University and vendor researchers are congregating in San Diego this week at USENIX Security ’14 to share the latest findings in security and privacy, and here are 5 that jumped out to me as being particularly interesting.
*On the Feasibility of Large-Scale Infections of iOS Devices
Georgia Tech researchers acknowledge that large-scale iOS device infections have been few and far between, but they claim weaknesses in the iTunes syncing process, device provisioning process and file storage could leave iPhones, iPads and other Apple products vulnerable to attack via botnets. The bad guys could get to the iOS devices via a compromised computer, they say, to install attacker-signed apps and swipe personal info. The researchers came to their conclusion after examining DNS queries within known botnets.
*XRay: Enhancing the Web’s Transparency with Differential Correlation
Columbia University researchers introduce XRay, a tool designed to give web users more insight into which of their personal data is being used to target them with ads. The researchers will present at USENIX a prototype of XRay, which has already been posted online as an open source system for others to explore. Initially, the system can be used to explain targeting in Gmail ads, Amazon recommendations and YouTube video suggestions. “Today we have a problem: the web is not transparent. We see XRay as an important first step in exposing how websites are using your personal data,” says Assistant Professor of Computer Science Roxana Geambasu.
*The Long “Taile” of Typosquatting Domain Names
Investigators from the University of Chicago, Carnegie Mellon University and Budapest University of Technology and Economics took a deep dive into the world of typosquatting, where miscreants prey on unsuspecting web users by tricking them into visiting websites that only look like the ones they planned to visit, and exploit the owners of legitimate websites with similar domain names. The researchers felt a more thorough examination of suspected typosquatting sites was necessary to separate those that are based on true typos from those registered by cybercrooks, as well as to look more closely at typosquatting involving smaller sites. Much of the previous research, and thus the defense tools built on it, has focused on typosquatting that involves big-name sites.
*The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
University of California at Berkeley researchers study five popular browser-based password managers (including LastPass and PasswordBox), and naturally, they identify a handful of security concerns with the password managers themselves. One-time passwords, bookmarklets and shared passwords all present security vulnerabilities, the researchers say. The researchers come up with suggestions, including a defense-in-depth approach, for developing safer password managers.
*From the Aether to the Ethernet—Attacking the Internet using Broadcast Digital Television
Columbia University researchers warn that Hybrid Broadcast-Broadband Television, a Web-and-TV integration that is popular in Europe and coming to the United States, is based on an insecure combination of technologies. Exploits could be widespread, hard to detect and inexpensive to pull off (say $450 to target 20,000 devices), say the researchers. “A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network,” according to the paper.
Note that all research papers should be available at the USENIX Security ’14 website once the show gets underway on Aug. 20.