Issue No. 12 - December (2011 vol. 44)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MC.2011.379
Serious Security Flaws Identified in Cloud Systems
German researchers report finding serious problems with two cloud systems and say these flaws probably exist in other cloud architectures. The Ruhr University Bochum team said the vulnerabilities could let attackers gain administrative rights to host systems.
The investigators found flaws with Amazon Web Services (AWS) and informed Amazon, which has since patched the problems. They also discovered vulnerabilities with the open source Eucalyptus private-cloud software framework.
The Ruhr University team used XML signature-wrapping attacks to gain administrative access to AWS customer accounts. In these attacks, a hacker changes the content of the signed part of a message sent via the SOAP protocol without invalidating the signature itself.
The investigators say they are working on techniques that can be used with existing XML security approaches to eliminate this flaw. They also report that AWS was susceptible to cross-site scripting attacks, in which hackers inject a malicious script into webpages.
According to team members, their cloud attacks were general in nature and did not target Amazon's system and thus would probably be effective against multiple cloud architectures.
Amazon said that the attacks would affect very few types of AWS transactions and that no customers have been affected by such incidents.
Braille Writer Promises to Help the Blind Communicate
A Stanford University-based team of researchers has developed an innovative, relatively inexpensive device for writing Braille. The tablet-based device solves the problem of blind users having to find keys on a virtual keyboard that appears on a flat glass touchscreen. Instead, the researchers developed a way for the keys to find users' fingers.
Adam Duran, a senior at New Mexico State University, came to Stanford to work on the project as part of an invitation-only, advanced-computing competition sponsored by the US Army High-Performance Computing Research Center (AHPCRC), whose partners include several universities and companies.
Duran worked with Stanford assistant professor of mechanical engineering Adrian Lew and computational-mathematics doctoral candidate Sohan Dharmaraja.
The team members originally were going to work on a character-recognition application that would use a mobile device's camera to convert pages of Braille into text. However, they decided that the application would be of limited value and that the logistics of developing it—such as ensuring that a blind person would correctly orient a page for use with the software—would be difficult to solve.
At that point, they decided to work on a Braille writer. According to the researchers, current Braille writers look like laptops without displays, offer limited functionality, and are expensive. They typically work with either screen-reading software or Braille displays.
The key for the Stanford team was developing a touchscreen that blind people could use. The researchers first learned Braille and designed a virtual Braille keypad. They then developed virtual keys that locate themselves under users' fingers after they touch the glass.
This approach makes the Braille reader less expensive and more portable than previous devices, and also simplifies usage. Moreover, it enables touchscreen customization, Dharmaraja said.
The researchers are continuing to work on their device, which they say has functioned well in testing.
Scientists Use Computers to Crack Old, Encrypted German Document
A team of researchers has used computer analysis, machine translation, and other technologies to crack an encrypted 18th-century document that had previously resisted decryption.
The team members—including a machine-translation expert from the University of Southern California's Information Sciences Institute and two Uppsala University linguists—broke the Copiale Cipher.
The 105-page encrypted manuscript contains 75,000 characters—including abstract symbols, as well as Greek and Roman letters—and no spaces. Experts say it was probably written in the late 1700s. The document was discovered years ago in the former East Germany.
It turns out the Copiale Cipher was based on a complex encryption plan that basically substituted symbols for those that appear in an original document.
The researchers used various computer-analysis approaches. They also applied expected-word-frequency and other machine-translation techniques.
After several earlier approaches proved unsuccessful, the investigators tried to determine whether the Copiale Cipher used a hard-to-crack scheme in which more than one character could replace a single letter of an unencrypted document. Although this didn't translate the text, it indicated—based on further analysis—that the original document might have been written in German. Future decryption efforts, which proved successful, assumed this was the case.
Little by little, with the help of an online translation service and knowledge of German grammar, they identified text, as well as patterns and variables that helped with the process. For example, they found that the document's writers used Roman letters as spaces between words, which made the decryption process more difficult.
The research team's translation showed that the Copiale Cipher described the complicated and unusual initiation rites for a secret German oculists' society.
Researchers Launch Full-Court Press to Find Problems with Industrial-Control Systems
The Stuxnet worm gained worldwide attention late last year because it was the first malware to target industrial-control systems and because it was very intricately designed.
According to experts, the Stuxnet incident has increased efforts by both hackers and security researchers to find problems with the control systems that run factories, nuclear-power plants, and other critical facilities.
They consider this effort important because a failure in industrial-control systems could cause power outages, nuclear accidents, and other serious problems.
The US Department of Homeland Security established its Industrial Control Systems Cyber Emergency Response Team in 2009 to handle these types of problems. ICS-CERT reports that it handles six times as many incidents now than when it was founded two years ago. The agency attributes this to the higher profile that industrial-control-system security now has—with both hackers and researchers—since Stuxnet made the news.
ICS-CERT says it is currently working on about 50 problems. However, security researchers for private companies say they've found hundreds more, some critical and some not. For example, members of Google's and Boeing's security teams report finding 665 industrial-control-system vulnerabilities in server software and drivers, as well as the interface software that manages factory machinery. They said 75 of the flaws could cause significant damage if exploited.
The effort to find industrial-control-system issues has also created strange bedfellows in that the companies that make such systems aren't used to working with the independent researchers who are now looking for problems with their products.
Some observers say this could cause problems. If industrial-control-system vendors don't work with independent researchers, the researchers might force corrective measures by releasing technical details of the vulnerabilities before they're patched. This has occurred in the past with other types of software.
GM Works on Augmented Reality for Vehicles
US automaker General Motors, working with several universities, is researching ways to use augmented reality (AR) in vehicles to help drivers cope with hazardous situations.
GM's enhanced vision system would place sensors and cameras inside and outside vehicles. They would monitor external conditions, as well as the movements of a driver's eyes and head. This would let the system provide drivers with relevant safety information. For example, it could alert a driver that the car is approaching a potentially hazardous situation—such as children playing in the street—that the driver either can't see or isn't looking at.
The system would use AR to show important information on a vehicle's windshield, which would be coated with transparent phosphors to improve the display's clarity.
GM says its tests indicate that it is safer for drivers to see information on a windshield, with their eyes looking ahead, than to look down at current vehicle-display systems.
Working in collaboration with schools such as Carnegie Mellon University, GM is still developing the enhanced vision system—researching potential problems such as driver distraction—and doesn't expect it to appear in production for another five to seven years.