5 cool new security research breakthroughs

Researchers at USENIX Security '14 are sharing the latest findings in security and privacy, and here are 5 that are particularly interesting

University and vendor researchers are congregating in San Diego this week at USENIX Security '14 to share the latest findings in security and privacy, and here are 5 that jumped out to me as being particularly interesting.

*On the Feasibility of Large-Scale Infections of iOS Devices

Georgia Tech researchers acknowledge that large-scale iOS device infections have been few and far between, but they claim weaknesses in the iTunes syncing process, device provisioning process and file storage could leave iPhones, iPads and other Apple products vulnerable to attack via botnets. The bad guys could get to the iOS devices via a compromised computer, they say, to install attacker-signed apps and swipe personal info. The researchers came to their conclusion after examining DNS queries within known botnets.

*XRay: Enhancing the Web's Transparency with Differential Correlation

Columbia University researchers introduce XRay, a tool designed to give web users more insight into which of their personal data is being used to target them with ads. The researchers will present at USENIX a prototype of XRay, which has already been posted online as an open source system for others to explore. Initially, the system can be used to explain targeting in Gmail ads, Amazon recommendations and YouTube video suggestions. "Today we have a problem: the web is not transparent. We see XRay as an important first step in exposing how websites are using your personal data," says Assistant Professor of Computer Science Roxana Geambasu.

*The Long "Taile" of Typosquatting Domain Names

Investigators from the University of Chicago, Carnegie Mellon University and Budapest University of Technology and Economics took a deep dive into the world of typosquatting, where miscreants prey on unsuspecting web users by tricking them into visiting websites that only look like the ones they planned to visit, and exploit the owners of legitimate websites with similar domain names. The researchers felt a more thorough examination of suspected typosquatting sites was necessary to separate those based on true typos from those registered by cybercrooks, as well as to look more closely at typosquatting involving smaller sites. Much of the previous research, and thus the defense tools built on it, has focused on typosquatting that involves big-name sites.

*The Emperor's New Password Manager: Security Analysis of Web-based Password Managers

University of California at Berkeley researchers study five popular browser-based password managers (including LastPass and PasswordBox), and naturally, they identify a handful of security concerns with the password managers themselves. One-time passwords, bookmarklets and shared passwords all present security vulnerabilities, the researchers say. The researchers come up with suggestions, including a defense in depth approach, for developing safer password managers.

*From the Aether to the Ethernet--Attacking the Internet using Broadcast Digital Television

Columbia University researchers warn that Hybrid Broadcast-Broadband Television, a Web-and-TV integration that is popular in Europe and coming to the United States, is based on an insecure combination of technologies. Exploits could be widespread, hard to detect and inexpensive to pull off (say $450 to target 20,000 devices), the researchers say. "A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network," according to the paper.

Note that all research papers should be available at the USENIX Security '14 website once the show gets underway on Aug. 20.
