Ravioli, Spaghetti, Bonferroni, Cannelloni, Lasagna. All delicious products made from semola di grano duro. Add tomato sauce, put some grana on top, serve with Chianti. (Or Teroldego if, like me, you’ve spent some time in the Trentino.) Mjam!
In a paper, published at a peer-reviewed conference, the authors wished to test the hypothesis that their univariate data was distributed according to an exponential distribution. They didn’t get it quite right.
In my last article, I discussed the theoretical benefits of MPC for collaborative network security and how basic MPC primitives can be optimized for practical performance. In the last article of this series for now, I’d like to report on our experiences from applying MPC protocols to real network traces of six SWITCH customers.
Wednesday, June 8, 2011 was World IPv6 Day. The event was an opportunity for participating content-network operators to test their IPv6 readiness, as well as to increase general community awareness of IPv6, and of the slowly ongoing transition. Another goal of IPv6 Day is to “shift the baseline”, as heise did last year: once network operators and content providers see that IPv6 doesn’t break everything (or, more realistically, fix those minor things which do break), they’ll leave it on, and the post-June 8 world will have a little more IPv6 in it.
I’ve recently seen a paper, published at a peer-reviewed conference, where the authors argue that some inter-arrival times were exponentially distributed and that the number of events per unit time was Poisson distributed. They did some statistical tests and concluded that the evidence was not enough to discard either hypothesis.
Sounds OK? Well, not quite.
In my last articles, I argued that next-generation Internet security requires collaboration and that privacy concerns are the main roadblock for such cooperative solutions. I’ve also discussed network trace anonymization as a potential solution to the privacy issues with network data. Unfortunately, the delicate privacy-utility tradeoff involved in anonymization makes it impractical for real-world use.
In my last article, I discussed why collaboration among networks is essential for monitoring the Internet and maintaining its security in the future. Unfortunately, such collaboration is very difficult in practice due to privacy concerns.
In the fable “The Blind Men and the Elephant” by the American poet John Godfrey Saxe, six blind men from Indostan heard of a thing called “an elephant” but did not know what it was. To satisfy their minds, they went to observe a real elephant. Each of them approached the elephant from a different side and came to his own conclusion about what an elephant is. The one that touched the side found “It’s very like a wall!”, while the one examining the tusk shouted “It’s very like a spear!”. The knee was judged to be like a tree, the trunk like a snake, the ear like a fan, and the tail like a rope. When they finally came together to discuss their observations they had a long dispute about what an elephant was. However, as Saxe put it: “Though each was partly in the right, all were in the wrong!”
Is the Internet an Elephant?
On May 31, 2011, “Kassensturz”, a popular consumer magazine on Swiss TV, will look into e-banking systems as offered to customers of Swiss banks. Members of the CSG participated in evaluating the usability and security of e-banking systems of Migrosbank, UBS, Raiffeisen, Berner Kantonalbank and Postfinance. Due to the legal situation in Switzerland, a security evaluation – in this case tantamount to a limited penetration test – could only be carried out with the explicit consent of the banks concerned.
In our security evaluation we mimicked a real case of an e-banking fraud attempt, in which an on-going session of an e-banking customer was hijacked by cyber-criminals. The hijackers managed to initiate a transfer of a five digit amount to an account presumably under their control. Ultimately the off-line anti-fraud system of the bank detected the anomaly and blocked the attempted scam.
On behalf of Kassensturz we investigated to what extent the e-banking systems under test are vulnerable to the same type of session hijacking as in the real case. The results vary significantly.
Don’t miss “Kassensturz” on May 31st, 21:05 hours, Swiss TV SF1. http://www.kassensturz.sf.tv/
A rather large collaborative work from the people who brought you Spamalytics was presented this week at the IEEE Symposium on Security and Privacy (known in the field simply as Oakland). The paper represents a new direction in academic research on the spam problem: following the value chain of the products advertised in spam back to the people selling them.