WWW Security
Session Chair: Wenke Lee, Georgia Institute of Technology

SIF: Enforcing Confidentiality and Integrity in Web Applications
Stephen Chong, K. Vikram, and Andrew C. Myers, Cornell University

Combating Click Fraud via Premium Clicks
Ari Juels, RSA Laboratories; Sid Stamm, Indiana University, Bloomington; Markus Jakobsson, Indiana University, Bloomington, and RavenWhite Inc.

SpyProxy: Execution-based Detection of Malicious Web Content
Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy, University of Washington

The Human Factor in Online Fraud
Markus Jakobsson, Indiana University

Listen in MP3 format

View the presentation slides

While most Internet security research addresses mathematical and algorithmic aspects, there is a recent trend towards attempting to understand the human factor of security. However, since most current efforts aimed at understanding social aspects of security take the approach of quantifying the efficacy of technical tools and user interfaces, they implicitly adopt a techno-centric view. We suggest that—at times—it may me more suitable to approach the issue from a human-centric view, and to consider how the human factor of security could guide the development of technical security measures to combat online fraud.

In this talk, we discuss what impact deceit and misuse has on online security, drawing on examples from phishing, click-fraud, and general privacy intrusions. We believe that a methodology founded on an improved understanding of human behavior—in particular, in the context of deceit—may help anticipate trends and steer the development of structures and heuristics to curb online fraud. Guided by behavioral aspects of security, we consider technical measures to preemptively counter some of the threats we describe. An extended abstract is available at www.human-factor.org.

Dr. Markus Jakobsson is an Associate Professor at Indiana University at Bloomington, Associate Director of the Center of Applied Cybersecurity Research, and a founder of RavenWhite Inc. He is the inventor or co-inventor of over fifty patents, has served as the vice president of the International Financial Cryptography Association, and is a research fellow of the Anti-Phishing Working Group. He is an editor of the International Journal of Applied Cryptography and a group editor of the ACM Mobile Computing and Communications Review. He is also an editor of Phishing and Countermeasures (Wiley, 2006), and editor/co-author of upcoming books on crimeware (Symantec Press, 2007), click-fraud (Morgan and Claypool, 2007), and cryptographic protocols (Addison-Wesley, 2007).

Privacy
Session Chair: Paul Van Oorschot, Carleton University

Language Identification of Encrypted VoIP Traffic: Alejandra y Roberto or Alice and Bob?
Charles V. Wright, Lucas Ballard, Fabian Monrose, and Gerald M. Masson, Johns Hopkins University

Devices That Tell on You: Privacy Trends in Consumer Ubiquitous Computing
T. Scott Saponas, Jonathan Lester, Carl Hartung, Sameer Agarwal, and Tadayoshi Kohno, University of Washington

Web-Based Inference Detection
Jessica Staddon and Philippe Golle, Palo Alto Research Center; Bryce Zimny, University of Waterloo

Windows Vista Content Protection
Peter Gutmann, University of Auckland, New Zealand

View the presentation slides

Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called premium content. This incurs significant costs in terms of system performance, system stability, technical support overhead, and hardware and software costs. These issues affect not only users of Vista, but also the entire PC industry. This talk looks at the technical details of Vista's content protection and the collateral damage that this incurs throughout the entire computer industry.

Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland, New Zealand, working on the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package; has authored a number of papers and RFC's on security and encryption, including the X.509 Style Guide for certificates; and is the author of Cryptographic Security Architecture: Design and Verification (published by Springer-Verlag) and the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about PKIs and the (un-)usability of security applications.

Authentication
Session Chair: Tadayoshi Kohno, University of Washington

Awarded Student Best Paper!
Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks
Saar Drimer and Steven J. Murdoch, Computer Laboratory, University of Cambridge

Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords
Julie Thorpe and P.C. van Oorschot, Carleton University

Halting Password Puzzles: Hard-to-break Encryption from Human-memorable Keys
Xavier Boyen, Voltage Security, Inc.

How to Obtain and Assert Composable Security
Ran Canetti, IBM Research

Listen in MP3 format

View the presentation slides

Capturing the security requirements of distributed systems and applications in a meaningful way is a subtle and tricky business. Assessing whether given protocols meet these requirements is even trickier. One major stumbling point is protocol composition, namely the often unexpected vulnerabilities that result from the interference between protocols in a multi-protocol system. Indeed, security analysis of protocols has traditionally been very fragile with respect to protocol composition. It was even suggested that composable security may be impossible to achieve in general.

The framework of Universally Composable security, proposed in 2001, allows one to design and analyze protocols in a way that guarantees security even when the protocol runs in an arbitrary multi-protocol system. In particular, it allows one to assert the security of protocols in unpredictable, complex environments such as the global Internet. It also enables the security analysis of complex systems to be modular, hence drastically simpler.

This talk motivates and presents the paradigm of Universally Composable security. It then briefly reviews some of the recent research done within this paradigm and on it. Part of this research touches foundational aspects in security and cryptography. Other parts have immediate practical implications.

Ran Canetti graduated from the Weizmann Institute of Science in 1995. He is currently a researcher at the Cryptography group, IBM T.J. Watson Research Center, and a visiting scientist at the Cryptography and Information Security group, CSAIL, MIT. Ran's research interests lie in cryptography and network security, with emphasis on the design and analysis of cryptographic protocols. Ran has also contributed to the security work done at the IETF, including co-designing the HMAC protocol, contributing to the design of the IPSec, TLS, and MSec protocols, and co-chairing the Multicast Security working group and the Crypto Forum research group. See also http://people.csail.mit.edu/canetti.

Threats
Session Chair: Fabian Monrose, Johns Hopkins University

Spamscatter: Characterizing Internet Scam Hosting Infrastructure
David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, University of California, San Diego

Exploiting Network Structure for Proactive Spam Mitigation
Shobha Venkataraman, Carnegie Mellon University; Subhabrata Sen, Oliver Spatscheck, and Patrick Haffner, AT&T Research; Dawn Song, Carnegie Mellon University

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation
Guofei Gu, Georgia Institute of Technology; Phillip Porras, Vinod Yegneswaran, and Martin Fong, SRI International; Wenke Lee, Georgia Institute of Technology

Exploiting Online Games
Gary McGraw, Cigital

Listen in MP3 format

View the presentation slides

View video in MP4 format:
240 by 180 pixels (40.7MB)
320 by 240 pixels (182.5MB)

This talk (based on a book of the same title co-authored by Greg Hoglund) frankly describes controversial security issues surrounding MMORPGs such as World of Warcraft. This no-holds-barred approach is fully loaded with code examples, debuggers, bots, and hacks, of interest whether you are a gamer, a game developer, a software security person, or an interested bystander. I will cover:

• Why online games are a harbinger of software security issues to come
• How millions of gamers have created billion-dollar virtual economies
• How game companies invade your privacy
• Why some gamers cheat
• Techniques for breaking online game security
• How to build a bot to play a game for you
• Methods for total conversion and advanced mods

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C., area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Software Security: Building Security In, was released in 2006, with Exploiting Online Games slated for release this year. His other titles include Java Security, Building Secure Software, and Exploiting Software; and he is editor of the Addison-Wesley Software Security series. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White.

Analysis
Session Chair: Hao Chen, University of California, Davis

Integrity Checking in Cryptographic File Systems with Constant Trusted Storage
Alina Oprea and Michael K. Reiter, Carnegie Mellon University

Discoverer: Automatic Protocol Reverse Engineering from Network Traces
Weidong Cui, Microsoft Research; Jayanthkumar Kannan, University of California, Berkeley; Helen J. Wang, Microsoft Research

Awarded Best Paper!
Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation
David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song, Carnegie Mellon University

Computer Security in a Large Enterprise
Jerry Brady, Morgan Stanley

Listen in MP3 format

Computer security is one of the most complex challenges facing large enterprises today. Securing a multinational enterprise is a balancing act based on solid risk management and technical solutions in a multifaceted, changing environment. Managing risks without securing the enterprise is meaningless, but is there a one-size-fits-all solution or special technology to secure the organization? Will this solution or technology be cost-effective? What about the intersection between IT security, physical security, and information security? Ultimately, tackling computer security within a large enterprise is more than a technical problem; it must be based on people, process, and technology in order to properly manage risks associated with threats.

Jerry Brady, Executive Director, is the Global Head of IT Security for Morgan Stanley, responsible for IT Security Strategy, Consulting and Assurances, Security Solutions, and Service Delivery.

Mr. Brady has previously been Chief Technology Officer for Guardent, a security services firm later acquired by VeriSign, managed the Security Management Applications business unit and Emerging Technologies for Internet Security Systems, and was VP of Engineering for CertCo (A Bankers Trust Spin-off).

Mr. Brady has also held several management roles in financial services firms including Bankers Trust, JP Morgan, and Touche Ross, and as Chief Security Officer for Prudential, responsible for the company wide Information Security program for all divisions.

Cellular Network Security

Panelists:
Ron Buskey, Motorola; John Larson, Sprint Labs; Simon Mizikovsky, Alcatel-Lucent; Hao Chen, University of California, Davis; Thomas La Porta and Patrick Traynor, The Pennsylvania State University

Listen in MP3 format

Mobile Malware
Mikko Hypponen, F-Secure Corp.

Listen in MP3 format

View the presentation slides

View video in MP4 format:
240 by 180 pixels (35.7MB)
320 by 240 pixels (160.8MB)

The first real viruses for mobile phones were found in June 2004. Since then, scores of different viruses have been found, most of them targeting smartphones running different versions of the Symbian operating system. Many of them are spreading in the wild and have been reported from all continents. These mobile viruses use new spreading vectors such as multimedia messages and Bluetooth and pose special problems for researchers. For example, they can easily escape during analysis as they use radio connections to spread. As total count of known mobile malware is now around 350, we know much more about what types of viruses to expect in the future and about who writes them. We also know what we should do to prevent this niche area from becoming a bigger problem.

Mikko Hypponen is the Chief Research Officer at F-Secure Corp. He has been a globally known computer antivirus guru for the past decade. He has consulted security issues to IBM, Microsoft, Nokia, FBI, the U.S. Secret Service, and Scotland Yard. Mr. Hypponen has been an invited member of CARO (the Computer Anti-Virus Researchers Organization) since 1995. In November 2006 he wrote an article on the history—and future—of mobile viruses for Scientific American.

Low Level
Session Chair: Tal Garfinkel, Stanford University

OSLO: Improving the Security of Trusted Computing
Bernhard Kauer, Technische Universität Dresden

Secretly Monopolizing the CPU Without Superuser Privileges
Dan Tsafrir, The Hebrew University of Jerusalem and IBM T.J. Watson Research Center; Yoav Etsion and Dror G. Feitelson, The Hebrew University of Jerusalem

Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems
Thomas Moscibroda and Onur Mutlu, Microsoft Research

Computer Security and Voting
David Dill, Stanford University

Listen in MP3 format

View video in MP4 format:
240 by 180 pixels (30MB)
320 by 240 pixels (176MB)

It is now quite clear that most electronic voting systems were designed with only minor concern and rudimentary knowledge of computer security. Over the past five years, people with more in-depth knowledge of computer security have helped tremendously in appraising the security of current systems and, to a lesser extent, in improving the security of voting systems. This talk will highlight the ways a computer security perspective might be able to contribute to more trustworthy voting systems, as well as some of the ways that voting is different from other computer security problems.

David Dill is a Professor of Computer Science at Stanford University. He has over 25 years of research experience developing new formal verification technologies for hardware, software, and protocols, including co-founding 0-In Design Automation in 1996. In 2003, Prof. Dill wrote the "Resolution on Electronic Voting," which called for voter-verifiable audit trails on all voting systems and has been endorsed by over 10,000 individuals, including many leading computer scientists. He is also the founder of VerifiedVoting.org, which champions reliable and publicly verifiable elections in the United States. He served on California's Task Force on Touch-Screen Voting, and has testified before the Federal Election Assistance Commission, the Carter-Baker Commission, and the U.S. Senate on the security of electronic voting systems.

Obfuscation
Session Chair: Wietse Venema, IBM Research

Binary Obfuscation Using Signals
Igor V. Popov, Saumya K. Debray, and Gregory R. Andrews, The University of Arizona

Active Hardware Metering for Intellectual Property Protection and Security
Yousra M. Alkabani and Farinaz Koushanfar, Rice University

Advanced Rootkits
Greg Hoglund, HBGary

Listen in MP3 format

Rootkits are backdoor programs that can be placed in a computer without detection. Virus scanners and desktop firewalls are woefully inadequate to stop a rootkit attack, which can go undetected for years. This talk will explain how rootkits are built for Microsoft Windows XP. It will cover detailed technical aspects of rootkit development, such as compilation, loading and unloading, function hooking, paged and nonpaged memory, interrupts and inline code injections. You'll also learn the technical aspects of the hardware environment, such as interrupt handling, memory paging, and virtual memory address translation. The talk will also cover how to detect rootkits, including runtime integrity checks and detecting hooks of all kinds, such as IRP hooks, SSDT hooks, and IDT hooks.

Greg Hoglund has been involved with software security for many years, specializing in Windows rootkits and vulnerability exploitation. He founded the Web site www.rootkit.com, and has co-authored several books on software security (Exploiting Software: How to Break Code, Addison-Wesley, 2004; Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2005). Greg is a long-time game hacker and spends much of his free time reverse engineering and tooling exploits for new games. Professionally, Greg offers in-depth training on rootkit developement and software exploit. He is currently CEO of HBGary, Inc., building a world-class product for software reverse engineering and digital forensics.

Network Security
Session Chair: Angelos Stavrou, Columbia University

On Attack Causality in Internet-Connected Cellular Networks
Patrick Traynor, Patrick McDaniel, and Thomas La Porta, The Pennsylvania State University

Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
P. Akritidis, Computer Laboratory, Cambridge University; W.Y. Chin, Institute for Infocomm Research (I²R), Singapore; V.T. Lam, University of California, San Diego; S. Sidiroglou, Columbia University; K.G. Anagnostakis, Institute for Infocomm Research (I²R), Singapore

On Web Browsing Privacy in Anonymized NetFlows
S.E. Coull, Johns Hopkins University; M.P. Collins, Carnegie Mellon University; C.V. Wright and F. Monrose, Johns Hopkins University; M.K. Reiter, Carnegie Mellon University

Covering Computer Security in The New York Times
John Schwartz, The New York Times

Listen in MP3 format

The MSM gets it wrong, the conventional wisdom goes, because the reporters aren't technically adept but are looking for scare stories to sell newspapers or get ratings. John Schwartz debunks a few myths about the mainstream media and explains that it is possible to write about security and other topics without hype to and still keep your job.