The Semantic Web and Policy Workshop will be held at the 4th International Semantic Web Conference on 7 November 2005 in Galway, Ireland. The workshop is focused on two research areas:

• policy-based frameworks for the semantic web for security, privacy, trust, information filtering, accountability, etc.
• applying semantic web technologies in policy frameworks for application domains such as grid computing, networking, storage systems, pervasive computing and specifying agent communities norms.

In addition to presentations of nine submitted papers, Ora Lassila will give an invited talk on “Applying Semantic Web in Mobile and Ubiquitous Computing: Will Policy-Awareness Help?” and a panel of policy researchers will initiate a discussion of “The 2005 Web Policy Zeitgeist”. The proceedings is available and participants can register at the online.

This is an interesting and accessible article on the DDoS extortion business and companies that offer protection services.

The Zombie Hunters — On the trail of cyberextortionists, Evan Ratliff, The New Yorker, 10 October 2005

“One afternoon this spring, a half-dozen young computer engineers sat in the headquarters of Prolexic, an Internet-security company in Hollywood, Florida, puzzling over an attack on one of the company’s clients, a penile enhancement business called MensNiche.com. The engineers, gathered in the company’s network operations center, or noc, on the fourth floor of a new office building, were monitoring Internet traffic on fifty-inch wall-mounted screens. Anna Claiborne, one of the company’s senior network engineers, wandered into the noc in jeans and a T-shirt. The MensNiche attacker had launched an assault on the company’s Web site at 4 a.m., and Claiborne had spent the night in the office fending it off. “Hence,” she said, “I look like hell today.”"
…more…

A Reuters article claims that Google is preparing to launch its own wireless Internet service, Google WiFi. Evidence includes several pages found at wifi.google.com including a FAQ for their Google Secure Access, a downloadable client application that allows users to establish a more secure WiFi connection. Some report that San Francisco Bay Area users will soon be able to connect freely to Google Wi-Fi hotspots using this VPN wireless client.

UPDATE: An anonymous source on Dave Farber’s IP mailing list says:

Google is doing two things:

1) promoting municipal Wi-Fi and working with the city of San Francisco and companies like EarthLink;

2) releasing a beta of a simple VPN client — “Google Secure Access” — which provides a tunnel to a Google VPN server exploiting the built-in VPN tool in Windows XP and 2000. This is useful on insecure Wi-Fi networks for those that have no VPN, but it is not a Wi-Fi service.

Offering a free VPN service might make sense as a new way for Google to put ads in front of eyes.

The US National Security Agency (NSA) is planning to build a secure wireless PDA that also does voice and data communications over public networks, including CDMA, GSM and 802.11. Dubbed SME-PDA (for “secure mobile environment - portable electronic device” — boy do they need better marketing!), it’s rumored to support voice and data communications up to Top Secret and email up to Secret. The device will be developed for NSA by L-3 Communications and another, not yet named company. Earlier reports named General Dynamics C4 Systems as being involved. …more…

The Open Web Application Security Project has developed WebGoat as a training environment for securing web applications.

WebGoat is a lessons based, deliberately insecure web application designed to teach web application security. Each of the 25 lessons provides the user an opportunity to demonstrate their understanding by exploiting a real vulnerability. WebGoat provides the ability to examine the underlying code to gain a better understanding of the vulnerability as well as provide runtime hints to assist in solving each lesson. V3.7 includes lessons covering most of the OWASP Top Ten vulnerabilities and contains several new lessons on web services, SQL Injection, and authentication. Simply unzip, run, and go to WebGoat in your browser to start learning.

Sounds like a great teaching and learning tool for building secure web-based systems.

Bruce Shneier report that Tel Aviv University researchers have demonstrated a passive attack that can recover the PIN used by bluetooth devices during the pairing protocol, allowing the attacker to eavesdrop on a Bluetooth network. The approach works for the four digit PINs adopted by industry. See their Mobisys 2005 paper or this news article.

eWeek has a reasonable article summarizing the weaknesses in TI’s RFID systems.

After uncovering a security weakness in a radio-frequency identification tag from Texas Instruments Inc., researchers from RSA Security Inc.’s RSA Laboratories and The Johns Hopkins University are now eyeing future exploits against other RFID products in the interests of better security, one of the researchers said this week.
     Meanwhile, TI will keep making the compromised RFID tag in order to meet the needs of applications more sensitive to speed and pricing than to privacy, according to a TI official. …

PITAC, the US President’s Information Technology Advisory Committee, has released a report on Cyber Security: a Crisis of Prioritization. Free hard copies can be requested.

Vital to the Nation’s security and everyday life, the information technology (IT) infrastructure of the United States is highly vulnerable to disruptive domestic and international attacks, the President’s Information Technology Advisory Committee (PITAC) argues in a new report. While existing technologies can address some IT security vulnerabilities, fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure.

In Cyber Security: A Crisis of Prioritization, PITAC presents four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation’s IT infrastructure. PITAC urges the Government to significantly increase support for fundamental research in civilian cyber security in 10 priority areas; intensify Federal efforts to promote the recruitment and retention of cyber security researchers and students at research universities; increase support for the rapid transfer of Federally developed cyber security technologies to the private sector; and strengthen the coordination of Federal cyber security R&D activities.

A ZDNet article How to track a PC anywhere it connects to the Net describes research by UCSD grad student Tadayoshi Kohno that demonstrates how physical devices can be reliably identified remotely using clock skews.

“Anonymous Internet access is now a thing of the past. A doctoral student at the University of California has conclusively fingerprinted computer hardware remotely, allowing it to be tracked wherever it is on the Internet.

In a paper on his research, primary author and Ph.D. student Tadayoshi Kohno said: “There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting … without the fingerprinted device’s known cooperation.”

The potential applications for Kohno’s technique are impressive. For example, “tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces.”

A pre-print of Kohno’s paper is available:

T. Kohno, A. Broidoand and KC Claffy, Remote physical device fingerprinting, 2005 IEEE Symposium on Security and Privacy, Oakland CA, May 8-11, 2005.

“We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device’s known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. … Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device’s system time is maintained via NTP or SNTP.”

The Cabir bluetooth virus has been reported found in the wild in the United States. Cabir originated in the Philippines and infects bluethooth enabled mobile phones and (maybe) other device running the Symbian operating system. F-Secure offers this description:

Cabir is a bluetooth using worm that runs in Symbian mobile phones that support Series 60 platform. Cabir replicates over bluetooth connections and arrives to phone messaging inbox as caribe.sis file what contains the worm. When user clicks the caribe.sis and chooses to install the Caribe.sis file the worm activates and starts looking for new devices to infect over bluetooth. When Cabir worm finds another bluetooth device it willstart sending infected SIS files to it, and lock to that phone so that it won’t look other phones even when the target moves out of range.

The Brittan Elementary School in California now requires students to wear RFID badges that can track their every move. Students must wear identification cards around their necks with their picture, name and grade and a RFID tag. The system was imposed, without parental input, to simplify attendance-taking, reduce vandalism and improve student safety. The district superintendent told the parents concerned about privacy that their children could be disciplined for boycotting the badges.

“It’s not an option, (The badge) is just like a textbook, you have to have it. I’m charged with running the school district and I get to make those kinds of rules.”

The badges were developed by InCom Corp., a company co-founded by the parent of a former Brittan student. The company has paid the school several thousand dollars for agreeing to the experiment, and has promised a royalty from each sale if the system takes off. See stories here and here and a NYT article describing parent protests..

Anupam Joshi pointed out a good story on recent work by Avi Rubin and his students on cracking TI’s cryptographically enabled RFID tag widely used in anti-theft car locks, the ExxonMobil SpeedPass system and other RFID enabled applications. A draft of the paper is available online. Apparently the TI chips use a relatvely short key (40bit?).

Graduate Cryptographers Unlock Code of ‘Thiefproof’ Car Key
By JOHN SCHWARTZ, NYT, January 29, 2005

BALTIMORE - Matthew Green starts his 2005 Ford Escape with a duplicate key he had made at Lowe’s. Nothing unusual about that, except that the automobile industry has spent millions of dollars to keep him from being able to do it.

Mr. Green, a graduate student at Johns Hopkins University, is part of a team that plans to announce on Jan. 29 that it has cracked the security behind “immobilizer” systems from Texas Instruments Inc. The systems reduce car theft, because vehicles will not start unless the system recognizes a tiny chip in the authorized key. They are used in millions of Fords, Toyotas and Nissans.

All that would be required to steal a car, the researchers said, is a moment next to the car owner to extract data from the key, less than an hour of computing, and a few minutes to break in, feed the key code to the car and hot-wire it. …

Cracking the system took the graduate students three months, Dr. Rubin said. “There was a lot of trial and error work with, every once in a while, a little ‘Aha!’ ” …

Mr. Sabetti of Texas Instruments argues that grabbing the code from a key would be very difficult, because the chips have a very short broadcast range. The greatest distance that his company’s engineers have managed in the laboratory is 12 inches, and then only with large antennas that require a power source.

Dr. Rubin acknowledged that his team had been able to read the keys just a few inches from a reader, but said many situations could put an attacker and a target in close proximity, including crowded elevators. …