Hello <<First Name>>, and welcome to this issue of the Science of Security and Privacy - Reviews & Outreach (R&O)! Its purpose is to highlight some of the exciting research, news, and events that impact our technical community. All presented materials are available on or through the Virtual Organization portal.
IN THIS ISSUE:
NSA Launches Latest Codebreaker Challenge

Are you a U.S. undergraduate or graduate student interested in attempting to crack a cyber-challenge similar to those that regularly threaten national security? Then sign up for the 2019 NSA Codebreaker Challenge!

The annual Codebreaker Challenge offers students a closer look at the type of work done at NSA and provides the opportunity to develop skills needed to achieve the Agency's national security mission. The problems touch on skills like software reverse engineering, cryptanalysis, exploit development, block chain analysis and more.

This year's challenge scenario is about tech savvy terrorists who have developed a new suite of communication tools that are being used for attack planning purposes. Intelligence suggests...  more ► 

IPv6 Comes of Age Despite Growing Pains


Internet Protocol Version 6 is slowly being adopted as the replacement for version 4. Touted as a more secure protocol with increased address space, portability, and greater privacy, it has drawn growing research interest along with related protocols, particularly in the context of smart grid, mobile communications, and cloud computing. For the Science of Security community, it is relevant to resiliency, composability, and policy-based governance. But despite its improved features, adoption of IPv6 is proceeding at a snail’s pace, with the possibility that it will not be universally deployed for several more decades. One must ask: why the reluctance and delay?

IPv6’s predecessor, IPv4, was first used for the ARPANET in 1983; it still routes most Internet traffic today. IPv4 uses a 32-bit addressing scheme to support 4.3 billion devices, which initially was thought to be enough. However, the growth of the Internet, personal computers, smartphones and now Internet of Things devices proved that the world needed more addresses. Use grew from 10,000 users in 1983 to 2.5 billion in 2019. The Internet Engineering Task Force (IETF) recognized 21 years ago that this would occur. In 1998 it created IPv6, which uses 128-bit addressing to support approximately 340 trillion trillion (2 to the 128th) users.

The basic IPv6 protocol (RFC 2460) was published in 1998. It incorporated advanced features including a new header format with less overhead, faster router processing, a larger address space, more efficient processing at intermediate routers, built-in security (IPsec), better support for prioritized delivery, extensibility, and elimination of the need for the address translation that masks internal addresses in IPv4. In addition, there were economic and policy drivers: upcoming address exhaustion, native security, national policy and technical leadership were seen as factors promoting adoption.

The Internet Society expected IPv6 to be adopted fairly rapidly due to these improvements, particularly with regard to native security. It also expected cost savings as the price of IPv4 addresses would peak in 2018, and then drop after IPv6 deployment passed the 50% mark. But currently, according to Google, the world has only 20% to 22% IPv6 adoption and the U.S. only about 32%. This slow transition to IPv6 has caused...  more ► 

SoS Musings - Improving Cybersecurity for Aviation


It is only a matter of time before an aircraft is significantly impacted by a hacking incident, as indicated by recent discoveries made by cybersecurity researchers and the U.S. government. According to a report released by ResearchAndMarkets.com, titled Aviation Cyber Security Market - Growth, Trends, and Forecast, the aviation cybersecurity market is expected to grow at a compound annual growth rate (CAGR) of 11% from 2019 to 2024. Although the increasing connectivity and digitalization in the aviation sector has brought benefits in regard to better customer service, operations, and passenger flight experience, such advancements in aviation technology, in addition to the growing connectivity of this technology, have increased the vulnerability of the aviation sector to possible cyberattacks. The aviation industry is expected to invest more in technological advancements aimed at detecting and preventing cyberattacks on the aviation sector’s IT infrastructure and networks, which are critical for ground and flight operations. One key market trend is that North America holds the largest share in the aviation market, with the U.S. investing mostly in the research and development of advanced cybersecurity systems. The 2018 Air Transport Cybersecurity Insights report highlights the current challenges faced by the aviation industry in regard to cybersecurity, based on the results of a survey to which 59 senior decision makers at major airlines and airports, including CEOs, CISOs, VPs, and IT Directors, responded. According to the report, there is a high level of awareness surrounding cybersecurity in the aviation industry. However, current challenges are hindering efforts towards greater aviation cybersecurity advancements. These challenges include growing cybersecurity costs, lack of CISOs, and low empowerment of cybersecurity teams.
The aviation industry also faces challenges similar to those of other industries when it comes to cybersecurity, such as limited resources, inadequate staff training, network visibility, and a skills gap. As aviation technology becomes increasingly Internet-connected, posing a greater threat to safety, it is important that research efforts and developments aimed at improving the security of this technology increase.

Researchers have conducted studies that highlighted the importance of improving aviation cybersecurity. Robert Hickey, aviation manager within the Cyber Security Division of the DHS S&T Directorate, and his team of experts from government, academia, and industry demonstrated that it is possible to remotely hack a commercial aircraft. According to Hickey, he and his team were successful in hacking a Boeing 757 by accessing its systems through radio frequency communications, further highlighting the possibility of compromising an airplane without having to physically access it. IOActive industrial cybersecurity expert Ruben Santamarta brought attention to the vulnerability of the Boeing 787 to remote hacking when he discovered a Boeing Co. server that was exposed to the internet. The server contained firmware applications for the aviation manufacturer’s 787 airplane networks, in which he discovered multiple security vulnerabilities, including buffer overflow, memory corruption, stack overflow, and denial-of-service flaws. These vulnerabilities could be exploited by attackers to gain remote access to the plane's sensitive avionics network, which is also considered the crew information systems network. Santamarta found these security vulnerabilities by reverse-engineering binary code and examining configuration files in the firmware applications for the Boeing 787 airplane network. He also discovered the exposure to the public internet of proxy servers used by airlines to communicate with their 787 planes, which is another way an attacker could compromise the plane's network. Santamarta was also behind the discovery of vulnerabilities in a commercial aircraft's satellite communications equipment that could allow hackers to remotely spy on hundreds of planes from the ground. Using these vulnerabilities, hackers could compromise onboard systems, snoop on in-flight Wi-Fi, and perform surveillance on all connected passenger devices.
According to presentations and risk assessments conducted by U.S. government researchers, tests performed on an aircraft have proven the vulnerability of planes to hacking incidents in which flight operations are impacted, and have shown that cybersecurity protections for airborne vehicles are lacking. One presentation by the Pacific Northwest National Laboratory (PNNL) described the lab's attempt to hack an aircraft through its Wi-Fi Internet and information distribution...  more ► 

Cyber Scene - Letting Justice Prevail Another 230 Years


Lawyering Up: Supreme Justice(s)

Congress continues to be vectored on issues regarding checks and balances -- the impeachment process, the White House Syrian withdrawal and the cancellation or withholding of funding allocated by Congress, and the sudden death of Rep. Elijah Cummings (D-MD), who chaired the House Oversight Committee, in the middle of this mix. Congress will restart hearings with Facebook CEO Mark Zuckerberg, a familiar thread Cyber Scene will address in November.

Meanwhile, the Supreme Court of the US (SCOTUS) kicked off its new fiscal year 2020 term on 7 October (always the first Monday of October). SCOTUS has 47 cases on its docket from a variety of appeals courts and states. Seven cases are pointedly on cyber, whereas others may be tangentially connected, given the ubiquitous nature of cyber underpinning our daily lives. As checks and balance issues are addressed by Congress, a few words regarding SCOTUS members and their mandate to uphold the Constitution of the US, as the third leg of US democracy, might be of use to this readership. This is not to predict where the Court may end up on the issue of cyber, nor report (not yet) what they decide, but rather to explain the process.

Order in the Court

The Justices themselves, appointed by the sitting President and confirmed by the Senate, feel no obligation to be pigeonholed at any projected point on a political spectrum. They call ‘em as they see ‘em. This spectrum includes liberals, conservatives and centrists; strict versus broad interpretations; "originalists" and "living interpreters;" and national origin, racial, gender and religious diversity since the Bush 41 administration. There have historically been some surprises as "conservatives" (Chief Justice Roberts seems to be a current example) and "liberals" move toward the middle, or even, selectively, in the opposite direction. The driver is each Justice's interpretation of the Constitution and the intent of its framers relevant to the case before her/him. Unlike the acrimonious partisanship in the other two branches of government, the Justices are respectful of and collaborative with each other, even when their own interpretations of the Constitution, as viewed in their decisions (majority or dissenting), are polar opposites. There are droves of examples of them reaching across the so-called aisle, and not only during confirmation hearings. For example, Justices Scalia and Ruth Bader Ginsburg were friends despite their distant "places on the spectrum." Justices' positions have been charted, but note the frequent variations in "liberal" versus "conservative." The black lines indicate the Chief Justices’ opinions, and the courts under them are referred to as "the Warren/Rehnquist/Roberts, etc., courts."

Traditionally, the Justices prefer to stay out of the limelight, unlike the members of the other two branches of US government who run for election, and rather hunker down thoughtfully on the huge docket before them. There have been some exceptions. To illustrate, look at the Justices noted above. The late Justice Antonin Scalia is the subject of several books and of a play, "The Originalist," referring to his belief that the framers—mostly Hamilton, with Madison and Jay, in their 1787 Federalist Papers and the Constitutional Convention of 1787 these papers led to—said what they meant. Justice Scalia held that "distorting" the Constitution by revisionism is ill-advised. It took two years for the Constitution to be ratified in 1789; even, or particularly, then, Congress could get bogged down. John Jay also served as the first Chief Justice—an early framer called upon to practice what his five papers, which focused on foreign policy, proposed. Hamilton wrote 51, and Madison, who drafted the Constitution itself, wrote 29.

Another exception is Justice Ruth Bader Ginsburg (RBG), about whom two recent movies ("RBG," a documentary, and "On the Basis of Sex," a Hollywood take) were released over the last two years. Other Justices attempt, with greater success, to step away from the lights. Justice Clarence Thomas was recently asked by a former SCOTUS clerk (as recounted to your author by this clerk) whether he is publicly identifiable as he and his wife RV across the US during Court recess. The Justice replied that recently, when approached at a gas pump by someone saying, "You look a lot like Clarence Thomas," he replied, "Yea, I get that a lot." However, with the publication of two new books about him over the last 6 months, he may sacrifice his anonymity. SCOTUS itself will likely draw greater public attention as new challenges, including cyber, are addressed on the 2020 docket. You can witness this yourself: the sessions where arguments are presented are open to the public, while the decisions from the Justices' opinions, decidedly not/not TV-spontaneous, are written. They serve as the Court’s historical precedent—the basis for what lies ahead into the next 230+ years. Stay tuned for the Court’s activity this 2020 term related to cyber, cybersecurity, and its entangling...  more ► 

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.

HARD PROBLEMS TOPICS
Cryptology 2018
Quantum Computing Security 2018
Random Key Generation 2018
Ransomware 2018
Recommender Systems 2018
Remanence 2018
Repudiation 2018
Resiliency 2018
 more ► 
Winner of 7th Paper Competition is Evaluating Fuzz Testing

The winning paper is Evaluating Fuzz Testing by George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. This paper was presented at the ACM SIGSAC Conference on Computer and Communications Security (CCS '18) in Toronto.

For more information about the competition and to learn more about the honorable mention papers visit the Paper Competition Homepage.
NIST Releases Draft Security Feature Recommendations for IoT Devices

The National Institute of Standards and Technology (NIST) has released a guide to help us all adjust to a world where seemingly everything is connected -- and potentially vulnerable.

The "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.
In the News
List of selected articles from recent SoS-VO postings with links to the entries on SoS-VO site.

"Google Calendar Privacy Concerns Raised"

"Instagram Phish Poses as Copyright Infringement Warning – Don’t Click!"

"Advanced Hackers Are Infecting IT Providers in Hopes of Hitting Their Customers"

"Meet 'Simjacker,' a Nasty Mobile Vulnerability Researchers say Puts 1 Billion Phones at Risk"

"Anonymous Researcher Drops vBulletin Zero-Day Impacting Tens of Thousands of Sites"

"Ransomware Attack Disrupts Wyoming Health Services"

"Companies Vastly Overestimating Their GDPR Readiness, Only 28% Achieving Compliance"

"Senate Passes Bill Aimed At Combating Ransomware Attacks"

"Privacy Flaw Found in E-Passports"

"Why AI Could Help in the Industrial Security Space"

"Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold"

"PDFex Attacks Can Exfiltrate Content From Encrypted PDF Documents"

"Preventing Manipulation in Automated Face Recognition"

"Magecart Web Skimming Group Targets Public Hotspots and Mobile Users"

"Alabama Hospitals Forced to Close After Ransomware Attack"

"Blind Spots in AI Just Might Help Protect Your Privacy"

"URGENT/11: FDA Issues Alert for Cyber Vulnerability That Threatens Medical Devices, Networks"

"How Kids Get into Hacking"

"Intel Proposes New SAPM Memory Type to Protect Against Spectre-Like Attacks"

"Iranian Hackers Targeted a U.S. Presidential Campaign, Microsoft Says"

"Research Aims to Help Social Media Users Secure Their Information"

"Researcher Shows How Adversaries Can Gather Intel on U.S. Critical Infrastructure"

"APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn"

"Phishing Attempts Increase 400%, Many Malicious URLs Found on Trusted Domains"

"Wireless Security Institute Established at Idaho National Laboratory to Improve 5G Technology"

"New Report Outlines IoT Security Vulnerabilities"

"Majority of IT Departments Leave Major Holes in Their USB Drive Security"

"A Controversial Plan to Encrypt More of the Internet"

"Using Machine Learning to Hunt Down Cybercriminals"

"Hackers Bypassing Some Types of 2FA Security FBI Warns"

"Combination of Techniques Could Improve Security for IoT Devices"

"Attackers Hide Behind Trusted Domains, HTTPS"

"NIST and Microsoft Partner to Improve Enterprise Patching Strategies"

"NIST is Hunting for Tech to Secure the Energy Sector’s Network"

"Group Said to Be Behind Attempted Campaign Hack Has Also Gone After Cybersecurity Researchers"

"NAU Cyberengineering Team Wins $6M Grant to Develop Computing Solutions to Combat Cyberattacks"

"Mathematicians Prove That Flash-Memory 'Fingerprints' of Electronic Devices Are Truly Unique"

"How Do We Ensure GNSS Security Against Spoofing?"

"Protecting Smart Machines From Smart Attacks"

"Beyond Testing: The Human Element of Application Security"

"FIN7 Gang Returns With New Malicious Tools"

"New Cryptomining Malware Uses WAV Audio Files to Conceal Its Tracks"

"Cryptography without Using Secret Keys"

"Prevention Better Than Cure at Keeping Young Users From Getting Involved in Cybercrime"

"Security Researchers Expose New Alexa and Google Home Vulnerability"

"Microsoft Launches Election Security Bug Bounty Program"

"Preventing Cyber Security Attacks Lies in Strategic, Third-Party Investments"

"New Research Center Aims to Make Electronics More Secure"

"Stripe Targeted by Phishing Campaign"

"New Cybersecurity Bills Promote CISOs and Privacy"

"UTSA Study Warns of Security Gaps in Smart Light Bulbs"

This is a sample of the news items on the SoS site; more ► are available.
Upcoming Events

Resilience Week 2019 Symposium
Nov 4-7, San Antonio, TX

Fall '19 SoS Quarterly Meeting
Nov 5-6, Chicago, IL

BSides Charleston
Nov 8-9, Charleston, SC

2019 IEEE International Conference on Industrial Internet (ICII)
Nov 11-12, Orlando, FL

2019 ACM Conference on Computer and Communications Security
Nov 11-15, London, UK

CLEAR Cyber Leaders Conference
Nov 12-13, Sioux Falls, SD

Cyber Security and Cloud Expo North America 2019
Nov 13-14, Santa Clara, CA

QuBit Conference
Nov 14, Sofia, Bulgaria

FS-ISAC Fall Summit
Nov 17-20, Washington, DC

Infosecurity ISACA North America Expo and Conference
Nov 20-21, New York City, NY

2019 12th CMI Conference on Cybersecurity and Privacy (CMI)
Nov 28-29, Copenhagen, Denmark

The 17th Theory of Cryptography Conference
Dec 1-5, Nuremberg, Germany

Cyber Security X Dallas
Dec 4, Dallas, TX

CyberMaryland Conference
Dec 5-6, Baltimore, MD

Asiacrypt 2019
Dec 8-12, Kobe, Japan

2019 IEEE International Symposium on Multimedia (ISM)
Dec 9-11, San Diego, CA

2019 IEEE International Workshop on Information Forensics and Security (WIFS 2019)
Dec 9-12, Delft, Netherlands

2019 Annual Computer Security Applications Conference
Dec 9-13, San Juan, PR

Third-Party Risk & Oversight Summit San Francisco 2019
Dec 9-10, San Francisco, CA

Government IT Symposium
Dec 10-12, Saint Paul, MN

2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)
Dec 12-14, Los Angeles, CA

2019 IEEE Smart Grid Cybersecurity Workshop
Dec 12-13, Atlanta, GA

 more ► 
Produced by
Cyber Pack Ventures, Inc. 5850 Waterloo Road Suite 140 Columbia, MD 21045 USA

You are receiving this email because you are a member of the SoS-VO website, have participated in an SoS event, or have opted into the SoS mailing list. Want to change how you receive these emails? You can update your preferences or unsubscribe from this list.