April 27, 2012

Bernard, N., & Leprévost, F. (2012). Beyond TOR: The TrueNyms Protocol. Security and Intelligent Information Systems, 7053, 68-84. Retrieved from http://goo.gl/zguZD

How to hide who is communicating with whom? How to hide when a person is communicating? How to even hide the existence of ongoing communications? Partial answers to these questions have already been proposed, usually as byproducts of anonymity providing systems. The most advanced one available today is Onion-Routing and is implemented in Tor and I2P. Still, Onion-Routing is exposed to a series of serious attacks. The current paper classifies these series of attacks, and announces the TrueNyms unobservability protocol. We describe here how TrueNyms handles one of the families of attacks applying to the current Onion-Routing system, namely traffic analysis on the “shape”, and give some evidence on its performance. Developed since 2003, TrueNyms is not anymore an academic answer to a privacy problem, but is a heavily tested and efficient product providing unobservability and anonymity. Although it cannot be used (for the time-being) for very low-latency applications like telephony over IP, TrueNyms can be efficiently used for most low-latency applications like Web browsing and HTTP-based protocols (RSS for instance), Instant Messaging, File transfers, audio and video streaming, remote shell, etc. TrueNyms allows parties to communicate without revealing anything about the communication — including its very existence — to any observer, despite how powerful such an observer might be.

Bradbury, D. (2012, April). SCADA: A critical vulnerability. Computer Fraud and Security, 2012(4), 11-14. [Full text available to UMUC students / faculty in ScienceDirect database.]

Are we at risk of a system meltdown of Hollywood proportions? A recent presentation highlighting critical vulnerabilities in some of our most popular industrial control systems suggests so. Project Basecamp, a vulnerability assessment exercise carried out by security firm Digital Bond, assessed levels of security in Supervisory Control And Data Acquisition (SCADA) products. It found them badly wanting.

Many control systems assume that they will be used within carefully controlled environments and react unpredictably – or disastrously – when sent unexpected input, and yet we depend on them to run much of the critical infrastructure on which our daily lives depend. Danny Bradbury examines the dangers and asks what can be done.

Burt, J. (2012, April 24). Mac Flashback trojan started with compromised WordPress blogs. eWeek. Retrieved from http://www.eweek.com/c/a/Security/Mac-Flashback-Attack-Started-With-Compromised-WordPress-Blogs-345275/

The Flashback malware that eventually infected more than 600,000 Macs worldwide probably started from tens of thousands of WordPress blog sites that had been hacked into and compromised, according to researchers at Kaspersky Lab.

Caldwell, T. (2012, April). Locking down the e-wallet. Computer Fraud and Security, 2012(4), 5-8. [Full text available to UMUC students / faculty in ScienceDirect database.]

The Google Wallet mobile app made the e-wallet concept mass market, but security breaches were not far behind. A focal point of malware writers seems to be banking trojans that attack the highly secured connection between the bank and the user.

Tracey Caldwell examines the security threats facing e-wallets and sets out a number of approaches to securing e-wallets, from using the Secure Element, to optical tokens and cloud-based authentication. She also discusses the role that retailers, merchants and telco companies may play in e-wallet security in the future.

Cobb, M. (2012, April). How did they get in? A guide to tracking down the source of APTs [InformationWeek]. Retrieved from http://twimgs.com/darkreading/advancedthreat/S4740412-howdidtheygetin.pdf

If you think that your organization hasn’t been affected by an advanced persistent threat, you probably haven’t looked hard enough. Identifying that your organization is under attack is difficult enough; determining the scope of infiltration and damage presents a whole new level of challenge. To effectively protect against APTs, security pros will need to employ an arsenal of tools in a coordinated fashion, as well as develop new understandings of and approaches to system and data exploits.

Cook, T. (2012, April 24). A regular expression search primer for forensic analysts [SANS]. Retrieved from https://www.sans.org/reading_room/whitepapers/forensics/regular-expression-search-primer-forensic-analysts_33929

Often forensic texts and articles assume a level of experience and comfort with Linux command line string searching and text manipulation that a reader does not possess. This assumption tends to leave the reader to their own devices to puzzle out how to locate and extract specific string content from files. The focus of this paper is to introduce the reader to Linux string search and text manipulation commands and provide specific use cases and search patterns that will be of use to Forensic Analysts.

Electronic Frontier Foundation. (2012). Map of domestic aerial drone authorizations. Retrieved from http://goo.gl/iLTyD

From a related article: This week the Federal Aviation Administration (FAA) finally released its first round of records in response to EFF’s Freedom of Information Act (FOIA) lawsuit for information on the agency’s drone authorization program. The agency says the two lists it released include the names of all public and private entities that have applied for authorizations to fly drones domestically. These lists—which include the Certificates of Authorizations (COAs), issued to public entities like police departments, and the Special Airworthiness Certificates (SACs), issued to private drone manufacturers—show for the first time who is authorized to fly drones in the United States.

Erdbrink, T. (2012, April 24). Facing cyberattack, Iranian officials disconnect some oil terminals from internet. New York Times. [Full text available to UMUC students / faculty in ProQuest Newspapers database.]

Iran disconnected several of its main Persian Gulf oil terminals from the Internet on Monday, local news media reported, as technicians were struggling to contain what they said were intensifying cyberattacks on the Oil Ministry and its affiliates.

Iranian officials said the virus attack, which began in earnest on Sunday afternoon, had not affected oil production or exports, because the industry is still primarily mechanical and does not rely on the Internet. Officials said they were disconnecting the oil terminals and possibly some other installations in an effort to combat the virus.

Farivar, C. (2012, April 23). Cellphone industry opposes California location privacy bill. Ars Technica. Retrieved from http://arstechnica.com/business/news/2012/04/cellphone-industry-opposes-california-location-privacy-bill.ars

On Tuesday, the California Senate Public Safety Committee is hearing arguments on the California Location Privacy Bill (SB 1434). It’s a new bill that would provide more consumer protection for law enforcement access to mobile phones. As currently written, it would require a warrant before police gain access to location information, and would also require that mobile phone companies disclose how often and why they are giving up this information as a way to monitor proper use of this law.

Not surprisingly, the Electronic Frontier Foundation and the ACLU of Northern California have been arguing in favor of the new bill. Who’s against? Why, it’s CTIA, the industry trade group of the cellphone industry.

Fisher, D. (2012, April 24). Security experts, internet engineers urge lawmakers to drop CISPA. threatpost. Retrieved from https://threatpost.com/en_us/blogs/security-experts-internet-engineers-urge-lawmakers-drop-cispa-042412

A long list of security, networking and computer science experts have signed a letter sent to lawmakers on Monday, asking them to drop support for CISPA and other proposed cybersecurity bills because they consider the measures overly broad and say they would infringe on users’ privacy and civil liberties. The group, which includes Bruce Schneier, Peter Neumann and others, said the bills’ focus on allowing the sharing of users’ traffic with government agencies would “unnecessarily trade our civil liberties for the promise of improved network security.”

The Cyber Intelligence Sharing and Protection Act (CISPA) has become a focus of criticism and ire from a number of groups who oppose the bill’s provision that could allow ISPs to turn over traffic from their networks to government agencies as part of a program to share information on security threats and attacks. Critics have said that this could amount to wiretapping without the knowledge of the users whose data is captured and shared.

Goodin, D. (2012, April 23). TV based botnets? DoS attacks on your fridge? More plausible than you think. Ars Technica. Retrieved from http://arstechnica.com/business/news/2012/04/tv-based-botnets-ddos-attacks-on-your-fridge-more-plausible-than-you-think.ars

It’s still premature to say you need firewall or antivirus protection for your television set, but a duo of recently diagnosed firmware vulnerabilities in widely used TV models made by two leading manufacturers suggests the notion isn’t as far-fetched as many may think.

The most recent bug, found in a wide range of high-definition TVs from Samsung, was disclosed on Thursday by Luigi Auriemma, an Italy-based researcher who regularly finds security flaws in Microsoft Windows, video games, and even the industrial-strength systems used to control dams, gas refineries, and other critical infrastructure. While poking around a Samsung D6000 model belonging to his brother, he inadvertently discovered a way to remotely send the TV into an endless restart mode that persists even after unplugging the device and turning it back on.

Holleman, J. (2012, April 20). Personal data for 228,000 in SC compromised. The State. Retrieved from http://www.thestate.com/2012/04/20/2241321/personal-information-of-more-than.html

A state employee inappropriately gained access to personal information for more than 228,000 Medicaid beneficiaries, a security breach that prompted the Department of Health and Human Services to take measures to offer credit protection services to the individuals involved.

Christopher Lykes Jr., 36, of Swansea, was arrested Thursday and charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information, according to SLED. Lykes also is a former member of the executive committee of the Lexington County Democratic Party.

Mansfield-Devine, S. (2012, April). Interview: BYOD and the enterprise network. Computer Fraud and Security, 2012(4), 14-17. [Full text available to UMUC students / faculty in ScienceDirect database.]

Bring Your Own Device (BYOD) is a trend that many organisations are confused or concerned about. In this interview, Frank Andrus, CTO at Bradford Networks, explains that data leaks, malware and hacking aren’t the only issues. There are more fundamental concerns with how your networks are managed. And the solution might be to work with your users, rather than simply trying to control them.

Moyle, E., & Kelly, D. (2012, April 20). Federal government cybersecurity survey [InformationWeek]. Retrieved from http://reports.informationweek.com/abstract/104/8769/Government/research-federal-government-cybersecurity-survey.html

InformationWeek surveyed 106 federal IT professionals in March on the cybersecurity threats faced by their agencies and their strategies for dealing with them. The detailed survey results, and our analysis of how they correlate to the White House’s cybersecurity policy initiatives, are contained in this report.

InformationWeek asked survey respondents about their progress in meeting national cybersecurity objectives, barriers to progress, areas of investment and the threat landscape. While the threats are varied and significant, our data suggests that progress is being made. A majority of those surveyed rated their agency’s cybersecurity readiness as good or excellent, and only a minority reported an information security breach in the past three months.

Pear, R. (2012, April 27). House votes to approve disputed hacking bill. New York Times. [Full text available to UMUC students / faculty in ProQuest Newspapers database.]

Defying a veto threat from President Obama, the House on Thursday passed a bill that encourages intelligence agencies and businesses to share information about threats to computer systems, including attacks on American Web sites by hackers in China and other countries.

The vote was 248 to 168, as 42 Democrats joined 206 Republicans in backing the bill. The “no” votes were cast by 140 Democrats and 28 Republicans, including a number who described the measure as a potential threat to privacy and civil liberties.

Prince, B. (2012, April 23). FBI: Kill DNSChanger trojan or prepare to lose internet access. SecurityWeek. Retrieved from https://www.securityweek.com/fbi-kill-dnschanger-trojan-or-prepare-lose-internet-access

The FBI is advising people to check their computers for DNSChanger malware before infected computers are essentially shut off from the Internet.

Come July 9, the DNS servers set up by the government to take the place of malicious servers controlled by a gang behind a spate of DNSChanger infections will be taken offline. This means that computers using those servers that have not been cleaned of the malware will not be able to connect to the Internet via any connection requiring DNS resolution. Hoping to avoid a catastrophe for potentially hundreds of thousands of users, the FBI is encouraging people to visit the website for the DNSChanger Working Group (DCWG), which can alert them as to whether or not they are infected and offer information about how to fix the problem.

Roberts, P. (2012, April 23). Google ups bounty for bugs for $20,000. threatpost. Retrieved from https://threatpost.com/en_us/blogs/google-ups-bounty-bugs-20000-042312

Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. In a post on the company’s Online Security Blog, Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features.

Terry, K. (2012, April 24). Should FDA assess medical device defenses against hackers? InformationWeek. Retrieved from http://www.informationweek.com/news/healthcare/security-privacy/232900818

The vulnerability of wireless medical devices to hacking has attracted attention in Washington. Although there has not yet been a high-profile case of such a cyber-attack, the Information Security and Privacy Advisory Board, which advises the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), recently proposed that the Food and Drug Administration (FDA) or another federal agency assess the security of medical devices before they’re sold.

United States. Department of Energy. (2012, April 25). Version 4 critical infrastructure reliability standards. Retrieved from http://cryptome.org/2012/04/ferc042512.pdf

Under section 215 of the Federal Power Act, the Federal Energy Regulatory Commission (Commission) approves eight modified Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-4 through CIP-009-4, developed and submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC), the Electric Reliability Organization certified by the Commission. The CIP Reliability Standards provide a cybersecurity framework for the identification and protection of “Critical Cyber Assets” to support the reliable operation of the Bulk-Power System. Reliability Standard CIP-002-4 requires the identification and documentation of Critical Cyber Assets associated with “Critical Assets” that support the reliable operation of the Bulk-Power System and introduces “bright line” criteria for the identification of Critical Assets.

Whistleblower: The NSA is lying – U.S. government has copies of most of your emails. (2012, April 20). Democracy Now. Retrieved from https://www.democracynow.org/2012/4/20/whistleblower_the_nsa_is_lying_us

National Security Agency whistleblower William Binney reveals he believes domestic surveillance has become more expansive under President Obama than President George W. Bush. He estimates the NSA has assembled 20 trillion “transactions” — phone calls, emails and other forms of data — from Americans. This likely includes copies of almost all of the emails sent and received from most people living in the United States. Binney talks about Section 215 of the USA PATRIOT Act and challenges NSA Director Keith Alexander’s assertion that the NSA is not intercepting information about U.S. citizens. [Audio, with transcript.]

More from: Wired: The NSA is building the country’s biggest spy center (watch what you say); Wired: James Bamford on how the NSA’s new spy center may know everything; IXmaps: NSA listening posts.

Xu, Z., Bai, K., & Zhu, S. (2012, April). TapLogger: Inferring user inputs on smartphone touch-screens using onboard motion sensors. Paper presented at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Tucson, AZ. Retrieved from http://www.cse.psu.edu/~szhu/papers/taplogger.pdf

Today’s smartphones are shipped with various embedded motion sensors, such as the accelerometer, gyroscope, and orientation sensors. These motion sensors are useful in supporting the mobile UI innovation and motion-based commands. However, they also bring potential risks of leaking users’ private information, as they allow third-party applications to monitor the motion changes of smartphones. In this paper, we study the feasibility of inferring a user’s tap inputs to a smartphone with its integrated motion sensors. Specifically, we utilize an installed trojan application to stealthily monitor the movement and gesture changes of a smartphone using its on-board motion sensors. When the user is interacting with the trojan application, it learns the motion change patterns of tap events. Later, when the user is performing sensitive inputs, such as entering passwords on the touchscreen, the trojan application applies the learnt pattern to infer the occurrence of tap events on the touchscreen as well as the tapped positions on the touchscreen. For demonstration, we present the design and implementation of TapLogger, a trojan application for the Android platform, which stealthily logs the password of screen lock and the numbers entered during a phone call (e.g., credit card and PIN numbers). Statistical results are presented to show the feasibility of such inferences and attacks.

Zetter, K. (2012, April 25). Equipment maker caught installing backdoor account in control system code. Wired. Retrieved from http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/

A Canadian company that makes equipment and software for critical industrial control systems planted a backdoor login account in its flagship operating system, according to a security researcher, potentially allowing attackers to access the devices online.

The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, “factory,” that was assigned by the vendor and can’t be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device.

More from ArsTechnica: Backdoor in mission-critical hardware threatens power, air-traffic control systems.

Zetter, K. (2012, April 25). VMWare source code leak follows alleged hack of Chinese defense contractor. Wired. Retrieved from http://www.wired.com/threatlevel/2012/04/vmware-source-code-leaked/

Source code belonging to VMWare has leaked to the internet after apparently being stolen by a hacker who claims to have obtained it from a Chinese firm’s network.