Archive for the ‘PhD’ Category

Choosing your Computer Security Conference

Wednesday, December 17th, 2008

While trawling through references, and chasing down files as part of my final PhD push, I came across a resource compiled by Guofei Gu at Texas A&M. He has provided a Computer Security Conference Ranking and Statistic page. While by his own admission it is somewhat subjective, he makes use of some interesting metrics.

If you have novel research and are looking to get the best bang for your buck, this list can help you select the right forum to present in. Particularly interesting is the statistics list showing acceptance rates for some of the major conferences over the last few years.

New Infosec Viz Tool - Picviz

Friday, October 24th, 2008

Version 0.3 of PicViz has been released, based on Python and Qt, which bodes well for potential portability. This is yet another tool to help one actually filter through piles of connections, using a classic parallel axis setup. Drilldown is offered. Some example renderings of the Kaminsky DNS attacks are available.

A more advanced version of the kind of output achievable is also provided showing how with the help of a pre-processing script, the SSH login process can be graphed:

Graphs are produced via an intermediate scripting language which has by design a strong similarity to that used by Graphviz. I'll definitely be adding this to my toolset and seeing how it handles processing of some of the rather large data sets I've got.

Verifying S/MIME content with OpenSSL

Monday, August 25th, 2008

I had an interesting question posed to me today by Dominic, who asked me to verify whether his all-new digital certificate was correctly being used for signing mail. Thunderbird sadly complained that the signature was invalid, which was unexpected, and that the issuer was unknown (expected, since it comes from a private hierarchy). The question then led to where the problem lay.

My gut feeling was that it was the disclaimer being inserted by an intermediary gateway (one has to love corpmail). Setting about proving this was the hard part. The first issue at hand was to actually extract the certificates so I could play with the verification. Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on OpenSSL support for S/MIME, which it has. OpenSSL needs a full CA path to be able to verify S/MIME signed messages. One can obtain this from various places (such as exporting from your browser), but in a case like this where a private hierarchy was being used, it's enough to just make use of a somewhat smaller subset containing only the certificates used in this chain. These can be extracted using Cert Viewer Plus. Alternately some command line magic can be used to extract the PKCS7-formatted embedded certificates out in standard PEM format, using the following command:

openssl smime -pk7out -in mail.txt | \
        openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verification. The extract.crt below can be either from the openssl method above or the Cert Viewer Plus PEM dump.

openssl smime -CAfile extract.crt -verify -in mail.txt

Now we actually have a more usable error message. Although I really don't know why I have such a deep distrust of GUI apps for actually telling me what is wrong.

Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected the digest failed, which led to an overall signature failure. The next step was to see if removing the disclaimer worked. Repeating on a slightly edited version of the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was whether the signature system was working correctly, which it now was. The differences between the two mail files were checked using diff:

diff -u mail.txt  mail2.txt
--- mail.txt         Mon Aug 25 18:06:33 2008
+++ mail2.txt      Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
    South Africa

-Important Notice: This email is subject to important restrictions, qualifications
 and disclaimers ("the Disclaimer") ..that all was one very long line that made
 up the corporate disclaimer.....
-
-
-
 ------=_NextPart_000_0048_01C906C7.DB6FB700
 Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"

From the above the only difference shown is that a mail gateway had added in an extra four lines of disclaimer and whitespace padding. The question now evolves as to how to provide the now pretty much ubiquitous organisational disclaimer in outgoing mail in such a way that it doesn't trash any cryptographic operations in which the mail is involved. I've gone back over mails from a couple of other people in corporate South Africa that I know, and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separate MIME component, which interestingly is what one university here does (although it insists on prepending its MIME-encapsulated HTML disclaimer, which makes for really ugly mail reading!).
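To make the two gateway behaviours concrete, here is an added example (not code from the post, and not OpenSSL or Thunderbird code) that builds a multipart/signed message with the Python standard library and then runs both gateway variants over it. A keyed HMAC stands in for the CMS/PKCS#7 signature so that it runs without certificates; what matters is the MIME structure and the bytes being protected: as in RFC 1847, the signature covers the first body part exactly as it appears on the wire, so a gateway that appends a disclaimer inside that part changes the digest, while a gateway that wraps the intact signed entity in a new multipart/mixed alongside a disclaimer part does not. The addresses, boundary strings, key and disclaimer text are all constructed for this example.

```python
"""Added example: gateway-appended disclaimer vs. disclaimer as a sibling MIME part.

Standard library only. A keyed HMAC stands in for the PKCS#7 signature; the
protected bytes are the first body part of the multipart/signed entity as it
appears on the wire (RFC 1847 / RFC 2046)."""
import hashlib
import hmac
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SMTP = policy.SMTP                          # CRLF line endings, as on the wire
SIGNING_KEY = b"constructed-demo-key"       # stands in for the sender's private key
SIG_BOUNDARY = "sig-boundary-constructed"   # constructed boundary strings
MIXED_BOUNDARY = "mixed-boundary-constructed"
DISCLAIMER = ('Important Notice: This email is subject to important restrictions, '
              'qualifications and disclaimers ("the Disclaimer").')


def first_body_part(raw, boundary):
    """Bytes of the first body part of the multipart entity using *boundary*.

    Per RFC 2046 the CRLF before a delimiter belongs to the delimiter, so the
    part ends just before b"\\r\\n--boundary"."""
    delim = b"--" + boundary.encode("ascii")
    start = raw.index(delim + b"\r\n") + len(delim) + 2
    end = raw.index(b"\r\n" + delim, start)
    return raw[start:end]


def signed_entity(msg):
    """The multipart/signed entity, whether top-level or wrapped in another multipart."""
    return next(p for p in msg.walk() if p.get_content_type() == "multipart/signed")


def build_signed_message(body_text):
    """Produce a multipart/signed message whose 'signature' covers the text part."""
    content = EmailMessage(policy=SMTP)
    content.set_content(body_text)
    signed = MIMEMultipart("signed", boundary=SIG_BOUNDARY,
                           protocol="application/pkcs7-signature", micalg="sha-256")
    signed["From"] = "dominic@example.com"
    signed["To"] = "barry@example.com"
    signed["Subject"] = "Constructed test message"
    signed.attach(content)
    # Serialise once to learn the exact on-the-wire bytes the signature protects.
    protected = first_body_part(signed.as_bytes(policy=SMTP), SIG_BOUNDARY)
    sig = hmac.new(SIGNING_KEY, protected, hashlib.sha256).digest()
    signed.attach(MIMEApplication(sig, "pkcs7-signature", name="smime.p7s"))
    return signed.as_bytes(policy=SMTP)


def verify(raw):
    """Recompute the 'signature' over the first body part and compare with the one carried."""
    msg = message_from_bytes(raw, policy=SMTP)
    try:
        signed = signed_entity(msg)
    except StopIteration:
        return False                        # nothing signed at all
    protected = first_body_part(raw, signed.get_boundary())
    carried = signed.get_payload(1).get_payload(decode=True)
    expected = hmac.new(SIGNING_KEY, protected, hashlib.sha256).digest()
    return hmac.compare_digest(carried, expected)


def gateway_append_into_body(raw):
    """The behaviour seen in the post: disclaimer and blank lines appended inside the signed part."""
    signed = signed_entity(message_from_bytes(raw, policy=SMTP))
    protected = first_body_part(raw, signed.get_boundary())
    padded = DISCLAIMER.encode("ascii") + b"\r\n\r\n\r\n"
    return raw.replace(protected, protected + padded, 1)


def gateway_wrap_as_separate_part(raw):
    """The alternative: leave the signed entity untouched and add the disclaimer as a sibling part."""
    inner = message_from_bytes(raw, policy=SMTP)
    outer = MIMEMultipart("mixed", boundary=MIXED_BOUNDARY)
    for name in ("From", "To", "Subject"):   # envelope headers move to the new top level
        outer[name] = str(inner[name])
        del inner[name]
    del inner["MIME-Version"]               # only the top-level entity carries it
    outer.attach(inner)
    outer.attach(MIMEText(DISCLAIMER))
    return outer.as_bytes(policy=SMTP)


if __name__ == "__main__":
    original = build_signed_message("Hi Barry,\n\nplease check my new certificate.\n\nDominic\n")
    cases = (("original", original),
             ("disclaimer appended inside the signed part", gateway_append_into_body(original)),
             ("disclaimer as a separate MIME part", gateway_wrap_as_separate_part(original)))
    for label, raw in cases:
        print(f"{label}: {'Verification successful' if verify(raw) else 'Verification failure'}")
```

The appended-text case fails for the same reason the openssl run above reported a digest failure: the bytes between the first boundary and the signature part no longer match what was signed. The wrapped case passes because a verifier locates the multipart/signed entity wherever it sits and checks only its first body part, which the wrapping gateway never touched.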

Applied Security Visualization released

Thursday, August 21st, 2008

I probably should have posted this a while back, but it's still worth noting that Raffael Marty's Applied Security Visualization has been released, and includes a copy of the DAVIX CD as distributed at Defcon 16 (davix-1.0.1-defcon16.iso.gz, also obtainable from the homepage, includes a couple of packet traces as used in the Defcon workshop), which includes a copy of InetVis as one of their four chosen visual analysis tools on the live CD.

For the impatient, some instructions are available for getting started. Now to work out what else to order from Amazon so that the 40 USD special shipment fee hurts a little less (thanks to our totally criminal and incompetent post office in South Africa).

Failing that, it's time to wait till the local places get round to stocking it.

VizSec 2007 proceedings out

Monday, June 16th, 2008

The Proceedings of the 2007 Workshop on Visualization for Computer Security (VizSec 2007) are finally available. Springer has the book available for order at a princely 60 Euros. Amazon has the book listed but not yet available for shipping, but one can pre-order. For those interested, Springer has a flyer and table of contents available. PDF versions of the presentations given are available from the VizSec 2007 website.

My copy should hopefully be arriving in the next few weeks, but I'm looking forward to the work done by John R Goodall, Gregory Conti and Kwan-Liu Ma as editors. I'm just sorry I'm not going to make VizSec 2008 this year.

The two papers that I presented are (links to the PDF slides):

DAVIX live CD looking for Beta Testers

Sunday, June 15th, 2008

DAVIX is the upcoming live CD for data analysis and visualization, which will be released at Blackhat/DEFCON in Las Vegas this summer, with another talk at VizSec 2008. From the VizSec.org announcement:

Jan Monsch and Raffael Marty have prepared the second beta version of DAVIX, and are now seeking beta testers that have the time to test DAVIX and answer the questionnaire that comes along with the beta version. All completely filled out questionnaires received by me until Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy's upcoming book "Applied Security Visualization".

If you want to participate in the beta test please contact: jan.monsch ät iplosion.com

What makes me quite happy is that they have included InetVis as one of their four chosen visual analysis tools on the live CD.

I've been playing with this since this morning and so far so good.

Visualizing Viruses

Thursday, June 12th, 2008

Wired has an article on the artwork done by MIT Media Lab grad student Alex Dragulescu. Working under contract to MessageLabs he has produced a number of pictures, showing images of Mydoom, Ghost Keylogger and other bits of malware.
While all quite pretty, there seems to be no detail of how they were created in the original post, although the MalWarez link on his homepage describes the process as follows:

..For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity.

The Storm Worm is probably my favorite of the visualizations. He also has an interesting set of images entitled SpamPlants, based on input relating to the ASCII character frequency of spam messages.

Now this sounds like a great project for an aspiring security researcher with a graphical bent.

Another RFC to BibTeX script

Monday, June 9th, 2008

Following from my earlier post regarding a pre-compiled BibTeX database of all Internet RFCs, I discovered while browsing the CTAN archives that Richard Mortier wrote an awk script back in 2000, while at the Cambridge Computing Lab, that does something similar. For purists who don't trust this newfangled XML and XSLT stuff, it's available at:

http://www.ctan.org/tex-archive/biblio/bibtex/utils/misc/rfc2bib.awk

Or other CTAN mirrors closer to you.

New Hilbert Release

Wednesday, June 4th, 2008

With Nick now in Grahamstown, development on the Hilbert Curve application has progressed well. Version 4.05 has been released around a month after the 2.05 edition previously mentioned, and is heading much closer towards completion. The Unix build scripts still need to be integrated, but there has been much improvement. The most noticeable improvements are in the processing speed, now around 90 seconds for a datafile of 53 million addresses, and its ability to put out some very high-res images (4096×4096) when working with higher order curves. At this resolution we are able to present a single pixel as representing a class C network, or in effect 256 individual IP addresses. The updated release also allows for the application of image overlays when in interactive mode, which can make navigation significantly easier.

A sample of the kind of output is seen below (full resolution image is 990K) which shows destination IP addresses harvested from the Albany Schools Cache server during January through May 2008:

A plot of 53 million packets from the CAIDA telescope project - 27 Feb 2007 midnight to 6am:

With these higher resolution images available, analysis can be performed at a much finer grained level.
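As an added example of the mapping behind such a plot (not code from the Hilbert Curve application itself), the following uses the standard iterative Hilbert curve conversions d2xy/xy2d at order 12: a 4096×4096 grid has 2^24 cells, so each pixel covers 2^32 / 2^24 = 256 addresses, one /24, exactly as the post describes. The helper names and the sample addresses (documentation ranges) are constructed for this example.

```python
"""Added example: the order-12 Hilbert curve mapping of IPv4 space to a 4096x4096 raster.

d2xy/xy2d are the standard iterative Hilbert conversions; the IP helpers and
the sample data are constructed for this page, not taken from the application."""
import ipaddress
from collections import Counter

ORDER = 12
SIDE = 1 << ORDER                                  # 4096 pixels per side
ADDRS_PER_PIXEL = (1 << 32) // (SIDE * SIDE)       # 256 addresses, i.e. one /24 per pixel


def _rot(n, x, y, rx, ry):
    """Rotate/flip a quadrant so the sub-curve joins up with its neighbours."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n, d):
    """Distance d along the curve -> (x, y) on an n x n grid (n a power of two)."""
    x = y = 0
    s = 1
    while s < n:
        rx = 1 & (d // 2)
        ry = 1 & (d ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y


def xy2d(n, x, y):
    """Inverse of d2xy: (x, y) on an n x n grid -> distance along the curve."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        x, y = _rot(n, x, y, rx, ry)
        s //= 2
    return d


def ip_to_pixel(ip):
    """Pixel for an IPv4 address: the curve index is the address with the host byte dropped."""
    return d2xy(SIDE, int(ipaddress.IPv4Address(ip)) // ADDRS_PER_PIXEL)


def pixel_to_network(x, y):
    """The /24 that a pixel stands for."""
    return ipaddress.IPv4Network((xy2d(SIDE, x, y) * ADDRS_PER_PIXEL, 24))


def pixel_counts(ips):
    """Hits per pixel: the raster a plot of harvested addresses is built from."""
    return Counter(ip_to_pixel(ip) for ip in ips)


if __name__ == "__main__":
    # Constructed sample using documentation ranges, not real traffic.
    sample = ["192.0.2.1", "192.0.2.200", "192.0.2.77", "198.51.100.9", "203.0.113.5"]
    for (x, y), hits in sorted(pixel_counts(sample).items()):
        print(f"pixel ({x:4d},{y:4d}) = {pixel_to_network(x, y)}  hits={hits}")
```

Because consecutive curve indices are always adjacent pixels, addresses in neighbouring /24s land next to each other on the raster, which is what makes a whole /16 or /8 show up as a compact blob rather than a scattered row; the round trip through xy2d is what lets an interactive viewer report the network under the cursor.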

BibTeX frequency table

Wednesday, June 4th, 2008

Something I usually ask my students to do is to draw up a frequency table of their use of references in their theses. This is useful to see if one is over-citing particular sources, or disregarding sources that are more significant. Up until now most have gone the paper and pencil route.

Fred Otten came up with the following script using good old sed, awk and some plumbing, that draws up a nice list based on an input LyX file.


#!/bin/sh
# Pull the key "..." lines out of the LyX file, strip the quotes, split the
# comma-separated keys onto separate lines and count each key.
cat "$1" | grep key\ \" |\
awk '{ print substr($2,2,length($2)-2)}' | \
sed -e s/,/\\n/g | \
awk 'BEGIN {i=0} \
{ if (temp[$1]) { temp[$1]=temp[$1]+1 } \
else { temp[$1]=1; tmp[i]=$1; i++; }; } \
END { for (j=0; j<i; j++) { print tmp[j] " " temp[tmp[j]] } }' | sort

This gives a two-column listing of the citation keys and their frequency count. This can of course be extended using further awk statements to transpose the columns, or sort by frequency rather than citation key.
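The same table, as an added example rather than the script above, done in Python so that it also handles plain LaTeX sources (\cite and its \citep/\citet variants, with optional bracketed arguments) and offers the sort-by-frequency variant mentioned. The regular expressions, function names and the sample LyX/LaTeX fragment are constructed for this example.

```python
"""Added example: citation-frequency table for a LyX or LaTeX source file."""
import re
from collections import Counter

# LyX stores a citation as a 'key "a,b"' line inside a CommandInset; LaTeX uses
# \cite{a,b} and its variants (\citep, \citet, \cite*), with up to two [..] arguments.
LYX_KEY = re.compile(r'^\s*key\s+"([^"]*)"', re.MULTILINE)
TEX_CITE = re.compile(r'\\cite[A-Za-z]*\*?(?:\[[^\]]*\]){0,2}\{([^}]*)\}')


def citation_keys(source):
    """Every citation key in *source*, one entry per use, in document order per format."""
    keys = []
    for pattern in (LYX_KEY, TEX_CITE):
        for group in pattern.findall(source):
            keys.extend(k.strip() for k in group.split(",") if k.strip())
    return keys


def frequency_table(source, by="frequency"):
    """(key, count) pairs, sorted by descending count (ties by key) or, with by="key", by key."""
    counts = Counter(citation_keys(source))
    if by == "key":
        return sorted(counts.items())
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


# Constructed input: a LyX fragment followed by a LaTeX fragment.
SAMPLE = r'''
\begin_inset CommandInset citation
LatexCommand cite
key "smith2005,jones2006"
\end_inset
\begin_inset CommandInset citation
LatexCommand citep
key "smith2005"
\end_inset
As shown earlier \cite{jones2006} and again \citep[p.~3]{doe2001, smith2005}.
'''

if __name__ == "__main__":
    for key, count in frequency_table(SAMPLE):
        print(f"{key} {count}")
```

Run against a real thesis, the keys that appear once are the candidates for a second look, and the ones at the top of the frequency sort are the ones to check for over-citing.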