Tuesday, December 13, 2011

ACSAC 2011 Debriefing


by Jeremy Powell

The 2011 Annual Computer Security Applications Conference was held last week in Orlando, FL, and I had the good fortune to attend. The first two days were full of half- and full-day tutorials with varying topics. You can find the program and course descriptions here.

The following is a small set of highlights from the conference that I found particularly interesting:

Sven Dietrich from the Stevens Institute of Technology gave a half-day tutorial on the evolution of botnets over their history. Focusing largely on historical timelines, he described how each new technology for defending against botnets drives up the quality and robustness of the botnets in turn, matching advancement with advancement. What I found really striking is the sheer sophistication of the advanced bots, which allows for completely decentralized command and control and clever use of cryptography to deploy updates to the bots. It would seem that these bots have software life cycles (and security concerns!) not unlike conventional software.

Adding to my newfound knowledge of botnets from Dr. Dietrich's tutorial, several papers were presented on live analysis of botnets and malware. The two papers "Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games" and "Detecting Malware’s Failover C&C Strategies with SQUEEZE" were particularly interesting. They both independently proposed methodologies for extracting useful information from the behavior of bots when they are under duress. The research suggested that, when bots are having trouble connecting to their peers or to the command and control nodes, they are robustly designed to attempt to connect in different ways. Whom they connect to can enable researchers (and law enforcement) to identify other malicious machines that should be blacklisted and possibly taken down. In some cases, I would imagine from what Dr. Dietrich's tutorial suggested, the bots will phone directly home as a last-ditch effort to receive commands, betraying their owners' identities.

Anoop Singhal of NIST and Xinming (Simon) Ou of Kansas State University presented a method to automatically generate attack graphs and compute "probabilities" of particular attack paths, which can then be fed into an enterprise's risk assessment. Although it is considerably "academic" in implementation, an industrialized version of this product would be invaluable to network administrators. Given a network diagram specification, vulnerability scanning results, and the National Vulnerability Database, the software can reason about whether it is more cost-effective to patch a vulnerable database or to apply other mitigating controls along the potential paths to that database. The really cool thing is that this attack graph generation doesn't need to be restricted to network-based attacks. One could envision combining it with a server configuration, or even applying it to the analysis of malicious information flows through a Multi-Level Security system (e.g., SELinux).
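The patch-versus-mitigate reasoning described above, as an added illustration that is not the presenters' tool: a constructed five-node attack graph with assumed CVSS-derived step probabilities, a noisy-OR reachability estimate for the database, and a ranking of candidate interventions by risk reduction per unit cost. All hosts, probabilities, costs and the asset value are made up for the example.

```python
from collections import defaultdict

# Constructed attack graph (assumption, not from any real scan or NVD lookup).
# Nodes are attacker privileges; each edge is an exploit step with an assumed
# CVSS-derived success probability. 'internet' is the starting point.
EDGES = {
    ("internet", "web_user"): 0.8,   # hypothetical flaw in a DMZ web application
    ("internet", "vpn_user"): 0.3,   # hypothetical weak VPN credential
    ("web_user", "app_user"): 0.6,   # lateral move from web tier to app tier
    ("vpn_user", "app_user"): 0.7,   # VPN users reach the app tier directly
    ("app_user", "db_root"): 0.9,    # hypothetical unpatched database vulnerability
}

def reach_probability(edges, start, goal):
    """Noisy-OR propagation over an acyclic graph: a node is reached if any
    incoming exploit step succeeds from an already-reached predecessor.
    Steps are treated as independent; cycles would need a fixpoint instead."""
    preds = defaultdict(list)
    for (src, dst), p in edges.items():
        preds[dst].append((src, p))
    memo = {}
    def p_of(node):
        if node == start:
            return 1.0
        if node not in memo:
            miss = 1.0                      # probability that every path fails
            for src, p in preds[node]:
                miss *= 1.0 - p_of(src) * p
            memo[node] = 1.0 - miss
        return memo[node]
    return p_of(goal)

def compare_mitigations(edges, start, goal, asset_value, options):
    """options: name -> (cost, {edge: new probability after the control}).
    Returns (name, cost, risk_reduction, reduction_per_cost_unit), best first."""
    base = asset_value * reach_probability(edges, start, goal)
    rows = []
    for name, (cost, changes) in options.items():
        changed = dict(edges)
        changed.update(changes)
        residual = asset_value * reach_probability(changed, start, goal)
        rows.append((name, cost, round(base - residual, 2), round((base - residual) / cost, 4)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Candidate interventions (constructed costs): patch the database, harden the
# web tier, or add MFA on the VPN. Each only changes the edges it touches.
OPTIONS = {
    "patch_db":   (5000, {("app_user", "db_root"): 0.0}),
    "harden_web": (1500, {("internet", "web_user"): 0.2}),
    "mfa_vpn":    (800,  {("internet", "vpn_user"): 0.05}),
}
```

With these constructed numbers the web-tier hardening wins per unit cost even though only the database patch drives the goal probability to zero, which is exactly the kind of trade-off the presenters' approach is meant to expose.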

To round things out, researchers from Carleton University spoke about the usefulness of images as passwords. "Facing the Facts about Image Type in Recognition-Based Graphical Passwords" discussed and rebutted the claim that human faces are a particularly good image-based password alphabet because we are hardwired to recognize faces. The speaker conducted experiments to determine and compare the usability and effectiveness of faces against images of everyday objects and images of suburban houses. Interestingly, everyday objects were a superior password alphabet, because people tend to perform recall better than they recognize. This is illustrated anecdotally by the fact that some participants who were assigned face-based passwords were actually naming the images of the people to help remember them more easily. This seems to demonstrate that the ability to "write down" a password (i.e., "Shoe-screwdriver-ball" or "Bill-Marcy-Fred") is a better memory aid than simple recognition alone.

As with all conferences, much of the fun was chatting with security researchers and practitioners and hearing their stories and backgrounds. I was impressed by the earnest, hard work they have all done to keep our security posture in the tech industry as strong as it is today. Unfortunately, the IT security community is currently only effective as a reactive force; it takes buy-in from developers to take our efforts beyond a quickly outmoded patchwork of security fixes to the full potential of sound security architecture in both software and hardware. But that's a topic for another article...
