2nd FORWARD Workshop sum-up

On May 4th and 5th of 2009, the FORWARD consortium organized the 2nd workshop of the project. The workshop took place in Hotel Delcloy in Côte d’Azur. The agenda focused on the progress of the FORWARD working groups (WGs) having both summary presentations of their work and focused panel discussions for each WG. The keynotes and presentations helped to spark discussions during the panel sessions that were also carried on during the scheduled breaks.

Highlights of Day 1

The first day included some very interesting presentations, starting with the keynote of Marc Dacier, head of Symantec Research – Europe, during the first session of the workshop. Marc highlighted the economic motives behind cyber-attacks. He stressed that research focus should be directed at threats according to their profitability to the attacker.

Michael Behringer's talk was also very insightful. Michael identified humans as the weakest link in the security of complex ICT infrastructures. He argued that we will be able to increase the overall security of these infrastructures if we shift responsibility for some complex but mundane tasks (e.g. configuration) from humans to software.

Of course, the above is true only for thoroughly tested software. Manuel Costa's presentation focused on explaining how the reliability of an OS kernel can be compromised by the unprotected use of extensions (e.g. device drivers, network protocol implementations, etc.). Manuel noted that many thousands of new OS extensions appear every year and, because there is simply not enough time for thorough testing, they end up having a very high failure rate. This also makes the OS kernel vulnerable, because it shares its address space with the unreliable extensions. Manuel argued in favour of implementing fine-grained access rights inside the kernel space in order to reduce the effect of faulty extensions on the overall security of the OS kernel.

The presentation of David Brumley also provided some surprising insights into the modus operandi of attackers. David argued that existing security patch delivery mechanisms can actually help attackers. He explained that it is possible to automatically generate an exploit from the corresponding vulnerability fix. The process is fast enough to allow an attacker to launch an attack with the new exploit before all computers have been patched. Therefore, there is a need to revisit the current patch distribution mechanisms.

The first day was completed with split panel discussions of the three FORWARD WGs. The discussions are summarized in the related project deliverable (to be published soon).

Highlights of Day 2

The second day started with presentations of the work in the different WGs and concluded with the last session of guest presentations. The presentation of Christian Kreibich was very interesting, as it provided insight into the spam business. Until now, many have speculated on the conversion rates and revenue generated by spam, but there has been little evidence to support or refute any of the speculations. Christian presented a new study on a small part of the Storm botnet that attempts to shed light on these issues. The study concludes that the whole Storm botnet generates less than $2M of revenue annually from its pharmaceutical spam campaign. This is an order of magnitude less than previous speculations. It is also a hint that Storm may be a vertically integrated business: the profit margin from selling pharmaceuticals would be very low if Storm were selling spam to a third party at the reported market price for spam.

Another interesting presentation was Peter Van Rossum's, which focused on new vulnerabilities of the Mifare Classic smartcard. Mifare Classic is the most widely used contactless smartcard on the market, with deployments such as the Oyster Card used to pay for public transportation in the Greater London area. In the presentation, four attacks were proposed that can be executed by an adversary having only wireless access to just a card. This is an important advance, since previous attacks against the card required access to a legitimate reader, which allowed vendors to refute their applicability in realistic situations. Although NXP (manufacturer of the Mifare Classic) is already preparing a successor to the vulnerable card that fixes the identified problems, the existing cards cannot be fixed and should be replaced. The case proves that candidate technologies for use in critical infrastructures (such as public transportation) should be closely scrutinized by experts before a final decision is made on whether they are suitable for the desired use.

Overall, the 2nd FORWARD workshop was very interesting. The insightful presentations and the friendly atmosphere contributed to constructive discussions that helped participants get a more concrete view on the threats that they will be called to encounter in the near future. Seeing more events with similar scope in Europe would be very beneficial for the European ICT security research community.
