Cybersecurity and Continuing Education

Since 1990, I have had the honor and the privilege of being the Training Chair for the Annual Computer Security Applications Conference (ACSAC), one of the three original conferences on what is now called Cybersecurity. ACSAC, which is held in early December in the sunbelt, is an approximately 200-250 person conference that brings together academics and industry to connect and talk about the application of computer security (now cybersecurity) research. Attendance is about 25% international.

The conference, which this year takes place the week of December 5 at the beautiful Hilton Universal City in Los Angeles, consists of two days of training and workshops, followed by a two-and-a-half day technical conference. The purpose of this post is to highlight this year’s training program. Advance registration ends 11/14/2016. I encourage you, if you have an interest in cybersecurity, to attend one or more of our training courses:

Monday, December 5, 2016
M1 Understanding and Contrasting Android Malware at Runtime
Giovanni Russello, University of Auckland
M2 Program Analysis and Machine Learning to Improve Security and Privacy
Paolina Centonze, Iona College
M3 angr: Advancing Next Generation Research into Binary Analysis
Fish (Ruoyu) Wang, Yan Shoshitaishvili, and Chris Salls, UC Santa Barbara
Tuesday, December 6, 2016
T4 Practical Homomorphic Encryption
Kurt Rohloff, New Jersey Institute of Technology
T5 Big Data Analytics Over Encrypted Data
Hassan Takabi, University of North Texas
T6 Hands-On Interactive Car Hacking
Craig Smith, Theia Labs and Brendan Harris, US Dept. of Transportation Volpe Center
T7 Steganography with Malware Applications
John Ortiz, Harris and UT San Antonio

Tutorials T4 and T5 are half-day, the rest are full day. Click here to register for the conference; there are discounts for locals and those staying in the conference hotel. To register at the hotel, click here. Tutorials cost $575 (full day), $300 (half day); students are $300 (full), $150 (half). Rates include a good-sized continental breakfast and lunch (I know, I’m doing local arrangements and the food as well). Rates go up after 11/14.

Here is a summary of the tutorials:


Link Chum Stew: What’s In The Pot This Week, Johnny?

This afternoon, I’ve been spending some time cleaning up. What’s this? A list of links? Let’s write about them before they go stale and rotten (like the plums on the dining room table):

  • Dancing Around Politics. If you’ve been around LA at all of late, you’ve probably been handed a flyer for the Shen Yun dance troupe, who have been performing at halls across the city. You’ve probably never heard of them. The LA Times had an interesting article on who they really are and who is backing them: they are a touring dance troupe founded in New York by practitioners of Falun Gong, the spiritual practice banned by the Chinese Communist Party in 1999. The party calls it a cult; Falun Gong says the Chinese government is trying to eradicate thousands of years of culture and tradition and that its repression of Shen Yun shows an intolerance of freedom of expression and religion. Indisputably, the dance company — marking its 10th anniversary — has become a cultural phenomenon. That fits with what my wife called the show: religious indoctrination.  As the article noted: “Nonetheless, it’s safe to say that the bright costumes and spinning dancers are meant to convey a message. “The Falun Gong has a very well organized, managed and elaborate program of public relations, and Shen Yun is part of that,” said James Tong, a UCLA professor, expert in Chinese politics and author of a book about the Communist Party and Falun Gong. When audiences see Shen Yun, “people want to know more about the Falun Gong.””
  • Digital Last Wills. Here’s a good reminder article from LastPass about Digital Wills. As they note in the article: “When preparing a will, many of us focus on our monetary and physical assets. But what about social media accounts? Or email addresses? Or the myriad of online accounts we use to manage our lives, every day? Making a “digital will” that includes passwords and other important digital details will go a long way in helping those who need to settle your affairs, or in helping you if you need to settle the affairs of others.” It is an important concern: I know I do my banking via Quicken… would my wife be able to easily pick that up? To inform all those whom I’m friends with online of what is happening with me? To pass off my highway pages somewhere? To handle other online financial accounts?
  • Upgrading Your Smartphone the Smart Way. Here’s an interesting article on how cell phone companies get you yet again: the upgrade fees if you buy a phone through them. With some, it is cheaper to buy your phone elsewhere, and then just bring it in and have it activated. Useful information to know.
  • Fighting Blisters. One of the scourges of walking as exercise is blisters. They are the reason I’ve switched to Injinji Toe Socks and Vibram Five Fingers. Too bad I didn’t know about this: there is evidently an easy way to combat blisters: use of surgical paper tape. I’ll have to give it a try one day, especially when the plantar fasciitis is acting up and I need shoes with padding and arch support.
  • Women in Cybersecurity. As you know, I’m part of ACSA, the sponsoring group behind SWSIS — the scholarship for women studying information security. Here’s a profile about one of our first recipients. I met Jill when she came out to ACSAC; I wish I had known this about her.
  • High Fidelity. Yesterday was Record Store day, and alas I missed it. But then again, I have enough records for this month. The iPod is at just under 38,000 songs. But here’s a good guide, for Record Store Day, about getting the right equipment to play your records. As for me, I have two turntables (Technics and Sansui), a good JVC amplifier with a phono curve, which feeds into my soundcard and the Roxio tools for recording to MP3 or WAV.
  • Free, as in Free Gigs. How would you like 2GB of free data for a month or two? Evidently, Verizon has a promotion where if you use Android Pay at three retailers, they’ll give you an extra 2GB for two months. The giveaway is part of a promotion that encourages people to start using Android Pay, which is essentially the Android version of mobile payments. Any Verizon customer with a postpaid plan who has an Android Pay-compatible phone will get 1GB of free data the next time they use Google’s mobile payment platform. Use it another two times, for a total of three separate purchases, and Verizon will throw in another gigabyte of free data. Once you’ve got the data freebie, Verizon says you’ll be able to use it across two billing cycles. The offer ends on June 14.
  • Mulholland Drive. Lastly, here’s a fascinating history article on Mulholland Drive: its origins and first plans. If you happen to be inspired to drive all of Mulholland — including the dirt portion across the top of the Santa Monicas, keep your eye out for a watch. I lost it there sometime in high school :-).



The Power of Theatre

As I wrote in the previous post, I just concluded a week as Local Arrangements Chair for the ACSAC conference. Part of my responsibility was to coordinate some form of dinner entertainment. Luckily, the Hollywood Fringe Festival made that easy, for it was there that I discovered The Nigerian Spam Scam Scam, the duologue based on a true incident.

Here’s the description of the show from the Fringe website, which is as good as the description I might write: ““Please help me transfer $100 million from Bank of Nigeria!” We’ve all gotten this e-mail. Writer/performer Dean Cameron did something about it. After he received an email from a Nigerian con artist posing as the wife and son of a dead Nigerian leader, Cameron replied. Posing as a sexually confused Florida millionaire, whose only companions were his cats, houseboy, and personal attorney, Perry Mason, Cameron embarked on an 11-month correspondence with the bewildered and tenacious Nigerian, impeccably played by co-star Victor Isaac. This hit duologue, taken from actual email threads, documents the hilarious relationship as it descends into a miasma of misunderstanding, desperation, and deception.”

That is literally the show. Two podiums and a digital projector. Dean Cameron (FB, IMDB) relates the story of how he baited along Nigerian spammers, with the ultimate goal of getting them to send him money. Co-star Victor Isaac (FB) provides the voices of the spammer side, from MRS MARIAM ABACHA to IBRAHIM ABACHA to DR DONALD ABAYOMI. The story itself is pretty much just condensed versions of the actual email dialogue, with hysterical side commentary and the occasional visual.

My purpose here is not to review the show again. Rather, I want to talk about something specific to ACSAC — something that made me learn the stresses a producer faces. What stress? Well, consider that in the audience for this show we had a Nigerian Senator (from the newly elected opposition government), and two representatives from the National Assembly Antimoney Laundering & Cybersecurity Coalition of Nigeria. Yes, it is a real organization. How would they react to this show? Would they find it funny? Would they sue us? What have I done?

So, Dean and Victor do the show. Many people are rolling in laughter (especially Gene Spafford, who wants to now book them for a phishing conference). The Nigerians? Straight-faces. They go up and talk to Dean and Victor after the show. Oh, what we would have given to be a fly on that wall.

It turns out that they were worried the audience would believe the actors were portraying real Nigerian officials, and that people might think the government was behind the scam. We (including one Nigerian student) worked to convince them it was clear that wasn’t the case. This was a true incident, with the words as written in the emails, perpetrated by scammers who are dragging the good name of Nigeria through the mud.

We also worked to convince them that the best way to fight the problem was with the truth. If you read the linked article from the Nigerian News Service, it noted that the goal of the organization is to align Nigeria with the global initiative against terror financing, cybercrimes, currency trafficking and money laundering. The organization was born out of the realization that huge financial losses through such financial crimes had become a threat to the nation, and that the collaboration with strategic partners, particularly the central bank, was to discuss ways to align foreign exchange operations with international best practices. Lastly, in line with the anti-corruption drive of the president, the coalition aimed to meet the expectations of Nigerians to kick out crimes denting the image of the nation internationally.

The upshot of this is that the Nigerian delegation is interested in presenting a case study next year telling a major technical conference the work that Nigeria is doing to prevent crimes such as this, and other forms of fraud that hurt their country.

Step back now, and look at this in perspective: A show from the Hollywood Fringe Festival, presented at a long standing technical conference, has served to encourage a government to tell the world broadly that the image the world has of them is wrong, and that they want to be in the forefront of fighting this type of crime.

The power of theatre. As Dean says at the end of the show, “mic drop”.


A Dinner Costs How Much?!?

Friday, the ACSAC conference ended for 2015. This year (and next year), the conference was in Los Angeles at the beautiful Universal City/Los Angeles Hilton; this meant that on top of my usual Training Chair hat, I was Local Arrangements Chair. That means I was the coordinator for the event: assigning the rooms, picking the dinner entertainment (more on that in the next post), and selecting all the menus. When I first saw the hotel menus, I was shocked at the prices: lunch prices between $40 and $50; and dinner prices even higher. In fact, when I got the end of day survey for the first day at the hotel, I had trouble answering the question: was this a good value for the price? How can you judge, when gallons of coffee are so expensive?

But as the week went on, I grew to understand why the prices are so high. In many ways, this is the same reason that the prices are so high in well established and fancy restaurants. And, no, the reason is not “because they can”. The reason is service.

When you go to almost any restaurant, the bulk of the cost of your meal is not the food costs. Food costs, right now, are relatively low. Delivery costs to your location are higher, but even those aren’t the bulk of the cost due to the volume being shipped. The most significant factor in the cost of a meal out is the labor. In fact, the labor is so expensive they increase the size of the portion so you don’t feel guilty paying that price. [And, of course, we’ve all been taught to clear our plates and not waste food, and so you have one reason behind the growth in obesity. In fact, there might be an interesting statistical study in the correlation between the cost of labor, portion size, and obesity in society.]

In a hotel — especially in a hotel that focuses on service such as a ★★★★ hotel — that cost is magnified more so. Everywhere I turned around at the HUC (Hilton Universal City) there was someone from Banquets making sure that all our needs were met, someone from IT making sure the A/V was right, someone from … you get the idea. Who pays for that service? It isn’t room rental — often room rental is gratis if you make a particular number of room nights and a minimum food and beverage. In fact, the answer is in that sentence: it is in the room rates, and the food and beverage costs. A certain amount of labor can be absorbed by the room rates, but the hotel also must be competitive. The bulk of the labor is captured in the F&B costs.

So, let’s go back to the question: is it a good value? We had only compliments on the quality of the food, and the quantity was almost too much (must remember that for next year). Most importantly, there were no complaints about service or the meeting rooms. The hotel staff was there whenever we needed them, often going above and beyond (with no additional charges). So, looking back in retrospect, I think it was a reasonably good value.

(Of course, that still didn’t mean I didn’t wince a little signing the final event orders. Who wouldn’t? But I also now better understood why I was paying what I was paying).

By the way, this is something that the great unwashed public — and even Congress — doesn’t understand. We’ve all read of the DOD acquiring toilet seats that cost $200 each, when they are $10 at the hardware store. We get incensed about the price, without knowing that they have unique manufacturing requirements that prohibit volume manufacturing, that they have documentation and maintenance requirements for their lifetime, and that they have the overhead of the administrative employees at the corporation that manufactures them, which has much lower volume to spread that overhead across when compared to a bulk manufacturer. Similarly, we hear stories of conferences with the $15 muffin or the $45 rubber chicken, and think the government is wasting money. It isn’t: that money goes to all the people employed by the hotel, providing all the service, and spending that money in the community. Yes, there are some conferences with boondoggles, but most food costs are not the boondoggles. Now you understand.


A Week of Security

I’ve been at ACSAC all week, and it has been a great conference. The committee and the Universal Hilton have a lot of work to do to top this year’s conference at the Hyatt French Quarter. But I’m confident they/we will. So what is more appropriate than some security-related articles:

  • Remember Benford’s Law. Here’s an interesting summary of an article about how accountants are using Benford’s Law to fight fraud. Benford’s Law, for those that don’t recall it, refers to the frequency distribution of digits in many (but not all) real-life sources of data. In this distribution, 1 occurs as the leading digit about 30% of the time, while larger digits occur in that position less frequently: 9 as the first digit less than 5% of the time. Benford’s Law also concerns the expected distribution for digits beyond the first, which approach a uniform distribution. The accountants looked at a log of financial ATM transactions for an ATM with a limit of $50, and saw an abnormal number of first digits that were 4. This led them to find financial fraud. Think about this for analysis of audit trails…
  • Two-Factor Authentication. One point that has been continually made this conference relates to the value of two-factor authentication. We even heard from Avi Rubin on how to use two-factor in online poker. However, there is a major problem with two factor: what happens if you lose the second factor? Here’s an article that explains what to do. Now that you know what to do, you have no excuse. Enable two factor authentication.
  • Cyberphysical Attacks. One major theme of the conference has been cyberphysical security. You probably think the first cyberphysical attack was Stuxnet. Wrong. A recent article points to a 2008 Turkish pipeline explosion, which was caused by a cyberattack that overloaded the pressure on the pipe. As Avi pointed out, as we get more and more devices in our houses and lives that are network connected, how susceptible will we be to cyberattacks?
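As an added example (my own code, not from the article the Benford’s Law bullet summarizes), here is the first-digit screen the accountants applied, run over a constructed ledger: a Benford-conforming series plus a burst of withdrawals just under a $50 limit, which shows up as a statistically excessive count of leading 4s. Because a capped ATM log will not follow Benford by itself, the screen also accepts an empirical baseline distribution from comparable data as the expectation.

```python
"""Benford's-law first-digit screen over transaction amounts (added example)."""
import math
from collections import Counter

# Expected first-digit probabilities under Benford's law: P(d) = log10(1 + 1/d).
# 1 leads about 30.1% of the time, 9 about 4.6%.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """Return the first significant digit of an amount, or None for zero."""
    x = abs(float(amount))
    if x == 0:
        return None
    while x >= 10:
        x /= 10
    while x < 1:
        x *= 10
    return int(x)


def digit_counts(amounts):
    """Count leading digits 1..9 over the amounts, skipping zero amounts."""
    counts = Counter()
    for a in amounts:
        d = leading_digit(a)
        if d is not None:
            counts[d] += 1
    return {d: counts.get(d, 0) for d in range(1, 10)}


def digit_frequencies(amounts):
    """Observed leading-digit frequencies; usable as an empirical baseline."""
    counts = digit_counts(amounts)
    n = sum(counts.values())
    return {d: counts[d] / n for d in counts}


def digit_z_scores(amounts, expected=BENFORD):
    """Per-digit z-score of the observed count against a binomial expectation."""
    counts = digit_counts(amounts)
    n = sum(counts.values())
    scores = {}
    for d in range(1, 10):
        p = expected[d]
        sd = math.sqrt(n * p * (1 - p))
        scores[d] = (counts[d] - n * p) / sd if sd else 0.0
    return scores


def flag_digits(amounts, expected=BENFORD, z_threshold=3.0):
    """Digits whose observed count sits more than z_threshold sigma from expectation."""
    z = digit_z_scores(amounts, expected)
    return sorted(d for d, s in z.items() if abs(s) > z_threshold)


# Constructed sample data (not a real log): a geometric series spanning four
# decades follows Benford by construction; the suspect copy adds sixty
# withdrawals between $40 and $50, the pattern the article's accountants saw.
NORMAL_LEDGER = [round(10 ** (k / 60), 2) for k in range(240)]
SUSPECT_LEDGER = NORMAL_LEDGER + [40.0 + (i % 10) + 0.5 for i in range(60)]

if __name__ == "__main__":
    baseline = digit_frequencies(NORMAL_LEDGER)
    for label, ledger in (("normal", NORMAL_LEDGER), ("suspect", SUSPECT_LEDGER)):
        z = digit_z_scores(ledger)
        print(f"{label}: flagged vs Benford {flag_digits(ledger)}, "
              f"vs empirical baseline {flag_digits(ledger, baseline)}")
        for d in range(1, 10):
            print(f"  digit {d}: z = {z[d]:+.2f}")
```

The z-score threshold trades false positives for sensitivity; the normal ledger flags nothing while the suspect ledger flags only digit 4 under both expectations.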

Want to learn more about these problems? Come to the 2015 ACSAC, December 7-11 2015 at the Universal Hilton. Paper submissions, training submissions, workshop submissions, and similar stuff are all due around June 1, 2015. As Local Arrangements and Tutorial Chair, I look forward to seeing you for what will be my 25th ACSAC on the Conference Committee!


Register and Attend ACSAC 2014 (December 8-12, New Orleans LA)

When many people think about conferences, this media-created image comes to mind of the conventions of yore that are pure boondoggles. But those who attend technical conferences and symposia know that the media image is far from the truth. Conferences are serious affairs during business hours with training sessions, papers, panels, keynote speakers. Much of that you could get through a web course or a book, but a conference goes beyond that and gives you something even more important: the chance to network and interact with your peers in the industry, and to make those connections that prove critical as you do your job.

I’m mentioning all of this because registration is now open for the 30th Annual Computer Security Applications Conference (ACSAC), being held December 8–12, 2014 at the Hyatt French Quarter in New Orleans, Louisiana. ACSAC is a great mid-size conference — it’s not the gigantic RSA or Blackhat with thousands of people making it impossible to network, nor is it a small symposium with a narrow technical focus and insufficient critical mass of attendees. ACSAC typically has an attendance around 200, and provides a well-rounded technical program with training and workshops on Monday and Tuesday, and papers, panels, speakers, and case studies on Wednesday through Friday. I’ve been attending the conference since the 4th ACSAC in 1989 in Tucson, and have continually found it to be of value in what I do.

Let me give some highlights for this year’s program:

You can see the full program at the ACSAC website; each session has links with more information. Information on conference registration and hotel registration is here. Please spread the word about the conference with your friends, colleagues, coworkers, and associates.

Disclaimer: If you know me at all (and I hope you do, if you are reading this), I’ve been involved with the Annual Computer Security Applications Conference (ACSAC) for a long time. I’ve been the chair of the training program since 1990, and over the years I’ve also done local arrangements and been general chair of the conference. I’m also the Secretary of the sponsoring organization, ACSA. ACSA, the sponsoring organization behind ACSAC, also runs the New Security Paradigms Workshop, and is the initiator and sponsor of the Scholarship for Women Studying Information Security (SWSIS).

P.S.: ACSAC 31 (and 32) will be at the Universal Hilton in Los Angeles near Universal City December 7-11, 2015 (and December 5-9, 2016). Mark your calendars now to “save the dates”. I’ll be doing local arrangements for those conferences, and would love to demonstrate why Southern California is the best draw for cybersecurity!


Another One for the History Books

ACSAC 29 is now history. It was a busy week (as you could tell by the dearth of blog posts). Conference weeks are especially busy for me, as I’m the training chair for this conference and one of the long-time regulars — meaning that I’m one of the folks that helps to run the conference. Combine this with conference activities that run late, a few migraines, and there is just no energy at the end of the day to write a post.

Let me summarize, from memory, the conference day by day. This year was a weird year — tight budgets and the government shutdown meant that our registration numbers were down — severely — by the advance registration deadline. They slowly rose over the last two weeks of November to near normal levels, but it was a nail-biter. There was much more on-site registration than usual. Combine this with really bad weather at the beginning of last week that impacted the ability of people to get to New Orleans from DFW and IAD/BWI, and… Let’s put it this way: I wasn’t sure if some of the course instructors would make it. Luckily, they did.

The first day of the conference was tutorials and workshops. As training chair, I “audited” the tutorial on systems and security engineering. I’ve previously written about this: we had 3 instructors who were from Europe (Spain, Germany), and one US instructor. The European instructors seemed to emphasize modeling and security pattern work as opposed to the traditional system engineering process (or in support of it). I didn’t connect with that approach, perhaps because I’m not a UML type of guy. The US instructor talked about the NIST approach and the upcoming 800-160 document. This approach integrates security engineering into the traditional IEEE systems and software engineering approach, and made a lot more sense.

The second day was more tutorials and workshops, followed by the conference reception. During the morning, none of the tutorials were of interest (I had seen the 1/2 day tutorial the previous year), so I sat in the Next Generation Malware Workshop. The first speaker was really interesting — Michael Franz of UC Irvine talked about some approaches he is working on regarding randomization of generated code, essentially making it so that each user has a unique executable, making stack attacks to execute code much more difficult. I didn’t connect with the subsequent two morning speakers. In the afternoon, I attended the tutorial on Cyber-Physical Systems. This was a reasonably good overview, and emphasized my contention that space is just another example of a cyber-physical system.

Wednesday was the first technical program day. The distinguished practitioner talk was great — Nancy Leveson on applying Systems Thinking to Safety and Security Engineering. The basic notion was that simple failure analysis was not enough, because safety and security are both emergent properties. Engineering for both is similar, and must be done in the design. She related this to feedback control loops, and showed how to use that thinking to engineer better systems. A very good talk. After that, I attended a panel on high-assurance approaches to cyber-physical systems. I’m unsure about the approach discussed, as I don’t think formal methods will scale to complex CPS. In the afternoon was a talk on the NIST Cybersecurity Initiative, followed by a panel that I chaired looking back at the legacy of the Orange Book. Following that was the conference dinner — which was excellent — and included a great performance of the Dapper Dandies, a New Orleans Jazz Band.

Thursday started out with a great invited essay by Carl Landwehr of GWU on the need for software building codes, which he justified using the analogy to traditional building codes. After that talk, I sat for a bit in the Cyber-Resiliency session, as none of the other tracks looked that interesting. Lunch was the annual meeting of ACSA; as Secretary, I was responsible for taking notes. That ended up going long, so I missed the session after lunch. For the post-break session, I attended a paper session with two interesting papers on malware attacks: one looking at attacks and the forensic capabilities of solid-state drives; the other looking at a stealth hard-drive backdoor. I skipped out on the Works-In-Progress session, but then came back for the posters. After that was the conference committee dinner at Bayona Restaurant in the Quarter. This was a spectacular dinner.

Friday… a migraine got me. It started at 2pm, and got steadily worse. I attended the committee breakfast in pain, went back to my room, and drowsed out till it was gone, missing the first session. I also have the responsibility to pack the conference office, which meant I missed the second session as well :-(. After the end of the conference, we dropped off the shipping, and then went to Squeal for some great BBQ. It was then off to the airport and home.

Next year, the conference will be in New Orleans at the same hotel. We may recast the name to avoid some of the silliness going around in the DOD about “Conference” in the name — focusing more on what the conference is. I’m suggesting “ACSAC | Your Cybersecurity Technology Interchange Meeting”. It will be our 30th year.

ACSAC moves every two years, and aims for the sunbelt — or at least some place that isn’t freezing. We need some place with a reasonably sized airport that can accommodate direct international flights (attendees do not like changing to small planes). We need to have hotels with suitable meeting room layouts, that will provide government rates, and can accommodate 200-300 people. We also want to be within walking distance of restaurants and evening stuff, not in the middle of nowhere. For ACSAC 31 and ACSAC 32 (2015 and 2016), we’re looking to the west coast, and the two candidate cities are Los Angeles and Portland. I’m looking into Los Angeles, trying to find areas that will meet the above requirements — most likely, Santa Monica / Marina Del Rey, the south bay (Manhattan Beach / Torrance), Hollywood / Fairfax area, or Universal City. I think Long Beach and Pasadena are too far away to work, and LAX doesn’t have the right atmosphere. Probably in 2017 we’ll start looking back to the mid-country and east coast again.


Different Ways of Thinking

Yesterday was the first day of ACSAC, and it went relatively smoothly. We had a larger than normal number of on-site registrations (enough that we had to add a table at lunch), and there were no problems with the training courses or workshops.

I audited the course we had on Systems Security Engineering and Software Engineering. For this course, we had 3 European instructors (Germany, Spain), and one US instructor. I was struck by the difference in techniques and approaches. The European instructors were heavily into the security patterns and UML-based approaches. The US folk (based out of NIST) were building upon the IEEE System and Software Engineering approaches to bake security into the process. I found that I had an easier time understanding the US approach; I’ve never been a modeling or theoretical person.

I began to wonder if the gulf between the two approaches was a generational thing. Just as there is a generational difference between those who grew up with procedural languages (the FORTRANs, Pascals, PL/Is, Cs of the world) and those who grew up with the heavily object oriented languages (the Javas), between those who grew up with straightforward systems vs those who grew up with all this glueware and middleware (CORBA, etc.)… there may be a gap between those for whom modeling is the truth and the light, and those who need more straightforward mechanisms. I found that I just couldn’t glom on to the UML based approaches.

Monday evening has no formal conference activities, so I took the time to hit an excellent local record store for some music (including this local artist). We then hunted down dinner, and found it at the Gumbo Pot. I had the Gumbo Ya-Ya, and my wife had the side of Red Beans and Rice. All were very good.