The Web Scene » Security

UK’s Centre for Cyber-Security Opens at Queen’s

sparky3887 — Fri, 12 Mar 2010 17:27:14 +0000

The Centre for Secure Information Technologies (CSIT) recently opened at Queen’s University Belfast. CSIT will create 80 new positions and serve as the United Kingdom’s primary center for the development of technology to fight malicious cyberattacks. The research conducted at CSIT will help prevent Internet crime and protect the security and trustworthiness of electronically stored information. CSIT is one of the first Innovation and Knowledge Centers established in the U.K. The center is backed by funding from the Engineering and Physical Sciences Research Council and the Technology Strategy Board, and more than 20 organizations have committed to supporting CSIT’s work over the next five years. CSIT will unite research specialists from fields including data encryption, network security systems, wireless-enabled security systems, and intelligent video analysis. CSIT principal investigator professor John McCanny believes the new center will become globally recognized thanks to the breadth and depth of its technological capabilities, and because it represents a new international paradigm for innovation.

View Full Article

For More Information:http://www.cpccci.com

Hold Vendors Liable for Buggy Software, Security Experts Say

sparky3887 — Fri, 19 Feb 2010 00:10:15 +0000

Security experts from more than 30 organizations recently called on enterprises to put more pressure on security vendors to ensure secure code development. The group, led by the SANS Institute and Mitre, also released draft language for use in procurement contracts between organizations and software development firms that would leave the development firms liable for software defects. “Nearly every attack is enabled by [programming] mistakes that provide a handhold for attackers,” says the SANS Institute’s Alan Paller. “The only way programming errors can be eradicated is by making software development organizations legally liable for the errors.” SANS and Mitre also released its CWE/SANS Top 25 list of the most common programming errors being made by software developers. According to the list, SQL injection errors, cross-site scripting flaws, and buffer overflow weaknesses are the most common programming errors.

View Full Article

For More Information Visit: http://www.cpccci.com

K-State Computer Scientists Developing Techniques to Strengthen the Security of Information Systems for Health Care, Military Data

sparky3887 — Thu, 07 Jan 2010 00:39:36 +0000

Kansas State University (KSU) researchers, in collaboration with Princeton University (PU) computer scientists, are developing tools to secure information systems spanning large distances. The research team, led by KSU’s John Hatcliff and PU’s Andrew Appel, received a five-year, $3 million grant from the Air Force Office of Scientific Research. The new tools involve creating mathematical and logical models that can be used by special auditing programs to make sure that information systems are secure. “We’re doing foundational research on novel forms of mathematical models and logics that enable designers and analysts to precisely state what information is allowed to flow from one point to another and under what conditions,” Hatcliff says. The researchers also are working with Rockwell Collins, a company that creates communications and aviation electronics. Rockwell Collins wants to apply the KSU research to several systems currently in development at the U.S. Department of Defense. The new tools also have the potential to be integrated into the health care system for use with patients’ medical records, Hatcliff says. The researchers say the tools already have been used by several academic research groups and various industries from around the world.

View Full Article

For More Information Visit: http://www.cpccci.com

As Attacks Increase, U.S. Struggles to Recruit Computer Security Experts

sparky3887 — Wed, 23 Dec 2009 22:59:29 +0000

Cyberattacks are increasing in frequency and sophistication at a time when the U.S. government is struggling to address a shortage of proficient computer security experts. This shortage comes as the Pentagon is trying to staff a new Cyber Command that melds offensive and defensive computer security capabilities while the U.S. Department of Homeland Security (DHS) plans to expand its own cybersecurity force by as many as 1,000 people over the next three years. Realizing that meeting this goal will be difficult, DHS is focusing on training people already in the federal government in cybersecurity skills. In November, the Government Accountability Office warned a Senate panel that the number of scans, probes, and attacks reported to the DHS’ U.S. Computer Emergency Readiness Team has increased by more than 300 percent. Mischel Kwon, former director of the readiness team, says that for years federal law forced most civilian agencies to spend their cyberfunds on security audits instead of on building a robust security program. Karen Evans, the Bush administration’s information technology (IT) administrator, points out that most federal IT managers do not know what advanced skills are required to counter cyberattacks. The National Science Foundation’s Scholarship for Service program, which pays for up to two years of college in exchange for an equal number of years of federal employment, is a key element in the U.S. government’s initiative to cultivate cybersecurity talent. However, the private sector often offers much higher salaries for cybersecurity personnel than the private sector.

View Full Article

For More Information Visit: http://www.cpccci.com

In Shift, U.S. Talks to Russia on Internet Security

sparky3887 — Mon, 14 Dec 2009 23:31:45 +0000

The U.S. government has reversed its policy toward bolstering cybersecurity by initiating consultation with Russia, rather than the other way round. Officials familiar with the negotiations say the Obama administration understood that more countries are developing cyberweapons and that halting a global cyberweapons arms race required a new strategy. In November, a delegation led by a Russian Security Council member convened in Washington, D.C. with members of the U.S. National Security Council and the departments of State, Defense, and Homeland Security, and several weeks later the United States agreed to talk about cyberwarfare and cybersecurity with representatives of the United Nations committee on disarmament and international security. Russia has espoused the idea that an international pact is the best instrument for tackling the growing challenges posed by military operations to civilian computer networks, and people familiar with the discussions say the U.S.’s resistance to the concept has started to wear down. Viktor V. Sokolov with Russia’s Institute of Information Security says the latest round of discussions signals the opening of negotiations between the two powers on a possible cyberspace disarmament treaty. An anonymous U.S. State Department official says the United States has not resisted the idea of such a treaty, and that it is hoping to use the discussions to boost international cooperation in combating cybercrime. In contrast, the official says Russia has been pursuing the restriction of cyberweapons development. U.S. officials involved in the negotiations say that in addition to the cyberweapons ban, Russia is focusing on a prohibition against cyberterrorism, which they claim is an attempt to ban “politically destabilizing speech.”

View Full Article

For More Information Visit: http://www.cpccci.com

Building Real Security With Virtual Worlds

sparky3887 — Tue, 01 Dec 2009 00:10:38 +0000

University of Maryland (UM) researchers are combining computerized modeling and group behavior predictions with video-game graphics to create virtual worlds that defense analysts can use to predict the results of military and policy actions. “Defense analysts can understand the repercussions of their proposed recommendations for policy options or military actions by interacting with a virtual world environment,” says UM professor V.S. Subrahmanian. “They can propose a policy option and walk skeptical commanders through a virtual world where the commander can literally ‘see’ how things might play out.” Computer scientists have created a “pretty good chunk” of the computing theory and software needed to build a virtual Afghanistan, Pakistan, or another “world,” Subrahmanian says. Maryland researchers have developed artificial intelligence software that uses data about past behavior of groups to create rules about the probability of a group’s potential actions in different situations. The researchers also have developed “cultural islands,” which give a virtual world representation of a real-world environment or terrain, populated with characters from that part of the world who follow a behavior model. They also have developed the CONVEX and CAPE forecasting engines, which focus on predicting behavioral changes in groups using validated and historical data. “We are now at the point where, with the help of the analysts, we can start thinking about building computer-generated models that can automatically adapt to changes in group behaviors and to conditions on the ground,” Subrahmanian says.

View Full Article

For More Information Visit: http://www.cpccci.com

New Digital Security Program Doesn’t Protect as Promised

sparky3887 — Tue, 06 Oct 2009 20:43:03 +0000

The Vanish security system has been broken by a team of researchers from the University of Texas at Austin, Princeton University, and the University of Michigan. Developed by scientists at the University of Washington, Vanish is designed to protect a computer user’s data by restricting the availability of the encryption key used to access it after a certain amount of time, such as eight hours. Vanish splits up the keys into many small pieces and stores them at many different places on the network, which makes the data look like digital gibberish. However, the team has developed a program, Unvanish, which is capable of collecting and storing anything that looks like a fragment of a Vanish key on the network, checking its archive of fragments and finding the pieces needed to decrypt a message. The researchers say Unvanish can make messages reappear long after they should have disappeared, close to 100 percent of the time. “A true self-destruction feature continues to be challenging to provide,” says Texas professor Brent Waters. Texas professor Emmett Witchel says that “our goal with Unvanish is to discourage people from relying on the privacy of a system that is not actually private.”

View Full Article

For More Information:http://www.cpccci.com

Trust But Verify: Security Risks Abound in the IT Supply Chain

sparky3887 — Tue, 21 Jul 2009 01:34:22 +0000

There are substantial national security issues associated with the use of information technology (IT) products delivered via the global supply chain, including theft of intellectual property, logic bombs and self-modifying code, deliberately concealed back doors and features for unsanctioned remote access, and risks from bogus or counterfeit products. Three years ago, ACM published a study identifying the national security risks posed by the U.S. government’s use of foreign software, and the leading risk was that non-understanding of code pedigree could permit belligerent nations, terrorists, and others to undermine or sabotage software used in critical government systems. Yet the problem also applies to hardware and potential risks caused by counterfeit products or foreign computer chips and microprocessors, as well as the activities of domestic miscreants. The complexity of the IT supply chain means no clear demarcation between software and hardware pedigree from source to government system. In January 2008, the White House issued a Homeland Security Presidential Directive calling for a national priority and plan for anti-cyberthreat action, and one of the directive’s initiatives is designed to address IT supply chain risks. The National Institute of Standards and Technology has identified several sub-program areas to tackle, including criteria for identifying federal government systems and networks that need augmented efforts to ensure supply chain risk management, lifecycle processes and standards, acquisition policy and legal analysis, and a process for sharing vendor threat analyses across the federal government. Meanwhile, U.S. Customs and Border Protection’s Customs-Trade Partnership Against Terrorism (C-TPAT) has shown considerable progress in its goal to protect the trade industry from terrorists and offer incentives and benefits to private-sector firms that meet or surpass C-TPAT supply chain security criteria and best practices.

View Full Article

For more information please visit: http://www.cpccci.com

Argonne Develops Program for Cyber Security ‘Neighborhood Watch’

sparky3887 — Sat, 18 Jul 2009 02:18:54 +0000

The U.S. Department of Energy’s (DOE’s) Argonne National Laboratory has developed the Federated Model for Cyber Security, a program that enables its labs to share information on the millions of cyberattacks they fight off each year. The program allows cybersecurity defense systems to communicate with each other when attacked and share information with systems at other institutions in an effort to strengthen the overall cybersecurity of a complex. “The Federated Model for Cyber Security acts as a virtual neighborhood watch program,” says Argonne cybersecurity officer Michael Skwarek. “If one institution is attacked, secure and timely communication to others in the federation will aid in protecting them from that same attack through active response.” The ability to securely share information during an attack will help others protect themselves from similar attacks. “This program addresses the need for the exchange of hostile activity information with the goal of reducing the time to react across the complex,” Skwarek says. “History has shown that hostile activity is often targeted at more than one location, and having our defenses ready and armed will assist greatly.” The program is currently capable of transmitting information on hostile IP addresses and domain names, and will soon be able to share hostile email addresses and Web URLs. The team behind the Federated Model of Cyber Security was awarded the DOE’s 2009 Cyber Security Innovation and Technology Achievement Award.

View Full Article

For more information please visit: http://www.cpccci.com

IBM Security Software Masks Confidential Info

sparky3887 — Wed, 15 Jul 2009 03:20:44 +0000

IBM researchers have developed Masking Gateway for Enterprises (MAGEN), software that uses optical character recognition and screen scraping technology to identify and conceal confidential information. IBM says MAGEN can prevent data leakage and allow for data sharing while protecting sensitive business data. MAGEN works at the screen level by “catching” the information before it reaches the screen, analyzing the content, and masking sensitive details that should be hidden from the potential viewer. The system treats the information as a picture, uses optical character recognition to identify confidential sections, and places a data “mask” over those details, without copying, changing, or processing the data. IBM says customers can set masking rules that can be defined per screen structure or per application. MAGEN does not change the software program or data, but rather filters information before it reaches the screen. The software also does not force companies to create modified copies of electronic records to mask, scramble, or eliminate data. IBM says MAGEN could be used for healthcare firms that outsource customer service and claims processing functions to a third party, enabling customer service representatives to access patient records while protecting private medical information.

View Full Article

For more information please visit: http://www.cpccci.com