
Scientists band together for TRUST-worthy research

By Niall McKay, Contributor
07 Mar 2006 | SearchSecurity.com

Security Wire Daily News

When the U.S. Secret Service wanted to put a stop to password theft and phishing, it went to TRUST -- Team for Research in Ubiquitous Secure Technology -- a recently formed group of some of the best computer security experts from eight of the country's top universities.

Three years ago, the San Francisco Electronic Crimes Task Force, a division of the Secret Service, met with Stanford University professors Dan Boneh and John Mitchell and asked them to come up with software to prevent man-in-the-middle attacks.

Scholarly Security
TRUST is a $19 million, National Science Foundation-funded project led by the University of California, Berkeley. It includes more than three dozen computer scientists from Carnegie Mellon, Stanford, Cornell, San Jose State and Vanderbilt universities, as well as liberal arts-oriented Smith and Mills colleges. Commercial contributors include IBM, Cisco Systems Inc., Microsoft and Sun Microsystems Inc.

The group's objective is to build trustworthy systems and develop government and business policies that will protect the nation's digital infrastructure from cyberattacks. For instance, one current project involves language-based security and developing a "security grammar" for computer programming languages. TRUST hopes the effort will help end an array of dangerous occurrences, such as allowing software executables and worm downloads to run without a user's or a system's knowledge.

Along those lines, scientists are attempting to carry out tasks such as "static-code verification" by setting out the design principles for secure application programming interfaces, as well as developing tools to check new APIs. Another principle is "dynamic analysis," which would closely scrutinize the inner workings of operating systems to stop inappropriate actions.

Meanwhile, as a direct result of the meeting with the Secret Service, Boneh and Mitchell and their team at Stanford have developed software that ties a user's password directly to the URL (and IP address) of the Web site being accessed, thus preventing dangerous man-in-the-middle attacks, in which an attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other directly.

The software is called PwdHash and it can be downloaded from the Stanford web site.

Even if a hacker hijacks the DNS server, posts a false Web site and captures the incoming username and password at the login, the captured password will be incorrect for the real site because it will be tied to the false IP address.
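The site-bound password idea described above, as an added illustration that is not the PwdHash code itself: a master password is run through a keyed hash together with the site name, so a look-alike site receives a different per-site password than the real one. The site-name rule (last two DNS labels) and the HMAC-SHA256 construction are simplifying assumptions for this example; the sample URLs and master password are constructed.

```python
import hmac
import hashlib
import base64
from urllib.parse import urlparse


def site_key(url: str) -> str:
    """Reduce a URL to the site name the password is bound to.
    Assumption for this example: the last two DNS labels of the host,
    lower-cased. The real tool uses its own domain-extraction rule."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive a per-site password: HMAC keyed with the master password over
    the site name, base64-encoded and truncated to a usable length.
    HMAC-SHA256 is an assumption here; the original used an older hash."""
    tag = hmac.new(master_password.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


def phishing_demo() -> dict:
    """Constructed scenario: the same master password typed at the real
    site and at a look-alike site yields different per-site passwords, so
    a credential captured by the look-alike does not work at the real site,
    while any page on the real site gets the same password."""
    master = "correct horse battery"                       # constructed
    real = "https://login.example.com/signin"              # constructed
    fake = "https://login.example-secure.net/signin"       # constructed
    other_page = "https://www.example.com/account"         # constructed
    return {
        "real": site_password(master, real),
        "fake": site_password(master, fake),
        "same_site_other_page": site_password(master, other_page),
    }
```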

Identity theft and fraud prevention are high priorities for the group. Identity theft has become widespread, but better technology will do little to reduce the problem without significant policy changes, according to Fred Schneider, TRUST's chief scientist and a professor of computer science at Cornell University.

"Many companies accept publicly available information such as a Social Security number as a means of [partly] authenticating a user," Schneider said. "This is a typical policy problem where government, law enforcement and the technology industry need to work together to encourage proper authentication methods."

Another policy problem is that both government and industry store vast amounts of information on individuals, often without their knowledge or consent, which is then regularly mined. "We have not developed good policies for allowing corporations to extract the information that they need without invading the privacy of the individual," Schneider said.

That is why the program includes Pamela Samuelson, a law professor at UC Berkeley's School of Information Management and Systems, who is examining the legal implications of storing and managing databases of personal information.

Meanwhile, TRUST reads like a who's who of computer security academics. Vanderbilt University in Nashville, Tenn., for example, is noted for its expertise in Supervisory Control and Data Acquisition (SCADA) systems used in the industrial, engineering, power generation and oil and gas industry. Stanford, located in the heart of Silicon Valley, has long been an IT research powerhouse, as have Berkeley and Cornell.

Added to the mix are Smith College in Northampton, Mass., and Mills College near Oakland, Calif., both small liberal arts women's schools. According to Schneider, these two schools are interesting to the alliance because they have young, predominantly female student populations that lend diversity to the more technical campuses.

Boneh and Mitchell also lead a project on preventing Web "phishing" and identity theft, funded by the Department of Homeland Security and conducted in conjunction with the U.S. Secret Service. It is called SpoofGuard and can be downloaded from the Stanford Web site. The software places a traffic light in the browser toolbar; it performs a number of checks and, if any of them come back negative, the traffic light turns red, warning the user not to enter sensitive information.

Niall McKay is a freelance technology writer based in Oakland, Calif.
