Posts Tagged ‘computer security researcher’

Let me tell you about children who are leading changes in a wide variety of areas including education, research on cancer and asthma, and even information security and privacy. It was eye-opening to me because many people—including me!—discount discoveries made by children because they are “too young” to add significant information to a dialog. What they could add—if we give them a chance—is a fresh perspective.

I recently had the opportunity to attend an information security keynote presentation given by Reuben Paul. I attend many security events every year, so that might not seem so unusual, except that this amazing young man is only nine years old. He gave his first information security presentation Infosec from the Mouth of Babes at the 2014 DerbyCon conference in Kentucky at the age of eight, and he has given many presentations since then. Here is his story. His father, Mano Paul, is an information security trainer and consultant.

Reuben’s talk at DerbyCon discussed three topics:

  1. Why should you teach kids about Information Security?
  2. How can you teach kids about Information Security?
  3. What can kids teach you about Information Security?

Reuben’s advice at DerbyCon? “[Parents and educators should] teach … kids to use [technology] safely and securely.”

Many grownups do not have the level of understanding of privacy and security that Reuben does. How did Reuben gain that understanding? Reuben credits his parents and his school for being supportive, but some credit belongs to Reuben. He imagined how children could participate in information security and privacy, and insisted on being heard. That takes, well, imagination as well as persistence.

Then I started looking at other amazing children. I found a section on TED Talks called “TED under 20.”

One of the first videos I saw was called Science is for everyone, kids included. The video tells the story of neuroscientist Beau Lotto working with a class of 25 eight- to ten-year-old children from Blackawton Primary School, Blackawton, Devon, UK. The children developed an experiment on training bees to choose flowers according to rules. Then the children wrote and submitted a paper, which was published by the Royal Society Biology Letters.

The paper is free to download and fun to read!

The conclusion the Blackawton Primary School children came to was that “Play enables humans (and other mammals) to discover (and create) relationships and patterns. When one adds rules to play, a game is created. This is science: the process of playing with rules that enables one to reveal previously unseen patterns of relationships that extend our collective understanding of nature and human nature.”

Jo Lunt, science teacher at Blackawton Primary School, said, “I think one of the biggest changes I’ve seen is the children’s approach to learning science. They don’t get so hung up or worried about getting the answer right. They think more about the journey they’re on and the learning they’re doing along the way.”

How I harnessed the wind, is the story of William Kamkwamba. Malawi, the country where he lived, experienced a drought in 2001. He and his family not only couldn’t pay for his schooling, they were all starving because their crops failed. He was determined to help his family find a solution for the drought. He found a book in the library with plans for a windmill. At the age of 14, he built his first windmill from scrap yard materials to pump water for crop irrigation and to create electricity.

Award-winning teenage science in action explains the projects of the three teenage girls who won the 2011 Google Science Fair. Lauren Hodge, age 13-14 category, conducted her research on how carcinogens formed while grilling chicken. Shree Bose’s project, the age 17-18 age category and grand prize winner, concentrated on reasons why cancer survivors developed resistance to chemotherapy. Naomi Shah, age 15-16 category, used a complex mathematical model to look at ways to improve air quality for asthmatics.

Children learn very rapidly, and since they have used technology all their lives, they will often master new skills with an ease that will take your breath away. Be the change, mentor change, and be willing to change. Be open to learning from anyone who can teach you!

Krebs.2jpgI recently had the pleasure of attending a presentation put on by Brian Krebs, where he also signed his new book, Spam Nation.

I have been reading his blog,, since I did a paper on the Russian Business Network in 2008 for a class I was taking.

His blog is fascinating, and the book is also! The book has everything you’d look for in a thriller—spies, counterspies, theft, drugs, murder, hackers—and it’s all true. Even if you’re not a techie, I highly recommend this book.

And, if you’re buying pharmaceuticals from an online pharmacy that doesn’t ask for a doctor’s prescription, I hope this book will convince you to stop. It’s a really dangerous practice because you don’t know what you’re ingesting.

You might know and follow the general rules for creating a good password. Apparently, no one else does.

The “25 Worst Passwords” is an annual press release from SplashData, which sells password management tools. They also tap into the resources provided by similar security reporting firms. Those reports from recent news stories illustrate that most people seem to be really bad at inventing new passwords. Writing about the Adobe website breach of 2013 PC World revealed that ‘adobe123’ and ‘photoshop’ were very common choices. An article from the BBC cited security researcher Per Thorsheim. He pointed out that the color schemes of Twitter, Facebook, and Google, all lead people to include the word “blue” in their passwords.

As a result, more websites require you to use a Mix of Upper and Lower Case, and also to include $pecial C#aracters and Numb3rs. The password photoshop becames !Ph0t0$hop* and that should be more secure.

However, what really makes that more secure is not the mix of characters but the two additional symbols. The ! and * at the beginning and end turn a string of 9 characters into a string of 11. The basic arithmetic of computing says that the longer something is, the harder it is to guess. Your bank transfers money with cipher strings of 200 digits. We call them “computationally difficult” to crack.

“Black hat hackers” build special computers to attack passwords. One of those homebrew boxes broke every Windows-standard 8-character password in under 6 hours. A lesser machine revealed 90% of the passwords on LinkedIn. However, if you have an 11-character password those powerful crackers would need 515 years to work through all the possible combinations. And yet, long as they are “AmericanTheBeautiful” and “ToBeOrNotToBe” are known phrases.

Those networks of multiple game processors also grind through huge databases of words and proper names in English and their many variations. . Passages from the Bible, quotations from Shakespeare, and other cultural artifacts add to the databases.  Black hat hackers have mammoth dictionaries of known passwords. Those are compiled from the revelations of each successful attack.

Password Cracking Machine

Jeremi Gosney’s High Performance Computer. The rapidly-moving graphics of games are computationally intensive. So, the central processor and parallel processors of the Xbox, PlayStation, and others rely on co-processors designed for rapid arithmetic. That makes them perfect for running billions of guesses per second.

It is also true that some websites prevent you from using special characters. You might be instructed to keep your passwords to Upper and Lower Case Letters and the numerals 0 through 9. Restricted like that, all of the possible 11-character passwords can be broken in just 4 years. Turn the computer on; let it run day and night; it churns out passwords.

The reason why you sometimes are restricted from special characters is that the Dollar $ign and <Greater-than Less-than> and @some others# are common to programming systems and languages such as SQL (pronounced “sequel”) and Java. So, in place of the password, a hacker inserts a line of computer code to open up the website to their commands. Such SQL attacks are common.

BBC Cat 2

“If you have a cat, or any other type of pet, do not use its name as part of a password.” – BBC

That brings us to the corporations and organizations that allow your data to be stolen. SQL attacks are an old, known problem. But everyone is busy. And businesses cut costs by releasing employees. So, successful attacks are inevitable. The key to security is not just to put up barriers. Victims must act quickly, decisively, and effectively when those firewalls are breached. And they will be breached. It is not a matter of “if” but of “when.” For over 20 years, even the FBI has suffered periodic intrusions.   Rather than requiring you to have a ridiculously difficult password, the system administrators should just do their jobs.

But this is the Information Age. We all have computers, phones, pads, notebooks, and networks. That puts the burden back on you.

We give out our usernames and passwords all too easily. Spam Nation is new book by Brian Krebs. Formerly a technology writer for the Washington Post, Krebs more recently investigated two Russian “businessmen” who apparently controlled the world’s largest floods of spam email. They sold fake Viagra and fake vicodin, fake Gucci and fake Rolex. Millions of people bought them. From all indications, the crooks really did deliver the goods. In doing that, they acquired millions of usernames and passwords. And people are lazy.

If you have the same log-in credentials for illegal drugs that you do for your bank account, you have only yourself to blame when a drug dealer steals your money.

Brian Krebs writes a very readable blog.

Brian Krebs writes a very readable blog.

But the same breach could come through the garden club, the library charity, your school, or work. How many log-in accounts have you had since the Worldwide Web was launched in 1991? According to Brian Krebs, it is your responsibility to keep yourself safe by keeping your identities separate.

Even Wonder Woman, Superman, Batman, and Batgirl manage only two lives each, not twenty. You may need a password manager. PC Magazine, PC World, MacWorld, and InfoWorld all review and evaluate password managers. It is a start. Of course, if your home Wi-Fi network is open to the public, then you have a different problem, entirely.


If you have a late model car, someone could disable the brakes, command the steering wheel, set the speed, open the doors, disable the airbags, or explode them, all from a Wi-Fi hotspot.

Perhaps the modern icon is the General Motors OnStar system. Everyone knows it; it shows up in movies and TV as commonly as orange juice or dogs. OnStar was launched in 1995 and went from analog to completely digital in 2006. (Wikipedia here.)  Now, such radio systems are a standard feature on common makes and models. The radios are called “transceivers” for “transmitter and receiver”, that is, a “walkie-talkie” or two-way radio, in other words, a cell phone that is always on. With that link someone can take control of your car.

Computers in cars go back to the 1978 Cadillac Seville. The chip was a Motorola 6800, used also in early personal computers. It ran the car’s onboard display that provided eleven outputs such as fuel economy, estimated time of arrival, and engine speed. By the turn of the Millennium, upscale BMWs and Mercedes boasted 100 processors. Even the low-tech Volvo now has 50. (Automotive Mileposts website here and Embedded website here. Note that “embedded” systems are computer controllers that built into other machines for control or diagnostics. Embedded systems is a branch of computing.)

However, the older your car, the safer you are. A vehicle from the 1980s or 1990s will have electronic controls, but they will be less open to attack from the outside.  Without a radio link such as OnStar, there is no way to control the car from the outside. Also, the older processors were more often dedicated to reporting things such as gas mileage or fuel economy. Electronic fuel ignition replaced carburetors, but, again, was a simple, stand-alone controller that could not be compromised from the outside.

Over the past few years, two different security projects have been reported in which “white hat hackers” (good guys) investigated ways to take control of different models of automobile.


The little antenna on the Prius is not just for the FM radio.

 In 2011, Car and Driver told about the work of the Center for Automotive Embedded Systems Security, a collaboration between academics from the University of Washington and California State University at San Diego. First, they plugged their own device under the dashboard to compromise the on-board diagnostic computer. (Anyone who can get to your car could do that the next time you take in for an oil change or other routine service.) In the second phase, they figured out how to do that remotely.

According to Car and Driver: “Such breaches are possible because the dozens of  independently operating computers on modern vehicles are all connected through an in-car communications network known as a controller-area-network bus, or CAN bus.  Even though vital systems such as the throttle, brakes, and steering are on a separate part of the network that’s not directly connected to less secure infotainment and diagnostic systems, the two networks are so entwined that an entire car can be hacked if any single component is breached.”  (“Hack to the Future” Car and Driver July 2011 by Keith Barry here.)  The original research from the academics is posted online as PDFs.  (See below).

In the words of the researchers:  “We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”  (Published as “Experimental Security Analysis of a Modern Automobile” by

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.
 IEEE Symposium on Security andPrivacy, Oakland, CA, May 16–19, 2010. Available as a PDF from the authors here.)

Then, having figured out how to install their own controller into a car under the dashboard, they turned to the problem of remote control.

“Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model—requiring prior physical access—has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.”  (Published as “Comprehensive Experimental Analyses of Automotive Attack Surfaces” by Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage (University of California, San Diego) and Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (University of Washington). Available as a PDF from the authors here.)

Two years later, Andy Greenberg, who reports on technology for Forbes, filed a story about Charlie Miller and Chris Valasek who carried out their own car hacking research with a government grant.

“Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.” (Forbes, August 12, 2013 here. This story includes a video of the event. They took Greenberg for a ride that ended in a crash despite everything he could do to fight for control of the car. The 5 mph roll out finally stopped in some high grass. )



I shop at Target about once a week. Last Saturday, I was dismayed to discover that an estimated 40 million debit and credit cards used at Target had been stolen. This isn’t the first time my card number has been stolen, and it probably won’t be the last, unfortunately.

Many of those cards will be duplicate numbers, so the total number of cards stolen will probably be fewer than 40 million. Still, it is a very large breach, the second largest to date. The biggest breach—90 million credit/debit account numbers!—in the US occurred at TJX over a period of 18 months and was discovered on December 18, 2006 (TJX data theft).

First, let’s look at what happened:

  • On December 15, 2013, malware was discovered on Target’s point-of-sale systems at US stores. Target eliminated the malware, and notified card processors and payment card networks.
  • According to some sources (a Reuters story posted on Yahoo!), Target did not find the breach; it was discovered by a security researcher. That is worrisome.
  • According to Target, the issue only affected US stores; purchases made online at or in Canada were not part of the breach.
  • In their statement, Target explains the breach occurred between 11/27/2013 and 12/15/2013.
  • PIN data was stolen (Reuters – Target says PINs stolen, but confident data secure), but not the key, which according to Target’s statement, resides at the external card processing center. They are not giving out the name of their processing center. The PIN data is encrypted with Triple DES encryption.  To decrypt the PIN data, the thieves need the key.
  • There are 2 types of security codes used with credit/debit cards. Each card issuer calls the security codes by different names.
    • The first code is embedded in the magnetic stripe of the card and is used when you present the card to a merchant; it’s often called the CVV code. This one was included in the stolen data.
    • The second number, often called the CVV2 code, is not included in the magnetic stripe data and therefore was not stolen. This is the number used when you make card-not-present transactions, such as online or over the phone. American Express prints the four-digit number they use on the front side of the card, while most other issuers use a three-digit code printed on the back of the card next to the signature area.
  • The US Secret Service is investigating, as well as an unnamed outside investigator.
  • Stay tuned for more details. I don’t think investigators have a good handle on this theft yet, so the details are likely to change.

Note: PINs are not the safest way to protect your financial information; there are only 10,000 combinations (0000 to 9999). Europe uses electronic chips in their cards; another method is a dynamic pin generated through a text message or some other media, such as an RSA token. The problem with dynamic pins is that they’re slow and expensive.

According to Krebs on Security, stolen Target credit/debit card numbers are already being sold in underground black markets in batches of one million cards.

What to do?

  1. Monitor any account(s) used at Target at least daily for evidence of tampering.
  2. Check out the Target breach details.
  3. Get a copy of your credit report. You get 1 free credit report from each credit agency per year.
  4. Target says they will pay for credit reporting; they will have more details later.
  5. Replace your card:
    • If you use a Target REDcard, contact Target for a replacement card.
    • Ask your bank or credit union to replace each card used at Target during the dates the breach occurred.
  6. If you choose not to replace your card, at least change your PIN number.
  7. When you choose a PIN, do not use your birth date or consecutive digits, such as “1234.”
  8. Some cards allow you to add an alert when it’s used; check with your card issuer to find out if they have this feature. The Target REDcard does give you this ability.
  9. Do not respond to any scam emails, texts, or phone calls asking for your PIN or your social security number or your credit card number.
  10. Some people suggest buying a prepaid credit card or using cash instead of using credit/debit cards. I’ve never used one, so I don’t know anything about costs, but I’m going to look into it.

If you notice fraudulent activity in your account:

  1. Notify your card issuer immediately at the number on the back of your card and cancel your card. This greatly limits the payment portion of fraud you’re responsible for.
  2. Put a block on your credit report at one of the three credit reporting agencies:
  3. Read the FTC’s tips for “Lost or Stolen Credit, ATM, and Debit Cards.”

Who pays the costs?

While it’s true that the banks and the merchant eat the losses initially; ultimately, we all pay the price of such theft through higher costs.

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other and it often runs on devices unless it is turned off. I have listed a few examples of devices that might have it enabled, which include such devices as home routers, printers, smart TVs, IP cameras, and home automation systems, but there could be many other types of devices that could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions as well as a link to a more in-depth, technical explanation if  you’re interested.

A new vulnerability reported at bugtraq on December 11, 2012, has just come to my notice.  The compromise occurs if you visit a website displaying an ad containing the exploit, even so-called safe sites like YouTube or the New York Times. If you have any version of Internet Explorer open on a compromised website–even if the page is minimized or you’re not on the page–your mouse cursor movements can be tracked.

Microsoft’s position as stated in this article is that this vulnerability would be very difficult to exploit.

There is a demo of this issue in Internet Explorer at All I could see displayed was when the CTRL, SHIFT, or ALT keys were pressed; no other keys displayed. I could, however, tell when the browser window was dragged to my other screen. Note: has a demo game set up. In order to play the game, they want you to log in with your Twitter account. I do not recommend signing into any site with credentials from Facebook, Twitter, LinkedIn, or any other social media site.

As stated in the article, the demo does not work if the URL is entered into a Firefox web browser.

My suggestion is to only use Internet Explorer if necessary, and to close any browser–IE, Firefox, Chrome, whatever–when you are done using it, especially if it has ads on it.

Peter G. Neumann, an 80-year-old computer scientist working at SRI International, and Robert N. Watson, a computer security researcher based at Cambridge University’s Computer Laboratory, are heading a team who are working on a five-year project for the Pentagon’s Defense Advanced Research Projects Agency (DARPA) CRASH program to redesign computers and networks to make them secure. CRASH stands for Clean-slate design of Resilient, Adaptive, Survivable Hosts. The project is called CTSRD (CRASH-worthy Trustworthy Systems R&D).

Dr. Neumann quotes Albert Einstein when talking about computer security, “Everything should be made as simple as possible, but no simpler.”

The NY Times has a great article on Dr. Neumann and his project at You can read the first paper that Dr. Neumann and Dr. Watson published about CTRSD at