5,554 research outputs found

    On Mitigation of Side-Channel Attacks in 3D ICs: Decorrelating Thermal Patterns from Power and Activity

    Various side-channel attacks (SCAs) on ICs have been successfully demonstrated and also mitigated to some degree. In the context of 3D ICs, however, prior art has mainly focused on efficient implementations of classical SCA countermeasures. That is, SCAs tailored for up-and-coming 3D ICs have been overlooked so far. In this paper, we conduct such a novel study and focus on one of the most accessible and critical side channels: thermal leakage of activity and power patterns. We address the thermal leakage in 3D ICs early on during floorplanning, along with tailored extensions for power and thermal management. Our key idea is to carefully exploit the specifics of material and structural properties in 3D ICs, thereby decorrelating the thermal behaviour from underlying power and activity patterns. Most importantly, we discuss powerful SCAs and demonstrate how our open-source tool helps to mitigate them. Comment: Published in Proc. Design Automation Conference, 201

    Cliophysics: Socio-political Reliability Theory, Polity Duration and African Political (In)stabilities

    Quantification of historical sociological processes has recently gained attention among theoreticians in the effort of providing a solid theoretical understanding of the behaviors and regularities present in sociopolitical dynamics. Here we present a reliability theory of polity processes with emphases on individual political dynamics of African countries. We found that the structural properties of polity failure rates successfully capture the risk of political vulnerability and instabilities in which 87.50%, 75%, 71.43%, and 0% of the countries with monotonically increasing, unimodal, U-shaped and monotonically decreasing polity failure rates, respectively, have high level of state fragility indices. The quasi-U-shape relationship between average polity duration and regime types corroborates historical precedents and explains the stability of the autocracies and democracies. Comment: 4 pages, 3 figures, 1 tabl

    Hacking Speech: Informational Speech and the First Amendment

    A Target to the Heart of the First Amendment: Government Endorsement of Responsible Disclosure as Unconstitutional

    Brian Krebs, a former reporter for the Washington Post who is now known for his blog Krebs on Security, remained relatively unknown for most of his career. But in December 2013, Mr. Krebs found that hackers had exploited a data vulnerability in Target’s electronic-payment system, compromising millions of credit-card numbers that had been used to purchase goods from the second-largest discount retailer in the United States. In the following months, an investigation revealed that the breach affected nearly half of the 110-million credit cards recently used at Target, resulting in one of the largest known digital credit-card heists in history. Even before Target’s data breach personally affected millions of consumers, concern over the security of personal data was endemic. A survey conducted in March 2013 revealed that 82.1% of Americans were at least somewhat worried about a data breach involving banks, government entities, or other organizations, and roughly the same percentage were concerned about identity theft and credit-card fraud. With over 78-million data records containing personal information exposed to breaches in the first ten months of 2014 alone, it is unsurprising that a separate survey found that 77% of consumers agreed that expeditious notification of vulnerabilities involving stolen or lost data was important. Coupled with the potential widespread harm caused by data breaches, discrepancies in data-holders’ approaches to security vulnerabilities have prompted a call for a national response. Generally, two approaches exist for confronting data security issues: full disclosure and responsible disclosure. Proponents of the former argue that stifling communication about data breaches or vulnerabilities, no matter the source, is detrimental, conflicting with both public sentiment and constitutional rights. On the other end of the spectrum, supporters of a responsible disclosure policy suggest that allowing companies to rectify data security issues before public dissemination provides a better solution. In effect, responsible disclosure requires those who discover a data vulnerability to not only notify the affected organization, but also keep knowledge of the data security weakness confidential, regardless of its potential impact on consumers. Although the predominant industry approach, this Article argues that the responsible disclosure approach should not be legislatively or judicially adopted. Not only does a responsible disclosure policy violate the First Amendment as a prior restraint, but it also constitutes poor public policy, ultimately causing a chilling effect that would reduce business accountability. In an effort to avoid both limiting the development of enhanced data security safeguards and restricting the public’s ability to engage in self-help, Congress and the judiciary should allow basic market forces to pave the way for innovation in this continually evolving field

    Use Case Based Blended Teaching of IIoT Cybersecurity in the Industry 4.0 Era

    [Abstract] Industry 4.0 and Industrial Internet of Things (IIoT) are paradigms that are driving current industrial revolution by connecting to the Internet industrial machinery, management tools or products so as to control and gather data about them. The problem is that many IIoT/Industry 4.0 devices have been connected to the Internet without considering the implementation of proper security measures, thus existing many examples of misconfigured or weakly protected devices. Securing such systems requires very specific skills, which, unfortunately, are not taught extensively in engineering schools. This article details how Industry 4.0 and IIoT cybersecurity can be learned through practical use cases, making use of a methodology that allows for carrying out audits to students that have no previous experience in IIoT or industrial cybersecurity. The described teaching approach is blended and has been imparted at the University of A Coruña (Spain) during the last years, even during the first semester of 2020, when the university was closed due to the COVID-19 pandemic lockdown. Such an approach is supported by online tools like Shodan, which ease the detection of vulnerable IIoT devices. The feedback results provided by the students show that they consider useful the proposed methodology, which allowed them to find that 13% of the IIoT/Industry 4.0 systems they analyzed could be accessed really easily. In addition, the obtained teaching results indicate that the established course learning outcomes are accomplished. Therefore, this article provides useful guidelines for teaching industrial cybersecurity and thus train the next generation of security researchers and developers. This work has been funded by the Xunta de Galicia (ED431G 2019/01), the Agencia Estatal de Investigación of Spain (TEC2016-75067-C4-1-R, RED2018-102668-T, PID2019-104958RB-C42) and ERDF funds of the EU (AEI/FEDER, UE) Xunta de Galicia; ED431G 2019/0

    The Proceedings of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia

    Conference Foreword. The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in “Internet of Things” protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and papers from within Australia and internationally. All submitted papers were subject to a double blind peer review process. Twenty two papers were submitted from Australia and overseas, of which eighteen were accepted for final presentation and publication. We wish to thank the reviewers for kindly volunteering their time and expertise in support of this event. We would also like to thank the conference committee who have organised yet another successful congress. Events such as this are impossible without the tireless efforts of such people in reviewing and editing the conference papers, and assisting with the planning, organisation and execution of the conference. To our sponsors, also a vote of thanks for both the financial and moral support provided to the conference. Finally, thank you to the administrative and technical staff, and students of the ECU Security Research Institute for their contributions to the running of the conference

    Cyber Insurance, Data Security, and Blockchain in the Wake of the Equifax Breach
