Dhage, S. N., & Meshram, B. B. (2012). Intrusion detection system in cloud computing environment. International Journal of Cloud Computing, 1(2/3), 261-282. doi:10.1504/IJCC.2012.046711 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
In recent years, with the growing popularity of cloud computing, security in cloud has become an important issue. As ‘prevention is better than cure’, detecting and blocking an attack is better than responding to an attack after a system has been compromised. This paper proposes architecture capable of detecting intrusions, in a distributed cloud computing environment, and safeguarding it from possible security breaches. It deploys a separate instance of IDS for each user and uses a separate controller to manage the instances. IDS in this architecture can be signature-based as well as learning-based method.
Geers, K. (2012). Strategic cyber defense: Which way forward? Journal of Homeland Security and Emergency Management, 9(1), 1-10. [Full text available to UMUC students / faculty.]
Cyber security has evolved from a technical discipline to a strategic, geopolitical concept. The question for national security thinkers today is not how to protect one or even a thousand computers, but millions, including the cyberspace around them. Strategic challenges require strategic solutions. This article considers four nation-state approaches to cyber attack mitigation: 1) Technology: Internet Protocol version 6 (IPv6); 2) Doctrine: Sun Tzu’s Art of War; 3) Deterrence: can we prevent cyber attacks?; 4) Arms control: can we limit cyber weapons? These threat mitigation strategies fall into different categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach. Technology and doctrine are the most likely strategies to provide short-term improvement in a nation’s cyber defense posture. Deterrence and arms control, which are more subject to outside political influence and current events, may offer cyber attack mitigation but only in the longer-term.
Goodin, D. (2012, May 10). My own private internet: .secure TLD floated as bad-guy-free zone. Ars Technica. Retrieved from http://arstechnica.com/security/2012/05/my-own-private-internet-secure-tld-floated-as-bad-guy-free-zone/
A security researcher has won investments of more than $9 million to incorporate a tightly policed section of the Internet reserved for banks, healthcare providers, and other groups that are regularly targeted in malware, phishing, and similar online attacks.
Alex Stamos, CTO of iSec Partners, said Internet addresses subscribing to the secure service would tentatively include the top-level-domain of .secure, which his new venture has applied to operate. Websites, mail servers, and other services using .secure addresses would first have to agree to abide by a stringent set of requirements, including offering end-to-end encryption of most traffic and to follow a strict code of conduct. Artemis Internet, Inc. as the new venture is called, has received about $9.6 million in backing from its parent company, NCC Group, a UK-based provider of secure IT services.
Internet Crime Complaint Center. (2012, May 10). 2011 internet crime report. Retrieved from http://www.ic3.gov/media/annualreport/2011_IC3Report.pdf
The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3’s battle against it. The most common victim complaints included FBI-related scams, identity theft and advance fee fraud. IC3 received and processed more than 26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034), Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total of $70.5 million. For victims reporting financial losses, the average was $4,187.
Kumar, P. S., & Subramanian, R. (2012). RSA-based dynamic public audit service for integrity verification of data storage in cloud computing using Sobol sequence. International Journal of Cloud Computing, 1(2/3), 167-200. doi:10.1504/IJCC.2012.046719 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Cloud storage has become a trend and more practical in recent years. This unique feature of the cloud poses many security challenging design issues. One of the most important security aspects that need to be addressed is that to assure the integrity of clients data stored in the cloud. In this paper, we propose a RSA-based dynamic public audit service for the integrity verification of data using Sobol sequence. Our scheme allows a third party auditor (TPA) on behalf of the clients to verify the integrity of data stored in the cloud and also supports data dynamics at block level while maintaining the same integrity assurance. Our model allows probabilistic proofs of integrity by challenging random blocks from the server which drastically reduces the computation and communication overhead. The security, performance analysis and experimental results show that our scheme is more secure and efficient than existed probability verification schemes.
McCullagh, D. (2012, May 4). FBI: We need wire-tap ready Web sites – now. CNET. Retrieved from http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/
The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.
In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.
Mukherjee, K., & Sahoo, G. (2012). A novel methodology for secured c-governance using Hadamard coding. International Journal of Cloud Computing, 1(2/3), 145-166. doi:10.1504/IJCC.2012.046718 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Cloud computing has opened a viable business option for corporations, industry and government organisations. This new paradigm is capable to trim down cost, can endow organisations with usage-based pricing, enhance functionality, improved collaboration, communication, omnipresent of application and data. Keeping this in view, this new technology is a natural choice for government sectors as e-governance to hike the recital of government machinery. So, we propose here a cloud computing-based e-governance, i.e., c-governance. But this cutting age of technology is still in its infant stage. So cloud computing and c-governance has to address lot of key issues like – security, performance, availability, scalable software architecture, etc. On this context, this manuscript has focused on a new security framework, security algorithms for c-governance based on Hadamard matrix. The results of the implementations are presented in order to lay bare the effectiveness of the proposed framework and algorithms.
Pelofsky, J. (2012, May 3). Obama administration urges freer access to cellphone records. Reuters. Retrieved from http://www.reuters.com/article/2012/05/03/usa-security-surveillance-idUSL1E8G3OL320120503
The U.S. Congress should pass a law to give investigators freer access to certain cellphone records, an Obama administration official said on Thursday, in remarks that raised concern among advocates of civil liberties and privacy. Jason Weinstein, a deputy assistant attorney general in the Justice Department’s criminal division, argued [audio] that requirements for warrants at early stages of investigations would “cripple” prosecutors and law enforcement.
Rekhis, S. (2012). System for formal digital forensic investigation aware of anti-forensic attacks. IEEE Transactions on Forensics and Security, 7(2), 635-650. doi:10.1109/TIFS.2011.2176117. [Full text can be requested by UMUC students / faculty from DocumentExpress.]
To defeat the process of investigation and make the analysis and reconstruction of attack scenarios difficult, challenging, or even impossible, attackers are motivated by conducting anti-forensic attacks. Several methods were proposed by the literature to formally reconstruct the sequence of events executed during the incident using theoretical and scientifically proven methods. However, these methods are not tailored to cope with anti-forensic attacks, as they assume that the collected evidence is trusted, do not model anti-forensic actions, and do not characterize provable anti-forensic attacks based on the knowledge of attacks, security solutions, and forms of evidence expected to be generated. We develop in this work a theoretical approach of digital investigation aware of anti-forensic attacks. After describing an investigation process which is able to address these attacks, we develop a state-based logic to describe the investigated system, the deployed security solution, the evidence they provide, and the library of attacks. An inference system is proposed to mitigate anti-forensic attacks and generate potential scenarios starting from traces that were targeted by these attacks. To exemplify the proposal, we provide a case study related to the investigation of an incident that exhibited anti-forensic attacks.
Saita, A. (2012, May 10). UNC-Charlotte data breaches expose 350,000 social security numbers and much more. threatpost. Retrieved from https://threatpost.com/en_us/blogs/unc-charlotte-data-breaches-expose-350000-social-security-numbers-and-much-more-051012
Confidential data, including bank account and Social Security numbers for some 350,000 University of North Carolina-Charlotte students, staff and faculty, were accidentally exposed — some for almost 15 years — due to a system misconfiguration and incorrect access settings that made electronic data publicly available.
The school on Wednesday released a statement on an investigation it launched in February after staff discovered the data breach. The investigation revealed two separate incidents exposed data such as names, addresses, Social Security numbers and financial account information provided during university transactions.
Sion, R., & Chen, Y. (2012). Fighting Mallory the insider: Strong write-once read-many storage assurances. IEEE Transactions on Forensics and Security, 7(2), 755-764. doi:10.1109/TIFS.2011.2172207. [Full text can be requested by UMUC students / faculty from DocumentExpress.]
We introduce a Write-Once Read-Many (WORM) storage system providing strong assurances of data retention and compliant migration, by leveraging trusted secure hardware in close data proximity. This is important because existing compliance storage products and research prototypes are fundamentally vulnerable to faulty or malicious behavior, as they rely on simple enforcement primitives that are ill-suited for their threat model. This is hard because tamper-proof processing elements are significantly constrained in both computation ability and memory capacity, as heat dissipation concerns under tamper-resistant requirements limit their maximum allowable spatial gate-density. We achieve efficiency by 1) ensuring the secure hardware is accessed sparsely, minimizing the associated overhead for expected transaction loads, and 2) using adaptive overhead-amortized constructs to enforce WORM semantics at the throughput rate of the storage server’s ordinary processors during burst periods. With a single secure coprocessor, on commodity x86 hardware, the architecture can support unlimited read throughputs and over 2500 write transactions per second.
Sun, H., Chen, Y., & Lin, Y. (2012). oPass: A user authentication protocol resistant to password stealing and password reuse attacks. IEEE Transactions on Forensics and Security, 7(2), 651-663. doi:10.1109/TIFS.2011.2169958. [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Text password is the most popular form of user authentication on websites due to its convenience and simplicity. However, users’ passwords are prone to be stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she will exploit it to gain access to more websites. Second, typing passwords into untrusted computers suffers password thief threat. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a user authentication protocol named oPass which leverages a user’s cellphone and short message service to thwart password stealing and password reuse attacks. oPass only requires each participating website possesses a unique phone number, and involves a telecommunication service provider in registration and recovery phases. Through oPass, users only need to remember a long-term password for login on all websites. After evaluating the oPass prototype, we believe oPass is efficient and affordable compared with the conventional web authentication mechanisms.
Tehan, R. (2012, April 12). Cybersecurity: Authoritative reports and resources [Congressional Research Service]. Retrieved from https://www.fas.org/sgp/crs/misc/R42507.pdf
Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated by individuals, as well as countries. Targets have included government networks, military defenses, companies, or political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic.
Congress has been actively involved in cybersecurity issues, holding hearings every year since 2001. There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics. This report provides links to selected authoritative resources related to cybersecurity issues.
United States. Department of Defense. (2012, May 11). Department of Defense-defense industrial base voluntary cyber security and information assurance activities. Retrieved from http://cryptome.org/dodi/dod051112.pdf
DoD is publishing an interim final rule to establish a voluntary cyber security information sharing program between DoD and eligible DIB companies. The program enhances and supplements DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.
United States. Federal Emergency Management Agency. (2012, March 30). 2012 preparedness report. Retrieved from http://www.fema.gov/library/viewRecord.do?id=5914
The 2012 National Preparedness Report summarizes how prepared we are as a Nation. It focuses on five mission areas: Prevention, Protection, Mitigation, Response, and Recovery. The NPR identifies areas where the Nation has made significant progress, acknowledges remaining opportunities for improvement, and reinforces the important principles of national preparedness. The NPR focuses on threats and hazards that pose the greatest risk to U.S. security and resilience.
Related article from the New York Times: U.S. study cites worry on readiness for cyberattacks.
[UPCOMING LARGO AREA EVENT] United States. National Institute of Standards and Technology. (2012, June 26). Cyber excellence workshop. Retrieved from http://cryptome.org/2012/05/nist050412.htm [Free registration].
NIST announces a National Cybersecurity Center of Excellence (NCCoE) Workshop to be held on Tuesday, June 26, 2012. This is an initial informational NCCoE workshop. The goals of this workshop are to provide a venue for discussion of the NCCoE public-private partnership structure, and to describe and gather input from individual participants on possible case studies that are expected to form a central focus of collaborative efforts. The workshop will also describe and explore opportunities for industry, academia, and Federal, state and local government agencies to participate in the NCCoE.
United States. National Security Agency. (2012, April). New smartphones and the risk picture. Retrieved from http://cryptome.org/2012/05/nsa-mobile-risks.pdf
Mobile phone platforms are susceptible to malicious attacks, both from the network and upon physical compromise. Understanding the vectors of such attacks, level of expertise required to carry them out, available mitigations, and impact of compromise provides a background for certain risk decisions. In general, comparing risks introduced by the new generation of mobile devices to those of traditional, widely-deployed desktop systems provides insight into how the risks to DoD networks are changing. Due to the larger cultural and technological shift to mobile devices, this may be more relevant than comparison of different smartphone brands.
Uzunov, A. V., Fernandez, E. B., & Falkner, K. (2012). Securing distributed systems using patterns: A survey. Computers and Security [in press]. [Full text available to UMUC students / faculty in ScienceDirect database.]
Driven by expanding scientific computing and business enterprise needs, the last decade has seen a shift towards software paradigms in which distribution plays a central role. The increasing size, complexity and heterogeneity of the corresponding systems is accompanied by an increase of security vulnerabilities that require mitigation via combined security and software engineering strategies. In this respect security patterns, which build on the success of design patterns and software patterns more generally, are a tool of great value. In this paper we comprehensively survey the state-of-the-art in securing distributed systems using (security) patterns, considering both relevant patterns and methodologies for applying them. In the first part of the survey, we provide detailed reviews of our selected security patterns, classify the patterns using a multi-dimensional scheme and evaluate them according to a set of quality categories. This highlights deficiencies in the reviewed patterns and provides a basis for identifying new or “missing” patterns and pattern classes. The newly identified and surveyed patterns are a step forward in defining a pattern language for distributed computing. In the second part of the survey, we briefly review a number of pattern-based security methodologies and evaluate their maturity and appropriateness for securing distributed systems.
Zetter, K. (2012, April 8). Twitter hits back at court, prosecutors over ‘Occupy’ order. Wired. Retrieved from http://www.wired.com/threatlevel/2012/05/twitter-hits-back-at-court/
In the battle to fight online fishing expeditions by law enforcement officials there is little we can do individually to protect ourselves — which makes it all the more important for internet companies like Twitter and Google to fight back on our behalf.
That’s exactly what Twitter did when it filed a surprisingly feisty motion (.pdf) this week in New York City Criminal Court to quash a court order demanding that it hand over information to law enforcement about one of its account holders — an activist who participated in the Occupy Wall Street protests — as well as tweets that he allegedly posted to the account over a three-month period. The company stepped in with the motion after the account holder lost his own bid to quash the order.
In its motion to quash, Twitter pointed out to the judge that the order would essentially force the company to break the law by handing over data without a warrant. Twitter also took issue with the judge’s ruling that the account holder had no right to fight the order on his own behalf.
Zhou, L., Varadharajan, V., & Hitchens, M. (2012). A flexible cryptographic approach for secure data storage in the cloud using role-based access control. International Journal of Cloud Computing, 1(2/3), 201-220. doi:10.1504/IJCC.2012.046720 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
There has been a recent trend in storing data in the cloud because of the significant benefits, such as on demand resources and low maintenance costs. However due to the distributed nature of the cloud, access control mechanisms need to be employed to protect the privacy of data stored in cloud. Role-based access control (RBAC) provides a flexible way for users to manage and share their data in the cloud. In this paper, we propose a role-based encryption (RBE) scheme which enforces RBAC policies using cryptographic techniques. In our scheme, an owner of data can encrypt the data to a role in a RBAC system, and only the users who have the permissions of the role in the RBAC system can decrypt the data. Our scheme achieves efficient user management where the manager of a role can easily grant/revoke the membership of the role to/from a user without the needs of other parties’ participants. We compare our scheme with other previously published schemes and show that our scheme has better performance in both computation and management.