Projects & Presentations

Here's the menagerie of things I've been up to lately.

Building Threat Models for the Mobile Ecosystem

Android Security Symposium, 2017 (Slides)

Co-authors: Michael Peck, Christopher Brown, Spike Dog

This presentation will provide an in-depth discussion and analysis of the efforts of NIST's National Cybersecurity Center of Excellence (NCCoE) to enumerate and model threats to mobile devices, resulting in our Mobile Threat Catalogue and a mobile profile of MITRE's ATT&CK model. NCCoE's mobile security efforts are dedicated to solving enterprise mobile security challenges. In talking with mobile security stakeholders, we realized there was a need for a comprehensive catalog of threats posed to mobile devices. The resulting Catalogue outlines a taxonomy of threats, including those faced by a mobile device itself as well as the broader mobile ecosystem upon which the device depends. Each Catalogue entry includes a title, exploit examples, countermeasures, and references. The Catalogue resides on GitHub, enabling public collaboration and continuous development.

Mobile Data & Application Isolation - Project Update

Public Safety Communications Research, 2016 (Slides)

The NPSBN will enable first responders to use modern mobile devices for interoperable public safety operations. While this fundamentally changes how first responders will communicate and access public safety resources, the mobile devices, and the data and applications residing on them, need to be secured against mobile malware and other threats. Protection mechanisms will need to include methods to isolate commercial applications from mission-critical ones, while providing management and reporting capabilities to determine if a device is compromised. Note: This slide deck focuses on discussing preliminary research.

NISTIR 8071: LTE Architecture Overview and Security Analysis (Draft)

NIST, 2016 (Report)

Co-authors: Michael Bartock, Jeffrey Cichonski

Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations.

NISTIR 8080: Usability and Security Considerations for Public Safety Mobile Authentication (Draft)

NIST, 2016 (Report)

Co-authors: Dr. Yee-Yin Choong, Dr. Kristen K Greene

There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN). However, cybersecurity requirements should not compromise the ability of first responders to complete their missions. In addition, the diversity of public safety disciplines means that one solution may not meet the usability needs of different disciplines. Understanding how public safety users operate in their different environments will allow for usable cybersecurity capabilities and features to be deployed and used. Although first responders work in a variety of disciplines, this report is focused on fire service, emergency medical, and law enforcement. This report describes the constraints presented by the personal protective equipment, specialized gear, and unique operating environments and how such constraints may interact with mobile authentication requirements. The overarching goal of this work is analyzing mobile authentication technologies to explore which may be more appropriate and usable for first responders in a given environment.

NIST SP 1800-4: Mobile Device Security - Cloud & Hybrid Builds

NIST, 2015 (Report)

Co-authors: Christopher Brown, Kevin Bowler, Sallie Edwards, Neil McNab, Matthew Steele

This NIST Cybersecurity Practice Guide demonstrates how commercially available technologies can meet an organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices. In our lab at the NCCoE, part of the National Institute of Standards and Technology (NIST), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution. We demonstrate how security can be supported throughout the mobile device lifecycle.

Defending Election Campaigns from Cyberspace

BSides DC 2015 (Slides) (Code)

Co-authors: Kevin Franklin

Electoral candidates from both sides of the aisle increasingly rely on the internet to promote their brands and to focus the message of their political platforms. Yet cyberspace isn't safespace. How do voters know they're viewing a candidate's real website? How can voters ensure their online donations are actually going to a specific candidate or cause? Election cybercrime is a burgeoning area, but little data exists on the size and scope of these unscrupulous activities. We wrote our own open source suite of tools to begin to measure the scope of this problem and used it to scan every single candidate running for the House and Senate (1000+ candidates) in the 2014 General Elections. In this session we'll discuss the results of our scans and explore how candidates and voters can defend themselves online.

LTE Security - How Good Is It?

RSA 2015 (Slides)

Co-authors: Jeff Cichonski

LTE standards purport to provide strong security. However, many security protections are optional, with all the carrier-to-carrier variation that implies. We present an overview of the LTE standards, technology, and security architecture. We also describe the threats to LTE networks (rogue towers, eavesdropping, renegotiation attacks, etc.) and their mitigations, set against the security mechanisms the standards actually require.

Considerations for Identity Management in Public Safety Mobile Networks

NIST, March 2015 (Paper)

Co-authors: Nelson Hastings

NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks, analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.

Tap on, tap off: Onscreen keyboards and mobile password entry

Shmoocon 2015 (Slides)

Co-authors: Dr. Kristen K. Greene, John Kelsey

Password entry on mobile devices significantly impacts both usability and security, but there is a dearth of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usability data, in an effort to have a more meaningful comparison between usability and security. A primary accomplishment of this work is our method of optimizing the input of randomly generated passwords on mobile devices via password permutation. This is done by grouping character classes (i.e., uppercase, lowercase, digit, symbol) together to minimize the total number of required keystrokes and decrease cognitive load. We propose a measurement method for quantifying effects on entropy resulting from this password permutation. Additionally, we created and are releasing Python scripts, and make use of an existing publicly available NIST data visualization tool, to facilitate comparison between usability and security metrics.

Exploring Usability and Security Metrics for Passwords on Mobile Platforms

ACSAC 2014 Poster Session (Poster)

Co-authors: Dr. Kristen K. Greene

This poster discusses work in progress. We are exploring the current state of both usability and security metrics applicable to passwords and discuss our experiences in attempting to use these metrics in a real-world situation.

LTE Security - Facts & Fictions

BSides Charlotte 2014 (Slides) (YouTube)

This talk discusses the core concepts of LTE networks with a focus on the security mechanisms mandated by 3GPP.

Common Vulnerability Scoring System Implementation Guidance

NIST, April 2014 (Paper)

Co-authors: Harold Booth, Charles Wergin

This Interagency Report provides guidance to individuals scoring vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. CVSS defines a vulnerability as a bug, flaw, weakness, or exposure of an application, system device, or service that could lead to a failure of confidentiality, integrity, or availability. The guidance in this document is the result of applying the CVSS specification to over 50 000 vulnerabilities scored by analysts at the National Vulnerability Database (NVD). This document is intended to serve as an extension to the CVSS Version 2.0 specification, providing additional guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.

Malicious Online Activities Related to the 2012 U.S. General Election

ShmooCon 2014 (Slides)

Co-authors: Matthew Jablonski, Robert Tarlecki

This presentation looks back at the number of ways that the 2012 Presidential election was bought, sold, and manipulated through malicious online activities. We identify activities that could be classified as manipulative, mischievous, or downright illegal, such as fake campaign donation sites, political spam, attempts to sell ballots, privacy violations, and rogue Super PACs. For each of these activities we provide examples of sources that demonstrate their online presence during the 2012 election and include additional information. We also include examples of malicious election activity in recent elections. Finally, we attempt to examine and discuss the motivations and methods behind these malicious activities.

An Introduction to Cellular Security

Open Security Training, 2014 (Class Page) (Slides)

This 8-hour Open Security Training class is intended to demonstrate the core concepts of cellular network security. Although the course discusses GSM, UMTS, and LTE, it is heavily focused on LTE.

NIST SP 800-164: Guidelines on Hardware Rooted Security in Mobile Devices (Draft)

NIST, 2012 (Report)

Co-authors: Lily Chen, Andrew Regenscheid

Many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts. This document focuses on defining the fundamental security primitives and capabilities needed to enable more secure mobile device use. This document is intended to accelerate industry efforts to implement these primitives and capabilities. The guidelines in this document are intended to provide a baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD).

Common Software Weaknesses Reported in Evoting Systems

Software Assurance Forum, September 2012 (Slides)

Co-authors: Michael Kass

This presentation discusses the architectures of electronic voting systems typically used in the U.S. today, and the kinds of software security weaknesses and vulnerabilities identified in independent security assessments of those systems. In particular, reported security vulnerability information is presented from the 2007 state-sponsored California Top to Bottom Review (TTBR) and Ohio EVEREST independent security assessments of electronic voting systems used in those states.

Interpreting Babel: Classifying Electronic Voting Systems

EVOTE 2012 (Slides) (Paper)

Co-authors: Jessica Myers

Generalized Protocol for Certifying E-Voting Systems

EVOTE 2012 (Slides) (Paper)

Co-authors: Jessica Myers

Generalized Protocol for Certifying E-Voting Systems

State Certification Testing of Voting Systems National Conference, June 2012 (Slides)

Co-authors: Dr. Jay Bagga, Jessica Myers

The certification of voting systems is both an art and a science, drawing from a variety of scientific fields while requiring astute political and sociological knowledge. This work attempts to abstract from all the layers and complexities of voting system certification and propose a protocol to be used as a guide when certifying voting systems. It represents current best practices, and incorporates ideas from both the federal and state certification programs. Although the protocol is generalized, it is intended to be extremely practical. This work applies to certification at all levels in the United States, including federal, state, and local. It attempts to aggregate best practices and knowledge of certification processes at these levels to produce a certification protocol that can be continually revised. In the author's opinion, the certification authority granting or denying certification possibly plays the largest role in the certification process, in that the skill, personnel, and resources of that entity are used to assess a voting system against the certification requirements. As a best practice, the certification authority should work closely with the local election officials running elections, and incorporate this perspective into the certification process.

Checking the List Twice

State Certification Testing of Voting Systems National Conference, June 2012 (Slides)

Co-authors: Matthew Masterson, Danielle Sellars

This presentation documents our experiences in verifying the physical, software, and setup configuration of the voting systems in Ohio's 88 counties.

A Survey of Internet Voting

Election Assistance Commission, August 2011 (Paper)

Co-authors: Jessica Myers

The EAC's Survey of Internet Voting is a comprehensive review of Internet voting systems used in elections worldwide between 2000 and 2011. EAC staff conducted the study to assist in the development of electronic absentee voting guidelines, specifically to assist the Commission's efforts to identify technologies that could improve services for military and overseas voters and voters with disabilities.