25 research outputs found

    Enterprise Cyber Risk Management

    USBWall: A Novel Security Mechanism to Protect Against Maliciously Reprogrammed USB Devices

    Universal Serial Bus (USB) is a popular choice for interfacing computer systems with peripherals. With the increasing support of modern operating systems, it is now truly plug-and-play for most USB devices. However, this great convenience comes with a risk: a connected device can perform arbitrary actions at any time. Researchers have confirmed that a simple USB device such as a mass storage device can be disguised to have an additional function such as a keyboard. An unauthorized keyboard attachment can compromise the security of the host by allowing arbitrary keystrokes to enter the host. This undetectable threat differs from traditional viruses that spread via USB devices because of where it is stored and the way it behaves. Therefore, it is impossible for current file-level antivirus to be aware of such a risk. Currently, there is no commercially available protection for USB devices other than mass storage devices. We propose a novel way to protect the host via a software/hardware solution we named USBWall. USBWall uses the BeagleBoard Black (BBB), a low-cost open-source computer, as middleware to enumerate the devices on behalf of the host. We developed a program to assist the user in identifying the risk of a device. We present a simulated USB device with malicious firmware to the USBWall. Based on the results, we confirm that using the USBWall to enumerate USB devices on behalf of the host eliminates these risks to the host.

    Loose Lips Sink Attorney-Client Ships: Unintended Technological Disclosure of Confidential Communications Essay.

    In general, attorneys must not reveal confidential information relating to the representation of their clients. Attorneys must make reasonable efforts to ensure that the attorneys they supervise, as well as their nonlawyer employees, maintain client confidences. Today, technology virtually guarantees that attorneys and clients will communicate electronically. While most attorneys would not knowingly disclose client confidences, there is a growing problem of unintended disclosure through electronic means. On a practical level, maintaining confidence is of utmost importance to both attorneys and clients. Attorneys may believe they are using good faith and competent, reasonable actions to protect their clients’ information from security breaches. Yet, through an act of carelessness, they may inadvertently allow unauthorized access to the information. Attorneys have an ethical obligation to act in a reasonable fashion to protect their clients’ confidences. This includes the obligation to protect electronically stored information from unintended disclosure, whether from inadvertent release of the information or from failure to secure the data against unauthorized access. State statutes are becoming more specific and are imposing greater obligations on attorneys to provide notice to their clients. Some of these statutes create a civil cause of action against attorneys. Additionally, all statutes raise the bar on what attorneys are required to do when a breach occurs. Even if technical notices satisfy the statutory requirements, they would not help to maintain the goodwill of clients. Most attorneys are not trained to meet the increasingly complicated area of information assurance. Preserving clients’ confidence in their attorneys and the legal system is critical to the success of the legal profession.

    Data Exfiltration: A Review of External Attack Vectors and Countermeasures

    Context: One of the main targets of cyber-attacks is data exfiltration, which is the leakage of sensitive or private data to an unauthorized entity. Data exfiltration can be perpetrated by an outsider or an insider of an organization. Given the increasing number of data exfiltration incidents, a large number of data exfiltration countermeasures have been developed. These countermeasures aim to detect, prevent, or investigate exfiltration of sensitive or private data. With the growing interest in data exfiltration, it is important to review data exfiltration attack vectors and countermeasures to support future research in this field.
    Objective: This paper is aimed at identifying and critically analysing data exfiltration attack vectors and countermeasures in order to report the state of the art and determine gaps for future research.
    Method: We have followed a structured process for selecting 108 papers from seven publication databases. The thematic analysis method has been applied to analyse the data extracted from the reviewed papers.
    Results: We have developed a classification of (1) data exfiltration attack vectors used by external attackers and (2) the countermeasures in the face of external attacks. We have mapped the countermeasures to attack vectors. Furthermore, we have explored the applicability of various countermeasures for different states of data (i.e., in use, in transit, or at rest).
    Conclusion: This review has revealed that (a) most of the state of the art is focussed on preventive and detective countermeasures, and significant research is required on developing investigative countermeasures, which are equally important; (b) several data exfiltration countermeasures are not able to respond in real time, which indicates that research effort needs to be invested to enable them to do so; (c) a number of data exfiltration countermeasures do not take privacy and ethical concerns into consideration, which may become an obstacle to their full adoption; (d) existing research is primarily focussed on protecting data in the ‘in use’ state, so future research needs to be directed towards securing data in the ‘at rest’ and ‘in transit’ states; (e) there is no standard or framework for the evaluation of data exfiltration countermeasures. We assert the need for developing such an evaluation framework.

    Digital forensics trends and future

    Nowadays, the rapid evolution of computers and mobile phones has caused these devices to be used in criminal activities. Providing appropriate and sufficient security measures is a difficult job due to the complexity of these devices, which makes investigating crimes involving them even harder. Digital forensics is the procedure of investigating computer crimes in the cyber world. Much research has been done in this area to help forensic investigation resolve existing challenges. This paper looks into current trends in the application of digital forensics and security in various aspects, and provides some estimates of future research trends in this area.

    Multi-algorithmic Cryptography using Deterministic Chaos with Applications to Mobile Communications

    In this extended paper, we present an overview of the principal issues associated with cryptography, providing historically significant examples for illustrative purposes as part of a short tutorial for readers who are not familiar with the subject matter. This is used to introduce the role that nonlinear dynamics and chaos play in the design of encryption engines which utilize different types of Iteration Function Systems (IFS). The design of such encryption engines requires that they conform to the principles of diffusion and confusion for generating ciphers of a maximum entropy type. For this reason, the role of confusion and diffusion in cryptography is discussed, giving a design guide to the construction of ciphers based on the use of IFS. We then present the background and operating framework associated with a new product, Crypstic™, which is based on the application of multi-algorithmic IFS to design encryption engines mounted on a USB memory stick, using both disinformation and obfuscation to ‘hide’ a forensically inert application. The protocols and procedures associated with the use of this product are also briefly discussed.

    AUTOMATED VEHICLES: A GUIDE FOR PLANNERS AND POLICYMAKERS

    Automated vehicles are those which are capable of sensing their environments in order to perform at least some aspects of the safety-critical control (like steering, throttling, or braking) without direct human input. As a guide for planners and policymakers, the objective of this thesis is to develop a strong foundation for anticipating the potential impacts resulting from advancements in vehicle automation. To establish the foundation, this thesis uses a robust qualitative methodology, coupling a review of literature on the potential advantages and disadvantages of vehicle automation and lessons from past innovations in transportation, with recent trends of the Millennial Generation, carsharing services, and a series of interviews with thought-leaders in automation, planning, policymaking, transportation, and aviation. Five significant findings emerged from this thesis: (1) the impacts of vehicle automation differ depending on one’s visions of what automation means, how it is implemented, what the automation does, and where it operates; (2) current limitations of vehicle automation to perform all aspects of the dynamic driving task in all driving conditions make it difficult to move from level-4 to level-5 automation; (3) level-5 automation is required to have any effect on carsharing, mobility, and quality of life; (4) assuming effective planning and policymaking techniques, housing preferences, urban growth, and increases in total VMT will likely not be significantly impacted by vehicle automation; (5) human drivers may never be allowed to disengage their attention from a partially-automated vehicle, specifically in applications where drivers are expected to reengage their attention in safety-critical situations. 
From the perspective of understanding the bigger picture, this thesis developed a proposed future scenario of vehicle automation in the next five to ten years, which is used to suggest guiding principles for policymakers and key recommendations for planners, engineers, and researchers.

    Risk Management for the Future

    A large part of the academic literature and business literature, as well as real-life practice, rests on the assumption that uncertainty and risk do not exist. We all know that this is not true; yet a whole variety of methods, tools and practices are not attuned to the fact that the future is uncertain and that risks are all around us. Moreover, despite risk management entering the agenda some decades ago, it has introduced risks of its own, as illustrated by the financial crisis. Here is a book that goes beyond risk management as it is today and tries to discuss what needs to be improved further. The book also offers some cases.