PITAC, the US President’s Information Technology Advisory Committee, has released a report on Cyber Security: a Crisis of Prioritization. Free hard copies can be requested.

Vital to the Nation’s security and everyday life, the information technology (IT) infrastructure of the United States is highly vulnerable to disruptive domestic and international attacks, the President’s Information Technology Advisory Committee (PITAC) argues in a new report. While existing technologies can address some IT security vulnerabilities, fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure.

In Cyber Security: A Crisis of Prioritization, PITAC presents four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation’s IT infrastructure. PITAC urges the Government to significantly increase support for fundamental research in civilian cyber security in 10 priority areas; intensify Federal efforts to promote the recruitment and retention of cyber security researchers and students at research universities; increase support for the rapid transfer of Federally developed cyber security technologies to the private sector; and strengthen the coordination of Federal cyber security R&D activities.

A ZDNet article How to track a PC anywhere it connects to the Net describes research by UCSD grad student Tadayoshi Kohno that demonstrates how physical devices can be reliably identified remotely using clock skews.

“Anonymous Internet access is now a thing of the past. A doctoral student at the University of California has conclusively fingerprinted computer hardware remotely, allowing it to be tracked wherever it is on the Internet.

In a paper on his research, primary author and Ph.D. student Tadayoshi Kohno said: “There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting … without the fingerprinted device’s known cooperation.”

The potential applications for Kohno’s technique are impressive. For example, “tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces.”

A pre-print of Kohno’s paper is available:

T. Kohno, A. Broidoand and KC Claffy, Remote physical device fingerprinting, 2005 IEEE Symposium on Security and Privacy, Oakland CA, May 8-11, 2005.

“We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device’s known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. … Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device’s system time is maintained via NTP or SNTP.”

The Cabir bluetooth virus has been reported found in the wild in the United States. Cabir originated in the Philippines and infects bluethooth enabled mobile phones and (maybe) other device running the Symbian operating system. F-Secure offers this description:

Cabir is a bluetooth using worm that runs in Symbian mobile phones that support Series 60 platform. Cabir replicates over bluetooth connections and arrives to phone messaging inbox as caribe.sis file what contains the worm. When user clicks the caribe.sis and chooses to install the Caribe.sis file the worm activates and starts looking for new devices to infect over bluetooth. When Cabir worm finds another bluetooth device it willstart sending infected SIS files to it, and lock to that phone so that it won’t look other phones even when the target moves out of range.

The Brittan Elementary School in California now requires students to wear RFID badges that can track their every move. Students must wear identification cards around their necks with their picture, name and grade and a RFID tag. The system was imposed, without parental input, to simplify attendance-taking, reduce vandalism and improve student safety. The district superintendent told the parents concerned about privacy that their children could be disciplined for boycotting the badges.

“It’s not an option, (The badge) is just like a textbook, you have to have it. I’m charged with running the school district and I get to make those kinds of rules.”

The badges were developed by InCom Corp., a company co-founded by the parent of a former Brittan student. The company has paid the school several thousand dollars for agreeing to the experiment, and has promised a royalty from each sale if the system takes off. See stories here and here and a NYT article describing parent protests..

Anupam Joshi pointed out a good story on recent work by Avi Rubin and his students on cracking TI’s cryptographically enabled RFID tag widely used in anti-theft car locks, the ExxonMobil SpeedPass system and other RFID enabled applications. A draft of the paper is available online. Apparently the TI chips use a relatvely short key (40bit?).

Graduate Cryptographers Unlock Code of ‘Thiefproof’ Car Key
By JOHN SCHWARTZ, NYT, January 29, 2005

BALTIMORE - Matthew Green starts his 2005 Ford Escape with a duplicate key he had made at Lowe’s. Nothing unusual about that, except that the automobile industry has spent millions of dollars to keep him from being able to do it.

Mr. Green, a graduate student at Johns Hopkins University, is part of a team that plans to announce on Jan. 29 that it has cracked the security behind “immobilizer” systems from Texas Instruments Inc. The systems reduce car theft, because vehicles will not start unless the system recognizes a tiny chip in the authorized key. They are used in millions of Fords, Toyotas and Nissans.

All that would be required to steal a car, the researchers said, is a moment next to the car owner to extract data from the key, less than an hour of computing, and a few minutes to break in, feed the key code to the car and hot-wire it. …

Cracking the system took the graduate students three months, Dr. Rubin said. “There was a lot of trial and error work with, every once in a while, a little ‘Aha!’ ” …

Mr. Sabetti of Texas Instruments argues that grabbing the code from a key would be very difficult, because the chips have a very short broadcast range. The greatest distance that his company’s engineers have managed in the laboratory is 12 inches, and then only with large antennas that require a power source.

Dr. Rubin acknowledged that his team had been able to read the keys just a few inches from a reader, but said many situations could put an attacker and a target in close proximity, including crowded elevators. …

You might just be a hacker if …. you use Lynx under Solaris, like this poor fellow. We are probably all hackers now. Or worse.

This is another scary technology story…

Lexus cars may be vulnerable to viruses that infect them via mobile phones. Landcruiser 100 models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet.

The NY Times has a short review (Nonstop Scrutiny, as Orwell Foresaw) of a new book on our collective privacy loss: No Place To Hide, Behind the Scenes of Our Emerging Surveillance Society, by Robert O’Harrow Jr., 348 pages. Free Press. $26. Sounds like a good book, if you’re in a mood to set your hair on fire over privacy.

As the book discusses, we’re voluntarily giving up much of our privacy for convenience:

Mr. O’Harrow also charts many consumers’ willingness to trade a measure of privacy for convenience (think of the personal information happily dispensed to TiVo machines and Amazon.com in exchange for efficient service and helpful suggestions), freedom for security. He reviews the gargantuan data-gathering and data-mining operations already carried out by companies like Acxiom, ChoicePoint and LexisNexis. And he shows how their methods are being co-opted by the government.

It’s a constant battle and, like most people, I don’t know if I have the energy and perseverance to constantly protect my privacy.

If you were brave enough to read this item, here’s another dare…

New virus masquerades as news headlines
Friday, January 21, 2005 Posted: 10:19 AM EST (1519 GMT)
(CNN) — Researchers have identified a new computer virus that masquerades as news headlines from CNN’s Web site. …

“The President’s Information Technology Advisory Committee (PITAC) achieved consensus yesterday on the final draft of its report on the status of the federal cyber security R&D effort, finding that support for civilian-oriented, fundamental cyber security research is seriously inadequate, the pool of researchers is insufficient, and that coordination between funding agencies is lacking. … The report will note problems in all three agencies one would expect to be funding critical long-term cyber security R&D: NSF, DARPA and the Department of Homeland Security.” …MORE…

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities… read more here…

ias-opportunities is a new mailing list for distributing announcements of funding opportunities, conference and journal calls, and similar solicitations specifically about issues of information assurance, information security, and cybercrime-related issues. It has been set up by Gene Spafford of Purdue’s Center for Education and Research in Information Assurance and Security. The list is a low-volume list for announcements of interest to researchers as well as practitionaers. An archive of past messages is available. List members can send announcements directly and non-members can send announcements to ias-opportunities-submit@cerias.purdue.edu for posting. To subscribe to the list, send email to ias-opportunities-request@cerias.purdue.edu with the command subscribe in the body. To subscribe an address other than the one from which you send the email, use the command subscribe <someEmailAddress>.