Wednesday, May 27, 2020

2020 NSF Cybersecurity Summit will be Online September 22-24, 2020

Dear Trusted CI community,

This year’s NSF Cybersecurity Summit will be online, with no in-person meeting as originally planned. Please continue to hold September 22-24, 2020 for this event.

This decision was based on the feedback you gave us to our survey, discussions with our program committee, our assessment of conditions with an emphasis on your safety, and reports we are hearing from many of you that travel funding will be challenging for your institutions. We regret not being able to interact in person but look forward to an interactive event and seeing you again in 2021.

Please watch the Trusted CI Blog and Announcement email list for more updates, including a Call for Participation and subsequently a program. We are working with our program committee, who deserve extra thanks for their efforts in these new circumstances, to develop a program that takes advantage of the online nature to deliver a quality event we hope will make up for some of what we will miss from being together in-person.


Von Welch
Director, Trusted CI

Tuesday, May 19, 2020

Transition to practice success story: Securing payment card readers with Skim Reaper

Skimmers want the data on your payment cards

Transition to practice is really a passion of mine. It is wonderful to write papers and have great ideas. But it is even cooler to get a million people using it. – Professor Patrick Traynor.

Patrick Traynor, Ph.D., is the John and Mary Lou Dasburg Preeminent Chair in Engineering and a professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper. (Read his full bio at the end of this article.)

Trusted CI spoke with Professor Traynor about his experience transitioning Skim Reaper from a lab experiment into a real-world product.

Trusted CI: How did the Skim Reaper project get started?

We were doing work on how mobile payments are done in the developing world. Imagine that you don't have a credit card, you don't have access to a traditional bank, but you have a cell phone. People were texting each other and trading top-up minutes as currency. Safaricom in Kenya started allowing people to exchange cash instead of minutes.

The first digital payment system for much of the developing world is called M-Pesa. There'll be tremendous advantages bringing such systems here to the US. But in the process of doing that work, we were looking at how traditional payment systems work.

Skim Reaper was an offshoot of an NSF-funded project on trying to secure modern payments (NSF grant 1526718). It's not like credit cards are going to disappear anytime soon. We're going to have more types of payments, so we're going to have to secure these legacy things.

I had my credit card stolen six times in three years. When I talk to academics about credit card fraud, everyone treats it as a solved problem. When I went through the process with a debit card, the money was out of my account for a long period. I started thinking about how people who are financially vulnerable might go long periods without cash. I thought we needed to do something—to look at how we can push back against credit card skimming.

Trusted CI: How does Skim Reaper work?

The Skim Reaper is a card that's swiped or dipped into the payment terminal, just like a credit card. It's a device about the size and shape of a credit card. It determines how many times it's being read. That's a very simplistic version of what it's doing. But with the kind of credit card skimming that we're going after, the adversary adds a second read head to the card reader. They'll do that by overlaying it. Or they'll put one deep inside, called deep insert.

The card reader itself is going to get a normal read, but so too will the attacker. By developing a device that counts the number of times it's being read and then compares that to the number of times it should be being read, we know whether you have additional read heads in place and therefore whether there's a skimmer.

If a skimmer is in place, the device will turn on a red LCD. If the blue LCD lights up, everything is fine. Something like 10% of the population is red-green colorblind. So, we chose a blue light instead of green. We tried to be as inclusive as possible in the design.

Trusted CI: Did you have any NSF funding for Skim Reaper?

We had no explicit NSF funding for Skim Reaper other than the grant to study securing modern payments that preceded it. I have not applied for TTP-explicit funding before, but I am in the process of applying for some now. I have also applied for SBIR funding in the past as part of my work on Pindrop.

Trusted CI: Tell us how things got started.

When we started on this path, we didn't have access to credit cards skimmers. We started by looking online and trying to reach out to various law enforcement agencies, many of whom, of course, said, “who are you and why are you asking for credit card skimmers?” But we got quite lucky. We were in the process of prototyping our devices. We'd seen enough of the things online and had access to a few small units.

Then, we happened to meet the NYPD Financial Crimes Task Force attending a conference about traditional theft in retail at the University of Florida in 2017. When we met these detectives, we ran back to our lab, grabbed our prototypes, and showed them. They said they could use something like that. We flew up to New York in January 2018 at our expense with our devices for them to teach us everything they know about skimmers and then used our devices on skimmers they had previously recovered. We were in New York City for three days and the NYPD was fantastic. I mean, they were amazing. The care and the skill. They took us through the world of skimming, how it works, where it happens, and the motivations. We worked with the detectives during the day, and we'd go back at night and we would rewrite user interfaces.

Initially, our card had a box with a little LCD screen that would give instructions. They were great instructions for lab guys like me. But that's not what the detectives wanted. They said “nope, it's pretty much got to give us a thumbs up, thumbs down. The tiny print is not going to help us when we're out in the field, you just have to give us a clear signal.” We'd run back to the hotel, rewrite user interfaces, bring them back, test them again. Then on the second day, we saw how they were using them. And the original devices we had literally held together with electrical tape and Gorilla glue. We had to find a Home Depot in Manhattan on the second night because we had to essentially tape them back together.

We learned a lot about how users wanted to use the device, how durable it would have to be, and what the procedures around the use of the device might be. That experience was invaluable. We kept great contact and left five prototypes with the NYPD. About a month and a half later, they came back to us and said that they had used the device on an ATM in Queens. They had a positive hit. They did a stake out, and ultimately were able to make an arrest and conviction based on the use of our device.

Trusted CI: How did the project then transition to a product?

From there, things grew quickly. We started getting media coverage and all of a sudden this project that had happened really out of my own shame for having my credit card stolen so many times, resulted in probably 2,000 phone calls to my office and thousands and thousands of emails. We realized this was widespread. We were prototyping as fast as we possibly could. It probably took us fifteen hours to make a single device. But now, we had requests for thousands. We had to try and do this professionally because we couldn't send out something that as we saw lasted a couple of days. We needed to transition this into a real product. And that's what we spent the next year doing.

Trusted CI: Talk about the scope of your potential customers.

We started off working with law enforcement because they had the most examples of credit card skimmers and they're the ones who are generally called in to deal with the problem when it exists. But ultimately what we're doing is trying to make this available to companies, vendors, and retailers because they're the ones that have the point-of sale-units. They're the ones who are being attacked. It’s the same reason that every retailer needs to have locks on their doors. We think every retailer that takes credit cards, debit cards, or gift cards needs to have a Skim Reaper. They need to know that their customers are going to be secure when they make those payments. And in fact, we've heard anecdotally, and I know for myself, when consumers feel like yours is the store where their card has been skimmed, they stop going there. We think it's on retailers to deploy these devices.

Trusted CI: What about banks or ATM manufacturers?

We are working with multiple companies in the financial industry. There are multiple banks of varying sizes that we currently have as customers.

One of the most important things for a transition that I've found is it's not just about having a good pitch. It's not just about having a good product; it's about getting in front of the right people. The media coverage has really helped. (How the 'Skim Reaper' is trying to kill credit card skimming devices) (How the 'Skim Reaper' protects you from credit card skimmers)

Many industries don't want to talk about security problems, at least publicly. And that's a natural thing. You don't want your consumers to think that you are more vulnerable than the competition. But by working with law enforcement, by doing media outreach with them, this allows other businesses to admit that is a problem for them and they often reach out directly to us.

Trusted CI: Without disclosing any customers, how big have you grown?

We started selling in August of 2019, and we're now deployed in 20 states and internationally.

Trusted CI: Would you like to make any acknowledgments?

I really want to thank the NYPD Financial Crimes Taskforce. If they hadn't taken a chance on us early on, we probably wouldn't be having this conversation. But I'm also grateful to the local police department here in Gainesville, Florida. They've been tremendous. Beyond that, the Department of Agriculture and Consumer Services in the State of Florida are responsible for ensuring that gas pumps pump the correct amount that you pay for. But because they're on the ground and out inspecting pumps, they're often the ones that come across skimmers. And for the last two years they've really been a tremendous resource and we very much enjoyed working with them. All these folks continue to help us by giving us access to the newest skimmers that are out there so that we can make sure that number one, our devices continue to work. And number two, we have new things in the pipeline which will come out soon.

Again, I can't speak highly enough about our law enforcement partners. These folks work hard and need the resources to do their job as effectively as possible. And all throughout this transition process, it just wouldn't have been possible without willing law enforcement partners.

Trusted CI: Tell us about your support structure.

We provide videos and we often Skype with customers to make sure that they know how to use it correctly. So far, we've had minimal requests for support. But again, the experience with the NYPD showed us how to simplify the interface. A tool that's likely to give retailers any kind of help in this space has got to be easy enough that it can be learned in two minutes.

Trusted CI: How widespread is skimming?

This is one of the interesting questions we're trying to answer. The best example comes from colleagues at the Department of Agriculture. They often pull out skimmers from gas pumps and they're wrapped in tape and on occasion they'll have numbers on them. I was told a story where somebody in one day pulled out a number 17, a number 32, and he said, “that's great, I have two but where's one through 16, 18 through 31? And what's the stopping number?” Their guess, based on how many they were pulling, was that they were getting about 5% of what's out there.

Prior to the Skim Reaper, there really weren't any tools to know the numbers because these things are often undetected. Sometimes they are recovered and taken away, sometimes the bad guys come back and take them and move them to other spots. Knowing the scale of the problem is quite difficult. But I think anecdotally, we all know someone who's had their credit card stolen. And if it's not you, you're lucky.

Trusted CI: Talk about some of the other things you're working on.

I'm fortunate to have a wonderful group of incredibly talented and diverse students here at the University of Florida. We're working on a huge range of problems, everything from security and microfinance to detecting deep fake voices and disinformation. We're also looking at strengthening two-factor authentication for common users. Our work really runs the gamut. And that's only possible because of NSF funding. Most of my students are indeed funded by the NSF, and we're quite fortunate.

Skim Reaper is my third startup. I want to try and help incentivize junior scientists and help make that path a lot easier because it's tough, but it's been worth it.

Trusted CI: Why is transitioning to practice important?

In a keynote I gave, I had a slightly darker take on this. The NSF is funding us for a long time and we're quite fortunate and we're doing great work. But at some point, they might say, “We're just not winning the battle. The return on investment isn't high enough.” We may need to do this for our own survival. And quite frankly, the world needs us, and the world needs our innovation. I like that more positive spin on it.

Trusted CI: Any last thoughts?

One last thing I do want to plug. We made a conscious decision that are our devices are manufactured in the US. They're manufactured in Houston. This is important to us because the ideas were generated in the US and we're now helping to create high-tech jobs in Houston. We think that this is a great example of reasons to invest in science. We're creating jobs from the ideation to the manufacturing phase. And they're all happening here in the US.


Patrick Traynor is the John and Mary Lou Dasburg Preeminent Chair in Engineering and a Professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. His research has uncovered critical vulnerabilities in cellular networks, developed techniques to find credit card skimmers that have been adopted by law enforcement and created robust approaches to detecting and combating Caller-ID scams.

He received a CAREER Award from the National Science Foundation in 2010, was named a Sloan Fellow in 2014, a Fellow of the Center for Financial Inclusion at Accion in 2016 and a Kavli Fellow in 2017. Professor Traynor earned his Ph.D and M.S. in Computer Science and Engineering from the Pennsylvania State University in 2008 and 2004, respectively, and his B.S. in Computer Science from the University of Richmond in 2002. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper.

Monday, May 18, 2020

Trusted CI policies for managing information that you share with us

Trusted CI greatly values the trust the community has in us. That trust enables the sharing of your experiences with us knowing we’ll treat what is shared with appropriate respect and confidence. We also recognize that you look to us to synergize experiences and lessons broadly, serving the community as a knowledge hub and allowing all of us to build on each other's knowledge. Hence, Trusted CI seeks to balance two principles:

  1. Trusted CI controls the management and distribution of confidential data such that community members are comfortable sharing such data with Trusted CI during the course of collaborations, engagements, etc.
  2. Trusted CI seeks to share information broadly with the community to facilitate learning from common experiences.
As Trusted CI has grown and matured, we have recognized the need to mature our processes to ensure we live up to these principles, and our processes to do so are well understood by both Trusted CI team members and our collaborators. To that end we have published two new policies we adhere to:

We are making these policies public along with the rest of our cybersecurity program to promote your trust and provide examples for others to use. As always, we recognize the expertise in the community and welcome your feedback and suggestions.

Results of survey on 2020 Cybersecurity Summit

The NSF Cybersecurity Summit Organizers would like to thank the community for providing comments on planning for the 2020 Summit in light of the Pandemic crisis. We are considering options in consultation with the program committee, taking this community input into account, and will make an announcement regarding our plans for the Summit as soon as they are finalized. We felt the survey responses might be of interest to others who face similar event planning uncertainties. Here are some key takeaways from the survey:
  • The Community greatly appreciated the opportunity to voice their opinion on the 2020 Summit.
  • Face-to-Face events provide many benefits for social networking that virtual meetings can't yet replicate.
  • However, the majority of respondents prefer having some type of virtual summit.
  • There were multiple comments that full-day programs are not desirable ("Zoom-Fatigue")

 The aggregated results are as follows:

Question #2 complete legend to responses

Friday, May 8, 2020

Open Storage Network (OSN) and Trusted CI Complete CyberCheckup

The Open Storage Network (OSN) is an NSF-funded pilot project (OAC 1747483, 1747490, 1747493, 1747507, and 1747552). The OSN pilot project's goal is to design and test a cooperative multi-institution, research-oriented storage and transfer service, including a governance model to manage both the technical system and user allocations. The outcome of the pilot project will direct the design of a national scale infrastructure that can serve as a storage substrate along with NSF's other national investments (e.g., XSEDE) and network implementations supported by NSF's CC* program.

OSN is a distributed storage infrastructure accessible via national research and education networks (NRENs). To evaluate the current state of this infrastructure, OSN performed a Trusted CI CyberCheckup, which is an engagee-driven, self-evaluation of a project's cybersecurity readiness. Trusted CI staff provided templates to be used for the CyberCheckup as well as assistance in filling out the templates.

OSN staff first used Trusted CI's "Securing Commodity IT in Scientific CI Projects" spreadsheet to evaluate five facilities including NCSA, SDSC, RENCI, MGHPCC, and JHU. These results were then used to evaluate the OSN system as a whole. OSN staff next completed Trusted CI's "Information Security Program Evaluation" questionnaire. This document was used to capture the current state of the OSN information security program as well as find potential security policy gaps in the pilot program. The output from these CyberCheckup documents will be used by OSN to better secure future phases of the project.

Monday, May 4, 2020

Windows 7 end-of-life security mitigation

On January 14, 2020, Windows 7 entered its End of Life phase.  This means Microsoft no longer offers patches or security updates for Windows 7.  As a result, Windows 7 will be vulnerable to attacks that currently supported Windows operating systems will have patched in future updates.  While our guideline would optimistically be to update any Windows 7 system to supported operating systems, we realize some legacy software and hardware used across the medical and scientific community may not be compatible.

Alternative solutions were raised in discussions on the Trusted CI discuss email list, an article from the University of Michigan, an article from CSO online about isolating the device, and an article from Electronic Specifier focused on medical devices.  From these resources, we offer the following guidelines to reduce the risk of the system to your cyber infrastructure environment, depending on the needs of the host.

Universal controls that apply to all scenarios:
  • Reduce the functionality of the device to only the legacy software needed by doing the following:
    • Uninstall all unnecessary software
    • Turn off all unneeded network services
    • Don't use the system for web browsing or other network client based activities that are non-essential
  • Do not open any new office documents on the system
  • Monitor traffic between host and network at boundaries
Scenario 1: The host is a control system and has no need for access to network
  • Remove host from network, preventing access
  • Prevent accidentally connecting to network by staff by covering Ethernet and USB ports with warning stickers

Scenario 2: The host is a control system where the user physically accesses the host and needs to access the network for sensors as well as to upload data to a server

  • Segment the host from the network via restricted VLAN, allowing access to chosen devices
  • Use local firewall rules to only allow outbound data from host for uploading data and inbound data to host from the specific sensor IPs
  • Disable outside access with a GPO (Group Policy Object) or your local policy

Scenario 3: The host is a control system and needs to allow remote control access and the serving of  data
Trusted CI worked with the Gemini Observatory
in the past on a cyber infrastructure engagement
  • Insert secure bastion host between Windows 7 host and network, requiring access to the bastion host before accessing the Windows 7 host
  • Ensure bastion host follows security best practices for a bastion host role, including multi factor authentication (MFA)
  • Use local firewall rules to limit access to the Windows 7 host
  • Disable outside access with a GPO (Group Policy Object) 

These steps reduce potential risk as well as the impact of a security event should the system become compromised.  In addition to these steps, ensure leadership is informed of the additional risk from this system by informing project leadership. This list is also applicable to other unsupported systems that are vulnerable.  Users of Windows 7 systems can also pay for extended security updates from Microsoft for the next 3 years, which varies in cost by the version of Windows 7 and doubles in price each year.

Trusted CI Webinar May 18th at 11am ET: Is Your Code Safe from Attack? with Barton Miller and Elisa Heymann

University of Wisconsin-Madison's Barton Miller and Elisa Heymann are presenting the talk, "Is Your Code Safe from Attack?" on May 18th at 11am (Eastern).  

This month's webinar is one week early to accommodate the Memorial day holiday.

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The science and cyberinfrastructure community writes a huge quantity of software in the form of services, web applications, and infrastructure to support its mission. Each deployed software component can open your organization to the risk of attack, creating violations of data integrity and privacy, and provide unauthorized access to your computing and science infrastructure. An important part of preventing such attacks is an in-depth review of your code.
The goal of an in depth code review is to understand the structure of your software, identify the critical parts of code and the resources they control, understand trust and privilege, and then use this information to focus key parts of the code. Such a review can identify design issues, coding problems, and deployment mistakes. By focusing on the software structure and resources, you can anticipate types of vulnerabilities that have not yet been seen in the wild. This type of review can take beyond the capabilities of penetration testing.
We will briefly describe our First Principles Vulnerability Assessment (FPVA), which we have applied to a wide variety of real-world software, under the aegis of TrustedCI and other organizations. This software has included systems such as HTCondor, Wireshark, Singularity, Google Chrome, and even software that controls almost half the container shipping ports in the world.
We will describe our experiences with such assessments and discuss how you, as an organization that writes or deploys custom software can access or create such an assessment and how you would work with the assessment team. And, importantly, we will discuss how you respond to the identification of vulnerabilities in your software.
Speaker Bios:

Barton Miller is the Vilas Distinguished Achievement Professor, and Amar & Belinder Professor of Computer Sciences at the University of Wisconsin-Madison. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility, leads the software assurance effort for the NSF Cybersecurity Center of Excellence (TrustedCI), and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.

In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation". Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.

Elisa Heymann is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin-Madison, and an Associate Professor at the Autonomous University of Barcelona. She co-directs the MIST software vulnerability assessment at the Autonomous University of Barcelona, Spain.

She coordinates in-depth vulnerability assessments for NFS Trusted CI, and was also in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects:  EGI-InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include software security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."