Archive for 2010

Car Immobilizers

Friday, December 24th, 2010

Karsten Nohl is in the news again, this time for demonstrating how bad the proprietary crypto used for car immobilizers is. Here are a few articles:

Karsten presented the technical aspects in a talk at the 8th Embedded Security in Cars conference in Berlin.

Even if car manufacturers get the crypto right, relay attacks pose a serious threat, especially for modern cars that do away with the mechanical key completely. See the upcoming NDSS paper by Aurelien Francillon, Boris Danev, and Srdjan Capkun: Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars.

Secure Biometrics

Thursday, December 9th, 2010

We’ve released our code and paper on efficient privacy-preserving biometric identification:

Yan Huang (University of Virginia), Lior Malka (Intel/University of Maryland), David Evans (University of Virginia), and Jonathan Katz (University of Maryland). Efficient Privacy-Preserving Biometric Identification. To appear in 18th Network and Distributed System Security Conference (NDSS 2011), 6-9 February 2011. [PDF, 14 pages]

We present an efficient matching protocol that can be used in many privacy-preserving biometric identification systems in the semi-honest setting. Our most general technical contribution is a new backtracking protocol that uses the by-product of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacy-preserving fingerprint matching system.

Yan will present the paper at NDSS in February. The code for our system is available under the MIT open source license.


GuardRails at OWASP AppSec DC

Tuesday, November 9th, 2010

Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri will present GuardRails at AppSec DC on Wednesday, 10 November. The conference is at the Walter E. Washington Convention Center in Washington, DC.

GuardRails is a framework for automating many of the tasks necessary to build a secure web application. For more, see the talk abstract: GuardRails: A Nearly Painless Solution to Insecure Web Applications (video and slides will appear there soon).

Update 9 December: The slides are here [PDF].

Deutsche Post “Security Cup”

Tuesday, September 7th, 2010

I’m a judge for the Deutsche Post “Security Cup” contest being organized by our former student, Karsten Nohl. The goal of the contest is to incentivize enterprising students and practitioners to bash on the Deutsche Post’s E-Postbrief web application. They are offering some fairly significant prizes (up to 5,000 Euro per bug) to teams that identify vulnerabilities in their application, as well as providing up-front funding to qualified teams that enter the contest.

Deutsche Post Page
EPostal News

Why Aren’t HTTP-only Cookies More Widely Deployed?

Monday, May 3rd, 2010

Yuchen Zhou will present a paper [PDF] on HTTP-only cookies and why it is so hard to deploy security technologies at Web 2.0 Security and Privacy (attached to the Oakland conference) on May 20.

HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed.
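The kind of check a survey like this relies on, as an added example that is not from the paper or its authors: it parses each Set-Cookie header of a response, spots cookies whose names suggest they carry a session identifier, and reports those that lack the HttpOnly flag (and so remain readable through document.cookie by injected script). The header lines and the name heuristic are constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly flag, the way a survey of
session-cookie hardening would (added example, not the paper's code)."""

from dataclasses import dataclass

# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "sid=xyz789; Path=/; Secure"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("Content-Type", "text/html"),
]

# Name fragments that hint a cookie carries a session identifier (assumed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieInfo:
    name: str
    httponly: bool
    secure: bool
    session_like: bool


def parse_set_cookie(value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its name and the flags we care about."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); flags carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lname = name.lower()
    return CookieInfo(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        session_like=any(h in lname for h in SESSION_HINTS),
    )


def audit(headers):
    """Return names of session-like cookies that script can read (no HttpOnly)."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        c = parse_set_cookie(value)
        if c.session_like and not c.httponly:
            findings.append(c.name)
    return findings


if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: session cookie set without HttpOnly")
```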

Scientists work to keep hackers out of implanted medical devices

Monday, April 19th, 2010

Nate Paul, who finished a PhD in our group a few years ago and is now a research scientist at Oak Ridge National Labs, is the focus of this CNN story: Scientists work to keep hackers out of implanted medical devices, CNN, 16 April 2010.

Nathanael Paul likes the convenience of the insulin pump that regulates his diabetes. It communicates with other gadgets wirelessly and adjusts his blood sugar levels automatically.

But, a few years ago, the computer scientist started to worry about the security of this setup.

What if someone hacked into that system and sent his blood sugar levels plummeting? Or skyrocketing? Those scenarios could be fatal.

“If your computer fails, no one dies,” he said in a phone interview. “If your insulin pump fails, you have problems.”

As sci-fi as it sounds, Paul’s fears are founded in reality.

Oakland 2010 Papers

Tuesday, February 2nd, 2010

The list of papers accepted to the 31st IEEE Symposium on Security and Privacy is now posted:

The PC accepted 26 research papers (from 237 submissions) and 5 Systematization of Knowledge papers (from 30 submissions).

Hope to see everyone at the conference in Berkeley this May!