Resolved: the Internet Is No Place for Critical Infrastructure

Risk is a necessary consequence of dependence

DAN GEER

What is critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.

Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster unabridged dictionary meaning of which is:

the act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue

Queue Video Portrait: Ang Cui

Ang Cui is a Ph.D. student at Columbia University in New York City. His research focuses on embedded devices such as routers, printers, and VoIP phones. He is the inventor of a novel host-based defense mechanism known as Symbiotes, designed specifically to retrofit black-box, vulnerable, legacy embedded systems with sophisticated anti-exploitation mechanisms. In this video portrait, Ang describes the extent of the embedded threat in real-world environments, discusses novel exploitation techniques for embedded systems such as enterprise networking equipment, and outlines practical defenses for the embedded systems that constitute our global communication substrate.

A Decade of OS Access-control Extensibility

Open source security foundations for mobile and embedded devices

ROBERT N. M. WATSON, UNIVERSITY OF CAMBRIDGE COMPUTER LABORATORY

To discuss operating system security is to marvel at the diversity of deployed access-control models: Unix and Windows NT multiuser security; Type Enforcement in SELinux; anti-malware products; app sandboxing in Apple OS X, Apple iOS, and Google Android; and application-facing systems such as Capsicum in FreeBSD. This diversity is the result of a stunning transition from the narrow 1990s Unix and NT status quo to security localization—the adaptation of operating-system security models to site-local or product-specific requirements.


Related:

Building Systems to Be Shared, Securely

ACM CTO Roundtable on Mobile Devices in the Enterprise

Extensible Programming for the 21st Century

Rethinking Passwords

Our authentication system is lacking. Is improvement possible?

WILLIAM CHESWICK

There is an authentication plague upon the land. We have to claim and assert our identity repeatedly to a host of authentication trolls, each jealously guarding an Internet service of some sort. Each troll has specific rules for passwords, and the rules vary widely and incomprehensibly.

Password length requirements vary: Dartmouth wants exactly eight characters; my broker, six to eight; Wells Fargo, eight or more. Special characters are often encouraged or required, but some characters are too special: many disallow spaces, single or double quotes, underlines, or hyphens. Some systems disallow certain characters at the beginning of the password; dictionary checks abound, including foreign language dictionaries.


 

Related:

Security – Problem Solved?

Building Secure Web Applications

LinkedIn Password Leak: Salt Their Hide

 

Splinternet Behind the Great Firewall of China

Once China opened its door to the world, it could not close it again

Daniel Anderson

What if you could not access YouTube, Facebook, Twitter, and Wikipedia? How would you feel if Google informed you that your connection had been reset during a search? What if Gmail was only periodically available, and Google Docs, which was used to compose this article, was completely unreachable? What a mess!

http://queue.acm.org/detail.cfm?id=2405036

Browser Security Case Study: Appearances Can Be Deceiving

A discussion with Jeremiah Grossman, Ben Livshits, Rebecca Bace, and George Neville-Neil

It seems every day we learn of some new security breach. It’s all there for the taking on the Internet—more and more sensitive data every second. As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online… we put it all out there. And just how well protected is all that personally identifiable information? Not very.

The browser is our most important connection to the Web, and our first line of defense. But have the browser vendors kept up their end of the bargain in protecting users? They claim to have done so in various ways, but many of those claims are thin. From SSL (Secure Sockets Layer) to the Do Not Track initiative to browser add-ons to HTML5, attempts to beef up security and privacy safeguards have fallen well short.


 

Related:

Java Security Architecture Revisited

CTO Roundtable: Malware Defense Overview

Building Secure Web Applications

The Web Won't Be Safe or Secure until We Break It

Unless you’ve taken very particular precautions, assume every Web site you visit knows exactly who you are.

JEREMIAH GROSSMAN, WHITEHAT SECURITY

The Internet was designed to deliver information, but few people envisioned the vast amounts of information that would be involved or the personal nature of that information. Similarly, few could have foreseen the potential flaws in the design of the Internet—more specifically, Web browsers—that would expose this personal information, compromising the data of individuals and companies.

If people knew just how much of their personal information they unwittingly make available to each and every Web site they visit—even sites they’ve never been to before—they would be disturbed. If they give that Web site just one click of the mouse, out goes even more personally identifiable data, including full name and address, hometown, school, marital status, list of friends, photos, other Web sites they are logged in to, and in some cases, their browser’s auto-complete data and history of other sites they have visited.

http://queue.acm.org/detail.cfm?id=2390758

 

Related:

Browser Security

Security In The Browser

Cybercrime 2.0: When The Cloud Turns Dark

 

Queue Portrait: Video Interview with Robert Watson


Robert Watson is a security researcher and open source developer at the University of Cambridge looking at the hardware-software interface. He talks to us about spanning industry and academia, the importance of open source in software research, and challenges facing research that spans traditional boundaries in computer science. We also learn a bit about CPU security, and why applications, rather than operating systems, are increasingly the focus of security research. What are the challenges in the evolving hardware-software interface? Could open source hardware provide a platform for hardware-software research? And why is current hardware part of the problem? George Neville-Neil, Queue’s Kode Vicious, interviews Robert to learn about an exciting computer science research project at Cambridge.

http://queue.acm.org/detail_video.cfm?id=2382552

LinkedIn Password Leak: Salt Their Hide

If it does not take a full second to calculate the password hash, it is too weak.

POUL-HENNING KAMP

6.5 million unsalted SHA1 hashed LinkedIn passwords have appeared in the criminal underground. There are two words in that sentence that should cause LinkedIn no end of concern: “unsalted” and “SHA1.”

http://queue.acm.org/detail.cfm?id=2254400
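The two words Kamp singles out, "unsalted" and "SHA1", each buy the attacker something different, and the difference is easiest to see by running the same dictionary attack against both kinds of table. The example below is added here; it is not code from Kamp's article or from LinkedIn. The user table and the wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 is assumed as the salted, tunable-cost replacement (the article's tagline does not name one; bcrypt or scrypt would serve the same purpose). With an unsalted hash, one SHA-1 per candidate word recovers every user who picked that word, and a precomputed table removes even that cost. With a per-user salt and a slow KDF, each candidate has to be recomputed for each user, at the full iteration cost every time.

```python
"""Added example (not from the Queue article): unsalted SHA-1 versus a
salted, deliberately slow KDF under the same offline dictionary attack."""
import hashlib
import hmac
import os

# Constructed sample "leaked" user table. A real breach exposes only the
# hash column; the plaintexts are here only so the demo can build it.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",                     # same password as alice
    "dave": "correct horse battery staple",   # not in the wordlist
    "erin": "password",
}

# Constructed attacker wordlist (a handful of entries standing in for millions).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The scheme behind the LinkedIn leak: one fast, unsalted SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    Returns (recovered {user: password}, number of hash evaluations).
    Each word is hashed exactly once and matched against every user at
    once; identical passwords give identical hashes, which is also what
    makes precomputed (rainbow) tables possible.
    """
    lookup = {sha1_unsalted(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in hashes.items() if h in lookup}
    return found, len(wordlist)


# Default cost for the slow scheme; in production tune it upward until a
# single verification takes on the order of the "full second" in the tagline.
PBKDF2_ITERATIONS = 200_000


def hash_salted(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The algorithm, cost
    and salt are stored alongside the digest so the cost can be raised
    later without breaking verification of existing records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_hashes: dict, wordlist: list) -> tuple:
    """Same dictionary attack on salted, slow hashes.

    Returns (recovered {user: password}, number of underlying HMAC
    evaluations). Because every user has a different salt, no work is
    shared between users, and each candidate costs `iterations` HMACs
    instead of a single SHA-1 block.
    """
    found, hmac_ops = {}, 0
    for user, stored in stored_hashes.items():
        iterations = int(stored.split("$")[1])
        for w in wordlist:
            hmac_ops += iterations
            if verify_salted(w, stored):
                found[user] = w
                break
    return found, hmac_ops


if __name__ == "__main__":
    table = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted:", crack_unsalted(table, WORDLIST))
    salted = {u: hash_salted(p, iterations=2_000) for u, p in SAMPLE_USERS.items()}
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Run against the constructed table, the unsalted attack recovers alice, bob, carol and erin with five SHA-1 evaluations in total, and alice's and carol's hashes are byte-identical, so one crack is two accounts. The salted attack recovers the same four accounts, but only by spending the full PBKDF2 cost for every (user, candidate) pair; at a production iteration count, that per-guess cost is what turns a weekend of cracking into years.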

Security: Computing in an Adversarial Environment

Thursday, April 12, 2012 at 2:00 PM EDT / 1:00 PM CDT / 11:00 AM PDT

Security is inherently different from other aspects of computing due to the presence of an adversary. As a result, identifying and addressing security vulnerabilities requires a different mindset from traditional engineering. Proper security engineering—or the lack of it!—affects everything from website scripts to supply chain management to electronic health records to social networks to mobile phones…and the list goes on. Security is further complicated by the translation of social notions—such as identity and trust—into an online world. Worse, security itself is often viewed by both developers and users as the adversary! This learning webinar will introduce the fundamentals of security, describe the security mindset, and highlight why achieving security is difficult.

What you’ll learn:

  • The security mindset – what it is, why it’s needed
  • The social side of security – usability, adoption, identity, trust
  • A deeper dive on insider threat as a case study – what it is, how to detect it, how to prevent it
Presenter:
Carrie Gates
Senior Vice President and Director of Research, CA Labs
Dr. Gates has opened new avenues for collaboration in the field of cyber security for CA Technologies by leveraging government programs that further research between CA Labs and academia. She has given over 20 invited talks internationally, authored more than 40 peer-reviewed publications related to information security, and co-authored an amendment on cloud security research for the America Competes Act that was signed into law in December 2010. In October 2010, Dr. Gates was recognized for her work with a Women of Influence award from CSO magazine.

Moderator:
Christopher W. Clifton
Associate Professor of Computer Science, Purdue University
Dr. Clifton works on data privacy, particularly with respect to analysis of private data. This includes privacy-preserving data mining, data de-identification and anonymization, and limits on identifying individuals from data mining models. He also works more broadly in data mining, including data mining of text and data mining techniques applied to interoperation of heterogeneous information sources. Christopher also works on database support for widely distributed and autonomously controlled information, particularly issues related to data privacy. Prior to joining Purdue in 2001, Dr. Clifton was a principal scientist in the Information Technology Division at the MITRE Corporation. Before joining MITRE in 1995, he was an assistant professor of computer science at Northwestern University.

Attendance for this webinar is free. Space is limited.

This webcast provided by:

 

http://learning.acm.org/webinar/current