Security and Privacy Research Lab

From Freedom to Tinker: “Today, the public learned of a previously undisclosed compromise of a trusted Certificate Authority — one of the entities that issues certificates attesting to the identity of “secure” web sites. Last week, Comodo quietly issued a command via its certificate revocation servers designed to tell browsers to no longer accept 9 certificates. …

“This implied that the certificates were likely malicious, and may even been used by a third-party to impersonate secure sites. …

“Clearly, something exceptional happened behind the scenes. Security hacker Jacob Appelbaum did some fantastic detective work using the EFF’s SSL Observatory data and discovered that all of the certificates in question originated from Comodo — perhaps from one of the many affiliated companies that issues certificates under Comodo’s authority via their ‘Registration Authority’ (RA) program. Evidently, someone had figured out how to successfully attack Comodo or one of their RAs, or had colluded with them in getting some invalid certs.”

Jacob Appelbaum is a UW Security and Privacy Lab researcher and a Tor developer. You can read more about Jacob’s discoveries here.

The UW CSE cyber defense competition team just won regionals! Congratulations to team members Alexei Czeskis (team captain), Ian Finder, Mark Jordan, Karl Koscher, Conrad Meyer, Baron Oldenburg, Mary Pimenova, and Cullen Walsh!

Update (4.7.2011): The Seattle Times has written an article about the team: “A team of eight University of Washington students will wage war this weekend against an expert force, defending their territory with stealth tactics and on-the-fly invention. But there are no physical weapons involved. There’s not even a physical battleground. For the fourth year in a row, the team will compete in the National Collegiate Cyber Defense Competition, in which teams from around the country attempt to shield a computer system from professional hackers aiming to cause havoc ranging from stealing trade secrets to turning home pages into random YouTube videos.”

Read the full article here.

Congratulations to Karl Koscher, Alexei Czeskis, and Franziska Roesner, and their University of California at San Diego collaborators Steve Checkoway, Damon McCoy, Brian Kantor, and Danny Anderson, whose study of the vulnerability of modern cars to remote compromise was picked up by the press after being presented to the National Academy of Sciences. (We understand some faculty at UW and UCSD were involved as well.)

The Associated Press and The New York Times broke the story, with additional coverage at Technology Review, PCWorld, Slashdot, Jamie Zawinski’s blog, Boing Boing, and The Volokh Conspiracy. More information at the CEASS site.

UW security and privacy researchers had a strong showing at the 2011 Computers, Privacy & Data Protection conference in Brussels, Belgium, winning both the Multidisciplinary Privacy Award award and an honorable mention.

The goal of the CPDP multi-disciplinary privacy research award is to promote the need for and reward the results of multidisciplinary research, with the participation of the representative of diverse constituencies engaged in the investigation of the new ideas in data protection. Any paper published or accepted for publication in 2010 was eligible to win.

UW CSE grad student Alexei Czeskis and alumni Iva Dermendjieva and Hussein Yapit won the award for their work on balancing privacy and value tensions in mobile parenting technologies (published at SOUPS 2010 with co-authors Alan Borning, Batya Friedman, Brian Gill, and Tadayoshi Kohno). Alexei, pictured on the right, went to Belgium to receive the award.

UW CSE PhD student Tamara Denning won an honorable mention for her work on analyzing human values and security for wireless implantable medical devices (published at CHI 2010 with co-authors Alan Borning, Batya Friedman, Brian Gill, Tadayoshi Kohno, and William Maisel).

Congratulations!

UW security research Karl Koscher is featured in 16:9, Canada’s version of 60 Minutes. Karl is seen discussing his research on the security and privacy properties of the new US Passport Cards and Enhanced Drivers Licenses. Also featured in the video is UW PhD student Emily Fortuna.

Jacob Appelbaum‘s new vision — to create a “home Internet with anonymity built in” — is featured in MIT’s Technology Review magazine. Jacob is a UW security and privacy lab research scientist and core Tor developer. His key idea is to integrate the Tor anonymity system directly into wireless routers, thereby making strong privacy more accessible to the general public. UW security researcher Alexei Czeskis and others from the Tor community are also participating in this project. Good luck Jacob and Alexei with this new direction!

The New York Times Magazine has a detailed article on online anonymity and the Tor project. UW security researcher and Tor developer Jacob Appelbaum is extensively quoted. Originally funded by the U.S. Department of Defense, Tor now helps protect the privacy of hundreds of thousands of people around the world.

The U.S. National Institute of Standards and Technology (NIST) has selected the Skein cryptographic hash function as one of five finalists in its SHA-3 competition. The winner will become the new U.S. hash function standard. Sixty-four proposed hash function designs were submitted to NIST when the competition began two years ago. Skein was designed by a team of cryptographers and computer security experts, including UW’s Yoshi Kohno. (If you look closely, you’ll notice that the team photo was taken in the beautiful halls of the UW Paul G. Allen Center for Computer Science & Engineering.)

The annual UW Computer Science & Engineering Industrial Affiliates Meeting took place on October 27th and 28th. On the 27th, more than 100 representatives from Affiliates companies participated in a day of research presentations, and more than than 250 Seattle-area alumni joined for an evening of posters. There were also awards. UW security and privacy lab PhD students Karl Koscher, Alexei Czeskis, and Franzi Roesner won an award for their poster on car security, and PhD student Roxana Geambasu and graduate student Amit Levy won an award for their poster on Comet: An Active Distributed Key-Value Store.

The photo at the right, taken by UW CSE faculty member Bruce Hemingway, shows (from left) Karl, Alexei, and Franzi discussing their poster with an attendee.

An article at AolNews warns of five new classes of cyber attacks, research into two of which were pioneered by UW security and privacy lab researchers. In 2008 UW researchers, in collaboration with the University of Massachusetts Amherst and the Beth Israel Deaconess Medical Center, published an award-winning paper at the 2008 IEEE Symposium on Security and Privacy evaluating the computer security risks and challenges with implantable medical devices. Earlier this year, UW and UC San Diego researchers published a paper at the 2010 IEEE Symposium on Security and Privacy describing the results of an extensive experimental analysis of a modern car. This research is forward-looking. No known threats have manifested to date, and UW researchers are now focused on developing defenses for futures medical devices and automobiles.