Computer systems security area has received increased attention from both academics and in industry. However, recent work indicates that substantial security gaps emerge when systems are deployed, even with the use of state-of-the-art security protocols. Our findings suggest that wide-spread security problems exist even when protocols such as SSL and SSH are deployed because systems today do no...

We construct a simple authentication protocol whose security is based solely on the problem of Learning Parity with Noise (LPN) that is secure against Man-in-the-Middle attacks. Our protocol is suitable for RFID devices, whose limited circuit size and power constraints rule out the use of more heavyweight operations such as modular exponentiation. The protocol is extremely simple: both parties ...

During the SA3-31 meeting in Munich, it was decided that the Bluetooth link between peripheral devices did not require integrity protection (see section 6.1.1 of [1]). This contribution indicates that a man-in-the-middle attack may be possible on the bluetooth link in a WLAN in-terworking environment. The attacker lures the victim to connect to a malicious WLAN access point. The attack does not...

Increased focus on the Universal Serial Bus (USB) attack surface of devices has recently resulted in a number of new vulnerabilities. Much of this advance has been aided by the advent of hardware-based USB emulation techniques. However, existing tools and methods are far from ideal, requiring a significant investment of time, money, and effort. In this work, we present a USB testing framework t...

Phone features, e.g., 911 call, voicemail, and Do Not Disturb, are critical and necessary for all deployed VoIP systems. In this paper, we empirically investigate the security of these phone features. We have implemented a number of attacks and experimented with VoIP services by leading VoIP service providers Vonage, AT&T and Gizmo. Our experimental results demonstrate that a man-in-the-middle ...

This paper describes a declarative framework for representing and reasoning about truthfulness of agents using Answer Set Programming. The paper illustrates how, starting from observations, knowledge about the actions of the agents, and the normal behavior of agents, one can evaluate the statements made by agents against a set of observations over time. The paper presents an ASP program for com...

Unconditionally secure authentication codes with arbitration (A 2-codes) protect against deceptions from the transmitter and the receiver as well as that from the opponent. We rst show that an optimal A 2-code implies an orthogonal array and an aane-resolvable design. Next we deene a new design, an aane-resolvable + BIBD, and prove that optimal A 2-codes are equivalent to this new design. From ...

Video chat systems such as Chatroulette have become increasingly popular as a way to meet and converse one-onone via video and audio with other users online in an open and interactive manner. At the same time, security and privacy concerns inherent in such communication have been little explored. This paper presents one of the first investigations of the privacy threats found in such video chat...

Open Shortest Path First (OSPF) is the most widely deployed interior gateway routing protocol on the Internet. We present two new attacks on OSPF that expose design vulnerabilities in the protocol specification. These new attacks can affect routing advertisements of routers not controlled by the attacker while evading the OSPF self-defense “fight-back” mechanism. By exploiting these vulnerabili...

An individual who intends to engage in sensitive transactions using a public terminal such as an ATM needs to trust that (a) all communications are indeed carried out with the intended terminal, (b) such communications are confidential, and (c) the terminal’s integrity is guaranteed. Satisfying such requirements prevents man-in-the-middle attacks and eavesdropping. We have analysed several exis...