5 cool new security research breakthroughs
By Bob Brown
NetworkWorld | Aug 19, 2014 1:42 PM PT
University and vendor researchers are congregating in San
Diego this week at USENIX Security ’14 to share the latest findings in security
and privacy, and here are 5 that jumped out to me as being particularly
interesting.
*On the Feasibility of Large-Scale Infections of iOS Devices
Georgia Tech researchers acknowledge that large-scale iOS device infections have been few and far between, but they claim weaknesses in the iTunes syncing process, the device provisioning process and file storage could leave iPhones, iPads and other Apple products vulnerable to attack via botnets. The bad guys could reach the iOS devices through a compromised computer, they say, install attacker-signed apps and swipe personal information. The researchers came to their conclusion after examining DNS queries within known botnets.
*XRay: Enhancing the Web’s Transparency with Differential Correlation
Columbia University researchers introduce XRay, a tool designed to give web users more insight into which of their personal data is being used to target them with ads. The researchers will present at USENIX a prototype of XRay, which has already been posted online as an open source system for others to explore. Initially, the system can be used to explain targeting in Gmail ads, Amazon recommendations and YouTube video suggestions. “Today we have a problem: the web is not transparent. We see XRay as an important first step in exposing how websites are using your personal data,” says Assistant Professor of Computer Science Roxana Geambasu.
*The Long “Taile” of Typosquatting Domain Names
Investigators from the University of Chicago, Carnegie Mellon University and Budapest University of Technology and Economics took a deep dive into the world of typosquatting, where miscreants prey on unsuspecting web users by luring them to websites that only look like the ones they planned to visit, and exploit the owners of legitimate websites with similar domain names. The researchers felt a more thorough examination of suspected typosquatting sites was necessary to separate those registered by cybercrooks from those that merely resemble true typos, as well as to look more closely at typosquatting involving smaller sites. Much of the previous research, and thus the defense tools built on it, has focused on typosquatting that involves big-name sites.
*The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
University of California at Berkeley researchers study five popular browser-based password managers (including LastPass and PasswordBox), and naturally, they identify a handful of security concerns with the password managers themselves. One-time passwords, bookmarklets and shared passwords all present security vulnerabilities, the researchers say. The researchers come up with suggestions, including a defense-in-depth approach, for developing safer password managers.
*From the Aether to the Ethernet—Attacking the Internet using Broadcast Digital Television
Columbia University researchers warn that Hybrid Broadcast-Broadband Television, a Web-and-TV integration that is popular in Europe and coming to the United States, is based on an insecure combination of technologies. Exploits could be widespread, hard to detect and inexpensive to pull off (say $450 to target 20,000 devices), the researchers say. “A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network,” according to the paper.