Dark Reading | Products and Releases
7/24/2013 02:27 PM

NSA's First Annual "Science Of Security Competition"

Winning paper was written by Dr. Joseph Bonneau, who now works for Google

A research paper that was highlighted last year at an international symposium is the winner of the National Security Agency's first annual Science of Security (SoS) Competition that recognizes the best scientific papers about cybersecurity.

The winning paper was written by Dr. Joseph Bonneau, who completed his doctorate last year at the University of Cambridge in the United Kingdom and now works for Google Inc. in New York City. His paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords," was one of 44 nominations. His research was centered on the use and strength of passwords.

Dr. Bonneau was honored on July 18 at an NSA event, where he presented his paper before an audience of cybersecurity experts. The competition reflects the agency's desire to increase collaboration and build the science base of national security efforts.

"We established this highly competitive contest to broaden the scientific foundations of cybersecurity where scientific work in all fields is sorely needed," said Dr. Patricia Muoio, Chief of the NSA Research Directorate's Trusted Systems Research Group. "Dr. Bonneau's paper offered careful and rigorous measurements of password use and strength, and is an example of research that demonstrates a sound scientific approach to cybersecurity."

Strong, evidence-based research requires a large and diverse data set with collection and analysis methods that are well documented and repeatable. Bonneau's research combined those features and used mathematics to produce a measure that has current impact and can enhance future investigations. He discussed his paper at the 2012 IEEE Symposium on Security and Privacy in San Francisco.

The NSA SoS Competition was created to stimulate research toward the development of systems that are resilient to cyber attacks. Entries were judged on scientific merit, the strength and significance of the work reported, and the degree to which the papers exemplify how to perform and report scientific research in cybersecurity.

"Our partnerships with academic and industrial researchers inspire a diversity of thought that enhances innovation," said Dr. Michael Wertheimer, Director of Research. "This competition offers a great opportunity to share scientific methods. It also supports the greater NSA mission to strengthen and protect cyber space for our nation."

Two additional papers received Honorable Mentions for scientific methodology.

One, "On Protection by Layout Randomization" by Drs. Martin Abadi and Gordon Plotkin, breaks new ground in improving security by using a formal approach to study the effect of dynamically changing what cyber attackers view in order to confound them.

In the other paper, "Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World," Drs. Leyla Yumer and Tudor Dumitras use data fusion analysis, tackling large scale data sets to measure cyber attack behavior. This careful measurement of attack behavior could be used in the U.S. government's efforts to protect systems from such attacks.

Eight distinguished experts were among the reviewers:

• Dr. Dan Geer, In-Q-Tel

• Dr. John McLean, Naval Research Laboratory

• Professor Ron Rivest, Massachusetts Institute of Technology

• Professor Angela Sasse, University College London

• Professor Fred Schneider, Cornell University

• Mr. Phil Venables, Goldman Sachs

• Professor David Wagner, University of California-Berkeley

• Dr. Jeannette Wing, Microsoft Research

After reviewing the papers in an open nomination process, these experts provided individual recommendations to NSA. Dr. Deborah Frincke, NSA's former Deputy Director of Research, and Dr. Muoio then evaluated the nominated papers, as well as the submission rankings of each individual expert, and recommended the awards to Dr. Wertheimer.

The NSA Research Directorate creates breakthroughs in science, technology, engineering, and mathematics. These discoveries enable NSA to achieve and sustain intelligence advances against immediate and emerging threats to U.S. national security. As the only "in-house" organization in the Intelligence Community dedicated to advancing intelligence through science, the Research Directorate provides a consistent advantage over the scientific discoveries of industry, academia, and adversarial nations.

More information about the National Security Agency is available online at www.nsa.gov.
