Jefferson’s Wheel

Austin DeVinney, who worked with us on GuardRails last summer and presented a poster at USENIX Security Symposium, was featured in Radford's College of Science and Technology newsletter.

Information technology student Austin DeVinney's interest and curiosity has paid off with a summer internship opportunity with cybersecurity expert and Associate Professor of Computer Science at the University of Virginia David Evans.

The full article is here: IT Student Presents Research at Prestigious Conference [PDF].

The New York Times has a new article about Karsten Nohl’s studies of mobile phone carrier security: Lax Security Exposes Voice Mail to Hacking, Study Says (the title is very misleading, since there is nothing really specific to voice mail here, it is about intercepting actual calls), New York Times, 25 December 2011.

In a study of 31 mobile operators in Europe, Morocco and Thailand, Karsten Nohl, a Berlin hacker and mobile security expert, found that many operators provided poor or weak defenses to protect consumers from illicit surveillance and identity theft.

Mr. Nohl said he was able to hack into mobile conversations and text messages and could impersonate the account identities of cellphone users in 11 countries using an inexpensive, 7-year-old Motorola cellphone and free decryption software available on the Internet. He has tested each mobile operator more than 100 times, he said, and has ranked the quality of their defenses.

…

“This is a major vulnerability in most networks we tested, and the irony is that it costs very little, if nothing, to repair,” Mr. Nohl said. “Often it is just a question of inertia on the part of operators, or they have other priorities, such as building their networks.” …

While the research was limited mostly to Europe, Mr. Nohl, a German citizen who received a doctorate in computer science at the University of Virginia, said the level of security provided by U.S. network operators was on a par with European operators, meaning there was also room for improvement.

In Asia, the Middle East and Latin America, the level of mobile security varies widely and can be much lower. Operators in India and China, Mr. Nohl said, encrypt digital traffic poorly or not at all, either to save on the network’s operating costs or to allow government censors unfettered access to communications.

UVa Today has a story about our secure computation project: U.Va. Team Awarded $3 Million NSF Secure Computation Grant, Fariss Samarrai, UVa Today, 14 October 2011.

Photo: Cole Geddy

“Secure computation is the idea that you can have two people compute a function that depends on things that each one knows individually and wants to keep private without exposing their private data to the other person, or to anyone else,” Evans said.

The research has applications in everyday life, from private medical information, such as personal genomics, to privacy-preserving face recognition and electronic commerce.

As a simple example of how it works, consider two people who each have smartphones with personal address books. They would like to know if they know any of the same people by comparing their address books. But, they may not want to share their address books, which include potentially sensitive private information. So how can they find the common entries, without revealing anything about their other contacts?

Read More …

Computers will make the world of tomorrow a much safer place. They will do away with cash, so that you need no longer fear being attacked for your money. In addition, you need not worry that your home will be burgled or your car stolen. The computers in your home and car will guard them, allowing only yourself to enter or someone with your permission.

However, there is one kind of crime which may exist in the future — computer crime.

From World of Tomorrow — School, Work and Play, by Neil Ardley, 1981. (Scanned by David Gagnon. Hat tip: Ian Finder, University of Washington)

Muzzammil Zaveri (BACS 2011), who worked in our group 2010-2011, and Ethan Fast (BACS 2011) have launched a new company, Proxino, that provides developers with a way of finding bugs in their site’s JavaScript code, as well as optimizing the loading and performance of scripts. Ethan and Muzzammil were funded by Y Combinator, starting in Summer 2011 (right after finishing their BACS degrees). Here’s an article about Proxino:
YC-Funded Proxino: Automated Error Reporting For Your Client-Side JavaScript, TechCrunch, 22 August 2011.

While he was a student here, Muzzammil worked on the GuardRails secure web application framework. Ethan worked in Westley Weimer‘s group on automated program repair.

The New York Times is covering Karsten Nohl’s work on vulnerabilities in cellular data networks: Hacker to Demonstrate ‘Weak’ Mobile Internet Security, New York Times, 9 August 2011.

Karsten Nohl, who published the algorithms used by mobile operators to encrypt voice conversations on digital phone networks in 2009, said during an interview he planned to demonstrate how he had intercepted and read the data during a presentation Wednesday.

Mr. Nohl said he and a colleague, Luca Melette, intercepted and decrypted wireless data using an inexpensive, modified, 7-year-old Motorola cellphone and several free software applications. The two intercepted and decrypted data traffic in a five-kilometer, or 3.1-mile, radius, Mr. Nohl said.

The interceptor phone was used to test networks in Germany, Italy and other European countries that Mr. Nohl declined to identify. In Germany, Mr. Nohl said he was able to decrypt and read data transmissions on all four mobile networks — T-Mobile, O2 Germany, Vodafone and E-Plus. He described the level of encryption provided by operators as “weak.”

In Italy, Mr. Nohl said his interceptions revealed that two operators, TIM, the mobile unit of the market leader, Telecom Italia, and Wind did not encrypt their mobile data transmissions at all. A third, Vodafone Italia, provided weak encryption, he said.

Technology Review also has an article: Researchers Hack Mobile Data Communications, Technology Review, 10 August 2011.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

The Register also has this story: Hackers crack crypto for GPRS mobile networks, The Register, 10 August 2011.

The details will be presented at Chaos Communications Camp today (August 10).