Bibliography[150] D. Desai. Malware Analysis Report: Trojan: AndroidOS/Zitmo, Semptember2011. http://www.kindsight.net/sites/default/files/android_trojan_zitmo_final_pdf_17585.pdf.[151] S. Designer. Non-executable user stack. http://www.openwall.com/linux/.[152] A. Dey and S. Weis. Pseudoid: Enhancing privacy in federated login. In Hot Topics inPrivacy Enhancing Technologies, 2010.[153] R. Dhamija, J. Tygar, and M. Hearst. Why Phishing Works. In Proceedings of the SIGCHIConference on Human Factors in Computing Systems, pages 581–590. ACM New York, NY,USA, 2006.[154] R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In Proceedings of the SIGCHIconference on Human Factors in computing systems. ACM, 2006.[155] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. IETF,August 2008. https://tools.ietf.org/html/rfc5246.[156] Q. Ding, N. Katenka, P. Barford, E. Kolaczyk, and M. Crovella. Intrusion as (anti)socialcommunication. In Proceedings of the 18th ACM SIGKDD conference on Knowledge discoveryand data mining - KDD ’12, page 886, 2012.[157] D. Dittrich. So You Want to Take Over a Botnet. In Proceedings of the 5th USENIX conferenceon Large-Scale Exploits and Emergent Threats, 2012.[158] P. Durance and M. Godet. Scenario building: Uses and abuse. Technological Forecasting andSocial Change, 77:1488–1492, 2010.[159] T. Durden. Bypassing PaX ASLR protection. Phrack, 11(59), 2002.[160] P. Eckersley. How unique is your web browser? In Proceedings of the Privacy EnhancingTechnologies Symposium (PETS), 2010.[161] M. Egele. Invited talk: The state of mobile security. In DIMVA, 2012.[162] M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting privacy leaks in iosapplications. In NDSS, 2011.[163] M. Egele, A. Moser, C. Kruegel, and E. Kirda. Pox: Protecting users from maliciousface<strong>book</strong> applications. In Proceedings of 3rd Workshop on Security and Social Networking, 2011.[164] M. Egele, G. Stringhini, C. Kruegel, and G. Vigna. Compa: Detecting compromisedaccounts on social networks. In ISOC Network and Distributed System Security Symposium(NDSS), 2013.[165] M. W. Eichin and J. A. Rochlis. With Microscope and Tweezers: An Analysis of the InternetVirus of November 1988. In Proceedings of the IEEE Symposium on Security & Privacy, pages326–344, 1989.[166] EMC. The Digital Universe is Still Growing. http://www.emc.com/leadership/programs/digital-universe.htm, 2009.[167] W. Enck, P. Gilbert, B. Chun, L. Cox, J. Jung, P. McDaniel, and A. Sheth. Taintdroid: aninformation-flow tracking system for realtime privacy monitoring on smartphones. In Proc.of USENIX OSDI, 2010.[168] W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of android applicationsecurity. In USENIX Security, Berkeley, CA, USA, 2011.[169] W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification.In CCS, 2009.[170] Ú. Erlingsson. Low-level software security: Attack and defenses. Technical Report MSR-TR-07-153, Microsoft Research, 2007. http://research.microsoft.com/pubs/64363/tr-2007-153.pdf.[171] European Commission. Cybersecurity Strategy of the European Union: An Open, Safe andSecure Cyberspace, Feb. 2013.172
Bibliography[172] D. Evans. Top 25 technology p<strong>red</strong>ictions. Technical report, CISCO, 2009.[173] Face<strong>book</strong>. Social Authentication. 2011. http://www.face<strong>book</strong>.com/blog.php?post=486790652130.[174] Face<strong>book</strong>. Social Plugins. 2013. http://developers.face<strong>book</strong>.com/docs/plugins/.[175] N. Falliere. Sality: Story of a Peer-to-Peer Viral Network, 2011. Technical Report bySymantec Labs.[176] N. Falliere, L. O. Murchu, and E. Chien. W32. stuxnet dossier. Technical report, SymantecCorporation, 2011.[177] A. Felt and D. Evans. Privacy protection for social networking platforms. In Proceedings ofthe 2008 Workshop on Web 2.0 Security and Privacy.[178] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified.In CCS, 2011.[179] J. Fildes. Stuxnet worm ’targeted high-value iranian assets’. http://www.bbc.co.uk/news/technology-11388018, September 2010.[180] J. Fildes. Stuxnet virus targets and spread revealed. http://www.bbc.co.uk/news/technology-12465688, February 2011.[181] D. Florencio and C. Herley. A large-scale study of web password habits. In Proceedings ofthe 16th international conference on World Wide Web, WWW ’07, pages 657–666, New York,NY, USA, 2007. ACM.[182] D. Florencio and C. Herley. Is everything we know about password stealing wrong? IEEESecurity & Privacy, 10(6):63–69, 2012.[183] S. Forrest, A. Somayaji, and D. Ackley. Building diverse computer systems. In Proceedingsof the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), 1997.[184] M. Frantzen and M. Shuey. Stackghost: Hardware facilitated stack protection. In Proceedingsof the 10 th USENIX Security Symposium, August 2001.[185] M. F<strong>red</strong>rikson and B. Livshits. RePriv: Re-envisioning in-browser privacy. In IEEESymposium on Security and Privacy, May 2011.[186] G. Fresi Roglia, L. Martignoni, R. Paleari, and D. Bruschi. Surgically returning to randomizedlib(c). In Proceedings of the 25th Annual Computer Security Applications Conference(ACSAC), 2009.[187] T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture forIntrusion Detection. In Proc. of NDSS, 2003.[188] S. Garriss, M. Kaminsky, M. J. Freedman, B. Karp, D. Mazières, and H. Yu. RE: ReliableEmail. 3rd Symposium on Networked Systems Design and Implementation, 2006.[189] S. Gaw and E. W. Felten. Password management strategies for online accounts. InProceedings of the second symposium on Usable privacy and security, SOUPS ’06, pages 44–55,New York, NY, USA, 2006. ACM.[190] M. Gegick, L. Williams, J. Osborne, and M. Vouk. Prioritizing software security fortificationthrough code-level metrics. In Proc. of the 4th ACM workshop on Quality of protection, QoP’08.ACM Press, Oct. 2008.[191] B. Genge, C. Siaterlis, and M. Hohenadel. AMICI: An Assessment Platform for Multi-Domain Security Experimentation on Critical Infrastructures. ibs.ro, 2012.[192] B. Genge, C. Siaterlis, I. Nai Fovino, and M. Masera. A cyber-physical experimentationenvironment for the security analysis of networked industrial control systems. Computers& Electrical Engineering, 38(5):1146–1161, Sept. 2012.[193] GeogiaTech Research Institute and GeorgiaTech Information Security Center. Emergingcyber threats report 2013. Internet. http://www.gatech.edu/newsroom/release.html?nid=170981, 2012.173
- Page 1:
SEVENTH FRAMEWORK PROGRAMMETHERED B
- Page 4 and 5:
The Red Book. ©2013 The SysSec Con
- Page 7 and 8:
PrefaceAfter the completion of its
- Page 9 and 10:
Contents1 Executive Summary 32 Intr
- Page 11 and 12:
1 Executive SummaryBased on publish
- Page 13:
1.2. Grand Challenges4. will have t
- Page 16 and 17:
2. Introductionwho want to get at t
- Page 18 and 19:
2. Introduction• Although conside
- Page 20 and 21:
2. Introductionfuture, where each a
- Page 22 and 23:
2. Introductiondrones), such sensor
- Page 24 and 25:
2. Introductioncover our energy nee
- Page 27:
Part I: Threats Identified
- Page 30 and 31:
3. In Search of Lost Anonymity3.2 W
- Page 32 and 33:
3. In Search of Lost Anonymityguide
- Page 35 and 36:
4 Software VulnerabilitiesExtending
- Page 37 and 38:
4.1. What Is the Problem?infrastruc
- Page 39 and 40:
4.5. State of the Artparts of criti
- Page 41:
4.7. Example Problemstem mitigation
- Page 44 and 45:
5. Social Networks5.1 Who Is Going
- Page 46 and 47:
5. Social Networksby such an applic
- Page 48 and 49:
5. Social Networksdisasters. This r
- Page 50 and 51:
6. Critical Infrastructure Security
- Page 52 and 53:
6. Critical Infrastructure Security
- Page 54 and 55:
6. Critical Infrastructure Security
- Page 56 and 57:
6. Critical Infrastructure Security
- Page 59 and 60:
7 Authentication and AuthorizationH
- Page 61 and 62:
7.2. Who Is Going to Be Affected?so
- Page 63 and 64:
7.5. State of the ArtFinally, ident
- Page 65 and 66:
7.6. Research Gapshashes and evalua
- Page 67 and 68:
8 Security of Mobile DevicesIn an e
- Page 69 and 70:
8.3. What Is the Worst That Can Hap
- Page 71 and 72:
8.4. State of the ArtAll the other
- Page 73:
8.6. Example Problemserated anomaly
- Page 76 and 77:
9. Legacy Systemsthe execution of a
- Page 78 and 79:
9. Legacy Systemsparts of the progr
- Page 81 and 82:
10 Usable SecurityKeys, locks, and
- Page 83 and 84:
10.4. What Is the Worst That Can Ha
- Page 85 and 86:
10.6. Research Gaps10.6 Research Ga
- Page 87:
10.7. Example Problemsof value for
- Page 90 and 91:
11. The Botnet that Would not DieNu
- Page 92 and 93:
11. The Botnet that Would not Diefa
- Page 94 and 95:
11. The Botnet that Would not Dieti
- Page 96 and 97:
12. Malwarethan 128 million malware
- Page 98 and 99:
12. Malwareequipped with auto-updat
- Page 100 and 101:
12. Malwarethe introduction of App
- Page 102 and 103:
13. Social Engineering and Phishing
- Page 104 and 105:
13. Social Engineering and Phishing
- Page 106 and 107:
13. Social Engineering and Phishing
- Page 108 and 109:
13. Social Engineering and Phishing
- Page 111 and 112:
14 Grand ChallengesOne of the most
- Page 113:
Part II: Related Work
- Page 116 and 117:
15. A Crisis of Prioritization•
- Page 118 and 119:
16. Forwardare accessible from the
- Page 120 and 121:
16. ForwardRecommendation 4: “The
- Page 122 and 123:
17. Federal Plan for Cyber Security
- Page 124 and 125:
17. Federal Plan for Cyber Security
- Page 126 and 127:
18. EffectsPlus18.1 Roadmap Structu
- Page 128 and 129:
18. EffectsPlus18.6 Identified Prio
- Page 130 and 131: 19. Digital GovernmentThe roadmap o
- Page 132 and 133: 20. Horizon2020• “Making cyber
- Page 135 and 136: 21 Trust in the Information Society
- Page 137: 21.2. Recommendationsallows for the
- Page 140 and 141: 22. ENISA Threat Landscape2. Malwar
- Page 142 and 143: 22. ENISA Threat LandscapeSocial Te
- Page 144 and 145: 22. ENISA Threat Landscapewriters w
- Page 146 and 147: 23. Cyber Security Research Worksho
- Page 149 and 150: 24 Cyber Security Strategy of theEu
- Page 151 and 152: 24.2. Strategic PrioritiesProposed
- Page 153 and 154: 25 The Dutch National Cyber Securit
- Page 155 and 156: 25.1. ContextsInternet (e.g., smart
- Page 157 and 158: 25.1. Contextsdefensive approaches
- Page 159 and 160: 25.2. Research Themesand radio broa
- Page 161 and 162: 25.2. Research Themesconsists of se
- Page 163 and 164: 25.2. Research ThemesRisk managemen
- Page 165 and 166: AMethodologiesIn this appendix we o
- Page 167 and 168: BSysSec Threats Landscape Evolution
- Page 169 and 170: B.4. SysSec 2013 Threats LandscapeT
- Page 171 and 172: B.4. SysSec 2013 Threats LandscapeS
- Page 173 and 174: Bibliography[1] 10 Questions for Ke
- Page 175 and 176: Bibliography[45] SCADA & Security o
- Page 177 and 178: Bibliography[88] A. Avizienis, J.-C
- Page 179: Bibliography[130] G. Cluley. 600,00
- Page 183 and 184: Bibliography[214] ICS-CERT. Monthly
- Page 185 and 186: Bibliography[253] C. Lever, M. Anto
- Page 187 and 188: Bibliography[291] Mozilla. Browseri
- Page 189 and 190: Bibliography[329] F. Raja, K. Hawke
- Page 191 and 192: Bibliography[370] T. Telegraph. Bog
- Page 193 and 194: Bibliography[407] W. Yang, N. Li, Y