
    Block-scoped access restriction technique for HTML content in web browsers

    Web sites, web browsers, web site authors, web component authors, and end users interact in a complicated environment with many recognized and unrecognized trust relationships. The web browser is the arena in which many important trust relationships interact, thus it bears a considerable burden in protecting the interests and security of web end users as well as web site authors. Existing proposals, draft standards, implemented features, and web application techniques go a long way towards allowing rich and compelling content interactions, but they do not provide for rich, mutually-distrusting content to be safely embedded in a single page. This proposal suggests a declarative policy mechanism that permits untrusted content to be safely embedded in a web site while still retaining some richness. It also suggests a policy integration approach to allow multiple cooperative (but not necessarily trusting) parties to provide components of a policy that combine together in a safe manner. It incorporates techniques including fine-grained and coarse-grained permission dropping and white-listing protections for retained capabilities. Finally, the proposed concepts are applied to a number of real-world CVE vulnerabilities, and it is explained how the proposal does or does not prevent or mitigate the attack. The solution is shown to be effective against cross-site-scripting style attacks, and to not be effective at preventing incoming cross-site request forgery attacks.
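    The safety property the abstract claims for policy integration is that several parties can each contribute a fragment and no fragment can widen what another party granted. The following is an added toy model written for this page to make that rule concrete: a fragment can only drop capabilities or narrow a whitelist, and the combined policy is the meet of all fragments. It is not the thesis's mechanism or syntax; the capability names, hosts and the three fragments are assumptions.

```python
"""Toy model of multi-party policy combination for embedded content.
Added example for this page, not the thesis's code; names are assumptions."""
from dataclasses import dataclass

ANY = None   # whitelist value meaning "capability retained without target restriction"


@dataclass
class Policy:
    """capability name -> frozenset of allowed targets, or ANY."""
    grants: dict

    def allows(self, capability: str, target: str = None) -> bool:
        if capability not in self.grants:
            return False
        whitelist = self.grants[capability]
        return whitelist is ANY or target in whitelist


def combine(*fragments: Policy) -> Policy:
    """Meet of the fragments: a capability survives only if every party keeps it,
    and its whitelist is the intersection of every party's whitelist. Nothing can
    be added by any fragment, so an untrusted party's fragment cannot escalate."""
    if not fragments:
        return Policy({})
    kept = set.intersection(*(set(f.grants) for f in fragments))
    merged = {}
    for cap in kept:
        whitelist = ANY
        for f in fragments:
            wl = f.grants[cap]
            if wl is ANY:
                continue
            whitelist = set(wl) if whitelist is ANY else whitelist & set(wl)
        merged[cap] = ANY if whitelist is ANY else frozenset(whitelist)
    return Policy(merged)


def narrower_than(p: Policy, q: Policy) -> bool:
    """Sanity check on the combination rule: p grants nothing that q does not."""
    for cap, wl in p.grants.items():
        if cap not in q.grants:
            return False
        qw = q.grants[cap]
        if qw is ANY:
            continue
        if wl is ANY or not set(wl) <= set(qw):
            return False
    return True


# Constructed scenario (assumed names): the page author, the widget vendor, and a
# hostile fragment that tries to grant itself more than the page author did.
PAGE_AUTHOR = Policy({"script": ANY, "dom-write": ANY,
                      "net": frozenset({"api.example"})})
WIDGET_VENDOR = Policy({"script": ANY,
                        "net": frozenset({"api.example", "cdn.widget.example"})})
HOSTILE = Policy({"script": ANY, "dom-write": ANY, "net": ANY, "cookie-read": ANY})


def demo() -> dict:
    """Combine the three fragments and evaluate what the embedded content may do."""
    effective = combine(PAGE_AUTHOR, WIDGET_VENDOR, HOSTILE)
    return {
        "effective": effective,
        "api_fetch": effective.allows("net", "api.example"),       # kept by everyone
        "cdn_fetch": effective.allows("net", "cdn.widget.example"),  # not in the page's whitelist
        "cookie_read": effective.allows("cookie-read"),             # only the hostile fragment asked
        "dom_write": effective.allows("dom-write"),                 # vendor dropped it
        "never_wider_than_page": narrower_than(effective, PAGE_AUTHOR),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

    The rule governs only what the embedded content is allowed to initiate, which is why a policy of this shape can stop script injection yet says nothing about forged requests arriving at the site from elsewhere, matching the abstract's last sentence.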

    Rescuing the legacy project: a case study in digital preservation and technical obsolescence

    The ability to maintain continuous access to digital documents and artifacts is one of the most significant problems facing the archival, manuscript repository, and record management communities in the twenty-first century. This problem with access is particularly troublesome in the case of complex digital installments, which resist simple migration and emulation strategies. The Legacy Project, which was produced by the William Breman Jewish Heritage Museum in Atlanta, was created in the early 2000s as a means of telling the stories of Holocaust survivors who settled in metropolitan Atlanta. Legacy was an interactive multimedia kiosk that enabled museum visitors to read accounts, watch digital video, and examine photographs about these survivors. However, several years after Legacy was completed, it became inoperable, due to technological obsolescence. By using Legacy as a case study, I examine how institutions can preserve access to complex digital artifacts and how they can rescue digital information that is in danger of being lost.
    M.S. Committee Chair: Knoespel, Kenneth; Committee Member: Burnett, Rebecca; Committee Member: Fox Harrell; Committee Member: TyAnna Herringto

    Government Role and the Interoperability Ecosystem


    The Proceedings of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia

    Conference Foreword The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in “Internet of Things” protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and papers from within Australia and internationally. All submitted papers were subject to a double-blind peer review process. Twenty-two papers were submitted from Australia and overseas, of which eighteen were accepted for final presentation and publication. We wish to thank the reviewers for kindly volunteering their time and expertise in support of this event. We would also like to thank the conference committee who have organised yet another successful congress. Events such as this are impossible without the tireless efforts of such people in reviewing and editing the conference papers, and assisting with the planning, organisation and execution of the conference. To our sponsors, also a vote of thanks for both the financial and moral support provided to the conference. Finally, thank you to the administrative and technical staff, and students of the ECU Security Research Institute for their contributions to the running of the conference.

    Watermarking Generative Information Systems for Duplicate Traceability


    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    Traditionally, when individuals wanted online access they connected their PCs to the internet. Now, non-traditional devices such as cell phones, smart phones, and gaming consoles serve as common means of online access. Gaming consoles, just like PCs, need proper sanitization processes to help fight identity theft. Individuals understand you cannot simply throw away a computer that has your personal data on it without some sort of sanitization process; gaming consoles are no different. Simply returning your console to “factory state” will not do the trick; you need to take things one step further. In this research paper the authors aim to bring awareness to the gaming public, researchers and practitioners that improperly discarding used consoles without proper sanitization practices can inadvertently release personal data which can result in identity theft. The researchers will demonstrate through a case study how easy it is to steal an identity through a discarded Xbox. Finally, the researchers will demonstrate how gamers can sanitize their game consoles when upgrading their systems to ensure their identity is not at risk when the used device is retired.

    Addressing Insider Threats from Smart Devices

    Smart devices have unique security challenges and are becoming increasingly common. They have been used in the past to launch cyber attacks such as the Mirai attack. This work is focused on solving the threats posed to and by smart devices inside a network. The size of the problem is quantified; the initial compromise is prevented where possible, and compromised devices are identified. To gain insight into the size of the problem, campus Domain Name System (DNS) measurements were taken that allow for wireless traffic to be separated from wired traffic. Two-thirds of the DNS traffic measured came from wireless hosts, implying that mobile devices are playing a bigger role in networks. Also, port scans and service discovery protocols were used to identify Internet of Things (IoT) devices on the campus network and follow-up work was done to assess the state of the IoT devices. Motivated by these findings, three solutions were developed. To handle the scenario when compromised mobile devices are connected to the network, a new strategy for stepping-stone detection was developed with both an application layer and a transport layer solution. The proposed solution is effective even when the mobile device cellular connection is used. Also, malicious or vulnerable applications make it through the mobile app store vetting process. A user space tool was developed that identifies apps contacting malicious domains in real time and collects data for research purposes. Malicious app behavior can then be identified on the user’s device, catching malicious apps that were overlooked by software vetting. Last, the variety of IoT device types and manufacturers makes the job of keeping them secure difficult. A generic framework was developed to lighten the management burden of securing IoT devices, serve as a middlebox to secure legacy devices, and also use DNS queries as a way to identify misbehaving devices.
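    Three of the measurements above are DNS-side checks: splitting wireless from wired clients, spotting hosts or apps that resolve malicious domains, and flagging an IoT device whose queries stray from what its device type should need. The block below is an added example written for this page that runs all three over a handful of constructed resolver log lines; it is not the author's tooling, and the log format, subnets, blocklist and device profile are assumptions.

```python
"""DNS-log checks: wireless share, blocklist hits, per-device-type profile drift.
Added example for this page; inputs are constructed and every constant is assumed."""
import ipaddress
from collections import Counter, defaultdict

WIRELESS_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed wireless client range
BLOCKLIST = {"evil-cdn.example", "c2.example"}            # assumed threat-intel list (suffix match)
DEVICE_PROFILES = {                                       # assumed IoT inventory: ip -> (type, expected domains)
    "10.20.5.9": ("ip-camera", {"cam-vendor.example", "time.example"}),
}

# Constructed log lines in an assumed format: "<timestamp> <client-ip> <qtype> <qname>"
LOG = """\
2017-12-05T10:00:01 10.20.1.4 A www.campus.example
2017-12-05T10:00:02 10.10.3.7 A www.campus.example
2017-12-05T10:00:03 10.20.1.4 A update.evil-cdn.example
2017-12-05T10:00:04 10.20.5.9 A cam-vendor.example
2017-12-05T10:00:05 10.20.5.9 A time.example
2017-12-05T10:00:06 10.20.5.9 A c2.example
2017-12-05T10:00:07 10.20.5.9 A files.shady-host.example
2017-12-05T10:00:08 10.10.3.7 AAAA library.campus.example
"""


def parse(log: str):
    """Yield (timestamp, client ip, qtype, normalised qname) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, qtype, qname = line.split()
        yield ts, ipaddress.ip_address(ip), qtype, qname.lower().rstrip(".")


def in_domain(qname: str, domain: str) -> bool:
    """True if qname is domain or a subdomain of it (label-aligned, so
    'notevil-cdn.example' does not match 'evil-cdn.example')."""
    return qname == domain or qname.endswith("." + domain)


def wireless_share(records) -> float:
    """Fraction of queries whose client sits in a wireless range."""
    kinds = Counter("wireless" if any(ip in n for n in WIRELESS_NETS) else "wired"
                    for _, ip, _, _ in records)
    total = sum(kinds.values())
    return kinds["wireless"] / total if total else 0.0


def blocklist_hits(records):
    """(client, qname) pairs that resolved a blocklisted domain or a subdomain of one."""
    return [(str(ip), q) for _, ip, _, q in records
            if any(in_domain(q, b) for b in BLOCKLIST)]


def profile_violations(records):
    """Queries by a profiled IoT device for domains outside its expected set."""
    out = defaultdict(list)
    for _, ip, _, q in records:
        prof = DEVICE_PROFILES.get(str(ip))
        if prof and not any(in_domain(q, d) for d in prof[1]):
            out[str(ip)].append(q)
    return dict(out)


def analyse(log: str = LOG) -> dict:
    records = list(parse(log))
    return {
        "wireless_share": wireless_share(records),
        "blocklist_hits": blocklist_hits(records),
        "profile_violations": profile_violations(records),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, "=", value)
```

    The profile check is the cheap version of the "misbehaving device" idea: a camera that suddenly resolves a domain its vendor never uses is worth a look even when that domain is on no blocklist yet.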

    Trademark Vigilance in the Twenty-First Century: An Update

    The trademark laws impose a duty upon brand owners to be vigilant in policing their marks, lest they be subject to the defense of laches, a reduced scope of protection, or even death by genericide. Before the millennium, it was relatively manageable for brand owners to police the retail marketplace for infringements and counterfeits. The Internet changed everything. In ways unforeseen, the Internet has unleashed a tremendously damaging cataclysm upon brands—online counterfeiting. It has created a virtual pipeline directly from factories in China to the American consumer shopping from home or work. The very online platforms that make Internet shopping so convenient, and that have enabled brands to expand their sales, have exposed buyers to unwittingly purchasing fake goods which can jeopardize their health and safety as well as brand reputation. This Article updates a 1999 panel discussion titled Trademark Vigilance in the Twenty-First Century, held at Fordham Law School, and explains all the ways in which vigilance has changed since the Internet has become an inescapable feature of everyday life. It provides trademark owners with a road map for monitoring brand abuse online and solutions for taking action against infringers, counterfeiters and others who threaten to undermine brand value

    Protecting Against Address Space Layout Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems

    Writable XOR eXecutable (W XOR X) and Address Space Layout Randomisation (ASLR) have elevated the understanding necessary to perpetrate buffer overflow exploits [1]. However, they have not proved to be a panacea [1] [2] [3], and so other mechanisms such as stack guards and prelinking have been introduced. In this paper we show that host based protection still does not offer a complete solution. To demonstrate, we perform an over-the-network brute force return-to-libc attack against a pre-forking concurrent server to gain remote access to a host protected by W XOR X and ASLR. We then demonstrate that deploying a NIDS with appropriate signatures can detect this attack efficiently.
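    The reason a pre-forking server is the right target is that every worker inherits the parent's address space, so the libc base does not move between connections: a wrong guess only kills one child, and the attacker can walk the randomised range linearly. The block below is an added model written for this page of that search and of a NIDS-style per-source counter of the kind an "appropriate signature" could implement; it is not the paper's code, and the entropy, region base, libc offset, probe rate, threshold and window are all assumptions.

```python
"""Brute-force return-to-libc against a pre-forking server, plus a crash-rate detector.
Added example for this page; every constant below is an assumption, not a measurement."""
from collections import defaultdict, deque

ENTROPY_BITS = 16           # assumed: ~16 bits of mmap-base randomisation on 32-bit Linux
PAGE = 0x1000
MMAP_REGION = 0x40000000    # assumed: start of the library mapping region (illustrative)
SYSTEM_OFFSET = 0x3B5E0     # assumed: offset of system() inside libc, known to the attacker


class PreforkingServer:
    """Workers are forked from one long-lived parent, so every connection is served
    from an identical layout: a bad guess kills one child, not the layout."""

    def __init__(self, base_slot: int):
        if not 0 <= base_slot < (1 << ENTROPY_BITS):
            raise ValueError("base_slot outside the randomisation range")
        self.libc_base = MMAP_REGION + base_slot * PAGE
        self.crashes = 0

    def handle(self, overwritten_return: int) -> str:
        """Constructed stand-in for the overflowed child: the right return address
        reaches system(), anything else segfaults the worker."""
        if overwritten_return == self.libc_base + SYSTEM_OFFSET:
            return "shell"
        self.crashes += 1
        return "crash"


class CrashRateDetector:
    """NIDS-style signature: N aborted connections from one source to the service
    within W seconds (threshold and window are assumed values)."""

    def __init__(self, threshold: int = 20, window_s: float = 60.0):
        self.threshold = threshold
        self.window_s = window_s
        self.events = defaultdict(deque)   # src -> timestamps of crashed connections

    def observe(self, src: str, t: float, outcome: str) -> bool:
        """Feed one connection outcome; True once the source crosses the threshold."""
        if outcome != "crash":
            return False
        q = self.events[src]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


def expected_probes(bits: int, preforking: bool) -> float:
    """Mean probes to hit the base: linear search over a fixed layout (pre-forking)
    versus a fresh draw on every connection (server re-executed per client)."""
    n = 1 << bits
    return (n + 1) / 2 if preforking else float(n)


def simulate(base_slot: int, detector: CrashRateDetector,
             src: str = "198.51.100.7") -> dict:
    """Walk the region one page at a time, one probe per second (assumed), feeding
    each outcome to the detector; reports probes used and when the alert fired."""
    server = PreforkingServer(base_slot)
    alerted_at = None
    for slot in range(1 << ENTROPY_BITS):
        guess = MMAP_REGION + slot * PAGE + SYSTEM_OFFSET
        outcome = server.handle(guess)
        if alerted_at is None and detector.observe(src, float(slot), outcome):
            alerted_at = slot + 1
        if outcome == "shell":
            return {"probes": slot + 1, "crashes": server.crashes, "alerted_at": alerted_at}
    raise RuntimeError("unreachable: the true base is always inside the range")


if __name__ == "__main__":
    print(simulate(base_slot=0x2A5F, detector=CrashRateDetector()))
    print("mean probes, pre-forking:", expected_probes(ENTROPY_BITS, True))
    print("mean probes, re-randomised per connection:", expected_probes(ENTROPY_BITS, False))
```

    The detector fires after a few dozen aborted connections, long before the tens of thousands of probes the linear search needs on average, which is what makes the network-side signature practical even though each individual probe looks like an ordinary client request.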