Monthly Archives: May 2012

  • Aksen, D., & Necati, A. (2012). A bilevel fixed charge location model for facilities under imminent attack. Computers & Operations Research. [Read]
  • Amantini, A., Choraś, M., D’Antonio, S., Egozcue, E., Germanus, D., & Reinhard, H. (2012). The human role in tools for improving robustness and resilience of critical infrastructures. Cognition, Technology, & Work. [Read]
  • Appelbaum, J., & Kleiner, D. (2012, May 4). Resisting the surveillance state and its network effects. Talk given at re:publica 12. [Watch]
  • Arogundade, O. T., Akinwale, Jin, A., & Yang, X. G. (2012). Toward an ontological approach to information system security and safety requirement modeling and reuse. Information Security Journal, 21(3), 137-149. doi:10.1080/19393555.2011.652290 [Abstract / Request]
  • Arunmozhi, S. A., & Venkataramani, Y. (2012). Black hole attack detection and performance improvement in mobile ad-hoc network. Information Security Journal, 21(3), 150-158. doi:10.1080/19393555.2011.652291 [Abstract / Request]
  • Ayuso, P. N., Gasca, R. M., & Lefevre, L. (2012). FT-FW: A cluster-based fault-tolerant architecture for stateful firewalls. Computers & Security. [Read]
  • Bennett, D. (2012). The challenges facing computer forensics investigators in obtaining information from mobile devices for use in criminal investigations. Information Security Journal, 21(3), 159-168. doi:10.1080/19393555.2011.654317 [Abstract / Request]
  • Bogus Pinterest pins lead to survey scams. (2012, May 18). Trendlabs. [Read]
  • Bowen, B. M., Stolfo, S. J., & Ramaswamy, D. (2011, November). Measuring the human factor of cyber security. Paper presented at the 2011 IEEE International Conference on Technology for Homeland Security. [Read]
  • Clayton, M. (2012, May 17). Cybersecurity: How US utilities passed up chance to protect their networks. Christian Science Monitor. [Read] [Related: 5/24/12 letter from Sen. Jay Rockefeller to the American Gas Association].
  • Cybersecurity skills shortage. (2012, Summer). ITNOW, 54(2), 32-34. doi:10.1093/itnow/bws043 [Abstract / Request]
  • Davis, A. (2012, Summer). Hacktivism. ITNOW, 54(2), 30-31. doi:10.1093/itnow/bws042 [Abstract / Request]
  • DeYoung, K., & Nakashima, E. (2012, May 23). U.S. hacks Yemeni web sites to counter al-Qaeda propaganda. Washington Post. [Read]
  • Fouladi, B. (2012, May 17). A closer look into the RSA SecureID software token. sensepost. [Read]
  • Gumm, K. E. (2012). Can social network analysis be effective at improving the intelligence community while ensuring civil rights? Information Security Journal, 21(3), 115-126. doi:10.1080/19393555.2011.647251 [Abstract / Request]
  • Geuss, M. (2012, May 23). Google reaches out to owners of machines infected with DNSChanger malware. Ars Technica. [Read]
  • 15th International Conference on Practice and Theory in Public Key Cryptography (2012, May 21-23) – papers presented [Request / Abstracts]:
  • Kim, I. M. (2012, April 30). Penetration testing of a Web application using dangerous HTTP methods [SANS]. [Read]
  • Kravets, D. (2012, May 21). High court to hear warrantless eavesdropping challenge. Wired.  [Read]
  • Krebs, B. (2012, May 21). Adware stages comeback via browser extensions. Krebs on Security. [Read]
  • Landwehr, C., Boneh, D., Mitchell, J. C., Bellovin, S. M., Landau, S., & Lesk, M. E. (2012). Privacy and cybersecurity: The next 100 years. Proceedings of the IEEE. [Read]
  • McCullagh, D. (2012, May 22). FBI quietly forms secretive net-surveillance unit. CNet. [Read]
  • Montelibano, J., & Moore, A. P. (2012, April). Insider threat security reference architecture [Carnegie Mellon Software Engineering Institute]. [Read]
  • Moore, A. P., Hanley, M., & Mundie, D. (2012, April). A pattern for increased monitoring for intellectual property theft by departing insiders [Carnegie Mellon Software Engineering Institute]. [Read]
  • Nai Fovino, I., Coletta, A., Carcano, A., & Masera, M. (2012). Critical state-based filtering system for securing SCADA network protocols. IEEE Transactions on Industrial Electronics, 59(10), 3943-3950. doi:10.1109/TIE.2011.2181132 [Abstract / Request]
  • Pfleeger, S. L. (2012). Leveraging behavioral science to mitigate cyber security risk. Computers & Security. [Read]
  • Popescu, C., & Simion, C. P. (2012). A method for defining critical infrastructures. Energy. [Read]
  • Ragan, S. (2012, May 17). America’s first cyber czar Howard Schmidt set to retire. SecurityWeek. [Read]
  • Roberts, P. (2012, May 18). Defense contractor Northrop Grumman hiring for offensive cyber-ops. threatpost. [Read]
  • Seacord, R. C., Dormann, W., McCurley, J., Miller, P., Stoddard, R. W., Svoboda, D., & Welch, J. (2012, April). Source code analysis laboratory (SCALe) [Carnegie Mellon Software Engineering Institute]. [Read]
  • Soghoian, C. (2012, April 14). Why Google won’t protect you from Big Brother. Talk given at TEDx San Jose, CA. [Watch]
  • US European Command, NATO boost cyber defenses. (2012, May 18). FDCH Regulatory Intelligence Database. [Read]
  • Warfield, D. (2012). Critical infrastructures: IT security and threats from private sector ownership. Information Security Journal, 21(3), 127-136. doi:10.1080/19393555.2011.652289 [Abstract / Request]
  • Westby, J. R. (2012, May 16). Governance of enterprise security: CyLab 2012 report [Carnegie Mellon University CyLab]. [Read]
  • Whittaker, Z. (2012, May 17). UK government staff caught snooping on citizen data. ZDNet. [Read]
  • Wyden, R. (2012, May 21). “Privacy should be the default, not the exception” [remarks on CISPA]. [Watch]
  • Yaseen, Q., & Panda, B. (2012). Insider threat mitigation: Preventing unauthorized knowledge acquisition. International Journal of Information Security [in press]. doi:10.1007/s10207-012-0165-6 [Abstract / Request]

CALLS FOR PAPERS

Conferences

20th Annual Network and Distributed System Security Symposium [San Diego, CA, Feb. 24-27, 2013 – submissions due Aug. 1]

Adair, S., & Moran, N. (2012, May 15). Cyber espionage and strategic web compromises – trusted websites serving dangerous results. Shadowserver. Retrieved from http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/

In the last year, attackers engaged in cyber espionage have increasingly turned to the web to distribute their malware via drive-by exploits. The idea of distributing malware via drive-by exploits is not new at all. Internet users are constantly at risk from a daily barrage of exploits across the web as a result of mass SQL injections, malicious advertisements, stored cross site scripting (XSS), compromised web servers, etc. In most cases the miscreant’s goal is to serve malicious exploits to as many people as possible from as many locations as they can. This is where the advanced attackers engaged in cyber espionage campaigns tend to set themselves apart from the others and narrow their focus through what we call strategic web compromises. [Related article from SecurityWeek: Espionage campaign targets foreign policy domains.]

Appelbaum, J., & Binney, B. (2012, April 20). [Audio of interview at the Surveillance Teach-In, Whitney Museum of American Art, New York]. Retrieved from http://whitney.org/WatchAndListen/Tag?context=event&play_id=673

Jacob Appelbaum, computer security researcher, privacy advocate, hacker, and human rights activist, and Bill Binney, National Security Agency whistleblower . . . discuss domestic surveillance and the ways in which technological innovations have allowed for increasingly ubiquitous access into what was once private information.

Danezis, G., Dietrich, S., & Sako, K. (Eds.). (2012). Financial cryptography and data security: FC 2011 workshops, RLCPS and WECSR 2011, Rodney Bay, St. Lucia, February 28 – March 4, 2011, revised selected papers. [Full text of papers below can be requested by UMUC students / faculty from DocumentExpress.]

Eldefrawy, M. H., Khan, M. K., Alghathbar, K., Kim, T., & Elkamchouchi, H. (2012). Mobile one-time passwords: Two-factor authentication using mobile phones. Security and Communication Networks, 5(5), 508-516. doi:10.1002/sec.340 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

In this paper, we present a novel 2FA scheme whereby multiple OTPs are being produced by utilizing an initial seed and two different nested hash chains: one dedicated to seed updating and the other used for OTP production. We overcome all the restrictions that come from alternative and previous techniques. We analyze our proposal from the viewpoint of security and performance compared with the other algorithms.

Fan, C., Hsu, R., & Chen, W. (2012). Privacy protection for vehicular ad hoc networks by using an efficient revocable message authentication scheme. Security and Communication Networks, 5(5), 462-478. doi:10.1002/sec.328 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Correctness of exchanged information and guaranteeing the privacy of vehicle owners are the two most significant security concerns for VANETs. Pseudonymous public key infrastructure (PPKI) is a practical solution to these two issues. Almost all PPKI technologies are comprehensive schemes, such as the group signature-based and identity-based cryptosystems. An applicable PPKI scheme for secure vehicular communication (VC) should support revocability because it is a significant functionality in VANETs to revoke certificates of vehicles for surrendering or transferring the registrations. However, the computation or space complexity in most of the revocable PPKI-based protocols is linear when the number of vehicles or revoked vehicles increases over time. This drawback markedly degrades the efficiency and stability of secure VC. This work therefore reduces the computation complexities of authentication message verification, certificate tracing, membership revocation, and space complexity of system parameters (e.g., revocation information and public keys), such that they are independent of the number of vehicles or revoked vehicles using a novel and efficient PPKI mechanism based on bilinear mapping. The proposed scheme uses the concept of accumulator schemes and transfers the computation of accumulators from vehicles to certificate authority (CA) for achieving constant computation and storage complexities on vehicles. The computation of accumulators on CA is also low in the proposed scheme. Finally, we formally prove that the proposed scheme, which is based on q-strong Diffie–Hellman, n-Diffie–Hellman exponent (DHE), variant n-DHE, and decision linear Diffie–Hellman assumptions, is secure under the definitions of traceability and anonymity.

Fisher, D. (2012, May 15). Microsoft’s SDL expands beyond Redmond. threatpost. Retrieved from https://threatpost.com/en_us/blogs/microsofts-sdl-expands-beyond-redmond-051612

It’s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it’s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.

The company this week is hosting its first Security Development Conference in Washington, D.C., and one of the things that Microsoft executives are focusing on is how the SDL has spread beyond Redmond and taken hold in a number of other industries and organizations. One of those recent adopters of the SDL is Itron, a company that manufacturers smart meters for installation around the world. Those meters are used to regulate and measure power usage in homes and businesses and the use of these machines has become somewhat controversial in the security community because of potential vulnerabilities and attacks.

Goodin, D. (2012, May 14). LulzSec member pleads not guilty to charges that he hacked Stratfor website. Ars Technica. Retrieved from http://arstechnica.com/security/2012/05/lulzsec-member-pleads-not-guilty-to-charges-he-hacked-stratfor-website/

A former LulzSec member has pleaded not guilty to federal charges that he hacked into the servers of global intelligence company Stratfor and stole credit card data and personal details of 860,000 of its clients.

Jeremy Hammond entered the plea on Monday during a brief hearing in US District Court in Manhattan, the Associated Press reported. He’s been held in federal custody since an initial court appearance in Chicago in early March, when federal prosecutors named him as a lieutenant of LulzSec ringleader Hector Xavier “Sabu” Monsegur. There was no request for Hammond to be released on bail during Monday’s hearing, according to the AP report.

Hein, D., Morozov, S., & Saiedian, H. (2012). A survey of client-side web threats and counter-threat measures. Security and Communication Networks, 5(5), 535-544. doi:10.1002/sec.349 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

The increasing frequency and malevolence of online security threats require that we consider new approaches to this problem. The existing literature focuses on the Web security problem from the server-side perspective. In contrast, we explore it from the client-side, considering the major types of threats. After a short threat summary, we discuss related research and existing countermeasures. We then examine intuitive human-oriented trust models and posit a flexible, multilayer framework to facilitate automated client-side decision making. The proposed suggestions are not intrusive and do not require advanced technical knowledge from end users.

Hsu, C., & Lin, H. (2012). Pairing-based strong designated verifier proxy signature scheme with low cost. Security and Communication Networks, 5(5), 517-522. doi:10.1002/sec.343 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

A proxy signature (PS) scheme has crucial benefits to the delegation operations in an organization. To further provide PS schemes with the property of confidentiality, in this paper, we propose a strong designated verifier PS scheme from pairings. The proposed scheme allows an authorized proxy signer to generate a valid PS on behalf of an original signer such that only the intended verifier is capable of validating it. Besides, the designated verifier cannot transfer the proof to convince any third party, which is referred to as non-transferability. Compared with previous works, ours has lower computational costs. Especially, the delegation process of our proposed scheme is pairing free. Moreover, the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks is formally proven in the random oracle model.

Li, H., & Yuan, H. (2012). Dependability evaluation of integrated circuits at design time against laser fault injection. Security and Communication Networks, 5(5), 450-461. doi:10.1002/sec.327 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Laser fault injection has been proved to be a useful tool for attacks on integrated circuits. Transistors hit by a pulse of photons are made to conduct transiently, thereby introducing transient logic errors, such as register value modifications, memory dumping, and so on. Attackers can make use of this abnormal behavior and extract sensitive information that the devices try to protect. This paper demonstrates laser fault injection attacks on very-large-scale integration circuits in a semi-invasive way for the purpose of validating fault tolerant design and performance. Then, the paper presents a simulation methodology to evaluate the dependability of the integrated circuit design against laser fault injection attacks at design time. This simulation methodology involves exhaustively scanning the layout, incorporating the exposed cells into a circuit simulator, and examining the response of the circuit in detail. Experiments conducted on the same test chip spot the same vulnerabilities, thus indicating the validity of the proposed simulation methodology.

Neustar. (2012, May). DDoS survey: Q1 2012. Retrieved from http://goo.gl/uGmhn

In February 2012, Neustar surveyed IT professionals across North America to better understand their DDoS experiences. Most were network services managers, senior systems engineers, systems administrators and directors of IT operations. In all, 1,000 people from 26 different industries shared responses about attacks, defenses, ongoing concerns, risks and financial losses. The survey shed light on five key questions:

  • Who has been attacked and who hasn’t?
  • How much do DDoS outages cost?
  • What’s the single biggest fear about DDoS attacks?
  • How long have attacks lasted?
  • What type of DDoS protection are people using?

Ragan, S. (2012, May 16). Utah’s IT boss resigns after massive data breach and policy failure. SecurityWeek. Retrieved from https://www.securityweek.com/utahs-it-boss-resigns-after-massive-data-breach-and-policy-failure

Stephen Fletcher, the executive director of Utah’s Dept. of Technology Services (DTS), has resigned following the aftermath of a massive data breach earlier this year that exposed nearly one million people, including children. The staffing changes come after preliminary investigations exposed serious flaws within the state’s IT practices, including storing information that shouldn’t have been kept at all.

In April, SecurityWeek reported on the news that Utah’s Department of Health (UDOH) had alerted parents and patients to the fact that a data breach that was initially said to have impacted only 24,000 records had in fact impacted 181,604 people. Within 24 hours of that announcement, the numbers were changed again. This time, the UDOH said that the attackers compromised 780,000 records, including 280,000 records that contained Social Security Numbers.

[UPCOMING WEBINAR] SecurityWeek. (2012, May 23). How security can work better with development. Retrieved from https://www.securityweek.com/upcoming-webinar-how-security-can-work-better-development [free registration]

Why do security and development teams find it so difficult to collaborate? The risks to companies from insecure applications have been rising, yet this area continues to be a blind-spot. Have you heard developers say:

  • “There’s no way we can fix all of these defects. Which ones are MUST-fix?”
  • “Prove it’s exploitable or we won’t fix it.”
  • “It’s too late to fix these vulnerabilities – we’ll get to them in the next release.”
  • “The code I sent builds on my machine – what else do you need?”
  • “Just tell us how to fix this defect.”

Join Mark Curphey, Senior Principal Consultant of Foundstone, a division of McAfee, and Coverity’s Co-Founder and CTO, Andy Chou for a one hour webinar where we’ll cover how to get beyond these common arguments and move towards better collaboration with development. We will also discuss key strategies for overcoming these common objections.

Shao, J., Liu, P., Wei, G., & Ling, Y. (2012). Anonymous proxy re-encryption. Security and Communication Networks, 5(5), 439-449. doi:10.1002/sec.326 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Proxy re-encryption (PRE) is a public key encryption that allows a semi-trusted proxy with some information (a.k.a., re-encryption key) to transform a ciphertext under one public key into another ciphertext under another public key. Because of this special property, PRE has many applications, such as the distributed file system. Some of these applications demand that the underlying PRE scheme is anonymous under chosen-ciphertext attacks (CCAs); that is, the adversary cannot identify the recipient of the original/transformed ciphertext, even if it knows the PRE key and can launch the CCA. However, to the best of our knowledge, none of the existing PRE schemes satisfy this requirement. In this work, we propose the first anonymous PRE with CCA security and collusion resistance. Our proposal is proved in the random oracle model based on the DDH assumption.

United States. Court of Appeals for the District of Columbia. (2012, May 11). Electronic Privacy Information Center v. National Security Agency. Retrieved from http://goo.gl/AFYPa

Plaintiff-appellant Electronic Privacy Information Center (“EPIC”) filed a Freedom of Information Act (“FOIA”) request with the National Security Agency (“NSA”) seeking disclosure of any communications between NSA and Google, Inc regarding encryption and cyber security. NSA issued a Glomar response pursuant to FOIA Exemption 3, indicating that it could neither confirm nor deny the existence of any responsive records. EPIC challenged NSA’s Glomar response in the district court, and the parties cross-moved for summary judgment. The district court entered judgment for NSA, and EPIC appealed. We affirm. [Related article from Wired: Court upholds Google-NSA relationship secrecy.]

United States. Department of Homeland Security. National Cybersecurity and Communications Integration Center. (2012, May 15). Attack surface: Healthcare and public health sector. Retrieved from http://info.publicintelligence.net/NCCIC-MedicalDevices.pdf

The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of medical devices [MDs] opens up both new opportunities and new vulnerabilities to patients and medical facilities. Since wireless MDs are now connected to Medical information technology (IT) networks, IT networks are now remotely accessible through the MD. This may be a desirable development, but the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern. In addition, many HPH organizations are leveraging mobile technologies to enhance operations. The storage capacity, fast computing speeds, ease of use, and portability render mobile devices an optimal solution.

This Bulletin highlights how the portability and remote connectivity of MDs introduce additional risk into Medical IT networks and failure to implement a robust security program will impact the organization’s ability to protect patients and their medical information from intentional and unintentional loss or damage.

[UPCOMING LARGO AREA EVENT] United States. National Institute of Standards and Technology. (2012, May 30). Technical aspects of botnets workshop. Retrieved from http://www.nist.gov/itl/csd/botnets-workshop.cfm [free registration]

While security risks on the Internet continue to exist in many areas, one increasingly exploited threat is the global rise of botnets. A botnet infection can lead to the monitoring of a consumer’s personal information and communication, and exploitation of that consumer’s computing power and Internet access. To address the problems created by botnets, the botnet lifecycle must be disrupted and the malware on the devices removed or made impotent. Companies, organizations and governments around the world have been developing policies, high-level principles and solutions.

NIST seeks to engage all stakeholders to identify the available and needed technologies and tools to recognize, prevent, and remediate botnets; explore current and future efforts to develop botnet metrics and methodologies for measuring and reporting botnet metrics over time; and, understand where ecosystem stakeholders are in terms of roles and responsibilities.

Wolf, J. (2012, May 11). Pentagon to tighten contractors’ cybersecurity. Reuters. Retrieved from http://www.reuters.com/article/2012/05/11/cyber-pentagon-companies-idUSL1E8GBOEY20120511

The U.S. Defense Department invited all of its eligible contractors on Friday to join a previously restricted information-sharing pact aimed at guarding sensitive Pentagon program data stored on private computer networks. Greater sharing with the so-called defense industrial base was a key step to coping with widespread cyber threats to U.S. national security, said Ashton Carter, deputy defense secretary, in a statement.

Zetter, K. (2012, May 15). Popular surveillance cameras open to hackers, researcher says. Wired. Retrieved from http://www.wired.com/threatlevel/2012/05/cctv-hack/

Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.

The cameras, used by banks, retailers, hotels, hospitals and corporations, are often configured insecurely — thanks to these manufacturer default settings, according to researcher Justin Cacak, senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of the systems to view live footage, archived footage or control the direction and zoom of cameras that are adjustable.

Zhu, W. T., Zhou, J., Deng, R. H., & Bao, F. (2012). Detecting node replication attacks in mobile sensor networks: theory and approaches. Security and Communication Networks, 5(5), 496-507. doi:10.1002/sec.326 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Due to cost concerns, sensor nodes are not made tamper-resistant, and a captured node may be easily compromised by an adversary, raising the concern of node replication attacks. We address the problem of detecting such attacks in a mobile sensor network, where each sensor node freely and randomly roams in the sensing region. Our detections have the nice feature that sensor nodes do not need to be aware of their geographic positions, and even loose time synchronization may be unnecessary.

CALLS FOR PAPERS

Conferences

4th International Conference on Security and Privacy in Mobile Information and Communication Systems [Frankfurt, Germany, June 25-26, 2012 – submissions due May 25th]

13th International Workshop on Information Security Applications [Jeju Island, Korea, Aug. 16-18, 2012 – submissions due May 25th]

Secure Autonomous Electric Power Grids Workshop, Co-located with the Sixth IEEE International Conference on Self-Adaptive and Self-Organizing Systems [Lyon, France, Sept. 10, 2012 – submissions due July 4th]

1st International Conference on Digital Forensics and Investigation [Beijing, China, September 21-23, 2012 – submissions due June 1st]

6th International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security [St. Petersburg, Russia, Oct. 17-20, 2012 – submissions due May 27th]

5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012 [Raleigh, NC, Oct. 19, 2012 – submissions due July 16th]

14th International Conference on Information and Communication Security [Hong Kong, Oct. 29-31, 2012 – submissions due May 25th]

Workshop on RFID and IoT Security [Taipei, Taiwan, Nov. 8-9, 2012 – submissions due July 9th]

5th International Symposium on Engineering Secure Software and Systems [Paris, France, Feb. 27-March 1, 2013 – submissions due Sept. 30th]

Dhage, S. N., & Meshram, B. B. (2012). Intrusion detection system in cloud computing environment. International Journal of Cloud Computing, 1(2/3), 261-282. doi:10.1504/IJCC.2012.046711 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

In recent years, with the growing popularity of cloud computing, security in the cloud has become an important issue. As ‘prevention is better than cure’, detecting and blocking an attack is better than responding to an attack after a system has been compromised. This paper proposes an architecture capable of detecting intrusions in a distributed cloud computing environment and safeguarding it from possible security breaches. It deploys a separate instance of IDS for each user and uses a separate controller to manage the instances. The IDS in this architecture can use a signature-based as well as a learning-based method.

Geers, K. (2012). Strategic cyber defense: Which way forward? Journal of Homeland Security and Emergency Management, 9(1), 1-10 [Full text available to UMUC students / faculty.]

Cyber security has evolved from a technical discipline to a strategic, geopolitical concept. The question for national security thinkers today is not how to protect one or even a thousand computers, but millions, including the cyberspace around them. Strategic challenges require strategic solutions. This article considers four nation-state approaches to cyber attack mitigation: 1) Technology: Internet Protocol version 6 (IPv6); 2) Doctrine: Sun Tzu’s Art of War; 3) Deterrence: can we prevent cyber attacks?; 4) Arms control: can we limit cyber weapons? These threat mitigation strategies fall into different categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach. Technology and doctrine are the most likely strategies to provide short-term improvement in a nation’s cyber defense posture. Deterrence and arms control, which are more subject to outside political influence and current events, may offer cyber attack mitigation but only in the longer-term.

Goodin, D. (2012, May 10). My own private internet: .secure TLD floated as bad-guy-free zone. Ars Technica. Retrieved from http://arstechnica.com/security/2012/05/my-own-private-internet-secure-tld-floated-as-bad-guy-free-zone/

A security researcher has won investments of more than $9 million to incorporate a tightly policed section of the Internet reserved for banks, healthcare providers, and other groups that are regularly targeted in malware, phishing, and similar online attacks.

Alex Stamos, CTO of iSec Partners, said Internet addresses subscribing to the secure service would tentatively include the top-level-domain of .secure, which his new venture has applied to operate. Websites, mail servers, and other services using .secure addresses would first have to agree to abide by a stringent set of requirements, including offering end-to-end encryption of most traffic and to follow a strict code of conduct. Artemis Internet, Inc., as the new venture is called, has received about $9.6 million in backing from its parent company, NCC Group, a UK-based provider of secure IT services.

Internet Crime Complaint Center. (2012, May 10). 2011 internet crime report. Retrieved from http://www.ic3.gov/media/annualreport/2011_IC3Report.pdf

The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3’s battle against it. The most common victim complaints included FBI-related scams, identity theft and advance fee fraud. IC3 received and processed more than 26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034), Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total of $70.5 million. For victims reporting financial losses, the average was $4,187.

Kumar, P. S., & Subramanian, R. (2012). RSA-based dynamic public audit service for integrity verification of data storage in cloud computing using Sobol sequence. International Journal of Cloud Computing, 1(2/3), 167-200. doi:10.1504/IJCC.2012.046719 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Cloud storage has become a trend and more practical in recent years. This unique feature of the cloud poses many challenging security design issues. One of the most important security aspects that needs to be addressed is to assure the integrity of clients’ data stored in the cloud. In this paper, we propose an RSA-based dynamic public audit service for the integrity verification of data using a Sobol sequence. Our scheme allows a third party auditor (TPA), on behalf of the clients, to verify the integrity of data stored in the cloud and also supports data dynamics at block level while maintaining the same integrity assurance. Our model allows probabilistic proofs of integrity by challenging random blocks from the server, which drastically reduces the computation and communication overhead. The security, performance analysis and experimental results show that our scheme is more secure and efficient than existing probability verification schemes.

McCullagh, D. (2012, May 4). FBI: We need wire-tap ready Web sites – now. CNET. Retrieved from http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/

The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.

In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.

Mukherjee, K., & Sahoo, G. (2012). A novel methodology for secured c-governance using Hadamard coding. International Journal of Cloud Computing, 1(2/3), 145-166. doi:10.1504/IJCC.2012.046718 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Cloud computing has opened a viable business option for corporations, industry and government organisations. This new paradigm is capable of trimming down cost, and can endow organisations with usage-based pricing, enhanced functionality, improved collaboration and communication, and omnipresence of applications and data. Keeping this in view, this new technology is a natural choice for government sectors as e-governance to hike the performance of government machinery. So, we propose here a cloud computing-based e-governance, i.e., c-governance. But this cutting edge of technology is still in its infant stage. So cloud computing and c-governance have to address a lot of key issues like security, performance, availability, scalable software architecture, etc. In this context, this manuscript has focused on a new security framework and security algorithms for c-governance based on the Hadamard matrix. The results of the implementations are presented in order to lay bare the effectiveness of the proposed framework and algorithms.

Pelofsky, J. (2012, May 3). Obama administration urges freer access to cellphone records. Reuters. Retrieved from http://www.reuters.com/article/2012/05/03/usa-security-surveillance-idUSL1E8G3OL320120503

The U.S. Congress should pass a law to give investigators freer access to certain cellphone records, an Obama administration official said on Thursday, in remarks that raised concern among advocates of civil liberties and privacy. Jason Weinstein, a deputy assistant attorney general in the Justice Department’s criminal division, argued [audio] that requirements for warrants at early stages of investigations would “cripple” prosecutors and law enforcement.

Rekhis, S. (2012). System for formal digital forensic investigation aware of anti-forensic attacks. IEEE Transactions on Forensics and Security, 7(2), 635-650. doi:10.1109/TIFS.2011.2176117. [Full text can be requested by UMUC students / faculty from DocumentExpress.]

To defeat the process of investigation and make the analysis and reconstruction of attack scenarios difficult, challenging, or even impossible, attackers are motivated to conduct anti-forensic attacks. Several methods have been proposed in the literature to formally reconstruct the sequence of events executed during the incident using theoretical and scientifically proven methods. However, these methods are not tailored to cope with anti-forensic attacks, as they assume that the collected evidence is trusted, do not model anti-forensic actions, and do not characterize provable anti-forensic attacks based on the knowledge of attacks, security solutions, and forms of evidence expected to be generated. We develop in this work a theoretical approach to digital investigation aware of anti-forensic attacks. After describing an investigation process which is able to address these attacks, we develop a state-based logic to describe the investigated system, the deployed security solution, the evidence they provide, and the library of attacks. An inference system is proposed to mitigate anti-forensic attacks and generate potential scenarios starting from traces that were targeted by these attacks. To exemplify the proposal, we provide a case study related to the investigation of an incident that exhibited anti-forensic attacks.

Saita, A. (2012, May 10). UNC-Charlotte data breaches expose 350,000 social security numbers and much more. threatpost. Retrieved from https://threatpost.com/en_us/blogs/unc-charlotte-data-breaches-expose-350000-social-security-numbers-and-much-more-051012

Confidential data, including bank account and Social Security numbers for some 350,000 University of North Carolina-Charlotte students, staff and faculty, were accidentally exposed — some for almost 15 years — due to a system misconfiguration and incorrect access settings that made electronic data publicly available.

The school on Wednesday released a statement on an investigation it launched in February after staff discovered the data breach. The investigation revealed two separate incidents exposed data such as names, addresses, Social Security numbers and financial account information provided during university transactions.

Sion, R., & Chen, Y. (2012). Fighting Mallory the insider: Strong write-once read-many storage assurances. IEEE Transactions on Forensics and Security, 7(2), 755-764. doi:10.1109/TIFS.2011.2172207. [Full text can be requested by UMUC students / faculty from DocumentExpress.]

We introduce a Write-Once Read-Many (WORM) storage system providing strong assurances of data retention and compliant migration, by leveraging trusted secure hardware in close data proximity. This is important because existing compliance storage products and research prototypes are fundamentally vulnerable to faulty or malicious behavior, as they rely on simple enforcement primitives that are ill-suited for their threat model. This is hard because tamper-proof processing elements are significantly constrained in both computation ability and memory capacity, as heat dissipation concerns under tamper-resistant requirements limit their maximum allowable spatial gate-density. We achieve efficiency by 1) ensuring the secure hardware is accessed sparsely, minimizing the associated overhead for expected transaction loads, and 2) using adaptive overhead-amortized constructs to enforce WORM semantics at the throughput rate of the storage server’s ordinary processors during burst periods. With a single secure coprocessor, on commodity x86 hardware, the architecture can support unlimited read throughputs and over 2500 write transactions per second.

Sun, H., Chen, Y., & Lin, Y. (2012). oPass: A user authentication protocol resistant to password stealing and password reuse attacks. IEEE Transactions on Forensics and Security, 7(2), 651-663. doi:10.1109/TIFS.2011.2169958. [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Text passwords are the most popular form of user authentication on websites due to their convenience and simplicity. However, users’ passwords are prone to being stolen and compromised under different threats and vulnerabilities. First, users often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she will exploit it to gain access to more websites. Second, typing passwords into untrusted computers exposes them to the threat of password theft. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a user authentication protocol named oPass which leverages a user’s cellphone and short message service to thwart password stealing and password reuse attacks. oPass only requires that each participating website possess a unique phone number, and involves a telecommunication service provider in the registration and recovery phases. Through oPass, users only need to remember a long-term password for login on all websites. After evaluating the oPass prototype, we believe oPass is efficient and affordable compared with conventional web authentication mechanisms.

Tehan, R. (2012, April 12). Cybersecurity: Authoritative reports and resources [Congressional Research Service]. Retrieved from https://www.fas.org/sgp/crs/misc/R42507.pdf

Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide.  Attacks have been initiated by individuals, as well as countries. Targets have included government networks, military defenses, companies, or political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic.

Congress has been actively involved in cybersecurity issues, holding hearings every year since 2001. There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics. This report provides links to selected authoritative resources related to cybersecurity issues.

United States. Department of Defense. (2012, May 11). Department of Defense-defense industrial base voluntary cyber security and information assurance activities. Retrieved from http://cryptome.org/dodi/dod051112.pdf

DoD is publishing an interim final rule to establish a voluntary cyber security information sharing program between DoD and eligible DIB companies. The program enhances and supplements DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

United States. Federal Emergency Management Agency. (2012, March 30). 2012 preparedness report. Retrieved from http://www.fema.gov/library/viewRecord.do?id=5914

The 2012 National Preparedness Report summarizes how prepared we are as a Nation. It focuses on five mission areas: Prevention, Protection, Mitigation, Response, and Recovery. The NPR identifies areas where the Nation has made significant progress, acknowledges remaining opportunities for improvement, and reinforces the important principles of national preparedness. The NPR focuses on threats and hazards that pose the greatest risk to U.S. security and resilience.

Related article from the New York Times: U.S. study cites worry on readiness for cyberattacks.

[UPCOMING LARGO AREA EVENT] United States. National Institute of Standards and Technology. (2012, June 26). Cyber excellence workshop. Retrieved from http://cryptome.org/2012/05/nist050412.htm [Free registration].

NIST announces a National Cybersecurity Center of Excellence (NCCoE) Workshop to be held on Tuesday, June 26, 2012. This is an initial informational NCCoE workshop. The goals of this workshop are to provide a venue for discussion of the NCCoE public-private partnership structure, and to describe and gather input from individual participants on possible case studies that are expected to form a central focus of collaborative efforts. The workshop will also describe and explore opportunities for industry, academia, and Federal, state and local government agencies to participate in the NCCoE.

United States. National Security Agency. (2012, April). New smartphones and the risk picture. Retrieved from http://cryptome.org/2012/05/nsa-mobile-risks.pdf

Mobile phone platforms are susceptible to malicious attacks, both from the network and upon physical compromise. Understanding the vectors of such attacks, level of expertise required to carry them out, available mitigations, and impact of compromise provides a background for certain risk decisions. In general, comparing risks introduced by the new generation of mobile devices to those of traditional, widely-deployed desktop systems provides insight into how the risks to DoD networks are changing. Due to the larger cultural and technological shift to mobile devices, this may be more relevant than comparison of different smartphone brands.

Uzunov, A. V., Fernandez, E. B., & Falkner, K. (2012). Securing distributed systems using patterns: A survey. Computers and Security [in press]. [Full text available to UMUC students / faculty in ScienceDirect database.]

Driven by expanding scientific computing and business enterprise needs, the last decade has seen a shift towards software paradigms in which distribution plays a central role. The increasing size, complexity and heterogeneity of the corresponding systems is accompanied by an increase of security vulnerabilities that require mitigation via combined security and software engineering strategies. In this respect security patterns, which build on the success of design patterns and software patterns more generally, are a tool of great value. In this paper we comprehensively survey the state-of-the-art in securing distributed systems using (security) patterns, considering both relevant patterns and methodologies for applying them. In the first part of the survey, we provide detailed reviews of our selected security patterns, classify the patterns using a multi-dimensional scheme and evaluate them according to a set of quality categories. This highlights deficiencies in the reviewed patterns and provides a basis for identifying new or “missing” patterns and pattern classes. The newly identified and surveyed patterns are a step forward in defining a pattern language for distributed computing. In the second part of the survey, we briefly review a number of pattern-based security methodologies and evaluate their maturity and appropriateness for securing distributed systems.

Zetter, K. (2012, April 8). Twitter hits back at court, prosecutors over ‘Occupy’ order. Wired. Retrieved from http://www.wired.com/threatlevel/2012/05/twitter-hits-back-at-court/

In the battle to fight online fishing expeditions by law enforcement officials there is little we can do individually to protect ourselves — which makes it all the more important for internet companies like Twitter and Google to fight back on our behalf.

That’s exactly what Twitter did when it filed a surprisingly feisty motion (.pdf) this week in New York City Criminal Court to quash a court order demanding that it hand over information to law enforcement about one of its account holders — an activist who participated in the Occupy Wall Street protests — as well as tweets that he allegedly posted to the account over a three-month period. The company stepped in with the motion after the account holder lost his own bid to quash the order.

In its motion to quash, Twitter pointed out to the judge that the order would essentially force the company to break the law by handing over data without a warrant. Twitter also took issue with the judge’s ruling that the account holder had no right to fight the order on his own behalf.

Zhou, L., Varadharajan, V., & Hitchens, M. (2012). A flexible cryptographic approach for secure data storage in the cloud using role-based access control. International Journal of Cloud Computing, 1(2/3), 201-220. doi:10.1504/IJCC.2012.046720 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

There has been a recent trend in storing data in the cloud because of the significant benefits, such as on-demand resources and low maintenance costs. However, due to the distributed nature of the cloud, access control mechanisms need to be employed to protect the privacy of data stored in the cloud. Role-based access control (RBAC) provides a flexible way for users to manage and share their data in the cloud. In this paper, we propose a role-based encryption (RBE) scheme which enforces RBAC policies using cryptographic techniques. In our scheme, an owner of data can encrypt the data to a role in an RBAC system, and only the users who have the permissions of the role in the RBAC system can decrypt the data. Our scheme achieves efficient user management where the manager of a role can easily grant/revoke the membership of the role to/from a user without the participation of other parties. We compare our scheme with other previously published schemes and show that our scheme has better performance in both computation and management.

Chu, H., Park, S., & Park, J. (2012). A partially reconstructed previous Gmail session by live digital evidences investigation through volatile data acquisition. Security and Communications Networks [in press]. doi:10.1002/sec.511 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

The essence of this paper is to illustrate live data acquisition within the random access memory of a notebook, utilizing the collected digital evidence in order to partially reconstruct a previous Gmail session, which could be probative digital evidence in a court of law. The proposed framework is essentially crucial for the investigation of certain related cybercrimes on the basis of the digital breadcrumb trails being professionally disclosed and appropriately handled. Without loss of generality, the volatile data would vanish forever when the power of the computing devices is no longer sustained. This research pinpoints the imminent threat of IT-savvy cyber criminals and the corresponding counter procedures used to crack criminal cases if web-based e-mail utilities are essentially involved. This paper is focused on the prevalent e-mail utility, Gmail, as the research subject. Finally, live digital evidence acquisition must be accurately fulfilled before the seizure of the computing devices at the crime scene to avoid irreversible investigation procedures, which means the digital evidence could be deleted, resulting in the loss of probative evidence.

Hadžiosmanović, D., Bolzoni, D., & Hartel, P.H. (2012). A log mining approach for process monitoring in SCADA. International Journal of Information Security [in press]. Retrieved from http://eprints.eemcs.utwente.nl/21714/01/ALogMiningApproachforSCADA.pdf

SCADA (Supervisory Control and Data Acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.

Everett, B. (2012, April 27). The encryption conundrum. Network Security, 2012(4), 15-18. [Full text available to UMUC students / faculty in ScienceDirect database.]

With the rise of network-centric trends such as cloud computing and an increase in mobile device usage, the planet’s data networks are increasingly prime targets for cyber-criminals. The number one threat is still cyber-criminals hacking or using malware to steal data from servers. Hacking alone appears in 89% of all incidents, according to the influential Data Breach Investigation Report 2011 (DBIR), a study conducted by the Verizon RISK Team with co-operation from the US Secret Service and the Dutch High Tech Crime Unit. Over the past seven years, the DBIR series has compiled detailed data on over 1,700 IT security breaches spanning over 900 million compromised records.

Gallagher, R. (2012, April 30). Your Eurovision Song Contest vote may be monitored: Mass surveillance in former Soviet states. Slate. Retrieved from http://goo.gl/xiyJl

Western firms that sold dictatorships in the Middle East mass-surveillance technology have been subject to intense scrutiny over the past year. But now a new exposé by journalists in Sweden has shed light on how the same tools are being used closer to home—in ex-Soviet republics across Europe and Central Asia, whose leaders were seemingly shaken by the revolutions of the Arab Spring.

Last week an investigative documentary shown on Swedish public service broadcaster SVT revealed in fascinating depth the extent to which Stockholm-based telecommunications firm Teliasonera is linked to spy agencies in Azerbaijan, Kazakhstan, Uzbekistan, Tajikistan, and Georgia, facilitating crackdowns on dissident politicians and independent journalists.

Citing a multitude of sources—including official government documents and whistle-blower testimony—SVT’s reporters documented how companies owned by Teliasonera had allowed “black box” probes to be fitted within their telecommunications networks. The black boxes allow security services and police to monitor, in real-time and without any judicial oversight, all communications passing through, including texts, Internet traffic and phone calls. (Similar so-called “monitoring centers” were set up in Muammar Gaddafi’s Libya and Bashar al-Assad’s Syria with the help of European companies.)

Gallagher, S. (2012, April 30). Flashback bots search Twitter for controllers, hit Snow Leopard hardest. Ars Technica. Retrieved from http://arstechnica.com/apple/news/2012/04/flashback-bots-search-twitter-for-controllers-hit-snow-leopard-hardest.ars

Malware investigators for the Russian antivirus company Dr. Web report that the latest version of Flashback, the backdoor malware targeting Macs through a Java exploit, is using Twitter as a backup command and control network.

Dr. Web was the first to report on the rapidly growing Flashback botnet—the largest recorded malware attack ever focused on Macs. In an analysis of current variants of the malware, Dr. Web’s team found that the Trojan software installed through the Java exploit is initially configured with a list of servers through which it can receive additional commands and configuration updates. If the malware doesn’t get a correct response from one of the control servers in its own internal generated list, it will search Twitter for posts containing a string of text generated from the current date, and look for a control server address embedded in the posts.

Gong, T., & Bhargava, B. (2012). Immunizing mobile ad hoc networks against collaborative attacks using cooperative immune model. Security and Communications Networks [in press]. doi:10.1002/sec.530 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

In this paper, a security problem of cooperative immunization against collaborative attacks, such as blackhole attacks and wormhole attacks, in mobile ad hoc networks such as Worldwide Interoperability for Microwave Access (WiMAX) networks is discussed. Because of the vulnerabilities of the protocol suites, collaborative attacks in mobile ad hoc networks can cause more damage than individual attacks. In the human immune system, nonselfs (i.e., viruses, bacteria, cancers, etc.) can attack the human body in a collaborative way and cause diseases in the human body. With inspiration from the human immune system, a tri-tier cooperative immune model was built to detect and eliminate the collaborative attacks (i.e., nonselfs) in mobile ad hoc networks. ARM-based Network Simulator (NS2) tests and probability analysis were utilized in the prototype of the immune model to analyze and detect the attacks. Experimental results demonstrate the validity and effectiveness of the proposed model in minimizing the collaborative attacks and immunizing the mobile ad hoc networks.

Goodin, D. (2012, April 28). Backdoor that threatens power stations to be purged from control system. Ars Technica. Retrieved from http://arstechnica.com/business/news/2012/04/backdoor-that-threated-power-stations-to-be-purged-from-control-system.ars

Mission-critical routers used to control electric substations and other critical infrastructure are being updated to remove a previously undocumented backdoor that could allow vandals to hijack the devices, manufacturer RuggedCom said late Friday.

The announcement by the Ontario, Canada-based company comes two days after Ars reported that the company’s entire line of devices running its Rugged Operating System contained a backdoor with an easily determined password. The backdoor, which can’t be disabled, had not been publicly acknowledged by the company until now, leaving the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable to sabotage that could affect the safety of huge populations of people.

Also from Dan Goodin this week in Ars Technica: Release of exploit code puts Oracle database users at risk of attack; Malicious apps hosted in Google store turn Android phones into zombies.

Hopkins, N. (2012, May 3). Hackers have breached top secret MoD systems, cyber-security chief admits. Guardian. Retrieved from http://www.guardian.co.uk/technology/2012/may/03/hackers-breached-secret-mod-systems

Computer hackers have managed to breach some of the top secret systems within the [British] Ministry of Defence, the military’s head of cyber-security has revealed. Major General Jonathan Shaw told the Guardian the number of successful attacks was hard to quantify but they had added urgency to efforts to beef up protection around the MoD’s networks.

“The number of serious incidents is quite small, but it is there,” he said. “And those are the ones we know about. The likelihood is there are problems in there we don’t know about.”

Kerr, D. (2012, May 1). Mozilla is first major tech company to denounce CISPA. CNet. Retrieved from http://news.cnet.com/8301-1009_3-57425719-83/mozilla-is-first-major-tech-company-to-denounce-cispa/

Despite big name tech companies — such as Facebook, Microsoft, and Oracle — supporting the controversial Internet surveillance bill that passed in the House last week, Mozilla has come out against the legislation.

“While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security,” the tech company wrote to Forbes reporter Andy Greenberg. “The bill infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse.”

Kushner, D. (2012, May 7). Machine politics: The man who started the hacker wars. New Yorker. Retrieved from http://www.newyorker.com/reporting/2012/05/07/120507fa_fact_kushner?currentPage=all

In the summer of 2007, Apple released the iPhone, in an exclusive partnership with A.T. & T. George Hotz, a seventeen-year-old from Glen Rock, New Jersey, was a T-Mobile subscriber. He wanted an iPhone, but he also wanted to make calls using his existing network, so he decided to hack the phone.

Every hack poses the same basic challenge: how to make something function in a way for which it wasn’t designed. In one respect, hacking is an act of hypnosis. As Hotz describes it, the secret is to figure out how to speak to the device, then persuade it to obey your wishes. After weeks of research with other hackers online, Hotz realized that, if he could make a chip inside the phone think it had been erased, it was “like talking to a baby, and it’s really easy to persuade a baby.”

McCullagh, D. (2012, April 27). Microsoft backs away from CISPA, citing privacy. CNET. Retrieved from http://news.cnet.com/8301-33062_3-57423580/microsoft-backs-away-from-cispa-support-citing-privacy/

Microsoft is no longer as enthusiastic about a controversial cybersecurity bill that would allow Internet and telecommunications companies to divulge confidential customer information to the National Security Agency.

The U.S. House of Representatives approved CISPA by a 248 to 168 margin yesterday in spite of a presidential veto threat and warnings from some House members that the measure represented “Big Brother writ large.” (See CNET’s CISPA FAQ.)

In response to queries from CNET, Microsoft, which has long been viewed as a supporter of the Cyber Intelligence Sharing and Protection Act, said this evening that any law must allow “us to honor the privacy and security promises we make to our customers.”

Reaves, B., & Morris, T. (2012). An open virtual testbed for industrial control system security research. International Journal of Information Security [in press]. doi:10.1007/s10207-012-0164-7 [Full text can be requested by UMUC students / faculty from DocumentExpress.]

Industrial control system security has been a topic of scrutiny and research for several years, and many security issues are well known. However, research efforts are impeded by a lack of an open virtual industrial control system testbed for security research. This paper describes a virtual testbed framework using Python to create discrete testbed components including virtual devices and process simulators. The virtual testbed is designed such that the testbeds are inter-operable with real industrial control system devices and such that the virtual testbeds can provide comparable industrial control system network behavior to a laboratory testbed. Two virtual testbeds modeled upon actual laboratory testbeds have been developed and have been shown to be inter-operable with real industrial control system equipment and vulnerable to attacks in the same manner as a real system. Additionally, these testbeds have been quantitatively shown to produce traffic close to laboratory systems.

Reese, S. (2012, April 3). Defining homeland security: Analysis and congressional considerations [Congressional Research Service]. Retrieved from https://www.fas.org/sgp/crs/homesec/R42462.pdf

Ten years after the September 11, 2001, terrorist attacks, the U.S. government does not have a single definition for “homeland security.” Currently, different strategic documents and mission statements offer varying missions that are derived from different homeland security definitions. Historically, the strategic documents framing national homeland security policy have included national strategies produced by the White House and documents developed by the Department of Homeland Security (DHS). Prior to the 2010 National Security Strategy, the 2002 and 2007 National Strategies for Homeland Security were the guiding documents produced by the White House. In 2011, the White House issued the National Strategy for Counterterrorism.

This report discusses the evolution of national and DHS-specific homeland security strategic documents and their homeland security definitions and missions, and analyzes the policy question of how varied homeland security definitions and missions may affect the development of national homeland security strategy. This report, however, does not examine DHS implementation of strategy.

Robertson, B. (2012, April 17). Virtualization: Security’s last frontier. Network Security, 2012(4), 12-15. [Full text available to UMUC students / faculty in ScienceDirect database.]

Server virtualisation offers the promise of delivering irresistible benefits, including the consolidation of several autonomous servers into a single virtualised environment, the ability to scale the performance of servers as the business grows, the flexibility to quickly adapt to changing business needs and the capability to deliver automation that will keep applications running at peak performance. However, virtualising the server infrastructure is only a small component of deploying an efficient and cost effective datacentre.

Many organisations have adopted server virtualisation because of the business benefits it offers. However, key areas of the next-generation datacentre have been overlooked, specifically in the area of network security infrastructure.

In order to realise the full potential of the virtualised server architecture, the supporting infrastructure must deliver the same consolidation, scale, adaptability and automation benefits. Transitioning to a virtualised security infrastructure in co-ordination with virtualised servers can properly align the supporting security, explains Brian Robertson of Crossbeam Systems.

Streitfield, D. (2012, April 30). Google engineer told others of data collection, full version of FCC report finds. New York Times. [Full text available to UMUC students / faculty in ProQuest Newspapers database.]

Google’s harvesting of e-mails, passwords and other sensitive personal information from unsuspecting households in the United States and around the world was neither a mistake nor the work of a rogue engineer, as the company long maintained, but a program that supervisors knew about, according to new details from the full text of a regulatory report.

Symantec. (2012, April). Internet security threat report: 2011 trends. Retrieved from http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, and other third-party data sources.

These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future. [Related article from threatpost: Five shocking statistics from the latest internet threat report].

Trustworthy Internet Movement. SSL pulse. Retrieved from https://www.trustworthyinternet.org/ssl-pulse/

Today we introduce SSL Pulse, a continuously updated dashboard that is designed to show the state of the SSL ecosystem at a glance. While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate. For these reasons, we cannot say that the Web is yet secure, but we hope that someday it will be. The purpose of SSL Pulse is to bring visibility to SSL implementation issues on the Web, and while businesses are starting to fix these issues we can keep track of progress made towards making SSL more robust and widely adopted on the Internet.

Related article from threatpost: Survey finds secure sites not so secure.

United States. Congress. House. Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. (2012, April 26). Joint subcommittee hearing: Iranian cyber threat to the U.S. homeland. Retrieved from http://homeland.house.gov/hearing/joint-subcommittee-hearing-iranian-cyber-threat-us-homeland

On Thursday, April 26, 2012 the Committee on Homeland Security’s Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a joint hearing entitled “Iranian Cyber Threat to the U.S. Homeland.”

Related article from Government Security News: Iranian cyber threat looms, but is diffuse, says expert panel.

United States. Navy. (2012, April 4). OPNAV instruction 5450.345. Retrieved from http://cryptome.org/dodi/opnav-5450-345.pdf

[Publishes] the authorities delegated to Commander, U.S. Fleet Cyber Command and Commander, U.S. Tenth Fleet and the functions and tasks of U.S. Fleet Cyber Command and U.S. Tenth Fleet.

CALLS FOR PAPERS

Conferences

ACM Cloud Computing Security Workshop [Raleigh, NC, Oct. 19, 2012 – submissions due July 16]

7th ACM Workshop on Scalable Trusted Computing [Raleigh, NC, Oct. 19, 2012 – submissions due July 16]

Journals

IEEE Internet Computing, Track articles on computer crime [Open, deadline July 15, 2012]