| Title | Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study |
| Author | |
| Year | 2009 |
| Keyword | usability and security, SSL certificates, extended validation, web site identity, user study, browser user interfaces |
| Abstract | There has been a loss of confidence in the security provided by SSL certificates and browser interfaces in the face of various attacks. As one response, basic SSL server certificates are being demoted to second-class status in conjunction with the introduction of Extended Validation (EV) SSL certificates. Unfortunately, EV SSL certificates may complicate the already difficult design challenge of effectively conveying certificate information to the average user. This study explores the interfaces related to SSL certificates in the most widely deployed browser (Internet Explorer 7), proposes an alternative set of interface dialogs, and compares their effectiveness through a user study involving 40 participants. The alternative interface was found to offer statistically significant improvements in confidence, ease of finding information, and ease of understanding. Such results from a modest re-design effort suggest considerable room for improvement in the user interfaces of browsers today. This work motivates further study of whether EV SSL certificates offer a robust foundation for improving Internet trust, or a further compromise to usable security for ordinary users. |
| Title | Antivirus security: naked during updates |
| Author | Byungho Min, Vijay Varadharajan, Udaya Tupakula and Michael Hitchens |
| Year | 2013 |
| Keyword | |
| Abstract | |
| Title | Resolving JavaScript Vulnerabilities in the Browser Runtime |
| Author | Ejike Ofuonye, James Miller, ECE Department, University of Alberta, ofuonye@ualberta.ca, jm@ece.ualberta.ca |
| Year | 2008 |
| Keyword | |
| Abstract | The volume of web based malware on the Internet keeps rising despite huge investments on web security. JavaScript, the dominant scripting language for web applications, is the primary channel for most of these attacks. In this paper, we describe research into the design and implementation of new web client protection system based on code instrumentation techniques. This system combines traditional static analysis techniques with a dynamic HTML, CSS and JavaScript code runtime monitoring agent to offer an efficient, easily deployable, policy driven framework for improved user protection. Rewriting and runtime monitoring are based on providing safe equivalents of JavaScript code constructs known to contain insecurities and hence exploitable by malicious web applications. As a demonstration of the practical capabilities of our framework, we also include a case study attack and empirical analysis of some of its various aspects across 1000 home pages belonging to the most popular web sites on the Internet. |
| Title | “The Four Most-Used Passwords Are Love, Sex, Secret, and God”: Password Security and Training in Different User Groups |
| Author | Birgy Lorenz, Kaido Kikkas, and Aare Klooster |
| Year | 2013 |
| Keyword | passwords, security awareness, training, privacy, user behavior. |
| Abstract | Picking good passwords is a cornerstone of computer security. Yet already since the early days (e.g. The Stockings Were Hung by the Chimney with Care from 1973; we have also borrowed our title from the 1995 movie Hackers), insecure passwords have been a major liability. Ordinary users want simple and fast solutions – they either choose a trivial (to remember and to guess) password, or pick a good one, write it down and stick the paper under the mouse pad, inside the pocket book or to the monitor. They are also prone to reflecting their personal preferences in their password choices, providing telling hints online and giving them out on just a simple social engineering attack. Kevin Mitnick has said that security is not a product that can be purchased off the shelf, but consists of policies, people, processes, and technology. This applies fully to password security as well. We studied several different groups (students, educators, ICT specialists etc. – more than 300 people in total) and their password usage. The methods included a password practices survey, password training sessions, discussions and also simulated social engineering attacks (the victims were informed immediately about their mistakes). We suggest that password training should be adjusted for different focus groups. For example, we found that schoolchildren tend to grasp new concepts faster – often, a simple explanation is enough to improve the password remarkably. Thus, we would stress the people and process aspects of the Mitnick formula mentioned above. At the same time, many officials and specialists tend to react to password training with dismissal and scorn (our study suggests that 'you cannot guess my password' is an alarmingly common mindset). Examples like 'admin', 'Password', '123456' etc. have occurred even at qualified security professionals, more so at educators. Yet, as Estonia is increasingly relying on the E-School system, these passwords are becoming a prime target. Therefore, for most adult users we suggest putting the emphasis on policy and technology aspects (strict, software-enforced lower limits of acceptable password length, character variability checks, but also clearly written rulesets etc.). |
| Title | Embedded Based Tailgating/Piggybacking Detection Security System |
| Author | Tjun Wern Chan, Vooi Voon Yap and Chit Siang Soh, Faculty of Engineering and Green Technology, Universiti Tunku Abdul Rahman, Kampar, Perak, Malaysia |
| Year | 2012 |
| Keyword | tailgating; piggybacking; security system; OpenCV; embedded; open source |
| Abstract | Access control is a system which enables the authority to control and restrict access to a target sensitive or secured area. However, its effectiveness is highly dependent on the proper usage of the system by those who are granted access. These authorized personnel have total control of the door from the time it unlocks until it relocks again. One of the biggest weaknesses of automated access control is the lack of a system to prevent a practice known as “tailgating” or “piggybacking”. This paper presents a low cost solution to this problem by using a single internet protocol camera and an embedded based control unit combined with video analytics technology. Results showed that the developed system is able to detect various tailgating/piggybacking violations successfully. |
| Title | A Comparison of Perceived and Real Shoulder-surfing Risks between Alphanumeric and Graphical Passwords |
| Author | Furkan Tari, A. Ant Ozok, Stephen H. Holden |
| Year | 2006 |
| Keyword | Authentication, Human Factors, Social Engineering, Shoulder Surfing, Graphical Passwords, Password Security, Usable Security. |
| Abstract | Previous research has found graphical passwords to be more memorable than non-dictionary or “strong” alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords’ increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. |
| Title | Characterizing Privacy Leakage of Public WiFi Networks for Users on Travel |
| Author | Ningning Cheng, Wei Cheng, Prasant Mohapatra, Aruna Seneviratne |
| Year | 2013 |
| Keyword | |
| Abstract | Deployment of public wireless access points (also hotspots) and the prevalence of portable computing devices has made it more convenient for people on travel to access the Internet. On the other hand, it also generates |
| Title | Mobile Malware Threats and Defenses for Homeland Security |
| Author | Kangbin Yim, and Ilsun You |
| Year | 2012 |
| Keyword | |
| Abstract | As the population of mobile users grows rapidly, mobile malware targeting smartphones is becoming a new threat to homeland security. So far, many kinds of malicious malwares including monetizing, stealing credentials or rooting have emerged. The latest mobile malwares are especially posing a serious threat to homeland security, because they can zombify phones to be controlled by their command and conquer servers. In this paper, we survey the threats and malicious behaviors of current mobile malwares. Then, we study the defense mechanisms of mobile malware and introduce a cooperative system for mobile security in South Korea. We also discuss the possible future of mobile malware and attack techniques. |
| Title | An Overview of Cryptanalysis Research for the Advanced Encryption Standard |
| Author | Alan Kaminsky, Michael Kurdziel, Stanisław Radziszowski, Rochester Institute of Technology, Rochester, NY |
| Year | 2003 |
| Keyword | Advanced Encryption Standard; AES; Cryptanalysis; Side Channel Attacks |
| Abstract | Since its release in November 2001, the Advanced Encryption Standard (NIST FIPS-197) has been the subject of extensive cryptanalysis research. The importance of this research has intensified since AES was named, in 2003, by NSA as a Type-1 Suite B Encryption Algorithm (CNSSP-15). As such, AES is now authorized to protect classified and unclassified national security systems and information. This paper provides an overview of current cryptanalysis research on the AES cryptographic algorithm. Discussion is provided on the impact by each technique to the strength of the algorithm in national security applications. The paper is concluded with an attempt at a forecast of the usable life of AES in these applications. |
| Title | Internet Quarantine: Requirements for Containing Self-Propagating Code |
| Author | David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, University of California, San Diego |
| Year | 2001 |
| Keyword | |
| Abstract | It has been clear since 1988 that self-propagating code can quickly spread across a network by exploiting homogeneous security vulnerabilities. However, the last few years have seen a dramatic increase in the frequency and virulence of such “worm” outbreaks. For example, the Code-Red worm epidemics of 2001 infected hundreds of thousands of Internet hosts in a very short period – incurring enormous operational expense to track down, contain, and repair each infected machine. In response to this threat, there is considerable effort focused on developing technical means for detecting and containing worm infections before they can cause such damage. This paper does not propose a particular technology to address this problem, but instead focuses on a more basic question: How well will any such approach contain a worm epidemic on the Internet? We describe the design space of worm containment systems using three key parameters – reaction time, containment strategy and deployment scenario. Using a combination of analytic modeling and simulation, we describe how each of these design factors impacts the dynamics of a worm epidemic and, conversely, the minimum engineering requirements necessary to contain the spread of a given worm. While our analysis cannot provide definitive guidance for engineering defenses against all future threats, we demonstrate the lower bounds that any such system must exceed to be useful today. Unfortunately, our results suggest that there are significant technological and administrative gaps to be bridged before an effective defense can be provided in today’s Internet. |
| Title | Plugging the Leaks Without Unplugging Your Network in the Midst of Disaster |
| Author | Aaron D Goldman, Arif Selcuk Uluagac |
| Year | 2012 |
| Keyword | Data Leakage, Network Disaster Recovery, Availability, Confidentiality, Post-Disaster Network Security |
| Abstract | Network Disaster Recovery research has examined behavior of networks after disasters with an aim to restoring normal conditions. In addition to probable loss of connectivity, a disaster scenario can also lead to security risks. However, network security has been examined extensively under normal conditions, and not under conditions that ensue after disasters. Therefore, security issues should be addressed during the period of chaos after a disaster, but before operating conditions return to normal. Furthermore, security should be assured, while still allowing access to the network to enable public communication in order to assist in disaster relief efforts. In general, the desire to help with public assistance requires opening up access to the network, while security concerns add pressure to close down or limit access to the network. In this study, we show that the objectives of availability and confidentiality, two objectives that have not previously been considered together in disaster scenarios, can be simultaneously achieved. For our study, we evaluated six wireless devices with various network configurations, including a laptop, a Kindle Fire e-reader, an Android tablet, a Google Nexus phone, an IP camera, and an Apple TV, to approximate behaviors of a communication network under a disaster scenario. Actual data leakage was tracked and observed for these devices. To the best of our knowledge this has not previously been examined in a systematic manner for post-disaster scenarios. After illustrating the data leakage of various devices, we analyze the risk associated with the various types of leakage. Moving private traffic to a VPN would free the physical network for use as a public resource. |
| Title | Design and Implementation of Secure Subnet Inside of Data Sensitive Network |
| Author | Haiwei Xue, Yunliang Zhang, Zhien Guo, Yiqi Dai |
| Year | 2013 |
| Keyword | Privacy; Network Security; Access Control; Inside Leak; Security Model; BLP |
| Abstract | Sensitive data leaks can cause significant loss for some organizations, especially for technology intensive companies and national security departments. Traditional mandatory access control (MAC) can only control whether the user can access the sensitive data or not, and cannot prevent the user from leaking or spreading the data. So even with impeccably designed access control policies, we still cannot prevent inside leaks. A natural solution is using physical isolation to prevent sensitive data from being leaked outside the network; however, inside the physically isolated network, data can still be spread from one subnet to another. We present Secure Subnet System, a BLP-model-based security system that can provide stronger access control, which is called mandatory action control. In our system, after a user reads sensitive data, the system will dynamically change security policies to prevent the user from leaking these data or spreading the data outside to another subnet. We use a state machine model to describe our system, and use secure transfer equations to dynamically calculate the system policies for each new state. Our model can be proved to be secure by formal methods. We implemented a demo of our system. In this paper we also show the design details of the demo and evaluate the demo both from security and performance. The evaluation results show that the outputs of the security test cases are as expected; and the performance test cases show that, for the 64KB IO chunk size, IO read loss can be improved to 6.6%, IO write loss can be improved to 1.2% after optimization. |
| Title | Malware Defense Using Network Security Authentication |
| Author | Joseph V. Antrosio and Errin W. Fulp, Wake Forest University, Department of Computer Science, Winston-Salem, NC, USA, nsg.cs.wfu.edu, antrjv\|fulp@wfu.edu |
| Year | 2005 |
| Keyword | |
| Abstract | Malware defenses have primarily relied upon intrusion fingerprints to detect suspicious network behavior. While effective for discovering computers that are already compromised, these systems are not designed to stop the spread or damage of malware. Standard gateway firewalls can prevent outside-based attacks; however, they are ineffective in a mobile network where threats originate from inside and administrators have limited control over client machines. This paper introduces a new strategy for malware defense using security authentication which focuses on vulnerabilities rather than exploits. The proposed system uses a remote security scanner to check for vulnerabilities and quarantines machines using logical network segmentation. This maximizes the usefulness of the machine in question while preventing attacks. Furthermore given the unique ability to quarantine machines without any specialized host software, the proposed system can defend against internal malware threats in a mobile network. been achieved utilizing a proof-of-concept model and standard networking tools. |
| Title | |
| Author | |
| Year | 2013 |
| Keyword | Survey; Pervasive Computing; Network-level security and protection; Physical Security |
| Abstract | Emergency management is increasingly dependent on networks for information gathering, coordination and physical system control, and consequently is increasingly vulnerable to network failures. A cyber attack could cause such network failures intentionally, so as to impede the work of first responders and maximise the impact of a physical emergency. We propose a taxonomy of existing and potential research that is relevant in this setting, covering attack types that have already occurred or are likely to occur, and defence mechanisms that are already in use or would be applicable. |