Data Stream F17.2

Page 1

FALL 2017.2 Communique of the Department of Computer and Information Sciences

Top 10 Security Risks of 2017 | OWASP by Christina Cardoza

The Open Web Application Security Project (OWASP) officially released its Top 10 most critical web application security risks. This is the first time the organization has updated the Top 10 since 2013. “Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We’ve completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used,” the OWASP wrote in the Top 10 2017. According to the OWASP, some significant changes over the past couple of years that resulted in an update to the Top 10 include microservices, single page apps, and the dominance of JavaScript as a primary language on the web.

The Top 10 now consists of:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

XXE, insecure deserialization and insufficient logging and monitoring are new to the Top 10. Broken access control is a combination of 2013’s insecure direct object references and missing function level access control. In addition, the OWASP has removed unvalidated redirects and forwards, and cross-site request forgery (CSRF) from the Top 10. “Why have CSRF and unvalidated redirects and forwards been removed? It’s time to move on. The data for these is no longer strong enough to warrant inclusion, especially when we only have 8 data-supported spots with our new methodology, and these two items didn’t rank in the community survey. This is actually a sign of success; the fact that CSRF is finally going away is a sign that the OWASP Top 10 has been successful at its mission,” the OWASP wrote in a blog post.

The community survey, which received more than 500 responses, did agree on the inclusion of insecure deserialization and insufficient logging and monitoring, according to the OWASP. “These two items were obviously top of mind for many this year considering the era of the mega breach is not slowing down,” the OWASP wrote.

(Continued on page 2)

WHAT’S INSIDE

An Artificial Synapse That Can Learn Autonomously (page 2)
UNSW team develops cyber security education app (page 3)
Common Data Structure Operations (page 3)
Physicists Quantum Entangle Silicon Devices to Send Information Over a 20-Centimeter Distance (page 4)
Why companies are switching to Everything as a Service (page 5)
Quality Hacks (page 6)



An Artificial Synapse That Can Learn Autonomously by Dom Galeon

MIMICKING THE BRAIN

Developments and advances in artificial intelligence (AI) have been due in large part to technologies that mimic how the human brain works. In the world of information technology, such AI systems are called neural networks. These contain algorithms that can be trained, among other things, to imitate how the brain recognizes speech and images. However, running an artificial neural network consumes a lot of time and energy. Now, researchers from the National Center for Scientific Research (CNRS) in Thales, the University of Bordeaux in Paris-Sud, and Evry have developed an artificial synapse called a memristor directly on a chip. It paves the way for intelligent systems that require less time and energy to learn, and that can learn autonomously.

In the human brain, synapses work as connections between neurons. The connections are reinforced and learning is improved the more these synapses are stimulated. The memristor works in a similar fashion. It is made up of a thin ferroelectric layer (which can be spontaneously polarized) enclosed between two electrodes. Using voltage pulses, its resistance can be adjusted, like biological neurons. The synaptic connection will be strong when resistance is low, and vice versa. The memristor’s capacity for learning is based on this adjustable resistance.

BETTER AI

AI systems have developed considerably in the past couple of years. Neural networks built with learning algorithms are now capable of performing tasks which synthetic systems previously could not do. For instance, intelligent systems can now compose music, play games and beat human players, or do your taxes. Some can even identify suicidal behavior, or differentiate between what is lawful and what isn’t. This is all thanks to AI’s capacity to learn, the only limitation of which is the amount of time and effort it takes to consume the data that serve as its springboard. With the memristor, this learning process can be greatly improved. Work continues on the memristor, particularly on exploring ways to optimize its function. For starters, the researchers have successfully built a physical model to help predict how it functions. Their work is published in the journal Nature Communications.

Soon, we may have AI systems that can learn as well as our brains can — or even better. Image Credit: Sören Boyn/CNRS/Thales physics joint research unit

References: Nature Communications, CNRS Source: https://futurism.com/?p=77793

(Continued from page 1)

“A great deal of feedback was received during the creation of the OWASP Top 10 – 2017, more than for any other equivalent OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for OWASP to get the Top 10 right for the majority of use cases,” the OWASP wrote.

According to the OWASP, insecure deserialization leads to remote code execution, and insufficient logging and monitoring coupled with missing or weak integration results in hackers being able to attack systems and maintain persistence.

XXE is a new category supported by data. “Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks,” the OWASP wrote.

To defend against the Top 10, the OWASP believes developers need to establish and use repeatable processes and security controls, security testers need to establish continuous application security testing, application managers need to take charge of the full application lifecycle from an IT perspective, and the organization as a whole needs to have an application security program in place.
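The XXE guidance above comes down to never letting an XML processor honour a DTD from untrusted input. As an added example (not from the newsletter or from OWASP), the following Python uses the standard library's expat parser with handlers that reject any DOCTYPE, entity declaration or external entity reference instead of silently skipping it, so an attempt is visible to the caller and can be logged; the sample documents and the placeholder file URI are constructed.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Input tried to use a DTD, an entity declaration or an external entity."""


def parse_xml_no_dtd(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text}, refusing every DTD construct XXE relies on."""
    parser = expat.ParserCreate()
    result, buffer = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE (internal or external subset) is refused before its entities are read.
        raise UnsafeXMLError(f"DOCTYPE for <{name}> is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    def on_external_entity(context, base, sysid, pubid):
        # Reached only if an external entity is referenced; never resolve it.
        raise UnsafeXMLError(f"external entity {sysid!r} is not allowed")

    def on_end(tag):
        text = "".join(buffer).strip()
        if text:
            result[tag] = text
        buffer.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda tag, attrs: buffer.clear()
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = buffer.append
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return result


def classify(data: bytes) -> str:
    # Outcome a request handler should log: ok, rejected (DTD/XXE attempt) or malformed.
    try:
        parse_xml_no_dtd(data)
        return "ok"
    except UnsafeXMLError:
        return "rejected"
    except expat.ExpatError:
        return "malformed"


# Constructed sample inputs; the second has the shape OWASP describes, with a placeholder file URI.
SAFE_DOC = b"<order><id>42</id><note>deliver to desk</note></order>"
DTD_DOC = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b"<order><note>&ext;</note></order>")
```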


UNSW team develops cyber security education app by Susanna Smith

UNSW Sydney students, employees and alumni have collaborated to develop an app designed to educate people about cyber security.

A.L.I.C.E. (Artificial Learning Intelligence for Centralised Education) uses a 1980s retro-style arcade theme to take players through a range of cyber security scenarios with the aim of recovering their stolen identity. Along the way they navigate “the network”, using their wits to outsmart evil viruses, beat attacking malware and ward off phishing attacks on their social media accounts. Players are assisted by an artificial intelligence system built for centralised education.

A.L.I.C.E. has been developed to educate students and staff about cyber security.

Kamer Nizamdeen, a UNSW IT Business Analyst and game development analyst, said the app was developed and produced to raise awareness of the most common cyber security threats to UNSW students.

"Cyber security is a current hot topic. As we spend more and more time online, our digital footprint and online presence relate directly to our personal identity. If it’s not carefully protected we can be left vulnerable and open to theft," Nizamdeen said.

Nizamdeen explained that the program is based on gamification theory, which brings game design elements and principles to learning situations – encouraging players to have fun while learning.

"The challenge was to create an awareness campaign among our student population that would be palatable, highlighting ways to protect themselves online and providing key messages that can be quickly consumed," he said. "We also wanted our students to think – ‘Wow, I can’t believe my uni built this!’."

The app development team hails from across the UNSW community and includes students with backgrounds in Computer Science and Information Systems drawn from the UNSW Heroes Program, staff from UNSW IT, and alumni working with vendor partner S1T2.

"We went from a small room in the Scientia Gallery on campus to a creative design studio in Surry Hills where the story, characters and gameplay were further fleshed out," Nizamdeen said. "The app has been developed on the Unity platform which our student team had the opportunity to experiment with."

A.L.I.C.E. was released on 13 November and is available for free download via the Play Store (Google) and the App Store (Apple). Further enhancements will be made before the app is launched for O Week on 19 February 2018.

Source: UNSW Newsroom



Physicists Quantum Entangle Silicon Devices to Send Information Over a 20-Centimeter Distance by Dom Galeon

Storing Quantum Information

In the science of quantum communication, the challenge has always been prolonging the entangled state that the particles are in. As quantum information is carried by these entangled particles, the length of time the entanglement is sustained affects the distance that the information can travel. Quantum communication systems do this using direct optical-fiber connections, which are rather limited because the way that fibers absorb light can disrupt the entanglement needed to carry quantum information. Building a quantum internet, which is essentially a network of quantum entangled routers linked by fiber that can store quantum information, requires routers that can store and send entangled particles.

A team of researchers from the University of Vienna in Austria, led by Ralf Riedinger, supposedly built such a router. This device is a nanomachine capable of receiving and storing quantum information sent through ordinary fiber optic cables. It contains a pair of nanofabricated silicon resonators, made using electron-beam lithography and plasma reactive-ion etching, which are tiny silicon beams that vibrate like a guitar string.

The inner workings of this nanomachine. Image Credit: Ralf Riedinger

In order for the machine to store quantum information, the silicon beams needed to vibrate at a precise frequency. Riedinger’s team arrived at the exact frequency, which is 5.1 gigahertz (or a wavelength of about 1,553.8 nanometers), after fabricating around 500 of these silicon resonators and testing each chip to find identical pairs. “We find a total of 5 pairs fulfilling this requirement within 234 devices tested per chip,” the researchers wrote in the paper published online. Both chips were placed in a fridge, while they remained connected to each other by 70 meters of optical fiber cable, covering a distance of 20 centimeters. The two resonators were then successfully entangled. “We create and demonstrate entanglement between two nanomechanical devices across two chips that are separated by 20 cm,” the researchers wrote.

Making the Quantum Internet Real

In their proof-of-principle experiment, the researchers first cooled the resonators to almost absolute zero to keep them in a quantum ground state. To generate entanglement, they then connected the resonators by a fiber-optic cable that contained photons at the identified resonance frequency. Although their tests were only done over 20 centimeters, this setup could be significantly expanded. “We do not see any additional restrictions to extend this to several kilometers and beyond,” Riedinger’s team wrote. “The system presented here is directly scalable to more devices and could be integrated into a real quantum network.”

In short, what they’ve built is essentially a working quantum router — a device that could be crucial in realizing a quantum internet. Even better, it could be modified to carry information over microwave frequencies, according to the MIT Technology Review, and therefore be connected with quantum computers that operate on these frequencies. “Combining our results with optomechanical devices capable of transferring quantum information from the optical to the microwave domain could provide a backbone for a future quantum internet using superconducting quantum computers,” Riedinger and his colleagues wrote.

Just like how quantum computers would change our problem-solving abilities, a quantum internet is expected to completely revolutionize communication. This is partially because it promises to be more secure, thanks to quantum cryptography that renders messages potentially un-hackable. Experts believe that we’re only a decade away from realizing a working, secure quantum network.

References: MIT Tech Review, arXiv
Source: futurism

JavaScript Tip: use === instead of ==

The == (or !=) operator performs an automatic type conversion if needed. The === (or !==) operator will not perform any conversion. It compares the value and the type, which could be considered faster than ==.

    [10] === 10   // is false
    [10] == 10    // is true
    '10' == 10    // is true
    '10' === 10   // is false
    [] == 0       // is true
    [] === 0      // is false


Why companies are switching to Everything as a Service

There are a variety of reasons a company would want to shift business or IT services from an in-house to an as-a-service model. A new research report from ZDNet's sister site, Tech Pro Research, examines why businesses choose the as-a-service option, what services they've shifted, and what outcomes they're experiencing. When asked why their company chose to use service providers instead of systems created in-house, half of respondents to the Tech Pro Research survey cited automatic maintenance offered by vendors as a reason. Slightly less than half said that lower cost in terms of deployment and maintenance, and faster time to deployment, were advantages of the as-a-service model. Because 42 percent of respondents came from businesses with 49 or fewer employees, it makes sense that many of them also said their company chose the as-a-service model because they didn't have the in-house expertise to deploy the services they use, or that the company needed to free up the IT team for other tasks. Companies represented in the survey used an average of two to three business functions, and two to three IT functions, as a service.

Source: zdnet




