Tag Archives: Cybersecurity

The identity threat

By Teri Takai – The big problem for many government agencies is that most of them still rely on declarative legacy roles, rubber-stamping certifications and manual processes to manage identities and roles — all of which expose them to continual and multiple access risks. External threat actors compromise identities to evade detection from existing defenses, while insiders work under the radar to access data for exfiltration.

To provide a robust defense and protect the identity-based perimeter, government agencies must consider new thinking and approaches.

The core issue is that security leaders are not addressing the evolving security landscape through proactive planning and change management. Instead, they are stuck in a reactive mode.

It is not hard to understand why: the user profile is 24-7, global, instantaneous, and rich in consumer-driven IT. more> https://goo.gl/X59JUA

Updates from Georgia Tech

Four-Stroke Engine Cycle Produces Hydrogen from Methane and Captures CO2
By John Toon – When is an internal combustion engine not an internal combustion engine? When it’s been transformed into a modular reforming reactor that could make hydrogen available to power fuel cells wherever there’s a natural gas supply available.

By adding a catalyst, a hydrogen separating membrane and carbon dioxide sorbent to the century-old four-stroke engine cycle, researchers have demonstrated a laboratory-scale hydrogen reforming system that produces the green fuel at relatively low temperature in a process that can be scaled up or down to meet specific needs. The process could provide hydrogen at the point of use for residential fuel cells or neighborhood power plants, electricity and power production in natural-gas powered vehicles, fueling of municipal buses or other hydrogen-based vehicles, and supplementing intermittent renewable energy sources such as photovoltaics.

Known as the CO2/H2 Active Membrane Piston (CHAMP) reactor, the device operates at temperatures much lower than conventional steam reforming processes, consumes substantially less water and could also operate on other fuels such as methanol or bio-derived feedstock. It also captures and concentrates carbon dioxide emissions, a by-product that now lacks a secondary use – though that could change in the future.

Unlike conventional engines that run at thousands of revolutions per minute, the reactor operates at only a few cycles per minute – or more slowly – depending on the reactor scale and required rate of hydrogen production. And there are no spark plugs because there’s no fuel combusted. more> https://goo.gl/h4K7fV


Updates from Aalto University

A new method for converting wastewater nutrients into fertilizer
By Riku Vahala – Researchers of Aalto University have developed a new, energy-efficient method for capturing nitrogen and phosphorus from different liquid waste fractions. In laboratory studies, with the help of the method, it is possible to separate 99% of the nitrogen and 90-99% of phosphorus in wastewater and produce granular ammonium sulphate (NH4)2SO4 and phosphorus precipitate suitable for fertilizers.

The capture method is based on the use of calcium hydroxide Ca(OH)2 to convert ammoniacal nitrogen NH4+ into ammoniacal gas NH3, which is separated through a semi-permeable membrane. Following this, the ammonium is dissolved into sulphuric acid to produce ammonium sulphate. In the process, the phosphorus is precipitated with the help of calcium salt.

‘A patent application for the method is currently under way, and the aim of the project is to find company partners who could make use of the patent in the best possible manner, create products with its help and market the new process. If successful, the new process will also create a competitive export product’, Anna Mikola, DSc (Tech), points out. more> https://goo.gl/kOrqHP


Dramatically reducing software vulnerabilities

By Paul E. Black, Larry Feldman, and Greg Witte – There are varied approaches to reducing software vulnerabilities, many of which are not primarily technical. These approaches cover many aspects of the development life cycle.

For example, helping users to meaningfully describe security needs may help to ensure that security is built into the products. Similarly, improving training for those who design, build, test, and use software will help to avoid, detect, and correct product defects.

Practical changes in the development approach can significantly reduce the number of these errors, vastly improving the quality of the resulting product. Understanding the specific impact of each approach requires effective methods to measure software quality – such measurement itself is a difficult challenge. more> https://goo.gl/4zU50z

2017 Will Be The Year Of Cyber Warfare

By Paul Laudicina – I am pleased to share the “top ten” predictions for the year ahead from A.T. Kearney’s Global Business Policy Council.

The first prediction among these top ten, that a crippling cyber attack on critical infrastructure in a major economy will occur—an attack we all won’t miss in the headlines, or forget —is the one I believe merits the most attention. It demonstrates clearly that the current power politics dynamic has shifted dramatically. In the space of the last half century, hard power has given way to soft power which has in turn now yielded increasingly to cyber power.

And the challenge to leadership at every level of both the public and private sector to protect our physical, financial, institutional and ideological assets is considerable.

During the mid-20th century, “hard” military and economic might was how power was measured, with the high costs of “mutually assured destruction” acting as a deterrent against another world war.

After the fall of the Berlin wall, “soft” power, the ability to shape the preferences of others “through attraction rather than coercion or payments,” became the most influential medium advancing the interests of great powers, particularly the United States with its dominance in media, entertainment, lifestyle, and popular culture. more> https://goo.gl/ya3PyZ

The Pirates Who Stole Netflix

By Elaine Ou – Friday’s (Oct 21) attack was a Distributed Denial of Service, an attempt to make an online service unavailable by overwhelming it with junk traffic from multiple sources. Attackers amass their armies by scanning the internet for devices protected by default passwords and dropping malicious software into them. Infected machines become “bots” that can be controlled remotely, without their owners’ knowledge, and used to go after any target. This most recent attack used a botnet estimated to be millions of devices strong.

For many Americans, disabling Netflix on a Friday evening is about as close as it gets to an act of war. But what does a cyberwar look like?

During the rise of seaborne trade, the East India companies sailed merchant ships full of gold and jewels across the Indian Ocean while Spanish treasure galleons carried silver between Latin America and the coast of Spain. The inability of European powers to secure their shipping routes led hundreds of thousands of sailors to seek lucrative careers as pirates. more> https://goo.gl/S8m7O4


Updates from Georgia Tech

Study Finds “Lurking Malice” in Cloud Hosting Services
By John Toon – “Bad actors have migrated to the cloud along with everybody else,” said Raheem Beyah, a professor in Georgia Tech’s School of Electrical and Computer Engineering. “The bad guys are using the cloud to deliver malware and other nefarious things while remaining undetected. The resources they use are compromised in a variety of ways, from traditional exploits to simply taking advantage of poor configurations.”

Beyah and graduate student Xiaojing Liao found that the bad actors could hide their activities by keeping components of their malware in separate repositories that by themselves didn’t trigger traditional scanners. Only when they were needed to launch an attack were the different parts of this malware assembled.

“Some exploits appear to be benign until they are assembled in a certain way,” explained Beyah, who is the Motorola Foundation Professor and associate chair for strategic initiatives and innovation in the School of Electrical and Computer Engineering. “When you scan the components in a piecemeal kind of way, you only see part of the malware, and the part you see may not be malicious.”

In the cloud, malicious actors take advantage of how difficult it can be to scan so much storage. Operators of cloud hosting services may not have the resources to do the deep scans that may be necessary to find the Bars – and their monitoring of repositories may be limited by service-level agreements. more> https://goo.gl/hiLHXk


Updates from Georgia Tech

Georgia Tech Research Finds Fan Communities Are Reshaping the Social Web for the Better
By Joshua Preston – Modern fan groups predate the Internet by more than half a century (think Star Trek conventions), and their shared interests include everything from science fiction to knitting. But replicating the connections fans make in person in a digital space has proved difficult.

Instead, groups with special interests are often forced onto Facebook and other social media with a one-size-fits-all approach to interacting online.

By adopting a user-centric approach to design, this community has created a rarity on the web, a “digital commons” without advertising where harassment is almost nonexistent, and a large installed audience enjoys a culture of genuine diversity.

The study, from Georgia Tech and University of Colorado-Boulder, is based on the website Archive of Our Own (AO3), an 840,000-member community of fan fiction or “fanfic” writers who post and share user-generated content. The site was launched in 2008 and boasts nearly 2 million story posts to date.

“AO3’s success demonstrates how beneficial it is to have a technology’s users as part of its development team,” said Casey Fiesler, lead researcher on the study while a Ph.D. candidate at Georgia Tech, and now assistant professor at University of Colorado-Boulder.

“What makes the rise of this online platform exceptional is that it was built primarily by its fans, some of whom started with little or no programming experience,” said Amy Bruckman, a professor of Interactive Computing at Georgia Tech and author on the study. more> http://goo.gl/KHngV9


This Is the Real Reason Apple Is Fighting the FBI

By Julian Sanchez – It’s a fight over the future of high-tech surveillance, the trust infrastructure undergirding the global software ecosystem, and how far technology companies and software developers can be conscripted as unwilling suppliers of hacking tools for governments.

It’s also the public face of a conflict that will undoubtedly be continued in secret—and is likely already well underway.

Law enforcement and intelligence agencies have for years wanted Congress to update the Communications Assistance for Law Enforcement Act of 1992, which spells out the obligations of telephone companies and Internet providers to assist government investigations, to deal with the growing prevalence of encryption—perhaps by requiring companies to build government backdoors into secure devices and messaging apps. In the face of strong opposition from tech companies, security experts and civil liberties groups, Congress has thus far refused to do so.

This would create an internal conflict of interest: The same company must work to both secure its products and to undermine that security—and the better it does at the first job, the larger the headaches it creates for itself in doing the second. more> http://goo.gl/S6Whjj

Why Is Embedded Security So Difficult?

By Alan Grau – There are a number of reasons that embedded security is hard. A few of the top challenges include:

  • The low cost of attack
  • The weakest link problem
  • A lack of expertise and training

It’s very easy, when talking about cybersecurity, to focus on the various technical aspects of building a secure device.

Security is only as strong as its weakest link. As security is a system issue, not just a device issue, there is a very long chain of possible attack points that must be secured. more> http://goo.gl/6U1IHZ
