Malware and Security

MaS is about computer security, malware and spam issues in general.



I was intrigued by the various twitter feeds, allegedly owned by factions of the Anonymous group. Intrigued because it looked like the messages were encrypted. I asked the cryptographer Endre Bangerter, FH Bern/Biel, to help me out and he forwarded me to one of his reverse engineering wizards, David Gullasch (!/x0n0x), who found out that it was not what I thought it was. Here's David's analysis:

The twitter account AnonCommunicate periodically tweets cryptic looking messages (apparently one tweet every 15 minutes). The stream of messages repeats every 537 tweets:

AAAAAA AAAAA4 NcPhvj VqKmBO lrbGYF WFvtYc 9FeFPl XAHsv8 cp7dLG VwJMht
sz7tNa OCDebL 3XyHL9 4NrD6b xCALJv RUoSl9 jpywkA 9JJg5Y cQSHam T4ACuG

MJGojD uarAAO QmkNiP DriWbM I9grRP Wsxlkw 7hdBSz vTRVKE 1U5CAK iua01m
DhcTSm pL8r7b podCXT JomI1N B4a6fD GbmlyA Gi18vQ 6qTikd rwHQZS 20l0pU


EcMt5A kEka05 5azHox uRhPlE Xh5PCm 28LjtL o5bzoe AAAAAG Mt1IvW bjfNp1
d6lLyZ iyJAKM quAT8w SuxpOj iAAAAA AAAAAA AABlta 7WXyEO ism4GD 7zKKwt

j0i8Ct Xl

The most obvious observation is that it consists of alphanumeric characters (a-z,A-Z,0-9), only. Therefore it can't be base64 encoded – more probably some sort of base62 encoding. Because log2(626) = 35.7251 is a somehow weird value, the six character blocking does not make much sense, if one assumes a binary encoding below the base62 layer.

The next observation come from the character frequencies: the character 'A' is much more likely to be encountered than any other character. This statistical anomaly does not stem from long runs of "AAA...A", these runs are only present in the first and last messages shown above. The many 'A' sprinkled all over the place turn out to be periodic and suggest a different blocking scheme as follows:



Now the truncated final tweet "j0i8Ct Xl" also makes sense, because it exactly completes a 43 character block. Also log2(6243) = 256.03 is much, much nicer and suggests a base62 encoding of 256 bit blocks.

The third hint comes from the statistics of the second character in each block: it always is in the range A-O. Factoring in this fact and that the first character is always 'A', we get a block entropy of log2(15*6241) = 248.03, suggesting that one byte in an underlying binary 32 byte block must be fixed.

The next step is to find the correct base62 decoding. In the spirit of Benford's Law (integers are more likely to start with lower digits), we guess that 'A'..'Z' map to the values 0..25. Also, we guess that '0'..'9' and 'a'..'z' map to contiguous ranges. With these assumptions, the final parameters for the decoding can be found by trial and error:
'A'..'Z','0'..'9','a'..'z' map to 0..61 and the blocks are big-endian integers, which can be decoded like in the following example:

1. decoding the digits:

   A  A  A  A  A  A  A  A ...  t  Y  c  9  F  e  F  P  l  X
   0  0  0  0  0  0  0  0 ... 55 24 38 35  5 40  5 15 47 23

2. computing the integer value:

   0*6242 + 0*6241 + 0*6240 + 0*6239 + 0*6239 + ...
      ... + 40*624 + 5*623 + 15*622 + 47*621 + 23*620
   = 1107723835656471950689271297510666484906119194003614018861

3. repesenting that as big-endian hexadecimal integer:


which obviously corresponds to the ASCII string:

   "------ BEGIN FILE ------" 

Decoding 31 bytes from every 43 character block in this way (and omitting the "------ BEGIN FILE ------" and "------ END FILE ------" strings) yields:

[Ed.: I've reduced this in size and converted it to JPEG format, so this isn't the original. - Morton]

So, it's not as nefarious as it seems. At least at first sight. I'm still exploring the phenomena, though :-)


Getting an El-Al flight into the air

My bike commute to work leads me right along the München airport, so it's not difficult to notice that quite a few planes take off in the mornings. Looking at my watch while riding by, it looks like there are about 1 plane a minute taking to the skies. I managed to get off a little earlier this morning and noticed something new. The airport was quiet: no planes were taking off. So, I drove to the observation mound to see what was up. There was some ground traffic -- vehicles scurrying back and forth, but no planes in the air.
Then, one plane took off from the northern airstrip: an El Al flight and banked south, which is unusual as normally southbound planes leave from the southern strip. Very soon after that, about 5 minutes after, planes took off again at the regular pace. I also passed a police car that had been hiding in the bushes along my bike path.
So, I guess what happened was they cleared the airspace for that El-Al flight and probably had all other planes keep their distance on ground, too. They also probably had various police vehicles all over the airport zone checking in to get the tower the all clear, which is why there was nothing happening for such a long time.
What occurred to me after that take off is how much effort goes into creating such a secure flight and how it really doesn't scale well. If you've ever been on an El-Al flight you know what their passenger security procedures look like. On the ground, the flight get a police escort. The pilots are reportedly former military pilots and the planes are equiped with unusual but undisclosed defense systems. Now I realize that just getting that flight into the air (and probably landing it) is also very disruptive. It also makes El-Al probably the safest airline to fly on, but the model is probably overkill for other airlines.
(Picture from


6th VLDB Workshop on Secure Data Management (SDM) - extended

In Conjunction with VLDB 2009
Lyon, France
August 28, 2009

See also the official web site.

The 6th SDM workshop builds upon the success of the first five workshops (SDM'04, SDM'05, SDM'06, SDM'07, and SDM'08), which were organized in conjunction with VLDB 2004 in Toronto, Canada, VLDB 2005 in Trondheim, Norway, VLDB 2006 in Seoul, Korea, VLDB 2007 in Vienna, Austria, and VLDB 2008 in Auckland, New Zealand.

Deadline for paper submission extended:

May 1, 2009


Although cryptography and security techniques have been around for quite some time, emerging technologies such as ubiquitous computing and ambient intelligence that exploit increasingly interconnected networks, mobility and personalization, put new requirements on security with respect to data management. As data is accessible anytime anywhere, according to these new concepts, it becomes much easier to get unauthorized data access. Furthermore, it becomes simpler to collect, store, and search personal information and endanger people's privacy. Therefore, research in the area of secure data management is of growing importance, attracting attention of both the data management and security research communities The interesting problems range from traditional ones such as, access control (with all variations, like dynamic, context-aware, role-based), database security (e.g. efficient database encryption schemes, search over encrypted data, etc.), privacy preserving data mining to controlled sharing of data.

This year, we will continue with a tradition to have a special session devoted to secure data management in healthcare. Data security and privacy issue are traditionally important in the medical domain. However, recent developments and increasing deployment of IT in healthcare such as the introduction of electronic health records and extramural applications in the personal health care domain, pose new challenges towards the protection of medical data. In contrast to other domains, such as financial, which can absorb the cost of the abuse of the system, healthcare cannot. Once sensitive information about individual's health problems is uncovered and social damage is done, there is no way to revoke the information or to restitute the individual. In addition to this, the medical field has some other specific characteristics, such as long-term value of medical data and flexibility with respect to, on one hand confidentiality, and on the other hand availability of medical data in the case of emergency.


The aim of the workshop is to bring together people from the security research community and data management research community in order to exchange ideas on the secure management of data. This year an additional special session will be organized with the focus on secure and private data management in healthcare. The workshop will provide forum for discussing practical experiences and theoretical research efforts that can help in solving the critical problems in secure data management. Authors from both academia and industry are invited to submit papers presenting novel research on the topics of interest (see below).

Workshop Format

The workshop will be organized in conjunction with the VLDB conference. It is proposed to organize the workshop in conjunction with the VLDB conference.
Also, it is the intention to publish the proceedings in the Spinger-Verlag Lecture Notes on Computer Science series as it was done for the first four workshops. Additionally, we
also want to select the best papers with the intent to publish their extended and revised versions in a special edition of a journal (as it was done for the SDM 2006&2007 workshop with the Journal of Computer Security).
Topics of Interest

Topics of interest include (but are not limited to) the following:

- Secure Data Management
- Database Security
- Data Anonymization/Pseudonymization
- Data Hiding
- Metadata and Security
- XML Security
- Authorization and Access Control
- Data Integrity
- Privacy Preserving Data Mining
- Statistical Database Security
- Control of Data Disclosure
- Private Information Retrieval
- Secure Auditing
- Data Retention
- Search on Encrypted Data
- Digital and Enterprise Rights Management
- Multimedia Security and Privacy
- Private Authentication
- Identity Management
- Privacy Enhancing Technologies
- Security and Semantic Web
- Security and Privacy in Ubiquitous Computing
- Security and Privacy of Health Data
- Web Service Security
- Trust Management
- Policy Management
- Applied Cryptography

Paper Submission

Authors are invited to submit original, unpublished research papers that are not being considered for publication in any other forum. Manuscripts should
be submitted electronically as PDF or PS files via email to

Full papers should not exceed fifteen pages in length (formatted using the camera-ready templates of Springer Lecture Notes in Computer Science We also encourage submitting position statement papers describing research work in progress or lessons learned in practice (max six pages). Submissions must be received no later than May 1.

Each submission must be accompanied by a separate submission overview specifying the title, three keywords, author names with organizational affiliations, and must specify a contact author along with corresponding phone number, fax number, postal address and email address. The submission overview can be included in the body of the email. Each submission will be acknowledged by e-mail. If acknowledgment is not received within 3 days, please contact the organizers. It is intended to publish the proceedings in in the Springer Lecture Notes on Computer Science series. Additionally, we also want to select the best papers with the intent to publish their extended and revised versions in a special edition of a journal (as it was done for the SDM 2006 & 2007 workshop with the Journal of Computer Security).


Computer Security Ontologies

Just by chance, I stumbled over a set of computer security ontologies that the US Navy Center for High Assurance Computing Systems has apparently been working on as a part of a SOA security project 4SEA. From that page:

The NRL Security Ontology was designed with the following objectives in mind:

  • Describe security related information applicable to all types of resources

  • Provide the ability to annotate security related information in various levels of detail for various environments (both commercial and military)

  • Create ontologies that are easy to extend and provide reusability

  • Facilitate mapping of higher-level (mission-level) security requirements to lower-level (resource-level) capabilities

It's a bit difficult to tell where they are going with this, but with the emphasis on web services, UDDI and MDA, it looks similar to Data Centric Security.


CfC: Fifth International Summer School CfP

[PDF version]
Call for Contributions

Fifth International Summer School
organised jointly by the PrimeLife EU project
in cooperation with the IFIP WG 9.2, 9.6/11.7 11.4, 11.6.
Privacy and Identity Management for Life
(PrimeLife/IFIP Summer School 2009)
to be held in Nice, France, 7th – 11th September 2009

New Internet developments pose greater and greater privacy dilemmas. In the Information Society, the need for individuals to protect their autonomy and retain control over their personal information is becoming more and more important. Today, information and communication technologies – and the people responsible for making decisions about them, designing, and implementing them – scarcely consider those requirements, thereby potentially putting individuals’ privacy at risk. The increasingly collaborative character of the Internet enables anyone to compose services and contribute and distribute information. It may become hard for individuals to manage and control information that concerns them and particularly how to eliminate outdated or unwanted personal information, thus leaving personal histories exposed permanently. These activities raise substantial new challenges for personal privacy at the technical, social, ethical, regulatory, and legal levels:

· How can privacy in emerging Internet applications such as collaborative scenarios and virtual communities be protected?

· What frameworks and technical tools could be utilised to maintain life-long privacy?

The theme of this Summer School to be held in September 2009 and co-organised by the PrimeLife EU project and the International Federation for Information Processing (IFIP) will be on privacy and identity management for emerging Internet applications throughout a person’s life.

Both IFIP and PrimeLife take a holistic approach to technology and support interdisciplinary exchange. Participants’ contributions that combine technical, legal, regulatory, socio-economic, ethical, philosophical, or psychological perspectives are especially welcome.

Contributions from students who are at the stages of preparing either masters’ or doctoral theses qualifications will be especially welcomed. The school is interactive in character, and is composed of both keynote lectures and seminars, tutorials and workshops with PhD student presentations. The principle is to encourage young academic and industry entrants to the privacy and identity management world to share their own ideas and to build up a collegial relationship with others. Students that actively participate, in particular those who present a paper, can receive a course certificate which awards 3 ECTS at the PhD level. The certificate can certify the topic of the contributed paper to demonstrate its relation or non-relation to the student’s PhD thesis.

Topics of interest include but are not limited to:
- privacy and Identity management (application scenarios/use cases, technologies, infrastructures, usability aspects)
- privacy-enhancing technologies
- anonymity and pseudonymity
- transparency-enhancing tools
- privacy and trust policies
- privacy-aware web service composition
- privacy metrics
- trust management and reputation systems
- assurance evaluation and control
- privacy in complex emerging real-life scenarios
- the use of privacy-enhancing mechanisms in various application areas that are often life-long in character such as eLearning, eHealth, or LBS
- life-long privacy challenges and sustainable privacy and identity management
- privacy issues relating to social networks, social network analysis, profiling
- privacy aspects of RFID and tracking technologies, biometrics
- surveillance, data retention, availability and other legal-regulatory aspects,
- socio-economic aspects of privacy and identity management, and
- impact on social exclusion/digital divide/cultural aspects.

Contributions will be selected based on an extended abstract review by the Summer School Programme Committee. Accepted short versions of papers will be made available to all participants in the Summer School Pre-Proceedings. After the Summer School, authors will have the opportunity to submit their final full papers (which will address questions and aspects raised during the Summer School) for publication in the Summer School Proceedings published by the official IFIP publisher. The papers to be included in the Final Proceedings published by Springer (or the official IFIP publisher) will again be reviewed and selected by the Summer School Programme Committee.

Summer School Website:

The submission address for extended abstracts (2-4 pages in length) will be accessible via the Summer School Website.

Submission deadline: May 14, 2009
Notification of acceptance: June 18, 2009
Short paper (up to 6 pages) for the Pre-Proceedings: August 11, 2009

General Chair:
Michele Bezzi (SAP Research/ France)

Programme Committee Co-Chairs:
Penny Duquenoy (Middlesex University/ UK, IFIP WG 9.2 chair)
Simone Fischer-Hübner (Karlstad University/ Sweden, IFIP WG11.6 vice chair)
Marit Hansen (Independent Centre for Privacy Protection Schleswig-Holstein, Kiel/ Germany)

Programme Committee:
Jan Camenisch (IBM Research/ Switzerland, IFIP WP 11.4 chair)
Mark Gasson (University of Reading/ UK)
Hans Hedbom (Karlstad University/ Sweden)
Tom Keenan (University of Calgary/ Canada)
Dogan Kesdogan (Siegen University/ Germany)
Kai Kimppa (University of Turku/ Finland)
Eleni Kosta (KU Leuven/ Belgium)
Elisabeth de Leeuw (Ordina/ Netherlands, IFIP WG 11.6 chair)
Marc van Lieshout (Joint Research Centre/ Spain)
Javier Lopez (University of Malaga/ Spain)
Vaclav Matyas (Masaryk University, Brno/ Czech Republic)
Martin Meints (Independent Centre for Privacy Protection Schleswig-Holstein, Kiel/ Germany)
Jean-Christophe Pazzaglia (SAP Research/France)
Uli Pinsdorf (Europäisches Microsoft Innovations Center GmbH (EMIC)/ Germany)
Andreas Pfitzmann (TU Dresden/ Germany)
Charles Raab (University of Edinburgh/ UK)
Kai Rannenberg (Goethe University Frankfurt/ Germany, IFIP TC11 chair)
Dieter Sommer (IBM Research/ Switzerland)
Sandra Steinbrecher (TU Dresden/ Germany)
Morton Swimmer (John Jay College of Criminal Justice, CUNY/ USA)
Jozef Vyskoc (VaF/ Slovakia)
Rigo Wenning (W3C/ France)
Diane Whitehouse (The Castlegate Consultancy/ UK)

Organising Committee Chair:
Jean-Christophe Pazzaglia (SAP Research/ France)


Announcing the local New York chapter of the Heart Project

Although we haven't formally been accepted, I wanted to announce the formation of the local chapter of the Heart Project, which I've called "I heart New York". The idea is to participate in the development of an RDF store for Hadoop/Hbase. The main project is based mainly in Korea, which is just a bit too far for most people to travel, but there is quite a bit of interest in very large RDF databases here, so it seemed a good idea to have a local group. It will be attached to the NYC Semantic Web meetup group that Marco Neumann organizes, which is already one of the world's largest semantic web interest groups.
So, why am I interested, being the security geek that I am? Well, RDF and sematic web technology interests me in two ways. First of all, there is it's use in Data Centric Security. However, the other angle that I have is the encoding, exchange and reasoning over security relevant data expressed in RDF, or at the very least, using constrained (and well-defined) vocabularies. However, while looking at the amount of data that we at Trend Micro collect, I realized that no current system can handle it all. Furthermore, since we are working with a Hadoop infrastructure, it would be appropriate to leverage it. This led me to Heart.
If you are interested in the Heart project I'd encourage you to join in and if you are a New York local, then join our chapter, too!


Metrocards and PII

So, I guess I'm not surprised, but Metrocards do contain ID information allowing the user to be tracked, see the New York Times article on a recent case. If you bought your card with a credit or debit card, then you can be identified, too.
I guess this has to be considered a normal infraction of our privacy nowadays -- along with credit cards, social security numbers, EZ-Pass fobs, ...


[picture by Darny, used under a Creative Common's license.]