Scientists band together for TRUST-worthy research

By Niall McKay, Contributor
07 Mar 2006 | SearchSecurity.com

Security Wire Daily News

When the U.S. Secret Service wanted to put a stop to password theft and phishing, they went to TRUST -- Team for Research in Ubiquitous Secure Technology -- a recently formed group of some of the best computer security experts from eight of the country's top universities.

Three years ago, the San Francisco Electronic Crimes Task Force, a division of the Secret Service, met with Stanford University professors Dan Boneh and John Mitchell and asked them to come up with software to prevent man-in-the-middle attacks.

Scholarly Security
TRUST is a $19 million, National Science Foundation-funded project led by the University of California, Berkeley. It includes more than three dozen computer scientists from Carnegie Mellon, Stanford, Cornell, San Jose State and Vanderbilt universities, as well as liberal arts-oriented Smith and Mills colleges. Commercial contributors include IBM, Cisco Systems Inc., Microsoft and Sun Microsystems Inc.

The group's objective is to build trustworthy systems and develop government and business policies that will protect the nation's digital infrastructure from cyberattacks. For instance, one current project involves language-based security and developing a "security grammar" for computer programming languages. TRUST hopes the effort will help end an array of dangerous occurrences, such as allowing software executables and worm downloads to run without a user's or a system's knowledge.

Along those lines, scientists are attempting to carry out tasks such as "static-code verification" by setting out the design principles for secure application programming interfaces, as well as developing tools to check new APIs. Another principle is "dynamic analysis," which would closely scrutinize the inner workings of operating systems to stop inappropriate actions.

Meanwhile, as a direct result of the meeting with the Secret Service, Boneh and Mitchell and their team at Stanford have developed software that ties a user's password directly to the URL (and IP address) of the Web site being accessed, thus preventing the dangerous man-in-the-middle attacks, in which an attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other directly.

The software is called PwdHash and it can be downloaded from the Stanford web site.

Even if a hacker hijacks the DNS server, posts a false Web site and captures the incoming username and password login information, it will be incorrect because it will be tied to a false IP address.
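As an added illustration of the idea described above (not the Stanford PwdHash code itself): a simplified per-site password derivation that binds a master password to the host name of the site, so a value captured by a look-alike site does not match what the real site expects. It assumes HMAC-SHA256 keyed with the master password over the lowercased host name; the example domains are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Return the site identifier the password is bound to.

    Assumption for this illustration: the lowercased host name. The real
    PwdHash domain-extraction rules are not reproduced here.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return host.lower()


def site_password(master_password: str, url: str) -> str:
    """Derive a per-site password from the master password and the site key.

    Assumption: HMAC-SHA256 keyed with the master password over the site key,
    base64-encoded and truncated to 16 characters. This is a stand-in for the
    purpose of the example, not PwdHash's own construction.
    """
    mac = hmac.new(master_password.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:16]


def replay_works(master_password: str, capture_url: str, real_url: str) -> bool:
    """Would a derived password captured at capture_url log in at real_url?

    True only when both URLs resolve to the same site key, i.e. the capture
    happened on the genuine site. Uses a constant-time comparison as a
    verifier would.
    """
    captured = site_password(master_password, capture_url)
    expected = site_password(master_password, real_url)
    return hmac.compare_digest(captured, expected)


if __name__ == "__main__":
    # Constructed domains: the genuine bank and a look-alike phishing host.
    real = "https://bank.example/login"
    phish = "https://bank.example.login-verify.test/login"
    print("genuine site accepts:", replay_works("hunter2", real, real))
    print("phished value accepted:", replay_works("hunter2", phish, real))
```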

Identity theft and fraud prevention are high priorities for the group. Identity theft has become widespread, but better technology will do little to reduce the problem without significant policy changes, according to Fred Schneider, TRUST's chief scientist and a professor of computer science at Cornell University.

"Many companies accept publicly available information such as a Social Security number as a means of [partly] authenticating a user," Schneider said. "This is a typical policy problem where government, law enforcement and the technology industry need to work together to encourage proper authentication methods."

Another policy problem is that both government and industry store vast amounts of information on individuals, often without their knowledge or consent, which is then regularly mined. "We have not developed good policies for allowing corporations to extract the information that they need without invading the privacy of the individual," Schneider said.

That is why the program includes Pamela Samuelson, a law professor at UC Berkeley's School of Information Management and Systems, who is examining the legal implications of storing and managing databases of personal information.

Meanwhile, TRUST reads like a who's who of computer security academics. Vanderbilt University in Nashville, Tenn., for example, is noted for its expertise in Supervisory Control and Data Acquisition (SCADA) systems used in the industrial, engineering, power generation and oil and gas industry. Stanford, located in the heart of Silicon Valley, has long been an IT research powerhouse, as have Berkeley and Cornell.

Added to the mix are Smith College in Northampton, Mass. and Mills College near Oakland, Calif., both small liberal arts women's schools. According to Schneider, these two schools are interesting to the alliance because they have young, predominantly female student populations to lend diversity to the more technical campuses.

Boneh and Mitchell also lead a project on preventing Web "phishing" and identity theft, funded by the Department of Homeland Security and conducted in conjunction with the U.S. Secret Service. It's called SpoofGuard, and it can be downloaded from the Stanford Web site. The software places a traffic light in the browser toolbar and performs a number of checks; if any of them come back negative, the traffic light turns red, warning the user not to enter sensitive information.

Niall McKay is a freelance technology writer based in Oakland, Calif.
