Tag Archive for: ScienceDaily

Why computer security advice is more confusing than it should be — ScienceDaily


If you find the computer security guidelines you get at work confusing and not very useful, you’re not alone. A new study highlights a key problem with how these guidelines are created, and outlines simple steps that would improve them — and probably make your computer safer.

At issue are the computer security guidelines that organizations like businesses and government agencies provide their employees. These guidelines are generally designed to help employees protect personal and employer data and minimize risks associated with threats such as malware and phishing scams.

“As a computer security researcher, I’ve noticed that some of the computer security advice I read online is confusing, misleading or just plain wrong,” says Brad Reaves, corresponding author of the new study and an assistant professor of computer science at North Carolina State University. “In some cases, I don’t know where the advice is coming from or what it’s based on. That was the impetus for this research. Who’s writing these guidelines? What are they basing their advice on? What’s their process? Is there any way we could do better?”

For the study, researchers conducted 21 in-depth interviews with professionals who are responsible for writing computer security guidelines for organizations including large corporations, universities and government agencies.

“The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming — and the most important points get lost in the shuffle.”

The researchers found that one reason security guidelines can be so overwhelming is that guideline writers tend to incorporate every possible item from a wide variety of authoritative sources.

“In other words, the guideline writers are compiling security information, rather than curating security information for their readers,” Reaves says.

Drawing on what they learned…


Next-gen wireless networks could be designed with built-in defenses against ‘metasurface-in-the-middle’ attack — ScienceDaily


Crafty hackers can make a tool to eavesdrop on some 6G wireless signals in as little as five minutes using office paper, an inkjet printer, a metallic foil transfer and a laminator.

The wireless security hack was discovered by engineering researchers from Rice University and Brown University, who will present their findings and demonstrate the attack this week in San Antonio at ACM WiSec 2022, the Association for Computing Machinery’s annual conference on security and privacy in wireless and mobile networks.

“Awareness of a future threat is the first step to counter that threat,” said study co-author Edward Knightly, Rice’s Sheafor-Lindsay Professor of Electrical and Computer Engineering. “The frequencies that are vulnerable to this attack aren’t in use yet, but they are coming and we need to be prepared.”

In the study, Knightly, Brown University engineering Professor Daniel Mittleman and colleagues showed an attacker could easily make a sheet of office paper covered with 2D foil symbols — a metasurface — and use it to redirect part of a 150 gigahertz “pencil beam” transmission between two users.

They dubbed the attack “Metasurface-in-the-Middle” as a nod to both the hacker’s tool and the way it is wielded. Metasurfaces are thin sheets of material with patterned designs that manipulate light or electromagnetic waves. “Man-in-the-middle” is a computer security industry classification for attacks in which an adversary secretly inserts themself between two parties.

The 150 gigahertz frequency is higher than is used in today’s 5G cellular or Wi-Fi networks. But Knightly said wireless carriers are looking to roll out 150 gigahertz and similar frequencies known as terahertz waves or millimeter waves over the next decade.

“Next-generation wireless will use high frequencies and pencil beams to support wide-band applications like virtual reality and autonomous vehicles,” said Knightly, who will present the research with co-author Zhambyl Shaikhanov, a graduate student in his lab.

In the study, the researchers use the names Alice and Bob to refer to the two people whose communications are hacked. The eavesdropper is called Eve.

To mount the attack, Eve first…


Computer attacks with laser light — ScienceDaily


Computer systems that are physically isolated from the outside world (air-gapped) can still be attacked. This is demonstrated by IT security experts of the Karlsruhe Institute of Technology (KIT) in the LaserShark project. They show that data can be transmitted to light-emitting diodes of regular office devices using a directed laser. With this, attackers can secretly communicate with air-gapped computer systems over distances of several meters. In addition to conventional information and communication technology security, critical IT systems need to be protected optically as well.

Hackers attack computers with lasers. This sounds like a scene from the latest James Bond movie, but it actually is possible in reality. In early December 2021, researchers of KIT, TU Braunschweig, and TU Berlin presented the LaserShark attack at the 37th Annual Computer Security Applications Conference (ACSAC). This research project focuses on hidden communication via optical channels. Computers or networks in critical infrastructures are often physically isolated to prevent external access. “Air-gapping” means that these systems have neither wired nor wireless connections to the outside world. Previous attempts to bypass such protection via electromagnetic, acoustic, or optical channels work only at short distances or low data rates. Moreover, they frequently allow for data exfiltration only, that is, receiving data.

Hidden Optical Channel Uses LEDs in Commercially Available Office Devices

The Intelligent System Security Group of KASTEL — Institute of Information Security and Dependability of KIT, in cooperation with researchers from TU Braunschweig and TU Berlin, has now demonstrated a new attack: With a directed laser beam, an adversary can introduce data into air-gapped systems and retrieve data without additional hardware on the side of the attacked device. “This hidden optical communication uses light-emitting diodes already built into office devices, for instance, to display status messages on printers or telephones,” explains Professor Christian Wressnegger, Head of the Intelligent System Security Group of KASTEL. Light-emitting diodes (LEDs) can receive light, although they are not designed to…


Computer scientists discover new vulnerability affecting computers globally — ScienceDaily


In 2018, industry and academic researchers revealed a potentially devastating hardware flaw that made computers and other devices worldwide vulnerable to attack.

Researchers named the vulnerability Spectre because the flaw was built into modern computer processors that get their speed from a technique called “speculative execution,” in which the processor predicts instructions it might end up executing and preps by following the predicted path to pull the instructions from memory. A Spectre attack tricks the processor into executing instructions along the wrong path. Even though the processor recovers and correctly completes its task, hackers can access confidential data while the processor is heading the wrong way.

Since Spectre was discovered, the world’s most talented computer scientists from industry and academia have worked on software patches and hardware defenses, confident they’ve been able to protect the most vulnerable points in the speculative execution process without slowing down computing speeds too much.

They will have to go back to the drawing board.

A team of University of Virginia School of Engineering computer science researchers has uncovered a line of attack that breaks all Spectre defenses, meaning that billions of computers and other devices across the globe are just as vulnerable today as they were when Spectre was first announced. The team reported its discovery to international chip makers in April and will present the new challenge at a worldwide computing architecture conference in June.

The researchers, led by Ashish Venkat, William Wulf Career Enhancement Assistant Professor of Computer Science at UVA Engineering, found a whole new way for hackers to exploit something called a “micro-op cache,” which speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process. Micro-op caches have been built into Intel computers manufactured since 2011.

Venkat’s team discovered that hackers can steal data when a processor fetches commands from the micro-op cache.

“Think about a hypothetical airport security scenario where TSA lets you in without checking your…
