"Last week the entire web discovered the existence of the so called ‘Heartbleed’ vulnerability affecting one of the most popular mechanisms used to secure communication with web sites: OpenSSL. The underlying problem is a programming error with fatal consequences. The technical background is analysed by ENISA in a new flash note."
"Each Internet user has, on average, 25 password-protected accounts, but only 6.5 distinct passwords. Despite the advice of security experts, users are obviously re-using passwords across multiple sites. So this paper asks the question: given that users are going to re-use passwords across multiple sites, how should they best allocate those passwords to sites so as to minimize their losses from accidental password disclosures?"
"After 12 years, support for Windows XP will end on April 8, 2014. Microsoft Windows XP’s end of support, combined with a collective action failure stemming from individual users’ failure to realize or internalize the costs of failing to migrate or upgrade their operating systems, could be catastrophic. The attached essay briefly sketches out the argument for why software monopolists should be legally required to help other companies provide ongoing support for their products. First, it describes the conceptual and economic theories that would support such a requirement. Second, it describes the conflicting law governing the intersection between intellectual property and antitrust. Third, it exhorts Microsoft to extend the support clock, release its source code, or make clear to the world that should anyone else wish to take on the task of providing future security support for Windows XP, Microsoft will help them to do so."
"The American Civil Liberties Union writes to offer its perspective on the proposed amendment to Rule 41 concerning remote searches of electronic storage media. […] The proposed amendment would significantly expand the government’s authority to conduct remote searches of electronic storage media. Those searches raise serious Fourth Amendment questions. It would also expand the government’s power to engage in computer hacking in the course of criminal investigations, including through the use of malware and other techniques that pose a risk to internet security and that raise Fourth Amendment and policy concerns."
"We describe cryptographic protocols for secure execution of warrants or legal orders authorizing access to data held by private parties. Using cryptography enables a better combination of security, privacy, and accountability properties than would otherwise be possible. We describe a series of protocols, based on different assumptions about trust and technical sophistication of the parties, and making use of well-studied cryptographic tools. We report benchmark results from our prototype implementation of the tools involved in one such protocol, and show that the protocol’s entire computational cost is easily feasible even for very large data sets, such as ‘cloud’ software service or telecommunications databases comprising billions of records."
"Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets in both the tools (e.g., exploit kits) and the take (e.g., credit card information). As with most things, intent is what can make something criminal or legitimate, and there are cases where goods or services can be used for altruistic or malicious purposes (e.g., bulletproof hosting and zero-day vulnerabilities). This report describes the fundamental characteristics of these markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options that could minimize the potentially harmful influence these markets impart."
"In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in
"This document details a large and sophisticated operation, code named ‘Windigo’, in which a malicious group has compromised thousands of Linux and Unix servers. The compromised servers are used to steal SSH credentials, redirect web visitors to malicious content and send spam. This operation has been ongoing since at least 2011 and has affected high profile servers and companies […] This report contains a detailed description of our ongoing investigation of the Windigo operation. We provide details on the number of users that have been victimized and the exact type of resources that are now in control of the gang. Furthermore, we provide a detailed analysis for the three main malicious components of this operation […]"
"With mobile subscriptions worldwide totalling approximately 7 billion by the end of 2013, it is clear that mobile devices are rapidly replacing the personal computer at home and in the workplace. We now rely on smartphones and tablets for everything Internet-related in our lives, from web surfing to e-commerce transactions and online banking. Therefore, in the space of little more than a year or so, we have gone from talking about them as an emerging threat vector, to one which is already being consistently exploited by cybercriminals. They have rapidly become a potential treasure trove of personal data for the cyber criminal and also represent an easy way to get to end users, through social engineering techniques such as fake antivirus, which trick users into paying to get rid of non-existent malware."
"Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 18% caused by assumptions affecting caching and cookies. We present a novel defense reducing attack accuracy to 27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website."
"The security of computer systems often relies upon decisions and actions of end users. In this paper, we set out to investigate user-centered security by concentrating at the most fundamental component governing user behavior – the human brain. We introduce a novel neuroscience-based study methodology to inform the design of user-centered security systems. Specifically, we report on an fMRI study measuring users’ security performance and the underlying neural activity with respect to two critical security tasks: (1) distinguishing between a legitimate and a phishing website, and (2) heeding security (malware) warnings. At a higher level, we identify neural markers that might be controlling users’ performance in these tasks, and establish relationships between brain activity and behavioral performance as well as between users’ personality traits and security behavior."
"The United States healthcare system is marching diligently toward a more connected system of care through the use of electronic health record systems (EHRs) and electronic exchange of patient information between organizations and with patients and caregivers. The Patient Identification and Matching Initiative, sponsored by the Office of the National Coordinator for Health Information Technology (ONC), focused on identifying incremental steps to help ensure the accuracy of every patient’s identity, and the availability of their information wherever and whenever care is needed. Matching records to the correct person becomes increasingly complicated as organizations share records electronically using different systems, and in a mobile society where patients seek care in many healthcare settings. Many healthcare organizations use multiple systems for clinical, administrative, and specialty services, which leads to an increased chance of identity errors when matching patient records. Additionally, many regions experience a high number of individuals who share the exact name and birthdate, leading to the need for additional identifying attributes to be used when matching patient records. […] Driven by concerns for patient safety in the event of mismatched or unmatched records and the national imperative to improve population health and lower costs through care coordination, this initiative studied both technical and human processes, seeking improvements to patient identification and matching that could be quickly implemented and lead to near-term improvements in matching rates."
"The NAID-ANZ Secondhand Hard Drive Study, completed in January 2014 and published 19 Feb., showed that 15 of 52 hard drives randomly purchased, approximately 30 percent, contained highly confidential personal information. While seven of the 15 devices were recycled by individuals, eight were recycled by law firms, a government medical facility, and a community centre. These study results come just before the new Privacy Act reforms will be effective 12 March, requiring organisations to safeguard people’s personal information."
"The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. The Executive Order also requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. While processes and existing needs will differ, the Framework can assist organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program."
"The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. […] More than 380 unique victims in 31 countries have been observed to date. What makes ‘The Mask’ special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS). […] When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations. The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools."