Friday, January 16, 2015

Join a great team - three positions open at CACR

CACR has three open positions. Please apply and let anyone know who might be interested know.

One is an analyst to join the CTSC team, working to secure NSF computational science:

The second is an EOT Manager to work on Security Matters and other projects:
The third is am Senior Administrative Assistant in preparation for a long-tenured retiring CACR staff member:

Feel free to contact me with any questions.

Tuesday, May 27, 2014

Quantum Experiment Threat Modeling

I'm enjoying Jonathan Dowling's "Schrödinger's Killer App: Race to Build the World's First Quantum Computer" and it's interesting to read as he describes physicists eliminating not only random errors to their experiments to prove quantum effects versus hidden local variables, but even imagining intelligent, malicious ones.

Most of these are of the form of fairies communicating at the speed of light representing worse-case real world effects that could be causing incorrect conclusions to the experiment, but on page 70, he describes the "Post-experiment computer infestation loophole" in which the computer collecting data for the experiment has been maliciously altered to change collected data but leave no other trace. He concludes that under this circumstance: "the scientific method fails us and we have no choice but to ignore such a possibility."

Ah, to be a physicist :-)

Monday, December 3, 2012

Two open positions at CACR

I've got two open positions that offer the exciting opportunity to work on cybersecurity for computational science.

The first is in the new NSF-funded Center for Trustworthy Scientific Cyberinfrastructure that I'm leading. This position will get to work with a variety of cutting-edge NSF science projects on helping them with their cybersecurity needs, as well as helping to provide leadership in advancing the state of cybersecurity practice and advance research. This particular position will get a chance to learn and apply software assurance.

The second is with by new DOE-funded project, Advanced Identity Management for Extreme-scale Scientific Computing. This project is researching how scientific collaborations impact the operations and trusty model of identity management in distributed computing. It will then build on that research to develop new software tools to implement better identity management for science collaborations.

Both of these positions are exciting opportunities to work in both cybersecurity and with cool science projects. To apply, visit the links above. Feel free to contact me with questions.

Thursday, March 8, 2012

Cyberdefense is hard...

One thing that caught my attention in the recent arrest of the anonymous hackers is how the hacker who goes by "Sabu" was apparently caught, he apparently logged into an IRC chat service forgetting to hide his IP address just once.

This is a good example of what cybersecurity is so hard - defense has to be perfect. If attackers have to play defense too though, that will level the field some.

Thursday, May 5, 2011

Some observations on the rekey of

(This is a fairly technical post about monitoring changes in PKI infrastructure. Unless that sentence interests you, you probably don't want to read further.)

Since the Comodo CA issue I've been playing around with some of the PKI monitoring infrastructure including Perspectives and the Google Certificate Catalog. So when I heard that was rekeyed today, I decided to see what those monitoring infrastructures saw. A couple things surprised me.

First, I happened to have a browser window open to from the previous day when it was still using the old certificate. So I saved both the old and new certificates. From the certificates it was clear it wasn't just a new certificate for the same key, but a new key (along with a update of the validity period from 2/2011-2/2012 to 4/2011-4/2012).

Then, I looked at Perspectives, and it showed the new certificate (94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce - the blue below with the purple being the old certificate) as just starting to be seen, no surprise there.

But, looking a little more carefully at the individual notary responses, while two notaries had either not seen it yet or just seen it in the last day, the other two have been seeing the new certificate for a while. saw the new certificate briefly back in April:

Key = 94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce
 start: Tue Apr 26 02:28:11 2011
 end  : Tue Apr 26 14:28:07 2011
 start: Tue May  3 14:28:41 2011
 end  : Thu May  5 02:28:55 2011
And has been seeing it on and off for a week like clockwork:

Key = 94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce
 start: Fri Apr 29 14:12:06 2011
 end  : Sat Apr 30 02:12:06 2011
 start: Sat Apr 30 14:12:05 2011
 end  : Sun May  1 02:12:06 2011
 start: Sun May  1 14:12:06 2011
 end  : Mon May  2 02:12:11 2011
 start: Mon May  2 14:12:18 2011
 end  : Tue May  3 02:12:20 2011
 start: Tue May  3 14:12:17 2011
 end  : Wed May  4 02:12:23 2011
 start: Wed May  4 14:12:22 2011
 end  : Thu May  5 02:12:25 2011 
Then I went and queried Google Certificate Catalog:
$ dig +short TXT
"15079 15098 19"
It has seen the new certificate for 19 days. If you do the math, the first day it saw the certificate works out to be April 14th, which is the day after it was issued (according to the certificate itself). So either it is clued into the issuance, or Google uses the certificate internally for a while before the world sees it.

So what does this mean? If this rekey is any indication, it means these things don't happen in a clean binary manner. Different parts of the network may see new certificates before others, and maybe for short spurts cutting back and forth between new and old. Looking at the detailed responses from Perspectives, previous changes for also show a similar bouncing back and forth (particularly with This is turn means that certificate checkers using these infrastructures are going to have to be tolerant of this sort of noise during a change over.

Also, looking at Perspectives long term data for, it looks like a change happens every two months or so (note, one can't tell from this if they re-key or just create a new certificate):

Thursday, April 28, 2011

Sony PSN: Compromised security questions...

I am not a fan of security questions. My big criticism is that they turn an innocent fact about you into a shared secret - you now have to remember that the street you lived on in first grade gets you into your webmail account and not blog about that favorite childhood memory.

Now with the recent Sony Playstation Network compromise, it has raised an even bigger problem with (suspected in this case, they aren't sure) compromise of security questions. What do you do if your password questions get compromised at a site?

First, you probably have no idea what answers you even gave. The idea behind these questions is that you remember the answers naturally, so you don't need to write them down. So you probably have no idea now what questions you were asked and what answers got leaked.

Second, even if you did somehow know what answers you gave Sony (perhaps you signed up two weeks ago and you have a great memory), do you remember all the other sites you gave the same answers to? Time to go site to site checking (except, back to my first point, you probably don't remember what answers you are checking for).

Third, let's say you remember all that. These answers about you have been compromised and you can't change them - it's your history! This is a problem shared with biometrics, once your fingerprint gets out, you're stuck with just having nine left. Once a fact about you is known, you just have to know not to use it anymore as a secret.

So, security questions just went from bad to worse in my book.

My suggestion, fill in random strings (I use a random password generator or "slap on the keyboard"). Write your password down in a good password program like Password Safe or KeePass or use the password saving feature on your browser (I suggest setting a master password if you do so). Or if you do forget your password, most sites will still have some way you can get your password reset the old fashioned way through customer support.

Some interesting work on security questions:

And finally xkcd:

Thursday, March 10, 2011

Registration for 2011 CACR Higher Education Cybersecurity Summit now open

Date: Monday, April 11
Time: 8:00 a.m. - 5:00 p.m.
Location: University Place Conference Center, IUPUI

The Indiana University Center for Applied Cybersecurity Research cordially invites you to attend the 2011 Higher Education Cybersecurity Summit. This year's summit will take place on Monday, April 11, on the IUPUI campus near downtown Indianapolis.

The summit will offer a variety of sessions of interest to security, policy, and privacy officers as well as cybersecurity practitioners. There is no cost to attend the summit.