Volume 13, Issue 2

Cyborg Cockroaches Could Power Own Electric 'Brains'

New Scientist (12/30/08) No. 2689, P. 22; Robson, David

Engineers are creating insects that can be controlled through electronics by implanting electrical stimulators that zap certain nerves or brain cells to trigger an impulse to move in the desired direction. The insects, which can be controlled by remote control or a preprogrammed chip, may soon be able to generate the electricity required to control them, prolonging their controllable life span. Powering these chips has been difficult, as wires from external power sources restrict an insect's movement, and most batteries are too heavy to be put on an insect, says Tokyo University of Agriculture and Technology researcher Keisuke Morishima. He has suggested that the insects themselves could be used to power the chips. As a proof of concept, Morishima glued a piezoelectric fiber to the back of a Madagascar hissing cockroach. The movements of the cockroach squeezed and stretched the fiber, generating electricity through mechanical stress. Morishima's experiment demonstrated that the cockroach can generate more than 10 millivolts in a single fiber, meaning that about 100 fibers would be enough to power the stimulator implants. University of Reading cybernetics expert Kevin Warwick believes it may be difficult to store the generated energy in order to provide a steady supply while operating a controllable insect and that 100 fibers may be too heavy for an insect to carry. However, Warwick says the method could be applied to larger animals such as rats, which could generate more power when controlled using a similar system.


A Fairer, Faster Internet Protocol

IEEE Spectrum (12/08) Vol. 45, No. 12, P. 42; Briscoe, Bob

An overhaul of the Internet's sharing protocol will boost both the Internet's speed and simplicity, writes BT researcher Bob Briscoe. The Transmission Control Protocol's (TCP's) sharing rules do not really allocate all users fair bit rates, as they are purported to do, and adding capacity is not a viable solution. Briscoe offers a solution that starts by making it easier for programmers to run TCP more than once, contrary to the traditional model of TCP-friendliness. Programmers establish a weight parameter to control the number of shares a user's computer takes from the network, which guarantees super-fast browsing rates by setting the weights high for light interactive usage and low for heavy usage. The second part of the challenge involves encouraging everyone to flip the weights, and Briscoe says he and his colleagues have hit upon a method to reveal congestion to facilitate the enforcement of limits. This "refeedback" process starts with a congested router marking some package with a debit, after which the receiver transfers the debit marks into congestion-feedback packets. The next step involves the sender reinserting the feedback into the forward data flow as credit marks, with the outcome being that computers at the end still spot and manage congestion, but the packets they transmit now have to indicate how much congestion they will come up against on their way through the Internet, allowing networks to restrict excessive congestion as packets enter the Internet. The network is able to eject packets if the balance of passing marks is consistently in debt.


Experts Uncover Weakness in Internet Security

Ecole Polytechnique Federale de Lausanne (12/30/08) Luy, Florence

Security researchers in Europe and California have discovered a vulnerability in the Internet digital certificate infrastructure that could allow attackers to forge certificates that are trusted by all common Web browsers. The weakness makes it possible to impersonate secure Web sites and email servers to perform undetectable phishing attacks. Whenever a small padlock appears in a browser window, the Web site being visited is secured using a digital certificate from a Certification Authority (CA). To ensure the certificate is authentic, the browser verifies the signature using cryptographic algorithms. The researchers discovered that one of these algorithms, known as MD5, can be misused. The first known flaw in the MD5 algorithm was presented in 2004 at the annual Crypto cryptography conference by Chinese researchers, who performed a collision attack and created two different messages with the same digital signature. The initial attack was severely limited, but a much stronger collision attack has been found by the European and California researchers. The new method proves it is possible to create a rogue CA that is trusted by all major Web browsers. A rogue CA, combined with a known vulnerability in the Domain Name System protocol, could allow attackers to launch virtually undetectable phishing attacks. The researchers say MD5 can no longer be trusted as a secure cryptographic algorithm for use in digital signatures and certificates. Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, says the developers of the major Internet browsers have been informed of the vulnerability.
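A defender-side check that follows from this finding, added here as an example and not part of the article or the researchers' work: it walks the DER structure of a certificate and flags one whose outer signatureAlgorithm is md5WithRSAEncryption (OID 1.2.840.113549.1.1.4). The certificates it scans are constructed stand-ins produced by a small DER encoder in the same block, not real certificates.

```python
# Added example (not from the article or the researchers it describes): walk the DER
# structure of an X.509 certificate and flag MD5-based signatures. The certificates
# scanned here are constructed stand-ins built by a tiny DER encoder, not real ones.
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }

MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # PKCS#1 md5WithRSAEncryption
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # PKCS#1 sha256WithRSAEncryption
WEAK_SIGNATURE_OIDS = {MD5_WITH_RSA}       # MD5 collisions are practical

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content octets (base 128, high bit = continuation) to dotted form."""
    arcs, acc = list(divmod(content[0], 40)), 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg_id, 0)        # first element must be the OID (tag 0x06)
    return decode_oid(oid)

def is_weak_signature(cert_der):
    return signature_algorithm(cert_der) in WEAK_SIGNATURE_OIDS

# --- constructed samples: minimal DER encoder for the stand-in certificates ---
def der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form length only (< 128 bytes)
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return der(0x06, bytes(out))

def fake_cert(sig_oid):
    tbs = der(0x30, der(0x02, b"\x01"))                    # placeholder tbsCertificate
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))  # signature OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAB" * 16)                # placeholder signature BIT STRING
    return der(0x30, tbs + alg + sig)
MD5_CERT = fake_cert(MD5_WITH_RSA)        # would be flagged by is_weak_signature
SHA256_CERT = fake_cert(SHA256_WITH_RSA)  # passes
```

Applied to every certificate in a chain, the check also catches an MD5-signed intermediate, which is the rogue-CA case the article describes.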


The 9 Hottest Skills for '09

Computerworld (12/30/08) Hoffman, Thomas

Even with a struggling economy and record unemployment, certain IT skills will be in high demand in the coming year. Programming and application development will be the most in-demand skills in 2009, concludes Computerworld's annual Forecast survey. For example, demand for SAP skills remains high because an increasing number of companies want to establish global ERP systems. Help desk and technical support are the second most in-demand skills, especially for people with a variety of technical expertise and customer-service abilities. Project managers with a strong track record also will be in high demand, particularly if they can demonstrate the ability to finish a project on time or under budget. The increasingly widespread use of voice, email, video, instant messaging, and other communications systems will keep networking skills in high demand as well, and network convergence projects will increase demand for workers with network security and data privacy skills. Demand for business intelligence specialists, including people with data mining, data warehousing, and data management knowledge, will be high due to the desire to be able to analyze customer and sales data. IT professionals with security skills also are needed, particularly for those with networking and wireless security skills. Web 2.0 skills also are in demand, thanks to the continuing expansion of business-to-business connections and the increasing use of social networking sites and applications in the corporate environment.


Feds May Mine Blogs for Terrorism Clues

USA Today (12/24/08) P. 3A; Frank, Thomas

The U.S. Department of Homeland Security (DHS) wants to use data-mining technology to search blogs and Internet message boards to find those used by terrorists to plan attacks. "Blogging and message boards have played a substantial role in allowing communication among those who would do the United States harm," DHS said in a recent notice. DHS is looking for companies to develop technology to search the Internet for postings "in near to real time which precede" an attack. University of Arizona's Artificial Intelligence Lab director Hsinchun Chen says terrorists provide a lot of bomb-making information on Web sites and forums, as well as through Internet messaging systems. However, Chen and others are uncertain of how useful that information will be in preventing terrorist attacks. Terrorism analyst Matt Devost says that many postings about attacks are simply fantasy or role-playing. The Memorial Institute for the Prevention of Terrorism's Chip Ellis says the government already uses search methods similar to a Google query, and that the search can be helpful in uncovering the latest bomb-making technology. Federation of American Scientists intelligence expert Steven Aftergood praises DHS for trying to find innovative approaches, and says the department's efforts will not jeopardize privacy because it will be searching public Web sites.


Warning over DNS protection

By Denise Dubie, Network World (US)

IT managers should make protecting their systems from a DNS attack a priority, despite the budget constraints that they're operating under.

Despite the threat posed by the vulnerability discovered by Dan Kaminsky last year and despite other DNS attacks, such as cache poisoning and distributed denial-of-service (DDoS), a quarter of all networks had not been patched by mid-November, according to The Measurement Group.

"These name servers are trivially vulnerable to the Kaminsky attack. With an effective exploit script, a hacker can insert arbitrary data into the cache of one of these name servers in about 10 seconds," said Cricket Liu, vice president of architecture at Infoblox.

A separate survey of 466 enterprise online customers conducted by DNSstuff in September revealed that 9.6 percent hadn't patched their DNS servers and 21.9 percent didn't know if they were patched. The findings show that despite the DNS community's and several vendors' efforts, a significant number of server administrators have yet to take action. As for the reasons behind the lack of patches, more than 45 percent cited a lack of internal resources, 30 percent said they were unaware of the vulnerability and 24 percent reported they didn't have enough knowledge of DNS to take the appropriate steps.

Infoblox said there was a misconception that DNS was a trivial part of the network. It performs a critical function by mapping domain names to IP addresses and directing Internet inquiries to the appropriate location. "Should an enterprise's DNS systems fail … all Internet functions, including email, web access, e-commerce and extranets become unavailable," according to Infoblox.

A second misconception, according to Infoblox, is that any version of BIND will protect name servers on the Internet. BIND version 9 is a major rewrite of the Berkeley Internet Name Domain and includes DNS security and protocol enhancements, as well as support for IPv6.


Cognitive Computing: Building a Machine That Can Learn From Experience

University of Wisconsin-Madison (12/17/08) Smith, Susan Lampert

University of Wisconsin-Madison psychiatrist Giulio Tononi is working with scientists from Columbia University and IBM to develop software for a thinking computer, while nanotechnology and supercomputing experts from Cornell University, Stanford University, and the University of California-Merced are developing the hardware. The collaborative effort has been awarded a $4.9 million grant from the Defense Advanced Research Projects Agency for the first phase of DARPA's Systems of Neuromorphic Adaptive Plastic Scalable Electronics project. The goal is to create a computer capable of sorting multiple streams of changing data to find patterns and make logical decisions. The finished cognitive computer must also be no larger than the size of a small mammal's brain and use as little power as a 100-watt light bulb. Although the project draws inspiration from the brain's architecture and function, Tononi says that it is not possible or desirable to recreate the entire structure of the brain down to the synapse level. "A lot of the work will be to determine what kinds of neurons are crucial and which ones we can do without," he says. Value and reward systems are important, and learning is crucial because a cognitive computer must be able to learn from experience. Tononi says the artificial brain will need to be able to change as it learns from experience, and the design will most likely convey information using electrical impulses modeled after the spiking neurons found in mammal brains.


Military Hoping Chat Bots Will Replace Deployed Parents

InformationWeek (01/02/09) Claburn, Thomas

The U.S. Department of Defense is soliciting proposals for the development of an artificial intelligence program that young children would be able to communicate with when their active duty parents are not available to talk. "The child should be able to have a simulated conversation with a parent about generic, everyday topics," according to a post on the Pentagon's Small Business Innovation Research Web site. "This is a technologically challenging application because it relies on the ability to have convincing voice-recognition, artificial intelligence, and the ability to easily and inexpensively develop a customized application tailored to a specific parent." The military is seeking a solution that young children can use when Internet and phone communication are not an option, so it has ruled out Skype or similar technologies. Boston University psychology professor Catherine Caldwell-Harris questions whether a young child will understand that an avatar on a screen is supposed to be their parent.


UT-Arlington Project That Could Improve the Lives of Blind People Is Short $300,000

Star-Telegram (TX) (12/29/08) Trainor, Gene

Researchers from the University of Texas at Arlington, the University of Texas at San Antonio, and the Southwestern Medical Center have developed Intelligent Eyes, a wearable device that could help sight-impaired people navigate their environment. Intelligent Eyes is a system of cameras, computer chips, software, and audio equipment that could be built for about $100. The researchers say that its low cost could allow it to be widely used, but they need at least $300,000 to develop a demonstration model. Intelligent Eyes users wear glasses that contain a camera in each lens to replicate human eyes. The cameras send information to a digital signal processor in a device worn on the body, which contains software that processes data from the user's surroundings. The information is wirelessly sent to an earphone attached to the glasses, and a verbal description of the surroundings is provided for the user. UT-Arlington professor Jean Gao says the system can identify non-moving and major moving obstacles that most people encounter, such as other people, animals, and vehicles. The system also can tell the difference between a sedan and an SUV. However, it cannot identify some obstacles, such as a glass wall, so canes still would be needed. The current system is too bulky to be worn practically, so the researchers requested a $300,000 National Science Foundation grant to make the system slimmer, but were turned down. The researchers have since made some improvements to the device and plan to request a grant again early next year.


Top Ten Cyber Security Menaces for 2008


Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008.

Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.

Here's their consensus list in ranked order:

1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites

Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, web site attacks have migrated from simple ones based on one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits, to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads. One of the latest such modules, mpack, produces a claimed 10-25% success rate in exploiting browsers that visit sites infected with the module. While all this is happening, attackers are actively placing exploit code on popular, trusted web sites where users have an expectation of effective security. Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.


Top 5 Essential Log Reports


Contributors: Chris Brenton, Independent Security Consultant (chris@chrisbrenton.org); Tina Bird, Security Architect, PGP Corporation; Marcus J. Ranum, CSO, Tenable Network Security, Inc.


In June of 2000, the "SANS/FBI Top 10 Critical Vulnerabilities" consensus list was created. This list identified the ten most frequently exploited vulnerabilities on the Internet. While the list was not intended to be a complete list of all possible threat models, it was an extremely useful action item list for network, system and security administrators alike. By securing the listed ten items, the administrator would receive the greatest increase in overall security and thus the greatest reduction in security risk from hostile attacks.

In the spirit of this original consensus, the SANS community has again banded together in order to create the "Top 5 Essential Log Reports" consensus. This list is not intended to be a complete review of all the potentially useful log reports. Rather, the focus is on identifying the five most critical log reports for a wide cross-section of the security community. These are the top reports which should be reviewed on a regular basis. The goal is to include reports that have the highest likelihood of identifying suspect activity, while generating the lowest number of false positive report entries. The log reports may not always clearly indicate the extent of an intrusion, but will at least give sufficient information to the appropriate administrator that suspect activity has been detected and requires further investigation.


20% discount off SANS@Home Network Pen Testing course

Just a quick note to let you know that the SANS Institute is offering a 20% discount off the upcoming SANS@Home webcast training course, "Security 560: Network Penetration Testing and Ethical Hacking" — exclusively for friends of Core Security Technologies.

- Course Title: Security 560: Network Penetration Testing and Ethical Hacking

- Instructors: Ed Skoudis & John Strand

- Start Date: Tuesday, January 13, 2009

- End Date: Thursday, February 19, 2009

- Meeting Times: Tuesdays and Thursdays, 1:00 PM - 4:00 PM EST

To receive your 20% discount, enter "CORE" into the Registration Code field under Step 3 of the registration process. The discount is only applicable for the January 13 - February 19 course. The discount cannot be applied retroactively to existing registrations.

Learn more and register: http://www.sans.org/info/33899

If you have any questions about the course or the discount, please contact SANS at +1 (301) 654-7267 or registration@sans.org.


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License