- monthly subscription or
- one time payment
- cancelable any time
"Tell the chef, the beer is on me."
Over 100 of the best students in cyber from the UK Academic Centres of Excellence in Cyber Security Research are gathered here at the University of Cambridge Computer Laboratory today for the second edition of our annual “Inter-ACE” hacking contest.
The competition is hosted on the CyberNEXS cyber-range of our sponsor Leidos, and involves earning points for hacking into each other’s machines while defending one’s own. The competition has grown substantially from last year’s: you can follow it live on Twitter (@InterACEcyber) At the time of writing, we still don’t know who is going to take home the trophy. Can you guess who will?
The event has been made possible thanks to generous support from the National Cyber Security Centre, the Cabinet Office, Leidos and NCC Group.
We’re looking for a Chief Information Security Officer. This isn’t a research post here at the lab, but across the yard in University Information Services, where they manage our networks and our administrative systems. There will be opportunities to work with security researchers like us, but the main task is protecting Cambridge from all sorts of online bad actors. If you would like to be in the thick of it, and you know what you’re doing, here’s how you can apply.
BSides London 2017
7th June 2017
ILEC Conference Centre, 47 Lillie Road London, SW6 1UD
We invite proposals for BSides London 2017, to be held on the 7th June, 2017 in London, UK.
Please note that all submissions must be submitted at: https://bit.ly/BSidesLDN2017CFP
CfP opens – February 14th
CfP closes – March 27th
Voting on CFP Open – March 30th
Voting on CFP Close – April 13th
email notification to proposers – April 14th
Deadline for speakers to confirm attendance – April 21st
BSides London schedule published – May 1st
BSides London! – June 7th, 2017
(All deadlines are 11:59pm GMT)
What is BSides?
Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
This year our focus will be on a theme that is a fundamental to InfoSec: “Sharing is Caring: Disclosure, leaks as well as knowledge transfer it is all about sharing”. We seek original contributions that present attacks, analyses, designs, applications, protocols, systems, practical experiences, and theory. As usual the theme is not prescriptive, and proposals may include (but are not limited to) the following topics:
* Information technology
* Network security & Cryptography
* Web Application security
* Mobile security
* Usable security
* Virtualization and cloud computing
* Innovative attack / defense strategies
* Forensics / Malware
* Embedded device security / IoT
* Physical security and lockpicking
* Hardware hacking
* Biohacking and modification
* Open source software
* Robotics (bonus points for bringing an actual robot)
* Massive abuse of technology
* Evolutionary computing
* Ethical and philosophical implications of hacking
Advice to presenters
PRESENTATIONS should describe novel technical contributions within the scope of the call. The presentations will be subjected to open (non-blind) peer review by the organising committee. The allotted time for each presentation will typically be between 45 minutes to 1 hour (including Q&A); though shorter presentations are also welcome.
Remember that our participants’ backgrounds and experience are varied. There must be something for everyone, so when choosing a subject go with something you are comfortable with no matter the difficulty level. Your presentation should tell us a story:
– Here is a problem
– It’s an interesting problem
– It’s an unsolved problem
– Here is my idea
– My idea works (details, data)
– Here’s how my idea compares to other people’s approaches
If your talk is not selected, please keep in mind that we aim to provide a “lighting talks” track where speakers can present their topics on a first come/first served basis.
Best of luck and thanks for being part of Security BSides London! For additional information or questions regarding the process please email cfp at securitybsides.org.uk
As in previous years, the schedule for BSides London 2017 will be selected by public vote.
This post was written to update you on the current situation of our dear friend and CEO Felix 'FX' Lindner. It will be used to keep you updated on FX's progress. Please understand that updates won’t happen regularly. Some of you already heard the news, but some haven’t. To cut the sad story of a long journey short: FX suffered from cerebral bleeding (aneurysm) in early July 2016. He underwent several surgeries, which thankfully all went well – considering the circumstances. Unfortunately, FX is under medical supervision since. Just recently, he was moved from medical care to a specialized rehabilitation institution, where his health situation will hopefully improve even further. The journey to a full recovery is still ahead of him and will take an indefinite amount of time. Be assured that his family and everyone at Recurity Labs supports him to make sure that he receives the best imaginable treatment available. If you feel like sending encouraging words to FX, his family, or even us, please write to firstname.lastname@example.org. Please note that all messages will be read and filtered by the responsible people at Recurity Labs and forwarded as we see fit. This has been made a requirement by FX's family in order to enable us to responsibly channel such messages depending on FX' state of health. However, no messages will be left unread or deleted without at least passing your name and wishes along. We want to thank you for your discretion during the last half year, your respectful manners and your sympathy transmitted electronically or verbally in various ways. But most importantly, we wish FX a fast and full recovery! All the best and thank you, FX's family and the team at Recurity Labs
The following is an op-ed I wrote in today’s Times. It appeared in their Thunderer column.
You’re less likely to be treated fairly by your bank if you’re elderly, poor, female or black. We’ve suspected this for years, and finally The Times has dug up the numbers to prove it.
Fraud victims who’re refused compensation often contact our security research group at Cambridge after they find we work on payment fraud. We call this stream of complaints our ‘fraud telescope’ as it gives us early warning of what the bad guys are up to. We’ve had more than 2,000 cases over 25 years.
In recent years we’ve started to realise what we weren’t seeing. The “dark matter” in the fraud universe is the missing victims: we don’t see that many middle-class white men. The victims who do come to us are disproportionately elderly, poor, female, or black. But crime surveys tell us that the middle classes and the young are more likely to be victims of fraud, so it’s hard to avoid the conclusion that banks are less generous to some of their customers.
We raised the issue of discrimination in 2011 with one of the banks and with the Commission for Racial Equality, but as no-one was keeping records, nothing could be proved, until today.
How can this discrimination happen? Well, UK rules give banks a lot of discretion to decide whether to refund a victim, and the first responders often don’t know the full story. If your HSBC card was compromised by a skimmer on a Tesco ATM, there’s no guarantee that Tesco will have told anyone (unlike in America, where the law forces Tesco to tell you). And the fraud pattern might be something entirely new. So bank staff end up making judgement calls like “Is this customer telling the truth?” and “How much is their business worth to us?” This in turn sets the stage for biases and prejudices to kick in, however subconsciously. Add management pressure to cut costs, sometimes even bonuses for cutting them, and here we are.
There are two lessons. First, banks need to train staff to be aware of unconscious bias (as universities do), and monitor their performance.
Second, the Financial Conduct Authority needs to protect all customers properly. It seems to be moving in the right direction; after the recent fraud against tens of thousands of Tesco Bank account holders, it said it expected fraud victims to be made good immediately. This has been the law in the USA since the 1980s and it must become a firm rule here too.
Now that everyone’s distracted with the supreme court case on Brexit, you can expect the government to sneak out something it’s ashamed of. Health secretary Jeremy Hunt has decided to ignore the wishes of over a million people who opted out of having their hospital records given to third parties such as drug companies, and the ICO has decided to pretend that the anonymisation mechanisms he says he’ll use instead are sufficient. One gently smoking gun is the fifth bullet in a new webpage here, where the Department of Health claims that when it says the data are anonymous, your wishes will be ignored. The news has been broken in an article in the Health Services Journal (it’s behind a paywall, as a splendid example of transparency) with the Wellcome Trust praising the ICO’s decision not to take action against the Department. We are assured that “the data is seen as crucial for vital research projects”. The exchange of letters with privacy campaigners that led up to this decision can be found here, here, here, here, here, here, and here.
An early portent of this u-turn was reported here in 2014 when officials reckoned that the only way they could still do administrative tasks such as calculating doctors’ bonuses was to just pretend that the data are anonymous even though they know it isn’t really. Then, after the care.data scandal showed that a billion records had been sold to over a thousand purchasers, we reported here how HES data had also been sold and how the minister seemed to have misled parliament about this.
I will be talking about ethics of all this on Thursday. Even if ministers claim that stolen medical records are OK to use, researchers must not act as if this is true; if patients end up trusting doctors as little as we trust politicians, then medical research will be in serious trouble. There is a video of a previous version of this talk here.
Meanwhile, if you’re annoyed that Jeremy Hunt proposes to ignore not just your privacy rights but your express wishes, you can send him a notice under Section 10 of the Data Protection Act forbidding him from disclosing your data. The Department has complied with such notices in the past, albeit with bad grace as they have no automated way to do it. If thousands of people serve such notices, they may finally have to stand up to the drug company lobbyists and write the missing software. For more, see here.
Last week I gave a keynote talk at CCS about DigiTally, a project we’ve been working on to extend mobile payments to areas where the network is intermittent, congested or non-existent.
The Bill and Melinda Gates Foundation called for ways to increase the use of mobile payments, which have been transformative in many less developed countries. We did some research and found that network availability and cost were the two main problems. So how could we do phone payments where there’s no network, with a marginal cost of zero? If people had smartphones you could use some combination of NFC, bluetooth and local wifi, but most of the rural poor in Africa and Asia use simple phones without any extra communications modalities, other than those which the users themselves can provide. So how could you enable people to do phone payments by simple user actions? We were inspired by the prepayment electricity meters I helped develop some twenty years ago; meters conforming to this spec are now used in over 100 countries.
We got a small grant from the Gates Foundation to do a prototype and field trial. We designed a system, Digitally, where Alice can pay Bob by exchanging eight-digit MACs that are generated, and verified, by the SIM cards in their phones. For rapid prototyping we used overlay SIMs (which are already being used in a different phone payment system in Africa). The cryptography is described in a paper we gave at the Security Protocols Workshop this spring.
Last month we took the prototype to Strathmore University in Nairobi to do a field trial involving usability studies in their bookshop, coffee shop and cafeteria. The results were very encouraging and I described them in my talk at CCS (slides). There will be a paper on this study in due course. We’re now looking for partners to do deployment at scale, whether in phone payments or in other apps that need to support value transfer in delay-tolerant networks.
Over the past fifteen years, we’ve come to realise that many information security failures arise from poor incentives. If Alice guards a system while Bob pays the cost of failure, things can be expected to go wrong. Security economics is now an important research topic: you can’t design secure systems involving multiple principals if you can’t get the incentives right. And it goes way beyond computer science. Without understanding how incentives play out, you can’t expect to make decent policy on cybercrime, on consumer protection or indeed on protecting critical national infrastructure
We first did the course last year as a paid-for course with EdX. Our agreement with them was that they’d charge for it the first time, to recoup the production costs, and thereafter it would be free.
So here it is as a free course. Spread the word!
At our security group meeting on the 19th August, Sergei Skorobogatov demonstrated a NAND backup attack on an iPhone 5c. I typed in six wrong PINs and it locked; he removed the flash chip (which he’d desoldered and led out to a socket); he erased and restored the changed pages; he put it back in the phone; and I was able to enter a further six wrong PINs.
Sergei has today released a paper describing the attack.
During the recent fight between the FBI and Apple, FBI Director Jim Comey said this kind of attack wouldn’t work.
Petr Svenda et al from Masaryk University in Brno won the Best Paper Award at this year’s USENIX Security Symposium with their paper classifying public RSA keys according to their source.
I really like the simplicity of the original assumption. The starting point of the research was that different crypto/RSA libraries use slightly different elimination methods and “cut-off” thresholds to find suitable prime numbers. They thought these differences should be sufficient to detect a particular cryptographic implementation and all that was needed were public keys. Petr et al confirmed this assumption. The best paper award is a well-deserved recognition as I’ve worked with and followed Petr’s activities closely.
The authors created a method for efficient identification of the source (software library or hardware device) of RSA public keys. It resulted in a classification of keys into more than dozen categories. This classification can be used as a fingerprint that decreases the anonymity of users of Tor and other privacy enhancing mailers or operators.The graphs extracted from: The Million Key Question – Investigating The Origins of RSA Public Keys (follow the link for more).
All that is a result of an analysis of over 60 million freshly generated keys from 22 open- and closed-source libraries and from 16 different smart-cards. While the findings are fairly theoretical, they are demonstrated with a series of easy to understand graphs (see above).
I can’t see an easy way to exploit the results for immediate cyber attacks. However, we started looking into practical applications. There are interesting opportunities for enterprise compliance audits, as the classification only requires access to datasets of public keys – often created as a by-product of internal network vulnerability scanning.
An extended version of the paper is available from http://crcs.cz/rsa.
A handful of our users have already requested information regarding the Qt 5.6.0 build, that is shipped with IDA 6.95.
Here are the options that were used to build the libraries on:
...\5.6.0\configure.bat "-nomake" "tests" "-qtnamespace" "QT" "-confirm-license" "-accessibility" "-opensource" "-force-debug-info" "-platform" "win32-msvc2015" "-opengl" "desktop" "-prefix" "C:/Qt/5.6.0"
.../5.6.0/configure "-nomake" "tests" "-qtnamespace" "QT" "-confirm-license" "-accessibility" "-opensource" "-force-debug-info" "-platform" "linux-g++-32" "-developer-build" "-fontconfig" "-qt-freetype" "-qt-libpng" "-glib" "-qt-xcb" "-dbus" "-qt-sql-sqlite" "-gtkstyle" "-prefix" "/usr/local/Qt/5.6.0"
.../5.6.0/build/../configure "-nomake" "tests" "-qtnamespace" "QT" "-confirm-license" "-accessibility" "-opensource" "-force-debug-info" "-platform" "macx-g++-32" "-debug-and-release" "-fontconfig" "-qt-freetype" "-qt-libpng" "-qt-sql-sqlite" "-prefix" "/Users/Shared/Qt/5.6.0"
In addition to the specific configure options, the Qt build that ships with IDA includes the following patch. You should therefore apply it to your own Qt 5.6.0 sources before compiling, in order to obtain similar binaries.
Note that this patch should work without any modification, against the 5.6.0 release as found there. You may have to fiddle with it, if your Qt 5.6.0 sources come from somewhere else.
IDA is still, as of this writing (August 9th, 2015), a 32-bit application and both IDA & its installer(*) require certain 32-bit libraries to be present on your Linux system before they can run.
Here is the list of commands you will have to run in order to install those dependencies, for the following systems:
(*) that is: if you want the installer to run a graphical interface, instead of a command-line one.
The following should allow IDA to run on most Linux systems deriving from Debian distributions:
sudo dpkg --add-architecture i386 sudo apt-get update sudo apt-get install libc6-i686:i386 libexpat1:i386 libffi6:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386 libglib2.0-0:i386 libice6:i386 libpcre3:i386 libpng12-0:i386 libsm6:i386 libstdc++6:i386 libuuid1:i386 libx11-6:i386 libxau6:i386 libxcb1:i386 libxdmcp6:i386 libxext6:i386 libxrender1:i386 zlib1g:i386 libx11-xcb1:i386 libdbus-1-3:i386 libxi6:i386 libsm6:i386 libcurl3:i386
It is necessary to also run the following command, for IDA to present a usable & well-integrated GUI on many Debian & Ubuntu desktops. If the set of dependencies above are not enough to obtain a slick UI, please try the following:
sudo apt-get install libgtk2.0-0:i386 gtk2-engines-murrine:i386 gtk2-engines-pixbuf:i386 libpango1.0-0:i386
IDA will require the following packages to be installed, in order to run properly on RHEL 7.2 (and probably any other RPM-based distribution) :
redhat-lsb-core.i686 glib2.i686 libXext.i686 libXi.i686 libSM.i686 libICE.i686 freetype.i686 fontconfig.i686 dbus-libs.i686
While the author of this post is not quite familiar with Arch Linux, one of our users reported that adding the required dependencies can be performed through the AUR package that can be found at: https://aur.archlinux.org/packages/ida-pro-6.4/.
(And then, installing a 32-bit system-wide interpreter (i.e., if one favors that option over the default that consists of using the Python runtime shipped with IDA), should be performed by installing the package ‘lib32-python2’.)
At PETS 2016 we presented a new side-channel attack in our paper Don’t Interrupt Me While I Type: Inferring Text Entered Through Gesture Typing on Android Keyboards. This was part of Laurent Simon‘s thesis, and won him the runner-up to the best student paper award.
We found that software on your smartphone can infer words you type in other apps by monitoring the aggregate number of context switches and the number of hardware interrupts. These are readable by permissionless apps within the virtual procfs filesystem (mounted under /proc). Three previous research groups had found that other files under procfs support side channels. But the files they used contained information about individual apps– e.g. the file /proc/uid_stat/victimapp/tcp_snd contains the number of bytes sent by “victimapp”. These files are no longer readable in the latest Android version.
We found that the “global” files – those that contain aggregate information about the system – also leak. So a curious app can monitor these global files as a user types on the phone and try to work out the words. We looked at smartphone keyboards that support “gesture typing”: a novel input mechanism democratized by SwiftKey, whereby a user drags their finger from letter to letter to enter words.
This work shows once again how difficult it is to prevent side channels: they come up in all sorts of interesting and unexpected ways. Fortunately, we think there is an easy fix: Google should simply disable access to all procfs files, rather than just the files that leak information about individual apps. Meanwhile, if you’re developing apps for privacy or anonymity, you should be aware that these risks exist.
IDA 6.9 users on Mac OS X, who have suffered seemingly-apparent crashes while using IDA.
The Qt 5.4.1 libraries shipped with IDA 6.9 suffer from the following bug: https://bugreports.qt.io/browse/QTBUG-44708, which was apparently fixed in Qt 5.5.0.
If, when IDA crashes, you ever spotted a backtrace that looks like the following:
frame #0: 0x00000000 frame #1: 0x00d8a50d QtGui'QT::QTextEngine::shapeText(int) const + 1187 frame #2: 0x00d8b517 QtGui'QT::QTextEngine::shape(int) const + 1199 frame #3: 0x00d8c977 QtGui'QT::QTextEngine::width(int, int) const + 155 frame #4: 0x00d73571 QtGui'QT::QFontMetricsF::width(QT::QString const&) const + 163 frame #5: 0x00041184 idaq'___lldb_unnamed_function853$$idaq + 420 ...
then you’ve been a victim of this rather tiresome issue.
(note: frame #0 doesn’t quite matter; the 2nd line,
QT::QTextEngine::shapeText(int), is the important one)
We have applied the patch mentionned in the Qt bugreport & re-built the
libqcocoa.dylib Qt platform support.
You will have to:
$ shasum libqcocoa.dylib afcf3603f593776c6f39f41f81e98843897cf0ed libqcocoa.dylib
libqcocoa.dylibbinary instead of the one in
Once that is done, those crashes shouldn’t happen anymore.
A big, big thank you to Willem Jan Hengeveld & Vladimir Putin, who have reported this!
IDA C++ plugin authors, who wish to link such plugins against Qt 5.x libraries.
One of our customers, Aliaksandr Trafimchuk, recently reported that whenever IDA was run with a plugin of his that links against the Qt libraries that we ship, IDA would crash at exit-time (at least on Windows.)
Aliaksandr already did most of the work of figuring out exactly what was causing the crash, and even had a work-around (more like a kludge, as he pointed out, really) for it, but he still wanted to let us know about it so we are aware of the problem & perhaps can communicate about it.
The crash is an access violation, in an area of memory that doesn’t seem to be mapped by any stack, heap, DLL code or data.
The stack reveals that the crash happens at
QCoreApplication::~QCoreApplication()-time (i.e., at application exit), when the
QFontCache is freeing/releasing its entries:
Qt5Core.dll!QT::QSettingsGroup::~QSettingsGroup() Qt5Gui.dll!QT::QMapNode::destroySubTree() Qt5Gui.dll!QT::QFontCache::clear() Qt5Gui.dll!QT::QFontCache::~QFontCache() [External Code] Qt5Gui.dll!QT::QThreadStorage::deleteData(void * x) Qt5Core.dll!QT::QThreadStorageData::set(void * p) Qt5Gui.dll!QT::QFont::cleanup() Qt5Gui.dll!QT::QGuiApplicationPrivate::~QGuiApplicationPrivate() [External Code] Qt5Core.dll!QT::QObject::~QObject() Qt5Core.dll!QT::QCoreApplication::~QCoreApplication() idaq.exe!013426c5() Unknown (...)
Our customer’s plugin uses a UI description file, that needs to be processed by Qt’s
uic (UI-compiler). The generated code contains lines such as these:
label = new QLabel(TestDialog); label->setObjectName(QStringLiteral("label")); QFont font; font.setFamily(QStringLiteral("Comic Sans MS"));
Note the use of
This is an optimization that came in Qt 5.x, and that causes actual
QString instances to be laid out in the
.rodata section of the program (together with a special refcount value that is
-1, meaning “don’t touch this refcount”.)
Although at exit-time, this “static const”
in-.rodata-QString instance wouldn’t be modified (because of the -1 refcount), simply reading it will cause a crash, since the section holding it has been removed from memory.
This is a known limitation/problem, too: https://bugreports.qt.io/browse/QTBUG-46880
This is where the problem lies: at exit-time, IDA will:
QCoreApplicationgoes out of scope, which will perform (among other things) the
QFontCachestill refers to literal
QStringdata, in a section that is now gone (it was discarded at #1)
In fact, Qt expects that any binary that uses Qt libraries should remain in memory, so that some optimizations (such as the
QStringLiteral) will continue to work. That’s why, when Qt unloads some of its own plugins, it doesn’t really unload those from memory.
Although the Qt library maintainers consider that having such limitations on binaries that link against Qt is acceptable, I personally hope they try to keep those restrictions as minimal as possible.
In any case, concerning this
QStringLiteral issue, we have a way out: at compilation-time, pass the compiler the following flag:
This will turn the
QStringLiteral() expression into a
QString::fromUtf8(), which will allocate the memory on the heap and the plugin should work just fine.
Another possibility reported by an IDA user (but untested by us), is to add the following after the Qt headers #include directives:
#undef QStringLiteral #define QStringLiteral(_str) _str
With this method, the literal C-style string will be implicitly converted to a
QString, using the default conversion rules.
The kludge (which is Windows-specific) consists of calling
LoadLibrary(szMyPluginFilePath), thereby somewhat artificially incrementing the refcount of his plugin, which will cause it to remain in memory & thus the
~QFontCache cleanup will succeed.
"Tell the chef, the beer is on me."
"Basically the price of a night on the town!"
"I'd love to help kickstart continued development! And 0 EUR/month really does make fiscal sense too... maybe I'll even get a shirt?" (there will be limited edition shirts for two and other goodies for each supporter as soon as we sold the 200)