Adair, S., & Moran, N. (2012, May 15). Cyber espionage and strategic web compromises – trusted websites serving dangerous results. Shadowserver. Retrieved from http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/
In the last year, attackers engaged in cyber espionage have increasingly turned to the web to distribute their malware via drive-by exploits. The idea of distributing malware via drive-by exploits is not new at all. Internet users are constantly at risk from a daily barrage of exploits across the web as a result of mass SQL injections, malicious advertisements, stored cross site scripting (XSS), compromised web servers, etc. In most cases the miscreant’s goal is to serve malicious exploits to as many people as possible from as many locations as they can. This is where the advanced attackers engaged in cyber espionage campaigns tend to set themselves apart from the others and narrow their focus through what we call strategic web compromises. [Related article from SecurityWeek: Espionage campaign targets foreign policy domains.]
Appelbaum, J., & Binney, B. (2012, April 20). [Audio of interview at the Surveillance Teach-In, Whitney Museum of American Art, New York]. Retrieved from http://whitney.org/WatchAndListen/Tag?context=event&play_id=673
Jacob Appelbaum, computer security researcher, privacy advocate, hacker, and human rights activist, and Bill Binney, National Security Agency whistleblower . . . discuss domestic surveillance and the ways in which technological innovations have allowed for increasingly ubiquitous access into what was once private information.
Danezis, G., Dietrich, S., & Sako, K. (Eds.). (2012). Financial cryptography and data security FC 2011 workshops, RLCPS and WECSR 2011, Rodney Bay, St. Lucia, February 28 – March 4, 2011, revised selected papers. [Full text of papers below can be requested by UMUC students / faculty from DocumentExpress.]
Eldefrawy, M. H., Khan, M. K., Alghathbar, K., Kim, T., & Elkamchouchi, H. (2012). Mobile one-time passwords: Two-factor authentication using mobile phones. Security and Communication Networks, 5(5), 508-516. doi:10.1002/sec.340 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
In this paper, we present a novel 2FA scheme whereby multiple OTPs are being produced by utilizing an initial seed and two different nested hash chains: one dedicated to seed updating and the other used for OTP production. We overcome all the restrictions that come from alternative and previous techniques. We analyze our proposal from the viewpoint of security and performance compared with the other algorithms.
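The following Python sketch is an added illustration for this bibliography, not code from Eldefrawy et al.; it shows the general idea the abstract describes (one hash chain that yields one-time passwords, a second hash chain that supplies the seed for the next run) in a Lamport-style setting. The way each OTP chain commits to the next epoch's anchor, the domain-separated hashes, and the parameters N_OTPS and N_EPOCHS are assumptions of this sketch, not the paper's construction.

```python
import hashlib
import secrets

# Toy parameters for this sketch (assumed, not taken from the paper).
N_OTPS = 4       # one-time passwords produced per seed epoch
N_EPOCHS = 3     # length of the seed-updating chain
END = bytes(32)  # sentinel "anchor" after the final epoch


def H(data: bytes) -> bytes:
    """Hash used for the OTP-production chain (domain separated)."""
    return hashlib.sha256(b"otp|" + data).digest()


def H_seed(data: bytes) -> bytes:
    """Hash used for the seed-updating chain (different domain)."""
    return hashlib.sha256(b"seed|" + data).digest()


def chain(x: bytes, k: int) -> bytes:
    """Apply H k times."""
    for _ in range(k):
        x = H(x)
    return x


class Client:
    """Holds the master secret and derives both chains from it."""

    def __init__(self, master: bytes, epochs: int = N_EPOCHS, n: int = N_OTPS):
        self.n = n
        # Seed chain S_1..S_m with S_j = H_seed(S_{j-1}); epochs are consumed
        # from S_m down to S_1, so revealing S_j never exposes the next seed.
        seeds = [master]
        for _ in range(epochs):
            seeds.append(H_seed(seeds[-1]))
        self.seeds = seeds[1:]  # self.seeds[j-1] is S_j
        # Each epoch's chain root commits to the *next* epoch's anchor, so the
        # server can verify a rollover without ever learning a seed in advance.
        self.anchors = [END]    # A_0
        self.roots = {}
        for j, s in enumerate(self.seeds, start=1):
            root = H(s + self.anchors[j - 1])
            self.roots[j] = root
            self.anchors.append(chain(root, n))   # A_j = H^n(root)
        self.j = epochs   # current epoch index
        self.k = 1        # index of the next OTP in this epoch

    def registration_anchor(self) -> bytes:
        """Value the client registers with the server once, at enrolment."""
        return self.anchors[self.j]

    def next_otp(self) -> bytes:
        if self.k > self.n:
            raise RuntimeError("epoch exhausted; send a rollover first")
        otp = chain(self.roots[self.j], self.n - self.k)  # H^{n-k}(root)
        self.k += 1
        return otp

    def rollover(self) -> tuple:
        """Reveal (S_j, A_{j-1}); the server checks them against the chain root."""
        if self.k <= self.n:
            raise RuntimeError("epoch not yet exhausted")
        if self.j == 1:
            raise RuntimeError("seed chain exhausted; re-enrol")
        msg = (self.seeds[self.j - 1], self.anchors[self.j - 1])
        self.j -= 1
        self.k = 1
        return msg


class Server:
    """Stores only the current anchor; never holds a seed."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def verify(self, otp: bytes) -> bool:
        if H(otp) != self.anchor:
            return False
        self.anchor = otp   # move the anchor down the chain (defeats replay)
        return True

    def rollover(self, seed: bytes, next_anchor: bytes) -> bool:
        if H(seed + next_anchor) != self.anchor:
            return False
        self.anchor = next_anchor
        return True


def run_protocol(master: bytes) -> dict:
    """Drive every epoch to exhaustion and count what the server accepts."""
    client = Client(master)
    server = Server(client.registration_anchor())
    accepted = replays_rejected = rollovers = 0
    for epoch in range(N_EPOCHS):
        for _ in range(N_OTPS):
            otp = client.next_otp()
            accepted += server.verify(otp)
            replays_rejected += not server.verify(otp)   # same OTP again
        if epoch < N_EPOCHS - 1:
            seed, nxt = client.rollover()
            # A party who captured the revealed seed cannot plant its own anchor.
            assert not server.rollover(seed, secrets.token_bytes(32))
            rollovers += server.rollover(seed, nxt)
    return {"accepted": accepted, "replays_rejected": replays_rejected,
            "rollovers": rollovers}


if __name__ == "__main__":
    print(run_protocol(secrets.token_bytes(32)))
```

The server keeps a single hash value and no seed, so a server compromise yields nothing reusable, and a captured OTP is useless after it has been accepted. The usual caveat for any hash-chain OTP applies: an active attacker who intercepts an OTP in transit and submits it first is not stopped by the chain itself, which is why deployments bind the OTP to a challenge or to the authenticated channel.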
Fan, C., Hsu, R., & Chen, W. (2012). Privacy protection for vehicular ad hoc networks by using an efficient revocable message authentication scheme. Security and Communication Networks, 5(5), 462-478. doi:10.1002/sec.328 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Ensuring the correctness of exchanged information and guaranteeing the privacy of vehicle owners are the two most significant security concerns for VANETs. Pseudonymous public key infrastructure (PPKI) is a practical solution to these two issues. Almost all PPKI technologies are comprehensive schemes, such as the group signature-based and identity-based cryptosystems. An applicable PPKI scheme for secure vehicular communication (VC) should support revocability because revoking the certificates of vehicles whose registrations are surrendered or transferred is a significant functionality in VANETs. However, the computation or space complexity in most of the revocable PPKI-based protocols is linear when the number of vehicles or revoked vehicles increases over time. This drawback markedly degrades the efficiency and stability of secure VC. This work therefore reduces the computation complexities of authentication message verification, certificate tracing, and membership revocation, and the space complexity of system parameters (e.g., revocation information and public keys), such that they are independent of the number of vehicles or revoked vehicles, using a novel and efficient PPKI mechanism based on bilinear mapping. The proposed scheme uses the concept of accumulator schemes and transfers the computation of accumulators from vehicles to the certificate authority (CA) to achieve constant computation and storage complexities on vehicles. The computation of accumulators on the CA is also low in the proposed scheme. Finally, we formally prove that the proposed scheme, which is based on the q-strong Diffie–Hellman, n-Diffie–Hellman exponent (DHE), variant n-DHE, and decision linear Diffie–Hellman assumptions, is secure under the definitions of traceability and anonymity.
Fisher, D. (2012, May 15). Microsoft’s SDL expands beyond Redmond. threatpost. Retrieved from https://threatpost.com/en_us/blogs/microsofts-sdl-expands-beyond-redmond-051612
It’s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it’s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.
The company this week is hosting its first Security Development Conference in Washington, D.C., and one of the things that Microsoft executives are focusing on is how the SDL has spread beyond Redmond and taken hold in a number of other industries and organizations. One of those recent adopters of the SDL is Itron, a company that manufactures smart meters for installation around the world. Those meters are used to regulate and measure power usage in homes and businesses, and the use of these machines has become somewhat controversial in the security community because of potential vulnerabilities and attacks.
Goodin, D. (2012, May 14). LulzSec member pleads not guilty to charges that he hacked Stratfor website. Ars Technica. Retrieved from http://arstechnica.com/security/2012/05/lulzsec-member-pleads-not-guilty-to-charges-he-hacked-stratfor-website/
A former LulzSec member has pleaded not guilty to federal charges that he hacked into the servers of global intelligence company Stratfor and stole credit card data and personal details of 860,000 of its clients.
Jeremy Hammond entered the plea on Monday during a brief hearing in US District Court in Manhattan, the Associated Press reported. He’s been held in federal custody since an initial court appearance in Chicago in early March, when federal prosecutors named him as a lieutenant of LulzSec ringleader Hector Xavier “Sabu” Monsegur. There was no request for Hammond to be released on bail during Monday’s hearing, according to the AP report.
Hein, D., Morozov, S., & Saiddian, H. (2012). A survey of client-side web threats and counter-threat measures. Security and Communication Networks, 5(5), 535-544. doi:10.1002/sec.349 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
The increasing frequency and malevolence of online security threats require that we consider new approaches to this problem. The existing literature focuses on the Web security problem from the server-side perspective. In contrast, we explore it from the client-side, considering the major types of threats. After a short threat summary, we discuss related research and existing countermeasures. We then examine intuitive human-oriented trust models and posit a flexible, multilayer framework to facilitate automated client-side decision making. The proposed suggestions are not intrusive and do not require advanced technical knowledge from end users.
Hsu, C., & Lin, H. (2012). Pairing-based strong designated verifier proxy signature scheme with low cost. Security and Communication Networks, 5(5), 517-522. doi:10.1002/sec.343 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
A proxy signature (PS) scheme has crucial benefits to the delegation operations in an organization. To further provide PS schemes with the property of confidentiality, in this paper, we propose a strong designated verifier PS scheme from pairings. The proposed scheme allows an authorized proxy signer to generate a valid PS on behalf of an original signer such that only the intended verifier is capable of validating it. Besides, the designated verifier cannot transfer the proof to convince any third party, which is referred to as non-transferability. Compared with previous works, ours has lower computational costs. Especially, the delegation process of our proposed scheme is pairing free. Moreover, the security requirement of unforgeability against existential forgery under adaptive chosen-message attacks is formally proven in the random oracle model.
Li, H., & Yuan, H. (2012). Dependability evaluation of integrated circuits at design time against laser fault injection. Security and Communication Networks, 5(5), 450-461. doi:10.1002/sec.327 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Laser fault injection has been proved to be a useful tool for attacks on integrated circuits. A pulse of photons hitting a transistor causes it to conduct transiently, thereby introducing transient logic errors, such as register value modifications, memory dumping, and so on. Attackers can make use of this abnormal behavior and extract sensitive information that the devices try to protect. This paper demonstrates laser fault injection attacks on very-large-scale integration circuits in a semi-invasive way for the purpose of validating fault tolerant design and performance. Then, the paper presents a simulation methodology to evaluate the dependability of the integrated circuit design against laser fault injection attacks at design time. This simulation methodology involves exhaustively scanning the layout, incorporating the exposed cells into a circuit simulator, and examining the response of the circuit in detail. Experiments conducted on the same test chip spot the same vulnerabilities, thus indicating the validity of the proposed simulation methodology.
Neustar. (2012, May). DDoS survey: Q1 2012. Retrieved from http://goo.gl/uGmhn
In February 2012, Neustar surveyed IT professionals across North America to better understand their DDoS experiences. Most were network services managers, senior systems engineers, systems administrators and directors of IT operations. In all, 1,000 people from 26 different industries shared responses about attacks, defenses, ongoing concerns, risks and financial losses. The survey shed light on five key questions:
- Who has been attacked and who hasn’t?
- How much do DDoS outages cost?
- What’s the single biggest fear about DDoS attacks?
- How long have attacks lasted?
- What type of DDoS protection are people using?
Ragan, S. (2012, May 16). Utah’s IT boss resigns after massive data breach and policy failure. SecurityWeek. Retrieved from https://www.securityweek.com/utahs-it-boss-resigns-after-massive-data-breach-and-policy-failure
Stephen Fletcher, the executive director of Utah’s Dept. of Technology Services (DTS), has resigned following the aftermath of a massive data breach earlier this year that exposed nearly one million people, including children. The staffing changes come after preliminary investigations exposed serious flaws within the state’s IT practices, including storing information that shouldn’t have been kept at all.
In April, SecurityWeek reported on the news that Utah’s Department of Health (UDOH) had alerted parents and patients to the fact that a data breach that was initially said to have impacted only 24,000 records had in fact impacted 181,604 people. Within 24 hours of that announcement, the numbers were changed again. This time, the UDOH said that the attackers compromised 780,000 records, including 280,000 records that contained Social Security Numbers.
[UPCOMING WEBINAR] SecurityWeek. (2012, May 23). How security can work better with development. Retrieved from https://www.securityweek.com/upcoming-webinar-how-security-can-work-better-development [free registration]
Why do security and development teams find it so difficult to collaborate? The risks to companies from insecure applications have been rising, yet this area continues to be a blind-spot. Have you heard developers say:
- “There’s no way we can fix all of these defects. Which ones are MUST-fix?”
- “Prove it’s exploitable or we won’t fix it.”
- “It’s too late to fix these vulnerabilities – we’ll get to them in the next release.”
- “The code I sent builds on my machine – what else do you need?”
- “Just tell us how to fix this defect.”
Join Mark Curphey, Senior Principal Consultant of Foundstone, a division of McAfee, and Coverity’s Co-Founder and CTO, Andy Chou for a one hour webinar where we’ll cover how to get beyond these common arguments and move towards better collaboration with development. We will also discuss key strategies for overcoming these common objections.
Shao, J., Liu, P., Wei, G., & Ling, Y. (2012). Anonymous proxy re-encryption. Security and Communication Networks, 5(5), 439-449. doi:10.1002/sec.326 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Proxy re-encryption (PRE) is a public key encryption that allows a semi-trusted proxy with some information (a.k.a., re-encryption key) to transform a ciphertext under one public key into another ciphertext under another public key. Because of this special property, PRE has many applications, such as the distributed file system. Some of these applications demand that the underlying PRE scheme is anonymous under chosen-ciphertext attacks (CCAs); that is, the adversary cannot identify the recipient of the original/transformed ciphertext, even if it knows the PRE key and can launch the CCA. However, to the best of our knowledge, none of the existing PRE schemes satisfy this requirement. In this work, we propose the first anonymous PRE with CCA security and collusion resistance. Our proposal is proved in the random oracle model based on the DDH assumption.
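To make the ciphertext transformation in the first sentence concrete, here is an added toy implementation of the classic ElGamal-based bidirectional PRE of Blaze, Bleumer and Strauss, written for this bibliography; it is not the scheme Shao et al. propose. The group parameters P, Q and G are toy assumptions far too small for real use. Besides the re-encryption step itself, the sketch shows two properties the abstract says a suitable scheme must not have: the proxy and the delegatee together recover the delegator's secret key (no collusion resistance), and anyone can alter the plaintext under the ciphertext without a key (malleability, hence no CCA security).

```python
import secrets

# Toy group parameters (assumed for this sketch): safe prime P = 2Q + 1 and a
# generator G of the order-Q subgroup. Real deployments need 2048-bit+ groups.
P = 1019
Q = 509
G = 4


def keygen(sk=None) -> tuple:
    """ElGamal key pair; sk may be fixed for reproducible tests."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encode(x: int) -> int:
    """Map a small integer into the subgroup as G^x; decode() inverts it."""
    return pow(G, x % Q, P)


def decode(m: int) -> int:
    """Brute-force discrete log; acceptable only because Q is tiny."""
    for x in range(Q):
        if pow(G, x, P) == m:
            return x
    raise ValueError("not a subgroup element")


def encrypt(pk: int, m: int) -> tuple:
    """Ciphertext (pk^r, m * G^r) for a subgroup element m."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(pk, r, P), (m * pow(G, r, P)) % P


def decrypt(sk: int, ct: tuple) -> int:
    c1, c2 = ct
    g_r = pow(c1, pow(sk, -1, Q), P)      # (G^{sk*r})^{1/sk} = G^r
    return (c2 * pow(g_r, -1, P)) % P


def rekey(sk_a: int, sk_b: int) -> int:
    """Re-encryption key A->B is b/a mod Q; needs both secrets (bidirectional)."""
    return (sk_b * pow(sk_a, -1, Q)) % Q


def reencrypt(rk: int, ct: tuple) -> tuple:
    """The proxy turns pk_A^r into pk_B^r and leaves the masked message alone."""
    c1, c2 = ct
    return pow(c1, rk, P), c2


def collude(rk: int, sk_b: int) -> int:
    """Proxy plus delegatee recover the delegator's secret: a = b / rk."""
    return (sk_b * pow(rk, -1, Q)) % Q


def maul(ct: tuple, delta: int) -> tuple:
    """Multiply the hidden plaintext by G^delta without any key (malleable)."""
    c1, c2 = ct
    return c1, (c2 * encode(delta)) % P


def demo() -> dict:
    """Fixed keys so the run is reproducible."""
    sk_a, pk_a = keygen(7)
    sk_b, _pk_b = keygen(11)
    m = encode(42)
    ct_a = encrypt(pk_a, m)
    rk = rekey(sk_a, sk_b)
    ct_b = reencrypt(rk, ct_a)
    return {
        "alice_reads": decode(decrypt(sk_a, ct_a)),
        "bob_reads_reencrypted": decode(decrypt(sk_b, ct_b)),
        "collusion_recovers_sk_a": collude(rk, sk_b) == sk_a,
        "mauled_plaintext": decode(decrypt(sk_b, maul(ct_b, 5))),
    }


if __name__ == "__main__":
    print(demo())
```

The proxy never sees the plaintext, which is the point of PRE, but note how little else this baseline guarantees: the re-encryption key is a ratio of the two secret keys, so it leaks one given the other, and the unmodified second component lets anyone shift the plaintext. Schemes that claim CCA security and collusion resistance, as the abstract does, have to close exactly these gaps.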
United States. Court of Appeals for the District of Columbia. (2012, May 11). Electronic Privacy Information Center v. National Security Agency. Retrieved from http://goo.gl/AFYPa
Plaintiff-appellant Electronic Privacy Information Center (“EPIC”) filed a Freedom of Information Act (“FOIA”) request with the National Security Agency (“NSA”) seeking disclosure of any communications between NSA and Google, Inc. regarding encryption and cyber security. NSA issued a Glomar response pursuant to FOIA Exemption 3, indicating that it could neither confirm nor deny the existence of any responsive records. EPIC challenged NSA’s Glomar response in the district court, and the parties cross-moved for summary judgment. The district court entered judgment for NSA, and EPIC appealed. We affirm. [Related article from Wired: Court upholds Google-NSA relationship secrecy.]
United States. Department of Homeland Security. National Cybersecurity and Communications Integration Center. (2012, May 15). Attack surface: Healthcare and public health sector. Retrieved from http://info.publicintelligence.net/NCCIC-MedicalDevices.pdf
The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of medical devices [MDs] opens up both new opportunities and new vulnerabilities to patients and medical facilities. Since wireless MDs are now connected to medical information technology (IT) networks, IT networks are now remotely accessible through the MD. This may be a desirable development, but the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern. In addition, many HPH organizations are leveraging mobile technologies to enhance operations. The storage capacity, fast computing speeds, ease of use, and portability render mobile devices an optimal solution.
This Bulletin highlights how the portability and remote connectivity of MDs introduce additional risk into Medical IT networks and failure to implement a robust security program will impact the organization’s ability to protect patients and their medical information from intentional and unintentional loss or damage.
[UPCOMING LARGO AREA EVENT] United States. National Institute of Standards and Technology. (2012, May 30). Technical aspects of botnets workshop. Retrieved from http://www.nist.gov/itl/csd/botnets-workshop.cfm [free registration]
While security risks on the Internet continue to exist in many areas, one increasingly exploited threat is the global rise of botnets. A botnet infection can lead to the monitoring of a consumer’s personal information and communication, and exploitation of that consumer’s computing power and Internet access. To address the problems created by botnets, the botnet lifecycle must be disrupted and the malware on the devices removed or made impotent. Companies, organizations and governments around the world have been developing policies, high-level principles and solutions.
NIST seeks to engage all stakeholders to identify the available and needed technologies and tools to recognize, prevent, and remediate botnets; explore current and future efforts to develop botnet metrics and methodologies for measuring and reporting botnet metrics over time; and, understand where ecosystem stakeholders are in terms of roles and responsibilities.
Wolf, J. (2012, May 11). Pentagon to tighten contractors’ cybersecurity. Reuters. Retrieved from http://www.reuters.com/article/2012/05/11/cyber-pentagon-companies-idUSL1E8GBOEY20120511
The U.S. Defense Department invited all of its eligible contractors on Friday to join a previously restricted information-sharing pact aimed at guarding sensitive Pentagon program data stored on private computer networks. Greater sharing with the so-called defense industrial base was a key step to coping with widespread cyber threats to U.S. national security, said Ashton Carter, deputy defense secretary, in a statement.
Zetter, K. (2012, May 15). Popular surveillance cameras open to hackers, researcher says. Wired. Retrieved from http://www.wired.com/threatlevel/2012/05/cctv-hack/
Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.
The cameras, used by banks, retailers, hotels, hospitals and corporations, are often configured insecurely — thanks to these manufacturer default settings, according to researcher Justin Cacak, senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of the systems to view live footage, archived footage or control the direction and zoom of cameras that are adjustable.
Zhu, W. T., Zhou, J., Deng, R. H., & Bao, F. (2012). Detecting node replication attacks in mobile sensor networks: theory and approaches. Security and Communication Networks, 5(5), 496-507. doi:10.1002/sec.326 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Due to cost concerns, sensor nodes are not made tamper-resistant, and a captured node may be easily compromised by an adversary, raising the concern of node replication attacks. We address the problem of detecting such attacks in a mobile sensor network, where each sensor node freely and randomly roams in the sensing region. Our detections have the nice feature that sensor nodes do not need to be aware of their geographic positions, and even loose time synchronization may be unnecessary.
CALLS FOR PAPERS
4th International Conference on Security and Privacy in Mobile Information and Communication Systems [Frankfurt, Germany, June 25-26, 2012 – submissions due May 25th]
13th International Workshop on Information Security Applications [Jeju Island, Korea, Aug. 16-18, 2012 – submissions due May 25th]
Secure Autonomous Electric Power Grids Workshop, Co-located with the Sixth IEEE International Conference on Self-Adaptive and Self-Organizing Systems [Lyon, France, Sept. 10, 2012 – submissions due July 4th]
1st International Conference on Digital Forensics and Investigation [Beijing, China, September 21-23, 2012 – submissions due June 1st]
6th International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security [St. Petersburg, Russia, Oct. 17-20, 2012 – submissions due May 27th]
5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012 [Raleigh, NC, Oct. 19, 2012 – submissions due July 16th]
14th International Conference on Information and Communication Security [Hong Kong, Oct. 29-31, 2012 – submissions due May 25th]
Workshop on RFID and IoT Security [Taipei, Taiwan, Nov. 8-9, 2012 – submissions due July 9th]
5th International Symposium on Engineering Secure Software and Systems [Paris, France, Feb. 27-March 1, 2013 – submissions due Sept. 30th]