognizing Speech From Gyroscope Signals" study, the gyroscopes integrated into smartphones were sensitive enough to enable some sound waves to be picked up, transforming them into crude microphones. -
A Look At Advanced Targeted Attacks Through the Lens of a Human-Rights NGO
An anonymous reader writes New research was released on cyber-attacks via human-rights NGO World Uyghur Congress over a period of four years. Academic analysis was conducted through the lens of a human-rights NGO representing a minority living in China and in exile when most targeted attack reports are against large organizations with apparent or actual financial or IP theft unlike WUC, and reported by commercial entities rather than academics. The attacks were a combination of sophisticated social engineering via email written primarily in the Uyghur language, in some cases through compromised WUC email accounts, and with advanced malware embedded in attached documents. Suspicious emails were sent to more than 700 different email addresses, including WUC leaders as well as journalists, politicians, academics and employees of other NGOs (including Amnesty International and Save Tibet — International Campaign for Tibet). The study will be presented at USENIX on August 21, and the full paper is already available. -
Study: Firmware Plagued By Poor Encryption and Backdoors
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor. -
Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App
rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack, NASA, and a host of Google apps, just to name a few..." -
Feature Phone Hack Can Block Calls, Texts On Some Networks
Trailrunner7 writes, quoting Threat Post "By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium. The hack involves modifying the baseband processor on some Motorola phones and tricking some older 2G GSM networks into not delivering calls and messages. By 'watching' the messages sent from phone towers and not delivering them to users, the hack could effectively shut down some small localized mobile networks. Essentially the hacked firmware ... can block ... pages by responding to them before the phones that were initially intended to receive them do, something Kevin Redon and company called during their research 'the race for the fastest paging response time.'" Thanks to the power of Osmocom BB, which has implemented Free Software baseband for several GSM devices. Also see the research paper. -
Usenix and EFF Reps Talk About VW's Attempt to Suppress a Presentation (Video)
You may have read about this on Slashdot: Three researchers were going to present a paper next week at the USENIX Security '13 conference about security holes they found in one of Volkswagen's anti-theft systems, but a British court said they couldn't. One of the presenters works at a British university, and the court may have jurisdiction over him. The other two are not U.K. residents, and the Usenix conference is being held in Washington D.C., so jurisdiction questions are flying thick and fast. Amusingly, whether the paper is published and presented or not, the security holes and crack codes it is supposed to contain have been available on the Internet for quite a while, so bad guys who want to learn about them most likely have done so already. Then, last week, we heard that one of the presenters was going to show up at the conference and possibly ignore the injunction. Meanwhile, USENIX co-executive director Casey Henderson and EFF intellectual property director Corynne McSherry talked with Slashdot's Timothy Lord via Zoom and discussed this situation, and how this sort of problem might be prevented in the future. -
Judge Rules In Favor of Volkswagen and Silences Scientist
sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss rules in favor of Volkswagen to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch." -
A 50 Gbps Connection With Multipath TCP
First time accepted submitter Olivier Bonaventure writes "The TCP protocol is closely coupled with the underlying IP protocol. Once a TCP connection has been established through one IP address, the other packets of the connection must be sent from this address. This makes mobility and load balancing difficult. Multipath TCP is a new extension that solves these old problems by decoupling TCP from the underlying IP. A Multipath TCP connection can send packets over several interfaces/addresses simultaneously while remaining backward compatible with existing TCP applications. Multipath TCP has several use cases, including smartphones that can use both WiFi and 3G, or servers that can pool multiple high-speed interfaces. Christoph Paasch, Gregory Detal and their colleagues who develop the implementation of Multipath TCP in the Linux kernel have achieved 50 Gbps for a single TCP connection [note: link has source code and technical details] by pooling together six 10 Gbps interfaces." -
How Power Failures Corrupt Flash SSD Data
An anonymous reader writes "Flash SSDs are non-volatile, right? So how could power failures screw with your data? Several ways, according to a ZDNet post that summarizes a paper (PDF) presented at last month's FAST 13 conference. Researchers from Ohio State and HP Labs tested 15 SSDs using an automated power fault injection testbed and found that 13 lost data. 'Bit corruption hit 3 devices; 3 had shorn writes; 8 had serializability errors; one device lost 1/3 of its data; and 1 SSD bricked. The low-end hard drive had some unserializable writes, while the high-end drive had no power fault failures. The 2 SSDs that had no failures? Both were MLC 2012 model years with a mid-range ($1.17/GB) price.'" -
A Chat With USENIX Community Manager Rikki Endsley (Video)
Rikki Endsley has been Community Manager for USENIX since September, 2011. She also edits their magazine, ;login:, writes for publications ranging from Linux.com to Network World, and is a long-distance runner to boot. But this interview concentrates on USENIX, a worthy organization that does a great job of helping its members (and the entire Unix/Linux community) stay up to date technically and, with its job board, keep USENIX members employed. Toward the end of the conversation, Rikki mentions some of the intangible but valuable benefits people get when they attend USENIX events. (Remember: If you don't have time to watch the video, can't see the video or just don't like video, you can click on the "Show/Hide Transcript" link and read a text version of the video.) -
Book Review: Burdens of Proof
benrothke writes "When the IBM PC first came out 31 years ago, it supported a maximum of 256KB RAM. You can buy an equivalent computer today with substantially more CPU power at a fraction of the price. But in those 31 years, the information security functionality in which the PC operates has not progressed accordingly. In Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents, author Jean-François Blanchette observes that the move to a paperless society means that paper-based evidence needs to be recreated in the digital world. It also requires an underlying security functionality to flow seamlessly across organizations, government agencies and the like. While the computing power is there, the ability to create a seamless cryptographic culture is much slower in coming." Keep reading for the rest of Ben's review.
Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents
author: Jean-François Blanchette
pages: 288
publisher: MIT Press
rating: 9/10
reviewer: Ben Rothke
ISBN: 978-0262017510
summary: Excellent overview and history of using cryptography to build a trust framework
The so-called Year of the PKI has been waiting for over a decade, and after reading Burdens of Proof, it is evident why a large-scale PKI will be a long time in coming. More than that, getting the infrastructure in place in a complex environment that exists in the USA with myriad jurisdictions and technologies may prove ultimately to be an impossibility.
The irony is that an effective mechanism for digital authentication would seem to be an indispensable part of the digital age. The lack of such an authentication infrastructure may be the very reason that fraud, malware, identity theft and much more, are so pervasive on the Internet.
The premise of this fascinating book is that the slow decline from the use of paper from a legal and evidentiary perspective has significant consequences. For the last few hundred years, paper has been ubiquitous in modern life; from legal and health records, school, employment and everything in between.
The book details the many challenges that businesses and governments face in moving from a paper-based record society and the underlying trust mechanisms that go along with it, to a new digital-based record system, and how a new framework is needed for such a method. The book details part of that new framework.
The book opens with an observation on the authenticity of President Obama's birth certificate. While Blanchette is not a birther, he does note that if the moral authority of paper records has diminished, then the electronic documents replacing them, which are what the Obama administration provided, appear to be even more malleable. And that is precisely the issue that he addresses.
Blanchette details a compelling story and writes it as an insider. He was a member of a task force appointed in 1999 by the French Ministry of Justice to provide guidance on the reform of the rules governing the admissibility of written evidence in French courts, into a digital format.
The first few chapters provide an excellent overview of the history of cryptography. Chapter 3 – On the Brink of a Revolution – gives an excellent summary of cryptography from 1976 on, starting with seminal research that was done by Diffie and Hellman, and Rivest, Shamir and Adleman (RSA).
In chapter 5, Blanchette details his narrative about how France embraced and moved to a more digital governmental framework. He notes that the challenge was that France was the country that gave bureaucracy its name, and is a place where citizens must carry at all times their papiers d'identité and is a society enmeshed in paper. Blanchette writes of the many French bureaucracies that had to let go of their protectionist stances as they moved down the path to letting electronic documents have legal validity.
Blanchette writes that in France, one of the biggest impediments to moving to a digital framework was the French civil-law notaries or notaire. French notaries are much more powerful than a notary public in the US, and are closer to being what a paralegal does in the US.
The French notaire are a wealthy and powerful monopoly when it comes to issues of purchases, sales, exchanges, co-ownerships, land plots, leases, mortgages and the like. A notaire can form a corporation, prepare commercial business leases and much more. The entire French notary profession had been dependent on its monopoly to grant authenticity, and no definition of electronic authenticity could emerge and succeed if it did not meet its criteria.
While paper trust may be intuitive now, Blanchette writes that it wasn't always the case. When documents were first created (whenever that may have been), they did not immediately inspire trust. As with other innovations, there was a long and complex period of evolution needed to gain accepted levels of trust.
In chapter 6, the book notes that many people assumed cryptography would be the mechanism that would inspire trust in the digital world. Blanchette writes that the mistake cryptographers made, and sometimes continue to make, is that they often assumed that the properties of cryptographic objects will translate transparently into the complex social and institutional setting in which they are deployed.
This was incisively noted in Why Johnny Can't Encrypt, which was a usability evaluation of PGP by Whitten and Tygar. The authors observed that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. While the paper was written in 1999, most of its findings are still relevant.
Chapter 6 provides 3 fascinating case studies that show how different approaches to security technology and cryptographic deployments are imperative in ensuring that they work.
In just under 200 pages, the book's 7 chapters provide both a fascinating overview of the history of cryptography, in addition to showing how cryptography can be effectively used to authenticate digital documents. The book also has a high-level framework (a comprehensive framework would require at least 5 times as many pages) for an effective cryptographic framework for digital trust.
As Blanchette notes many times in the book, the challenge with getting digital signatures to work is not with the technology; rather it is with the underlying societal infrastructure in which to make it work. France was brought kicking and screaming into the age of electronic authentication, and is one of the few countries that have had such widespread success.
The book is a fascinating read that details how frustratingly difficult it has been to create a comprehensive mechanism for digital authentication. The book raises many beguiling questions, and Blanchette is smart enough to note that there are no simple answers to these multifaceted problems.
Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents is both a fascinating overview of the history of paper and electronic authentication, in addition to providing a synopsis of what it will take to create a cryptographic culture, where digital evidence will be as accepted in the courtroom, as its antique paper cousin.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Burdens of Proof: Cryptographic Culture and Evidence Law in the Age of Electronic Documents from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Frankenstein Code Stitches Code Bodies Together To Hide Malware
mikejuk writes "A recent research technique manages to hide malware by stitching together bits of program that are already installed in the system to create the functionality required. Although the Frankenstein system is only a proof of concept, and the code created just did some simple tasks, sorting and XORing, without having the ability to replicate, computer scientists from University of Texas, Dallas, have proved that the method is viable. What it does is to scan the machine's disk for fragments of code, gadgets, that do simple standard tasks. Each task can have multiple gadgets that can be used to implement it and each gadget does a lot of irrelevant things as well as the main task. The code that you get when you stitch a collection of gadgets together is never the same and this makes it difficult to detect the malware using a signature. Compared to the existing techniques of hiding malware the Frankenstein approach has lots of advantages — the question is, is it already in use?" Except for the malware part, this has a certain familiar ring. -
Time Machines, Computer Memory, and Brute Force Attacks Against Smartcards
An anonymous reader writes "IEEE Spectrum reports on a method that exploits the decaying contents of unpowered computer memory to create an hourglass-like 'time machine' that rate limits brute force attacks against contactless smartcards and RFIDs. The paper takes an odd twist on the 'cold boot' attack reported four years ago at USENIX Security. Not quite as cool as a hot tub time machine though." Full paper (PDF). -
Flash Memory, Not Networks, Hamper Smartphones Most
Lucas123 writes "New research shows that far more than wireless network or CPUs, the NAND flash memory in cell phones, and in particular smartphones, affects the device's performance when it comes to loading apps, surfing the web and loading and reading documents. In tests with top-selling 16GB smartphones, NAND flash memory slowed mobile app performance from two to three times with one exception, Kingston's embedded memory card; that card slowed app performance 20X. At the bottom of the bottleneck is the fact that while network and CPU speeds have kept pace with mobile app development, flash throughput hasn't. The researchers from Georgia Tech and NEC Corp. are working on methods to improve flash performance (PDF), including using a PRAM buffer to stage writes or be used as the final location for the SQLite databases." -
How To Steal ATM PINs With a Thermal Camera
An anonymous reader writes "Researchers from UCSD have demonstrated how thermal imagery cameras can be used to steal customers' PINs (PDF) when you withdraw cash from ATMs. Their paper, entitled 'Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks', (PDF) discovered that plastic PIN pads were the best for retaining heat signatures showing which numbers (and in which order) were used by bank customers. Fortunately the methodology does not appear to have been used by criminals yet, but a third of people surveyed admit that they do not check ATMs for tampering before withdrawing cash." -
Confidential Data Not Safe On Solid State Disks
An anonymous reader writes "I always thought that the SSD was a questionable place to store private data. These researchers at UCSD's Non-Volatile Systems Laboratory have torn apart SSDs and have found remnant data even after running several open source and commercial secure erase tools. They've also proposed some changes to SSDs that would make them more secure. Makes you think twice about storing data on SSDs — once you put it on, getting it off isn't so easy." -
Touchscreens Open To Smudge Attacks
nk497 writes "The smudges left behind on touchscreen devices could be used to decipher passwords to gain access, according to researchers at the University of Pennsylvania. The report tested the idea out (PDF) on Android phones, which use a graphical pattern that the user traces to unlock the handset. The researchers took photos of the smudge trails left on the screen and bumped up the contrast, finding they could unlock the phone 92% of the time. While they noted Android 2.2 also offers an alphanumeric password option, the researchers claimed such a smudge attack could be used against other touchscreen interfaces, including bank machines and voting machines. 'In future work, we intend to investigate other devices that may be susceptible, and varied smudge attack styles, such as heat trails caused by the heat transfer of a finger touching a screen,' they said." -
Anyone Can Play Big Brother With BitTorrent
An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent." -
Voting Machine Attacks Proven To Be Practical
An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT." -
Strong Passwords Not As Good As You Think
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now. -
Let Your Theme Song be Your Password
An anonymous reader writes "The latest proposed solution to the fact humans suck at using passwords properly is to let people use digital objects, like mp3s, photos or videos instead. A file is hashed into a unique, secure string that acts as the real password. A paper on the idea was put forward in a recent Usenix conference on hot topics in security, and a Firefox extension that implements the idea is available too." -
Schneier, UW Team Show Flaw In TrueCrypt Deniability
An anonymous reader writes "Bruce Schneier and colleagues from the University of Washington have figured out a way to break the deniability of TrueCrypt 5.1a's hidden files. What about the spanking-new TrueCrypt 6? Schneier says that 'The new version will definitely close some of the leakages, but it's unlikely that it closed all of them.' Meanwhile, PC World is reporting that the problems Schneier and colleagues found are bigger than just TrueCrypt. Among their discoveries: Word auto-saves the contents of encrypted files to the unencrypted portions of your disk, and this problem should apply to all non-full disk encryption software. Their research paper will appear at Usenix HotSec '08."