What is a Secure Programming Language?

Our most sensitive and important software systems are written in programming languages that are inherently insecure, making the security of the systems themselves extremely challenging. It is often said that these systems were written with the best tools available at the time, so over time with newer languages will come more security. But we contend that all of today\u27s mainstream programming languages are insecure, including even the most recent ones that come with claims that they are designed to be "secure". Our real criticism is the lack of a common understanding of what "secure" might mean in the context of programming language design. We propose a simple data-driven definition for a secure programming language: that it provides first-class language support to address the causes for the most common, significant vulnerabilities found in real-world software. To discover what these vulnerabilities actually are, we have analysed the National Vulnerability Database and devised a novel categorisation of the software defects reported in the database. This leads us to propose three broad categories, which account for over 50% of all reported software vulnerabilities, that as a minimum any secure language should address. While most mainstream languages address at least one of these categories, interestingly, we find that none address all three. Looking at today\u27s real-world software systems, we observe a paradigm shift in design and implementation towards service-oriented architectures, such as microservices. Such systems consist of many fine-grained processes, typically implemented in multiple languages, that communicate over the network using simple web-based protocols, often relying on multiple software environments such as databases. In traditional software systems, these features are the most common locations for security vulnerabilities, and so are often kept internal to the system. In microservice systems, these features are no longer internal but external, and now represent the attack surface of the software system as a whole. The need for secure programming languages is probably greater now than it has ever been

An investigation of genetic algorithm-based feature selection techniques applied to keystroke dynamics biometrics

Due to the continuous use of social networks, users can be vulnerable to online situations such as paedophilia treats. One of the ways to do the investigation of an alleged pedophile is to verify the legitimacy of the genre that it claims. One possible technique to adopt is keystroke dynamics analysis. However, this technique can extract many attributes, causing a negative impact on the accuracy of the classifier due to the presence of redundant and irrelevant attributes. Thus, this work using the wrapper approach in features selection using genetic algorithms and as KNN, SVM and Naive Bayes classifiers. Bringing as best result the SVM classifier with 90% accuracy, identifying what is most suitable for both bases

A Holistic View of Identity Theft Tax Refund Fraud

This thesis attempts to explain what identity theft tax refund fraud is and how the issue has developed over the years. It presents a holistic, historic view of the problem as well as how it has been addressed. It primarily relies on reports from the Internal Revenue Service (IRS), Treasury Inspector General for Tax Administration (TIGTA), Government Accountability Office (GAO) and National Taxpayer Advocate (NTA) in its assessment. It does not examine foreign tax administrations’ methods of dealing with identity theft refund fraud or the extent of the issue in other principalities, and therefore this is an area in need of further research. This thesis does not attempt to make an argument for the efficacy of funding for the IRS either, which is an area that could be further studied. It also does not deal with employment-related identity fraud, which some relate to identity theft refund fraud

Completely Automated Public Physical test to tell Computers and Humans Apart: A usability study on mobile devices

A very common approach adopted to fight the increasing sophistication and dangerousness of malware and hacking is to introduce more complex authentication mechanisms. This approach, however, introduces additional cognitive burdens for users and lowers the whole authentication mechanism acceptability to the point of making it unusable. On the contrary, what is really needed to fight the onslaught of automated attacks to users data and privacy is to first tell human and computers apart and then distinguish among humans to guarantee correct authentication. Such an approach is capable of completely thwarting any automated attempt to achieve unwarranted access while it allows keeping simple the mechanism dedicated to recognizing the legitimate user. This kind of approach is behind the concept of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), yet CAPTCHA leverages cognitive capabilities, thus the increasing sophistication of computers calls for more and more difficult cognitive tasks that make them either very long to solve or very prone to false negatives. We argue that this problem can be overcome by substituting the cognitive component of CAPTCHA with a different property that programs cannot mimic: the physical nature. In past work we have introduced the Completely Automated Public Physical test to tell Computer and Humans Apart (CAPPCHA) as a way to enhance the PIN authentication method for mobile devices and we have provided a proof of concept implementation. Similarly to CAPTCHA, this mechanism can also be used to prevent automated programs from abusing online services. However, to evaluate the real efficacy of the proposed scheme, an extended empirical assessment of CAPPCHA is required as well as a comparison of CAPPCHA performance with the existing state of the art. To this aim, in this paper we carry out an extensive experimental study on both the performance and the usability of CAPPCHA involving a high number of physical users, and we provide comparisons of CAPPCHA with existing flavors of CAPTCHA

Security of Multifactor Authentication Model to Improve Authentication Systems

Multifactor authentication (MFA) is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a computer system or network. Multifactor authentication is achieved by combining two or three independent credentials: what the user knows (knowledge-based authentication), what the user has (security token or smart card) and what the user is (biometric verification). Single-factor authentication (SFA), in contrast, only requires knowledge the user possesses. Although password-based authentication is well-suited for website or application access, it is not secure enough for online financial transactions. Keywords: authentication , multi-factor-authentication , biometric factor, knowledge factor . possession facto

Thanatechnology: Designing for Death

Thanatechnology, or the study of death technology, is based within the human need to “figure out” death. Through the ages, humans have used technology to further our understanding of what it means to die and what it means to mourn as a way of figuring out what it means to live. Digital data is a huge part of recent digital technology and includes social media data which is a part of many peoples’ daily lives. This leads to many questions including what happens to social media pages when someone dies. These “digital graveyards” leave a lasting impact on many social media sites, whether it be through the “clutter” they add to the site, confusion to its users, or trauma to the families. In many realms, the idea of a “digital death” has not been explored, nor have the implications of digital technology been studied widely in the modern death. Technology is expanding all sectors of the death industry, from the burial process to the remembrance aspect. Social media sites, personal cloud drives, and communal video games the deceased may have played are all aspects of death that should be designed for. Looking at what the technological implications of the modern death is vital to the future of designing digital technologies. This thesis explores current approaches companies are taking when it comes to a user’s death and explores potential other options. This is important to ensure that the future of a persons’ technological presence is preserved in a way they choose and want. KEYWORDS: thanatechnology; grieving; mourning; digital death; ritual; death technology; digital graveyards; digital footprint; etc