Monthly Archives: March 2012

American National Standards Institute. (2012, March). The financial impact of breached protected health information: A business case for enhanced PHI security. Retrieved from http://webstore.ansi.org/phi/ [requires free registration]

The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security explores the reputational, financial, legal, operational, and clinical repercussions of a protected health information (PHI) breach on an organization, and provides a 5-step method, PHI Value Estimator (PHIve), to assess specific security risks and build a business case for enhanced PHI security. This tool estimates the overall potential costs of a data breach to an organization, and provides a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach. A detailed example of costing a PHI breach using the PHIve method is provided.

Barrett, D. (2012, March 28). US outgunned in hacker war. Wall Street Journal, p. B1 [Full text available in Wall Street Journal database].

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.  Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

His comments weren’t directed at specific legislation but came as Congress considers two competing measures designed to buttress the networks of critical U.S. infrastructure, such as electrical-power plants and nuclear reactors.

Boyens, J., Paulsen, C., Bartol, N., Moorthy, R., & Shankles, S. (2012, March).  Notional supply chain risk management for federal information systems (Draft NISTIR 7622). Retrieved from http://csrc.nist.gov/publications/drafts/nistir-7622/second-public-draft_nistir-7622.pdf

This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.

De Hert, P., &  Papakonstantinou, V. (2012). The proposed data protection regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Review, 28(2), 201-207.  [Full text can be requested from DocumentExpress.]

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.

EU ban censorship technology sales to Iran. (2012, March 27). Security and Defense Agenda. Retrieved from http://goo.gl/ARQb9

Technology banned includes deep packet inspection equipment, semantic processing engine equipment, speaker recognition/processing equipment, pattern recognition and pattern profiling equipment, semantic processing engine equipment and WEP and WPA code-breaking equipment. The EU also implemented a visa ban and asset freeze on officials whose work centres on censorship and propaganda.

Goodin, D. (2012, March 27). Google’s Chrome web store used to spread malware. Ars Technica. Retrieved from http://arstechnica.com/business/news/2012/03/googles-chome-web-store-used-to-spread-malware.ars

Crooks have found a new venue to push malware: the official Google Chrome Web Store. It was recently used to hawk Chrome browser extensions secretly hijacking users’ Facebook profiles. According to Kaspersky Lab expert Fabio Assolini, one malicious extension hosted on Google’s own servers contained hidden code that “can gain complete control” of the user’s Facebook profile. The extension then used that access to spread malicious messages and register Facebook Likes for certain items, also inviting fellow users to install it. The same operators advertised a service that delivered Likes of companies looking to promote their profiles. It costs about $27 per 1,000 Likes.

Hoover, J. N. (2012, March 27). NSA chief: China behind RSA attacks. InformationWeek. Retrieved from http://www.informationweek.com/news/government/security/232700341

China is stealing a “great deal” of military-related intellectual property from the United States and was responsible for last year’s attacks against cybersecurity company RSA, U.S. Cyber Command commander and National Security Agency director Gen. Keith Alexander told the Senate Armed Services Committee on Tuesday.

“I can’t go into the specifics here, but we do see [thefts] from defense industrial base companies,” Alexander said, declining to go into details about other attacks. “There are some very public [attacks], though. The most recent one was the RSA exploits.” RSA had earlier pinned the attacks on a “nation state.” [Full video of related hearing].

Hunton, P. (2012). Data attack of the cyber criminal. Computer Law & Security Review, 28(2), 201-207.  [Full text can be requested from DocumentExpress.]

It is increasingly argued that the primary motive of the cybercriminal and the major reason for the continued growth in cyberattacks is financial gain. In addition to the direct financial impact of cybercrime, it can also be argued that the digital data and the information it represents that can be communicated through the Internet, can have additional intrinsic value to the cybercriminal. In response to the perceived value and subsequent demand for illicit data, a sophisticated and self-sufficient underground digital economy has emerged. The aim of this paper is to extend the author’s earlier research that first introduced the concept of the Cybercrime Execution Stack by examining in detail the underlying data objectives of the cybercriminal. Both technical and non-technical law enforcement investigators need the ability to contextualise and structure the illicit activities of the cybercriminal, in order to communicate this understanding amongst the wider law enforcement community. By identifying the potential value of electronic data to the cybercriminal, and discussing this data in the context of data collection, data supply and distribution, and data use, demonstrates the relevance and advantages of utilising an objective data perspective when investigating cybercrime.

Kaiser Permanente data breach affects thousands of employees. (2012, March 23). InfoSecurity. Retrieved from http://www.infosecurity-magazine.com/view/24739/kaiser-permanente-data-breach-affects-thousands-of-employees/

Managed health care consortium Kaiser Permanente has notified thousands of current and former employees that their personal information was found on an external hard drive purchased in a second-hand store in California. Kaiser Permanente said employee names, phone numbers, social security numbers, and other personal information was found on a non-Kaiser external hard drive in a California second-hand store in September, according to a report by KXL news radio.

Khan, M. N. A. (2012). Performance analysis of Bayesian networks and neural networks in classification of file system activities. Computers & Security [in press]. [Full text available in ScienceDirect database].

Comprehending state of a file system at any given time is vital for performing digital forensic analyses. Clear picture of the file system activities help reconstruct post-event timeline of the unauthorized or malicious accesses made on a system in order to uncover evidence of the digital crime. This paper describes a comparative performance analysis of the Bayesian networks and Neural networks techniques to classify the state of file system activities in terms of execution of applications based on the pattern of manipulation of specific files during some specific period of time. In particular, this paper discusses the construction of a Bayesian networks and neural networks from the predetermined knowledge of the manipulation of file system artifacts and their corresponding metadata information by a set of software applications. The variability among the execution patterns of various applications indicate that the Bayesian network based model is more appropriate tool compared to neural networks – due to its ability to enable pattern learning and detection even from an incomplete dataset. The focus of this paper is to highlight intrinsic worth of the learning approach of the Bayesian network methodology for a given dataset of training examples in comparison to the techniques used for supervised learning in ordinary neural networks. The paper also highlights the efficacy of Bayesian network technique to proficiently handle large volumes of datasets.

Kierkegaard, P. (2012). Medical data breaches: Notification delayed is notification denied. Computer Law & Security Review, 28(2), 201-207.  [Full text can be requested from DocumentExpress.]

The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by less government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.

Klinger, D. (2012, March 28). Satellite jamming becoming a big problem in the Middle East and North Africa. Ars Technica. Retrieved from http://arstechnica.com/science/news/2012/03/satellite-jamming-becoming-a-big-problem-in-the-middle-east.ars

The Arab Spring has had yet another consequence — satellite jamming, and the practice is serious enough to threaten the satellite operators’ business. Two operators, Arabsat and Nilesat, complained about the jamming in the Satellite 2012 Conference in Washington, D.C. last week, according to an article in Space News. Arabsat is a 21-country consortium that provides broadcasting to over 100 countries in the Middle East, Africa, and Europe. Nilesat is an Egypt-based operator that carries 415 channels to the Middle East and North Africa. The satellites also provide broadband, telephone, and VSAT service. Jamming and rounding up satellite dishes has become a common practice for governments wishing to limit unfavorable coverage in their own (or sometimes other people’s) countries.

Ly, C., Ma, M., Li, H., Ma, J., & Niu, B. (2012).  A security enhanced authentication and key distribution protocol for wireless networks. Security and Communications Networks, 5(4), 343-352. [Full text can be requested from DocumentExpress.]

In this paper, we propose an enhanced authentication and key distribution protocol to prevent off-line guessing attacks. Security analysis and formal verification prove that the proposed solution has strong security functionality to protect system from various malicious attacks.

Macalintal, I. (2012, March 28). Game change: Mac users now also subject to targeted attacks. Retrieved from http://goo.gl/iRgP1

After [Trend Micro’s] previous finding involving a targeted attack whose payload were OS-dependent, we encountered a more recent run that leads to a malicious file specifically affecting Mac OSX. The said malware, detected as TROJ_MDROPR.LB, is a Trojan being used in Pro-Tibetan targeted campaigns, as initially described by Alienvault.

This development in targeted attacks just shows that the groups behind campaigns such as this one are taking into consideration changes in the computing landscape, such as the increase in the number of Mac users. This adjustment to affect Macs also shows that they are refining their scope, and are really customizing their tools to suit their targets.

Nicolett, M. (2012, March 20). Using SIEM for targeted attack detection.  [Full text available in the Gartner database].

Organizations that have deployed security monitoring technologies need to develop activity reports and a monitoring process that is overseen by the security organization but includes the assistance of “outsiders” with specific domain expertise. The most common domains needed are: network, system, database and application. Rapid discovery of a breach is more likely when real-time monitoring is supplemented with context-enriched activity and exception reports that are examined on a daily basis by people who have domain specific knowledge. It is the combination of real-time security monitoring, context (threat, vulnerability, user, asset, data and application) and “smart eyeballs” on daily activity reports that will improve your chances of early breach detection beyond the current 15% success rate. This approach is more effective when management processes have been implemented and there is some degree of role-based access control. The approach requires the cooperation of areas external to IT security, such as the database administration, server support and application support teams.

Perlroth, N., & Markoff, J. (2012, March 26). Symantec dissolves a Chinese alliance. New York Times. Retrieved from http://www.nytimes.com/2012/03/27/technology/symantec-dissolves-alliance-with-huawei-of-china.html

Less than four years after Huawei Technologies and Symantec teamed up to develop computer network security products, the joint venture is being dismantled because Symantec feared the alliance with the Chinese company would prevent it from obtaining United States government classified information about cyberthreats.

More from the NYT this week: US envoy to Russia accuses TV station of hacking; Case based in China puts face on persistent hacking; Europe cracks down on cybercrime

Prince, B. (2012, March 26). Open source security vulnerabilities plague large organizations. SecurityWeek. Retrieved from http://www.securityweek.com/open-source-security-vulnerabilities-plague-large-organizations

An analysis of a widely-used repository for open source components revealed that Global 500 organizations collectively downloaded more than 2.8 million insecure components in one year.

The study was the result of an analysis by Aspect Security in cooperation with Sonatype. Sonatype operates the Central Repository, which contains 300,000 components and is used by more than 60,000 development organizations worldwide. As both the open source ecosystem and adoption of its technologies continue to grow at a rapid pace, security is being challenged and undermined by a lack of awareness of vulnerabilities and the extent to which open source components are being used.

Ragan, S. (2012, March 28). Attackers using Taidoor trojan to target think tanks and US-Taiwan interests. SecurityWeek. Retrieved from http://www.securityweek.com/attackers-using-taidoor-trojan-target-think-tanks-and-us-taiwan-interests

In 2008, the Taidoor Trojan made its first appearance on the Web. It started by attacking government agencies, but the group behind it expanded their reach by targeting a wide range of victims. Now, based on research from Symantec, it appears that the group running Taidoor is interested in think tanks, especially those that are focused on Taiwan.

While Taidoor started out by targeting governments, between 2009 and 2010, the malware shifted gears. Government victims were counted among those in the media, financial, telecom and manufacturing sectors. The length of the attack, almost four years now, shows that the group responsible for Taidoor is persistent if nothing else.

Thamilarasu, G., & Sridhar, R. (2012). A cross-layer game for energy-efficient jamming detection in ad hoc networks.  Security and Communications Networks, 5(4), 364-373. [Full text can be requested from DocumentExpress.]

This paper proposes a game theoretic framework using cross-layer mechanism to detect jamming attacks in wireless networks. Jamming is formulated as a non co-operative Bayesian game to analyze the interaction between attacker and monitoring nodes in the network. The cross-layer (CL) detection engine detects and records statistical PHY/MAC layer information such as average RTS/DATA retransmission value and average carrier sensing failure duration value. The cross-layer decision component uses these measurements to estimate the current game state and decides the optimal monitoring strategy.

United States. Federal Trade Commission. (2012, March 27). FTC charges that security flaws in RockYou game site exposed 32 million email addresses and passwords. Retrieved from http://www.ftc.gov/opa/2012/03/rockyou.shtm

The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges.

Wilshusen, G. C. (2012, March 27). IT supply chain – additional efforts needed by national security-related agencies to address risks. Statement of Gregory C. Wilshusen, Director Information Security Issues [United States Government Accountability Office]. Retrieved from http://www.gao.gov/assets/590/589617.pdf

Reliance on a global supply chain introduces multiple risks to federal information systems and underscores the importance of threat assessments and mitigation. Supply chain threats are present at various phases of a system’s development life cycle and could create an unacceptable risk to federal agencies.

In its report, GAO recommended that the Departments of Energy, Homeland Security, and Justice take steps, as needed, to develop and document policies, procedures, and monitoring capabilities that address IT supply chain risk. In commenting on a draft of the report, the departments generally concurred with the recommendations. [Related article from SecurityWeek].

Yang, J., & Chen, Y. (2012). Toward attack-resistant localization under infrastructure attacks. Security and Communications Networks, 5(4), 384-403. [Full text can be requested from DocumentExpress.]

Trustworthy location information is important because it is a critical input to a wide variety of location-based applications. However, the localization infrastructure is vulnerable to physical attacks, and consequently, the localization results are affected. In this paper, we aim to achieve robust localization under infrastructure attacks. We first investigated the impact of infrastructure attacks on localization and showed that the performance of location estimations degraded significantly under the attack. We then derived an attack-resistant scheme that is not algorithm specific and can be integrated with existing localization algorithms. Our attack-resistant scheme exploited the characteristics of the geometric patterns returned by location estimates under the attack; that is, the localization results of a wireless device under the normal situation were clearly clustered together, whereas the localization results were scattered when an attack was present. Thus, our attack-resistant scheme is grounded on K-means clustering analysis of intra-distance of localization results from all possible combinations of any three access points. To evaluate the effectiveness and scalability of our proposed scheme, we used received signal strength for validation and applied our approach to three broad classes of localization algorithms: lateration based, fingerprint matching, and Bayesian networks. We validated our scheme in the ORBIT test bed (North Brunswick, NJ, USA) using an 802.11 (Wi-Fi) network and in a real office building environment using an 802.15.4 (ZigBee) network. The extensive experimental results demonstrated that the application of our scheme could help the broad range of localization algorithms to achieve comparable or even better localization performance when under infrastructure attacks as compared with normal situations without attack, thus, effectively eliminating the effects of infrastructure attacks.

Zetter, K. (2012, March 26). Microsoft seizes ZeuS servers in anti-botnet rampage. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/microsoft-botnet-takedown/

Microsoft continued its war on botnets last week with a raid that involved seizing servers controlling millions of zombie computers caught in the spell of the ZeuS malware.

Under a court order, Microsoft employees, accompanied by agents from the U.S. Marshals Service, raided two web hosting companies in Pennsylvania and Illinois on Friday, disabling web servers used as command-and-control centers for the botnets and seizing some 800 web addresses that allowed cybercriminals to infect computers in order to steal banking credentials and siphon money from victims’ accounts. [Related article from the New York Times].

Zhang, Y., Xiao, Y., Ghaboosi, K., Zhang, J., & Deng, H. (2012). A survey of cyber crimes.  Security and Communications Networks, 5(4), 422-437. [Full text can be requested from DocumentExpress.]

This paper provides a survey of cyber crimes that have actually occurred. First, cyber crimes in the digital world are compared with crimes in the physical world. Then, cyber crimes are categorized according to the roles of computers or networks.

Zhang, Y., Xiao, Y., Chen, M., Zhang, J., Deng, H. (2012). A survey of security visualization for computer network logs. Security and Communications Networks, 5(4), 404-421. [Full text can be requested from DocumentExpress.]

Although great efforts have already been made regarding security problems, networks are still threatened by all kinds of potential attacks, which may lead to huge damage and loss. In this survey, we looked into different security visual analytics, and we organized them into five categories.

CALLS FOR PAPERS

Conferences

The 14th ACM Workshop on Multimedia and Security [Coventry, England, Sept. 6-7, 2012]

ICER ’12: International Computing Education Research Conference [Auckland, New Zealand, Sept. 10-12, 2012]

7th International Workshop on Critical Information Infrastructures Security [Lillehammer, Norway, Sept. 17-18, 2012]

The 7th International Conference on Legal, Security and Privacy Issues in IT Law [Athens, Greece, Oct. 2-4, 2012]

31st International Symposium on Reliable Distributed Systems [Irvine, CA, Oct. 8-11, 2012.]

19th ACM Conference on Computer and Communications Security [Raleigh, NC, Oct. 16-18]

Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012 [Clearwater, FL, Oct. 22-25, 2012]

17th Nordic Conference in Secure IT Systems [Karlskrona, Sweden, Oct. 31 – Nov. 2, 2012.]

6th International Conference on Network and System Security [Wu Yi Shan, Fujian, China, Nov. 21-23, 2012]

Journals

IEEE Transactions on Information Forensics and Security, Special Issue on Privacy and Trust Management in Cloud and Distributed Systems [June 1, 2013, deadline May 31, 2012]

IEEE Network Magazine, Special Issue on Cyber Security of Networked Critical Infrastructures [January 2013, deadline June 1, 2012]

Brown, F. (2012, March). Using Google to find vulnerabilities in your IT environment (S4440312). Retrieved from http://goo.gl/GPzBt

Attackers are increasingly using a simple method for finding flaws in websites and applications: they Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. Sound scary? It is, but there is good news: You can use these same methods to find flaws before the bad guys do. In this special report, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services—and to fix them before they can be exploited.

Cobb, M. (2012, March). Detecting and defending against advanced persistent threats (S4390312). Retrieved from http://goo.gl/Qznbi

APTs are a growing problem for enterprises big and small.  Protecting your organization from these targeted threats requires constant vigilance, ongoing employee training and a concerted effort to align security systems to address every phase of an APT.  Companies also need to develop a remediation and response plan if, despite best efforts, defenses are breached.

Doyle, C. (2012, March 12). Cybersecurity: Cyber Crime Protection Security Act (S. 2111): A legal analysis (R42403). Retrieved from http://www.fas.org/sgp/crs/misc/R42403.pdf

The Cyber Crime Protection Security Act (S. 2111) would enhance the criminal penalties for the cyber crimes outlawed in the Computer Fraud and Abuse Act (CFAA). Those offenses include espionage, hacking, fraud, destruction, password trafficking, and extortion committed against computers and computer networks. S. 2111 contains some of the enhancements approved by the Senate Judiciary Committee when it reported the Personal Data Privacy and Security Act (S. 1151), S.Rept. 112-91 (2011).

The bill would (1) establish a three-year mandatory minimum term of imprisonment for aggravated damage to a critical infrastructure computer; (2) streamline and increase the maximum penalties for the cyber crimes proscribed in CFAA; (3) authorize the confiscation of real property used to facilitate the commission of such cyber offenses and permit forfeiture of real and personal property generated by, or used to facilitate the commission of, such an offense, under either civil or criminal forfeiture procedures; (4) add such cyber crimes to the racketeering (RICO) predicate offense list, permitting some victims to sue for treble damages and attorneys’ fees; (5) increase the types of password equivalents covered by the trafficking offense and the scope of federal jurisdiction over the crime; (6) confirm that conspiracies to commit one of the CFAA offenses carry the same penalties as the underlying crimes; and (7) provide that a cyber crime prosecution under CFAA could not be grounded exclusively on the failure to comply with a term of service agreement or similar breach of contract or agreement, apparently in response to prosecution theory espoused in Drew. With the exception of this last limitation on prosecutions, the Justice Department has endorsed the proposals found in S. 2111. The bill has been placed on the Senate calendar. As of this date, S. 2111 has no House counterpart.

Glennon, M. J. (2012). State-level cybersecurity. Policy Review, (171), 85-102. [Full text available in ABI/INFORM Complete database].

No air traffic controllers or airport check-ins; no electronically regulated rail traffic; no computer-dependent overnight deliveries of packages or mail; no paychecks for millions of workers whose employers depend on payroll software; no financial records of funds on deposit and no ATMs; no reliable digital records in hospitals and health centers; no electrical power, resulting in no light, no heat, no operating oil refineries or heating fuel or gasoline; no traffic signals, and no telephone or internet service or effective police protection – such is the list of what could be disabled by an attack on America’s computer networks. Espionage conducted by other nations has been regarded as a matter for the federal government, whereas theft, the destruction of property, and related offenses committed by individuals and criminal organizations are thought to be the purview of both state and federal governments. […] as with terrorist attacks, vexing issues of legal categorization arise.

Grace, M., Zhou, W., & Jiang, X. (2012, April 12). Unsafe exposure analysis of mobile in-app advertisements. Paper to be presented at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Tucson, AZ. Retrieved from http://www.csc.ncsu.edu/faculty/jiang/pubs/WISEC12_ADRISK.pdf

In recent years, there has been explosive growth in smartphone sales, which is accompanied with the availability of a huge number of smartphone applications (or simply apps). End users or consumers are attracted by the many interesting features offered by these devices and the associated apps. The developers of these apps are also benefited by the prospect of financial compensation, either by selling their apps directly or by embedding one of the many ad libraries available on smartphone platforms. In this paper, we focus on potential privacy and security risks posed by these embedded or in-app advertisement libraries (henceforth “ad libraries,” for brevity). To this end, we study the popular Android platform and collect 100,000 apps from the official Android Market in March-May, 2011. Among these apps, we identify 100 representative in-app ad libraries (embedded in 52.1% of them) and further develop a system called AdRisk to systematically identify potential risks. In particular, we first decouple the embedded ad libraries from host apps and then apply our system to statically examine the ad libraries, ranging from whether they will upload privacy sensitive information to remote (ad) servers or whether they will download untrusted code from remote servers. Our results show that most existing ad libraries collect private information: some of them may be used for legitimate targeting purposes (i.e., the user’s location) while others are hard to justify by invasively collecting the information such as the user’s call logs, phone number, browser bookmarks, or even the list of installed apps on the phone. Moreover, additional ones go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks. Our investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. 
These results clearly show the need for better regulating the way ad libraries are integrated in Android apps.

Lennon, M. (2012, March 19). Mystery of programming language used in Duqu framework solved. SecurityWeek. Retrieved from http://www.securityweek.com/mystery-programming-language-used-duqu-framework-solved

Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to “Duqu”, the Trojan often referred to as “Son of Stuxnet”, which surfaced in October 2010. The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system.

Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

Mills, E. (2012, March 21). Verizon: Hacktivists stole 100 million + records in 2011. CNet. Retrieved from http://news.cnet.com/8301-27080_3-57402063-245/verizon-hacktivists-stole-100-million-records-in-2011/

Financially motivated criminals were behind most of last year’s data breaches, but hacktivists stole almost twice as many records from organizations and government agencies, according to the Data Breach Investigations Report being released by Verizon today.

While more than 80 percent of the data breaches in 2011 were due to organized criminal activity, the number of records pilfered from activist groups represented 58 percent of the total, the report finds.

In particular, hacktivists targeted corporations and big agencies, and consumer data. Activist groups accounted for more than 22 percent of the data breaches targeting large organizations. Meanwhile, 95 percent of the records compromised last year included personal information about individuals, compared with only 1 percent the year before, Verizon said.

Financially motivated cyberthieves tend to do more breaches in total than hacktivists, but grab smaller amounts of data at a time and target smaller organizations that are low-hanging fruit, according to the report.

Pellerin, C. (2012, March 21). Officials: Cyber research needs innovation, talent. Armed Forces Press Service. Retrieved from http://goo.gl/345Jw

As a critical enabler of Defense Department business and military operations and the DOD command-and-control backbone, cyber is the focus of intense research and development in an environment where success means getting out ahead of an evolving threat.

During the unclassified portion of a hearing of the Senate Armed Services subcommittee on emerging threats and capabilities yesterday, experts from DOD, the Defense Advanced Research Projects Agency and the National Security Agency discussed the department’s vulnerabilities and needs.

“DARPA’s bottom-line message today [is] that DOD is capability-limited in cyber, both defensively and offensively,” DARPA Acting Director Kaigham “Ken” J. Gabriel told the panel. “We need to change that.”

Ponemon Institute. (2011, March). 2011 cost of data breach study: United States. Retrieved from http://goo.gl/HmErV

Symantec Corporation and Ponemon Institute are pleased to present 2011 U.S. Cost of Data Breach, our seventh annual benchmark study concerning the cost of data breach incidents for U.S.-based companies. While Ponemon Institute research indicates that data breaches continue to have serious financial consequences for organizations, there is evidence that organizations are becoming better at managing the costs incurred to respond and resolve a data breach incident. In this year’s study, the average per capita cost of data breach has declined from $214 to $194 . . .

This year’s study examines the costs incurred by 49 U.S. companies in 14 different industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims as required by law. Results are not based upon hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents. More than 400 individuals were interviewed over a nine-month period. To date, 268 organizations have participated in this research.

Shin, S., Gu, G., Reddy, N., & Lee, C. P. (2012). A large-scale empirical study of Conficker. IEEE Transactions on Information Forensics and Security, 7(2) [NEW ISSUE – table of contents], 676-690. [Full text can be requested from DocumentExpress.]

Conficker is the most recent widespread, well-known worm/bot. According to several reports, it has infected about 7 million to 15 million hosts and the victims are still increasing even now. In this paper, we analyze Conficker infections at a large scale, about 25 million victims, and study various interesting aspects about this state-of-the-art malware. By analyzing Conficker, we intend to understand current and new trends in malware propagation, which could be very helpful in predicting future malware trends and providing insights for future malware defense. We observe that Conficker has some very different victim distribution patterns compared to many previous generation worms/botnets, suggesting that new malware spreading models and defense strategies are likely needed. We measure the potential power of Conficker to estimate its effects on the networks/hosts when it performs malicious operations. Furthermore, we intend to determine how well a reputation-based blacklisting approach can perform when faced with new malware threats such as Conficker. We cross-check several DNS blacklists and IP/AS reputation data from Dshield and FIRE and our evaluation shows that unlike a previous study which shows that a blacklist-based approach can detect most bots, these reputation-based approaches did relatively poorly for Conficker. This raises a question of how we can improve and complement existing reputation-based techniques to prepare for future malware defense. Based on this, we look into some insights for defenders. We show that neighborhood watch is a surprisingly effective approach in the case of Conficker. This suggests that security alert sharing/correlation (particularly among neighborhood networks) could be a promising approach and play a more important role for future malware defense.

Torres-Soriano, M. R. (2012). The vulnerabilities of online terrorism. Studies in Conflict & Terrorism, 35(4), 263-277. [Full text can be requested from DocumentExpress.]

Jihadist terrorism has discovered in the Internet a valuable instrument to strengthen its activities. However, in using this technology the terrorists are exposed to new vulnerabilities. The Internet plays a leveling role: each new advantageous use it brings is accompanied by a new opportunity to weaken terrorist groups. The present article examines the main vulnerabilities of radical groups who have accorded the Internet a central role in their strategy, namely, less anonymity and security, a loss of content visibility, a major credibility problem, and an undermining of the legitimacy of the terrorist discourse as a consequence of their use of Web 2.0.

[USEFUL WEEKLY PUBLICATION]. United States. Computer Emergency Readiness Team. US-CERT cyber security bulletin. Retrieved from http://www.us-cert.gov/cas/bulletins/

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). 

[USEFUL DAILY PUBLICATION] United States. Department of Homeland Security. DHS daily open source infrastructure report. Retrieved from http://www.dhs.gov/files/programs/editorial_0542.shtm

The DHS Daily Open Source Infrastructure Report is collected each business day as a summary of open-source published information concerning significant critical infrastructure issues. Each Daily Report is divided by the critical infrastructure sectors and key assets defined in the National Infrastructure Protection Plan.

Wolchok, S., Wustrow, E., Isabel, D., & Halderman, J. A. (2012, February). Attacking the Washington, D.C. internet voting system. Paper presented at the 16th Conference on Financial Cryptography and Data Security, Bonaire, Netherlands. Retrieved from https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near-complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study—the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment—attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.

Zetter, K. (2012, March 19). DuQu mystery solved with help of crowdsourcing. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/

A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.

The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.

Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.

Wen, Z. (2012, March 21). Hacker, suspected of 6 million user info leak, detained. Shanghai Daily. Retrieved from http://goo.gl/vxKVg

The man suspected of hacking into China’s largest website for programmers and leaking personal information of over 6 million users last December has been detained on charges of illegal acquisition of computer data, the Beijing News reported today.  The suspect surnamed Zeng was held in Wenzhou, eastern Zhejiang Province on February 4 after Beijing police opened an investigation into the case on December 22, the paper said.

The leak, considered the biggest in China’s Internet history, occurred on December 21 when the personal information of more than 6 million users of the China Software Developer Network was exposed on the Internet for free downloading.


Berghel, H. (2012). Wikileaks and the matter of Private Manning. Computer, 45(3), 70-73. [Full text available in IEEE Computer Science Digital Library database].

The release of significant documents by WikiLeaks, the international online not-for-profit organization, has become front-page news that has significant implications for computing professionals.

More from Wired: “UN torture chief: Bradley Manning treatment was cruel, inhuman”

Booth, R., & Mahmood, M. (2012, March 13). How the Assad emails came to light. Guardian. Retrieved from http://www.guardian.co.uk/world/2012/mar/14/how-assad-emails-came-light

In late March last year, Syrian opposition activists say, a young government worker in Damascus nervously handed a scrap of paper to a friend. On it were four handwritten codes that the friend was instructed to pass to a small group of exiled Syrians who would know what to do with them.

The paper contained two email addresses: sam@alshahba.com and ak@alshahba.com. They are thought to have been the personal email usernames and passwords of the president, Bashar al-Assad, and his wife, Asma.

For the next nine months they were to offer a cell of activists an extraordinary window into what appeared to be the private lives of Syria’s first family and their attempts to turn around the country’s steady descent towards the abyss.

Galperin, E. (2012, March 15). Fake YouTube site targets Syrian activists with malware.  Electronic Frontier Foundation. Retrieved from https://www.eff.org/deeplinks/2012/03/fake-youtube-site-targets-syrian-activists-malware

Last week, EFF reported on two instances of pro-Syrian-government malware targeting Syrian activists through links sent in chats and emails. This week, we’ve seen new Windows malware dropped by a fake YouTube site hosting Syrian opposition videos.

Golovanov, S. (2012, March 16). A unique ‘fileless’ bot attacks news site visitors. Securelist. Retrieved from http://goo.gl/b9FJk

In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive.

The infection mechanism used by this malware proved to be very difficult to identify. The websites used to spread the infection are hosted on different platforms and have different architectures. None of our attempts to reproduce the infections were successful. A quick analysis of KSN statistics that might help to identify the connection between compromised resources and the malicious code being distributed did not yield any results, either. However, we did manage to find something that the news sites had in common.

[UPCOMING LARGO-AREA EVENT] Goodwin, J. (2012, March 13). China panel to explore ‘China’s computer exploitations’ March 26. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25827

The U.S.-China Economic and Security Review Commission, a congressionally-mandated panel that looks at the national security implications of America’s economic relationship with China, will hold a public meeting in Manassas, VA, on March 26 that will examine recent trends in China’s computer exploitations and nuclear strategies.

The public session, which will take place at the Hylton Performing Arts Center, 10960 George Mason Circle, Manassas, VA 20109, from 9 AM to 3 PM, will be open to the public, with no advanced reservations required.

Johnson, N. B. (2012, March 15). Increase in cyber attacks on federal systems slows. Federal Times. Retrieved from http://goo.gl/wLVQq

Cyber attacks against federal websites and networks increased 5 percent between 2010 and 2011, a big slowdown compared to the 40 percent increase between 2009 and 2010, the government reported.

Federal agencies suffered 43,889 cyber attacks in 2011, up from 41,776 the previous year, according to a report by the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT).

Agencies have adopted more performance-based metrics that allow them to better measure their cybersecurity progress and address security weaknesses, according to the report, which details how well agencies are complying with the 2002 Federal Information Security Management Act.

Kravets, D. (2012, March 14). FBI can’t crack Android pattern-screen lock. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock/

Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.

The bureau claims in federal court documents that forensics experts performed “multiple attempts” to access the contents of a Samsung Exhibit II handset, but failed to unlock the phone.

Madnick, S., Choucri, N., Li, X., & Ferwerda, J. (2012, March). Comparative analysis of cybersecurity metrics to develop new hypotheses (ESD-WP-2012-03). Retrieved from http://esd.mit.edu/WPS/2012/esd-wp-2012-03.pdf

Few Internet security organizations provide comprehensive, detailed, and reliable quantitative metrics, especially in the international perspective across multiple countries, multiple years, and multiple categories. As a common refrain to justify this situation, organizations ask why they should spend valuable time and resources collecting and standardizing data.

This report aims to provide an encouraging answer to this question by demonstrating the value that even limited metrics can provide in a comparative perspective. We present some findings generated through the use of a research tool, the Explorations in Cyber Internet Relations (ECIR) Data Dashboard. In essence, this dashboard consists of a simple graphing and analysis tool, coupled with a database consisting of data from disparate national-level cyber data sources provided by governments, Computer Emergency Response Teams (CERTs), and international organizations. Users of the dashboard can select relevant security variables, compare various countries, and scale information as needed.

Prince, B. (2012, March 13). New bank fraud schemes target SIM cards in multi-layered attacks. SecurityWeek. Retrieved from http://www.securityweek.com/new-bank-fraud-schemes-target-sim-cards-multi-layered-attacks

As online banking shifts to add more authentication tests, scammers have been forced to up their game to compromise accounts. In new research, security firm Trusteer revealed two examples of just how much.

According to Trusteer, the first scheme starts with a drive-by download infecting victims with the Gozi Trojan. Once the Trojan is on the victim’s PC, it uses a Web page injection that prompts the victim to enter the International Mobile Equipment Identity (IMEI) number on their mobile device before they can enter their online bank account. For those who don’t know what an IMEI number is, the scammers are thoughtful enough to explain how to find it on the phone’s battery or dialing *#06# on the device keypad.

Ragan, S. (2012, March 14). Gh0stRAT variant used in targeted attacks against organizations in Tibet. SecurityWeek. Retrieved from http://www.securityweek.com/gh0strat-variant-used-targeted-attacks-against-organizations-tibet

Researchers from AlienVault Labs have discovered a spear phishing attack against several organizations in Central Tibet. Based on the data, the security firm believes that the attacks are originating from the same Chinese group that launched the Nitro attacks last year.

Towards the end of 2011, a group believed to be located in China launched a series of attacks against chemical and defense companies, aiming to obtain sensitive information about the organizations themselves, and their supporters. The attacks were given the name Nitro, and they leveraged phishing and a PDF exploit to target a vulnerability in Windows. However, what made headlines was the payload, a Remote Access Trojan called Gh0st (Gh0stRAT), a relative of the Poison Ivy trojan. At least 48 companies were believed to have been targeted in the Nitro attacks.

Riboni, D., Pareschi, & Bettini, C. (2012). JS-Reduce: Defending your data from sequential background knowledge attacks. IEEE Transactions on Secure and Dependable Computing [new issue], 9(3), 387-400. [Full text available in IEEE Computer Society Digital Library database].

Web queries, credit card transactions, and medical records are examples of transaction data flowing in corporate data stores, and often revealing associations between individuals and sensitive information. The serial release of these data to partner institutions or data analysis centers in a nonaggregated form is a common situation. In this paper, we show that correlations among sensitive values associated to the same individuals in different releases can be easily used to violate users’ privacy by adversaries observing multiple data releases, even if state-of-the-art privacy protection techniques are applied. We show how the above sequential background knowledge can be actually obtained by an adversary, and used to identify with high confidence the sensitive values of an individual. Our proposed defense algorithm is based on Jensen-Shannon divergence; experiments show its superiority with respect to other applicable solutions. To the best of our knowledge, this is the first work that systematically investigates the role of sequential background knowledge in serial release of transaction data.

Schmidt, M. S. (2012, March 13). New interest in hacking as threat to security. New York Times. Retrieved from http://www.nytimes.com/2012/03/14/us/new-interest-in-hacking-as-threat-to-us-security.html

During the five-month period between October and February, there were 86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases, according to the Department of Homeland Security compared with 11 over the same period a year ago.

None of the attacks caused significant damage, but they were part of a spike in hacking attacks on networks and computers of all kinds over the same period. The department recorded more than 50,000 incidents since October, about 10,000 more than in the same period a year earlier, with an incident defined as any intrusion or attempted intrusion on a computer network.

The increase has prompted a new interest in cybersecurity on Capitol Hill, where lawmakers are being prodded by the Obama administration to advance legislation that could require new standards at facilities where a breach could cause significant casualties or economic damage.

Shar, L. K., & Tan, H. B. K. (2012). Defending against cross-site scripting attacks. Computer, 45(3), 55-62. [Full text available in IEEE Computer Science Digital Library database].

Researchers have proposed multiple solutions to cross-site scripting, but vulnerabilities continue to exist in many Web applications due to developers’ lack of understanding of the problem and their unfamiliarity with current defenses’ strengths and limitations.

United States. Government Accountability Office. (2012, March). IRS needs to further enhance internal control over financial reporting and taxpayer data (GAO-12-393). Retrieved from http://www.gao.gov/products/GAO-12-393

IRS implemented numerous controls and procedures intended to protect key financial and tax-processing systems; nevertheless, control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS’s systems. Specifically, the agency continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.

Wheatman, J. (2012, March 14). Database activities you should be monitoring. Gartner. [Full text available in Gartner database].

The need to monitor activities in business-critical data stores continues to grow in scope and importance. Organizations should evaluate the landscape of security monitoring tools, balancing the cost, impact and security benefits, and implement solutions that address 10 critical areas.

Also from Gartner this week: Three Kinds of Password Management, How Metadata Improves Business Opportunities and Threats, and Developing a Strategy for Business-Aligned Information Security.

Zetter, K. (2012, March 9). Teen exploits three zero-day vulns for $60K win in Google Chrome hack contest. Wired. Retrieved from http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/

Just hours before the end of Google’s $1 million hack challenge, a teenager who once applied to work at Google without getting a response, hacked the company’s Chrome browser using three zero-day vulnerabilities, one of which allowed him to escape the browser’s security sandbox.