Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Category Archives: PC Security

The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities

Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities, by Clark, Fry, Blaze and Smith

“Work on security vulnerabilities in software has primarily focused on three points in the software life-cycle: (1) finding and removing software defects, (2) patching or hardening software after vulnerabilities have been discovered, and (3) measuring the rate of vulnerability exploitation. This paper examines an earlier period in the software vulnerability lifecycle, starting from the release date of a version through to the disclosure of the fourth vulnerability, with a particular focus on the time from release until the very first disclosed vulnerability. Analysis of software vulnerability data, including up to a decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source) shows that properties extrinsic to the software play a much greater role in rate of vulnerability discovery than do intrinsic properties such as software quality. This leads us to the observation that (at least in the first phase of a product’s existence), software vulnerabilities have different properties from software defects. We show that the length of the period after the release of a software product (or version) and before the discovery of the first vulnerability (the ‘Honeymoon’ period) is primarily a function of familiarity with the system. In addition, we demonstrate that legacy code resulting from code re-use is a major contributor to both the rate of vulnerability discovery and the numbers of vulnerabilities found; this has significant implications for software engineering principles and practice.”
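The abstract defines two measurements: the honeymoon period (release date to first disclosed vulnerability) and the intervals between the first four disclosures, with legacy code as an explanatory variable. The script below computes those figures per product version from a disclosure list. It is an added example, not code from the paper or its authors; the product names, release dates, disclosure dates and the per-vulnerability `legacy` attribution are constructed for illustration and are not the paper's data.

```python
"""Honeymoon-period metrics per product version from a disclosure dataset.

Added example, not from the Clark/Fry/Blaze/Smith paper. For each version it
reports the days from release to the first disclosed vulnerability (the
honeymoon), the gaps between consecutive disclosures up to the fourth, and the
share of those disclosures attributed to reused (legacy) code.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple

VersionKey = Tuple[str, str]  # (product, version)


class Disclosure(NamedTuple):
    product: str
    version: str
    disclosed: date
    legacy: bool  # assumed attribution: bug lives in code reused from an earlier version


class HoneymoonStats(NamedTuple):
    honeymoon_days: Optional[int]  # release -> first disclosure; None if nothing disclosed yet
    gaps_days: List[int]           # days between consecutive disclosures, up to the fourth
    legacy_fraction: float         # share of the counted disclosures flagged as legacy code


# Constructed sample data (hypothetical product "exampleos"), not measurements from the paper.
RELEASES: Dict[VersionKey, date] = {
    ("exampleos", "1.0"): date(2010, 1, 15),
    ("exampleos", "2.0"): date(2012, 6, 1),
    ("exampleos", "3.0"): date(2014, 1, 1),  # no disclosures yet: honeymoon still running
}

DISCLOSURES: List[Disclosure] = [
    Disclosure("exampleos", "1.0", date(2010, 9, 3), False),
    Disclosure("exampleos", "1.0", date(2010, 11, 20), False),
    Disclosure("exampleos", "1.0", date(2011, 2, 14), False),
    Disclosure("exampleos", "1.0", date(2011, 3, 1), False),
    Disclosure("exampleos", "1.0", date(2011, 8, 9), False),  # fifth: beyond the window, ignored
    Disclosure("exampleos", "2.0", date(2012, 7, 10), True),
    Disclosure("exampleos", "2.0", date(2012, 8, 2), True),
    Disclosure("exampleos", "2.0", date(2012, 12, 1), False),
    Disclosure("exampleos", "2.0", date(2013, 1, 20), True),
]


def honeymoon_stats(releases: Dict[VersionKey, date],
                    disclosures: List[Disclosure],
                    first_n: int = 4) -> Dict[VersionKey, HoneymoonStats]:
    """Group disclosures by version, order them by date, and measure the first `first_n`."""
    by_version: Dict[VersionKey, List[Disclosure]] = defaultdict(list)
    for d in disclosures:
        key = (d.product, d.version)
        if key not in releases:
            raise KeyError(f"no release date recorded for {key}")
        if d.disclosed < releases[key]:
            # A disclosure dated before the release is a data error, not a negative honeymoon.
            raise ValueError(f"disclosure {d.disclosed} precedes release of {key}")
        by_version[key].append(d)

    result: Dict[VersionKey, HoneymoonStats] = {}
    for key, released in releases.items():
        window = sorted(by_version.get(key, []), key=lambda d: d.disclosed)[:first_n]
        if not window:
            result[key] = HoneymoonStats(None, [], 0.0)
            continue
        honeymoon = (window[0].disclosed - released).days
        gaps = [(b.disclosed - a.disclosed).days for a, b in zip(window, window[1:])]
        legacy_fraction = sum(d.legacy for d in window) / len(window)
        result[key] = HoneymoonStats(honeymoon, gaps, legacy_fraction)
    return result


if __name__ == "__main__":
    for key, stats in honeymoon_stats(RELEASES, DISCLOSURES).items():
        print(f"{key[0]} {key[1]}: honeymoon={stats.honeymoon_days} days, "
              f"gaps={stats.gaps_days}, legacy={stats.legacy_fraction:.2f}")
```

On the constructed data the 2.0 branch, whose first four disclosures are mostly in reused code, shows the shorter honeymoon (39 days against 231 for 1.0), which is the pattern the abstract reports; with real data the `legacy` flag would have to come from mapping each fix to the commit history of the prior version.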

DHS Privacy Complaints Increase in 2013, Many Databases Kept Secret

EPIC – “The Department of Homeland Security Quarterly Report to Congress details programs and databases affecting privacy. According to the agency, DHS received 964 privacy complaints between September 1, 2013 and November 30, 2013. By contrast, DHS received 295 privacy complaints during the same period in 2011. According to the report, most DHS systems comply with Privacy Act notice …

Council on Foreign Relations Cybersecurity Policy Research Links

“How can the United States protect cyberspace “control system of our country,” without restricting the open “flow of information on the Internet“? What should countries consider when developing international cybersecurity standards and protocol? What should their citizens know to protect their information and their rights? Cybersecurity Policy Research Links provide news, background information, legislation, analysis, …

Research shows smartphone sensors leave trackable fingerprints

News release, ECE Illinois: “Research by Associate Professor Romit Roy Choudhury and graduate students Sanorita Dey and Nirupam Roy has demonstrated that the accelerometers used in mobile devices possess unique, trackable fingerprints. This suggests that even when a smartphone application doesn’t ask for geospatial information (“…would like to use your current location”), there are other …

EFF – Which Tech Companies Help Protect You From Government Data Demands?

EFF Survey Shows Improved Privacy and Transparency Policies of the Internet’s Biggest Companies “Technology companies are privy to our most sensitive information: our conversations, photos, location data, and more. But which companies fight the hardest to protect your privacy from government data requests? Today, the Electronic Frontier Foundation (EFF) releases its fourth annual “Who Has …

NIST Revises Guide to Use of Transport Layer Security (TLS) in Networks

“The National Institute of Standards and Technology (NIST) has released an update to a document that helps computer administrators maintain the security of information traveling across their networks. The document, NIST Special Publication 800-52 Revision 1: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, updates the original SP 800-52, released in 2005. Sensitive data—from …

The Target Data Breach: Frequently Asked Questions

CRS – The Target Data Breach: Frequently Asked Questions. N. Eric Weiss, Specialist in Financial Economics; Rena S. Miller, Specialist in Financial Economics. April 22, 2014. “According to Target, in November and December of 2013, information on 40 million payment cards (credit, debit, and ATM cards) and personally identifiable information (PII) on 70 million customers was compromised. The Secret Service has …

Biggest EU cyber security exercise to date

“Today, 28 April 2014, European countries kick off the Cyber Europe 2014 (CE2014). CE2014 is a highly sophisticated cyber exercise, involving more than 600 security actors across Europe. More than 200 organisations and 400 cyber-security professionals across Europe join forces today during the first phase of ENISA’s bi-annual large scale cyber security exercise, Cyber Europe 2014. …

More online Americans say they’ve experienced a personal data breach

Pew Research – Mary Madden – “As news of large-scale data breaches and vulnerabilities grows, new findings from the Pew Research Center suggest that growing numbers of online Americans have had important personal information stolen and many have had an account compromised. Findings from a January 2014 survey show that: 18% of online adults have …

Financial Institutions Directed to Respond to Heartbleed Attacks

Via American Banker: “The Federal Financial Institutions Examination Council said Thursday that it expects “financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability.” OpenSSL is open-source software that lets web sites encrypt communications with visitors. A vulnerability has been found …

FTC- Heartbleed May Cause You Some Heartache

News release: “If you’re thinking “Heartbleed” sounds serious, you’re right. But it’s not a health condition. It’s a critical flaw in OpenSSL, a popular software program that’s used to secure websites and other services (like VPN and email). If your company relies on OpenSSL to encrypt data, take steps to fix the problem and limit …

IRS misses XP deadline, pays Microsoft millions for patches

ComputerWorld: “The U.S. Internal Revenue Service (IRS) acknowledged this week that it missed the April 8 cut-off for Windows XP support, and will be paying Microsoft millions for an extra year of security patches. Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities …