Cyber Security Information Sharing presented at DeepSec 2014

by Oscar Serrano,

Summary: Organizations operate increasingly in a coalition and federated environment, and the necessity of relying on each other's information systems in such an environment increases the need to exchange various types of cyber security information, such as data on vulnerabilities, threats and incidents at both the strategic and tactical levels. However, information sharing between partners remains a critical requirement that is only partly met by various approaches that do not deliver the required efficiency and effectiveness.
It is also becoming increasingly apparent that, given the complexity of modern communication and information systems (CIS) and the speed at which cyber-attacks progress, there is a need to develop highly automated cyber security capabilities. The ideal responses in a number of current and future cyber-attack scenarios rely on the use of automated processes. Since automation is a function of a set of input data, the correctness of this input data is critical: it must be both comprehensive and accurate. However, collecting and assuring the quality of the cyber security data required to support automation is a daunting task that few, if any, organizations can actually perform. In a coalition environment, it is necessary to pool expert resources in a burden-sharing arrangement to collect and assure cyber security data. It is also necessary to allow for the commercial outsourcing of this work.
This presentation introduces the main problems that organizations face when sharing cyber security information and proposes solutions that, once implemented, would enable the development of a comprehensive platform for cyber security information sharing.
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the NATO Communications and Information Agency, nor do they represent an endorsement of any kind.
Oscar Serrano holds PhD, master's and bachelor's degrees in Computer Engineering. He has worked for more than 12 years as a consultant and researcher for large international companies, including Telefonica, Vodafone, the Austrian Institute of Technology, Siemens and Eurojust. In August 2012, he joined the North Atlantic Treaty Organization (NATO) as a senior scientist in the field of cyber security, where he supports NATO efforts to improve the cyber defence capabilities of the alliance.
His research interests include cyber security information sharing, detection of advanced threats, risk analysis and management, policy and governance development, and cyber law.

Social Authentication: Vulnerabilities, Mitigations, and Redesign
Marco Lancini
As social networks have become an integral part of online user activity, a massive amount of personal information is readily available to such services. In an effort to hinder malicious individuals from compromising user accounts, high-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA), which requires users to identify some of their friends in randomly selected photos to be allowed access to their accounts.
In this work, we first studied the attack surface of social authentication, showing how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook. We empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as when following a more active approach to gather restricted information, and we then designed an automated attack able to break SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on the part of an attacker.
We then revisited the Social Authentication concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Our core concept is to select photos in which state-of-the-art face-recognition software detects human faces but cannot identify them due to certain characteristics. We implemented a web application that recreates the SA mechanism and conducted a user study that sheds light on user behavior regarding photo tagging, and demonstrated the strength of our approach against automated attacks.
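As an added illustration (not code from the talk or from the authors' proof-of-concept), the following Python models the quantity the attack-surface study estimates: how the fraction of a victim's friends for whom an attacker has already trained face models translates into the probability of passing an SA challenge. The challenge shape (number of photos shown, number that must be identified, number of retries) and the recognizer accuracy are assumed parameters chosen for the example, not values taken from the abstract.

```python
"""Added illustration: face-model coverage vs. SA challenge pass probability.

All challenge parameters here are assumptions for the example, not values
reported in the talk abstract.
"""
from math import comb


def photo_solve_probability(coverage: float, accuracy: float) -> float:
    """Probability that a single challenge photo is answered correctly.

    coverage: fraction of the victim's friends for whom the attacker already
              holds a trained face model (built from public or crawled photos).
    accuracy: probability that the recognizer labels a modelled face correctly.
    A photo of an unmodelled friend is treated as unanswerable (assumption).
    """
    for value in (coverage, accuracy):
        if not 0.0 <= value <= 1.0:
            raise ValueError("coverage and accuracy must lie in [0, 1]")
    return coverage * accuracy


def challenge_pass_probability(n_photos: int, k_required: int, p_photo: float) -> float:
    """P(at least k_required of n_photos are solved), photos treated as independent.

    Binomial tail: sum_{i=k}^{n} C(n, i) * p^i * (1 - p)^(n - i).
    """
    if not 0 <= k_required <= n_photos:
        raise ValueError("need 0 <= k_required <= n_photos")
    return sum(
        comb(n_photos, i) * p_photo ** i * (1.0 - p_photo) ** (n_photos - i)
        for i in range(k_required, n_photos + 1)
    )


def attack_success_probability(n_photos: int, k_required: int, coverage: float,
                               accuracy: float, attempts: int = 1) -> float:
    """Probability that at least one of `attempts` challenges is passed.

    Each retry is assumed to draw fresh photos, so, conditional on the
    attacker's fixed coverage, attempts are modelled as independent.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    p_photo = photo_solve_probability(coverage, accuracy)
    p_pass = challenge_pass_probability(n_photos, k_required, p_photo)
    return 1.0 - (1.0 - p_pass) ** attempts


def coverage_sweep(n_photos: int, k_required: int, accuracy: float,
                   attempts: int = 1, steps: int = 10) -> list:
    """Success probability for coverage = 0, 1/steps, ..., 1.

    Useful for locating the knee where crawling more friend photos stops
    paying off for the attacker.
    """
    return [
        (c / steps,
         attack_success_probability(n_photos, k_required, c / steps, accuracy, attempts))
        for c in range(steps + 1)
    ]


if __name__ == "__main__":
    # Hypothetical challenge: 7 photos shown, 5 must be identified, 3 retries allowed.
    for coverage, p in coverage_sweep(7, 5, accuracy=0.9, attempts=3):
        print(f"coverage {coverage:.1f}  ->  success {p:.3f}")
```

The model is deliberately simple: it ignores the correlation between friends who appear together in photos and treats every unmodelled friend as a guaranteed miss, so it slightly understates what an attacker who is allowed to skip photos or guess from context can achieve. The point it makes is the one the abstract reports: pass probability rises steeply once coverage crosses the k/n threshold, and retries multiply the effect.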