Friday, January 27, 2012

National Cybersecurity

United States. Executive Office of the President. (2012, January). National strategy for global supply chain security. Retrieved from https://www.hsdl.org/?view&did=698202
A strategy for ensuring the security and resiliency of "the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems."

Global Cybersecurity & broadly applicable items

Alsaleh, M., Mannan, M., & van Oorschot, P. C. (2012). Revisiting defenses against large-scale online password guessing attacks. IEEE Transactions on Dependable and Secure Computing, 9(1), 128-141. [Full text available in the IEEE Computer Science Digital Library database.]
Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.
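The policy the abstract describes, as an added Python sketch that is not the paper's PGRP and not code from this page: failures from any unknown source are counted against the username, so a botnet of many hosts shares one free guess per account, while a (source, username) pair with a past successful login gets a few failures before an ATT. The thresholds, addresses and passwords are assumptions for the illustration; a deployment would also expire the counters and the known-pair set after a time window.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Thresholds are assumptions for this sketch, not the paper's parameters.
KNOWN_LIMIT = 3    # failures a known (source, username) pair gets before an ATT
UNKNOWN_LIMIT = 1  # failures ALL unknown sources together get per username

OK, FAIL, ATT_REQUIRED = "OK", "FAIL", "ATT_REQUIRED"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    def __init__(self, users):
        # users: {username: password}, a constructed sample; stored salted and hashed
        self.db = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self.db[user] = (salt, _hash(pw, salt))
        self.known = set()                    # (source, username) pairs with a past success
        self.known_fail = defaultdict(int)    # (source, username) -> failures since last success
        self.unknown_fail = defaultdict(int)  # username -> failures from any unknown source

    def _verify(self, username, password):
        rec = self.db.get(username)
        if rec is None:
            _hash(password, b"\x00" * 16)     # burn a hash so unknown users cost the same time
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash(password, salt), digest)

    def attempt(self, source, username, password, att_solved=False):
        key = (source, username)
        if key in self.known:
            over = self.known_fail[key] >= KNOWN_LIMIT
        else:
            over = self.unknown_fail[username] >= UNKNOWN_LIMIT
        if over and not att_solved:
            return ATT_REQUIRED               # challenge instead of locking the account
        if self._verify(username, password):
            self.known.add(key)               # this source is now a known machine for the user
            self.known_fail[key] = 0
            return OK
        if key in self.known:
            self.known_fail[key] += 1
        else:
            self.unknown_fail[username] += 1  # charged to the username, not the source
        return FAIL


def demo():
    gate = LoginGate({"alice": "correct horse battery"})
    log = []
    # Botnet: three unknown sources share a single free failure for "alice".
    log.append(gate.attempt("203.0.113.1", "alice", "password1"))
    log.append(gate.attempt("203.0.113.2", "alice", "password2"))
    log.append(gate.attempt("203.0.113.3", "alice", "password3"))
    # Alice on a new laptop is challenged once, answers the ATT and logs in,
    # which registers (laptop, alice) as a known pair.
    log.append(gate.attempt("192.0.2.10", "alice", "correct horse battery"))
    log.append(gate.attempt("192.0.2.10", "alice", "correct horse battery", att_solved=True))
    # From the known laptop she gets KNOWN_LIMIT typos before an ATT.
    for _ in range(KNOWN_LIMIT):
        log.append(gate.attempt("192.0.2.10", "alice", "typo"))
    log.append(gate.attempt("192.0.2.10", "alice", "typo"))
    # The botnet is still held to an ATT per attempt; her login did not reset its budget.
    log.append(gate.attempt("203.0.113.4", "alice", "password4"))
    return log


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

The point to carry away is the choice of key: counting unknown-source failures per username is what keeps the number of botnet nodes irrelevant, and answering the challenge rather than being locked out is what keeps the scheme from becoming a denial-of-service against the account owner.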

Bryan-Low, C. (2012, January 23). Hackers-for-hire are easy to find. Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424052970203471004577145140543496380.html
Sitting in his Los Angeles home, Kuwaiti billionaire Bassam Alghanim received an alarming call from a business associate: Hundreds of his personal emails were posted online for anyone to see. Mr. Alghanim checked and found it to be true, according to a person familiar with the matter. The emails included information on his personal finances, legal affairs, even his pharmacy bills, this person said. That led to another surprise. Mr. Alghanim discovered the person who had allegedly commissioned the hackers was his own brother, with whom he is fighting over how to divide up billions of dollars of joint assets. Mr. Alghanim's lawyers allege in court filings that the brother hired investigators to illegally access his email with the help of Chinese hackers. Cost to hire the hackers: about $400.

Cappelli, D., Moore, A. P., & Trzeciak, R. F. (2012). The CERT guide to insider threats: How to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Boston, MA: Addison-Wesley Professional. [E-book available in the Safari Books Online database.]
This book ... conveys the big picture of the insider threat problem over time: the complex interactions and unintended consequences of existing policies, practices, technology, insider mindsets, and organizational culture. Most important, it offers actionable recommendations for the entire organization, from executive management and board members to IT, data owners, HR, and legal departments.

Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81. [Full text available in the ACM Digital Library database.]
On the surface, phishing attacks may seem to be a variant of spam. However, such attacks can lead to damaging losses in terms of identity theft, sensitive intellectual property and customer information, and national-security secrets. Phishing attacks are also increasingly pervasive and sophisticated. Phishing has spread beyond email to include VOIP, SMS, instant messaging, social networking sites, and even massively multiplayer games. Criminals have also shifted from sending mass-email messages, hoping to trick anyone, to more selective “spearphishing” attacks that use relevant contextual information to trick specific victims.

IT security budgets are expected to rise this year. (2012, January 25). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/23474/it-security-budgets-are-expected-to-increase-this-year/
More than half of organizations expect to increase their information security spending in 2012, some by 8% or more, according to a survey by the Enterprise Strategy Group (ESG). In addition, information security initiatives were identified by IT professionals as one of the top five IT priorities for 2012. ESG also found that 35% of organizations plan to hire additional security staff; 23% of organizations believe that there is a “problematic shortage” of security skills in their organization.

King, C. (2012, January). Spotlight on: Malicious insiders and organized crime activity (CMU/SEI-2012-TN-001). Retrieved from http://www.sei.cmu.edu/library/abstracts/reports/12tn001.cfm?WT.DCSext.abstract
The focus of this report is on current or former employees, contractors, or business partners who were affiliated with, or are considered to be part of, organized crime. The case material came from a mixture of court documents, Department of Justice press releases, interviews, and media reports. This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why. This report concludes with a summary of the relevant details of the highlighted cases and offers recommendations that could potentially mitigate the risk of similar occurrences.

NQ Mobile / National Cybersecurity Alliance. (2012, January). Report on consumer behaviors and perceptions of mobile security. Retrieved from http://docs.nq.com/NQ_Mobile_Security_Survey_Jan2012.pdf
From a related Infosecurity article: "The report, conducted independently, surveys 1,158 American smartphone users and provides a thorough and sometimes surprising insight into consumers’ attitudes toward and understanding of mobile security. It highlights, for example, that business really should be concerned about the security implications of evolving consumerization (or ‘bring your own device’) in the workplace."

Perlroth, N. (2012, January 22). Flaws in videoconferencing may open up board room to hackers. New York Times. [Full text available in the New York Times database.]
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment. With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

Rockwell, M. (2012, January 23). LANL says researchers have developed rock-solid quantum cryptography for handheld device. Government Security News. Retrieved from http://www.gsnmagazine.com/node/25496
Researchers at Los Alamos National Laboratory have developed a miniature transmitter that can bring strong security to handheld devices like tablet computers or smart phones and could replace a range of security systems, including those at border crossings. The laboratory said on Jan. 20 that it had developed a miniature transmitter that communicates with a trusted authority to generate random cryptographic keys to encode and decode information. Researchers at the lab said the technology was “an impenetrable line of defense” called the QKarD (Quantum Smart Card) that loads quantum cryptography onto a smart card or smart phone.

Zetter, K. (2012, January 24). 10K reasons to worry about critical infrastructure. Wired. Retrieved from http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices. Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems . . . are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online. But Eireann Leverett, a computer science doctoral student at Cambridge University, has developed a tool that matches information about ICSes that are connected to the internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target an industrial control system.

Zuo, Y. (2012). Survivability experiment and attack characteristics for RFID. IEEE Transactions on Dependable and Secure Computing, 9(2), 289-302. [Full text available in the IEEE Computer Science Digital Library database.]
Radio Frequency Identification (RFID) has been developed as an important technique for many high security and high integrity settings. In this paper, we study survivability issues for RFID. We first present an RFID survivability experiment to define a foundation to measure the degree of survivability of an RFID system under varying attacks. Then we model a series of malicious scenarios using stochastic process algebras and study the different effects of those attacks on the ability of the RFID system to provide critical services even when parts of the system have been damaged. Our simulation model relates its statistic to the attack strategies and security recovery. The model helps system designers and security specialists to identify the most devastating attacks given the attacker's capacities and the system's recovery abilities. The goal is to improve the system survivability given possible attacks. Our model is the first of its kind to formally represent and simulate attacks on RFID systems and to quantitatively measure the degree of survivability of an RFID system under those attacks.