Thursday, February 26, 2009

Blog: Researchers Say Gazelle Browser Offers Better Security

Researchers Say Gazelle Browser Offers Better Security
Campus Technology (02/26/09) Mackie, Kurt

Researchers at several universities are working with Microsoft Research to develop a more secure Web browser, code-named Gazelle. The researchers recently demonstrated Gazelle on Windows Vista with Internet Explorer's Trident renderer, and have also published a paper describing the project. Gazelle is built around a browser-based operating system, a browser kernel of approximately 5,000 lines of C# code that is designed to withstand memory attacks. "No existing browsers, including new architectures like IE 8, Google Chrome, and OP [another experimental browser], have a multi-principal OS construction that gives a browser-based OS, typically called browser kernel, the exclusive control to manage the protection and fair-sharing of all system resources among browser principals," the authors write. The principals, or Web sites, communicate with each other only by passing messages through the browser kernel, which enforces security and manages the sharing of system resources. The browser uses separate processes to run a Web page and the principals embedded in it. Still in the prototype stage, Gazelle is slow because of the overhead of this design, and the team still has to address browser plug-ins.


Blog: 76% of phishing sites hosted on compromised servers; lots of SQL Injection

Research: 76% of phishing sites hosted on compromised servers

Posted by Dancho Danchev; February 26th, 2009 @ 7:12 am

In a newly released paper entitled “Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing”, Tyler Moore and Richard Clayton provide empirical evidence that 75.8% of the 2486 phishing sites they analyzed were hosted on compromised web servers, to which the phishers had obtained access through Google hacking techniques (search-engine reconnaissance for vulnerable hosts).

The research also indicates that not only are legitimate sites (unknowingly) providing hosting services to scammers, but also that 19% of the vulnerable sites that they’ve analyzed were recompromised within six months.

Monday, February 23, 2009

Blog: U.S. lists top 20 security controls

U.S. lists top 20 security controls

By Tom Espiner, ZDNet.co.uk
Posted on ZDNet News: Feb 23, 2009 12:48:50 PM

A group of U.S. government security organizations has listed the top 20 security actions that they recommend organizations take to improve computer security. Called Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, the list was published on Monday by a consortium of U.S. government agencies, including the NSA, US-CERT and various U.S. Department of Defense computer security groups, together with the security training organization SANS Institute.


Blog: US Consortium Releases Consensus Security Audit Guidelines [CAG]

US Consortium Releases Consensus Security Audit Guidelines

SANS NewsBites Vol. 11 Num. 15 (February 23, 2009)

A consortium of security experts from government and industry has released the Consensus Audit Guidelines (CAG), a list of 20 controls that government and private industry organizations must implement to protect against and mitigate the effects of cyber attacks. For each control, the CAG details the attacks it stops or mitigates, how to implement and automate the control, and how to determine whether the control is implemented effectively. The CAG consortium includes the organizations that know how actual attacks are being executed (NSA Red and Blue teams, US-CERT, DC3, DoE Nuclear labs, and more). The CAG is available for public comment through March 23, 2009. The full guidelines may be found at:

http://www.sans.org/cag/

http://www.theregister.co.uk/2009/02/23/cybersecurity_gold_standard/

http://news.cnet.com/8301-1009_3-10169583-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

http://fcw.com/Articles/2009/02/23/cyber-controls.aspx

http://federaltimes.com/index.php?S=3957648

http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=214502467&subSection=News

[Editor's Note (Northcutt): I hope you will take a few minutes out of your busy day and take a look at these. You are going to see some initials to the left of the controls. QW stands for Quick Win. The big suggestion I have is to look over the quick wins and see if you can get a few of those in place. Great job on these and I hope we start to see thought leaders take advantage of this.]

Monday, February 16, 2009

Blog: The Computer as a Road Map to Unknowable Territory; modeling complex behavior

The Computer as a Road Map to Unknowable Territory
Washington Post (02/16/09) P. A7; Vedantam, Shankar

Scientist Yaneer Bar-Yam has developed a computational model of the economy that uses virtual actors to populate the world, instead of digital representations of specific individuals, companies, and brokers, enabling researchers to change how the actors behave and study how those changes affect the economic ecosystem. Bar-Yam says the principle behind the model is that humans regularly solve problems by imagining how certain behaviors will affect specific outcomes, but in a complex system such as the economy, which can be affected by fear, rumors, and misinformation, the ability to forecast accurately is severely reduced. He wanted to understand why the economy was so turbulent, and his model provides a unique explanation for the instability. In July 2007, the Bush administration eliminated a 69-year-old regulation known as the uptick rule. The rule was designed to prevent bear raids, in which a powerful investor suddenly sells a large number of shares in a company, creating a temporary situation in which supply is greater than demand, causing prices to fall and allowing the investor to buy back shares at a lower price. Bar-Yam's model suggests that the elimination of the uptick rule created instability in the same way removing a support from a house would, which allowed the housing crisis to cripple the economy. The model, which was created at Bar-Yam's New England Complex Systems Institute, is just one of many computational models that have recently been developed to obtain a more thorough understanding of complex systems. Other models include two University of Maryland models, one used to predict how different situations could amplify the likelihood of violence in the Middle East, and one that shows that infant mortality levels predict the likelihood of political instability in a country better than any other single measurement.

Monday, February 9, 2009

Blog: How to make your website really, really fast

How to make your website really, really fast

Posted by Andrew Mager; February 9th, 2009 @ 2:48 pm

Google's Steve Souders, who knows how to make a website speed through a browser, shares 14 tips for improving the efficiency and response time of any site. The best part: None of these techniques are that hard to implement.


Friday, February 6, 2009

Blog: A New Kind of Counting; Graph Coloring Problem solution

A New Kind of Counting
Max Planck Society (02/06/09) Abrell, Barbara

Scientists at Germany's Max Planck Institute for Dynamics and Self-Organization (MPIDS) and Cornell University have developed a computer algorithm to crack previously unsolvable counting problems. Such counting problems are visualized by researchers as a network of lines and nodes, which reduces them to one basic challenge: determining the number of different ways to color the nodes with a certain number of colors without assigning the same color to two nodes joined by a line. Depending on the application, a node's color takes on a completely different meaning. "The existing algorithm copies the whole network for each stage of the calculation and only changes one aspect of it each time," says MPIDS scientist Frank van Bussel. The researchers instead move through the network on a node-by-node basis, and the program never looks at the entire network but only at the next node. At the first node, the program cannot finalize the color selection, as it would have to know how all the other nodes are linked to each other. Instead, the program notes down a formula for the first lattice point, which contains this uncertainty as an unknown quantity. As the program moves through the network, all the connections are exposed and the unknown quantities are removed. The program's knowledge of the network is complete once it has reached the final node. The calculation time for a square lattice the size of a chess board is estimated to be many billions of years, but Denny Fliegner of MPIDS says the program can accomplish this in just seven seconds.
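As an added illustration (not code from the MPIDS/Cornell project, whose node-by-node method the article describes), here is the classic deletion-contraction recurrence for the same quantity: it keeps the number of colors q symbolic as a polynomial, and the result is checked against brute-force enumeration on a small constructed lattice. It is exponential in the graph size, so it shows the counting problem itself, not the researchers' speed-up.

```python
from functools import lru_cache
from itertools import product

def _poly_sub(a, b):
    """Subtract polynomial b from a; lists are coefficients indexed by power of q."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [x - y for x, y in zip(a, b)]

@lru_cache(maxsize=None)
def _chrom(nodes, edges):
    # Base case: no edges, so every node is free and P(q) = q^n.
    if not edges:
        return [0] * len(nodes) + [1]
    e = next(iter(edges))
    u, v = tuple(e)
    deleted = edges - {e}
    # Contract e: merge v into u, dropping the loop and any duplicate edges.
    contracted = set()
    for f in deleted:
        g = frozenset(u if x == v else x for x in f)
        if len(g) == 2:
            contracted.add(g)
    # Deletion-contraction recurrence: P(G) = P(G - e) - P(G / e).
    return _poly_sub(_chrom(nodes, deleted),
                     _chrom(nodes - {v}, frozenset(contracted)))

def chromatic_polynomial(nodes, edges):
    """Coefficients [c0, c1, ...] of P(q), the number of proper q-colorings."""
    return _chrom(frozenset(nodes), frozenset(frozenset(e) for e in edges))

def evaluate(poly, q):
    return sum(c * q ** k for k, c in enumerate(poly))

def count_colorings_bruteforce(nodes, edges, q):
    """Enumerate all q^n assignments and keep the proper ones (tiny graphs only)."""
    idx = {v: i for i, v in enumerate(sorted(nodes))}
    return sum(1 for cols in product(range(q), repeat=len(nodes))
               if all(cols[idx[a]] != cols[idx[b]] for a, b in edges))

def grid_graph(rows, cols):
    """Square-lattice graph like the chess board in the article (constructed input)."""
    nodes = [(r, c) for r in range(rows) for c in range(cols)]
    edges = [((r, c), (r, c + 1)) for r, c in nodes if c + 1 < cols]
    edges += [((r, c), (r + 1, c)) for r, c in nodes if r + 1 < rows]
    return nodes, edges
```

For the 2x2 lattice (a 4-cycle) the polynomial comes out as q^4 - 4q^3 + 6q^2 - 3q, which gives 18 proper 3-colorings.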


Thursday, February 5, 2009

Blog: Fingerprints and Faces Can Be Faked, But Not Brain Patterns

Fingerprints and Faces Can Be Faked, But Not Brain Patterns
ICT Results (02/05/09)

The European Union-funded HUMABIO project is combining new types of biometric recognition systems with the latest sensor technologies to develop better security applications. HUMABIO researchers have developed sensorial and connectivity hardware for specific biometric applications, as well as new software to extract the biometric profile of individuals, which is based on physiology and behavior characteristics. HUMABIO's biometrics include using electrocardiograms to record heart rhythms and electroencephalograms to record brain patterns. The project has developed a prototype headgear system that uses two electrodes to take both readings. The technology is still in the proof-of-concept stage, but project coordinator Dimitrios Tzovaras says the researchers are very pleased with the results so far. "This is the first time this type of biometrics has been used for identification, and it solves most of the problems other biometric systems face," Tzovaras says. The project has been working on other types of biometrics that are much closer to commercialization, including gait or walking analysis, and analyzing a person's seated posture. The project also has been working on improving facial- and voice-recognition systems, and combining multiple biometric techniques into a multimodal biometric identification system that is more secure than individual biometric techniques.


Blog: Fighting Tomorrow's Hackers

Fighting Tomorrow's Hackers
American Friends of Tel Aviv University (02/05/09)

The development of quantum computing threatens to expose the security of digital information, as the technology could be used to bypass the cryptographic systems currently used by businesses and banks. "We need to develop a new encryption system now, before our current systems... become instantly obsolete with the advent of the first quantum computer," says Oded Regev, a professor at Tel Aviv University's Blavatnik School of Computer Science. Regev has proposed a secure and efficient system that is backed by a mathematical proof of security and believed to be the first solution safe from quantum computers. Regev combined ideas from quantum computation with research from other leaders in the field to create a system that is efficient enough for real-world applications. Regev first presented his work at the ACM Symposium on Theory of Computing, and it will appear in the Journal of the ACM. The work also will become the foundation for other cryptographic systems projects at the Stanford Research Institute, Stanford University, and the Massachusetts Institute of Technology. Regev's proposed system could have a variety of real-world applications, including banking transactions, online auctions, and digital signatures.
