Research Menu

.
Skip Search Box

The Next Wave | Vol. 19 | No. 2 | 2012

Applying a new mathematical framework to cybersecurity

A team of researchers from the Stevens Institute of Technology and the City University of New York, led by Dr. Antonio Nicolosi, is applying a new mathematical paradigm to cryptography to secure the Internet. Dr. Nicolosi's team was awarded a grant from the National Science Foundation to support the development of new cryptographic tools and protocols and to promote collaboration between the cryptography and group-theory research communities. The team is applying recent developments in combinatorial group therapy (CGT)—a mathematical framework sensitive to the order of operations in an equation—to cybersecurity. Cybersecurity depends upon the quantifiable hardness of a small number of mathematical equations available in cryptographic methodologies; because CGT is sensitive to the order of operations, it is an effective method to generate new quantifiable mathematical equations that can be used to enhance cybersecurity. Dr. Nicolosi believes that CGT could also improve authentication protocol efficiency. Both undergraduate and graduate students will be participating in building the systems used to test the equations. For more information, visit www.stevens.edu/news/content/applying-new-mathematics-robust-cryptography-and-safer-internet.


Combating next-generation computer viruses

Dr. Kevin Hamlen of the University of Texas at Dallas' Cyber Security Research Center has discovered a new method to predict the actions of computer viruses. Dr. Hamlen's research uses advanced algorithms based on programming-language research to predict and interrupt the actions of malware programs in the microseconds before those programs begin to execute and mutate. His method builds upon existing computing capabilities and features already programmed into most central processing unit chips currently used in various popular devices, such as laptops. This research could give way to new, proactive antivirus programs. For more information, visit www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=2754&zoneid=329.


New forensics tool exposes online activity

Stanford University researchers, led by Elie Bursztein, have developed software that bypasses the encryption on a personal computer's hard drive to reveal the websites a user has visited and whether he/she has any data stored in the cloud. Other than Microsoft, Bursztein and his team are the only ones to discover how to decrypt the files. Their free, open-source software—Offline Windows Analysis and Data Extraction (OWADE)—runs on a Windows operating system and was introduced at the Black Hat 2011 security conference in August. OWADE can enable, for example, a law enforcement agent to reconstruct a suspect's online activity by extracting sensitive data stored by Windows, the browsers, and instant messaging software from the computer's hard drive. For more information, visit www.newscientist.com/article/mg21128285.300-new-forensics-tool-can-expose-all-your-online-activity.html. The white paper can be downloaded from elie.im/talks/beyond-files-recovery-OWADE-cloud-based-forensic.


Measuring the effects of a Wi-Fi attack

Dr. Wenye Wang and a team of researchers at North Carolina State University have developed a method to measure the effects of different types of wireless-fidelity (Wi-Fi) attacks on a network; this method will be helpful in developing new cybersecurity technologies. The researchers examined two Wi-Fi attack models—a persistent attack and an intermittent attack—and compared how these attacks are affected by different conditions, such as the number of users. They developed a metric called an order gain, which measures the probability of an attacker having access to a Wi-Fi network versus the probability of a legitimate user having access to the same network. For example, if a user has an 80 percent chance of accessing a network, and other users have the remaining 20 percent, the order gain is four. This metric is useful in determining which attacks cause the most disruption. The researchers suggested that system administrators focus their countermeasures on persistent attacks that target networks with large numbers of users because this yields the largest order gain. For more information, visit news.ncsu.edu/releases/wmswangordergain/.


An app that logs the keystrokes on your smartphone

Hao Chen and Liang Cai of the University of California, Davis, have created an application that records what you type on your Android smartphone. Also called keylogging, criminals can use this method to steal your passwords, logins, and other private information. The application uses the smartphone's motion sensors to detect vibrations that result from tapping the screen, and it doesn't have to be visible on the screen to work. Chen and Cai say that the application correctly guesses over 70 percent of keystrokes on a virtual numerical keypad like those used in calculator applications. They expect the accuracy to be even higher on tablet devices due to tablets' larger size and resulting movement from tapping the screen. For more information, visit www.newscientist.com/article/mg21128255.200-smartphone-jiggles-reveal-your-private-data.html.


Enhanced security for sensitive data in cloud computing

A team of researchers from North Carolina State University (NCSU) and IBM have developed a new technique to better protect sensitive data in cloud computing while preserving the system's performance. Cloud computing uses hypervisors—programs that create a virtual workspace, or cloud, in which different operating systems can run in isolation from one another. In cloud computing, a common concern is that attackers could take advantage of vulnerabilities in the hypervisor to steal or corrupt sensitive data from other users in the cloud. The new technique, Strongly Isolated Computing Environment (SICE), addresses this concern by isolating sensitive information and workload from the rest of the functions performed by the hypervisor. Dr. Peng Ning, professor of computer science at NCSU and one of the researchers on the project, says, "...our approach relies on a software foundation called the Trusted Computing Base, or TCB, that has approximately 300 lines of code, meaning that only these 300 lines of code need to be trusted in order to ensure the isolation offered by our approach. Previous techniques have exposed thousands of lines of code to potential attacks. We have a smaller attack surface to protect." Additionally, testing indicated that the SICE framework used only about three percent of the system's performance on multicore processors that do not require direct network access. For more information, visit news.ncsu.edu/releases/wmsningsice/.


Vulnerabilities found in top Google Chrome extensions

Security researchers Adrienne Porter Felt, Nicholas Carlini, and Prateek Saxena at the University of California, Berkeley, conducted a review of 100 Google Chrome extensions, including the 50 most popular ones, and found that 27 percent of them contain one or more JavaScript injection vulnerabilities. This vulnerability can allow an attacker, via the web or an unsecure Wi-Fi hotspot, to take complete control of an extension and gain access to a user's private data. The researchers also reported that seven of the vulnerable extensions were used by 300,000 people or more. They sent vulnerability warnings to all the relevant developers. For more information, visit www.informationweek.com/news/security/vulnerabilities/231602411.


Secure cloud computing service for US researchers

On November 2, 2011, Indiana University (IU) and Penguin Computing announced a partnership to offer US researchers access to a secure cloud computing service. The service remains secure because it is run by a group of computers owned by Penguin and housed in IU's secure state-of-the-art data center. In addition to IU, initial users of the service include the University of Virginia, the University of California, Berkeley, and the University of Michigan. The service will next be available for purchase to researchers at other US institutions of higher education and federally funded research centers. For more information, visit ovpitnews.iu.edu/news/page/normal/20208.html.


Automated tool defeats CAPTCHA on popular websites

TABLE1. Results of Decaptcha testing
Website Decaptcha's
Solving Rate
Megaupload 93%
CAPTCHA.net 73%
NIH 72%
Blizzard 70%
Authorize.net 66%
eBay 43%
Reddit 42%
Slashdot 35%
Wikipedia 25%
Digg 20%
CNN 16%
Baidu 5%
Skyrock 2%
Google 0%
reCAPTCHA 0%

Stanford University researchers Elie Bursztein, Matthieu Martin, and John C. Mitchel created an automated tool, Decaptcha, that deciphers text-based antispam tests used by many popular websites. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a security mechanism used by many websites to block spam bots from registering for an account or posting a comment; it consists of a challenge, such as typing distorted text, that only humans are supposed to be able to solve. Decaptcha uses algorithms to clean up image background noise and to break text strings into individual characters for easier recognition. The researchers ran the tool against 15 popular websites and found that it was able to beat Visa's Authorize.net payment gateway 66 percent of the time, Blizzard (i.e., World of Warcraft, Starcraft II, and Battle.net) 70 percent of the time, eBay 43 percent of the time, and Wikipedia 25 percent of the time. Of the tested websites, Decaptcha could not break CAPTCHAs on Google or reCAPTCHA. (See table 1 for more results.) To download the paper describing this research, "Text-based CAPTCHA strengths and weaknesses," visit elie.im/publication/text-based-Captcha-strengths-and-weaknesses.


Internet privacy tools are difficult for most users

Researchers from the Carnegie Mellon CyLab Usable Privacy and Security Laboratory conducted a usability study of nine Internet privacy tools and found that they were confusing and ineffective for most nontechnical users. The researchers evaluated the use of privacy settings in two popular browsers, Internet Explorer 9 and Mozilla Firefox 5, as well as three tools that set opt-out cookies to prevent websites from displaying advertisements, and four tools that block certain sites from tracking user activity. The major findings include the following:

    Users can't distinguish between trackers. Users are unfamiliar with companies that track their behavior, so tools that ask them to set opt-out or blocking preferences on a per-company basis are ineffective. Most users just set the same preferences for every company on a list.

    Inappropriate defaults. The default settings of privacy tools and opt-out sites are inappropriate for users; they generally do not block tracking. A user must manually adjust the settings of these tools to activate their capability to block tracking.

    Communication problems. The tools provide instructions and guidance that are either too simplistic to inform a user's decision, or too technical to be understood.

    Need for feedback. Many of the tools do not provide feedback to let users know that the tool is actually working.

    Users want protections that don't break things. Users had difficulty determining when the tool they were using caused parts of websites to stop working. Subscribing to a Tracking Protection List (TPL) that blocks most trackers except those necessary for sites to function can solve this problem, but participants were unaware of the need to select a TPL or didn't know how to choose one.

    Confusing interfaces. The tools suffered from major usability flaws. For example, some users mistook registration pages for opt-out pages, and some users did not realize they needed to subscribe to certain features of the tools.

To download the technical report describing this research, "Why Johnny can't opt out: A usability evaluation of tools to limit online behavioral advertising," visit www.cylab.cmu.edu/research/techreports/2011/tr_cylab11017.html.


"Split-manufacturing" microprocessors to protect intellectual property

The Intelligence Advanced Research Project Agency (IARPA) is working toward developing a "split-manufacturing" process for microprocessor chips to ensure their design is secure and protected. In split-manufacturing, chip fabrication is split into two processes: front-end-of-line (FEOL) and back-end-of-line (BOEL). The FEOL process involves the fabrication of transistor layers in offshore foundries, and the BOEL process involves the fabrication of metallizations in trusted US facilities. According to IARPA, those working on the FEOL process will not have access to information about the design intention of the chips. This split process is intended to prevent malicious circuitry as well as protect the intellectual property of the chip design. Sandia National Laboratories will coordinate all FEOL and BEOL processes, and the University of Southern California Information Sciences Institute will carry out the fabrication runs. For more information, visit www.informationweek.com/news/government/enterprise-architecture/231902147.

View PDF version of this article 374 KB

 

Date Posted: Jan 15, 2009 | Last Modified: May 9, 2012 | Last Reviewed: May 9, 2012

 
bottom