892 research outputs found

    Browser web storage vulnerability investigation: HTML5 localStorage object

    With the introduction of HTML5, the latest browser language, a new data storage technique, called localStorage, has been added to allow websites to store larger amounts of data for a long period of time on the user’s local system. This new technology does not (as of this writing) have a fully implemented independent interface to support end user control. Unlike cookies, there is not yet an interface for the user to block, alter or delete localStorage in web browsers. Nefarious users have files of data they utilize in their illegal activities that they need to preserve (stolen user information, credit card numbers, etc.). These users do not want to have a copy of this data on their personal machines in case of an investigation. Therefore, nefarious users are constantly looking for a new method to preserve and store this data, concealing it in such a way that it won’t be associated with them but available when needed. Our project is to model this process by building a web application that would take a file, encrypt it, slice it up into 26 parts and distribute it to as many client systems as possible. At a later time, a second web application would watch for return visits by the holders of the parts of the original file and retrieve the parts as clients interact with the website. We would be studying the recidivism rate of clients returning to the website and the number of copies of each part distributed necessary to achieve a reliable recovery rate of the whole file. We will first test this prototype in a controlled laboratory setting to ensure that it works as intended. Next we have chosen two websites, the XXXX(http://XXX.XXX.edu/) and XXX(http://XXX.XXX.edu/) departmental websites, as a test bed. We have secured permission from the chairs of these departments to utilize these resources. These sites were chosen primarily because their viewers are adult learners and because of their high traffic patterns

    The Assembly and provisioning of a red team

    As the value and merit of red team exercises in both academic and corporate settings continues to grow, the need to share experiences with staffing, organizing and supporting the red team becomes increasingly important. This paper documents the Northeast Collegiate Cyber Defense Competition’s (NECCDC) Red Team captain’s experiences and lessons learned over the past four years. The paper will begin by identifying the skills and attributes needed for a Red Team and a process for selecting and recruiting members. The methods employed to form a cohesive working group from the members in the time available prior to the event will be discussed. The resources necessary for the Red Team to be effective and how they were provided is examined. We will look at how to promote planning and organization within the team focused on specific strategic goals and objectives of the Red Team. There are several duties during the event for a Red Team captain that will be examined and cautions that will be explained. At the end of the competition, the style and delivery of the after-action-report can have a profound effect on the Blue Teams. Experience with different approaches over the years will be examined. Recommendations for Red Team/Blue Team exchanges that can maximize the learning outcome for the students will be provided. Finally this paper will provide a summary of the experiences for others seeking to form and organize a Red Team either for a competition or an internal educational event

    An image storage system using a relational database management system to facilitate picture data handling

    The Image Storage System (ISS) is a general purpose graphics facility for the storage and retrieval of pictures. ISS utilizes the capabilities of the Mistress Relational Database Management System, the Relation Interpreter Package and the CORE Graphics Package. The system was developed to illustrate that by utilizing a database system for the storage of the actual picture description, users can incorporate graphics into their applications very simply without becoming a graphics or programming expert. Through the database, image data can be shared between applications and changes or additions to the image will not require program modification. As a consequence of using a data base management system, graphical as well as nongraphical information may be stored together. An important outcome of this is that the graphical data may be accessible for non-graphical purposes as well. The database schema is illustrated and its flexibility and user adaptability is demonstrated. The graphics image interpreter is described as well as the underlying Relation Interpreter Package on which it is built

    Three-manifolds, virtual homology, and group determinants

    We apply representation theory to study the homology of equivariant Dehn-fillings of a given finite, regular cover of a compact 3-manifold with boundary a torus. This yields a polynomial which gives the rank of the part of the homology carried by the solid tori used for Dehn-filling. The polynomial is a symmetrized form of the group determinant studied by Frobenius and Dedekind. As a corollary every such hyperbolic 3-manifold has infinitely many virtually Haken Dehn-fillings. Comment: This is the version published by Geometry & Topology on 29 November 200

    A Re-examination of network address translation security

    The use of Network Address Translation (NAT) has greatly expanded in recent years. While originally an address management technique, it has often been used for security. However, there are many implementations of NAT that are inherently insecure. Recent investigation into some of these has shown increased potential for security holes in NAT deployments. An understanding of the risks associated with NAT and the basic networking topics supporting research in this area is critical to an information assurance student. This paper describes the basic operation of NAT, outlines one such security problem and its mitigation, develops a testing methodology for use in information security curricula and suggests topics to be covered for student success

    Covert Channel using Man-In-The-Middle over HTTPS

    The goal of this covert channel is to prove the feasibility of using encrypted HTTPS traffic to carry a covert channel. The encryption key is not needed because the original HTTPS payload is not decrypted. The covert message will be appended to the HTTPS data field. The receiver will extract the covert channel and restore the original HTTPS traffic for forwarding. Only legitimate HTTPS connections will be used as the overt channel. A Man-in-the-Middle (MITM) attack at the sending and receiving ends will give access to modify the traffic streams. The HTTPS return traffic from the server can carry a covert channel. Without the original HTTPS traffic for comparison or the original encryption keys, this covert channel is undetectable

    An Extended Discussion on a High-Capacity Covert Channel for the Android Operating System

    In “Exploring a High-Capacity Covert Channel for the Android Operating System” [1], a covert channel for communicating between different applications on the Android operating system was introduced and evaluated. This covert channel proved to be capable of a much higher throughput than any other comparable channels which had been explored previously. This article will expand on the work which was started in [1]. Specifically, further improvements on the initial covert channel concept will be detailed and their impact with regards to channel throughput will be evaluated. In addition, a new protocol for managing connections and communications between collaborating applications purely using this channel will be defined and explored. A number of different potential mechanisms and techniques for detecting the presence and use of this covert channel will also be described and discussed, including possible counter-measures, which could be implemented

    A Document Analysis of Leadership Language That Enhances Family-School Collaboration in Efforts to Narrow the Achievement Gap

    Complex problems such as the achievement gap need to be presented to all the stakeholders in the school community to utilize their combined expertise. This requires a specific language to encourage all the stakeholders in the process. Effective leaders achieve this through the principles of transformative leadership by communicating in a way that motivates, challenges, and encourages cooperation. This qualitative comparative case study utilized a document analysis to understand the barriers and solutions to family–school collaboration and leadership solutions to narrow the achievement gap in a highly resourced district. This district recently passed an equity initiative that called for the consistent collection and examination of the critical criterion that improves family and community engagement (see Appendix A, p. 5). Seattle University (SU) student researchers compared the District Annual Strategic Plan and two Elementary School Improvement Plans (belonging to the highest- and lowest-performing elementary schools, based on test scores) to determine their congruence, compare their practices to the literature documenting the achievement gap, and assess the leadership language of these documents. The researchers coded for autocratic leadership language that works against family–school collaboration and transformative leadership language that supports family–school collaboration. They triangulated their findings to identify recommendations at the individual building and district level regarding the use of leadership language in documents and outlining improvement efforts to close the achievement gap as it relates to the relevant literature

    CPTC - A Security Competition Unlike Any Other

    Participating in cybersecurity competitions has become increasingly popular for students in higher education programs that have a focus on computing or cyber security. The Collegiate Penetration Testing Competition was developed to address the industry skills gap and assist in identifying ethically minded security personnel with experience identifying, exercising, and mitigating vulnerabilities