"Hosts must be able to access other hosts in an automated fashion, often with very high privileges, for a variety of reasons, including file transfers, disaster recovery, privileged access
management, software and patch management, and dynamic cloud provisioning. This is often accomplished using the Secure Shell (SSH) protocol. The SSH protocol supports several mechanisms for
authentication, with public key authentication being recommended for automated access with SSH. Management of automated access requires proper provisioning, termination, and monitoring processes, just as
interactive access by normal users does. However, the security of SSH-based automated access has been largely ignored to date. This publication assists organizations in understanding the basics of SSH
automated access management in an enterprise, focusing on the management of SSH access tokens."
"Advanced imaging technologies are a new class of people screening systems used at airports and other sensitive environments to detect metallic as well as nonmetallic contraband. We present
the first independent security evaluation of such a system, the Rapiscan Secure 1000 full-body scanner, which was widely deployed at airport checkpoints in the U.S. from 2009 until 2013. We find that the
system provides weak protection against adaptive adversaries: It is possible to conceal knives, guns, and explosives from detection by exploiting properties of the device’s backscatter X-ray technology.
We also investigate cyberphysical threats and propose novel attacks that use malicious software and hardware to compromise the effectiveness, safety, and privacy of the device. Overall, our findings
paint a mixed picture of the Secure 1000 that carries lessons for the design, evaluation, and operation of advanced imaging technologies, for the ongoing public debate concerning their use, and for
cyberphysical security more broadly."
"Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google’s end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo
onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs. So great work by Google and Yahoo! Which is why the following complaint is going to seem awfully
ungrateful. I realize this and I couldn’t feel worse about it. As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken. It’s time for PGP to die."
"Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative
capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations,
but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this
complexity spawns vulnerabilities and lowers the visibility of intrusions. Cyber systems’ responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component’s
design or direction to degrade or subvert system behavior. These systems’ empowerment of users to retrieve and manipulate data democratizes capabilities, but this great benefit removes safeguards present
in systems that require hierarchies of human approvals. In sum, cyber systems nourish us, but at the same time they weaken and poison us."
"our society, their security is becoming an increasingly important issue. However, based on the results of many recent analyses of individual firmware images, embedded systems acquired a
reputation of being insecure. Despite these facts, we still lack a global understanding of embedded systems’ security as well as the tools and techniques needed to support such general claims. […] In
summary, without performing sophisticated static analysis, we discovered a total of 38 previously unknown vulnerabilities in over 693 firmware images. Moreover, by correlating similar files inside
apparently unrelated firmware images, we were able to extend some of those vulnerabilities to over 123 different products. We also confirmed that some of these vulnerabilities altogether affect at
least 140K devices accessible over the Internet. It would not have been possible to achieve these results without an analysis at such wide scale. We believe that this project, which we plan to provide
as a firmware unpacking and analysis web service, will help shed some light on the security of embedded devices."
"To open a bank account in Pakistan, to get a new driver license or passport or to activate a SIM card, you need to present a computerized national identity card. These cards are about more
than just proving identity; they are essential to getting on with your day-to-day life. So what happens when you lose your identity to fraud? Pakistan is one of the few nations that has registered almost
the entire population’s biometric details and provided citizens with a computerized national identity card. But even with that system in place, fraud is still rampant. I took a closer look at the fraud
industry to understand just how identity fraud persists in the new biometric era."
"My neighbor lives on the second floor of a Brooklyn walk-up, so when I came to his front door he tossed me a pair of keys rather than walk down the stairs to let me in. I opened the door,
climbed the stairs, and handed his keys back to him. We chatted about our weekends. I drank a glass of water. Then I let him know that I would be back soon to gain unauthorized access to his home. Less
than an hour later, I owned a key to his front door."
"We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that
approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model
and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We
find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for
"We conduct a security analysis of five popular web-based password managers. Unlike ‘local’ password managers, web-based password managers run in the browser. We identify four key security
concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an
attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the
vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study
suggests that it remains a challenge for password managers to be secure. To guide future development of password managers, we provide guidance for password managers. Given the diversity of
vulnerabilities we identified, we advocate a defense-in-depth approach to ensure security of password managers."
"The FTC has brought enforcement actions addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing,
and mobile. These matters include over 130 spam and spyware cases and more than 40 general privacy lawsuits."
"A cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries. The Dragonfly group, which is also known by other vendors as Energetic Bear, are a capable group who are evolving over time and targeting primarily the energy sector and related industries. They have been in operation since at least 2011 but may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus to US and European energy firms in early 2013. More recent targets have included companies related to industrial control systems."
"The 2014 EMC Privacy Index surveyed 15,000 people in 15 countries to produce a ranking of nations based on consumer perceptions and attitudes about data privacy, and their willingness to trade privacy for greater convenience and benefits online."
"[…] smartphones are actually spy phones. But they don’t need to be. If we had enough open wireless networks available, we could change that. Startup companies—and open source projects—could
make devices that used the open networks without reporting your location and communications to phone companies. Devices that skip smoothly from one open wireless network to another don’t provide the kind
of granular information about your intimate activities that the current single-carrier systems do. We have two choices: let mobile privacy stay dead forever, or build an alternative open wireless
"We have built PlayDrone, a system that uses various hacking techniques to circumvent Google security to successfully crawl Google Play. […] We further show that […] Android applications
contain thousands of leaked secret authentication keys which can be used by malicious users to gain unauthorized access to server resources through Amazon Web Services and compromise user accounts on
Facebook. We worked with service providers, including Amazon, Facebook, and Google, to identify and notify customers at risk, and make the Google Play store a safer place."
"We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it
did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice — not to run untrusted executables
— if there was a direct incentive, and how much this incentive would need to be."