An empty Pringles tube can be a hacker's best friend

Ireland's low-profile COSAC meeting attracts big players in computer security

It's a typical day at Naas's luxurious Killashee Country House hotel - a wedding party is trickling in for a reception, while several well-groomed older women sit around tables having afternoon tea in the upstairs lounge. A family or two relaxes after a large lunch.

Then comes the invasion. Filing in for coffee and snacks comes a group of over 100, nearly all male, speaking eagerly of steganography and database vulnerabilities, encryption algorithms and biometric scanners, SWAP files and cookie poisoning.

This is a rarefied group, drawn from five continents, that gathers annually in Ireland for one of the best-kept secrets in the computer security world: the COSAC conference. For nine years, this low-profile but high-calibre event has drawn some of the biggest names and most respected researchers in the security and encryption sector.

Numbers are limited, the sessions are small and attendees consider it a COSAC virtue that many participants never finish their formal presentation because of enthusiastic questioning - or good-natured heckling - from the audience.

"It's my passion," says Mr David Lynas, COSAC's founder and organiser, explaining why he has put on COSAC as a labour of love, and without the usual big commercial sponsors, for almost a decade.

His background is in security and he works as director of global service development for British computer security firm QinetiQ. The conference was born out of his own intense interest in the area of technology and security and a desire to gather together all the people he'd most like to see in one room.

"You go to one of the big conferences and, if you're lucky, maybe one person says something really interesting and makes the conference worthwhile," he says. "In my madness, what I thought was that I'd invite each of those 'one persons' that I'd seen."

The idea clearly struck home for many in the industry, who, Mr Lynas says, get to bounce ideas off each other. The reputation of the conference is such that each year its roster of speakers includes names that headline the big conferences. "It's the only environment in which they actually learn," he says, rather than just stand in front of an audience.

Each year the group goes to a small, upmarket country hotel, where it generally takes over most or all of the hotel for its sessions. Lush meals and evening entertainment followed by late-night nattering sessions have become standard.

Last year, the keynote speaker was the brilliant Sun Microsystems engineer and mathematician Dr Whitfield Diffie. A cryptography legend, Dr Diffie created the concept of public key cryptography, a method of encoding data that forms the bedrock for the entire computer security industry.

This year, speakers included Mr Michael Wiener, famed for designing a system that first broke the mathematical "key" of the till-then widely used encryption algorithm (or mathematical formula) called DES; Dr Gene Schultz, an academic at the University of California at Berkeley, well known for his research and books on security; and Prof Tsutomu Matsumoto, who was recently in the international spotlight for demonstrating that he could trick fingerprint scanning systems with artificial fingers made from gelatin.

Prof Matsumoto's talk, which concluded the four-day conference, prompted appreciative laughter and loud applause when he showed slides of the success rates he achieved in tricking biometric finger scanners (one of COSAC's ironies is that no more appreciative audience exists for an adept demonstration of security failure than those expert in devising the systems in the first place).

He explained how he and his students bought inexpensive silicone and gelatin from hobby shops and supermarkets, made a mould in 10 minutes, then poured in the gelatin to produce what he called a "gummy finger" in under 20 minutes.

The gummy fingers, with a moisture content similar to live fingers, tricked the scanners nearly every time. More devastatingly, he also showed that a fingerprint could be lifted from the side of a glass and made into a gummy finger through a process using an electron microscope, an inkjet printer and photograph retouching software.

In another session, computer forensics expert and director of forensics company Inforenz, Mr Andy Clark, showed that software used to eliminate information from computers, called, unsurprisingly, "evidence eliminators", actually left many revealing files on a machine. People use such programs to preserve their privacy, or because they are engaged in criminal activity and want to eliminate evidence, he said.

However, software he tested often stripped out harmless but useful files, such as the computer user's "favourites" list in a Web browser, while leaving huge numbers of potentially sensitive files. Thus, such programs weren't a serious hurdle for forensic investigators, he said. "They get in the way but they certainly do not remove all traces of activity. In fact, they can be more of a pain for the user."

He advised listeners to add an encryption package to their PC "if you really want to make our life hard".

In another function room, Dr David Everett, chief technical officer for Datacard Group, showed off a "cantenna" - a scanner he'd made from an empty Pringles can (Hot and Spicy flavour) that will search the air for live wireless (WiFi) networks.

News of how to make a Pringles scanner had made the rounds of internet discussion groups earlier this year - Dr Everett's purpose was to show both how easily WiFi networks can be pinpointed, and to have a look at how hard it might be to hack those networks.

Though the networks could be sniffed out with little problem, and the vast majority he found in the Brighton area were using no encryption security at all, it was actually quite complicated and time-consuming to try and hack into them, he said. A good security system would be "extremely difficult to break", he said.

Senior security expert at Computer Associates, Mr David Love, spoke on information warfare as a threat to business. "What's the biggest threat to security?" he asked. "It's the belief that a threat doesn't exist." A recent survey of British business revealed that, while the majority had experienced some kind of attack on their information, only about a fourth had any kind of security plan.

Because information warfare - which he broadly defines as nearly any kind of attack on information held on computers - is both a commercial and a government issue, he says it is not yet clear who is supposed to be protecting commercial interests, and who pays for that protection.

In nearly all the sessions, discussion is rigorous, cutting in on the actual presentation. Indeed, presenters seem worried when their audience doesn't interrupt. Many debates push the sessions into overtime, leading to the hourly sight of a flurry of COSAC participants - 90 per cent of whom typically return to attend another conference - trotting down the Killashee's hallways to get to their next choice from an agenda of 43 talks.

Killashee was a hit with the crypto men and women, so the same hallways will be filled again at the same time next year. Mr Lynas can hardly wait.

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology