Liu Y., Cai L.X., Shen X. (University of Waterloo); Luo H. (Application Security)
IEEE Wireless Communications
Smartphone fever along with roaring mobile traffic poses great challenges for cellular networks to provide seamless wireless access to end users. Operators and vendors realize that new techniques are required to improve spectrum efficiency to meet the ever increasing user demand. In this article, we exploit the great opportunities provided by cognitive radio technology in conventional cellular networks. Specifically, we first present challenging issues including interference management, network coordination, and interworking between access networks in a tiered cognitive cellular network with both macrocells and small cells. Taking into consideration the different network characteristics of macrocells and small cells, we then propose an adaptive resource management framework to improve spectrum utilization efficiency and mitigate the co-channel interference between macrocell and small cell users. A game-theory-based approach to efficient power control has also been provided. © 2002-2012 IEEE.
Application Security | Date: 2015-01-14
A business action fraud detection system for a website includes a business action classifier to classify a series of operations from a single web session as a business action. The system also includes a fraud detection processor to determine a score for each operation from the statistical comparison of the data of each request forming part of the operation against statistical models generated from data received in a training phase and the score combining probabilities that the transmission and navigation activity of a session are those expected of a normal user.
Crawled News Article
How secure are the websites and servers of the US military? According to an independent security researcher, who found several “serious” flaws in a bunch of .mil sites, the answer is “not so much.” The flaws show that the Department of Defense is failing to take care of basic cybersecurity, and that its public facing sites and employee portals are still trivial to hack, according to experts. According to the researcher, who goes by the name MLT, the worst vulnerability was in a subdomain of the website of the Defense Contract Management Agency, a military agency responsible for contract administration services. The bug essentially allowed hackers to trick the site into revealing the contents of a database containing personal information on DoD employees, such as employees' names and home addresses. MLT didn’t exploit the bug, but given the website it was on, and some data he was able to see without hacking the site, it seems like a malicious attacker could have abused it to steal very sensitive and personal data. “I can’t confirm that without actually exploiting it,” MLT told me over an online chat. “But from the table names and the government warnings all over the site, I’d guess that’s the kind of page that shouldn’t be vulnerable to SQL injection.” SQL injection, or SQLi, is an extremely common but dangerous bug that allows hackers to trick websites into spilling database information. (For more on SQLi, read Motherboard's guide.) Despite being an ancient bug, and despite the fact that web developers should know how to prevent it, countless sites are vulnerable to it, and it still causes major breaches. The fact that a military site was vulnerable to it is certainly not good news. “SQL injection in a military site is a very, very, very serious issue,” Jim Manico, a board member of the Open Web Application Security Project, told Motherboard in an email. “It allows the attacker to steal all data from a database. 
It’s not a good thing—at all—for such an easy-to-find and easy-to-fix problem to exist in a high risk site.” For MLT, the danger was that someone with less friendly intentions could have used this to get the personal information of DoD employees, who could then be targeted both on the internet and in real life. “What if some blackhats found this vulnerability and exploited it, and are now in possession of the personal information of a bunch of DoD employees?” MLT wrote in a blog post. “Judging from those warnings on the index page, I expected them to take their site security at least somewhat seriously.” MLT reached out to Motherboard about this and other vulnerabilities at the end of November. After finding the flaws, MLT tried to report them to the Pentagon via email, but received no answer. That’s when he reached out to me, hoping I could prod the Pentagon to fix the issues. At that point, I contacted a person who used to work at DoD, hoping he could convey the report to the right people. My contact said he passed the report on, but didn’t know whether the Pentagon acted on it. Several spokespeople for the Department of Defense and the Army did not respond to multiple requests for comment. In any case, the SQLi exploit on the Defense Contract Management Agency site was fixed around a week ago, according to MLT. MLT found several other vulnerabilities, which he detailed in a blog post published on Monday. One of the bugs allowed anyone to access a US Army server just by typing the right string of characters in a browser’s URL bar. MLT also found a list of credentials in cleartext on a page within another Army website. One of the passwords was “mysecretpassword.” Lastly, the researcher also found around a dozen Cross Site Scripting, or XSS, vulnerabilities, which are also extremely common on the web. In fact, 80 percent of all sites have an XSS vulnerability, according to estimates by web security firm WhiteHat Security. 
Given the US military’s footprint on the web, and its outdated systems, “it is completely unsurprising that the military is vulnerable to all of these attacks,” according to Robert Hansen, who works at WhiteHat Security. “Truthfully, I’m quite certain they are vulnerable to far more than what MLT found, even.” Still, “that should make every American and every ally nervous,” he concluded.
Crawled News Article
Cybrary, the world’s first and only no-cost cyber security massive open online course (MOOC) provider, today launched its Cyber Security Job Platform. This talent platform is designed to meet the demand for skilled cyber security professionals, which is growing four times faster than the overall IT job market, and 12 times faster than the total labor market. Currently there are more than a million open job postings for cyber security positions around the world. Complimentary to all job seekers, Cybrary’s new talent platform features jobs in three main categories: GRC/Information Assurance, Network and Application Security, and Malware, Threat and Intel. Job seekers can upload and store up to five resumes for applying to positions. Employers and recruiters can post jobs and find professionals at all levels - entry, advanced, and leadership - for a variety of titles, such as Director of Cyber Security, Risk Management Analysts, Healthcare Information Security Officer, and Threat Analyst. “In the past, cyber security training has been excessively expensive. This has created a shortage of skilled cyber security professionals, leaving many businesses unprepared to fight emerging cyber threats,” said Ryan Corey, co-founder of Cybrary. “By removing training costs and building the world’s largest community of cyber security talent, Cybrary will increase the supply side of the jobs market, bring employers and talent together, and ultimately eradicate the cyber security talent shortage.” Launched in January 2015, Cybrary is growing at a record pace with nearly 250,000 users from over 150 countries. Cybrary, which provides no-cost, comprehensive IT and cyber security training options for people seeking to break into cyber security or accelerate in their careers, saw more than 120,000 people take its cyber security training courses last month. Notably, 16 percent of Cybrary’s user base is comprised of women, which is higher than the industry average. 
Cybrary has championed several additional initiatives over the last 10 months to meet other cyber security workforce challenges, including a pilot program with Women in Technology (WiT) and Cornerstone which utilizes Cybrary’s enterprise training platform to help advance women and girls in the cyber security industry; the creation of an educational training platform that helps K-12 and higher education educators plan, manage, and monitor IT and cyber security curriculum; and an enterprise security training platform that assists organizations in providing and managing courses and training programs for their employees, including end-user security awareness. Earlier this year, Cybrary was ranked #51 in a report of Top 100 brands in cyber security on social media. In August, the company closed a round of seed funding to help foster community growth and develop additional course content. Cybrary currently offers the most in-demand, cutting-edge training courses in cyber security, with new courses launching monthly.
About Cybrary
Founded in 2015, Cybrary gives aspiring and practicing cyber security professionals what they have long deserved and been denied: access to no-cost, high-quality, open-source and results-focused IT and cyber security training that will help start and advance their careers. A MOOC provider whose top managers have nearly 15 years of experience in IT training, Cybrary offers no-cost online training to anyone, anywhere and at every skill level.
Crawled News Article
Once upon a time, the biggest barrier to cloud adoption was security. That is no longer the case, but at the Re:Invent conference, Amazon.com unveiled two new security and compliance tools designed to make it easier for Amazon Web Services users to proactively find and fix security issues. Organizations were originally reluctant to move their servers and applications to cloud platforms because they didn't want to run afoul of compliance requirements or commit errors that could result in a massive data breach. AWS's new Amazon Inspector helps find vulnerabilities and other security issues; it also provides information on how to remediate those bugs and correct configuration mistakes. AWS's Config Rules is designed to ease compliance concerns, as it tells users when specific resources have changed and are no longer compliant. Amazon Inspector is an automated security assessment service that finds security or compliance issues in applications deployed on AWS. It analyzes the application’s behavior by monitoring network, file system, and process activity. It correlates that information with other data, such as details of communication with AWS, use of secure channels, and network traffic between instances, to generate reports listing potential security issues. Inspector groups the issues in the report by severity so that users know which ones to pay attention to first, and it provides advice on how to fix the problems. The resulting report shows existing vulnerabilities in the application code or the server configuration, as well as areas where the service may be out of compliance. Inspector’s reports would be valuable for Amazon customers who find it challenging to stay abreast of changes made to their applications and servers. 
There have been numerous stories of developers realizing passwords and keys were left inside configuration files when the application was deployed or all the times a server was misconfigured. For businesses in heavily regulated industries such as finance and health care, the assessment could verify they are meeting the strict guidelines on how to store and use data. Because Inspector is currently in preview, the only set of compliance rules it can check against is the PCI DSS 3.0 Assessment, but others will be added over time. Inspector also provides Cloud Trails, which is an audit trail indicating what issue was found, what actions were taken to address the issue, and when those actions occurred. Cloud Trails could be invaluable when working with auditors. Users can specify the duration of the assessment and which rules -- such as best practices, compliance standards, and known vulnerabilities -- Inspector should use as part of its analysis. Along with the PCI DSS assessment, Inspector includes rules from Common Vulnerabilities and Exposures, Network Security Best Practices, Authentication Best Practices, Operating System Security Best Practices, and Application Security Best Practices. The rules packages draw on all the knowledge Amazon has built up over the years, AWS senior vice president Andrew Jassy said. "You can tell which assessments were done, what findings they have, and what they actually did to remediate." The second tool, Config Rules, is designed to make compliance more straightforward. Users can set up compliance rules for resources and define specific actions that execute automatically if the rules are violated. The triggers can range from simply reporting the issue to appropriate parties to shutting down instances. Developers can fire up and shut down storage, processing, and networking resources as needed on AWS. But in a fast-paced environment, it is very easy to overlook security guidelines and policies. 
Config Rules will automate the checks so that users can fix the issues as they are found, Amazon said. Config Rules can ensure, for example, that every instance is associated with at least one security group, or that EC2 instances launched in a particular virtual private cloud are properly tagged. It can also check that port 22 is not open to any resource associated with a production security group. If a resource changes or a new one is created, Config Rules runs and verifies whether the resource is still within the defined parameters. Config Rules automates compliance checks, and all results are recorded and tracked on a per-resource basis. Config Rules could be very helpful for customers who may have forgotten about an instance or two sitting around in their environment. Config Rules can be used to shut down instances that aren’t in use or to look at the compliance status of a specific type of resource. For a long time, many organizations held back from moving their workloads to cloud platforms because they were concerned about security. They weren’t sure how to secure the data being stored on servers they didn’t have full control over. There were questions about authentication and identity management, concerns over compliance, and issues with moving data securely. At this year's Re:Invent conference, consulting giant Accenture announced a new AWS Business Group to help businesses address those worries and to migrate their applications to the cloud platform. Accenture recently bought Cloud Sherpas, a Google Cloud Platform consultancy, and it is clearly beefing up its cloud development and migration capabilities.
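The three checks the article attributes to Config Rules (instance has a security group, instances in a given VPC are tagged, no production security group opens port 22 to the world), as an added example that is not the article's or AWS's code: a small evaluator run over constructed resource records whose field names only mimic the EC2 API, with the rule names, the `env`/`owner` tags and the `vpc-prod` VPC id all assumptions.

```python
# Constructed sample data (not real resources): two security groups, three instances.
SECURITY_GROUPS = [
    {"GroupId": "sg-prod-1", "Tags": [{"Key": "env", "Value": "production"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-prod-2", "Tags": [{"Key": "env", "Value": "production"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-1", "VpcId": "vpc-prod", "SecurityGroups": ["sg-prod-1"],
     "Tags": [{"Key": "owner", "Value": "team-a"}]},
    {"InstanceId": "i-2", "VpcId": "vpc-prod", "SecurityGroups": [], "Tags": []},
    {"InstanceId": "i-3", "VpcId": "vpc-dev", "SecurityGroups": ["sg-prod-2"], "Tags": []},
]

def tag(resource, key):
    """Value of the tag named `key`, or None when the resource lacks it."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)

def ssh_open_to_world(group):
    """True if any ingress rule admits TCP/22 from 0.0.0.0/0 or ::/0.
    Protocol "-1" (all traffic) and port ranges that span 22 count as open."""
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= 22 <= hi:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            return True
    return False

def evaluate(groups, instances, required_tag="owner", vpc_id="vpc-prod"):
    """Return NON_COMPLIANT findings as (resource id, rule name) pairs, per resource."""
    findings = []
    for g in groups:
        if tag(g, "env") == "production" and ssh_open_to_world(g):
            findings.append((g["GroupId"], "prod-sg-no-public-ssh"))
    for i in instances:
        if not i.get("SecurityGroups"):
            findings.append((i["InstanceId"], "instance-has-security-group"))
        if i.get("VpcId") == vpc_id and tag(i, required_tag) is None:
            findings.append((i["InstanceId"], "vpc-instance-tagged"))
    return findings
```

Run against the sample data, only `sg-prod-1` (SSH open to the world) and `i-2` (no security group and untagged in `vpc-prod`) are reported; `i-3` is untagged but outside the checked VPC, so it passes.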