Interview with Joshua Arvin Lat: the Kaspersky International Cup 2012 and Kaspersky Asia Pacific & MEA Cup 2012 winner

For today’s hot seat we have Joshua Arvin Lat and his SOUL System. Joshua Arvin Lat is a Filipino software engineer and web developer who graduated with a Bachelor of Science in Computer Science from the University of the Philippines in March 2012. He is known for his thesis entitled “SOUL System: Secure Online USB Login System”, which he presented at the Kaspersky Student Conference International Cup 2012, held May 11 to 13 at the Delft University of Technology in The Netherlands, and at the Kaspersky Student Conference Asia Pacific & MEA Cup 2012 at the City University of Hong Kong. He won 1st place in IT Security for the Next Generation at both the Kaspersky Asia Pacific & MEA Cup 2012 and the Kaspersky International Cup 2012.

Joshua Arvin Lat is also one of the speakers at the upcoming ROOTCON – Hackers Conference & Information Security Gathering 2012, where he will present the SOUL System again, so if you want to meet him in person and learn more about his project, you can catch him there. Aside from that, he is archived in the SOLDIERX Hacker Database (HDB), which is the largest hacker database on the internet and is rumored to be rivaled only by the FBI’s hacker database.

And so, this is an interview about him and the SOUL System.

1. Can you tell us about the SOUL System which you presented at Kaspersky International Cup 2012 and Kaspersky Asia Pacific & MEA Cup 2012?

The SOUL System is the Secure Online USB Login System. It aims to provide a two-factor authentication system which requires both the user’s password and an ordinary hardware device as a physical password in order to log in to online accounts. It combines both steganography and cryptography to produce a system which is secure, low-cost, practical, flexible, and portable. Despite its name, the SOUL System is not limited to using USB flash drives as security tokens. Any digital container such as laptops, smartphones, and even Dropbox folders can be used as a security token. With the improving processing power of computers, it is only a matter of time before text passwords become insufficient in protecting user accounts.


Compared to other two-factor authentication systems which involve USB flash drives, the SOUL System does not require specialized hardware. This allows the system to be extremely portable, flexible, and practical. It allows the implementation of a backup key system that solves the problem of lost, corrupt, or stolen keys. It also prevents any potential attacker from immediately recognizing an obvious hardware component.

The three main parts of the system are the website, the ordinary hardware device, and the trusted third party. The website must first be integrated with the web API provided and then registered with the trusted third party website to allow two-factor authentication. The security token is any ordinary hardware digital container that contains ordinary files such as BMP and PNG files in which the user’s data are hidden. It must be registered with the trusted third party so that it can be used to register and log in to SOUL System integrated websites. The trusted third party stores and provides the public keys of both the two-factor login enabled websites and the registered security tokens.

2. How does it feel winning both the Kaspersky International Cup 2012 and Kaspersky Asia Pacific & MEA Cup 2012?

We were happy to win and represent the country (Philippines) in both cups. We never really planned on joining the competition since we were never really able to spend much time on our thesis because we were also working full time as software engineers. As the leader of the group, I realized that we would not really lose anything if we submitted the paper and joined the conference.

We were lucky that we still managed to win 1st place in the Kaspersky Asia Pacific & MEA Cup 2012. As the leader and representative of the group in Hong Kong, I was unable to prepare and present properly because I was sick during the week of the competition. We were up against amazing research projects whose authors were already security experts and post-graduate students. It was a good thing that we had the advantage of having a more practical research project and better presentation skills.

Our victory in the regional conference earned us a spot in the Kaspersky International Cup 2012. The international cup brought together the winners from the four regional conferences held in America, Europe, Asia-Pacific and MEA, and Russia and the CIS. I knew that we would not stand a chance against the other participants if we were to rely only on presentation skills and the practicality of our research project. We decided to make major modifications to our research project and make sure that the system was a lot faster, more practical, and more secure. I focused on the technical aspects of our research project in my presentation since the judges in the international cup were recognized security experts from around the world. During the presentation, I emphasized that the SOUL System is significant not only in the field of security but also to business, since it does not involve technologies that cost a lot of money such as HTTPS and specialized hardware devices. In the end, we went home as world champions and we showed the world how great Filipinos are in the field of security and information technology.

3. Is the SOUL System open source software? If not, would you consider making the SOUL System open source?

Right now, the SOUL System is still in development and we have not yet decided whether the SOUL System will be open source software or not. The design of the SOUL System allows it to be easily integrated into websites built in Python, PHP, and Java. With this design, the system can easily be made open source and then used by websites either for free or at a very low cost to support the cost of maintaining the trusted third party.

4. How does the SOUL system change the authentication methods or schemes of a website or an online system?

The SOUL System simply adds another requirement to the authentication process of websites and other online systems. The login form would simply require both the password and the physical password to be present during the authentication process. The system involves a signed Java applet instead of a normal HTML form to avoid any transmission of the private data stored in the physical passwords. It has an optimized hybrid cryptosystem that secures the transmission of data between any two entities in the system. The authentication flow involves transactions with the trusted third party to secure the transmission and integrity of the data and their sources.

To proceed with the login process, the user simply has to mount the physical password (e.g. a USB flash drive) and then open the website integrated with the SOUL System. The user types in the password, selects the SOUL image inside the container, and finally clicks login. The same physical password can be used to log in to several online websites.

5. Were you able to pentest your online system in order to check its vulnerabilities?

Because we had only around two to three weeks’ worth of time to complete our research project, we were only able to focus on solving the major cryptographic design vulnerabilities. We focused on solving several known attacks such as man-in-the-middle attacks, password cracking attacks, replay attacks, and collision attacks. We will do penetration testing in the near future once we have time to work on the project again. We probably need to learn more about advanced security techniques to solve other vulnerabilities which could be present in the system.
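Added illustration, not the SOUL System’s own code (the interview shows none): a small Python model of two ideas from answers 4 and 5 above, a token secret hidden in the least-significant bits of an ordinary image’s pixel data, and a challenge-response login that needs both the password and that hidden secret and rejects a replayed response. The “image” is a constructed raw pixel buffer rather than a real PNG, and because the standard library has no signature primitive, an HMAC over a key registered at enrolment stands in for the public-key signatures the SOUL System routes through its trusted third party; every name here (`embed_lsb`, `Server`, `client_respond`, `demo`) is hypothetical.

```python
"""Constructed example: LSB steganography plus two-factor challenge-response.
Not the SOUL System's implementation; HMAC replaces its public-key signatures."""
import hashlib
import hmac
import os
import secrets


# --- steganography: hide/extract bytes in the least-significant bits of pixels ---
def embed_lsb(pixels: bytearray, payload: bytes) -> bytearray:
    """Write payload (with a 4-byte length prefix) into the LSB of each pixel byte."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # keep 7 high bits, replace LSB
    return out


def extract_lsb(pixels) -> bytes:
    """Read the length prefix, then that many payload bytes, back out of the LSBs."""
    def read(n_bytes: int, offset: int) -> bytes:
        val = bytearray()
        for i in range(n_bytes):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (pixels[offset + i * 8 + j] & 1)
            val.append(byte)
        return bytes(val)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)                     # payload starts after 32 length bits


# --- two factors feed one key: wrong password OR wrong token gives a wrong key ---
def derive_key(password: str, token_secret: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), token_secret, 100_000)


class Server:
    """Hypothetical relying website: keeps the enrolled key and one live nonce per user."""
    def __init__(self):
        self.users = {}    # username -> key derived at enrolment
        self.issued = {}   # username -> outstanding challenge nonce

    def register(self, username: str, key: bytes) -> None:
        self.users[username] = key

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued[username] = nonce
        return nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # pop() makes each nonce single-use, so a captured response cannot be replayed
        expected_nonce = self.issued.pop(username, None)
        key = self.users.get(username)
        if key is None or expected_nonce is None:
            return False
        if not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, image_pixels, nonce: bytes) -> bytes:
    """Client side: recover the hidden secret from the image, combine with password, answer."""
    token_secret = extract_lsb(image_pixels)
    return hmac.new(derive_key(password, token_secret), nonce, "sha256").digest()


def demo() -> dict:
    cover = bytearray(os.urandom(4096))          # constructed stand-in for image pixel data
    token_secret = secrets.token_bytes(32)
    stego = embed_lsb(cover, token_secret)       # the user's "SOUL image"
    other = embed_lsb(cover, secrets.token_bytes(32))  # someone else's token image
    server = Server()
    server.register("alice", derive_key("correct horse", token_secret))

    n = server.challenge("alice")
    good_response = client_respond("correct horse", stego, n)
    results = {"valid": server.verify("alice", n, good_response)}
    results["replay"] = server.verify("alice", n, good_response)   # same nonce again
    n = server.challenge("alice")
    results["wrong_password"] = server.verify("alice", n, client_respond("wrong", stego, n))
    n = server.challenge("alice")
    results["wrong_token"] = server.verify("alice", n, client_respond("correct horse", other, n))
    return results


if __name__ == "__main__":
    print(demo())
```

The login succeeds only when both factors are present, and the replayed response fails because the server discards each nonce on first use, which is the property the replay-attack item in answer 5 refers to.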

6. What do you think are the challenges right now in IT companies in terms of security?

I think the two main problems right now in IT companies in terms of security are the lack of awareness concerning the dangers and threats posed by malware and hackers, and the lack of technical knowledge in cyber security. Millions of online users every day are experiencing identity theft, data loss, money loss, privacy problems, and even spam. This only shows the lack of awareness and knowledge of these users regarding security issues and threats. In the same way, the main problems faced by IT companies are caused by the lack of awareness of cyber security issues. A large percentage of cyber security problems can easily be prevented just with better passwords, better protected computer systems, and better awareness of cyber security issues and threats. The next main challenge that IT companies are facing involves having the technical knowledge to support the existing systems being used by the people. A lot of IT companies have insecure systems and servers that can easily be attacked by hackers. With better security, these companies can easily prevent business problems caused by unwanted cyber security attacks. It is necessary that IT companies focus not only on promoting their businesses but also on protecting their own systems which they use every day.

7. I heard you’re a software engineer. Are you planning to work in the information security arena? What are your plans for the near future?

I am still unsure of my plans for the near future, but I will likely continue web development as my primary expertise. I will partly be focusing on information security to supplement my current skills. The information security field is a broad field and I have a lot to learn before I can contribute to the information security arena.

References:

http://www.linkedin.com/pub/joshua-lat/46/455/a27

http://www.soldierx.com/hdb/Joshua-Lat