Bibliography[69] Obama Order Sped Up Wave of Cyberattacks Against Iran, June 2012.http://www.nytimes.com/2012/06/01/world/middleeast/obama-orde<strong>red</strong>-waveof-cyberattacks-against-iran.html?pagewanted=all&_r=1&.[70] U.S. Team and Israel Developed Iran Worm, June 2012. http://online.wsj.com/article/SB10001424052702304821304577440703810436564.html.[71] Cyberattack leaves natural gas pipelines vulnerable to sabotage, Feb. 2013.http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattackleaves-natural-gas-pipelines-vulnerable-to-sabotage.[72] Hello, Unit 61398, Feb. 2013. http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks.[73] McAfee Threats Report: First Quarter 2013. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2013.pdf, 2013.[74] SANS SCADA and Process Control Security Survey, Feb. 2013. https://www.sans.org/reading_room/analysts_program/sans_survey_scada_2013.pdf.[75] Symantec Internet Security Threat Report 2013. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.enus.pdf,2013.[76] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In Proceedings ofthe 12th ACM conference on Computer and Communications Security (CCS), 2005.[77] B. Adida. Beamauth: two-factor web authentication with a <strong>book</strong>mark. In Proceedings of the14th ACM conference on Computer and communications security, CCS ’07, pages 48–57, NewYork, NY, USA, 2007. ACM.[78] G. Aggrawal, E. Bursztein, C. Jackson, and D. Boneh. An analysis of private browsingmodes in modern browsers. In Proceedings of 19th Usenix Security Symposium, 2010.[79] D. Akhawe and A. P. Felt. Alice in warningland: A large-scale field study of browsersecurity warning effectiveness. In Proceedings of the 22th USENIX Security Symposium, 2013.[80] P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory errorexploits with WIT. In Proceedings of the 2008 IEEE Symposium on Security and Privacy,S&P’08, 2008.[81] C. Albanesius. Google: Wi-Fi Sniffing Collected Whole E-Mails, URLs, Passwords. PC-MAG.COM, October 2010. http://www.pcmag.com/author-bio/chloe-albanesius.[82] S. Alexander. Defeating compiler-level buffer overflow protection. USENIX ;login:, 30(3):59–71, June 2005.[83] S. Anand, M. Naik, H. Yang, and M. Harrold. Automated concolic testing of smartphoneapps. In Proc. of FSE, 2012.[84] Anonymous. Why we protest. http://whyweprotest.net/community/.[85] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon.From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. In Proceedingsof the 21st USENIX Security Symposium, 2012.[86] C. Arthur. Conficker is a lesson for MPs - especially over ID cards. The Guardian,http://www.guardian.co.uk/technology/2009/apr/02/conficker-parliamentsecurity-charles-arthur,2009.[87] E. Athanasopoulos, A. Makridakis, S. Antonatos, D. Antoniades, S. Ioannidis, K. G.Anagnostakis, and E. P. Markatos. Information Security. In T.-C. Wu, C.-L. Lei, V. Rijmen,and D.-T. Lee, editors, ISC ’08 Proceedings of the 11th international conference on InformationSecurity, volume 5222 of Lecture Notes in Computer Science, pages 146–160. Springer BerlinHeidelberg, 2008.168
Bibliography[88] A. Avizienis, J.-C. Laprie, B. Randell, and C. Landwehr. Basic concepts and taxonomy ofdependable and secure computing. IEEE Trans. Dependable Secur. Comput., 1(1):11–33, Jan.2004.[89] R. Baden, A. Bender, N. Spring, B. Bhattacharjee, and D. Starin. Persona: an online socialnetwork with user-defined privacy. In Proceedings of the ACM SIGCOMM 2009 conference onData communication - SIGCOMM ’09, page 135. ACM Press, 2009.[90] G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 binary executables. InProcedings of the Conference on Compiler Construction, CC’04, 2004.[91] M. Balduzzi, C. Gimenez, D. Balzarotti, and E. Kirda. Automated discovery of parameterpollution vulnerabilities in web applications. In Proceedings of the 18th Network andDistributed System Security Symposium, 2011.[92] M. Balduzzi, C. Platzer, T. Holz, E. Kirda, D. Balzarotti, and C. Kruegel. Abusing socialnetworks for automated user profiling. In International Symposium on Recent Advances inIntrusion Detection (RAID 2010), 9 2010.[93] J. Baltazar, J. Costoya, and R. Flores. The Real Face of KOOBFACE : The Largest Web 2 . 0Botnet Explained, 2009.[94] D. Balzarotti(Ed.). D4.1: First Report on Threats on the Future Internet and ResearchRoadmap. Technical report, SySSeC Consortia, Sept. 2011.[95] D. Balzarotti(Ed.). D4.2: Second Report on Threats on the Future Internet and ResearchRoadmap. Technical report, SySSeC Consortia, Sept. 2012.[96] A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashingattacks. In Proceedings of the USENIX Annual Technical Conference, June 2000.[97] A. Barth, J. Caballero, and D. Song. Secure Content Sniffing for Web Browsers or Howto Stop Papers from Reviewing Themselves. In Proceedings of the 30th IEEE Symposium onSecurity & Privacy, Oakland, CA, May 2009.[98] A. Barth, C. Jackson, and J. C. Mitchell. Robust Defenses for Cross-Site Request Forgery. InProceedings of the 15th ACM Conference on Computer and Communications Security (CCS), 2008.[99] U. Bayer, C. Kruegel, and E. Kirda. Ttanalyze: A tool for analyzing malware. In Proc. ofEICAR, 2006.[100] M. Benioff and E. Lazowska, editors. Cyber Security: A Crisis of Prioritization. NationalCoordination Office for Information Technology Research and Development, Feb. 2005.[101] J. Bennett, Y. Lin, and T. Haq. The Number of the Beast, 2013. http://blog.fireeye.com/research/2013/02/the-number-of-the-beast.html.[102] E. Bhatkar, D. C. Duvarney, and R. Sekar. Address obfuscation: an efficient approachto combat a broad range of memory error exploits. In In Proceedings of the 12th USENIXSecurity Symposium, 2003.[103] R. Biddle, S. Chiasson, and P. Van Oorschot. Graphical passwords: Learning from the firsttwelve years. ACM Comput. Surv., 44(4):19:1–19:41, Sep 2012.[104] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda. All your contacts are belong to us. InProceedings of the 18th international conference on World wide web - WWW ’09, page 551. ACMPress, 2009.[105] H. Bojinov, D. Boneh, R. Cannings, and I. Malchev. Address space randomization formobile devices. In Proceedings of the fourth ACM conference on Wireless network security,WiSec ’11, pages 127–138, New York, NY, USA, 2011. ACM.[106] H. Bojinov, E. Bursztein, and D. Boneh. XCS: Cross Channel Scripting and Its Impacton Web Applications. In CCS ’09: Proceedings of the 16th ACM conference on Computer andcommunications security, pages 420–431, New York, NY, USA, 2009. ACM.[107] J. Bonneau. Statistical metrics for individual password strength. In Proceedings of the 20thinternational conference on Security Protocols, pages 76–86, 2012.169
- Page 1:
SEVENTH FRAMEWORK PROGRAMMETHERED B
- Page 4 and 5:
The Red Book. ©2013 The SysSec Con
- Page 7 and 8:
PrefaceAfter the completion of its
- Page 9 and 10:
Contents1 Executive Summary 32 Intr
- Page 11 and 12:
1 Executive SummaryBased on publish
- Page 13:
1.2. Grand Challenges4. will have t
- Page 16 and 17:
2. Introductionwho want to get at t
- Page 18 and 19:
2. Introduction• Although conside
- Page 20 and 21:
2. Introductionfuture, where each a
- Page 22 and 23:
2. Introductiondrones), such sensor
- Page 24 and 25:
2. Introductioncover our energy nee
- Page 27:
Part I: Threats Identified
- Page 30 and 31:
3. In Search of Lost Anonymity3.2 W
- Page 32 and 33:
3. In Search of Lost Anonymityguide
- Page 35 and 36:
4 Software VulnerabilitiesExtending
- Page 37 and 38:
4.1. What Is the Problem?infrastruc
- Page 39 and 40:
4.5. State of the Artparts of criti
- Page 41:
4.7. Example Problemstem mitigation
- Page 44 and 45:
5. Social Networks5.1 Who Is Going
- Page 46 and 47:
5. Social Networksby such an applic
- Page 48 and 49:
5. Social Networksdisasters. This r
- Page 50 and 51:
6. Critical Infrastructure Security
- Page 52 and 53:
6. Critical Infrastructure Security
- Page 54 and 55:
6. Critical Infrastructure Security
- Page 56 and 57:
6. Critical Infrastructure Security
- Page 59 and 60:
7 Authentication and AuthorizationH
- Page 61 and 62:
7.2. Who Is Going to Be Affected?so
- Page 63 and 64:
7.5. State of the ArtFinally, ident
- Page 65 and 66:
7.6. Research Gapshashes and evalua
- Page 67 and 68:
8 Security of Mobile DevicesIn an e
- Page 69 and 70:
8.3. What Is the Worst That Can Hap
- Page 71 and 72:
8.4. State of the ArtAll the other
- Page 73:
8.6. Example Problemserated anomaly
- Page 76 and 77:
9. Legacy Systemsthe execution of a
- Page 78 and 79:
9. Legacy Systemsparts of the progr
- Page 81 and 82:
10 Usable SecurityKeys, locks, and
- Page 83 and 84:
10.4. What Is the Worst That Can Ha
- Page 85 and 86:
10.6. Research Gaps10.6 Research Ga
- Page 87:
10.7. Example Problemsof value for
- Page 90 and 91:
11. The Botnet that Would not DieNu
- Page 92 and 93:
11. The Botnet that Would not Diefa
- Page 94 and 95:
11. The Botnet that Would not Dieti
- Page 96 and 97:
12. Malwarethan 128 million malware
- Page 98 and 99:
12. Malwareequipped with auto-updat
- Page 100 and 101:
12. Malwarethe introduction of App
- Page 102 and 103:
13. Social Engineering and Phishing
- Page 104 and 105:
13. Social Engineering and Phishing
- Page 106 and 107:
13. Social Engineering and Phishing
- Page 108 and 109:
13. Social Engineering and Phishing
- Page 111 and 112:
14 Grand ChallengesOne of the most
- Page 113:
Part II: Related Work
- Page 116 and 117:
15. A Crisis of Prioritization•
- Page 118 and 119:
16. Forwardare accessible from the
- Page 120 and 121:
16. ForwardRecommendation 4: “The
- Page 122 and 123:
17. Federal Plan for Cyber Security
- Page 124 and 125:
17. Federal Plan for Cyber Security
- Page 126 and 127: 18. EffectsPlus18.1 Roadmap Structu
- Page 128 and 129: 18. EffectsPlus18.6 Identified Prio
- Page 130 and 131: 19. Digital GovernmentThe roadmap o
- Page 132 and 133: 20. Horizon2020• “Making cyber
- Page 135 and 136: 21 Trust in the Information Society
- Page 137: 21.2. Recommendationsallows for the
- Page 140 and 141: 22. ENISA Threat Landscape2. Malwar
- Page 142 and 143: 22. ENISA Threat LandscapeSocial Te
- Page 144 and 145: 22. ENISA Threat Landscapewriters w
- Page 146 and 147: 23. Cyber Security Research Worksho
- Page 149 and 150: 24 Cyber Security Strategy of theEu
- Page 151 and 152: 24.2. Strategic PrioritiesProposed
- Page 153 and 154: 25 The Dutch National Cyber Securit
- Page 155 and 156: 25.1. ContextsInternet (e.g., smart
- Page 157 and 158: 25.1. Contextsdefensive approaches
- Page 159 and 160: 25.2. Research Themesand radio broa
- Page 161 and 162: 25.2. Research Themesconsists of se
- Page 163 and 164: 25.2. Research ThemesRisk managemen
- Page 165 and 166: AMethodologiesIn this appendix we o
- Page 167 and 168: BSysSec Threats Landscape Evolution
- Page 169 and 170: B.4. SysSec 2013 Threats LandscapeT
- Page 171 and 172: B.4. SysSec 2013 Threats LandscapeS
- Page 173 and 174: Bibliography[1] 10 Questions for Ke
- Page 175: Bibliography[45] SCADA & Security o
- Page 179 and 180: Bibliography[130] G. Cluley. 600,00
- Page 181 and 182: Bibliography[172] D. Evans. Top 25
- Page 183 and 184: Bibliography[214] ICS-CERT. Monthly
- Page 185 and 186: Bibliography[253] C. Lever, M. Anto
- Page 187 and 188: Bibliography[291] Mozilla. Browseri
- Page 189 and 190: Bibliography[329] F. Raja, K. Hawke
- Page 191 and 192: Bibliography[370] T. Telegraph. Bog
- Page 193 and 194: Bibliography[407] W. Yang, N. Li, Y
Change language