Wednesday, December 26, 2007

New Year's Resolution: No More Research in New Clothes for a Naked Emperor

This is the time of year when everyone makes new year’s resolutions. I’m proposing one for program chairs for security conferences: it’s time to “just say no” to yet another paper on how to control damage from buffer overflows and format string attacks. I’ve been attending security conferences for about 20 years, and for at least 10 of those there have been numerous papers about how buffer overflows and format string attacks happen, and how to stop them.

As examples, I offer the following from the recent ACSAC conference:

If you look at any recent security research conference (such as USENIX Security), you’ll similarly find papers on the subject.

We know how to solve problems like this - type-safe, memory-safe languages like Java and C# are nearly completely effective at preventing these types of attacks, because bounds-checked arrays and managed memory take away the memory-corruption primitive that both bug classes depend on. So why are we continuing to invest our scarce research funding in problems like this?
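As an added illustration (this code is not from the original post), here are the two bug classes the post is talking about, written in C beside their hardened forms. The function names, the 16-byte buffer size and the sample inputs are this example's own choices; the "hostile" input is constructed for the demonstration and is never passed to the vulnerable functions, because what they would do with it is undefined behaviour.

```c
/* Added example (not from the original post): a stack buffer overflow and
 * a format string bug in C, each next to the hardened version.  All names,
 * sizes and inputs below are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed buffer size for the example */

/* Vulnerable: unbounded copy into a fixed-size stack buffer.  A name of 16
 * bytes or more runs past buf and overwrites whatever the compiler placed
 * after it (saved registers, return address).  Only called with a short,
 * benign name in this example. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                      /* no length check at all */
    printf("hello %s\n", buf);
}

/* Vulnerable: user data used as the format string.  With name = "%x %x"
 * printf walks the (non-existent) argument list and leaks stack contents;
 * with "%n" it writes to memory.  gcc/clang flag this with
 * -Wformat-security.  Only called with a '%'-free name in this example. */
void log_unsafe(const char *name)
{
    printf(name);
    putchar('\n');
}

/* Hardened copy: reject (rather than silently truncate) a name that does
 * not fit, and always leave dst NUL-terminated.
 * Returns 0 on success, -1 if src would not fit in dst. */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {                       /* need n + 1 bytes for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened log: the format string is a constant; user input is only data. */
void log_safe(const char *name)
{
    printf("%s\n", name);
}

/* Audit helper: returns 1 if s contains a conversion that printf would act
 * on (anything '%' except the literal "%%"), i.e. it is unsafe as a format
 * string.  The fix is still log_safe(); this is what a reviewer looks for. */
int has_format_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {              /* "%%" prints a single '%' */
            i++;
            continue;
        }
        return 1;                           /* a real directive, or a lone trailing '%' */
    }
    return 0;
}

int main(void)
{
    char dst[NAME_MAX];
    const char *hostile = "%x %x %x %x";    /* constructed attacker input */

    greet_unsafe("alice");                  /* safe only because the input is short */
    log_unsafe("alice");                    /* safe only because the input has no '%' */

    if (copy_name(dst, sizeof dst, "a-name-that-is-far-too-long") != 0)
        puts("copy_name: rejected over-long name instead of overflowing");
    log_safe(hostile);                      /* prints the %x's literally */
    printf("hostile input contains a printf directive: %d\n",
           has_format_directive(hostile));
    return 0;
}
```

Both vulnerable functions compile without complaint under default warning levels, which is the post's point: in C the language does nothing to stop them, and the fix is a discipline the programmer has to remember every time, whereas a bounds-checked language makes the first bug a caught exception and has no equivalent of the second.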

Could you imagine a medical conference where 10% of the presentations were on ways to prevent smokers from getting lung cancer? I’m sure there’s research in figuring out why non-smokers get lung cancer (as well as treatment for the cancers of both smokers and non-smokers), but let’s put our research where it can do some good!

So as my small step, my pledge for 2008 is to reject any papers submitted to me (as a paper reviewer for conferences and magazines) that could be solved by simply using a type-safe language.

Thursday, December 20, 2007

A non-recount in Virginia

A month ago I wrote about the very close race between Ken Cuccinelli and Janet Oleszek for the 37th Virginia Senate seat. Today, the Washington Post reports that Oleszek conceded after a recount. The recount widened Cuccinelli's lead from 92 to 101 votes out of about 37,000 cast.

What's truly sad is that the Post article didn't discuss the fact that real recounts are impossible in Virginia: a paperless DRE (direct-recording electronic voting machine) has nothing to recount except its own stored totals. The Verifiable Voting Coalition of Virginia is working with legislators to update state law to allow true recounts (as well as random audits at every election), so that when the last of the DREs are gone, today's sham recounts will be just a bad memory.

Tuesday, December 18, 2007

Phishing - or not?

Like most people, I get a TON of spam and phishing messages. So I almost deleted this one without reading it - and then realized it's legitimate. This is a horrible example of a company training its customers to be susceptible to phishing attacks, as well as viruses, etc.

For your protection, the content of this message has been sent securely by Aetna using encryption technology. For more information about Aetna's use of encryption please visit this website

Steps to open your secure message:
1. Please double click on the attachment labeled securedoc.html to begin the process of decrypting your message.
2. When you open the attachment you will see Aetna's secure envelope. This envelope contains your encrypted message. There are two ways of opening the envelope.

Preferred method:

By clicking the "open" button you will be offered the opportunity to download a small application (applet) that will enable you to open the message directly on your computer (c: drive). By choosing this option and selecting "always" any future messages that you receive from Aetna will be opened on your computer without further installation. This method may take a few extra minutes initially (depending on your machine and the speed of your connection to the internet), but overall will result in faster / more efficient message retrieval.

Alternate method:

If you cannot, or choose not to download the application click on the link labeled "here". This option will allow you to open the secure email without having to download anything to your computer, but may result in slower retrieval of your secure message.

Saving your message:
The securedoc.html that you clicked to begin the process actually retrieves a key from Aetna which is used to open (or decrypt) your message. The key will expire in 90 days. If you would like to save your message for later review, you should save a copy of the unencrypted message.
How you save email will vary depending on your email service. If you are unsure, please use the help function of your email service and look for topics like: saving, saving messages, storing messages.

If you experience any problems, please contact 1-800-237-7476, option 4 (Secure Email) during normal business hours; 8AM to 6PM E.S.T.

More details of Aetna's "secure" email system can be found here.

BTW, the reason they contacted me is I complained their customer web site doesn't work well with Firefox.

Aetna, you should be ashamed of yourself!

P.S. In case all that isn't enough, the "secure" email system doesn't actually encrypt the message - it just obfuscates it. I tried taking the HTML file and copying it to another system, and it opened and displayed the message immediately.

Wednesday, December 05, 2007

False positives on automated responses

My previous post was about false positives by police, so it seems appropriate to talk about false positives in another context.

I was looking for a branch of SunTrust Bank (one of the major banks in the area where I live), and discovered that most of their site only works with Internet Explorer (not uncommon, but still frustrating). So I wrote a comment to their "contact us" site, saying that I was unhappy that it wouldn't work with Firefox, especially since Firefox is more secure than IE.

I'm guessing (hoping?!?!) that it's an automated system that provided this response:

Thank you for contacting SunTrust in regards to security of the web site.

We at SunTrust understand your concerns regarding the security of our services, and we appreciate the opportunity to address them.

SunTrust has taken strong measures to ensure that your information remains confidential. The first step is the use of a secure browser. Certain browsers and certain computers have the ability to communicate securely by scrambling the information as it passes across the Internet. The method of communication is called SSL, or Secure Socket Layer. We require the use of a secure browser before a connection can be made to SunTrust's online services. After you reach us using a secure browser, we take measures to make sure your information is kept secure and confidential.

Your information passes through a firewall, which is a device specifically designed to keep out unauthorized users. The information is also scrambled again to ensure that only authorized SunTrust representatives can read it. For security purposes, SunTrust requires you to enter two sets of numbers to gain access to our Online Services, a Customer Identification Number and a password. Your password should only be known by you.

Finally, communication with our representatives regarding your accounts may occur only after your identity has been thoroughly verified.

Wow, I feel better now.

Saturday, December 01, 2007

"See something say something" false positives

There are numerous programs for ordinary citizens to report suspicious sightings. Bruce Schneier (among many others) wrote about the problems in these sorts of programs, and how they're prone to generate lots of false positives.

Here's one to add to the list: Orthodox (and some non-Orthodox) Jewish men (and a few women) wear Tefillin as part of daily morning prayers every day except Saturday. They are somewhat odd-looking to anyone who hasn't encountered them before. Seems that passengers on a commuter train in suburban Chicago didn't know what they were. They summoned the conductor, who asked the man what he was doing. He replied "I'm praying" and didn't want to be interrupted further. So the conductor stopped the train at the next station and called the police (who, for the record, were brighter than the conductor, and did not arrest the man - contrary to some reports). Apparently one of the concerns was that the straps of the tefillin were "wires" (which is amusing, considering that they are always made of leather).

The issue isn't whether the practice is strange - many religious rituals are strange to those not familiar with them - but whether the paranoia about terrorism has gotten so out of hand that people are unable to distinguish an unusual behavior from a threatening one. But that's not really a question - it's more a sad reflection on our times.